metrics: Policy Attachment metrics (investigate/proof of concept)

[david-martin]

How can/Does it make sense to support state metrics for Policies that have been attached via https://gateway-api.sigs.k8s.io/references/policy-attachment/?

What's the impact on:

• the CustomResourceStateMetrics config
• RBAC permissions for different CRDs

Would an example or 'how-to' make more sense if it's not reasonable to solve this in a generic way?

[david-martin]

@guicassolato @alexsnaps Would you have an example AuthPolicy and RateLimitPolicy for reference here (v2 I guess)? Even better if you had one with the status block showing some useful information.

Thanks, I'd really appreciate it.

[guicassolato]

@guicassolato @alexsnaps Would you have an example AuthPolicy and RateLimitPolicy for reference here (v2 I guess)? Even better if you had one with the status block showing some useful information.

These are the most up-to-date examples of AuthPolicy and RateLimitPolicy v2 I can think of now, @david-martin:

• https://github.com/Kuadrant/kuadrant-operator/blob/95f6c6344ac1fc7d2fb673139301c0560dd8cbe8/doc/user-guides/authenticated-rl-with-jwt-and-k8s-authnz.md
• https://github.com/Kuadrant/kuadrant-operator/blob/95f6c6344ac1fc7d2fb673139301c0560dd8cbe8/doc/user-guides/authenticated-rl-for-app-developers.md

TBH, I'm not sure how helpful the status stanza of these CRs can be as of today. But we do have some work in the roadmap to get them enhanced soon – certainly along the lines of what's proposed in https://github.com/Kuadrant/architecture/pull/9, but also open to suggestions.

Meanwhile, and at least for Authorino only, maybe there's sth here that we could use:

• https://docs.kuadrant.io/authorino/docs/user-guides/observability/
• https://github.com/Kuadrant/authorino/blob/bffb49e40b68e13edc8e489a4cb21c10ddd20830/api/v1beta1/auth_config_types.go#L707-L772, along with https://github.com/Kuadrant/authorino/blob/bffb49e40b68e13edc8e489a4cb21c10ddd20830/api/v1beta1/auth_config_types.go#L47-L58

While the AuthConfigs and the AuthPolicies relate 1:1 one another, the status of the AuthConfig CRs, as well as their so-called associated "deep metrics", will certainly influence the status and the metrics of the AuthPolicies. Perhaps not so much regarding the Policy Attachment aspect of the AuthPolicies directly, but other observable aspects for sure. And, by transition, even the Policy Attachment part may end up affected, I reckon.

E.g.: "HTTPRouteRule X is generating too much latency due to an associated config in the auth policy that make requests to this route to fetch metadata from an external source, without setting proper caching." (If that makes any sense.)

[guicassolato]

I don't see metrics related to Kuadrant's AuthPolicy introduced in #36. Do we want to reopen this issue or capture what we missed in a new one?

[david-martin]

Good catch @guicassolato I'll reopen this. It closed automatically. @Ygnas We can model the AuthPolicy metrics and dashboard on the RLP & TLSPolicy ones.