search

kubernetes / apiserver

Library for writing a Kubernetes-style API server.
Apache License 2.0
647 stars 400 forks source link

Audit logs #72

Closed VidarHUN closed 2 years ago

VidarHUN commented 3 years ago

Hello,

I have a problem with the apiserver though it makes audit logs for certain patches and this makes it slow. Currently, I use it with default settings, so in theory, it should not have to make any audit logs, but it does somehow.

For cluster I use Minikube v1.19.0 with Kubernetes v1.21.2.

That's the log: 

I0716 12:17:04.198943       1 queueset.go:305] QS(workload-low): Context of request "service-accounts" &request.RequestInfo{IsResourceRequest:true, Path:"/api/v1/namespaces/default/pods", Verb:"list", APIPrefix:"api", APIGroup:"", APIVersion:"v1", Namespace:"default", Resource:"pods", Subresource:"", Name:"", Parts:[]string{"pods"}} &user.DefaultInfo{Name:"system:serviceaccount:default:default", UID:"e7d9a12e-48c2-4391-9e5a-3b77a8507c72", Groups:[]string{"system:serviceaccounts", "system:serviceaccounts:default", "system:authenticated"}, Extra:map[string][]string{"authentication.kubernetes.io/pod-name":[]string{"rtpe-controller-795ffd98c-r6vl4"}, "authentication.kubernetes.io/pod-uid":[]string{"15e8f728-3ba5-445c-88dc-a44d70a234fe"}}} is Done
I0716 12:17:04.210936       1 trace.go:205] Trace[581813521]: "Patch" url:/apis/l7mp.io/v1/namespaces/default/rules/worker-rtp-rule-30383040-fromtag3038,user-agent:kopf/1.32.1,client:172.17.0.3,accept:*/*,protocol:HTTP/1.1 (16-Jul-2021 12:17:01.799) (total time: 2411ms):
Trace[581813521]: ---"Recorded the audit event" 2374ms (12:17:00.173)
Trace[581813521]: ---"About to apply patch" 0ms (12:17:00.173)
Trace[581813521]: ---"About to check admission control" 6ms (12:17:00.180)
Trace[581813521]: ---"Object stored in database" 29ms (12:17:00.210)
Trace[581813521]: ---"Self-link added" 0ms (12:17:00.210)
Trace[581813521]: [2.41185977s] [2.41185977s] END
I0716 12:17:04.211241       1 queueset.go:732] QS(workload-low) at r=2021-07-16 12:17:04.211216353 v=31.852181904s: request &request.RequestInfo{IsResourceRequest:true, Path:"/apis/l7mp.io/v1/namespaces/default/rules/worker-rtp-rule-30383040-fromtag3038", Verb:"patch", APIPrefix:"apis", APIGroup:"l7mp.io", APIVersion:"v1", Namespace:"default", Resource:"rules", Subresource:"", Name:"worker-rtp-rule-30383040-fromtag3038", Parts:[]string{"rules", "worker-rtp-rule-30383040-fromtag3038"}} &user.DefaultInfo{Name:"system:serviceaccount:default:l7mp-account-chart-1626433631", UID:"6ffade7d-19ba-4192-b753-c9325640bbe6", Groups:[]string{"system:serviceaccounts", "system:serviceaccounts:default", "system:authenticated"}, Extra:map[string][]string{"authentication.kubernetes.io/pod-name":[]string{"l7mp-operator-5fc45f5b9c-lddsm"}, "authentication.kubernetes.io/pod-uid":[]string{"620928fa-5435-4dad-a3a8-f63b38dd5a53"}}} finished, adjusted queue 38 virtual start time to 751.633329449s due to service time 2.416107905s, queue will have 0 waiting & 12 executing
I0716 12:17:04.211314       1 apf_filter.go:160] Handle(RequestDigest{RequestInfo: &request.RequestInfo{IsResourceRequest:true, Path:"/apis/l7mp.io/v1/namespaces/default/rules/worker-rtp-rule-30383040-fromtag3038", Verb:"patch", APIPrefix:"apis", APIGroup:"l7mp.io", APIVersion:"v1", Namespace:"default", Resource:"rules", Subresource:"", Name:"worker-rtp-rule-30383040-fromtag3038", Parts:[]string{"rules", "worker-rtp-rule-30383040-fromtag3038"}}, User: &user.DefaultInfo{Name:"system:serviceaccount:default:l7mp-account-chart-1626433631", UID:"6ffade7d-19ba-4192-b753-c9325640bbe6", Groups:[]string{"system:serviceaccounts", "system:serviceaccounts:default", "system:authenticated"}, Extra:map[string][]string{"authentication.kubernetes.io/pod-name":[]string{"l7mp-operator-5fc45f5b9c-lddsm"}, "authentication.kubernetes.io/pod-uid":[]string{"620928fa-5435-4dad-a3a8-f63b38dd5a53"}}}}) => fsName="service-accounts", distMethod=&v1beta1.FlowDistinguisherMethod{Type:"ByUser"}, plName="workload-low", isExempt=false, queued=true, Finish() => panicking=false idle=false
I0716 12:17:04.211408       1 httplog.go:89] "HTTP" verb="PATCH" URI="/apis/l7mp.io/v1/namespaces/default/rules/worker-rtp-rule-30383040-fromtag3038" latency="2.434419481s" userAgent="kopf/1.32.1" srcIP="172.17.0.3:36016" resp=200
I0716 12:17:04.212052       1 queueset.go:305] QS(workload-low): Context of request "service-accounts" &request.RequestInfo{IsResourceRequest:true, Path:"/apis/l7mp.io/v1/namespaces/default/rules/worker-rtp-rule-30383040-fromtag3038", Verb:"patch", APIPrefix:"apis", APIGroup:"l7mp.io", APIVersion:"v1", Namespace:"default", Resource:"rules", Subresource:"", Name:"worker-rtp-rule-30383040-fromtag3038", Parts:[]string{"rules", "worker-rtp-rule-30383040-fromtag3038"}} &user.DefaultInfo{Name:"system:serviceaccount:default:l7mp-account-chart-1626433631", UID:"6ffade7d-19ba-4192-b753-c9325640bbe6", Groups:[]string{"system:serviceaccounts", "system:serviceaccounts:default", "system:authenticated"}, Extra:map[string][]string{"authentication.kubernetes.io/pod-name":[]string{"l7mp-operator-5fc45f5b9c-lddsm"}, "authentication.kubernetes.io/pod-uid":[]string{"620928fa-5435-4dad-a3a8-f63b38dd5a53"}}} is Done
I0716 12:17:04.216521       1 trace.go:205] Trace[814898886]: "Create" url:/api/v1/namespaces/default/events,user-agent:kopf/1.32.1,client:172.17.0.3,accept:*/*,protocol:HTTP/1.1 (16-Jul-2021 12:17:01.796) (total time: 2419ms):
Trace[814898886]: ---"About to convert to expected version" 2376ms (12:17:00.173)
Trace[814898886]: ---"Conversion done" 0ms (12:17:00.173)
Trace[814898886]: ---"About to store object in database" 0ms (12:17:00.173)
Trace[814898886]: ---"Object stored in database" 42ms (12:17:00.216)
Trace[814898886]: [2.419520835s] [2.419520835s] END

How can I remove the Recorded the audit event and About to convert to expected version time?

k8s-triage-robot commented 2 years ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot commented 2 years ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot commented 2 years ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

k8s-ci-robot commented 2 years ago

@k8s-triage-robot: Closing this issue.

In response to [this](https://github.com/kubernetes/apiserver/issues/72#issuecomment-992552252): >The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. > >This bot triages issues and PRs according to the following rules: >- After 90d of inactivity, `lifecycle/stale` is applied >- After 30d of inactivity since `lifecycle/stale` was applied, `lifecycle/rotten` is applied >- After 30d of inactivity since `lifecycle/rotten` was applied, the issue is closed > >You can: >- Reopen this issue or PR with `/reopen` >- Mark this issue or PR as fresh with `/remove-lifecycle rotten` >- Offer to help out with [Issue Triage][1] > >Please send feedback to sig-contributor-experience at [kubernetes/community](https://github.com/kubernetes/community). > >/close > >[1]: https://www.kubernetes.dev/docs/guide/issue-triage/ Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.