Hi,
While reviewing the kube-controller-manager we noticed that there are many inconsistencies in the naming of the controllers. This is becoming more important with the current switch to contextual logging as each component can specify a logging prefix.
There are 4 places for each controller that are important from a user's perspective
- controller initializer name [1]: can be used when enabling/disabling controllers with the --controllers flag
- client (service account) name [2], [3]: useful when inspecting audit logs.
- event source name: useful for identifying the relevant controller that emitted the event
- logs: messages are currently only identified by a file where they originated, which does not always correspond to the controller.
There are inconsistencies between these places for some controllers. And inconsistencies between the controllers.
I have made a spreadsheet to summarize these for a bigger picture [4].
I think it is helpful for users to have a consistent identifier for each controller across all the possible mentions. It can help the user to search for the same string in audit logs, events and logs.
We have been discussing this with Patrick and Maciej in #113464 PR [5] and would like to get additional opinions on this.
Currently the best candidate for a logging component prefix that would make a lot of sense, is to use the same name as the client (SA) name. This would at least help to correlate the logs with the audit logs.
However, there are a few problems with these:
- "-" not applied consistently between words
- "-controller" suffix not applied consistently
- some names ("node-controller", "expand-controller") are too generic
- some controllers use the same SA:
- csrsigning, csrapproving and csrcleaner with "certificate-controller"
- nodeipam, nodelifecycle and cloud-node-lifecycle with "node-controller"
I have the following questions:
1. Is it feasible to change the client (SA) names to achieve better naming consistency? I suppose we would have to put RBAC migration into place, so it might not be worth it? Nevertheless, this group of names is the most consistent and would not require that many changes.
2. The controller initializers are the most inconsistent. Is there a way to rename them? Or is the risk of breaking people here too big?
3. Can we change the event source to be the same as the logger name? This would mostly fix the inconsistent use of "_" instead of "-". And would help in a few other places, such as disruption-controller emitting events with controllermanager as a source.
To reiterate, with the introduction of logging prefixes, it would be great to standardize this somehow, because the change in a logging format is a big area and will affect a lot of people.
Any feedback would be appreciated!
Filip
1.
https://github.com/kubernetes/kubernetes/blob/1e3946ce9dcb745771b03845d4afd97caa7c7737/cmd/kube-controller-manager/app/controllermanager.go#L4342.
https://github.com/kubernetes/kubernetes/blob/c865a641d3d7ed85723ef2f37f3756d52d8f5da3/cmd/kube-controller-manager/app/core.go#L1613.
https://github.com/kubernetes/kubernetes/blob/master/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go#L664.
https://docs.google.com/spreadsheets/d/1s0Y3ruLDUWR8k0KyMLlY-5gm09TDiOjONFsMqs0-Fjw5.
https://github.com/kubernetes/kubernetes/pull/113464#discussion_r1065155841