Log policy NonCompliance #136
Sample log entry:
|
@@ -2911,7 +2908,7 @@ func convertPolicyStatusToString(plc *policyv1.ConfigurationPolicy) (results str | |||
} | |||
} | |||
} | |||
|
|||
policyLog.Info("Policy status message", "status", result) |
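Review bot: The `policyLog.Info("Policy status message", "status", result)` call at the end of `convertPolicyStatusToString` gives a string-conversion helper a logging side effect, so an entry is written each time any caller converts the status, at the default verbosity. Consider emitting it from the code path that updates the status instead, and add the policy's name and namespace from `plc` as key/value pairs so a log consumer can attribute the message to a policy.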
Having the log inside this function might result in it being duplicated sometimes, but I think that is a better problem than missing it sometimes. I wonder if it should be behind V(1) or a special flag, to keep things from getting too noisy?
The goal is to have this logged by default so servicing systems that only have the GRC governance metrics and logs can determine the NonCompliance messages. Since the NonCompliance message isn't in a metric we need it to always be in log. I'll have to see if the V(1) logs show up by default. I'll do a duplication detection too to see if that happens -- it looks like I've cleaned up the logs I captured last week so will recollect.
I agree with @JustinKuli. I think these could be very noisy and make the logs grow quickly--I'd prefer we ask that servicing systems bump the log level if they want the information present in the logs. It's not too difficult since we have a custom annotation that can be applied to the ManagedClusterAddon. Does SD have a requirement that the status message be present at default logging levels?
/hold
I rebuilt the changes on the latest code base. To get the message to display I had to use:
@gparvin could you please log it in
@@ -2826,11 +2826,14 @@ func (r *ConfigurationPolicyReconciler) updatePolicyStatus( | |||
eventType = eventWarning | |||
} | |||
|
|||
eventMessage := fmt.Sprintf("%s%s", policy.Status.ComplianceState, msg) | |||
log.Info("Policy status message", "status", eventMessage) |
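Review bot: `eventMessage` joins `policy.Status.ComplianceState` and `msg` with `"%s%s"`, which has no separator in the format string, and the log line passes that fused string under the single key `"status"`, so a tool scraping the log has to split the state from the message itself. Consider logging them as separate key/value pairs, for example `"complianceState", policy.Status.ComplianceState, "message", msg`, while keeping `eventMessage` as it is.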
The logger here doesn't automatically include the policy name. Could you please include that as a key/value pair?
Good point. Now it has the policy name. Thanks
Consistently log the policy noncompliance and compliance as updates are made. The goal is to allow tools that scrape logs to be able to obtain the violation message and the details on when compliance changes happen.

Refs:
- https://issues.redhat.com/browse/ACM-5568

Signed-off-by: Gus Parvin <gparvin@redhat.com>
[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: gparvin, mprahl
/unhold
73f50ce into open-cluster-management-io:main
@gparvin: cannot checkout In response to this: