Enable audit to write cache to disk to reduce memory

[ritazh]

Signed-off-by: Rita Zhang rita.z.zhang@gmail.com

What this PR does / why we need it:
Improve audit memory footprint by writing audit cache to disk

Which issue(s) this PR fixes (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):
Fixes #163
Fixes #1088
Fixes #1279
Partial #1405

Special notes for your reviewer:

[codecov-commenter]

Codecov Report

Merging #1634 (40a7480) into master (87cb662) will decrease coverage by 0.66%.
The diff coverage is 0.00%.

@@            Coverage Diff             @@
##           master    #1634      +/-   ##
==========================================
- Coverage   52.81%   52.14%   -0.67%     
==========================================
  Files          98       98              
  Lines        8591     8693     +102     
==========================================
- Hits         4537     4533       -4     
- Misses       3695     3800     +105     
- Partials      359      360       +1     

Flag	Coverage Δ
unittests	52.14% <0.00%> (-0.67%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
pkg/audit/manager.go	0.00% <0.00%> (ø)
...onstrainttemplate/constrainttemplate_controller.go	58.76% <0.00%> (-0.95%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 87cb662...40a7480. Read the comment docs.

[maxsmythe]

What purpose does embedding the namespace in the filename serve?

[ritazh]

From few lines above, since we are already calling the api server to get the namespace of the object to see if we can skip it to avoid having to create the file if namespace is excluded, we should persist the namespace as part of the filename so we do not have to make another api call later when loading the obj from disk.

objNamespace := objList.Items[index].GetNamespace()
isExcludedNamespace, err := am.skipExcludedNamespace(&objList.Items[index])

[maxsmythe]

Two problems with this benefit:

1. We need to get the full namespace object so that we can evaluate namespace selectors, not the name
2. We are already caching the namespace in nsCache

[ritazh]

From few lines below, the namespace saved as part of the file name is used to lookup the full namespace object from nsCache:

objNs := strings.Split(fileName, "_")[0]
ns := corev1.Namespace{}
if objNs != "" {
  ns, err = nsCache.Get(ctx, am.client, objNs)

[shomron]

nit: Can we encapsulate the encoding and decoding logic for these filenames into helper functions, making this naming convention more explicit?

[ritazh]

I'm removing the namespace from the filename but prefixing with kind to avoid delays in os.RemoveAll.

[maxsmythe]

Actually, it looks like we are auditing after we've looped through all GVKs, we'd definitely need to write out objects to separate directories by GVK in order to avoid clobbering.

One note about how we could be gentler on the API server...

If we perform the audit for a given kind before grabbing the next kind from the API server, we even out the load on the API server somewhat.

[ritazh]

Per above comment, I dont think we are clobbering it.

If we perform the audit for a given kind before grabbing the next kind from the API server, we even out the load on the API server somewhat.

Can this optimization be a follow up PR given that we would need to do few rounds of load tests?

[maxsmythe]

Yeah, you're not clobbering it.

One other benefit of interleaving audits and lists... you can wipe the disk after each audit, lowering the maximum amount of disk space used.

Why would we need load tests?

In any case, we can defer, but the reduction in disk space seems valuable (akin to how much memory we got back when we switched to auditing on a per-kind basis)

[ritazh]

latest commit audits right after cache to disk for a given kind

[maxsmythe]

If this is why we are embedding the namespace in the filename, could we retrieve the namespace after we've called am.readUnstructured() and get it from the object itself?

[ritazh]

Per above comment, we are already making the api call to get namespace to test ns exclusion prior to saving the file. It makes more sense to me to save it as part of the file at that point instead.

[maxsmythe]

Except we are calling nsCache.Get() here anyway? Per above, we'd need to get the whole namespace object so we can evaluate the namespace selector.

[ritazh]

done

[maxsmythe]

mostly nits

[maxsmythe]

Two problems with this benefit:

1. We need to get the full namespace object so that we can evaluate namespace selectors, not the name
2. We are already caching the namespace in nsCache

[maxsmythe]

Yeah, you're not clobbering it.

One other benefit of interleaving audits and lists... you can wipe the disk after each audit, lowering the maximum amount of disk space used.

Why would we need load tests?

In any case, we can defer, but the reduction in disk space seems valuable (akin to how much memory we got back when we switched to auditing on a per-kind basis)

[maxsmythe]

Except we are calling nsCache.Get() here anyway? Per above, we'd need to get the whole namespace object so we can evaluate the namespace selector.

[shomron]

@ritazh overall looks good! I had a few questions and nits, nothing blocking. LMKWYT.
I think a cool future enhancement might be to process the reviews concurrently to filling the cache - this might improve overall audit time for larger clusters.

[shomron]

1. Do we know how many files will be in this directory? Is it better to page through the items using File.Readdirnames(n) instead of making assumptions, or do we know this will be manageable?
2. Is there any validation we want to do to make sure it's actually our cache directory, and not / or some other unfortunate mistake?

[ritazh]

Do we know how many files will be in this directory?

latest commit adds paging to get files

Is there any validation we want to do to make sure it's actually our cache directory

we pass in apiCacheDir to these functions.

apiCacheDir               = flag.String("api-cache-dir", defaultApiCacheDir, "The directory where  

[shomron]

nit: Can we encapsulate the encoding and decoding logic for these filenames into helper functions, making this naming convention more explicit?

[ritazh]

NOTE: updating default auditChunkSize value

[ritazh]

NOTE: updated default to 500 and flag usage. Will open a separate PR to update doc after the next release is out.

[ritazh]

@maxsmythe @shomron I have addressed you comments, PTAL.

[shomron]

I think we ignore non-EOF errors here. Should we bubble those back up to the caller?

[shomron]

Is this comment still accurate? Does it just mean that the namespace is stored within the file payload?

[shomron]

Why did this move into the loop? Are we trying to reduce peak disk usage?

[maxsmythe]

I think so?

Could be useful if there are a lot of large lists of kinds.

[shomron]

Can we add a comment somewhere with the cache directory structure? Otherwise we need to infer this from the code.

[ritazh]

this was commented earlier when we create the sub folders.

// for each batch, create a parent folder
// prefix kind to avoid delays in removeall
subPath = fmt.Sprintf("%s_%d", kind, folderCount)
parentDir := path.Join(*apiCacheDir, subPath)

I will add the same comment in this func as well.

[shomron]

While this pages files from the OS, it still aggregates the list in memory before processing. This should be fine unless we expect the list to be very large. Otherwise we could pass in a processing function to be called per page.

[maxsmythe]

Or maybe walk the directory and call audit on every file we walk into?

walk() is probably preferable, but I don't have an issue with this as-is, since the list of file names is probably much smaller than the list of actual objects.

[ritazh]

I think the list of file names is pretty small compare to everything else (actual resources) we are caching. We can further optimize this if we see a dramatic improvement later.

[maxsmythe]

I think so?

Could be useful if there are a lot of large lists of kinds.

[maxsmythe]

Or maybe walk the directory and call audit on every file we walk into?

walk() is probably preferable, but I don't have an issue with this as-is, since the list of file names is probably much smaller than the list of actual objects.

[sozercan]

LGTM

[anlandu]

QQ, I might be misreading but it looks like this only excludes from writing to disk objects in namespaces that are excluded by ProcessExcluder, which would just be the GK config-level excludedNamespaces? Could the map of matchedKinds also include a field for matchedNamespaces so as to also exclude those that don't match the namespaces defined in the constraint? And potentially use that info to winnow down the List api call?

[maxsmythe]

In theory, but that would presume that:

• It's common to ignore namespaces
• The namespaces that are ignored contain a significant chunk of the resources of the cluster

A second point: performance "optimizations" that lower resource coverage are less optimizations and more an acknowledgement of the limits of how far a system can scale. If I can only handle 1000 resources, and remove some from scope, the system can still only handle 1000 resources and I will still have a problem if I scale beyond that size WRT resources that are in scope.

As such, performance improvements, graceful degradation, and removal of upper bounds (e.g. via chunking) should be the main focus, with culling more useful for triage and avoiding unnecessary processing time (as opposed to being an operational necessity).

[anlandu]

Thanks for the reply, that makes a lot of sense! I was looking at a case where a cluster had hundreds of thousands of a certain resource type, but none in the default namespace, and were applying the "shouldn't use the default namespace" template with "default" as the only included namespace on the constraint. Obviously a very niche case but it just spurred me to think about possible triages and their feasibility. Totally understand if it's not as worthwhile as actual optimizations!