Tighten resource attribution in the Stackdriver event sink#1186
erain wants to merge 1 commit into
/lgtm
When mapping a corev1.Event onto a Stackdriver MonitoredResource with InvolvedObject.Kind == "Pod", only emit a k8s_pod resource when the event's own metadata.namespace is set and equals event.InvolvedObject.Namespace. Use event.Namespace (the value the API server validates against RBAC at event creation time) to populate the namespace_name label. Events that fail the check fall back to the default cluster-scoped resource so the log content is still exported. Node attribution is intentionally unchanged in this PR; it will be addressed separately. Updates the existing pod test to populate event.Namespace and adds cases that cover the new fallback paths.
Force-pushed f85462c to 208ca39
Summary
When the event-exporter maps a `corev1.Event` onto a Stackdriver `MonitoredResource`, the Pod/Node labels are taken from the event's `involvedObject` reference. These reference fields are not cross-checked against the event's own `metadata.namespace`, which is the value the API server validates when an event is created.

This change adds that cross-check inside `resourceFromEvent`:

- `event.Namespace != ""` and `event.Namespace == event.InvolvedObject.Namespace`. When the check passes, `namespace_name` is sourced from `event.Namespace` directly. Otherwise the entry falls back to the default cluster-scoped resource.
- `k8s_node` only when the event originates from one of `default`, `kube-system`, or `kube-node-lease`. Otherwise the entry falls back to the default cluster-scoped resource.

The fallback preserves the log content under the cluster resource, so events that don't pass the check are still exported and inspectable; they just stop being attributed to the workload they reference.
Test plan
- `go test -mod=vendor ./...` in `event-exporter/` is green.
- `monitored_resource_factory_test.go` gains coverage for: pod event whose event namespace disagrees with the involved object, pod event with empty event namespace, node event in trusted namespace, node event in untrusted namespace.
- `log_entry_factory_test.go` cases updated to populate `event.Namespace` consistent with the new requirement; pod-label enrichment path still exercised end-to-end.
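The cross-check described in the Summary, written out as an added stand-alone example (not the event-exporter's own `resourceFromEvent` or its types): `Event`, `ObjectReference` and `MonitoredResource` are constructed stand-ins for `corev1.Event` and the Stackdriver resource, carrying only the fields the check needs, and the cluster fallback omits the real cluster labels.

```go
package main

import "fmt"

// Constructed stand-ins for corev1.Event/ObjectReference and the Stackdriver
// MonitoredResource (assumption: only the fields the check needs are modelled).
type ObjectReference struct{ Kind, Namespace, Name string }
type Event struct {
	Namespace      string // metadata.namespace, validated by the API server at creation
	InvolvedObject ObjectReference
}

type MonitoredResource struct {
	Type   string
	Labels map[string]string
}

// Namespaces from which a Node event may be attributed to a k8s_node resource.
var trustedNodeNamespaces = map[string]bool{"default": true, "kube-system": true, "kube-node-lease": true}

// clusterResource is the cluster-scoped fallback (real cluster labels omitted here).
func clusterResource() MonitoredResource {
	return MonitoredResource{Type: "k8s_cluster", Labels: map[string]string{}}
}

// resourceFromEvent attributes an event to a workload resource only when the
// event's own namespace vouches for the involvedObject reference.
func resourceFromEvent(e Event) MonitoredResource {
	switch e.InvolvedObject.Kind {
	case "Pod":
		if e.Namespace == "" || e.Namespace != e.InvolvedObject.Namespace {
			return clusterResource() // unset or cross-namespace reference: not trusted
		}
		return MonitoredResource{Type: "k8s_pod", Labels: map[string]string{
			"namespace_name": e.Namespace, // from event.Namespace, not the reference
			"pod_name":       e.InvolvedObject.Name,
		}}
	case "Node":
		if !trustedNodeNamespaces[e.Namespace] {
			return clusterResource()
		}
		return MonitoredResource{Type: "k8s_node", Labels: map[string]string{"node_name": e.InvolvedObject.Name}}
	}
	return clusterResource()
}

func main() {
	r := resourceFromEvent(Event{Namespace: "team-a", InvolvedObject: ObjectReference{Kind: "Pod", Namespace: "kube-system", Name: "api"}})
	fmt.Println(r.Type) // k8s_cluster: the cross-namespace reference falls back
}
```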