injector ValidateServiceAccount

cmd/injector/injector.go

@@ -14,6 +14,7 @@ func main() {
 	//https://github.com/kubernetes/community/blob/master/contributors/devel/sig-instrumentation/logging.md
 	klog.InitFlags(nil)
 	kube.InitFlags(nil)
+	injector.BindConfigFlags(nil)
 
 	flag.Parse()
 	defer klog.Flush()
@@ -25,12 +26,15 @@ func main() {
 	ctx := context.Background()
 
 	kubeClient := kube.GetKubeClient()
-	uids, err := injector.AllowedControllersServiceAccountUID(ctx, kubeClient)
-	if err != nil {
-		log.Fatalf("failed to get authentication uids from services accounts: %s", err)
-	}
+	var authUIDs []string
 
-	err = injector.NewInjector(uids, cfg, kubeClient).Run(ctx)
+	if cfg.ValidateServiceAccount {
+		authUIDs, err = injector.AllowedControllersServiceAccountUID(ctx, kubeClient)
+		if err != nil {
+			log.Fatalf("failed to get authentication uids from services accounts: %s", err)
+		}
+	}
+	err = injector.NewInjector(authUIDs, cfg, kubeClient).Run(ctx)
 	if err != http.ErrServerClosed {
 		klog.Fatal(err)
 	}

cmd/rusid/sidecar.go

@@ -66,7 +66,7 @@ func main() {
 	klog.InfoS("Rusid is using", "config", cfg)
 
 	//Start diagnostics server
-	go startDiagnosticsServer(mainCtx, wg, cfg.DiagnosticsPort, cfg.EnableMetrics,
+	go startDiagnosticsServer(mainCtx, wg, cfg.AppID, cfg.DiagnosticsPort, cfg.EnableMetrics,
 		// WithTimeout allows you to set a max overall timeout.
 		healthcheck.WithTimeout(5*time.Second),
 		healthcheck.WithChecker("component manager", compManager))
@@ -93,7 +93,7 @@ func shutdownOnInterrupt(cancel func()) {
 	}()
 }
 
-func startDiagnosticsServer(ctx context.Context, wg *sync.WaitGroup, port int,
+func startDiagnosticsServer(ctx context.Context, wg *sync.WaitGroup, appId string, port int,
 	enableMetrics bool, options ...healthcheck.Option) {
 	wg.Add(1)
 	defer wg.Done()
@@ -102,7 +102,8 @@ func startDiagnosticsServer(ctx context.Context, wg *sync.WaitGroup, port int,
 	router.Handle("/healthz", healthcheck.HandlerFunc(options...))
 
 	if enableMetrics {
-		router.Handle("/metrics", metrics.GetPrometheusMetricHandler())
+		exporter := metrics.SetupPrometheusMetrics(appId)
+		router.HandleFunc("/metrics", exporter.ServeHTTP)
 	} else {
 		metrics.SetNoopMeterProvider()
 	}

internal/metrics/metrics.go

@@ -5,14 +5,13 @@ import (
 	"go.opentelemetry.io/otel/attribute"
 	"go.opentelemetry.io/otel/metric"
 	"go.opentelemetry.io/otel/metric/global"
-	"os"
+
 	"sync"
 	"time"
 )
 
 type serviceMetrics struct {
 	pubsubMeter       metric.Meter
-	hostname          string
 	publishCount      metric.Int64Counter
 	subscribeDuration metric.Int64Histogram
 }
@@ -22,7 +21,7 @@ var (
 	s        *serviceMetrics
 )
 
-func DefaultMonitoring() *serviceMetrics {
+func DefaultPubSubMetrics() *serviceMetrics {
 	initOnce.Do(func() {
 		s = newServiceMetrics()
 	})
@@ -32,11 +31,9 @@ func DefaultMonitoring() *serviceMetrics {
 func newServiceMetrics() *serviceMetrics {
 	meter := global.Meter("rusi.io/pubsub")
 	pubsubM := metric.Must(meter)
-	hostname, _ := os.Hostname()
 
 	return &serviceMetrics{
 		pubsubMeter: meter,
-		hostname:    hostname,
 		publishCount: pubsubM.NewInt64Counter("pubsub.publish.count",
 			metric.WithDescription("The number of publishes")),
 		subscribeDuration: pubsubM.NewInt64Histogram("pubsub.subscribe.duration",
@@ -49,7 +46,6 @@ func (s *serviceMetrics) RecordPublishMessage(ctx context.Context, topic string,
 	s.pubsubMeter.RecordBatch(
 		ctx,
 		[]attribute.KeyValue{
-			attribute.String("hostname", s.hostname),
 			attribute.String("topic", topic),
 			attribute.Bool("success", success),
 		},
@@ -60,7 +56,6 @@ func (s *serviceMetrics) RecordSubscriberProcessingTime(ctx context.Context, top
 	s.pubsubMeter.RecordBatch(
 		ctx,
 		[]attribute.KeyValue{
-			attribute.String("hostname", s.hostname),
 			attribute.String("topic", topic),
 			attribute.Bool("success", success),
 		},

internal/metrics/prometheus.go

@@ -1,19 +1,26 @@
 package metrics
 
 import (
+	"context"
 	"go.opentelemetry.io/otel/exporters/prometheus"
 	"go.opentelemetry.io/otel/metric/global"
 	sdk_metric "go.opentelemetry.io/otel/sdk/export/metric"
 	"go.opentelemetry.io/otel/sdk/metric/aggregator/histogram"
 	controller "go.opentelemetry.io/otel/sdk/metric/controller/basic"
 	processor "go.opentelemetry.io/otel/sdk/metric/processor/basic"
 	selector "go.opentelemetry.io/otel/sdk/metric/selector/simple"
+	"go.opentelemetry.io/otel/sdk/resource"
+	semconv "go.opentelemetry.io/otel/semconv/v1.4.0"
 	"k8s.io/klog/v2"
-	"net/http"
+	"time"
 )
 
-func GetPrometheusMetricHandler() http.HandlerFunc {
+func SetupPrometheusMetrics(appId string) *prometheus.Exporter {
 	config := prometheus.Config{}
+	r, _ := resource.New(context.Background(),
+		resource.WithHost(),
+		resource.WithAttributes(semconv.ServiceNameKey.String(appId)))
+
 	c := controller.New(
 		processor.NewFactory(
 			selector.NewWithHistogramDistribution(
@@ -22,12 +29,14 @@ func GetPrometheusMetricHandler() http.HandlerFunc {
 			sdk_metric.CumulativeExportKindSelector(),
 			processor.WithMemory(true),
 		),
+		controller.WithResource(r),
+		controller.WithCollectPeriod(10*time.Second), //default - 10 sec
 	)
 	exporter, err := prometheus.New(config, c)
 	if err != nil {
 		klog.ErrorS(err, "failed to initialize prometheus exporter")
 		return nil
 	}
 	global.SetMeterProvider(exporter.MeterProvider())
-	return exporter.ServeHTTP
+	return exporter
 }

pkg/injector/config.go

@@ -1,9 +1,12 @@
 package injector
 
 import (
+	"flag"
 	"github.com/kelseyhightower/envconfig"
 )
 
+var defaultConfig = NewConfigWithDefaults()
+
 // Config represents configuration options for the Rusi Sidecar Injector webhook server.
 type Config struct {
 	TLSCertFile            string `envconfig:"TLS_CERT_FILE" required:"true"`
@@ -12,6 +15,7 @@ type Config struct {
 	SidecarImagePullPolicy string `envconfig:"SIDECAR_IMAGE_PULL_POLICY"`
 	Namespace              string `envconfig:"NAMESPACE" required:"true"`
 	KubeClusterDomain      string `envconfig:"KUBE_CLUSTER_DOMAIN"`
+	ValidateServiceAccount bool
 }
 
 // NewConfigWithDefaults returns a Config object with default values already
@@ -20,17 +24,20 @@ type Config struct {
 func NewConfigWithDefaults() Config {
 	return Config{
 		SidecarImagePullPolicy: "Always",
+		ValidateServiceAccount: true,
 	}
 }
 
-// GetConfig returns configuration derived from environment variables.
-func GetConfig() (Config, error) {
-	// get config from environment variables
-	c := NewConfigWithDefaults()
-	err := envconfig.Process("", &c)
-	if err != nil {
-		return c, err
+func BindConfigFlags(flagset *flag.FlagSet) {
+	if flagset == nil {
+		flagset = flag.CommandLine
 	}
 
-	return c, nil
+	flagset.BoolVar(&defaultConfig.ValidateServiceAccount, "validate_service_account", defaultConfig.ValidateServiceAccount, "If true, injector will validate that rusi sidecars can only be created by a specified list of serviceAccounts")
+}
+
+// GetConfig returns configuration derived from environment variables.
+func GetConfig() (Config, error) {
+	err := envconfig.Process("", &defaultConfig)
+	return defaultConfig, err
 }

pkg/injector/injector.go

@@ -107,7 +107,7 @@ func (i *injector) handleRequest(w http.ResponseWriter, r *http.Request) {
 	if err != nil {
 		klog.Errorf("Can't decode body: %v", err)
 	} else {
-		if !utils.StringSliceContains(ar.Request.UserInfo.UID, i.authUIDs) {
+		if i.config.ValidateServiceAccount && !utils.StringSliceContains(ar.Request.UserInfo.UID, i.authUIDs) {
 			err = errors.New(fmt.Sprintf("service account '%s' not on the list of allowed controller accounts", ar.Request.UserInfo.Username))
 			klog.Error(err)
 		} else if ar.Request.Kind.Kind != "Pod" {

pkg/injector/pod_patch.go

@@ -52,7 +52,7 @@ const (
 	apiAddress                    = "rusi-api"
 	apiPort                       = 80
 	kubernetesMountPath           = "/var/run/secrets/kubernetes.io/serviceaccount"
-	defaultConfig                 = "default"
+	defaultConfigName             = "default"
 	defaultEnabledMetric          = true
 	defaultMetricsPort            = 9090
 	defaultSidecarDebug           = false
@@ -219,7 +219,7 @@ func podContainsSidecarContainer(pod *corev1.Pod) bool {
 }
 
 func getConfig(annotations map[string]string) string {
-	return getStringAnnotationOrDefault(annotations, rusiConfigKey, defaultConfig)
+	return getStringAnnotationOrDefault(annotations, rusiConfigKey, defaultConfigName)
 }
 
 func getEnableDebug(annotations map[string]string) bool {

pkg/middleware/metrics.go

@@ -12,7 +12,7 @@ func SubscriberMetricsMiddleware() messaging.Middleware {
 		return func(ctx context.Context, msg *messaging.MessageEnvelope) error {
 			start := time.Now()
 			err := next(ctx, msg)
-			metrics.DefaultMonitoring().RecordSubscriberProcessingTime(ctx, msg.Subject, err == nil, time.Since(start))
+			metrics.DefaultPubSubMetrics().RecordSubscriberProcessingTime(ctx, msg.Subject, err == nil, time.Since(start))
 			return err
 		}
 	}
@@ -22,7 +22,7 @@ func PublisherMetricsMiddleware() messaging.Middleware {
 	return func(next messaging.Handler) messaging.Handler {
 		return func(ctx context.Context, msg *messaging.MessageEnvelope) error {
 			err := next(ctx, msg)
-			metrics.DefaultMonitoring().RecordPublishMessage(ctx, msg.Subject, err == nil)
+			metrics.DefaultPubSubMetrics().RecordPublishMessage(ctx, msg.Subject, err == nil)
 			return err
 		}
 	}

pkg/runtime/config.go

@@ -11,7 +11,7 @@ import (
 const (
 	defaultGRPCPort        = 50003
 	defaultDiagnosticsPort = 8080
-	defaultEnableMetrics   = false
+	defaultEnableMetrics   = true
 )
 
 type ConfigBuilder struct {