metrics: expose number of cached namespaces per subject #91
+57
−11
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
sadlerap
force-pushed
the
subject-cache-metrics
branch
2 times, most recently
from
8a55083 to
2d0c512
Compare
Our testing cache is our source of truth for how many subjects we're using in this test case. Rather than maintaining it separately in table declarations, calculate it from the cache during tests. Signed-off-by: Andy Sadler <ansadler@redhat.com>
IMO it's better coding style, and gopls has an easier time reasoning about these constants if they have explicit types. Signed-off-by: Andy Sadler <ansadler@redhat.com>
By adding these metrics, we can have better insights into namespace-lister's deployment in our dashboards. For instance, we can now get an idea of users that have broad access to namespaces. To preserve subject information, stuff the subject information into labels. This will allow us to view our cache both as individual entries and as an aggregate cache using promql queries. During cache synchronization, we purge all existing entries and rebuild so that stale subjects who no longer live in our cache do not get reported in our metrics. Signed-off-by: Andy Sadler <ansadler@redhat.com>
sadlerap
force-pushed
the
subject-cache-metrics
branch
from
2d0c512 to
8be49fa
Compare
filariow
requested changes
Mar 4, 2025
| Subsystem: "accesscache", | ||
| Name: "cached_namespace_count", | ||
| Help: "number of cached namespaces", | ||
| }, []string{"apiGroup", "kind", "name", "namespace"}), |
There was a problem hiding this comment.
Suggested change
| }, []string{"apiGroup", "kind", "name", "namespace"}), | |
| }, []string{"apiGroup", "subject"}), |
we could reduce the number of labels this way:
- user:
user:<name> - serviceaccount:
system:serviceaccount:<namespace>:<name>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This series exposes the number of namespaces a subject has in our cache. This allows us to have better metrics on how our cache is being used in live deployments.
By adding these metrics, we can add more insightful metrics to our dashboards. For instance, we can now tell if there are subjects in our cache who have a lot of cached namespaces, indicating broad access across the cluster. We can also use these metrics to get an idea of how large our cache is, by summing across all metrics and ignoring labels.
This series also does a little refactoring of the unit tests associated with the cache.