Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

operator: Add support for blocking queries per tenant #11094

Merged
merged 23 commits into from
Nov 28, 2023
Merged
Show file tree
Hide file tree
Changes from 18 commits
Commits
Show all changes
23 commits
Select commit Hold shift + click to select a range
f47c70d
Add spec for blocking queries
periklis Oct 31, 2023
bafa99b
Add config rendering
periklis Oct 31, 2023
7192e22
Update API docs
periklis Oct 31, 2023
35828e7
Add changelog entry
periklis Oct 31, 2023
48f0281
Address code review suggestions
periklis Oct 31, 2023
31b72ab
Rename blockedQueries field to blocked
periklis Oct 31, 2023
321f1c3
Address code review suggestions
periklis Nov 2, 2023
fd3ddde
Remove hack file amendments
periklis Nov 2, 2023
4db8460
Re-render bundles with imagePullPolicy set to IfNotPresent
periklis Nov 2, 2023
f76991c
Merge branch 'main' into operator-blocking-queries
periklis Nov 20, 2023
f37260e
Merge branch 'main' into operator-blocking-queries
periklis Nov 23, 2023
02d1c98
Fix changelog
periklis Nov 23, 2023
9712f6e
Merge branch 'operator-blocking-queries' of github.com:periklis/loki …
periklis Nov 23, 2023
e8aaba3
Update operator/hack/lokistack_gateway_ocp.yaml
periklis Nov 24, 2023
7321632
Merge branch 'main' into operator-blocking-queries
periklis Nov 27, 2023
ce6b722
Apply code review suggestions
periklis Nov 27, 2023
246f500
Re-Render api docs
periklis Nov 27, 2023
0883a4b
Remove obsolete docs
periklis Nov 27, 2023
5aeb9f0
Apply suggestions from code review
periklis Nov 27, 2023
49b17b7
Apply code review suggestions
periklis Nov 27, 2023
af48ac3
Merge branch 'main' into operator-blocking-queries
periklis Nov 27, 2023
98fff2f
Disallow empty blockedQuerySpec
periklis Nov 27, 2023
7a815d2
Merge branch 'main' into operator-blocking-queries
periklis Nov 28, 2023
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion operator/CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,12 +1,13 @@
## Main

- [11094](https://github.com/grafana/loki/pull/11094) **periklis**: Add support for blocking queries per tenant
- [11288](https://github.com/grafana/loki/pull/11288) **periklis**: Fix custom CA for object-store in ruler component
- [11091](https://github.com/grafana/loki/pull/11091) **periklis**: Add automatic stream sharding support
- [11022](https://github.com/grafana/loki/pull/11022) **JoaoBraveCoding**: Remove outdated BoltDB dashboards
- [10932](https://github.com/grafana/loki/pull/10932) **JoaoBraveCoding**: Adds new value v13 to schema
- [11232](https://github.com/grafana/loki/pull/11232) **periklis**: Update dependencies and dev tools
- [11129](https://github.com/grafana/loki/pull/11129) **periklis**: Update deps to secure webhooks for CVE-2023-44487
-

## 0.5.0 (2023-10-24)

- [10924](https://github.com/grafana/loki/pull/10924) **periklis**: Update Loki operand to v2.9.2
Expand Down
90 changes: 89 additions & 1 deletion operator/apis/loki/v1/lokistack_types.go
Original file line number Diff line number Diff line change
@@ -1,6 +1,8 @@
package v1

import (
"strings"

corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
Expand Down Expand Up @@ -633,6 +635,62 @@ type QueryLimitSpec struct {
CardinalityLimit int32 `json:"cardinalityLimit,omitempty"`
}

// BlockedQueryType defines the query limits type for blocked queries.
periklis marked this conversation as resolved.
Show resolved Hide resolved
//
// +kubebuilder:validation:Enum=filter;limited;metric
type BlockedQueryType string

const (
// BlockedQueryFilter defines the blocking type for queries with at least one log filter.
BlockedQueryFilter BlockedQueryType = "filter"
// BlockedQueryLimited defines the blocking type for queries without a filter or a metric aggregation.
BlockedQueryLimited BlockedQueryType = "limited"
// BlockedQueryMetric defines the blocking type for queries with an aggregation.
periklis marked this conversation as resolved.
Show resolved Hide resolved
BlockedQueryMetric BlockedQueryType = "metric"
)

type BlockedQueryTypes []BlockedQueryType
periklis marked this conversation as resolved.
Show resolved Hide resolved

// BlockedQuerySpec defines the rule spec for queries to be blocked.
type BlockedQuerySpec struct {
// Hash is a 32-bit FNV-1 hash of the query string.
//
// +optional
// +kubebuilder:validation:Optional
// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors="urn:alm:descriptor:com.tectonic.ui:number",displayName="Query Hash"
Hash int32 `json:"hash,omitempty"`
// Pattern defines the pattern matching the queries to be blocked.
//
// +optional
// +kubebuilder:validation:Optional
// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Query Pattern"
Pattern string `json:"pattern,omitempty"`
// Regex defines if the pattern is a regular expression. If false the pattern will be used only for exact matches.
//
// +optional
// +kubebuilder:validation:Optional
// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors="urn:alm:descriptor:com.tectonic.ui:booleanSwitch",displayName="Regex"
Regex bool `json:"regex,omitempty"`
// Types defines the list of query types that should be considered for blocking.
//
// +optional
// +kubebuilder:validation:Optional
// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Query Types"
Types BlockedQueryTypes `json:"types,omitempty"`
}

// PerTenantQueryLimitSpec defines the limits applied to per tenant query path.
type PerTenantQueryLimitSpec struct {
QueryLimitSpec `json:",omitempty"`

// Blocked defines the list of rules to block matching queries.
//
// +optional
// +kubebuilder:validation:Optional
// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Blocked"
Blocked []BlockedQuerySpec `json:"blocked,omitempty"`
}

// IngestionLimitSpec defines the limits applied at the ingestion path.
type IngestionLimitSpec struct {
// IngestionRate defines the sample size per second. Units MB.
Expand Down Expand Up @@ -773,6 +831,27 @@ type LimitsTemplateSpec struct {
Retention *RetentionLimitSpec `json:"retention,omitempty"`
}

// LimitsTemplateSpec defines the limits applied at ingestion or query path.
type PerTenantLimitsTemplateSpec struct {
// IngestionLimits defines the limits applied on ingested log streams.
//
// +optional
// +kubebuilder:validation:Optional
IngestionLimits *IngestionLimitSpec `json:"ingestion,omitempty"`

// QueryLimits defines the limit applied on querying log streams.
//
// +optional
// +kubebuilder:validation:Optional
QueryLimits *PerTenantQueryLimitSpec `json:"queries,omitempty"`

// Retention defines how long logs are kept in storage.
//
// +optional
// +kubebuilder:validation:Optional
Retention *RetentionLimitSpec `json:"retention,omitempty"`
}

// LimitsSpec defines the spec for limits applied at ingestion or query
// path across the cluster or per tenant.
type LimitsSpec struct {
Expand All @@ -788,7 +867,7 @@ type LimitsSpec struct {
// +optional
// +kubebuilder:validation:Optional
// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Limits per Tenant"
Tenants map[string]LimitsTemplateSpec `json:"tenants,omitempty"`
Tenants map[string]PerTenantLimitsTemplateSpec `json:"tenants,omitempty"`
}

// RulesSpec defines the spec for the ruler component.
Expand Down Expand Up @@ -1148,3 +1227,12 @@ func init() {

// Hub declares the v1.LokiStack as the hub CRD version.
func (*LokiStack) Hub() {}

func (t BlockedQueryTypes) String() string {
res := make([]string, 0, len(t))
for _, t := range t {
res = append(res, string(t))
}

return strings.Join(res, ",")
}
94 changes: 93 additions & 1 deletion operator/apis/loki/v1/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

14 changes: 8 additions & 6 deletions operator/apis/loki/v1beta1/lokistack_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -933,11 +933,11 @@ func (src *LokiStack) ConvertTo(dstRaw conversion.Hub) error {
}

if len(src.Spec.Limits.Tenants) > 0 {
dst.Spec.Limits.Tenants = make(map[string]v1.LimitsTemplateSpec)
dst.Spec.Limits.Tenants = make(map[string]v1.PerTenantLimitsTemplateSpec)
}

for tenant, srcSpec := range src.Spec.Limits.Tenants {
dstSpec := v1.LimitsTemplateSpec{}
dstSpec := v1.PerTenantLimitsTemplateSpec{}

if srcSpec.IngestionLimits != nil {
dstSpec.IngestionLimits = &v1.IngestionLimitSpec{
Expand All @@ -952,10 +952,12 @@ func (src *LokiStack) ConvertTo(dstRaw conversion.Hub) error {
}

if srcSpec.QueryLimits != nil {
dstSpec.QueryLimits = &v1.QueryLimitSpec{
MaxEntriesLimitPerQuery: srcSpec.QueryLimits.MaxEntriesLimitPerQuery,
MaxChunksPerQuery: srcSpec.QueryLimits.MaxChunksPerQuery,
MaxQuerySeries: srcSpec.QueryLimits.MaxQuerySeries,
dstSpec.QueryLimits = &v1.PerTenantQueryLimitSpec{
QueryLimitSpec: v1.QueryLimitSpec{
MaxEntriesLimitPerQuery: srcSpec.QueryLimits.MaxEntriesLimitPerQuery,
MaxChunksPerQuery: srcSpec.QueryLimits.MaxChunksPerQuery,
MaxQuerySeries: srcSpec.QueryLimits.MaxQuerySeries,
},
}
}

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -150,7 +150,7 @@ metadata:
categories: OpenShift Optional, Logging & Tracing
certified: "false"
containerImage: docker.io/grafana/loki-operator:0.5.0
createdAt: "2023-11-23T11:25:33Z"
createdAt: "2023-11-03T11:44:16Z"
description: The Community Loki Operator provides Kubernetes native deployment
and management of Loki and related logging components.
operators.operatorframework.io/builder: operator-sdk-unknown
Expand Down Expand Up @@ -444,6 +444,27 @@ spec:
path: limits.tenants.ingestion.perStreamRateLimitBurst
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:number
- description: Blocked defines the list of rules to block matching queries.
displayName: Blocked
path: limits.tenants.queries.blocked
- description: Hash is a 32-bit FNV-1 hash of the query string.
displayName: Query Hash
path: limits.tenants.queries.blocked[0].hash
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:number
- description: Pattern defines the pattern matching the queries to be blocked.
displayName: Query Pattern
path: limits.tenants.queries.blocked[0].pattern
- description: Regex defines if the pattern is a regular expression. If false
the pattern will be used only for exact matches.
displayName: Regex
path: limits.tenants.queries.blocked[0].regex
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:booleanSwitch
- description: Types defines the list of query types that should be considered
for blocking.
displayName: Query Types
path: limits.tenants.queries.blocked[0].types
- description: CardinalityLimit defines the cardinality limit for index queries.
displayName: Cardinality Limit
path: limits.tenants.queries.cardinalityLimit
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -289,6 +289,41 @@ spec:
description: QueryLimits defines the limit applied on querying
log streams.
properties:
blocked:
description: Blocked defines the list of rules to block
matching queries.
items:
description: BlockedQuerySpec defines the rule spec
for queries to be blocked.
properties:
hash:
description: Hash is a 32-bit FNV-1 hash of the
query string.
format: int32
type: integer
pattern:
description: Pattern defines the pattern matching
the queries to be blocked.
type: string
regex:
description: Regex defines if the pattern is a
regular expression. If false the pattern will
be used only for exact matches.
type: boolean
types:
description: Types defines the list of query types
that should be considered for blocking.
items:
description: BlockedQueryType defines the query
limits type for blocked queries.
enum:
- filter
- limited
- metric
type: string
type: array
type: object
type: array
cardinalityLimit:
description: CardinalityLimit defines the cardinality
limit for index queries.
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -150,7 +150,7 @@ metadata:
categories: OpenShift Optional, Logging & Tracing
certified: "false"
containerImage: docker.io/grafana/loki-operator:0.5.0
createdAt: "2023-11-23T11:25:30Z"
createdAt: "2023-11-03T11:44:14Z"
description: The Community Loki Operator provides Kubernetes native deployment
and management of Loki and related logging components.
operators.operatorframework.io/builder: operator-sdk-unknown
Expand Down Expand Up @@ -444,6 +444,27 @@ spec:
path: limits.tenants.ingestion.perStreamRateLimitBurst
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:number
- description: Blocked defines the list of rules to block matching queries.
displayName: Blocked
path: limits.tenants.queries.blocked
- description: Hash is a 32-bit FNV-1 hash of the query string.
displayName: Query Hash
path: limits.tenants.queries.blocked[0].hash
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:number
- description: Pattern defines the pattern matching the queries to be blocked.
displayName: Query Pattern
path: limits.tenants.queries.blocked[0].pattern
- description: Regex defines if the pattern is a regular expression. If false
the pattern will be used only for exact matches.
displayName: Regex
path: limits.tenants.queries.blocked[0].regex
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:booleanSwitch
- description: Types defines the list of query types that should be considered
for blocking.
displayName: Query Types
path: limits.tenants.queries.blocked[0].types
- description: CardinalityLimit defines the cardinality limit for index queries.
displayName: Cardinality Limit
path: limits.tenants.queries.cardinalityLimit
Expand Down
Loading
Loading