Add KEP for Request ID

[hase1128]

This PR is KEP request.
I would like to discuss about this KEP with SIG-Auth members.

[k8s-ci-robot]

Welcome @hase1128!

It looks like this is your first PR to kubernetes/enhancements 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/enhancements has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @hase1128. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: hase1128
To complete the pull request process, please assign enj
You can assign the PR to them by writing /assign @enj in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• keps/sig-auth/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[hase1128]

/assign @enj

[mikedanese]

cc @dashpole

[dashpole]

Hey @hase1128, it looks like we have some similar goals. #650 is very similar in that we want to propagate an ID (the trace ID in that case) to all of the controllers so they can emit traces associated with the initial request. While #650 is about tracing, I agree that logging would benefit from being able to associate with a request as well.

Out of curiosity, what was your plan to send the "Request ID" to the kubelet?

[hase1128]

@dashpole
Thank you for the information about similar KEP.
I am checking #650 now, and I'm thinking that I would like to collaborate with existing KEP.
I may work in #650, or I may work in this KEP(if this KEP has additional point against #650 ).
It depends on the difference between these two KEPs, I think.

Out of curiosity, what was your plan to send the "Request ID" to the kubelet?

Current my plan is matching each k8s logs related to single API request by referring some ID information(e.g. audit-id in audit-log, UUID of resource, user-id, etc.) which is written in each k8s log automatically when processing an API request.
However, I don't clarify what kind of ID information is recorded in each k8s log in current k8s implementation yet.
If kubelet log doesn't have any useful ID information now, I need to consider another plan.

[hase1128]

@dashpole
I checked #650(but I didn't check all comments because #650 is too long...)
#650 seems to be in discussion in provisional status for about one year.

I think it is better that we start from small function and simple implementation.
And then, develop additional function step by step.

For example, we may be able to match each k8s logs related to single API request from user with only exsisting k8s function.

• Audit log may have API request from user and it's response information
  (e.g. API request includes username, uid, source ip, request url, etc. API Response includes uuid, etc.)
• some k8s logs may have uuid

So, we may be able to match logs by using uuid information.(but we can match only logs which include uuid)
we also know simple latency information, because each k8s log have timestamp.
This means we can know time delta between logs after matching related k8s logs by uuid.
Can this satisfy minimum requirement of a part of #650 goals?

I would like to collaborate with you for moving forward towards our goals.
But I don't grasp your current status, so I would like to talk with you by telephone(Zoom or Skype) if you are interested my idea.
I would like to know current status and discuss future direction.
(BTW, I am going to participate KubeCon San Diego. I can also talk by F2F.)

[dashpole]

It sounds like your interest is primarily in audit logs, which don't require any sort of context propagation. I didn't work on #650 for most of this year, and picked it up again in the last few months. I don't think matching by uuid is what i'm looking for, but it sounds like it meets your needs. I will be at kubecon as well, and will be presenting on #650 in the sig-instrumentation deep dive.

[brancz]

I agree with the general goal of these, but think similarly to @dashpole that this is best solved as part of the existing KEP that is already being worked on by people.

[hase1128]

@brancz
Understood.
I would like to incorporate this KEP or existing KEP into RHOCP in the future.
In the current situation, it is better that I cooperate with the existing KEP, and consider how I can contribute.

[hase1128]

@dashpole

I will be at kubecon as well, and will be presenting on #650 in the sig-instrumentation deep dive.

I'm going to go your deep dive session. I would like to cooperate with you on #650.
So, I will participate your session and understand the detail of #650 at first.
After that, I consider how I can contribute. If you like, I'd like to talk a little with you after that session.

[logicalhan]

/sig instrumentation
/cc @brancz

[hase1128]

@brancz
I would like to discuss the following at the next SIG instrumentation meeting.
How to proceed KEP#1348
Background of this discussion

• I issued KEP(Add KEP for Request ID #1348), and there is a similar KEP(#650)
• But I noticed that the following point are different from what I would like to do with existing KEP(Propose KEP: Leveraging Distributed Tracing to Understand Kubernetes Object Lifecycles #650)
• The existing KEP(Propose KEP: Leveraging Distributed Tracing to Understand Kubernetes Object Lifecycles #650) does not have a mechanism for adding ID information to each k8s log file.
• This is serious problem for me. Use case of KEP(Add KEP for Request ID #1348) is here.
• Target: Support team of the k8s service provider (such as OpenShift)
• Objective: Resolving customer problem quickly by analyzing log files as a support team when they received log files from their customer when some troubles occurs in customer environment.
• So, I would like to have a mechanism that we can match each k8s component log related to single API request easily by adding some ID information to each k8s component log.
• Current design of my KEP(Add KEP for Request ID #1348) is as follows
  Design 1. Adding some ID information to metadata of object related to a single API request.
  Design 2. Adding this ID information to log files of each k8s component
  As a result, we can match each k8s component log related to single API request.
• Design 1 may be able to implemented by using a part of mechanism of existing KEP(Propose KEP: Leveraging Distributed Tracing to Understand Kubernetes Object Lifecycles #650). (propagate trace ID to related object)
• Design 2 may be able to implemented by using the another KEP(#1367).
  In the above situation, I would like to consult how to proceed my kEP(Add KEP for Request ID #1348).
  Example:
• Adding the feature (adding ID information to each log) to existing KEP(Propose KEP: Leveraging Distributed Tracing to Understand Kubernetes Object Lifecycles #650)
• Work on KEP(Add KEP for Request ID #1348)

[sftim]

/retest

[k8s-ci-robot]

@hase1128: The following test failed, say /retest to rerun all failed tests:

Test name	Commit	Details	Rerun command
pull-enhancements-verify	1383a34	link	/test pull-enhancements-verify

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[serathius]

/assign

[serathius]

This should more like in scope of Audit Logging. https://kubernetes.io/docs/tasks/debug-application-cluster/audit/
Please be precise about use cases that audit logs cannot solve.

[hase1128]

I added additional description.

[serathius]

What is an operation here? kubectl request, Operator request etc.

Problem: most requests in cluster are not done by user, but some controller that works on user behalf.

Example user sends 1 request about creating Deployment. This leads to tens of requests done to reconcile Deployment state. Deployment creates replica set. Replicaset creates pods. Pods are scheduled etc. Everything is a request here.

[hase1128]

operation means kubectl command. we would like to associate logs related to klog calls which called by functions and APIs via kubectl command. I added more explanation.

[serathius]

Openstack defines two types of Request-ID. Local and Global one.

Based on further text I guess that you mean Global Request ID. Please make it more explicit in KEP.

I would propose to rename all references to "Request-ID" to "Trace-ID" to reduce naming confusion.

[hase1128]

yes, It means global request-id. I changed to Global request id in the above sentence.

[hase1128]

I would propose to rename all references to "Request-ID" to "Trace-ID" to reduce naming confusion.

OK, I consider this and may update KEP later.

[serathius]

What was the criteria for picking those and not others?

[serathius]

What marks an important kubectl operation?

[hase1128]

I added criteria and explanation in the KEP.

[serathius]

"Request-ID should be a normal field, meaning it should be put after message "Pod status updated"

[hase1128]

OK, I put request-id after the message.
btw, what is normal field? (sorry, I'm not familiar the structure of field of klog in k8s...)

[dashpole]

It would help to readers to give these cases summaries. This one would probably be something like:
Given an API Request, find the resulting component logs

The one below would be something like
Given a component log, find the API Request

[hase1128]

I added cases summaries.

[dashpole]

Usually the process of moving from:
disabled by default -> enabled by default -> always enabled
maps to
alpha -> beta -> GA

Unless you are proposing something outside of this, it probably doesn't need to be mentioned in goals.

[hase1128]

I think you are pointing feature gate.
I considered whether feature gate can satisfy our objective or not, but I'd like to allow the user to adjust the trade-off with log size. (This is similar to the concept of log level), so I'd like to implement the feature which can control request-id feature.

[dashpole]

Maybe more precise here. You want to add it to write operations, as those are the ones that cause changes in the system.

[hase1128]

you are right. I added more explanation.

[dashpole]

It looks like you have a well-defined list of places you would like to add this log below. Maybe say here that you are adding metadata to "key" kuberntes logs, rather than "all" logs. "all" logs would be an enormous undertaking and may not be realistic.

[hase1128]

yes, I modified the word "all".

[dashpole]

Interesting. This is the equivalent of verbosity for adding this info to logs. How do you plan to propagate the request id value here to controllers? Will it also have to be stored in an annotation and propagated the same way the SpanContext is for tracing?

[hase1128]

I am considering the method, but I don't have the best idea now.
Currently, I think we don't use the same way the SpanContext. There is an idea that we add parameter into component-base. This is the same idea as structured logging(--logging-format). However, I think this requires restart of each K8s component when we changes the value of flag. Currently, I am investigating a method which applies against all of component and does not need restart.

[hase1128]

@serathius
In your strctured logging KEP, you are going to implement following structure.

LoggingConfig structure should be implemented as part of k8s.io/component-base options and include a common set of flags for logger initialization.

Can we add --request-id parameter into this structure? Since --request-id parameter is also related to logging, I think it would be a simpler implementation to include it in this structure.

[hase1128]

@serathius
I have additional questions.

set of klog flags is included in klog package. Does LoggingConfig structure is related to these klog flags?
if there is a component which does not use logger initialization via component-base, we need to implement this against such component?

[dashpole]

Ok, I think I understand the proposal now. I'll defer to @serathius, but I don't think we want to introduce a new verbosity level for each piece of metadata we are considering adding to logs.

If we are very concerned about this adding to log size, we might instead prioritize adding this field to lower (>4) verbosity logs. That way, we don't log this field very often by default, but turning up the verbosity adds many logs that contain the field.

[hase1128]

Thanks the comment.
I will wait reply from @serathius . I understand your opinion, because --request-id parameter's effect is similar to the existing verbosity level. (So, this may make the use of parameters difficult and complicated for users.)

If we use existing verbosity log(--v), I want to consider which level we should add request-id.

[dashpole]

Can you document what the "impact" you are referring to here is?

[hase1128]

I added the explanation about "impact".

[dashpole]

Please also note that context-based logging doesn't have nearly the same degree of security that audit logs have. The context propagation described in the tracing proposal doesn't guarantee that all actions taken by controllers will be tied back to the same trace id. In particular, if the trace context is overwritten, new spans/logs from components will be associated with the new trace context. We can't provide guarantees around the completeness of logs for a given trace id. Audit logging is also purposefully designed to be secure. Component logs do not provide the same protections.

[hase1128]

In particular, if the trace context is overwritten, new spans/logs from components will be associated with the new trace context.

Does this mean below? (I referred your KEP)

High-level processes, such as starting a pod or restarting a failed container, could be interrupted before completion by an update to the desired state. While this leaves a "partial" trace for the first process, it is the most accurate representation of the work and timing of reconciling desired and actual state.

Even If logs before overwriting trace-context have same trace-ID and associated logs after overwriting have another trace-ID, I think both logs are valuable from a troubleshooting standpoint.

[serathius]

Can you add Glossary section to KEP and explain names like Global request ID in context of this KEP.
It would really help if you used same naming convention as tracing KEP https://github.com/kubernetes/enhancements/blob/master/keps/sig-instrumentation/0034-distributed-tracing-kep.md#definitions
It's hard to map different terms used in both KEPs

[serathius]

Recent changes to tracing KEP https://github.com/kubernetes/enhancements/pull/1458/files removed idea of propagating traces through K8s controllers. This means that you should rethink idea of Global request ID as now traces will be very short (they will cover only client -> apiserver -> etcd)

[serathius]

With object tracing removed from tracing KEP, this is no longer possible.

[serathius]

What is root API request?

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[hase1128]

I close this KEP, because this KEP has been replaced by the following KEP.
#1961