add prometheusK8s.enforcedBodySizeLimit to CMO ConfigMap, limiting the

bodysize when scraping metric.
Empty value or 0 means bodysize limit. "automatic" for automatically
deduced bodysize limit.

Author: raptorsun

Diff for: CHANGELOG.md

@@ -9,6 +9,7 @@
 - [#1601](https://github.com/openshift/cluster-monitoring-operator/pull/1601) Expose the /federate endpoint of UWM Prometheus as a service
 - [#1617](https://github.com/openshift/cluster-monitoring-operator/pull/1617) Add Oauth2 setting to PrometheusK8s remoteWrite config
 - [#1598](https://github.com/openshift/cluster-monitoring-operator/pull/1598) Expose Authorization settings for remote write in the CMO configuration
+- [#1467](https://github.com/openshift/cluster-monitoring-operator/pull/1467) Add bodysize limit for metric scraping
 
 ## 4.10
 

Diff for: pkg/client/client.go

@@ -1524,6 +1524,24 @@ func (c *Client) DeleteRole(ctx context.Context, role *rbacv1.Role) error {
 	return err
 }
 
+func (c *Client) PodCapacity(ctx context.Context) (int, error) {
+	nodes, err := c.kclient.CoreV1().Nodes().List(ctx, metav1.ListOptions{})
+	if err != nil {
+		return 0, err
+	}
+	var podCapacityTotal int64
+	for _, node := range nodes.Items {
+		podsCount, succeeded := node.Status.Capacity.Pods().AsInt64()
+		if !succeeded {
+			klog.Warningf("Cannot get pod capacity from node: %s. Error: %v", node.Name, err)
+			continue
+		}
+		podCapacityTotal += podsCount
+	}
+
+	return int(podCapacityTotal), nil
+}
+
 // mergeMetadata merges labels and annotations from `existing` map into `required` one where `required` has precedence
 // over `existing` keys and values. Additionally function performs filtering of labels and annotations from `exiting` map
 // where keys starting from string defined in `metadataPrefix` are deleted. This prevents issues with preserving stale

Diff for: pkg/client/client_test.go

@@ -25,6 +25,7 @@ import (
 	appsv1 "k8s.io/api/apps/v1"
 	v1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
+	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	monv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
@@ -1836,3 +1837,50 @@ func TestCreateOrUpdateValidatingWebhookConfiguration(t *testing.T) {
 		})
 	}
 }
+
+func TestPodCapacity(t *testing.T) {
+	ctx := context.Background()
+	node1 := v1.Node{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "node1",
+		},
+		Status: v1.NodeStatus{
+			Capacity: v1.ResourceList{
+				v1.ResourcePods: resource.MustParse("100"),
+			},
+		},
+	}
+	node2 := v1.Node{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "node2",
+		},
+		Status: v1.NodeStatus{
+			Capacity: v1.ResourceList{
+				v1.ResourcePods: resource.MustParse("50"),
+			},
+		},
+	}
+	nodeList := v1.NodeList{
+		Items: []v1.Node{
+			node1,
+			node2,
+		},
+	}
+	t.Run("sum 2 nodes pod capacity", func(st *testing.T) {
+
+		c := Client{
+			kclient: fake.NewSimpleClientset(nodeList.DeepCopy()),
+		}
+
+		podCapacity, err := c.PodCapacity(ctx)
+
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		if podCapacity != 150 {
+			t.Fatalf("expected pods capacity 150, got %d", podCapacity)
+		}
+	})
+
+}

Diff for: pkg/manifests/config.go

@@ -16,19 +16,28 @@ package manifests
 
 import (
 	"bytes"
+	"context"
 	"encoding/json"
 	"fmt"
 	"io"
+	"math"
 
 	configv1 "github.com/openshift/api/config/v1"
 	monv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
+	poperator "github.com/prometheus-operator/prometheus-operator/pkg/operator"
 	v1 "k8s.io/api/core/v1"
 	k8syaml "k8s.io/apimachinery/pkg/util/yaml"
 	auditv1 "k8s.io/apiserver/pkg/apis/audit/v1"
+	"k8s.io/klog/v2"
 )
 
 const (
 	DefaultRetentionValue = "15d"
+
+	// Limit the body size from scrape queries
+	// Assumptions: one node has in average 110 pods, each pod exposes 400 metrics, each metric is expressed by on average 250 bytes.
+	// 1.5x the size for a safe margin, it rounds to 16MB (16,500,000 Bytes).
+	minimalSizeLimit = 1.5 * 110 * 400 * 250
 )
 
 type Config struct {
@@ -171,17 +180,18 @@ type RemoteWriteSpec struct {
 }
 
 type PrometheusK8sConfig struct {
-	LogLevel            string                               `json:"logLevel"`
-	Retention           string                               `json:"retention"`
-	NodeSelector        map[string]string                    `json:"nodeSelector"`
-	Tolerations         []v1.Toleration                      `json:"tolerations"`
-	Resources           *v1.ResourceRequirements             `json:"resources"`
-	ExternalLabels      map[string]string                    `json:"externalLabels"`
-	VolumeClaimTemplate *monv1.EmbeddedPersistentVolumeClaim `json:"volumeClaimTemplate"`
-	RemoteWrite         []RemoteWriteSpec                    `json:"remoteWrite"`
-	TelemetryMatches    []string                             `json:"-"`
-	AlertmanagerConfigs []AdditionalAlertmanagerConfig       `json:"additionalAlertmanagerConfigs"`
-	QueryLogFile        string                               `json:"queryLogFile"`
+	LogLevel              string                               `json:"logLevel"`
+	Retention             string                               `json:"retention"`
+	NodeSelector          map[string]string                    `json:"nodeSelector"`
+	Tolerations           []v1.Toleration                      `json:"tolerations"`
+	Resources             *v1.ResourceRequirements             `json:"resources"`
+	ExternalLabels        map[string]string                    `json:"externalLabels"`
+	VolumeClaimTemplate   *monv1.EmbeddedPersistentVolumeClaim `json:"volumeClaimTemplate"`
+	RemoteWrite           []RemoteWriteSpec                    `json:"remoteWrite"`
+	TelemetryMatches      []string                             `json:"-"`
+	AlertmanagerConfigs   []AdditionalAlertmanagerConfig       `json:"additionalAlertmanagerConfigs"`
+	QueryLogFile          string                               `json:"queryLogFile"`
+	EnforcedBodySizeLimit string                               `json:"enforcedBodySizeLimit,omitempty"`
 }
 
 type AdditionalAlertmanagerConfig struct {
@@ -313,19 +323,18 @@ func (cfg *TelemeterClientConfig) IsEnabled() bool {
 	return true
 }
 
-func NewConfig(content io.Reader) (*Config, error) {
+func NewConfig(content io.Reader) (res *Config, err error) {
 	c := Config{}
 	cmc := ClusterMonitoringConfiguration{}
-	err := k8syaml.NewYAMLOrJSONDecoder(content, 4096).Decode(&cmc)
+	err = k8syaml.NewYAMLOrJSONDecoder(content, 4096).Decode(&cmc)
 	if err != nil {
 		return nil, err
 	}
 	c.ClusterMonitoringConfiguration = &cmc
-	res := &c
+	res = &c
 	res.applyDefaults()
 	c.UserWorkloadConfiguration = NewDefaultUserWorkloadMonitoringConfig()
-
-	return res, nil
+	return
 }
 
 func (c *Config) applyDefaults() {
@@ -471,6 +480,46 @@ func (c *Config) NoProxy() string {
 	return c.ClusterMonitoringConfiguration.HTTPConfig.NoProxy
 }
 
+// PodCapacityReader returns the maximum number of pods that can be scheduled in a cluster.
+type PodCapacityReader interface {
+	PodCapacity(context.Context) (int, error)
+}
+
+func (c *Config) LoadEnforcedBodySizeLimit(pcr PodCapacityReader, ctx context.Context) error {
+	if c.ClusterMonitoringConfiguration.PrometheusK8sConfig.EnforcedBodySizeLimit == "automatic" {
+		podCapacity, err := pcr.PodCapacity(ctx)
+		if err != nil {
+			return fmt.Errorf("error fetching pod capacity: %v", err)
+		}
+		c.ClusterMonitoringConfiguration.PrometheusK8sConfig.EnforcedBodySizeLimit = calculateBodySizeLimit(podCapacity)
+		return nil
+	}
+
+	if c.ClusterMonitoringConfiguration.PrometheusK8sConfig.EnforcedBodySizeLimit != "" {
+		return poperator.ValidateSizeField(c.ClusterMonitoringConfiguration.PrometheusK8sConfig.EnforcedBodySizeLimit)
+	}
+
+	return nil
+}
+
+func (c *Config) UseMinimalEnforcedBodySizeLimit() {
+	c.ClusterMonitoringConfiguration.PrometheusK8sConfig.EnforcedBodySizeLimit = fmt.Sprintf("%dMB", int(math.Ceil(float64(minimalSizeLimit)/(1024*1024))))
+}
+
+func calculateBodySizeLimit(podCapacity int) string {
+	const samplesPerPod = 400       // 400 samples per pod
+	const sizePerSample = 200       // 200 Bytes
+	const loadFactorPercentage = 60 // assume 80% of the maximum pods capacity per node is used
+
+	bodySize := loadFactorPercentage * podCapacity / 100 * samplesPerPod * sizePerSample
+	if bodySize < minimalSizeLimit {
+		bodySize = minimalSizeLimit
+		klog.Infof("Calculated scrape body size limit is too small, using default value %v instead", minimalSizeLimit)
+	}
+
+	return fmt.Sprintf("%dMB", int(math.Ceil(float64(bodySize)/(1024*1024))))
+}
+
 func NewConfigFromString(content string) (*Config, error) {
 	if content == "" {
 		return NewDefaultConfig(), nil

Diff for: pkg/manifests/config_test.go

@@ -16,6 +16,8 @@ package manifests
 
 import (
 	"bytes"
+	"context"
+	"errors"
 	"io/ioutil"
 	"os"
 	"testing"
@@ -192,7 +194,7 @@ func TestHttpProxyConfig(t *testing.T) {
 	conf := `http:
   httpProxy: http://test.com
   httpsProxy: https://test.com
-  noProxy: https://example.com	
+  noProxy: https://example.com
 `
 
 	c, err := NewConfig(bytes.NewBufferString(conf))
@@ -234,3 +236,100 @@ func TestHttpProxyConfig(t *testing.T) {
 		}
 	}
 }
+
+type fakePodCapacity struct {
+	capacity int
+	err      error
+}
+
+func (fpc *fakePodCapacity) PodCapacity(context.Context) (int, error) {
+	return fpc.capacity, fpc.err
+}
+
+func TestLoadEnforcedBodySizeLimit(t *testing.T) {
+
+	mc_10 := fakePodCapacity{capacity: 10, err: nil}
+	mc_1000 := fakePodCapacity{capacity: 1000, err: nil}
+	mc_err := fakePodCapacity{capacity: 1000, err: errors.New("error")}
+	for _, tt := range []struct {
+		name                string
+		config              string
+		expectBodySizeLimit string
+		expectError         bool
+		pcr                 PodCapacityReader
+	}{
+		{
+			name:                "empty config",
+			config:              "",
+			expectBodySizeLimit: "",
+			expectError:         false,
+			pcr:                 &mc_10,
+		},
+		{
+			name:                "disable body size limit",
+			config:              `{"prometheusK8s": {"enforcedBodySizeLimit": "0"}}`,
+			expectBodySizeLimit: "0",
+			expectError:         false,
+			pcr:                 &mc_10,
+		},
+		{
+			name:                "normal size format",
+			config:              `{"prometheusK8s": {"enforcedBodySizeLimit": "10KB"}}`,
+			expectBodySizeLimit: "10KB",
+			expectError:         false,
+			pcr:                 &mc_10,
+		},
+		{
+			name:                "invalid size format",
+			config:              `{"prometheusK8s": {"enforcedBodySizeLimit": "10EUR"}}`,
+			expectBodySizeLimit: "",
+			expectError:         true,
+			pcr:                 &mc_10,
+		},
+		{
+			name:                "automatic deduced limit: error when getting pods capacity",
+			config:              `{"prometheusK8s": {"enforcedBodySizeLimit": "automatic"}}`,
+			expectBodySizeLimit: "",
+			expectError:         true,
+			pcr:                 &mc_err,
+		},
+		{
+			name:                "automatically deduced limit: minimal 16MB",
+			config:              `{"prometheusK8s": {"enforcedBodySizeLimit": "automatic"}}`,
+			expectBodySizeLimit: "16MB",
+			expectError:         false,
+			pcr:                 &mc_10,
+		},
+		{
+			name:                "automatically deduced limit: larger than minimal 16MB",
+			config:              `{"prometheusK8s": {"enforcedBodySizeLimit": "automatic"}}`,
+			expectBodySizeLimit: "46MB",
+			expectError:         false,
+			pcr:                 &mc_1000,
+		},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			c, err := NewConfigFromString(tt.config)
+			if err != nil {
+				t.Fatalf("config parsing error")
+			}
+
+			err = c.LoadEnforcedBodySizeLimit(tt.pcr, context.Background())
+			if tt.expectError {
+				if err == nil {
+					t.Fatalf("expected error, got nil")
+				}
+				return
+			}
+			if err != nil {
+				t.Fatalf("expected no error, got error %v", err)
+			}
+
+			if c.ClusterMonitoringConfiguration.PrometheusK8sConfig.EnforcedBodySizeLimit != tt.expectBodySizeLimit {
+				t.Fatalf("incorrect EnforcedBodySizeLimit is set: got %s, expected %s",
+					c.ClusterMonitoringConfiguration.PrometheusK8sConfig.EnforcedBodySizeLimit,
+					tt.expectBodySizeLimit)
+			}
+		})
+	}
+}

Diff for: pkg/manifests/manifests.go

@@ -1653,6 +1653,10 @@ func (f *Factory) PrometheusK8s(grpcTLS *v1.Secret, trustedCABundleCM *v1.Config
 		p.Spec.Secrets = append(p.Spec.Secrets, getAdditionalAlertmanagerSecrets(f.config.ClusterMonitoringConfiguration.PrometheusK8sConfig.AlertmanagerConfigs)...)
 	}
 
+	if f.config.ClusterMonitoringConfiguration.PrometheusK8sConfig.EnforcedBodySizeLimit != "" {
+		p.Spec.EnforcedBodySizeLimit = f.config.ClusterMonitoringConfiguration.PrometheusK8sConfig.EnforcedBodySizeLimit
+	}
+
 	return p, nil
 }