Add bodysize limit for metric scraping.

[raptorsun]

• I added CHANGELOG entry for this change.
• No user-facing changes, so no entry in CHANGELOG was needed.

This PR adds an option to CMO config map to activate bodysize limit on metrics scraping, which can prevent potential OOM problems when scraping metric endpoints responding with an oversized HTTP body.

The dependency upgrade PR is PR #1468 . This functionality requires Prometheus-Operator 0.51+. So I upgrade it to 0.52.

Here is the JIRA ticket.

FIeld prometheusK8s.enforcedBodySizeLimit to CMO ConfigMap, accepting the size format from Prometheus:

• Empty value and 0 mean no limit
• string "automatic" for automatically set the limit according the cluster pod capacity.
• [0-9]+[A-Z][a-z]*B for a customized size.

[raptorsun]

/retest-required

[raptorsun]

/test e2e-agnostic-upgrade

[raptorsun]

Tested with clusterbot it is well set to 2MB body size limit when adding the option limitScrapeBodySize: true in CMO config map.

$k exec -it prometheus-k8s-0 -n openshift-monitoring -- cat /etc/prometheus/config_out/prometheus.env.yaml  | grep body_size
  body_size_limit: 2MB
  body_size_limit: 2MB
  body_size_limit: 2MB

With the default value 2MB limit all targets are correctly scraped.

When setting the body size limit to 500KB part of the targets shows an error of exceeding the limit as shown in the screenshot below. (CMO running locally)

[jan--f]

Nice, this looks good to me. Is the scenario of hitting a scrape limit already covered by an existing alert?

I think it should definitely be alerted upon, as otherwise user might not get relevant metrics without being aware.

[raptorsun]

Nice, this looks good to me. Is the scenario of hitting a scrape limit already covered by an existing alert?

I think it should definitely be alerted upon, as otherwise user might not get relevant metrics without being aware.

Thanks for pointing out the alert. I almost forget it 😀
There is a metric prometheus_target_scrapes_exceeded_body_size_limit_total in prometheus to trigger alert when scrape body exceeds the size limit. I complete the PR with a commit adding this alert.

[arajkumar]

Can this be defined in upstream prometheus mixin?

[raptorsun]

Yes, I will submit a change to upstream prometheus mixins later. Once it is fit into upstream, we can clean it from CMO.

[raptorsun]

PR created in Prometheus to add this alert to mixins: prometheus/prometheus#9873
Hope it can be merged someday :)

[simonpasquier]

Can you add a TODO so we don't forget?

[raptorsun]

of course, when the PR is merged, we can safely removed this alert patch.

[simonpasquier]

let remove the patched alert and rely on upstream.

[raptorsun]

A new version is pushed :)
limitScrapeBodySize is a string now accepting the following 3 values:

1. a size in Prometheus config format such as "10MB"
2. a string "default" to use the default value we provided "2MB"
3. empty. no limit will be set.

[simonpasquier]

I'm not a big fan of named return values as I find that they make the code less readable. Maybe this is only me but I don't feel either that this change is required here.

[simonpasquier]

Maybe define a const for "automatic".

[simonpasquier]

Can you add a comment about how using the parameter?

• an empty value means no enforcement
• "automatic" means that CMO picks up a value based on the cluster capacity
• A fixed size can be defined too.

[simonpasquier]

you can handle the "return-early" case first.

Suggested change

	if c.ClusterMonitoringConfiguration.PrometheusK8sConfig.EnforcedBodySizeLimit == "automatic" {
	if c.ClusterMonitoringConfiguration.PrometheusK8sConfig.EnforcedBodySizeLimit == "" {
	return nil
	}
	if c.ClusterMonitoringConfiguration.PrometheusK8sConfig.EnforcedBodySizeLimit == "automatic" {

[simonpasquier]

this doesn't seem to be used but should be incorporated in calculateBodySizeLimit() I believe.

[simonpasquier]

I would assume that the full capacity can be used.

[simonpasquier]

we could log both values (e.g. "calculated body size limit = ... is too small, using ... instead")

[simonpasquier]

Suggested change

	klog.Warningf("Error loading enforced body size limit, no body size limit will be enforced. Error: %v", err)
	klog.Warningf("Error loading enforced body size limit, no body size limit will be enforced: %v", err)

[simonpasquier]

Suggested change

	t, 5*time.Minute, `ceil(sum(increase(prometheus_target_scrapes_exceeded_body_size_limit_total{job="prometheus-k8s"}[5m])))`,
	t, 5*time.Minute, `sum(increase(prometheus_target_scrapes_exceeded_body_size_limit_total{job="prometheus-k8s"}[5m]))`,

[raptorsun]

need to keep the ceil function to round the result to an integer as WaitForQueryReturn requires.

[raptorsun]

/test e2e-agnostic-upgrade

[simonpasquier]

I think we can get rid of loadFactorPercentage.

Suggested change

	const loadFactorPercentage = 100 // assume 100% of the maximum pods capacity per node is used
	bodySize := loadFactorPercentage * podCapacity / 100 * samplesPerPod * sizePerSample
	bodySize := podCapacity * samplesPerPod * sizePerSample

[simonpasquier]

We probably need a "safe" lower-bound value for the "automatically computed" value but I'm not sure that this value is accurate. I would take a typical CI cluster, load it with as many pods/secret/configmaps as possible and measure the body size returned by kube-state-metrics /metrics.

[raptorsun]

Having tested with 100k secrets and 100k config maps with kube-burner, KSM scrape target gives us ~32MB body size.
So this lower bound is tripled to 48MB in new commit. It should be large enough I suppose :)

[raptorsun]

/test e2e-agnostic-operator

[raptorsun]

/test e2e-agnostic-operator

[jan--f]

This lgtm

[simonpasquier]

/lgtm

[simonpasquier]

/hold cancel

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jan--f, raptorsun, simonpasquier

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [jan--f,raptorsun,simonpasquier]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-ci]

@raptorsun: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.