Enabling logs in critical paths (#62)

haouc · web-flow · commit 976cb4977135 · 2023-12-22T20:59:53.000-08:00
&lt;!--  Thanks for sending a pull request!  Here are some tips for you:
1. Ensure you have added the unit tests for your changes.
2. Ensure you have included output of manual testing done in the Testing
section.
3. Ensure number of lines of code for new or existing methods are within
the reasonable limit.
4. Ensure your change works on existing clusters after upgrade.
--&gt;
**What type of PR is this?**

&lt;!--
Add one of the following:
bug
cleanup
documentation
feature
--&gt;
cleanup
**Which issue does this PR fix**:


**What does this PR do / Why do we need it**:
Since we are running this controller in EKS managed control plane, we
should enable critical logs by default.

**If an issue # is not available please add steps to reproduce and the
controller logs**:


**Testing done on this change**:
&lt;!--
output of manual testing/integration tests results and also attach logs
showing the fix being resolved
--&gt;
Ran the controller locally and confirmed.
**Automation added to e2e**:
&lt;!--
List the e2e tests you added as part of this PR.
If no, create an issue with enhancement/testing label
--&gt;

**Will this PR introduce any new dependencies?**:
&lt;!--
e.g. new K8s API
--&gt;

**Will this break upgrades or downgrades. Has updating a running cluster
been tested?**:


**Does this PR introduce any user-facing change?**:
&lt;!--
If yes, a release note update is required:
Enter your extended release note in the block below. If the PR requires
additional actions
from users switching to the new release, include the string "action
required".
--&gt;

```release-note

```

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
diff --git a/internal/controllers/policy_controller.go b/internal/controllers/policy_controller.go
@@ -122,7 +122,7 @@ func (r *policyReconciler) SetupWithManager(ctx context.Context, mgr ctrl.Manage
 func (r *policyReconciler) reconcile(ctx context.Context, request reconcile.Request) error {
 	policy := &networking.NetworkPolicy{}
 	if err := r.k8sClient.Get(ctx, request.NamespacedName, policy); err != nil {
-		r.logger.V(1).Info("Unable to get policy", "resource", policy, "err", err)
+		r.logger.Info("Unable to get policy", "resource", policy, "err", err)
 		return client.IgnoreNotFound(err)
 	}
 	if !policy.DeletionTimestamp.IsZero() {
diff --git a/pkg/resolvers/endpoints.go b/pkg/resolvers/endpoints.go
@@ -167,6 +167,7 @@ func (r *defaultEndpointsResolver) resolveNetworkPeers(ctx context.Context, poli
 			// However, in this case we are not able to resolve any of the ports from the CIDR list alone. In this
 			// case we do not add the CIDR to the list of resolved peers to prevent allow all ports.
 			if len(ports) != 0 && len(portList) == 0 {
+				r.logger.Info("Couldn't resolve ports from given CIDR list and will skip this rule", "peer", peer)
 				continue
 			}
 			networkPeers = append(networkPeers, policyinfo.EndpointInfo{
@@ -215,7 +216,7 @@ func (r *defaultEndpointsResolver) getIngressRulesPorts(ctx context.Context, pol
 	var portList []policyinfo.Port
 	for _, pod := range podList.Items {
 		portList = append(portList, r.getPortList(pod, ports)...)
-		r.logger.Info("got ingress port", "port", portList, "pod", pod)
+		r.logger.Info("Got ingress port", "port", portList, "pod", pod)
 	}
 
 	return portList
@@ -260,7 +261,7 @@ func (r *defaultEndpointsResolver) resolveServiceClusterIPs(ctx context.Context,
 				return nil, err
 			}
 		}
-		r.logger.V(1).Info("Namespaces for service clusterIP lookup", "list", namespaces)
+		r.logger.Info("Populated namespaces for service clusterIP lookup", "list", namespaces)
 		for _, ns := range namespaces {
 			networkPeers = append(networkPeers, r.getMatchingServiceClusterIPs(ctx, peer.PodSelector, ns, ports)...)
 		}
@@ -323,11 +324,12 @@ func (r *defaultEndpointsResolver) getMatchingPodAddresses(ctx context.Context,
 	for _, pod := range podList.Items {
 		podIP := k8s.GetPodIP(&pod)
 		if len(podIP) == 0 {
-			r.logger.V(1).Info("pod IP not assigned yet", "pod", k8s.NamespacedName(&pod))
+			r.logger.Info("pod IP not assigned yet", "pod", k8s.NamespacedName(&pod))
 			continue
 		}
 		portList := r.getPortList(pod, ports)
 		if len(ports) != len(portList) && len(portList) == 0 {
+			r.logger.Info("Couldn't get matched port list from the pod", "pod", k8s.NamespacedName(&pod), "expectedPorts", ports)
 			continue
 		}
 		addresses = append(addresses, policyinfo.EndpointInfo{
@@ -382,16 +384,24 @@ func (r *defaultEndpointsResolver) getMatchingServiceClusterIPs(ctx context.Cont
 		return nil
 	}
 	for _, svc := range svcList.Items {
-		if k8s.IsServiceHeadless(&svc) || !svcSelector.Matches(labels.Set(svc.Spec.Selector)) {
+		// do not add headless services to policy endpoints
+		if k8s.IsServiceHeadless(&svc) {
+			r.logger.Info("skipping headless service when populating EndpointInfo", "serviceName", svc.Name, "serviceNamespace", svc.Namespace)
 			continue
 		}
+		// do not add services if their pod selector is not matching with the pod selector defined in the network policy
+		if !svcSelector.Matches(labels.Set(svc.Spec.Selector)) {
+			r.logger.Info("skipping pod selector mismatched service when populating EndpointInfo", "serviceName", svc.Name, "serviceNamespace", svc.Namespace, "expectedPS", svcSelector)
+			continue
+		}
+
 		var portList []policyinfo.Port
 		for _, port := range ports {
 			var portPtr *int32
 			if port.Port != nil {
 				portVal, err := r.getMatchingServicePort(ctx, &svc, port.Port, *port.Protocol)
 				if err != nil {
-					r.logger.V(1).Info("Unable to lookup service port", "err", err)
+					r.logger.Info("Unable to lookup service port", "err", err)
 					continue
 				}
 				portPtr = &portVal
@@ -403,6 +413,7 @@ func (r *defaultEndpointsResolver) getMatchingServiceClusterIPs(ctx context.Cont
 			})
 		}
 		if len(ports) != len(portList) && len(portList) == 0 {
+			r.logger.Info("Couldn't find matching port for the service", "service", k8s.NamespacedName(&svc))
 			continue
 		}
 		networkPeers = append(networkPeers, policyinfo.EndpointInfo{
@@ -420,7 +431,7 @@ func (r *defaultEndpointsResolver) getMatchingServicePort(ctx context.Context, s
 	if portVal, err := k8s.LookupServiceListenPort(svc, *port, protocol); err == nil {
 		return portVal, nil
 	} else {
-		r.logger.V(1).Info("Unable to lookup service port", "err", err)
+		r.logger.Info("Unable to lookup service port", "err", err)
 	}
 	// List pods matching the svc selector
 	podSelector, err := metav1.LabelSelectorAsSelector(metav1.SetAsLabelSelector(svc.Spec.Selector))
@@ -438,8 +449,9 @@ func (r *defaultEndpointsResolver) getMatchingServicePort(ctx context.Context, s
 	for i := range podList.Items {
 		if portVal, err := k8s.LookupListenPortFromPodSpec(svc, &podList.Items[i], *port, protocol); err == nil {
 			return portVal, nil
+		} else {
+			r.logger.Info("The pod doesn't have port matched", "err", err, "pod", podList.Items[i])
 		}
-		break
 	}
-	return 0, errors.Errorf("unable to find matching service listen port %s", port.String())
+	return 0, errors.Errorf("unable to find matching service listen port %s for service %s", port.String(), k8s.NamespacedName(svc))
 }
diff --git a/pkg/resolvers/endpoints_test.go b/pkg/resolvers/endpoints_test.go
@@ -830,7 +830,6 @@ func TestEndpointsResolver_ResolveNetworkPeers(t *testing.T) {
 		)
 
 		for _, rule := range policy.Spec.Egress {
-			resolver.logger.V(1).Info("computing egress addresses", "peers", rule.To)
 			if rule.To == nil {
 				egressEndpoints = append(egressEndpoints, resolver.getAllowAllNetworkPeers(rule.Ports)...)
 				continue
diff --git a/pkg/resolvers/policies_for_service.go b/pkg/resolvers/policies_for_service.go
@@ -17,7 +17,7 @@ import (
 // getReferredPoliciesForService returns the list of policies that refer to the service.
 func (r *defaultPolicyReferenceResolver) getReferredPoliciesForService(ctx context.Context, svc, svcOld *corev1.Service) ([]networking.NetworkPolicy, error) {
 	if k8s.IsServiceHeadless(svc) {
-		r.logger.V(1).Info("Ignoring headless service", "svc", k8s.NamespacedName(svc))
+		r.logger.Info("Ignoring headless service", "svc", k8s.NamespacedName(svc))
 		return nil, nil
 	}
 	policiesWithEgressRules := r.policyTracker.GetPoliciesWithEgressRules()

Original file line number	Diff line number	Diff line change
`@@ -122,7 +122,7 @@ func (r *policyReconciler) SetupWithManager(ctx context.Context, mgr ctrl.Manage`
`122`	`122`	`func (r *policyReconciler) reconcile(ctx context.Context, request reconcile.Request) error {`
`123`	`123`	`policy := &networking.NetworkPolicy{}`
`124`	`124`	`if err := r.k8sClient.Get(ctx, request.NamespacedName, policy); err != nil {`
`125`		`- r.logger.V(1).Info("Unable to get policy", "resource", policy, "err", err)`
	`125`	`+ r.logger.Info("Unable to get policy", "resource", policy, "err", err)`
`126`	`126`	`return client.IgnoreNotFound(err)`
`127`	`127`	`}`
`128`	`128`	`if !policy.DeletionTimestamp.IsZero() {`
Original file line number	Diff line number	Diff line change
`@@ -830,7 +830,6 @@ func TestEndpointsResolver_ResolveNetworkPeers(t *testing.T) {`
`830`	`830`	`)`
`831`	`831`
`832`	`832`	`for _, rule := range policy.Spec.Egress {`
`833`		`- resolver.logger.V(1).Info("computing egress addresses", "peers", rule.To)`
`834`	`833`	`if rule.To == nil {`
`835`	`834`	`egressEndpoints = append(egressEndpoints, resolver.getAllowAllNetworkPeers(rule.Ports)...)`
`836`	`835`	`continue`
Original file line number	Diff line number	Diff line change
`@@ -17,7 +17,7 @@ import (`
`17`	`17`	`// getReferredPoliciesForService returns the list of policies that refer to the service.`
`18`	`18`	`func (r defaultPolicyReferenceResolver) getReferredPoliciesForService(ctx context.Context, svc, svcOld corev1.Service) ([]networking.NetworkPolicy, error) {`
`19`	`19`	`if k8s.IsServiceHeadless(svc) {`
`20`		`- r.logger.V(1).Info("Ignoring headless service", "svc", k8s.NamespacedName(svc))`
	`20`	`+ r.logger.Info("Ignoring headless service", "svc", k8s.NamespacedName(svc))`
`21`	`21`	`return nil, nil`
`22`	`22`	`}`
`23`	`23`	`policiesWithEgressRules := r.policyTracker.GetPoliciesWithEgressRules()`