Use structured logging

[uablrek]

Use structured logging in json format if -logging-format=json is specified. The same setup functions as for K8s core packages are used (component-base).

Also, contextual logging is used (beta in 1.30, so no feature-gateway is needed).

Fixes #48

This PR will be a draft until all code is changed to use structured/contextual logging.

[uablrek]

/cc @pohly

@pohly Can you please review the updates in main() in the first commit? I don't want to do any fundamental mistakes. The rest I think I can manage.

[uablrek]

Example output:

# kubectl logs -n kube-system   kube-network-policies-8hb7p | jq
...
{
  "ts": 1720002972865.8306,
  "caller": "cache/reflector.go:359",
  "msg": "Caches populated for *v1.Pod from pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:232",
  "v": 2
}
{
  "ts": 1720002972953.2607,
  "caller": "cache/shared_informer.go:320",
  "msg": "Caches are synced for kube-network-policies",
  "v": 0
}
{
  "ts": 1720002972953.3674,
  "caller": "networkpolicy/metrics.go:61",
  "msg": "Registering metrics",
  "v": 0
}
{
  "ts": 1720002972953.4724,
  "caller": "networkpolicy/controller.go:344",
  "msg": "Syncing nftables rules",
  "v": 0
}

[uablrek]

Lint complaints:

Error: cmd/main.go:81:3: exitAfterDefer: os.Exit will exit, and `defer cancel()` will not run (gocritic)

This is just as bad with klog.Fatalf, but lint misses that. A pattern seem to be:

func main() {
  os.Exit(run())
}
func run() int {
  return errorCode
}

Shall we use it? Else I restore klog.Fatalf in main()

I will call cancel() explicitly. (but since it's right before exit, it will not really matter)

[aojea]

func main() {
  os.Exit(run())
}
func run() int {
  return errorCode
}

that sounds like the right way to do it

[aojea]

@uablrek what is missing here? it lgtms

/lgtm
/approve

[uablrek]

@uablrek what is missing here? it lgtms

Lots and lots of Infof(), and friends, should be changed to InfoS().

Also i was planning to introduce contextual logging, but I think that can wait.

[uablrek]

Structured logging allows a nice optimization possibility. Without this p.String() is always called, regardless of verbosity.

	// evaluatePacket() should be fast unless trace logging is enabled.
	// Logging optimization: We check if V(2) is enabled before hand,
	// rather than evaluating the all parameters make an unnecessary logger call
	tlogger := logger.V(2)
	if tlogger.Enabled() {
		tlogger.Info("Evaluating packet", "packet", p)
		tlogger = tlogger.WithValues("id", p.id)
	}

[uablrek]

Logging like this exist at several places. I am unsure how to handle them. A general recommendation is to not log errors if you return them (let the caller decide). And normally logger.Error(err, ...) is used for logging errors, but then it will be at a higher log-level. I made a compromise by keeping the log at Info level.

[uablrek]

A way to keep info about what caused the error is to wrap them:

return fmt.Errorf("could not open nfqueue socket %w", err)

(ref: recent discussion on slack)

[uablrek]

Example packet log in JSON format:

{
  "ts": 1720777151838.3552,
  "caller": "networkpolicy/controller.go:461",
  "msg": "Evaluating packet",
  "v": 2,
  "packet": {
    "Id": 9,
    "Family": "IPv4",
    "SrcIP": "11.0.3.3",
    "DstIP": "11.0.2.2",
    "Proto": "TCP",
    "SrcPort": 33803,
    "DstPort": 6000
  }
}

Text output is not altered:

I0712 09:53:52.257809       1 controller.go:461] "Evaluating packet" packet=<
        [8] 11.0.1.3:40243 11.0.2.2:6000 TCP
        00000000  00 00 a0 02 fa f0 19 33  00 00 02 04 05 b4 04 02  |.......3........|
        00000010  08 0a c1 d9 c1 bd 00 00  00 00 01 03 03 07        |..............|
 >

[uablrek]

I will squash commits later

[aojea]

let me know once is ready for merging

[pohly]

This shouldn't be needed and might never give you a JSON logger.

Leave the context as it is. A klog.FromContext will then get the global default prepared by logsapi.ValidateAndApply.

Suggested change

	logger := klog.NewKlogr()
	logger := klog.FromContext(ctx)

[pohly]

Delete this.

[uablrek]

Rebased, updated after review, and use klog.KObj. Ready for review.

Please note that payload is empty for TCP/SYN, which is the only TCP packets we see:

I0721 08:56:53.060501       1 controller.go:491] "Evaluating packet" packet=<
        [10] 11.0.4.3:34751 11.0.4.2:6000 TCP
 >

[uablrek]

let me know once is ready for merging

@aojea Ready for review at least. I hope for merging. No logic is altered (except in main()), but very many log printouts

[uablrek]

The flag-logging can be made in different ways:

1. The "structured object way" (this doesn't look so good for non-json logging):

	flag.VisitAll(func(flag *flag.Flag) {
		logger.Info("flag", "flag", flag)
	})

{
  "ts": 1731837080411.8074,
  "caller": "cmd/main.go:83",
  "msg": "flag",
  "v": 0,
  "flag": {
    "Name": "nfqueue-id",
    "Usage": "Number of the nfqueue used",
    "Value": 100,
    "DefValue": "100"
  }
}

2. The "name/value way" (this is what I selected)

	flag.VisitAll(func(flag *flag.Flag) {
		logger.Info("flag", "name", flag.Name, "value", flag.Value)
	})

{
  "ts": 1731837858630.011,
  "caller": "cmd/main.go:83",
  "msg": "flag",
  "v": 0,
  "name": "nfqueue-id",
  "value": "100"
}

Non-json logging:

I1117 11:05:07.914817  119614 main.go:83] "flag" name="nfqueue-id" value="100"

3. The "non structured logging way" (not recommended)

	flag.VisitAll(func(flag *flag.Flag) {
		klog.Infof("FLAG: --%s=%q", flag.Name, flag.Value)
	})

{
  "ts": 1731838042913.3442,
  "caller": "cmd/main.go:84",
  "msg": "FLAG: --nfqueue-id=\"100\"",
  "v": 0
}

[uablrek]

The failing test seem unrelated to the updates. I ran e2e:

(BASE_FAMILY=IPv6 PROXY_MODE=nftables)
export SKIP=NOTHING
export FOCUS=Netpol
Ran 50 of 6622 Specs in 132.293 seconds
SUCCESS! -- 50 Passed | 0 Failed | 0 Pending | 6572 Skipped

[uablrek]

/retest

[aojea]

helper.go:123: StatefulSet replicas in namespace network-policy-conformance-forbidden-forrest not rolled out yet. 0/2 replicas are available.

it seems a resource problem, let me retry

@paulgmiller can you please review, since you have been working on this in a separate PR

/assign @paulgmiller

[k8s-ci-robot]

@aojea: GitHub didn't allow me to assign the following users: paulgmiller.

Note that only kubernetes-sigs members with read permissions, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time.
For more information please see the contributor guide

In response to this:

helper.go:123: StatefulSet replicas in namespace network-policy-conformance-forbidden-forrest not rolled out yet. 0/2 replicas are available.

it seems a resource problem, let me retry

@paulgmiller can you please review, since you have been working on this in a separate PR

/assign @paulgmiller

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[aojea]

/lgtm
/hold

waiting for @paulgmiller review, we can unhold tomorrow if he does not have time to review

@paulgmiller just do /hold cancel if you are happy with the PR

[paulgmiller]

Seems good sorry to be slow had to learn some things about k8s.io/component-base/logs/

[paulgmiller]

should we use the same tlogger := logger.V(2) if tlogger.Enabled tricke we use here as we use at 517 in evaluage packet?

[uablrek]

It's not as urgent in this case since only PacketID is passed (not an entire packet analyzed)

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aojea, paulgmiller, uablrek

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [aojea]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[paulgmiller]

/hold cancel

left one perf comment but doesn't seeem worth holding up