Add live k8s API collector

[jt-dd]

This collector connect directly using the default config path to find the configuration (using controller-runtime lib):

• --kubeconfig flag pointing at a file
• KUBECONFIG environment variable pointing at a file
• In-cluster config if running in cluster
• $HOME/.kube/config if exists.

Ref: https://github.com/kubernetes-sigs/controller-runtime/blob/v0.15.0/pkg/client/config/config.go#L76

It uses the configuration to set 3 variables needed for crawling the API:

• PageSize: Number of entry being retrieving by each call on the API (same for all Kubernetes entry types)
• PageBufferSize: Number of pages to buffer
• RateLimitPerSecond: Rate limiting per second across all calls (same for all Kubernetes entry types) against the Kubernetes API

Note: for the rate limiting, a simple leaky bucket has been implemented (using ratelimit lib from Uber). The rate limiting affect simultaneously all the calls to the Kub API regardless of the type being collected.

[edznux-dd]

WIP review, gotta go :D

[edznux-dd]

Can't you use * or & or in the type instead of doing a generic in here?
For some types (like bool and all, where you don't have a variable, I see why, but i'm not sure I understand here)

[jt-dd]

I can not take address of a constant, so using for me was the most elegant way. But I guess I can also do the tricks, but for me it was less elegant:

PageSize := K8sAPIDefaultPageSize
cfg.Collector.Live.PageSize = &PageSize

[edznux-dd]

ah yep, makes sense didn't see the constant.
I would have used a var instead of const so it has a pointer available. 😅

Also tbh, this is config related, and we are already using viper so we should not use custom things to set default imo:
something like viper.SetDefault("k8s.collector.PageSize", 5000) would replace this function entirely. You would just need to call viper.GetInt("k8s.collector.PageSize")

In any case, K8sAPIDefaultPageSize should be renamed K8sAPIDefaultPageSizeDefault to make it clear that it's customizable later on and that this value isn't the "final" one.

[jt-dd]

K8sAPIDefaultPageSizeDefault has 2 default which does not make sense. If you prefer I can change it to K8sAPIPageSizeDefault but all the current variables are to DefaultBlabla.
Also the SetDefault() seems to be a pain:

• Default value for nested key spf13/viper#71 (comment)
  I will look to see how to work with it.

[edznux-dd]

ah woops, can't read, guess it shows that it needs to be prefix/suffix and not in the middle 😅
DefaultK8sAPIPageSize sounds fine to me! Having the default in the middle breaks the convention we have in other variables of DefaultBlabla as you mention yourself :D

[edznux-dd]

Is the issue mentionned still valid (from 2015, and marked as fixed by spf13/viper#195 (comment))?

[jt-dd]

It did not brake the convention because to me it made more sense to have PackageDefaultValue. The package was never mentioned in the other values. Do we want to name the "package" in those constant ? I find it easier to follow.

[edznux-dd]

You should "never" put the package's name in the name of the var. Otherwise you need to do "package.PackageVar" which is redundant (and also create more work if you want to update / move the package, but that's 🤷).

[edznux-dd]

speaking of package, If possible, I think having the whole k8s_api related in a subpackage of collector would be nicer to use (if there's no circular deps with the rest of the project) :D

[jt-dd]

no we can not due to the CollectorClient interface and ClientFactory() method. This is why I added the name of the "subpackage" (if you prefer).

[edznux-dd]

ah yep, makes sense didn't see the constant.
I would have used a var instead of const so it has a pointer available. 😅

Also tbh, this is config related, and we are already using viper so we should not use custom things to set default imo:
something like viper.SetDefault("k8s.collector.PageSize", 5000) would replace this function entirely. You would just need to call viper.GetInt("k8s.collector.PageSize")

In any case, K8sAPIDefaultPageSize should be renamed K8sAPIDefaultPageSizeDefault to make it clear that it's customizable later on and that this value isn't the "final" one.

[jt-dd]

This whole thing can be replaced by
assert.Equal(cfg.Collector.Live, tt.args,value) I believe
The pretty print and all will be done automatically, example go playground: https://goplay.tools/snippet/n_yR-edgBMq

=== RUN   TestSomething
    prog_test.go:19: 
        	Error Trace:	/tmp/sandbox3381284915/prog_test.go:19
        	Error:      	Not equal: 
        	            	expected: main.testlol{FieldA:"Hellolola", FieldB:123}
        	            	actual  : main.testlol{FieldA:"Hellolol", FieldB:123}
        	            	
        	            	Diff:
        	            	--- Expected
        	            	+++ Actual
        	            	@@ -1,3 +1,3 @@
        	            	 (main.testlol) {
        	            	- FieldA: (string) (len=9) "Hellolola",
        	            	+ FieldA: (string) (len=8) "Hellolol",
        	            	  FieldB: (int) 123
        	Test:       	TestSomething
        	Messages:   	The two words should be the same.
--- FAIL: TestSomething (0.00s)
FAIL

I did not know that trick. It is really nice.

[jt-dd]

This should be a switch based on the config instead of being hardcoded

Yes implemented.

[d0g0x01]

There are a couple of features missing from the spec https://datadoghq.atlassian.net/browse/ASENG-362 - maybe it would be worth adding these as a subsequent PR?

When this is complete do you want to switch the integration tests over to use this collector? you'll need to update the code at test/system/setup_test.go

[d0g0x01]

should you not do then attach the config to the collector instance? also you dont use the logger?

[d0g0x01]

Also should this be a private method?

[jt-dd]

Not sure to understand what you mean by attaching the config to the collector instance. The config is attached to the collector instance.
Same for the logger, it is being used by the collector instance.

Yes this should be private.

[d0g0x01]

nice find!

[d0g0x01]

I think we should be able to specify a target cluster in the configuration. I think currently this will default to the current kubectx which might not be what the user wnats/expects?

[jt-dd]

This support an env variable KUBECONFIG (and other standard way) . But I can try to path it over through the config file in another PR.

[d0g0x01]

it might be worth getting all the namespaces once then caching for quick lookups as should not be that much data

[d0g0x01]

*no need to use the formal cache provider here. just a hashmap in memory attached to the collector would be fine

[jt-dd]

Same for this, maybe I should do the caching in a different PR since it is purely optimisation?

[d0g0x01]

sounds good

[d0g0x01]

We discussed in the original desing meeting that it might help ensure better consistency if we pull all the objects namespace by namespace for pods/roles/rolebindings. What do you think of tweaking the logic slightly to be

1. pull all namespaces
2. cache namespaces in the collector instance
3. call streamXXXNamespace for each namespace in order

You have most of the pieces to do it already so should not be too tricky. @edznux-dd any thoughts?

[edznux-dd]

This is "why" we though about the WithOption() pattern in the Stream* functions.
Caching the list of namespace seems fine to me, I don't see it grow that significantly for it to cause any issue.

Doing the iteration in the Steam* function may make it a bit difficult to parallelize more in the future? (multiple namespace concurrently, so non concurently). I don't know how the API/Storage of k8s handles the load balancing/sharding of this kind of resources, and I don't know if it matters :D (I don't think that could cause hot spots to appears if we do purely sequential reads, but I don't know)

[jt-dd]

What is the actual gain of iterating manually over the namespace vs the "automated way" ?

[d0g0x01]

On second thoughts I think this might be some premature optimization. Suggest we leave as is for now and revisit if we see any issues materialize

[d0g0x01]

is compute ok with this internally?

[jt-dd]

I did not ping them, but those a the default value (expect the rate limiting). But 100 req/sec seems pretty low to me (I used to try to keep under this value why I was pentesting API). But I will ask them.

[d0g0x01]

I think thats fine for me then

[d0g0x01]

might be worth editing the default config to use this (configs/etc/kubehound.yaml)

[jt-dd]

pushed

[d0g0x01]

LGTM