From 0fa119122f85f876bfd022d2a232dcbcc7e85f07 Mon Sep 17 00:00:00 2001 From: Jannik Hollenbach Date: Wed, 20 Aug 2025 20:48:41 +0200 Subject: [PATCH 1/4] Properly align logs from leader election and regular operator logs Signed-off-by: Jannik Hollenbach --- operator/main.go | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/operator/main.go b/operator/main.go index 61a0bf754e..a194750a52 100644 --- a/operator/main.go +++ b/operator/main.go @@ -15,6 +15,7 @@ import ( "k8s.io/apimachinery/pkg/runtime" utilruntime "k8s.io/apimachinery/pkg/util/runtime" clientgoscheme "k8s.io/client-go/kubernetes/scheme" + "k8s.io/klog/v2" ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/healthz" "sigs.k8s.io/controller-runtime/pkg/log/zap" @@ -51,12 +52,14 @@ func main() { "Enable leader election for controller manager. "+ "Enabling this will ensure there is only one active controller manager.") opts := zap.Options{ - Development: true, + Development: false, } opts.BindFlags(flag.CommandLine) flag.Parse() - ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts))) + logger := zap.New(zap.UseFlagOptions(&opts)) + ctrl.SetLogger(logger) + klog.SetLogger(logger) mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{ Scheme: scheme, From 854d2901850c44c08973857bb8281314e7e6511b Mon Sep 17 00:00:00 2001 From: Jannik Hollenbach Date: Wed, 20 Aug 2025 20:57:52 +0200 Subject: [PATCH 2/4] Align operator logs to make them less spammy and more useful Moved less helpful logs to higher verbosity levels and added (more helpful) logs for more interesting events, like job creation for scans, parsers and hooks Signed-off-by: Jannik Hollenbach --- .../execution/scans/hook_reconciler.go | 4 +++- .../execution/scans/parse_reconciler.go | 5 ++--- .../execution/scans/scan_reconciler.go | 11 ++++------ .../execution/scans/serviceaccount.go | 20 +++++++++---------- 4 files changed, 19 insertions(+), 21 deletions(-) 
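Review bot: The flip to `Development: false` in `main()` carries no comment, yet it changes the defaults operators get: as far as I know controller-runtime's zap helper then uses the JSON encoder and Info level, so the lines this series moves to `V(7)`/`V(8)` only appear with an explicit `--zap-log-level`. I would add a comment above `opts`, e.g. `// Production defaults (JSON, info level); use --zap-devel or --zap-log-level=N for verbose output.`, and one above `klog.SetLogger(logger)`, e.g. `// client-go (leader election) logs through klog; send it to the same logger.` Non-development mode also appears to enable log sampling, so it is worth confirming that bursts of identical job-creation lines, which serve as the record of what the operator launched, are not thinned out. The same applies to the identical hunks in `auto-discovery/kubernetes/main.go` and `auto-discovery/cloud-aws/cmd/service/main.go`; `main()` starts and ends outside each hunk.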
diff --git a/operator/controllers/execution/scans/hook_reconciler.go b/operator/controllers/execution/scans/hook_reconciler.go index 5219071414..cf5cf3638d 100644 --- a/operator/controllers/execution/scans/hook_reconciler.go +++ b/operator/controllers/execution/scans/hook_reconciler.go @@ -55,7 +55,7 @@ func (r *ScanReconciler) setHookStatus(scan *executionv1.Scan) error { hookStatuses = utils.MapClusterHooksToHookStatus(clusterScanCompletionHooks.Items) } - r.Log.Info("Found ScanCompletionHooks", "ScanCompletionHooks", len(hookStatuses)) + r.Log.V(7).Info("Found ScanCompletionHooks", "ScanCompletionHooks", len(hookStatuses)) orderedHookStatus := utils.FromUnorderedList(hookStatuses) scan.Status.OrderedHookStatuses = orderedHookStatus @@ -468,6 +468,8 @@ func (r *ScanReconciler) createJobForHook(hookName string, hookSpec *executionv1 return "", err } + r.Log.Info("Creating hook job", "job", job.Name, "scanCompletionHook", hookName, "scan", scan.Name, "namespace", scan.Namespace) + if err := r.Create(ctx, job); err != nil { return "", err } diff --git a/operator/controllers/execution/scans/parse_reconciler.go b/operator/controllers/execution/scans/parse_reconciler.go index 477cb706db..d5aa6d8985 100644 --- a/operator/controllers/execution/scans/parse_reconciler.go +++ b/operator/controllers/execution/scans/parse_reconciler.go @@ -7,7 +7,6 @@ package scancontrollers import ( "context" "fmt" - "strings" executionv1 "github.com/secureCodeBox/secureCodeBox/operator/apis/execution/v1" util "github.com/secureCodeBox/secureCodeBox/operator/utils" 
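Review bot: `job.Name` in the new `Creating hook job` line is read before `r.Create(ctx, job)`, so if the Job is built with `metadata.generateName` (the constructor is not visible in this hunk) the field is still empty and the entry records an empty job name. These lines are the operator's record of which workloads it launched, so I would log after a successful create instead: `r.Log.Info("Created hook job", "job", job.Name, "scanCompletionHook", hookName, "scan", scan.Name, "namespace", scan.Namespace)` placed after the `r.Create` error check. The same pattern appears in `startParser` (`Creating parse job`) and `startScan` (`Creating scan job`). `createJobForHook` starts and ends outside the hunk.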
@@ -53,7 +52,7 @@ func (r *ScanReconciler) startParser(scan *executionv1.Scan) error { return fmt.Errorf("no ParseDefinition of type '%s' found", parseType) } - log.Info("Matching ParseDefinition Found", "ParseDefinition", parseType) + log.V(7).Info("Matching ParseDefinition Found", "ParseDefinition", parseType) parseDefinitionSpec = parseDefinition.Spec } else if *scan.Spec.ResourceMode == executionv1.ClusterWide { var clusterParseDefinition executionv1.ClusterParseDefinition @@ -243,7 +242,7 @@ func (r *ScanReconciler) startParser(scan *executionv1.Scan) error { return err } - log.V(7).Info("Constructed Job object", "job args", strings.Join(job.Spec.Template.Spec.Containers[0].Args, ", ")) + log.Info("Creating parse job", "job", job.Name, "parseDefinition", parseType, "scan", scan.Name, "namespace", scan.Namespace) if err := r.Create(ctx, job); err != nil { log.Error(err, "unable to create Job for Parser", "job", job) diff --git a/operator/controllers/execution/scans/scan_reconciler.go b/operator/controllers/execution/scans/scan_reconciler.go index 77a7185859..e90865b1b3 100644 --- a/operator/controllers/execution/scans/scan_reconciler.go +++ b/operator/controllers/execution/scans/scan_reconciler.go @@ -10,7 +10,6 @@ import ( "fmt" "os" "path/filepath" - "strings" "time" executionv1 "github.com/secureCodeBox/secureCodeBox/operator/apis/execution/v1" @@ -66,7 +65,7 @@ func (r *ScanReconciler) startScan(scan *executionv1.Scan) error { return fmt.Errorf("no ScanType of type '%s' found", scan.Spec.ScanType) } - log.Info("Matching ScanType Found", "ScanType", scanType.Name) + log.V(7).Info("Matching ScanType Found", "ScanType", scanType.Name) scanTypeSpec = scanType.Spec } else if *scan.Spec.ResourceMode == executionv1.ClusterWide { var clusterScanType executionv1.ClusterScanType 
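Review bot: The error branch right below the new `Creating parse job` line still passes the whole object, `log.Error(err, "unable to create Job for Parser", "job", job)`, which puts the full Job spec, container args and env included, into the operator log at default verbosity. This commit removes the `V(7)` line that printed the job args, so the error branch is now the remaining place they can surface; whether those args carry credentials or signed URLs is not visible here, but for scanner parameters that should be assumed. I would log identifiers only: `log.Error(err, "unable to create Job for Parser", "scan", scan.Name, "namespace", scan.Namespace)`. `startScan` in `scan_reconciler.go` has the same `"job", job` argument in its create-error branch, and `startParser` continues outside the hunk.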
@@ -108,8 +107,7 @@ func (r *ScanReconciler) startScan(scan *executionv1.Scan) error { return err } - log.V(7).Info("Constructed Job object", "job args", strings.Join(job.Spec.Template.Spec.Containers[0].Args, ", ")) - + log.Info("Creating scan job", "job", job.Name, "scanType", scan.Spec.ScanType, "scan", scan.Name, "namespace", scan.Namespace) if err := r.Create(ctx, job); err != nil { log.Error(err, "unable to create Job for Scan", "job", job) return err @@ -154,7 +152,6 @@ func (r *ScanReconciler) startScan(scan *executionv1.Scan) error { r.updateScanStatus(ctx, scan) - log.V(7).Info("created Job for Scan", "job", job) return nil } @@ -308,7 +305,7 @@ func (r *ScanReconciler) constructJobForScan(scan *executionv1.Scan, scanTypeSpe return nil, fmt.Errorf("unknown seccompProfile for lurker: %s", seccompProfileRaw) } - r.Log.Info("Using Lurker Image", "seccompProfile", seccompProfileRaw) + r.Log.V(8).Info("Using Lurker Image", "seccompProfile", seccompProfileRaw) falsePointer := false truePointer := true @@ -366,7 +363,7 @@ func (r *ScanReconciler) constructJobForScan(scan *executionv1.Scan, scanTypeSpe } customCACertificate, isConfigured := os.LookupEnv("CUSTOM_CA_CERTIFICATE_EXISTING_CERTIFICATE") - r.Log.Info("Configuring customCACerts for lurker", "customCACertificate", customCACertificate, "isConfigured", isConfigured) + r.Log.V(7).Info("Configuring customCACerts for lurker", "customCACertificate", customCACertificate, "isConfigured", isConfigured) if customCACertificate != "" { job.Spec.Template.Spec.Volumes = append(job.Spec.Template.Spec.Volumes, corev1.Volume{ Name: "ca-certificate", diff --git a/operator/controllers/execution/scans/serviceaccount.go b/operator/controllers/execution/scans/serviceaccount.go index 88e48a2872..781dff44f4 100644 --- a/operator/controllers/execution/scans/serviceaccount.go +++ b/operator/controllers/execution/scans/serviceaccount.go 
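Review bot: The demoted line in `constructJobForScan` reads `"Using Lurker Image"` but carries only `seccompProfile`, and it is the one line in this series moved to `V(8)` while its neighbours use `V(7)`. The seccomp profile chosen for the lurker is a hardening setting that someone debugging a pod will search for by name, so I would make message and level consistent: `r.Log.V(7).Info("Using seccomp profile for lurker", "seccompProfile", seccompProfileRaw)`. The function starts and ends outside the hunk.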
@@ -22,7 +22,7 @@ func (r *ScanReconciler) ensureServiceAccountExists(namespace, serviceAccountNam var serviceAccount corev1.ServiceAccount err := r.Get(ctx, types.NamespacedName{Name: serviceAccountName, Namespace: namespace}, &serviceAccount) if apierrors.IsNotFound(err) { - r.Log.Info("Service Account doesn't exist creating now") + r.Log.Info("Creating missing service account", "serviceAccountName", serviceAccountName, "namespace", namespace) serviceAccount = corev1.ServiceAccount{ ObjectMeta: metav1.ObjectMeta{ Name: serviceAccountName, @@ -34,18 +34,18 @@ func (r *ScanReconciler) ensureServiceAccountExists(namespace, serviceAccountNam } err := r.Create(ctx, &serviceAccount) if err != nil { - r.Log.Error(err, "Failed to create ServiceAccount") + r.Log.Error(err, "Failed to create ServiceAccount", "serviceAccountName", serviceAccountName, "namespace", namespace) return err } } else if err != nil { - r.Log.Error(err, "Unexpected error while checking if a ServiceAccount exists") + r.Log.Error(err, "Unexpected error while checking if a ServiceAccount exists", "serviceAccountName", serviceAccountName, "namespace", namespace) return err } var role rbacv1.Role err = r.Get(ctx, types.NamespacedName{Name: serviceAccountName, Namespace: namespace}, &role) if apierrors.IsNotFound(err) { - r.Log.Info("Role doesn't exist creating now") + r.Log.Info("Creating missing Role", "roleName", serviceAccountName, "namespace", namespace) role = rbacv1.Role{ ObjectMeta: metav1.ObjectMeta{ Name: serviceAccountName, @@ -58,7 +58,7 @@ func (r *ScanReconciler) ensureServiceAccountExists(namespace, serviceAccountNam } err := r.Create(ctx, &role) if err != nil { - r.Log.Error(err, "Failed to create Role") + r.Log.Error(err, "Failed to create Role", "roleName", serviceAccountName, "namespace", namespace) return err } } else if !reflect.DeepEqual(role.Rules, policyRules) { 
@@ -66,18 +66,18 @@ func (r *ScanReconciler) ensureServiceAccountExists(namespace, serviceAccountNam role.Rules = policyRules err := r.Update(ctx, &role) if err != nil { - r.Log.Error(err, "Failed to update Role") + r.Log.Error(err, "Failed to update Role", "roleName", serviceAccountName, "namespace", namespace) return err } } else if err != nil { - r.Log.Error(err, "Unexpected error while checking if a Role exists") + r.Log.Error(err, "Unexpected error while checking if a Role exists", "roleName", serviceAccountName, "namespace", namespace) return err } var roleBinding rbacv1.RoleBinding err = r.Get(ctx, types.NamespacedName{Name: serviceAccountName, Namespace: namespace}, &roleBinding) if apierrors.IsNotFound(err) { - r.Log.Info("RoleBinding doesn't exist creating now") + r.Log.Info("Creating missing RoleBinding", "roleName", serviceAccountName, "namespace", namespace) roleBinding = rbacv1.RoleBinding{ ObjectMeta: metav1.ObjectMeta{ Name: serviceAccountName, @@ -100,11 +100,11 @@ func (r *ScanReconciler) ensureServiceAccountExists(namespace, serviceAccountNam } err := r.Create(ctx, &roleBinding) if err != nil { - r.Log.Error(err, "Failed to create RoleBinding") + r.Log.Error(err, "Failed to create RoleBinding", "roleName", serviceAccountName, "namespace", namespace) return err } } else if err != nil { - r.Log.Error(err, "Unexpected error while checking if a RoleBinding exists") + r.Log.Error(err, "Unexpected error while checking if a RoleBinding exists", "roleName", serviceAccountName, "namespace", namespace) return err } From c384c78dfa2b10703a796c52e1733a7c7cb787be Mon Sep 17 00:00:00 2001 From: Jannik Hollenbach Date: Wed, 20 Aug 2025 21:28:40 +0200 Subject: [PATCH 3/4] Properly align logs from leader election and regular kubernetes auto-discovery logs Signed-off-by: Jannik Hollenbach --- auto-discovery/kubernetes/main.go | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) 
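Review bot: The `else if err != nil` branch for the Role lookup can rarely run, because `else if !reflect.DeepEqual(role.Rules, policyRules)` (last line of the previous hunk) is tested first. When `r.Get` fails with anything other than NotFound, `role` is presumably still its zero value, the rules differ, and the code calls `r.Update` on an empty Role and reports `Failed to update Role` instead of the real lookup error. I would move the `else if err != nil` branch ahead of the `DeepEqual` branch so an RBAC object is only rewritten after a successful read. The line between the two hunks (old line 65) is not shown; if it is the log line for the update path, it deserves the same `roleName`/`namespace` keys. `ensureServiceAccountExists` starts and ends outside the hunk.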
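Review bot: The RoleBinding log lines use the key `roleName` (`Failed to create RoleBinding` and `Unexpected error while checking if a RoleBinding exists` here, `Creating missing RoleBinding` in the previous hunk), which looks copied from the Role block. The value is the same string, but anyone filtering structured logs for RBAC changes will not be able to tell RoleBinding events from Role events by key; `"roleBindingName", serviceAccountName` would keep the object kinds distinct. The function continues outside the hunk.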
diff --git a/auto-discovery/kubernetes/main.go b/auto-discovery/kubernetes/main.go index 9ca6b5ee3f..84e9e601bd 100644 --- a/auto-discovery/kubernetes/main.go +++ b/auto-discovery/kubernetes/main.go @@ -16,6 +16,7 @@ import ( "k8s.io/apimachinery/pkg/runtime" utilruntime "k8s.io/apimachinery/pkg/util/runtime" clientgoscheme "k8s.io/client-go/kubernetes/scheme" + "k8s.io/klog/v2" ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/metrics/server" @@ -45,12 +46,14 @@ func main() { "Omit this flag to use the default configuration values. "+ "Command-line flags override configuration from this file.") opts := zap.Options{ - Development: true, + Development: false, } opts.BindFlags(flag.CommandLine) flag.Parse() - ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts))) + logger := zap.New(zap.UseFlagOptions(&opts)) + ctrl.SetLogger(logger) + klog.SetLogger(logger) ctrlConfig, err := util.LoadAutoDiscoveryConfig(configFile) if err != nil { From 109dca49123ca2aaaa02303f4c5a5fd48c984851 Mon Sep 17 00:00:00 2001 From: Jannik Hollenbach Date: Wed, 20 Aug 2025 21:31:57 +0200 Subject: [PATCH 4/4] Properly align logs in aws auto-discovery to be in line with other go projects Signed-off-by: Jannik Hollenbach --- auto-discovery/cloud-aws/cmd/service/main.go | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/auto-discovery/cloud-aws/cmd/service/main.go b/auto-discovery/cloud-aws/cmd/service/main.go index d8f52c4dea..d3f62743be 100644 --- a/auto-discovery/cloud-aws/cmd/service/main.go +++ b/auto-discovery/cloud-aws/cmd/service/main.go @@ -11,6 +11,7 @@ import ( "github.com/secureCodeBox/secureCodeBox/auto-discovery/cloud-aws/pkg/aws" "github.com/secureCodeBox/secureCodeBox/auto-discovery/cloud-aws/pkg/config" "github.com/secureCodeBox/secureCodeBox/auto-discovery/cloud-aws/pkg/kubernetes" + "k8s.io/klog/v2" ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/log/zap" ) 
@@ -22,13 +23,14 @@ func main() { "Omit this flag to use the default configuration values. "+ "Environment variables override some configuration values from this file.") opts := zap.Options{ - Development: true, + Development: false, } opts.BindFlags(flag.CommandLine) flag.Parse() log := zap.New(zap.UseFlagOptions(&opts)) ctrl.SetLogger(log) + klog.SetLogger(log) // Read config from file first, some values may be overridden by env variables cfg := config.GetConfig(configFile)