Aggregated Throughput Anomaly detection

[tushartathgur]

This PR does the following:

• Implements argument "agg-flow" and "p2p-label" for aggregated flow.
• Aggregated flow contains Pods to external, pods to pods based of labels and pod to service flows.
• New retrieve table has been added for aggregated TAD.
• Modified retrieve table for TAD, new fields include agg_type and algo_type for better understanding.
• TAD delete command can now take multiple tad ids to delete.

[codecov]

Codecov Report

Merging #184 (e305fdd) into main (31f4752) will decrease coverage by 0.30%.
The diff coverage is 64.32%.

@@            Coverage Diff             @@
##             main     #184      +/-   ##
==========================================
- Coverage   66.54%   66.25%   -0.30%     
==========================================
  Files          38       38              
  Lines        4783     5049     +266     
==========================================
+ Hits         3183     3345     +162     
- Misses       1453     1548      +95     
- Partials      147      156       +9     

Flag	Coverage Δ
python-coverage	56.37% <55.73%> (-1.14%)	⬇️
unit-tests	69.90% <74.21%> (+0.20%)	⬆️

Impacted Files	Coverage Δ
plugins/anomaly-detection/anomaly_detection.py	46.52% <51.20%> (-2.51%)	⬇️
pkg/theia/commands/anomaly_detection_run.go	84.81% <60.97%> (-12.00%)	⬇️
pkg/controller/anomalydetector/controller.go	73.76% <70.96%> (+1.49%)	⬆️
pkg/theia/commands/anomaly_detection_delete.go	94.00% <100.00%> (+1.14%)	⬆️
pkg/theia/commands/anomaly_detection_retrieve.go	89.65% <100.00%> (+3.50%)	⬆️
...lugins/anomaly-detection/anomaly_detection_test.py	94.23% <100.00%> (+1.20%)	⬆️

... and 1 file with indirect coverage changes

[elton-furtado]

code formatter missing in .go files?

[tushartathgur]

no, make fmt does cover rest files
tathgurt@tathgurtFLVDL theia % find . -type d -name '.cache' -prune -o -type f -name '*.go' -print | grep rest ./pkg/apiserver/registry/intelligence/throughputanomalydetector/rest.go ./pkg/apiserver/registry/intelligence/throughputanomalydetector/rest_test.go ./pkg/apiserver/registry/intelligence/networkpolicyrecommendation/rest.go ./pkg/apiserver/registry/intelligence/networkpolicyrecommendation/rest_test.go ./pkg/apiserver/registry/system/supportbundle/rest.go ./pkg/apiserver/registry/system/supportbundle/rest_test.go ./pkg/apiserver/registry/stats/clickhouse/rest.go ./pkg/apiserver/registry/stats/clickhouse/rest_test.go

[tushartathgur]

/theia-test-e2e

[yanjunz97]

Just for curiosity, why do we change this from flowStartSeconds to flowEndSeconds?

[tushartathgur]

That is because we are reusing the same table for aggregated flow output and it will not have flowStartSeconds col in aggregated output, but the common column in both the outputs is flowEndSeconds

[yanjunz97]

I think it's the mix of spaces and tabs makes the indentation looks strange here. Could you unify them?

[yanjunz97]

Keep the camel-case naming to make them aggTadPodQuery, aggTadPod2PodQuery, aggTadPod2SvcQuery

[yanjunz97]

Suggested change

	func deleteTADid(cmd *cobra.Command, tadName string) error {
	func deleteTADId(cmd *cobra.Command, tadName string) error {

[yanjunz97]

I feels this is not quite readable. Is it possible to construct a matrix and reuse the TableOutput function here?

[yanjunz97]

For the newly added functionality, could you include them in documentation?

[tushartathgur]

Thanks for the comment, I have added it in the other PR 192

[dreamtalen]

I recommend merging the shared operations found in lines 317-343. Looks like the different operations are selecting different columns in 322-324 and 336-338.

[dreamtalen]

As we discussed last Friday, this should be sum(throughput) for aggregated TAD, I noticed you put that changes on #192, can you move all functional code changes inside this PR and let #192 have test codes only?

[tushartathgur]

/theia-test-e2e

[dreamtalen]

I think the main issue is that the implementation has deviated from our initial design. If you prefer, we can discuss this further offline.

[dreamtalen]

I don't think the 'pod_to_svc' type aligns with our design. Our goal was to monitor the aggregated throughput of all traffic directed to a Service, so the 'sourcePodNamespace' and 'sourcePodLabels' parameters are not relevant in this case.

[dreamtalen]

Same concern for the 'pod_to_external' type. I think our goal was to monitor the aggregated throughput of all traffic directed to an external IP.

[dreamtalen]

"pod_to_pod" seems a fair usecase here, just want to point out our initial goal was to monitor the aggregated in/out bound throughput of a set of specific pod labels.

[dreamtalen]

Why we require users input Pod labels and IP for "pod" and "external" cases but not require a service name for the "svc" case?
I feel Pod labels and external IP are optional input, if user doesn't provide this info, we will considering all possible pod labels and external IPs. Like what we have done in the "svc" case.

[tushartathgur]

Sure, I can add them as optional parameters, just wanted to confirm if the user doesn’t provide labels or external ip, should we have a check if the corresponding columns are empty or should we even include those columns in DF ?

[dreamtalen]

For example if user chooses "external" agg type and doesn't provided any input IP, we will consider all toExternal flows, group by the destinationIP, aggregated throughput for each destinationIP, and find anomalies if any.
Hope this exmaple answered your question.

[tushartathgur]

for “external” case, it may work as we have flow type to define if the traffic is for external, but there could be pods with no labels, and pods with any type of label, should we add both of them? they both would have different kind of queries.

[tushartathgur]

I think we should add both the cases of empty and non empty case for labels, also we can add svc name as argument for user to provide a specific service name, but in case of service age_type, we should only consider non empty cases

[dreamtalen]

I see, we can consider the non empty case only for now if the empty case needs big changes.
Maybe you can add another parameter "podname" in the pod agg case, it will help cover the cases of pods with no labels.

[tushartathgur]

Currently, we should not consider the empty cases, as we look for pods based of labels, if there are no labels it would be little misleading to still collect them based of their name.

[dreamtalen]

What I meant was to have a user input parameter 'podname' that would cover cases where the user knows the pods they're interested in don't have labels.
Just a nice-to-have.

[dreamtalen]

It should be a comma instead of semicolon between DROP COLUMNs, please check my previous comment: #184 (comment)

[dreamtalen]

Same above, use comma and add datatype in ADD COLUMNs, please check my previous comment: #184 (comment)

[tushartathgur]

/theia-test-e2e

[tushartathgur]

/theia-test-e2e

[elton-furtado]

/theia-test-e2e

[tushartathgur]

/theia-test-e2e

[tushartathgur]

/theia-test-e2e

[tushartathgur]

/theia-test-e2e

[tushartathgur]

/theia-test-e2e

[tushartathgur]

/theia-test-e2e

[tushartathgur]

/theia-test-e2e

[tushartathgur]

/theia-test-e2e

[tushartathgur]

/theia-test-e2e

[tushartathgur]

/theia-test-e2e

[tushartathgur]

/theia-test-e2e

[tushartathgur]

/theia-test-e2e