This prevents alerts resolving and re-firing when different windows fire.

Implemented using the suggestion from @tokheim in #240. Fixes https://github.com/slok/sloth/issues/240

As in the image below, the value of the "Remaining error budget (30d window)" label is not properly shown.

As you can see there are multiple values "NaN"

Why this is happening and how can I fix it? Thank you in advance!

What: Deployments can have security settings in their manifest on two levels: pod and container. However, there are some capabilities only configurable in one of the respective levels(https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#securitycontext-v1-core). This PR sets a default configuration for container securityContext, which drops all POSIX capabilities and denies privilege escalation and for pod securityContext adds user, group fsGroup and supplementalGroups and also denies root usage. These are and should be standard settings in the context of Kubernetes. It also adds the possibility of running vault-injector in a Kubernetes environment without PSP (to be removed in v1.25 https://kubernetes.io/docs/concepts/security/pod-security-policy/), but with OpenPolicyAgent (possibly the PSP substitute) with the same capabilities as a restricted PSP instead.

This PR sets the respective settings to the values.yaml and is defaulting them as well. With this they can be adopted if it is needed.

I'm wondering what can be done about the scenario where the service has periods of receiving no (or few) requests so NaN values start to creep in.

This is because, for example

(sum(rate(http_server_requests_seconds_count{deployment="sloexample"}[1h])))

evaluates to 0 so you get NaN when you divide by it to get error ratios.

Normally this is fine - until you come to error budgets. My remaining error budget is not "undefined" or NaN just because my service went quiet for a period of time.

Hi,

I created a PrometheusServiceLevel with two SLI. Checking the generated PrometheusRule CR with promtool it complains about a duplicate recording rule.

> promtool check rules example.yaml
Checking example.yaml
1 duplicate rule(s) found.
Metric: slo:sli_error:ratio_rate30d
Label(s):
        sloth_window: 30d
Might cause inconsistency while recording expressions.
  SUCCESS: 34 rules found

example of one generated recording rule.

    - expr: |
        sum_over_time(slo:sli_error:ratio_rate5m{sloth_id="example-ingress-error-rate", sloth_service="example", sloth_slo="ingress-error-rate"}[30d])
        / ignoring (sloth_window)
        count_over_time(slo:sli_error:ratio_rate5m{sloth_id="example-ingress-error-rate", sloth_service="example", sloth_slo="ingress-error-rate"}[30d])
      labels:
        sloth_window: 30d
        // sloth_slo: ingress-error-rate  // <- this fixes promlint complains.
      record: slo:sli_error:ratio_rate30d

The problem can be bypassed by adding abel: sloth_slo: ingress-error-rate to the expression explicitly. Would you accept a PR for this chagne?

👋 Hi there!

First and foremost thanks for open sourcing this, this is cool stuff that I might end up using at work.

Do you have any plans for adding support to different time windows other than 30 days?

I was taking a look at the code and I see it is hardcoded in https://github.com/slok/sloth/blob/main/internal/prometheus/spec.go#L63

I'm not sure if this is just a matter of adding support for this in the api spec or if there's more to it than just that.

This PR adds support for customizing SLO period windows.

It has a new spec that the users can use to decide how the SLO period windows should be. An example of the most common used SLO period (30d) that Sloth has by default, would be declared like this:

apiVersion: "sloth.slok.dev/v1"
kind: "AlertWindows"
spec:
  sloPeriod: 30d
  page:
    quick:
      errorBudgetPercent: 2
      shortWindow: 5m
      longWindow: 1h
    slow:
      errorBudgetPercent: 5
      shortWindow: 30m
      longWindow: 6h
  ticket:
    quick:
      errorBudgetPercent: 10
      shortWindow: 2h
      longWindow: 1d
    slow:
      errorBudgetPercent: 10
      shortWindow: 6h
      longWindow: 3d

By default, Sloth continues supporting 28d and 30d SLO periods.

Also added --slo-period-windows-path flag to load custom SLO period windows from a directory.

BREAKING

• --window-days has been renamed to --default-slo-period.
• Removed -w short flag for --window-days.

Hi, Xabier

I have Prometheus plugin installed in my Jenkins, which is using DropWizard metrics. The plugin exports the metric jenkins_job_total_duration that already includes quantile label. Eg: jenkins_job_total_duration{quantile="0.999"} = 300ms, meaning that 99.9% of Jenkins jobs are having the duration 300ms. However, there's no way to know how many jobs are having that 300ms duration. It's not like the Bucket implementation of Prometheus, where we apply histogram_quantile function and le label to know the duration and how many jobs.

In this case, I can't write the SLO "99.9% Jobs should have duration less than 300ms" in the meta of "ErrorQuery and TotalQuery". Because ms is not jobs to be divided, they're not in the same unit.

So my question is: Is there another way to write SLO in this case ? Does Sloth support another SLO declaration without ErrorQuery and TotalQuery ? Something like RED framework. Would love to know your opinion to define SLO for this case.

I love your work. Thanks, Xabier.

Why?

In our case, PrometheusRule requires labels to be picked up.

Disclaimer

I think I did it right? It works (tested on my clusters), but Golang development is a hobby for me xD I'm a system administrator. Let me know if you want me to change something

In https://github.com/slok/sloth/blob/main/internal/prometheus/recording_rules.go#L53 the SLI for the SLO-period is always calculated using a optimized calculation method. When there isn't uniform load on a service the result of the optimized method can differ quite a lot from a calculation using errors divided by total. An example can be seen below where traffic (green) is very uneven, and the optimized calculation (yellow) underestimates the error rate many times over compared to the regular (blue) calculation.

This comes from the optimized calcuation assuming that each 5m slice are equally important for the overall SLO. You can even see that while the blue line stays static in periods with no traffic, the yellow error rate slowly decreases.

Granted there isn't any broad consensus on how SLOs should be calculated, it is a topic with passionate debate. One example discussing the fairness of using ratio based SLOs can be found in https://grafana.com/blog/2019/11/27/kubecon-recap-how-to-include-latency-in-slo-based-alerting/

“ISPs love to tell you they have 99.9% uptime. What does that mean? This implies it’s time-based, but all night I’m asleep, I am not using my internet connection. And even if there’s a downtime, I won’t notice and my ISP will tell me they were up all the time. Not using the service is like free uptime for the ISP. Then I have a 10-minute, super important video conference, and my internet connection goes down. That’s for me like a full outage. And they say, yeah, 10 minutes per month, that’s three nines, it’s fine.”

A better alternative: a request-based SLA that says, “During each month we’ll serve 99% of requests successfully.”

Would there be any interest in making the OptimizedSLIRecordGenerator optional? With some input on how a user could control this, I'd be happy to try to create a pull request.

This is a very simple typo fix in the heml chart, the string extra-lables -> extra-labels.

Updated the Chart version to 0.4.1 manually, but in case this is not needed please let me know and will revert it back

I try to create a github action to generate the rules but I get an error for my generate command

job part of my github action config:

  generate-slo-job-1:
    name: Generate the SLOs
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: download and setup generator binary
        run: |       
          wget https://github.com/slok/sloth/releases/download/v0.11.0/sloth-linux-amd64
          chmod +x sloth-linux-amd64
          ./sloth-linux-amd64 generate -i ./configuration/sloth/rules/ -o ./configuration/sloth/rules/_gen/
      - uses: EndBug/add-and-commit@v9

error message: error: "generate" command failed: invalid spec, could not load with any of the supported spec types

what would be the correct command?

Issue

When specifying a custom slo period window, the sloth cli returns some technical errors and not the expected behaviour. Even when following the guide on the website, it doesn't work properly. Especially without altering enabled, the page & ticket windows are still required in the AlertWindows.

Expected behaviour

It should be easy to generate SLOs with custom period windows (e.g. 7d or 14d)

Steps to reproduce

Scenario 1: Just specifying the default-slo-period

sloth generate --default-slo-period="14d" -i ./examples/getting-started.yml
...
error: "generate" command failed: invalid default slo period: window period 336h0m0s missing%

Very technical error

Scenario 2: Specifying the default-slo-period and slo-period-windows-path

sloth generate --default-slo-period="7d" --slo-period-windows-path=./examples/windows -i ./examples/getting-started.yml

Works

Scenario 3: Specifying the default-slo-period and slo-period-windows-path without alerting/paging

Change 7d.yaml to not include alerting/paging

apiVersion: sloth.slok.dev/v1
kind: AlertWindows
spec:
  sloPeriod: 7d

sloth generate --default-slo-period="7d" --slo-period-windows-path=./examples/windows -i ./examples/no-alerts.yml
(error: "generate" command failed: could not load SLO period windows repository: could not initialize custom windows: could not discover period windows: could not load "7d.yaml" alert windows: invalid alerting window: invalid page quick: long window is required%

It seems like the page & ticket section in the AlertWindows is needed even though it is not used in the SLO spec.

Ideas

Improve error messages

• Throw a proper error message when custom window can't be found
• Throw a proper error message when the page/ticket section in the AlertWindows is missing (make it required)

Don't throw an error if altering is not needed

• When the alerting is disabled in the SLO spec, it should not be required in the AlertWindows section

Hi folks.

We were wondering if we can monitor and introduce alerts if somethings goes wrong with the sloth operator itself. We deployed it in kubernetes and with the PodMonitor we can fetch the metrics exposed on :8081/metrics. Some seem to be related to the /metrics interface, some on the kooper controller, on Go, etc.

Long story short, we want to be alerted when Sloth could not expand the spec to a prometheus rule. Is there a metric for this and I'm missing it?

Thank you.

Bumps github.com/prometheus/prometheus from 0.40.3 to 0.41.0.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Hi Team, @slok

Is there a way to we can pull the latest image from docker hub registry rather than from ghcr? Last updated tag was a year ago

https://hub.docker.com/r/slok/sloth

Hi there! We will have to create a lot of SLOs (Loading time, Errors rate for > 200 endpoints etc...) Looking at what sloth generated as rules - examples:

- record: slo:sli_error:ratio_rate5m
    expr: |
      (sum(rate(http_request_duration_seconds_count{job="myservice",code=~"(5..|429)"}[5m])))
      /
      (sum(rate(http_request_duration_seconds_count{job="myservice"}[5m])))

- record: slo:sli_error:ratio_rate30d
    expr: |
      sum_over_time(slo:sli_error:ratio_rate5m{sloth_id="myservice-requests-availability", sloth_service="myservice", sloth_slo="requests-availability"}[30d])
      / ignoring (sloth_window)
      count_over_time(slo:sli_error:ratio_rate5m{sloth_id="myservice-requests-availability", sloth_service="myservice", sloth_slo="requests-availability"}[30d])

I have a question regarding how to manage hundred of records in case of we need to specify the service name and handler properties in each record. Is it correct and is it worth to create a single record without specifying the job/service or any other property like the following ones:

- record: slo:sli_error:ratio_rate5m
    expr: |
      (sum(rate(http_request_duration_seconds_count{code=~"(5..|429)"}[5m])))
      /
      (sum(rate(http_request_duration_seconds_count{}[5m])))

- record: slo:sli_error:ratio_rate30d
    expr: |
      sum_over_time(slo:sli_error:ratio_rate5m{}[30d])
      / ignoring (sloth_window)
      count_over_time(slo:sli_error:ratio_rate5m{}[30d])

Thanks a lot for your help!