fix(plugins/k8saudit-aks): skip non-JSON records before parsing

[raajheshkannaa]

What type of PR is this?

/kind bug

Any specific area of the project related to this PR?

/area plugins

What this PR does / why we need it:

When AKS diagnostic settings route multiple categories (kube-apiserver, kube-controller-manager, kube-scheduler, cluster-autoscaler, kube-audit) to the same EventHub, only the kube-audit category emits JSON. The other categories carry klog text in properties.log (e.g. I0109 21:24:54.475483 ... or Trace[7816759]: ...), which the consumer was feeding straight into the JSON parser. The reporter saw ~9100 cannot parse JSON: cannot parse number errors in 20 minutes from a single pod.

The plugin now checks the first non-whitespace byte of properties.log. If it isn't { or [, the record is skipped silently. Kubernetes audit events are always JSON objects or arrays per the API server schema, so the guard cannot drop legitimate events.

Includes a table-driven test for the helper covering JSON objects, JSON arrays, klog info and trace lines, plain text, numbers, string literals, and a UTF-8 BOM case that documents the preserved parser behavior.

The other k8saudit-* plugins are not affected: EKS filters CloudWatch to the kube-apiserver-audit log group before parsing, GKE rejects non-audit Pub/Sub entries, and OVH JSON-decodes its envelope before reaching the audit parser. Keeping the helper local avoids a shared abstraction with no second user.

Which issue(s) this PR fixes:

Fixes #1145

Special notes for your reviewer:

go vet reports two pre-existing warnings about cancel/context paths in Open(). Confirmed on upstream main at 85f6d9e; not introduced by this PR.

Does this PR introduce a user-facing change?:

fix(plugins/k8saudit-aks): skip non-JSON records before parsing so non-audit AKS diagnostic categories (kube-apiserver, cluster-autoscaler, etc.) routed to the same EventHub no longer spam "cannot parse JSON" errors.

[ekoops]

I guess using fastjson.ValidateBytes() is a more robust approach. WDYT?

[raajheshkannaa]

Good call, switched to fastjson.ValidateBytes in 7b23a83. Promoted fastjson from indirect to a direct dependency, renamed the helper to isValidJSON, and updated the table-driven test (the number/string-literal cases are now valid JSON per spec, replaced with a truncated-object case to keep coverage on malformed inputs). Tests pass locally.

[ekoops]

To be honest, I would not create a separate function. I would just call it in place, with a comment describing the fact that we are doing pre-validation to ensure that errors related to non-JSON payloads pollute the logs. Moreover, tests are not needed here, because we are basically testing the fastjson.ValidateBytes() API, which should be a job of fastjson maintainers

[poiana]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: raajheshkannaa
Once this PR has been reviewed and has the lgtm label, please ask for approval from ekoops. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• plugins/k8saudit-aks/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[raajheshkannaa]

Done in a5cb0cf. Inlined fastjson.ValidateBytes at the call site with the rationale in the surrounding comment, and dropped the helper test since it covered upstream fastjson behavior rather than this plugin's logic.