pkg/option: allow policy-filter-map-entries configurable via flag #4331
Conversation
This commit introduces a new flag to configure the number of entries in policy filter maps. This allows users to tune the map size based on workload scale and system resources, improving flexibility in policy handling. Note: this commit only affects policies with k8s segmentation primitives (i.e., either podSelectors or namespaced policies). Fixes: cilium#4260 Signed-off-by: Kyle Dong <[email protected]>
mtardy
left a comment
Thanks for the patch, I think it's the right direction and a good idea, just need a few changes in how it's done :)
| struct { | ||
| __uint(type, BPF_MAP_TYPE_HASH_OF_MAPS); | ||
| __uint(max_entries, POLICY_FILTER_MAX_POLICIES); | ||
| __uint(max_entries, 1); // will be resized by agent when needed |
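Review bot: Hard-coding `max_entries` to 1 makes correct operation depend on the agent's resize step running before the first insert; any load path that skips it leaves the hash-of-maps able to hold a single policy, with no error at load time. Name the resize site in the comment (or keep a named placeholder constant) so the dependency is visible, and since `POLICY_FILTER_MAX_POLICIES` is no longer used here, either drop the define or move the neighbouring cgroup map to the same resize scheme so the two maps are not sized from different sources.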
This is used by policy_filter_cgroup_maps just nearby. Maybe we would need to update both and remove that const?
Sure, I think it makes sense to me. I'll update both of them and remove that const.
| // Set MaxEntries for policy_filter_maps if it exists in the spec. | ||
| // This ensures the spec matches the user-defined value. | ||
| if ms, ok := spec.Maps["policy_filter_maps"]; ok { | ||
| ms.MaxEntries = uint32(option.Config.PolicyFilterMapEntries) | ||
| } | ||
|
|
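Review bot: `uint32(option.Config.PolicyFilterMapEntries)` casts the raw int flag without a range check; a negative value wraps to a multi-billion-entry map request and zero produces a map the kernel will refuse to create, both only surfacing as a load failure far from the flag that caused them. Validate the value (at least `> 0`, and fits in uint32) where the flag is parsed, and consider returning an error rather than silently skipping the resize when `policy_filter_maps` is absent from `spec.Maps`, since a renamed map in the object would otherwise go unnoticed.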
ah yes, there is already a facility to do that at a higher level in the loader (it's just above your new code btw); please use SetMaxEntries on the map itself directly, you need to have the map handle.
I was thinking to reuse SetMaxEntries. However, after digging into the code, I had the following findings:
- `policy_filter_maps` is not a `program.Map`.
- `policy_filter_maps` is created as a raw `ebpf.Map` in `newPfMap()`, which is called during `policyfilter.New()`.
- `policyfilter.GetState()` is called in `StartSensorManager()`, which happens before sensors load.
So your suggestion is to refactor policy_filter_maps from ebpf.Map to program.Map? Also need to refactor this PfMap struct.
Let's ask, since we can, before investing time in this :)!
Hey @tpapagian and @kkourt, I see you are the ones who touched this code; any reason why you didn't use program.Map in the first place?
No reason I remember. Is the idea to make the map a part of the base/exec sensor?
IMO, I think it makes sense to add policy_filter_maps to base sensor (similar to execve_map).
| if _, ok := spec.Maps["policy_filter_maps"]; ok { | ||
| spec.Maps["policy_filter_maps"].MaxEntries = uint32(option.Config.PolicyFilterMapEntries) | ||
| } |
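Review bot: The `spec.Maps["policy_filter_maps"]` lookup is done twice; bind the value returned by the first lookup (`if ms, ok := ...; ok { ms.MaxEntries = ... }`) instead of re-indexing. This is also the same three lines as the other loader hunk on this PR, so the override belongs in one helper called from both sites rather than being copied.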
see the other comment about using SetMaxEntries; you should see an example by grepping
| if ret.cgroupMap, err = openMap(spec, CgroupMapName, polMaxPolicies); err != nil { | ||
| releaseMap(ret.policyMap) | ||
| return PfMap{}, fmt.Errorf("opening cgroup map %s failed: %w", MapName, err) | ||
| return PfMap{}, fmt.Errorf("opening cgroup map %s failed: %w", CgroupMapName, err) |
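Review bot: `openMap(spec, CgroupMapName, polMaxPolicies)` still sizes the cgroup map from the `polMaxPolicies` constant while the policy map is now sized from the flag; if both maps are indexed per policy, a flag value above `polMaxPolicies` leaves the cgroup map short, so both should take their size from the same source. The `MapName` to `CgroupMapName` fix in the error message is correct but unrelated to the flag change and reads better as its own commit.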
maybe this could be part of another commit fixing this typo?
Sure, I'll remove the typo fix from this commit.
Would you like another commit to fix this typo in the same PR, or a separate PR?
same PR is fine :)
|
|
||
| flags.Int(KeyRetprobesCacheSize, defaults.DefaultRetprobesCacheSize, "Set {k,u}retprobes events cache maximum size") | ||
|
|
||
| flags.Int(KeyPolicyFilterMapEntries, defaults.DefaultPolicyFilterMapEntries, "Set entries for policy_filter_map table (default 128)") |
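Review bot: The help string names a `policy_filter_map table` while the map the loader hunks resize is `policy_filter_maps`; use the real map name so users can match the flag to what they see in `bpftool`. `flags.Int` also accepts zero and negative values that are later cast to uint32 unchecked, so a positive-range check on the parsed value belongs next to this definition, and the "(default 128)" suffix duplicates what cobra already prints from `defaults.DefaultPolicyFilterMapEntries`.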
could you be a little bit more explicit in the help about what this map is for and why changing its size would matter (why you would want to increase or decrease it)? Succinct is still better than extra verbose, but out of context on the map, it's not clear why this matters with this help (at least for me :)).
WDYT about this one?
"Set maximum number of policies in policy_filter_maps (default 128). This map restricts tracing policies to specific pods/containers. Increase if you have many policies, decrease to save memory if you have few policies."
yep it's a nice suggestion! Don't need to repeat the default as cobra should display it in the help.
Description
This commit introduces a new flag to configure the number of entries in policy filter maps. This allows users to tune the map size based on workload scale and system resources, improving flexibility in policy handling.
Note: this commit only affects policies with k8s segmentation primitives (i.e., either podSelectors or namespaced policies).
Fixes: #4260
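The loader hunks in this PR cast the raw int flag straight to uint32 and silently skip the resize when the map name is missing from the spec. The Go program below is an added example, not Tetragon's own code and not the cilium/ebpf API: it shows the range check a practitioner would put in front of that cast (naiveCast reproduces the wraparound an unchecked negative value gives), and a resize helper that reports an absent map instead of ignoring it. mapSpec and collectionSpec are stand-ins for the library's MapSpec/CollectionSpec types, and the 1<<16 upper bound, the flag name and the sample spec are assumptions made for the example.

```go
package main

import (
	"errors"
	"flag"
	"fmt"
	"os"
)

// mapSpec and collectionSpec are stand-ins for the subset of cilium/ebpf's
// MapSpec/CollectionSpec that the loader touches. They are illustrative types
// for this example, not the library's own.
type mapSpec struct {
	Name       string
	MaxEntries uint32
}

type collectionSpec struct {
	Maps map[string]*mapSpec
}

const (
	policyFilterMapName        = "policy_filter_maps"
	defaultPolicyFilterEntries = 128
	// Assumed upper bound for the example: the kernel accepts any uint32, but a
	// hash-of-maps holding tens of thousands of inner maps is not a sensible
	// configuration, so reject values above it at startup.
	maxPolicyFilterEntries = 1 << 16
)

var errBadEntries = errors.New("policy-filter-map-entries out of range")

// naiveCast is the unchecked conversion the PR's loader hunks perform.
// A negative flag value wraps to a multi-billion-entry map request.
func naiveCast(raw int) uint32 {
	return uint32(raw)
}

// policyFilterEntries validates the raw flag value before it becomes the
// uint32 that a MapSpec.MaxEntries field requires: zero and negative values
// are rejected, as are values above the assumed upper bound, so the failure
// is reported at the flag rather than as an opaque map-creation error.
func policyFilterEntries(raw int) (uint32, error) {
	if raw <= 0 || raw > maxPolicyFilterEntries {
		return 0, fmt.Errorf("%w: got %d, want 1..%d", errBadEntries, raw, maxPolicyFilterEntries)
	}
	return uint32(raw), nil
}

// applyPolicyFilterEntries resizes policy_filter_maps in the spec and returns
// an error, rather than silently doing nothing, when the map is absent, so a
// renamed map in the BPF object is caught at startup.
func applyPolicyFilterEntries(spec *collectionSpec, n uint32) error {
	ms, ok := spec.Maps[policyFilterMapName]
	if !ok {
		return fmt.Errorf("map %q not found in spec", policyFilterMapName)
	}
	ms.MaxEntries = n
	return nil
}

func main() {
	entries := flag.Int("policy-filter-map-entries", defaultPolicyFilterEntries,
		"Maximum number of policies in policy_filter_maps; this map restricts tracing policies to specific pods/containers")
	flag.Parse()

	n, err := policyFilterEntries(*entries)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}

	// Constructed spec standing in for the loaded BPF object, where the map is
	// declared with max_entries 1 and resized by the agent.
	spec := &collectionSpec{Maps: map[string]*mapSpec{
		policyFilterMapName: {Name: policyFilterMapName, MaxEntries: 1},
	}}
	if err := applyPolicyFilterEntries(spec, n); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("%s max_entries=%d\n", policyFilterMapName, spec.Maps[policyFilterMapName].MaxEntries)
}
```

Run it as `go run . --policy-filter-map-entries=-1` to see the rejection that the unchecked cast would have turned into a 4-billion-entry map request; with a valid value it prints the resized `max_entries`. The check sits at flag-parse time on purpose: the spec override and the map handle's SetMaxEntries both consume a uint32, so validating once before the conversion keeps both call sites free of range logic.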