Skip to content

make the policy update atomic #155

Open
Open
make the policy update atomic#155
Labels
enhancementNew feature or request
Milestone
Backlog
@Andreagit97

Description

@Andreagit97
Andreagit97
opened on Jan 8, 2026

With the current implementation, the update of a policy is not atomic. Let's consider some examples

  1. Let's say we modify both the mode and values of a WorkloadPolicy
from:
    mode: protect
    allow list: A, B, C

to:
    mode: monitor
    allow list: A

Today, we first update the values and then the mode, so there will be a brief window where the policy becomes:

mode: protect
allow list: A

This could cause a transient problem in the user's workload.
This issue is due to the fact that policy mode and values are in 2 different ebpf maps, so there are 2 different update operations.

  1. Our matching strings are saved in 11 ebpf maps. Let's say this is the initial situation
1. stringmap#0: /usr/bin/ls
2. stringmap#1:
3. stringmap#2:
... all empty

We want to replace /usr/bin/ls with /usr/bin/cat and add a new binary /usr/bin/longgggggggggg, we could endup in a situation where we enforce a mix of the previous state and the new state

1. stringmap#0: /usr/bin/ls
2. stringmap#1:
3. stringmap#2: `/usr/bin/longgggggggggg`
... all empty

This is again just transient; in the end, we will end up with

1. stringmap#0: /usr/bin/cat
2. stringmap#1:
3. stringmap#2: `/usr/bin/longgggggggggg`
... all empty

This is because we use multiple EBPF maps to store the matching strings, rather than just one. I'm not even sure this is a real issue, it is probably acceptable to have some ns of a transient state...

Some ideas:

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions