

Actions: add rateLimitScope
Post actions can have a rateLimit argument that specifies how often
identical events from the same hook and thread are generated. There is a
use case to rate limit per process or generally.

This commit introduces the rateLimitScope argument, to be used with
rateLimit, to specify whether the rate limiting should be limited to the
same thread, the same process, or globally, using values "thread"
(default), "process", or "global".

Signed-off-by: Kevin Sheldrake <[email protected]>
kevsecurity committed Jan 11, 2024
1 parent 53d3567 commit abbc757
Showing 12 changed files with 352 additions and 23 deletions.
26 changes: 21 additions & 5 deletions bpf/process/types/basic.h
Expand Up @@ -1865,9 +1865,13 @@ do_action_signal(int signal)
*/
#define KEY_BYTES_PER_ARG 40

/* Rate limit scope. */
#define ACTION_RATE_LIMIT_SCOPE_THREAD 0
#define ACTION_RATE_LIMIT_SCOPE_PROCESS 1
#define ACTION_RATE_LIMIT_SCOPE_GLOBAL 2

struct ratelimit_key {
__u64 func_id;
__u64 retprobe_id;
__u64 action;
__u64 tid;
__u8 data[MAX_POSSIBLE_ARGS * KEY_BYTES_PER_ARG];
Expand Down Expand Up @@ -1904,7 +1908,7 @@ struct {

#ifdef __LARGE_BPF_PROG
static inline __attribute__((always_inline)) bool
rate_limit(__u64 ratelimit_interval, struct msg_generic_kprobe *e)
rate_limit(__u64 ratelimit_interval, __u64 ratelimit_scope, struct msg_generic_kprobe *e)
{
__u64 curr_time = ktime_get_ns();
__u64 *last_repeat_entry;
Expand All @@ -1926,9 +1930,20 @@ rate_limit(__u64 ratelimit_interval, struct msg_generic_kprobe *e)
ro_heap = map_lookup_elem(&ratelimit_ro_heap, &zero);

key->func_id = e->func_id;
key->retprobe_id = e->retprobe_id;
key->action = e->action;
key->tid = e->tid;
switch (ratelimit_scope) {
case ACTION_RATE_LIMIT_SCOPE_THREAD:
key->tid = e->tid;
break;
case ACTION_RATE_LIMIT_SCOPE_PROCESS:
key->tid = e->current.pid;
break;
case ACTION_RATE_LIMIT_SCOPE_GLOBAL:
key->tid = 0;
break;
default:
return false;
}

// Clean the heap
probe_read(key->data, MAX_POSSIBLE_ARGS * KEY_BYTES_PER_ARG, ro_heap);
Expand Down Expand Up @@ -2093,8 +2108,9 @@ do_action(void *ctx, __u32 i, struct msg_generic_kprobe *e,
break;
case ACTION_POST: {
__u64 ratelimit_interval __maybe_unused = actions->act[++i];
__u64 ratelimit_scope __maybe_unused = actions->act[++i];
#ifdef __LARGE_BPF_PROG
if (rate_limit(ratelimit_interval, e))
if (rate_limit(ratelimit_interval, ratelimit_scope, e))
*post = false;
#endif /* __LARGE_BPF_PROG */
__u32 stack_trace = actions->act[++i];
Expand Down
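Review bot: The `default: return false;` arm of the new switch in rate_limit makes an unrecognised ratelimit_scope fail open: the caller in do_action then leaves `*post` true, so the event is emitted with no rate limiting at all and nothing records why. Because the scope arrives from the userspace-written actions array, a silent fall-through to "no limit" is easy to miss; either fall back to thread scope (`key->tid = e->tid;`) or add a comment above the `default:` such as `/* unknown scope: post without rate limiting */` so the choice is explicit, and validate the value before it reaches BPF. Separately, `struct ratelimit_key.tid` now holds a tid, a pid, or 0 depending on scope while the scope itself is not part of the key, so (if I read it right) a thread-scoped and a process-scoped selector with the same func_id/retprobe_id/action could share an entry for a thread-group leader whose tid equals its pid; renaming the field (e.g. `__u64 scope_id;`) with a comment `/* tid, pid or 0 depending on ACTION_RATE_LIMIT_SCOPE_* */` would at least document this. rate_limit's body and do_action both continue outside the hunks.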
5 changes: 5 additions & 0 deletions docs/content/en/docs/concepts/tracing-policy/selectors.md
Expand Up @@ -825,6 +825,11 @@ matchActions:
rateLimit: 5m
```

By default, the rate limiting is applied per thread, meaning that only repeated
actions by the same thread will be rate limited. This can be expanded to all
threads for a process by specifying a rateLimitScope with value "process"; or
can be expanded to all processes by specifying the same with the value "global".

#### Stack traces

`Post` takes the `stackTrace` parameter, when turned to `true` (by default to
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -285,6 +285,17 @@ spec:
('m' suffix) or hours ('h' suffix). Only valid
with the post action.
type: string
rateLimitScope:
description: The scope of the provided rate limit
argument. Can be "thread" (default), "process"
(all threads for the same process), or "global".
If "thread" is selected then rate limiting applies
per thread; if "process" is selected then rate
limiting applies per process; if "global" is selected
then rate limiting applies regardless of which
process or thread caused the action. Only valid
with the post action and with a rateLimit specified.
type: string
stackTrace:
description: Enable stack trace export. Only valid
with the post action.
Expand Down Expand Up @@ -582,6 +593,17 @@ spec:
('m' suffix) or hours ('h' suffix). Only valid
with the post action.
type: string
rateLimitScope:
description: The scope of the provided rate limit
argument. Can be "thread" (default), "process"
(all threads for the same process), or "global".
If "thread" is selected then rate limiting applies
per thread; if "process" is selected then rate
limiting applies per process; if "global" is selected
then rate limiting applies regardless of which
process or thread caused the action. Only valid
with the post action and with a rateLimit specified.
type: string
stackTrace:
description: Enable stack trace export. Only valid
with the post action.
Expand Down Expand Up @@ -908,6 +930,17 @@ spec:
('m' suffix) or hours ('h' suffix). Only valid
with the post action.
type: string
rateLimitScope:
description: The scope of the provided rate limit
argument. Can be "thread" (default), "process"
(all threads for the same process), or "global".
If "thread" is selected then rate limiting applies
per thread; if "process" is selected then rate
limiting applies per process; if "global" is selected
then rate limiting applies regardless of which
process or thread caused the action. Only valid
with the post action and with a rateLimit specified.
type: string
stackTrace:
description: Enable stack trace export. Only valid
with the post action.
Expand Down Expand Up @@ -1205,6 +1238,17 @@ spec:
('m' suffix) or hours ('h' suffix). Only valid
with the post action.
type: string
rateLimitScope:
description: The scope of the provided rate limit
argument. Can be "thread" (default), "process"
(all threads for the same process), or "global".
If "thread" is selected then rate limiting applies
per thread; if "process" is selected then rate
limiting applies per process; if "global" is selected
then rate limiting applies regardless of which
process or thread caused the action. Only valid
with the post action and with a rateLimit specified.
type: string
stackTrace:
description: Enable stack trace export. Only valid
with the post action.
Expand Down Expand Up @@ -1355,6 +1399,17 @@ spec:
('m' suffix) or hours ('h' suffix). Only valid
with the post action.
type: string
rateLimitScope:
description: The scope of the provided rate limit
argument. Can be "thread" (default), "process"
(all threads for the same process), or "global".
If "thread" is selected then rate limiting applies
per thread; if "process" is selected then rate
limiting applies per process; if "global" is selected
then rate limiting applies regardless of which
process or thread caused the action. Only valid
with the post action and with a rateLimit specified.
type: string
stackTrace:
description: Enable stack trace export. Only valid
with the post action.
Expand Down Expand Up @@ -1652,6 +1707,17 @@ spec:
('m' suffix) or hours ('h' suffix). Only valid
with the post action.
type: string
rateLimitScope:
description: The scope of the provided rate limit
argument. Can be "thread" (default), "process"
(all threads for the same process), or "global".
If "thread" is selected then rate limiting applies
per thread; if "process" is selected then rate
limiting applies per process; if "global" is selected
then rate limiting applies regardless of which
process or thread caused the action. Only valid
with the post action and with a rateLimit specified.
type: string
stackTrace:
description: Enable stack trace export. Only valid
with the post action.
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -285,6 +285,17 @@ spec:
('m' suffix) or hours ('h' suffix). Only valid
with the post action.
type: string
rateLimitScope:
description: The scope of the provided rate limit
argument. Can be "thread" (default), "process"
(all threads for the same process), or "global".
If "thread" is selected then rate limiting applies
per thread; if "process" is selected then rate
limiting applies per process; if "global" is selected
then rate limiting applies regardless of which
process or thread caused the action. Only valid
with the post action and with a rateLimit specified.
type: string
stackTrace:
description: Enable stack trace export. Only valid
with the post action.
Expand Down Expand Up @@ -582,6 +593,17 @@ spec:
('m' suffix) or hours ('h' suffix). Only valid
with the post action.
type: string
rateLimitScope:
description: The scope of the provided rate limit
argument. Can be "thread" (default), "process"
(all threads for the same process), or "global".
If "thread" is selected then rate limiting applies
per thread; if "process" is selected then rate
limiting applies per process; if "global" is selected
then rate limiting applies regardless of which
process or thread caused the action. Only valid
with the post action and with a rateLimit specified.
type: string
stackTrace:
description: Enable stack trace export. Only valid
with the post action.
Expand Down Expand Up @@ -908,6 +930,17 @@ spec:
('m' suffix) or hours ('h' suffix). Only valid
with the post action.
type: string
rateLimitScope:
description: The scope of the provided rate limit
argument. Can be "thread" (default), "process"
(all threads for the same process), or "global".
If "thread" is selected then rate limiting applies
per thread; if "process" is selected then rate
limiting applies per process; if "global" is selected
then rate limiting applies regardless of which
process or thread caused the action. Only valid
with the post action and with a rateLimit specified.
type: string
stackTrace:
description: Enable stack trace export. Only valid
with the post action.
Expand Down Expand Up @@ -1205,6 +1238,17 @@ spec:
('m' suffix) or hours ('h' suffix). Only valid
with the post action.
type: string
rateLimitScope:
description: The scope of the provided rate limit
argument. Can be "thread" (default), "process"
(all threads for the same process), or "global".
If "thread" is selected then rate limiting applies
per thread; if "process" is selected then rate
limiting applies per process; if "global" is selected
then rate limiting applies regardless of which
process or thread caused the action. Only valid
with the post action and with a rateLimit specified.
type: string
stackTrace:
description: Enable stack trace export. Only valid
with the post action.
Expand Down Expand Up @@ -1355,6 +1399,17 @@ spec:
('m' suffix) or hours ('h' suffix). Only valid
with the post action.
type: string
rateLimitScope:
description: The scope of the provided rate limit
argument. Can be "thread" (default), "process"
(all threads for the same process), or "global".
If "thread" is selected then rate limiting applies
per thread; if "process" is selected then rate
limiting applies per process; if "global" is selected
then rate limiting applies regardless of which
process or thread caused the action. Only valid
with the post action and with a rateLimit specified.
type: string
stackTrace:
description: Enable stack trace export. Only valid
with the post action.
Expand Down Expand Up @@ -1652,6 +1707,17 @@ spec:
('m' suffix) or hours ('h' suffix). Only valid
with the post action.
type: string
rateLimitScope:
description: The scope of the provided rate limit
argument. Can be "thread" (default), "process"
(all threads for the same process), or "global".
If "thread" is selected then rate limiting applies
per thread; if "process" is selected then rate
limiting applies per process; if "global" is selected
then rate limiting applies regardless of which
process or thread caused the action. Only valid
with the post action and with a rateLimit specified.
type: string
stackTrace:
description: Enable stack trace export. Only valid
with the post action.
Expand Down
8 changes: 8 additions & 0 deletions pkg/k8s/apis/cilium.io/v1alpha1/types.go
Expand Up @@ -221,6 +221,14 @@ type ActionSelector struct {
// or hours ('h' suffix). Only valid with the post action.
RateLimit string `json:"rateLimit"`
// +kubebuilder:validation:Optional
// The scope of the provided rate limit argument. Can be "thread" (default),
// "process" (all threads for the same process), or "global". If "thread" is
// selected then rate limiting applies per thread; if "process" is selected
// then rate limiting applies per process; if "global" is selected then rate
// limiting applies regardless of which process or thread caused the action.
// Only valid with the post action and with a rateLimit specified.
RateLimitScope string `json:"rateLimitScope"`
// +kubebuilder:validation:Optional
// Enable stack trace export. Only valid with the post action.
StackTrace bool `json:"stackTrace"`
}
Expand Down
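Review bot: `RateLimitScope` is declared as a free-form string carrying only `+kubebuilder:validation:Optional`, so the API server accepts any value and a typo such as "proces" is detected, if at all, only when the policy is later translated into the BPF action (where the C side silently disables rate limiting for unknown values). Adding `// +kubebuilder:validation:Enum=thread;process;global` above the field would reject invalid scopes at admission and make the generated CRD schema self-documenting; regenerating the CRD YAML in this commit would then pick up the enum. The comment states that "thread" is the default but not what an empty string maps to — if the conversion treats "" as thread scope, say so: `// An empty value is treated as "thread".` The ActionSelector struct starts outside the hunk.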
2 changes: 1 addition & 1 deletion pkg/k8s/apis/cilium.io/v1alpha1/version.go
Expand Up @@ -7,4 +7,4 @@ package v1alpha1
// Used to determine if CRD needs to be updated in cluster
//
// Developers: Bump patch for each change in the CRD schema.
const CustomResourceDefinitionSchemaVersion = "1.1.2"
const CustomResourceDefinitionSchemaVersion = "1.1.3"
