From abbc75708e9c758d5242892f61ec350986a0751e Mon Sep 17 00:00:00 2001 From: Kevin Sheldrake Date: Thu, 11 Jan 2024 14:13:34 +0000 Subject: [PATCH] Actions: add rateLimitScope Post actions can have a rateLimit argument that specifies how often identical events from the same hook and thread are generated. There is a use case to rate limit per process or generally. This commit introduces the rateLimitScope argument, to be used with rateLimit, to specify whether the rate limiting should be limited to the same thread, the same process, or globally, using values "thread" (default), "process", or "global". Signed-off-by: Kevin Sheldrake --- bpf/process/types/basic.h | 26 ++++++-- .../docs/concepts/tracing-policy/selectors.md | 5 ++ .../v1alpha1/cilium.io_tracingpolicies.yaml | 66 +++++++++++++++++++ .../cilium.io_tracingpoliciesnamespaced.yaml | 66 +++++++++++++++++++ pkg/k8s/apis/cilium.io/v1alpha1/types.go | 8 +++ pkg/k8s/apis/cilium.io/v1alpha1/version.go | 2 +- pkg/selectors/kernel.go | 33 ++++++++-- pkg/selectors/kernel_test.go | 27 ++++---- .../v1alpha1/cilium.io_tracingpolicies.yaml | 66 +++++++++++++++++++ .../cilium.io_tracingpoliciesnamespaced.yaml | 66 +++++++++++++++++++ .../pkg/k8s/apis/cilium.io/v1alpha1/types.go | 8 +++ .../k8s/apis/cilium.io/v1alpha1/version.go | 2 +- 12 files changed, 352 insertions(+), 23 deletions(-) diff --git a/bpf/process/types/basic.h b/bpf/process/types/basic.h index 879f087fede..a4a55e8ae75 100644 --- a/bpf/process/types/basic.h +++ b/bpf/process/types/basic.h @@ -1865,9 +1865,13 @@ do_action_signal(int signal) */ #define KEY_BYTES_PER_ARG 40 +/* Rate limit scope. */ +#define ACTION_RATE_LIMIT_SCOPE_THREAD 0 +#define ACTION_RATE_LIMIT_SCOPE_PROCESS 1 +#define ACTION_RATE_LIMIT_SCOPE_GLOBAL 2 + struct ratelimit_key { __u64 func_id; - __u64 retprobe_id; __u64 action; __u64 tid; __u8 data[MAX_POSSIBLE_ARGS * KEY_BYTES_PER_ARG]; 
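Review bot: Dropping `retprobe_id` from `struct ratelimit_key` is not mentioned in the commit message, and it changes what collides: an entry probe and a return probe that share func_id, action and the scope key now presumably share one rate-limit slot, so a return event can be suppressed by a preceding entry event within the interval. If that is intended, say so in the message or in a comment on the struct; otherwise keep the field. The `tid` member also now holds a tid, a pid or 0 depending on the scope, which its name no longer conveys, so a comment such as `__u64 tid; /* tid, pid or 0, chosen by the rate-limit scope */` would help readers of the key layout. The struct definition continues past the end of the hunk.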
@@ -1904,7 +1908,7 @@ struct { #ifdef __LARGE_BPF_PROG static inline __attribute__((always_inline)) bool -rate_limit(__u64 ratelimit_interval, struct msg_generic_kprobe *e) +rate_limit(__u64 ratelimit_interval, __u64 ratelimit_scope, struct msg_generic_kprobe *e) { __u64 curr_time = ktime_get_ns(); __u64 *last_repeat_entry; @@ -1926,9 +1930,20 @@ rate_limit(__u64 ratelimit_interval, struct msg_generic_kprobe *e) ro_heap = map_lookup_elem(&ratelimit_ro_heap, &zero); key->func_id = e->func_id; - key->retprobe_id = e->retprobe_id; key->action = e->action; - key->tid = e->tid; + switch (ratelimit_scope) { + case ACTION_RATE_LIMIT_SCOPE_THREAD: + key->tid = e->tid; + break; + case ACTION_RATE_LIMIT_SCOPE_PROCESS: + key->tid = e->current.pid; + break; + case ACTION_RATE_LIMIT_SCOPE_GLOBAL: + key->tid = 0; + break; + default: + return false; + } // Clean the heap probe_read(key->data, MAX_POSSIBLE_ARGS * KEY_BYTES_PER_ARG, ro_heap); @@ -2093,8 +2108,9 @@ do_action(void *ctx, __u32 i, struct msg_generic_kprobe *e, break; case ACTION_POST: { __u64 ratelimit_interval __maybe_unused = actions->act[++i]; + __u64 ratelimit_scope __maybe_unused = actions->act[++i]; #ifdef __LARGE_BPF_PROG - if (rate_limit(ratelimit_interval, e)) + if (rate_limit(ratelimit_interval, ratelimit_scope, e)) *post = false; #endif /* __LARGE_BPF_PROG */ __u32 stack_trace = actions->act[++i]; diff --git a/docs/content/en/docs/concepts/tracing-policy/selectors.md b/docs/content/en/docs/concepts/tracing-policy/selectors.md index 56b8a34cc86..294e425ae84 100644 --- a/docs/content/en/docs/concepts/tracing-policy/selectors.md +++ b/docs/content/en/docs/concepts/tracing-policy/selectors.md 
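Review bot: `default: return false;` in rate_limit() turns an unrecognised scope value into "never rate limit" for that action, and the ACTION_RATE_LIMIT_SCOPE_* defines are duplicated as the iota constants in pkg/selectors/kernel.go with nothing tying the two tables together. Because userspace validates the string and emits the number, that branch should only be reachable on an encoding mismatch, so a comment at the defines, `/* Must match ActionRateLimitScope* in pkg/selectors/kernel.go. */`, and a matching one on the Go side is the cheap way to keep them aligned. Note that do_action() now consumes one extra `actions->act[++i]` slot for every ACTION_POST even without __LARGE_BPF_PROG, so the scope word must always be present in the selector encoding; the kernel.go hunk does write it unconditionally. The bodies of rate_limit() and do_action() continue outside the hunk.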
@@ -825,6 +825,11 @@ matchActions: rateLimit: 5m ``` +By default, the rate limiting is applied per thread, meaning that only repeated +actions by the same thread will be rate limited. This can be expanded to all +threads for a process by specifying a rateLimitScope with value "process"; or +can be expanded to all processes by specifying the same with the value "global". + #### Stack traces `Post` takes the `stackTrace` parameter, when turned to `true` (by default to diff --git a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml index c7d189a7095..738b8574c56 100644 --- a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml +++ b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml @@ -285,6 +285,17 @@ spec: ('m' suffix) or hours ('h' suffix). Only valid with the post action. type: string + rateLimitScope: + description: The scope of the provided rate limit + argument. Can be "thread" (default), "process" + (all threads for the same process), or "global". + If "thread" is selected then rate limiting applies + per thread; if "process" is selected then rate + limiting applies per process; if "global" is selected + then rate limiting applies regardless of which + process or thread caused the action. Only valid + with the post action and with a rateLimit specified. + type: string stackTrace: description: Enable stack trace export. Only valid with the post action. 
@@ -582,6 +593,17 @@ spec: ('m' suffix) or hours ('h' suffix). Only valid with the post action. type: string + rateLimitScope: + description: The scope of the provided rate limit + argument. Can be "thread" (default), "process" + (all threads for the same process), or "global". + If "thread" is selected then rate limiting applies + per thread; if "process" is selected then rate + limiting applies per process; if "global" is selected + then rate limiting applies regardless of which + process or thread caused the action. Only valid + with the post action and with a rateLimit specified. + type: string stackTrace: description: Enable stack trace export. Only valid with the post action. @@ -908,6 +930,17 @@ spec: ('m' suffix) or hours ('h' suffix). Only valid with the post action. type: string + rateLimitScope: + description: The scope of the provided rate limit + argument. Can be "thread" (default), "process" + (all threads for the same process), or "global". + If "thread" is selected then rate limiting applies + per thread; if "process" is selected then rate + limiting applies per process; if "global" is selected + then rate limiting applies regardless of which + process or thread caused the action. Only valid + with the post action and with a rateLimit specified. + type: string stackTrace: description: Enable stack trace export. Only valid with the post action. 
@@ -1205,6 +1238,17 @@ spec: ('m' suffix) or hours ('h' suffix). Only valid with the post action. type: string + rateLimitScope: + description: The scope of the provided rate limit + argument. Can be "thread" (default), "process" + (all threads for the same process), or "global". + If "thread" is selected then rate limiting applies + per thread; if "process" is selected then rate + limiting applies per process; if "global" is selected + then rate limiting applies regardless of which + process or thread caused the action. Only valid + with the post action and with a rateLimit specified. + type: string stackTrace: description: Enable stack trace export. Only valid with the post action. @@ -1355,6 +1399,17 @@ spec: ('m' suffix) or hours ('h' suffix). Only valid with the post action. type: string + rateLimitScope: + description: The scope of the provided rate limit + argument. Can be "thread" (default), "process" + (all threads for the same process), or "global". + If "thread" is selected then rate limiting applies + per thread; if "process" is selected then rate + limiting applies per process; if "global" is selected + then rate limiting applies regardless of which + process or thread caused the action. Only valid + with the post action and with a rateLimit specified. + type: string stackTrace: description: Enable stack trace export. Only valid with the post action. 
@@ -1652,6 +1707,17 @@ spec: ('m' suffix) or hours ('h' suffix). Only valid with the post action. type: string + rateLimitScope: + description: The scope of the provided rate limit + argument. Can be "thread" (default), "process" + (all threads for the same process), or "global". + If "thread" is selected then rate limiting applies + per thread; if "process" is selected then rate + limiting applies per process; if "global" is selected + then rate limiting applies regardless of which + process or thread caused the action. Only valid + with the post action and with a rateLimit specified. + type: string stackTrace: description: Enable stack trace export. Only valid with the post action. diff --git a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml index 4e40f35c8b7..d9bcbf4ba51 100644 --- a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml +++ b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml @@ -285,6 +285,17 @@ spec: ('m' suffix) or hours ('h' suffix). Only valid with the post action. type: string + rateLimitScope: + description: The scope of the provided rate limit + argument. Can be "thread" (default), "process" + (all threads for the same process), or "global". + If "thread" is selected then rate limiting applies + per thread; if "process" is selected then rate + limiting applies per process; if "global" is selected + then rate limiting applies regardless of which + process or thread caused the action. Only valid + with the post action and with a rateLimit specified. + type: string stackTrace: description: Enable stack trace export. Only valid with the post action. 
@@ -582,6 +593,17 @@ spec: ('m' suffix) or hours ('h' suffix). Only valid with the post action. type: string + rateLimitScope: + description: The scope of the provided rate limit + argument. Can be "thread" (default), "process" + (all threads for the same process), or "global". + If "thread" is selected then rate limiting applies + per thread; if "process" is selected then rate + limiting applies per process; if "global" is selected + then rate limiting applies regardless of which + process or thread caused the action. Only valid + with the post action and with a rateLimit specified. + type: string stackTrace: description: Enable stack trace export. Only valid with the post action. @@ -908,6 +930,17 @@ spec: ('m' suffix) or hours ('h' suffix). Only valid with the post action. type: string + rateLimitScope: + description: The scope of the provided rate limit + argument. Can be "thread" (default), "process" + (all threads for the same process), or "global". + If "thread" is selected then rate limiting applies + per thread; if "process" is selected then rate + limiting applies per process; if "global" is selected + then rate limiting applies regardless of which + process or thread caused the action. Only valid + with the post action and with a rateLimit specified. + type: string stackTrace: description: Enable stack trace export. Only valid with the post action. 
@@ -1205,6 +1238,17 @@ spec: ('m' suffix) or hours ('h' suffix). Only valid with the post action. type: string + rateLimitScope: + description: The scope of the provided rate limit + argument. Can be "thread" (default), "process" + (all threads for the same process), or "global". + If "thread" is selected then rate limiting applies + per thread; if "process" is selected then rate + limiting applies per process; if "global" is selected + then rate limiting applies regardless of which + process or thread caused the action. Only valid + with the post action and with a rateLimit specified. + type: string stackTrace: description: Enable stack trace export. Only valid with the post action. @@ -1355,6 +1399,17 @@ spec: ('m' suffix) or hours ('h' suffix). Only valid with the post action. type: string + rateLimitScope: + description: The scope of the provided rate limit + argument. Can be "thread" (default), "process" + (all threads for the same process), or "global". + If "thread" is selected then rate limiting applies + per thread; if "process" is selected then rate + limiting applies per process; if "global" is selected + then rate limiting applies regardless of which + process or thread caused the action. Only valid + with the post action and with a rateLimit specified. + type: string stackTrace: description: Enable stack trace export. Only valid with the post action. 
@@ -1652,6 +1707,17 @@ spec: ('m' suffix) or hours ('h' suffix). Only valid with the post action. type: string + rateLimitScope: + description: The scope of the provided rate limit + argument. Can be "thread" (default), "process" + (all threads for the same process), or "global". + If "thread" is selected then rate limiting applies + per thread; if "process" is selected then rate + limiting applies per process; if "global" is selected + then rate limiting applies regardless of which + process or thread caused the action. Only valid + with the post action and with a rateLimit specified. + type: string stackTrace: description: Enable stack trace export. Only valid with the post action. diff --git a/pkg/k8s/apis/cilium.io/v1alpha1/types.go b/pkg/k8s/apis/cilium.io/v1alpha1/types.go index 191f37c91e0..323b39a6f40 100644 --- a/pkg/k8s/apis/cilium.io/v1alpha1/types.go +++ b/pkg/k8s/apis/cilium.io/v1alpha1/types.go @@ -221,6 +221,14 @@ type ActionSelector struct { // or hours ('h' suffix). Only valid with the post action. RateLimit string `json:"rateLimit"` // +kubebuilder:validation:Optional + // The scope of the provided rate limit argument. Can be "thread" (default), + // "process" (all threads for the same process), or "global". If "thread" is + // selected then rate limiting applies per thread; if "process" is selected + // then rate limiting applies per process; if "global" is selected then rate + // limiting applies regardless of which process or thread caused the action. + // Only valid with the post action and with a rateLimit specified. + RateLimitScope string `json:"rateLimitScope"` + // +kubebuilder:validation:Optional // Enable stack trace export. Only valid with the post action. StackTrace bool `json:"stackTrace"` } diff --git a/pkg/k8s/apis/cilium.io/v1alpha1/version.go b/pkg/k8s/apis/cilium.io/v1alpha1/version.go index f54cef27815..3975e80fc12 100644 --- a/pkg/k8s/apis/cilium.io/v1alpha1/version.go +++ b/pkg/k8s/apis/cilium.io/v1alpha1/version.go 
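Review bot: `RateLimitScope` is accepted as a free-form string by the API server; a `// +kubebuilder:validation:Enum=thread;process;global` marker on the field would reject typos at admission time instead of at policy load, where parseRateLimit in pkg/selectors/kernel.go currently reports them. The doc comment could also state the consequence of the wider scopes for monitoring coverage: with "global" a repeated matching event from any process suppresses posting for every process until the interval elapses, so one busy process can mask the same event from all others, and "process" does the same across that process's threads. The comment says the field is only valid together with rateLimit, but nothing in the parser enforces that pairing; the struct continues outside the hunk.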
@@ -7,4 +7,4 @@ package v1alpha1
 // Used to determine if CRD needs to be updated in cluster
 //
 // Developers: Bump patch for each change in the CRD schema.
-const CustomResourceDefinitionSchemaVersion = "1.1.2"
+const CustomResourceDefinitionSchemaVersion = "1.1.3"
diff --git a/pkg/selectors/kernel.go b/pkg/selectors/kernel.go
index 1478587cd4a..2eb91e221e6 100644
--- a/pkg/selectors/kernel.go
+++ b/pkg/selectors/kernel.go
@@ -68,6 +68,18 @@ var actionTypeStringTable = map[uint32]string{
 ActionTypeNotifyKiller: "notifykiller",
 }
+const (
+ ActionRateLimitScopeThread = iota
+ ActionRateLimitScopeProcess
+ ActionRateLimitScopeGlobal
+)
+
+var actionRateLimitScope = map[string]uint32{
+ "thread": ActionRateLimitScopeThread,
+ "process": ActionRateLimitScopeProcess,
+ "global": ActionRateLimitScopeGlobal,
+}
+
 // Action argument table entry (for URL and FQDN arguments)
 type ActionArgEntry struct {
 arg string
@@ -902,7 +914,7 @@ func ParseMatchArgs(k *KernelSelectorState, args []v1alpha1.ArgSelector, sig []v
 }
 // User specifies rateLimit in seconds, minutes or hours, but we store it in milliseconds.
-func parseRateLimit(str string) (uint32, error) {
+func parseRateLimit(str string, scopeStr string) (uint32, uint32, error) {
 multiplier := uint32(0)
 switch str[len(str)-1] {
 case 's', 'S':
@@ -916,7 +928,7 @@ func parseRateLimit(str string) (uint32, error) {
 var err error
 if multiplier != 0 {
 if len(str) == 1 {
- return 0, fmt.Errorf("parseRateLimit: rateLimit value %s is invalid", str)
+ return 0, 0, fmt.Errorf("parseRateLimit: rateLimit value %s is invalid", str)
 }
 rateLimit, err = strconv.ParseUint(str[:len(str)-1], 10, 32)
 } else {
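Review bot: The exported `ActionRateLimitScopeThread`/`Process`/`Global` constants and the `actionRateLimitScope` table carry no doc comment, and nothing records that their numeric values are what the BPF side switches on. Suggest `// ActionRateLimitScope* select the key the BPF rate limiter uses; the values must match ACTION_RATE_LIMIT_SCOPE_* in bpf/process/types/basic.h.` above the const block, so the next person reordering either list sees the coupling. In the new parseRateLimit signature, `str string, scopeStr string` would conventionally be written `str, scopeStr string`. The function body continues in the following hunks.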
@@ -924,13 +936,22 @@ func parseRateLimit(str string) (uint32, error) {
 multiplier = 1
 }
 if err != nil {
- return 0, fmt.Errorf("parseRateLimit: rateLimit value %s is invalid", str)
+ return 0, 0, fmt.Errorf("parseRateLimit: rateLimit value %s is invalid", str)
 }
+ scope := uint32(ActionRateLimitScopeThread)
+ if scopeStr != "" {
+ var ok bool
+ scope, ok = actionRateLimitScope[scopeStr]
+ if !ok {
+ return 0, 0, fmt.Errorf("parseRateLimit: rateLimitScope value %s is invalid", scopeStr)
+ }
+ }
+
 rateLimit = rateLimit * uint64(multiplier) * 1000
 if rateLimit > 0xffffffff {
 rateLimit = 0xffffffff
 }
- return uint32(rateLimit), nil
+ return uint32(rateLimit), scope, nil
 }
 func ParseMatchAction(k *KernelSelectorState, action *v1alpha1.ActionSelector, actionArgTable *idtable.Table) error {
@@ -941,12 +962,13 @@ func ParseMatchAction(k *KernelSelectorState, action *v1alpha1.ActionSelector, a
 WriteSelectorUint32(&k.data, act)
 rateLimit := uint32(0)
+ rateLimitScope := uint32(0)
 if action.RateLimit != "" {
 if act != ActionTypePost {
 return fmt.Errorf("rate limiting can only applied to post action (was applied to '%s')", action.Action)
 }
 var err error
- rateLimit, err = parseRateLimit(action.RateLimit)
+ rateLimit, rateLimitScope, err = parseRateLimit(action.RateLimit, action.RateLimitScope)
 if err != nil {
 return err
 }
@@ -979,6 +1001,7 @@ func ParseMatchAction(k *KernelSelectorState, action *v1alpha1.ActionSelector, a
 WriteSelectorUint32(&k.data, action.ArgSock)
 case ActionTypePost:
 WriteSelectorUint32(&k.data, rateLimit)
+ WriteSelectorUint32(&k.data, rateLimitScope)
 stackTrace := uint32(0)
 if action.StackTrace {
 stackTrace = 1
diff --git a/pkg/selectors/kernel_test.go b/pkg/selectors/kernel_test.go
index 812246536f3..909af89f6d1 100644
--- a/pkg/selectors/kernel_test.go
+++ b/pkg/selectors/kernel_test.go
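Review bot: A `rateLimitScope` supplied without `rateLimit` is silently dropped in ParseMatchAction, because parseRateLimit is only reached inside `if action.RateLimit != ""`, whereas the CRD text promises the field is only valid together with rateLimit. A policy author who sets `rateLimitScope: global` and forgets the interval gets no rate limiting and no error; add `if action.RateLimitScope != "" && action.RateLimit == "" { return fmt.Errorf("rateLimitScope requires rateLimit to be set") }` ahead of that block. In parseRateLimit the rejection message could use `%q` for scopeStr so a blank or whitespace value is visible in the error. The body of ParseMatchAction continues outside the hunk.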
@@ -477,6 +477,7 @@ func TestParseMatchAction(t *testing.T) { expected1 := []byte{ 0x00, 0x00, 0x00, 0x00, // Action = "post" 0x00, 0x00, 0x00, 0x00, // DontRepeatFor = 0 + 0x00, 0x00, 0x00, 0x00, // DontRepeatForScope = 0 0x00, 0x00, 0x00, 0x00, // StackTrace = 0 } if err := ParseMatchAction(k, act1, &actionArgTable); err != nil || bytes.Equal(expected1, d.e[0:d.off]) == false { @@ -488,9 +489,10 @@ func TestParseMatchAction(t *testing.T) { expected2 := []byte{ 0x00, 0x00, 0x00, 0x00, // Action = "post" 0x00, 0x00, 0x00, 0x00, // DontRepeatFor = 0 + 0x00, 0x00, 0x00, 0x00, // DontRepeatForScope = 0 0x00, 0x00, 0x00, 0x00, // StackTrace = 0 } - length := []byte{28, 0x00, 0x00, 0x00} + length := []byte{36, 0x00, 0x00, 0x00} expected := append(length, expected1[:]...) expected = append(expected, expected2[:]...) @@ -593,11 +595,11 @@ func TestInitKernelSelectors(t *testing.T) { } expected_selsize_small := []byte{ - 0xf8, 0x00, 0x00, 0x00, // size = pids + args + actions + namespaces + capabilities + 4 + 0xfc, 0x00, 0x00, 0x00, // size = pids + args + actions + namespaces + capabilities + 4 } expected_selsize_large := []byte{ - 0x2c, 0x01, 0x00, 0x00, // size = pids + args + actions + namespaces + namespacesChanges + capabilities + capabilityChanges + 4 + 0x30, 0x01, 0x00, 0x00, // size = pids + args + actions + namespaces + namespacesChanges + capabilities + capabilityChanges + 4 } expected_filters := []byte{ 
@@ -682,14 +684,14 @@ func TestInitKernelSelectors(t *testing.T) { expected_last_large := []byte{ // arg header - 88, 0x00, 0x00, 0x00, // size = sizeof(arg2) + sizeof(arg1) + 4 + 88, 0x00, 0x00, 0x00, // size = sizeof(arg2) + sizeof(arg1) + 24 24, 0x00, 0x00, 0x00, // arg[0] offset 64, 0x00, 0x00, 0x00, // arg[1] offset 0x00, 0x00, 0x00, 0x00, // arg[2] offset 0x00, 0x00, 0x00, 0x00, // arg[3] offset 0x00, 0x00, 0x00, 0x00, // arg[4] offset - //arg1 size = 26 + //arg1 size = 40 0x01, 0x00, 0x00, 0x00, // Index == 1 0x03, 0x00, 0x00, 0x00, // operator == equal 32, 0x00, 0x00, 0x00, // length == 32 @@ -710,9 +712,10 @@ func TestInitKernelSelectors(t *testing.T) { 0x02, 0x00, 0x00, 0x00, // value 2 // actions header - 28, 0x00, 0x00, 0x00, // size = (3 * sizeof(uint32) * number of actions) + args + 32, 0x00, 0x00, 0x00, // size = (4 * sizeof(uint32) * number of actions) + args 0x00, 0x00, 0x00, 0x00, // post to userspace 0x00, 0x00, 0x00, 0x00, // DontRepeatFor = 0 + 0x00, 0x00, 0x00, 0x00, // DontRepeatForScope = 0 0x00, 0x00, 0x00, 0x00, // StackTrace = 0 0x01, 0x00, 0x00, 0x00, // fdinstall 0x00, 0x00, 0x00, 0x00, // arg index of fd @@ -721,14 +724,14 @@ func TestInitKernelSelectors(t *testing.T) { expected_last_small := []byte{ // arg header - 64, 0x00, 0x00, 0x00, // size = sizeof(arg2) + sizeof(arg1) + 4 + 64, 0x00, 0x00, 0x00, // size = sizeof(arg2) + sizeof(arg1) + 32 24, 0x00, 0x00, 0x00, // arg[0] offset 0x00, 0x00, 0x00, 0x00, // arg[1] offset 0x00, 0x00, 0x00, 0x00, // arg[2] offset 0x00, 0x00, 0x00, 0x00, // arg[3] offset 0x00, 0x00, 0x00, 0x00, // arg[4] offset - //arg1 size = 26 + //arg1 size = 40 0x01, 0x00, 0x00, 0x00, // Index == 1 0x03, 0x00, 0x00, 0x00, // operator == equal 32, 0x00, 0x00, 0x00, // length == 32 
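Review bot: The arg-header comments were rewritten inconsistently: the large case now reads `size = sizeof(arg2) + sizeof(arg1) + 24` and the small case `size = sizeof(arg2) + sizeof(arg1) + 32`, while the byte values 88 and 64 and the header shape (one size word plus five offsets) are the same in both, so at most one formula describes the layout. These comment edits, like the `arg1 size = 40` ones, look unrelated to the scope change and deserve a sentence in the commit message if they are deliberate corrections. Whichever figure is right should be used in both comments; the small-case hunk is the last one on this physical line and the enclosing test function continues beyond it.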
@@ -741,9 +744,10 @@ func TestInitKernelSelectors(t *testing.T) { 0xff, 0xff, 0xff, 0xff, // map ID for strings 121-144 // actions header - 28, 0x00, 0x00, 0x00, // size = (3 * sizeof(uint32) * number of actions) + args + 4 + 32, 0x00, 0x00, 0x00, // size = (4 * sizeof(uint32) * number of actions) + args + 4 0x00, 0x00, 0x00, 0x00, // post to userspace 0x00, 0x00, 0x00, 0x00, // DontRepeatFor = 0 + 0x00, 0x00, 0x00, 0x00, // DontRepeatForScope = 0 0x00, 0x00, 0x00, 0x00, // StackTrace = 0 0x01, 0x00, 0x00, 0x00, // fdinstall 0x00, 0x00, 0x00, 0x00, // arg index of fd @@ -925,16 +929,17 @@ func TestReturnSelectorArgIntActionFollowfd(t *testing.T) { expU32Push(1) // off: 0 number of selectors expU32Push(4) // off: 4 relative ofset of selector (4 + 4 = 8) - expU32Push(56) // off: 8 selector: length + expU32Push(60) // off: 8 selector: length expU32Push(24) // off: 12 selector: matchReturnArgs length expU32Push(0) // off: 16 selector: matchReturnArgs arg offset[0] expU32Push(0) // off: 20 selector: matchReturnArgs arg offset[1] expU32Push(0) // off: 24 selector: matchReturnArgs arg offset[2] expU32Push(0) // off: 28 selector: matchReturnArgs arg offset[3] expU32Push(0) // off: 32 selector: matchReturnArgs arg offset[4] - expU32Push(28) // off: 36 selector: matchReturnActions length + expU32Push(32) // off: 36 selector: matchReturnActions length expU32Push(0) // off: 40 selector: selectors.ActionTypePost expU32Push(0) // off: 44 selector: rateLimit + expU32Push(0) // off: 44 selector: rateLimitScope expU32Push(0) // off: 48 selector: stackTrace expU32Push(1) // off: 52 selector: selectors.ActionTypeFollowFd expU32Push(7) // off: 56 selector: action.ArgFd diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml index c7d189a7095..738b8574c56 100644 
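Review bot: The new `expU32Push(0) // off: 44 selector: rateLimitScope` line repeats offset 44 and leaves the following comments at 48, 52 and 56, so the annotated layout no longer matches the bytes the test asserts; it should read `// off: 48 selector: rateLimitScope` with stackTrace, ActionTypeFollowFd and ArgFd moving to 52, 56 and 60. The pushed values themselves look consistent with the selector length moving from 56 to 60 and the actions length from 28 to 32. The test function continues outside the hunk.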
--- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml @@ -285,6 +285,17 @@ spec: ('m' suffix) or hours ('h' suffix). Only valid with the post action. type: string + rateLimitScope: + description: The scope of the provided rate limit + argument. Can be "thread" (default), "process" + (all threads for the same process), or "global". + If "thread" is selected then rate limiting applies + per thread; if "process" is selected then rate + limiting applies per process; if "global" is selected + then rate limiting applies regardless of which + process or thread caused the action. Only valid + with the post action and with a rateLimit specified. + type: string stackTrace: description: Enable stack trace export. Only valid with the post action. @@ -582,6 +593,17 @@ spec: ('m' suffix) or hours ('h' suffix). Only valid with the post action. type: string + rateLimitScope: + description: The scope of the provided rate limit + argument. Can be "thread" (default), "process" + (all threads for the same process), or "global". + If "thread" is selected then rate limiting applies + per thread; if "process" is selected then rate + limiting applies per process; if "global" is selected + then rate limiting applies regardless of which + process or thread caused the action. Only valid + with the post action and with a rateLimit specified. + type: string stackTrace: description: Enable stack trace export. Only valid with the post action. 
@@ -908,6 +930,17 @@ spec: ('m' suffix) or hours ('h' suffix). Only valid with the post action. type: string + rateLimitScope: + description: The scope of the provided rate limit + argument. Can be "thread" (default), "process" + (all threads for the same process), or "global". + If "thread" is selected then rate limiting applies + per thread; if "process" is selected then rate + limiting applies per process; if "global" is selected + then rate limiting applies regardless of which + process or thread caused the action. Only valid + with the post action and with a rateLimit specified. + type: string stackTrace: description: Enable stack trace export. Only valid with the post action. @@ -1205,6 +1238,17 @@ spec: ('m' suffix) or hours ('h' suffix). Only valid with the post action. type: string + rateLimitScope: + description: The scope of the provided rate limit + argument. Can be "thread" (default), "process" + (all threads for the same process), or "global". + If "thread" is selected then rate limiting applies + per thread; if "process" is selected then rate + limiting applies per process; if "global" is selected + then rate limiting applies regardless of which + process or thread caused the action. Only valid + with the post action and with a rateLimit specified. + type: string stackTrace: description: Enable stack trace export. Only valid with the post action. 
@@ -1355,6 +1399,17 @@ spec: ('m' suffix) or hours ('h' suffix). Only valid with the post action. type: string + rateLimitScope: + description: The scope of the provided rate limit + argument. Can be "thread" (default), "process" + (all threads for the same process), or "global". + If "thread" is selected then rate limiting applies + per thread; if "process" is selected then rate + limiting applies per process; if "global" is selected + then rate limiting applies regardless of which + process or thread caused the action. Only valid + with the post action and with a rateLimit specified. + type: string stackTrace: description: Enable stack trace export. Only valid with the post action. @@ -1652,6 +1707,17 @@ spec: ('m' suffix) or hours ('h' suffix). Only valid with the post action. type: string + rateLimitScope: + description: The scope of the provided rate limit + argument. Can be "thread" (default), "process" + (all threads for the same process), or "global". + If "thread" is selected then rate limiting applies + per thread; if "process" is selected then rate + limiting applies per process; if "global" is selected + then rate limiting applies regardless of which + process or thread caused the action. Only valid + with the post action and with a rateLimit specified. + type: string stackTrace: description: Enable stack trace export. Only valid with the post action. diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml index 4e40f35c8b7..d9bcbf4ba51 100644 --- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml 
@@ -285,6 +285,17 @@ spec: ('m' suffix) or hours ('h' suffix). Only valid with the post action. type: string + rateLimitScope: + description: The scope of the provided rate limit + argument. Can be "thread" (default), "process" + (all threads for the same process), or "global". + If "thread" is selected then rate limiting applies + per thread; if "process" is selected then rate + limiting applies per process; if "global" is selected + then rate limiting applies regardless of which + process or thread caused the action. Only valid + with the post action and with a rateLimit specified. + type: string stackTrace: description: Enable stack trace export. Only valid with the post action. @@ -582,6 +593,17 @@ spec: ('m' suffix) or hours ('h' suffix). Only valid with the post action. type: string + rateLimitScope: + description: The scope of the provided rate limit + argument. Can be "thread" (default), "process" + (all threads for the same process), or "global". + If "thread" is selected then rate limiting applies + per thread; if "process" is selected then rate + limiting applies per process; if "global" is selected + then rate limiting applies regardless of which + process or thread caused the action. Only valid + with the post action and with a rateLimit specified. + type: string stackTrace: description: Enable stack trace export. Only valid with the post action. 
@@ -908,6 +930,17 @@ spec: ('m' suffix) or hours ('h' suffix). Only valid with the post action. type: string + rateLimitScope: + description: The scope of the provided rate limit + argument. Can be "thread" (default), "process" + (all threads for the same process), or "global". + If "thread" is selected then rate limiting applies + per thread; if "process" is selected then rate + limiting applies per process; if "global" is selected + then rate limiting applies regardless of which + process or thread caused the action. Only valid + with the post action and with a rateLimit specified. + type: string stackTrace: description: Enable stack trace export. Only valid with the post action. @@ -1205,6 +1238,17 @@ spec: ('m' suffix) or hours ('h' suffix). Only valid with the post action. type: string + rateLimitScope: + description: The scope of the provided rate limit + argument. Can be "thread" (default), "process" + (all threads for the same process), or "global". + If "thread" is selected then rate limiting applies + per thread; if "process" is selected then rate + limiting applies per process; if "global" is selected + then rate limiting applies regardless of which + process or thread caused the action. Only valid + with the post action and with a rateLimit specified. + type: string stackTrace: description: Enable stack trace export. Only valid with the post action. 
@@ -1355,6 +1399,17 @@ spec: ('m' suffix) or hours ('h' suffix). Only valid with the post action. type: string + rateLimitScope: + description: The scope of the provided rate limit + argument. Can be "thread" (default), "process" + (all threads for the same process), or "global". + If "thread" is selected then rate limiting applies + per thread; if "process" is selected then rate + limiting applies per process; if "global" is selected + then rate limiting applies regardless of which + process or thread caused the action. Only valid + with the post action and with a rateLimit specified. + type: string stackTrace: description: Enable stack trace export. Only valid with the post action. @@ -1652,6 +1707,17 @@ spec: ('m' suffix) or hours ('h' suffix). Only valid with the post action. type: string + rateLimitScope: + description: The scope of the provided rate limit + argument. Can be "thread" (default), "process" + (all threads for the same process), or "global". + If "thread" is selected then rate limiting applies + per thread; if "process" is selected then rate + limiting applies per process; if "global" is selected + then rate limiting applies regardless of which + process or thread caused the action. Only valid + with the post action and with a rateLimit specified. + type: string stackTrace: description: Enable stack trace export. Only valid with the post action. diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go index 191f37c91e0..323b39a6f40 100644 --- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go 
@@ -221,6 +221,14 @@ type ActionSelector struct { // or hours ('h' suffix). Only valid with the post action. RateLimit string `json:"rateLimit"` // +kubebuilder:validation:Optional + // The scope of the provided rate limit argument. Can be "thread" (default), + // "process" (all threads for the same process), or "global". If "thread" is + // selected then rate limiting applies per thread; if "process" is selected + // then rate limiting applies per process; if "global" is selected then rate + // limiting applies regardless of which process or thread caused the action. + // Only valid with the post action and with a rateLimit specified. + RateLimitScope string `json:"rateLimitScope"` + // +kubebuilder:validation:Optional // Enable stack trace export. Only valid with the post action. StackTrace bool `json:"stackTrace"` } diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/version.go b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/version.go index f54cef27815..3975e80fc12 100644 --- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/version.go +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/version.go @@ -7,4 +7,4 @@ package v1alpha1 // Used to determine if CRD needs to be updated in cluster // // Developers: Bump patch for each change in the CRD schema. -const CustomResourceDefinitionSchemaVersion = "1.1.2" +const CustomResourceDefinitionSchemaVersion = "1.1.3"