Actions: add rateLimitScope #1962

Merged
merged 1 commit into from
Jan 11, 2024
26 changes: 21 additions & 5 deletions bpf/process/types/basic.h
Expand Up @@ -1865,9 +1865,13 @@ do_action_signal(int signal)
*/
#define KEY_BYTES_PER_ARG 40

/* Rate limit scope. */
#define ACTION_RATE_LIMIT_SCOPE_THREAD 0
#define ACTION_RATE_LIMIT_SCOPE_PROCESS 1
#define ACTION_RATE_LIMIT_SCOPE_GLOBAL 2

struct ratelimit_key {
__u64 func_id;
__u64 retprobe_id;
__u64 action;
__u64 tid;
__u8 data[MAX_POSSIBLE_ARGS * KEY_BYTES_PER_ARG];
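
Review bot: in struct ratelimit_key the tid field no longer always holds a thread id once these scopes exist, because rate_limit() stores e->current.pid or 0 in it for the process and global scopes. Rename the field to something scope-neutral or add a comment on it, and extend the one-line "Rate limit scope." comment to say what each ACTION_RATE_LIMIT_SCOPE_* value keys on, since these numbers arrive through actions->act and whatever encodes that array has to use the same values.
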
Expand Down Expand Up @@ -1904,7 +1908,7 @@ struct {

#ifdef __LARGE_BPF_PROG
static inline __attribute__((always_inline)) bool
rate_limit(__u64 ratelimit_interval, struct msg_generic_kprobe *e)
rate_limit(__u64 ratelimit_interval, __u64 ratelimit_scope, struct msg_generic_kprobe *e)
{
__u64 curr_time = ktime_get_ns();
__u64 *last_repeat_entry;
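
Review bot: rate_limit() now takes ratelimit_interval and ratelimit_scope as two adjacent __u64 parameters, so a call with the arguments swapped compiles without a warning. A short comment above the function stating the interval unit, the accepted ACTION_RATE_LIMIT_SCOPE_* values, and that a true return means the event is suppressed would make the contract explicit.
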
Expand All @@ -1926,9 +1930,20 @@ rate_limit(__u64 ratelimit_interval, struct msg_generic_kprobe *e)
ro_heap = map_lookup_elem(&ratelimit_ro_heap, &zero);

Member

would it make sense to memset zero those returned heap entries? (didn't check all the logic)

Contributor Author

I overwrite the heap with a read only heap that is all zero, using a probe_read. It should cost about the same as a memset but doesn't cost me the instruction / complexity count.

key->func_id = e->func_id;
key->retprobe_id = e->retprobe_id;
Member

I guess this was never used?

Contributor Author

Yeah was overkill.

key->action = e->action;
key->tid = e->tid;
switch (ratelimit_scope) {
case ACTION_RATE_LIMIT_SCOPE_THREAD:
key->tid = e->tid;
break;
case ACTION_RATE_LIMIT_SCOPE_PROCESS:
key->tid = e->current.pid;
break;
case ACTION_RATE_LIMIT_SCOPE_GLOBAL:
key->tid = 0;
break;
default:
return false;
}

// Clean the heap
probe_read(key->data, MAX_POSSIBLE_ARGS * KEY_BYTES_PER_ARG, ro_heap);
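
Review bot: the default branch of the switch on ratelimit_scope returns false, and do_action only clears *post when rate_limit() returns true, so an unrecognised scope value turns rate limiting off for that action with no signal to the policy author. If that is intended, say so in a comment; otherwise fall back to ACTION_RATE_LIMIT_SCOPE_THREAD or reject the value before the policy is loaded. Separately, the scope is not itself part of the key: whenever e->current.pid for a process-scoped action equals e->tid for a thread-scoped one, or a thread id is 0 as in the global case, two actions with the same func_id and action share an entry unless key->data differs.
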
Expand Down Expand Up @@ -2093,8 +2108,9 @@ do_action(void *ctx, __u32 i, struct msg_generic_kprobe *e,
break;
case ACTION_POST: {
__u64 ratelimit_interval __maybe_unused = actions->act[++i];
__u64 ratelimit_scope __maybe_unused = actions->act[++i];
#ifdef __LARGE_BPF_PROG
if (rate_limit(ratelimit_interval, e))
if (rate_limit(ratelimit_interval, ratelimit_scope, e))
*post = false;
#endif /* __LARGE_BPF_PROG */
__u32 stack_trace = actions->act[++i];
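
Review bot: ratelimit_scope is read with actions->act[++i] outside the #ifdef __LARGE_BPF_PROG block, so every ACTION_POST entry now occupies one more slot and stack_trace is taken from the slot after it. Whatever builds the action array has to emit a scope value for every post action, including those without a rateLimit, or stack_trace will be read from the wrong position. A comment next to this case listing the ACTION_POST argument order (interval, scope, stack trace) would keep the two sides aligned.
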
5 changes: 5 additions & 0 deletions docs/content/en/docs/concepts/tracing-policy/selectors.md
Expand Up @@ -825,6 +825,11 @@ matchActions:
rateLimit: 5m
```

By default, the rate limiting is applied per thread, meaning that only repeated
actions by the same thread will be rate limited. This can be expanded to all
threads for a process by specifying a rateLimitScope with value "process"; or
can be expanded to all processes by specifying the same with the value "global".

#### Stack traces

`Post` takes the `stackTrace` parameter, when turned to `true` (by default to
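
Review bot: the added paragraph introduces rateLimitScope and its values in plain text and gives no example, while the section's existing example ends at `rateLimit: 5m`. Format the field name and the values thread, process and global as code like the other parameters, show a matchActions entry with both rateLimit and rateLimitScope set, and state here that the scope only takes effect when a rateLimit is specified, as the CRD description does.
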
Expand Up @@ -285,6 +285,17 @@ spec:
('m' suffix) or hours ('h' suffix). Only valid
with the post action.
type: string
rateLimitScope:
description: The scope of the provided rate limit
argument. Can be "thread" (default), "process"
(all threads for the same process), or "global".
If "thread" is selected then rate limiting applies
per thread; if "process" is selected then rate
limiting applies per process; if "global" is selected
then rate limiting applies regardless of which
process or thread caused the action. Only valid
with the post action and with a rateLimit specified.
type: string
stackTrace:
description: Enable stack trace export. Only valid
with the post action.
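
Review bot: the rateLimitScope description ends with "Only valid with the post action and with a rateLimit specified", but the schema entry is just type: string, so a policy that sets rateLimitScope without rateLimit, or on another action, is accepted as far as this schema is concerned. If the field is silently ignored in those cases, have policy loading reject it or warn, so the author learns the scope had no effect.
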
Expand Down Expand Up @@ -582,6 +593,17 @@ spec:
('m' suffix) or hours ('h' suffix). Only valid
with the post action.
type: string
rateLimitScope:
description: The scope of the provided rate limit
argument. Can be "thread" (default), "process"
(all threads for the same process), or "global".
If "thread" is selected then rate limiting applies
per thread; if "process" is selected then rate
limiting applies per process; if "global" is selected
then rate limiting applies regardless of which
process or thread caused the action. Only valid
with the post action and with a rateLimit specified.
type: string
stackTrace:
description: Enable stack trace export. Only valid
with the post action.
Expand Down Expand Up @@ -908,6 +930,17 @@ spec:
('m' suffix) or hours ('h' suffix). Only valid
with the post action.
type: string
rateLimitScope:
description: The scope of the provided rate limit
argument. Can be "thread" (default), "process"
(all threads for the same process), or "global".
If "thread" is selected then rate limiting applies
per thread; if "process" is selected then rate
limiting applies per process; if "global" is selected
then rate limiting applies regardless of which
process or thread caused the action. Only valid
with the post action and with a rateLimit specified.
type: string
stackTrace:
description: Enable stack trace export. Only valid
with the post action.
Expand Down Expand Up @@ -1205,6 +1238,17 @@ spec:
('m' suffix) or hours ('h' suffix). Only valid
with the post action.
type: string
rateLimitScope:
description: The scope of the provided rate limit
argument. Can be "thread" (default), "process"
(all threads for the same process), or "global".
If "thread" is selected then rate limiting applies
per thread; if "process" is selected then rate
limiting applies per process; if "global" is selected
then rate limiting applies regardless of which
process or thread caused the action. Only valid
with the post action and with a rateLimit specified.
type: string
stackTrace:
description: Enable stack trace export. Only valid
with the post action.
Expand Down Expand Up @@ -1355,6 +1399,17 @@ spec:
('m' suffix) or hours ('h' suffix). Only valid
with the post action.
type: string
rateLimitScope:
description: The scope of the provided rate limit
argument. Can be "thread" (default), "process"
(all threads for the same process), or "global".
If "thread" is selected then rate limiting applies
per thread; if "process" is selected then rate
limiting applies per process; if "global" is selected
then rate limiting applies regardless of which
process or thread caused the action. Only valid
with the post action and with a rateLimit specified.
type: string
stackTrace:
description: Enable stack trace export. Only valid
with the post action.
Expand Down Expand Up @@ -1652,6 +1707,17 @@ spec:
('m' suffix) or hours ('h' suffix). Only valid
with the post action.
type: string
rateLimitScope:
description: The scope of the provided rate limit
argument. Can be "thread" (default), "process"
(all threads for the same process), or "global".
If "thread" is selected then rate limiting applies
per thread; if "process" is selected then rate
limiting applies per process; if "global" is selected
then rate limiting applies regardless of which
process or thread caused the action. Only valid
with the post action and with a rateLimit specified.
type: string
stackTrace:
description: Enable stack trace export. Only valid
with the post action.
Expand Up @@ -285,6 +285,17 @@ spec:
('m' suffix) or hours ('h' suffix). Only valid
with the post action.
type: string
rateLimitScope:
description: The scope of the provided rate limit
argument. Can be "thread" (default), "process"
(all threads for the same process), or "global".
If "thread" is selected then rate limiting applies
per thread; if "process" is selected then rate
limiting applies per process; if "global" is selected
then rate limiting applies regardless of which
process or thread caused the action. Only valid
with the post action and with a rateLimit specified.
type: string
stackTrace:
description: Enable stack trace export. Only valid
with the post action.
Expand Down Expand Up @@ -582,6 +593,17 @@ spec:
('m' suffix) or hours ('h' suffix). Only valid
with the post action.
type: string
rateLimitScope:
description: The scope of the provided rate limit
argument. Can be "thread" (default), "process"
(all threads for the same process), or "global".
If "thread" is selected then rate limiting applies
per thread; if "process" is selected then rate
limiting applies per process; if "global" is selected
then rate limiting applies regardless of which
process or thread caused the action. Only valid
with the post action and with a rateLimit specified.
type: string
stackTrace:
description: Enable stack trace export. Only valid
with the post action.
Expand Down Expand Up @@ -908,6 +930,17 @@ spec:
('m' suffix) or hours ('h' suffix). Only valid
with the post action.
type: string
rateLimitScope:
description: The scope of the provided rate limit
argument. Can be "thread" (default), "process"
(all threads for the same process), or "global".
If "thread" is selected then rate limiting applies
per thread; if "process" is selected then rate
limiting applies per process; if "global" is selected
then rate limiting applies regardless of which
process or thread caused the action. Only valid
with the post action and with a rateLimit specified.
type: string
stackTrace:
description: Enable stack trace export. Only valid
with the post action.
Expand Down Expand Up @@ -1205,6 +1238,17 @@ spec:
('m' suffix) or hours ('h' suffix). Only valid
with the post action.
type: string
rateLimitScope:
description: The scope of the provided rate limit
argument. Can be "thread" (default), "process"
(all threads for the same process), or "global".
If "thread" is selected then rate limiting applies
per thread; if "process" is selected then rate
limiting applies per process; if "global" is selected
then rate limiting applies regardless of which
process or thread caused the action. Only valid
with the post action and with a rateLimit specified.
type: string
stackTrace:
description: Enable stack trace export. Only valid
with the post action.
Expand Down Expand Up @@ -1355,6 +1399,17 @@ spec:
('m' suffix) or hours ('h' suffix). Only valid
with the post action.
type: string
rateLimitScope:
description: The scope of the provided rate limit
argument. Can be "thread" (default), "process"
(all threads for the same process), or "global".
If "thread" is selected then rate limiting applies
per thread; if "process" is selected then rate
limiting applies per process; if "global" is selected
then rate limiting applies regardless of which
process or thread caused the action. Only valid
with the post action and with a rateLimit specified.
type: string
stackTrace:
description: Enable stack trace export. Only valid
with the post action.
Expand Down Expand Up @@ -1652,6 +1707,17 @@ spec:
('m' suffix) or hours ('h' suffix). Only valid
with the post action.
type: string
rateLimitScope:
description: The scope of the provided rate limit
argument. Can be "thread" (default), "process"
(all threads for the same process), or "global".
If "thread" is selected then rate limiting applies
per thread; if "process" is selected then rate
limiting applies per process; if "global" is selected
then rate limiting applies regardless of which
process or thread caused the action. Only valid
with the post action and with a rateLimit specified.
type: string
stackTrace:
description: Enable stack trace export. Only valid
with the post action.
8 changes: 8 additions & 0 deletions pkg/k8s/apis/cilium.io/v1alpha1/types.go
Expand Up @@ -221,6 +221,14 @@ type ActionSelector struct {
// or hours ('h' suffix). Only valid with the post action.
RateLimit string `json:"rateLimit"`
// +kubebuilder:validation:Optional
// The scope of the provided rate limit argument. Can be "thread" (default),
// "process" (all threads for the same process), or "global". If "thread" is
// selected then rate limiting applies per thread; if "process" is selected
// then rate limiting applies per process; if "global" is selected then rate
// limiting applies regardless of which process or thread caused the action.
// Only valid with the post action and with a rateLimit specified.
RateLimitScope string `json:"rateLimitScope"`
// +kubebuilder:validation:Optional
// Enable stack trace export. Only valid with the post action.
StackTrace bool `json:"stackTrace"`
}
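
Review bot: RateLimitScope is an unconstrained string carrying only +kubebuilder:validation:Optional, although its comment lists exactly three accepted values. Adding a +kubebuilder:validation:Enum=thread;process;global marker would have the API server reject a misspelled scope at admission instead of leaving it to policy parsing. The comment should also state that the empty string, the field's zero value, means the "thread" default.
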
2 changes: 1 addition & 1 deletion pkg/k8s/apis/cilium.io/v1alpha1/version.go
Expand Up @@ -7,4 +7,4 @@ package v1alpha1
// Used to determine if CRD needs to be updated in cluster
//
// Developers: Bump patch for each change in the CRD schema.
const CustomResourceDefinitionSchemaVersion = "1.1.2"
const CustomResourceDefinitionSchemaVersion = "1.1.3"