docs: update doc related to rate limiting feature
The feature was changed in 92a7652 to
only work on the Post action which was not reflected in the doc. This
commit changes that.

Signed-off-by: Mahe Tardy <[email protected]>
mtardy committed Sep 5, 2023
1 parent 60bd1a7 commit 766143a
Showing 7 changed files with 79 additions and 59 deletions.
40 changes: 23 additions & 17 deletions docs/content/en/docs/concepts/tracing-policy/selectors.md
Expand Up @@ -509,20 +509,6 @@ executed directly in the kernel BPF code while `GetUrl` and `DnsLookup` are
happening in userspace after the reception of events.
{{< /note >}}

All actions can be rate limited by adding the rateLimit parameter with a
time value. This value defaults to seconds, but post-fixing 'm' or 'h' will
cause the value to be interpreted in minutes or hours. When this parameter is
specified for an action, that action will check if the same action has fired
within the time window, with the same inspected arguments. (Only the first 16
bytes of each inspected argument is used in the matching. Only supported on
kernels v5.3 onwards.)

```yaml
matchActions:
- action: Post
rateLimit: 5m
```

### Sigkill action

`Sigkill` action terminates synchronously the process that made the call that
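Review bot: With the rate-limiting paragraph and its `rateLimit: 5m` example removed from this spot, the general actions text now ends at the note about `GetUrl` and `DnsLookup` and says nothing about rate limiting. A reader who learned the old wording ("All actions can be rate limited") gets no signal here that the parameter now belongs to `Post` only. A one-line pointer to the Post action section, placed just before `### Sigkill action`, would cover that.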
Expand Down Expand Up @@ -800,9 +786,29 @@ matchActions:

### Post action

The `Post` action is intended to create an event but at the moment should be
considered as deprecated as all `TracingPolicy` will generate an event by
default.
The `Post` action allows an event to be transmitted to the agent, from
kernelspace to userspace. By default, all `TracingPolicy` hook will create an
event with the `Post` action except in those situations:
- a `NoPost` action was specified in a `matchActions`;
- a rate-limiting parameter is in place, see details below.

This action allows you to specify parameters for the `Post` action.

`Post` takes the `rateLimit` parameter with a time value. This value defaults
to seconds, but post-fixing 'm' or 'h' will cause the value to be interpreted
in minutes or hours. When this parameter is specified for an action, that
action will check if the same action has fired within the time window, with the
same inspected arguments. (Only the first 16 bytes of each inspected argument
is used in the matching. Only supported on kernels v5.3 onwards.)

For example, you can specify a selector to only generate an event every 5
minutes with adding the following action and its paramater:

```yaml
matchActions:
- action: Post
rateLimit: 5m
```

### NoPost action

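Review bot: In the new `rateLimit` paragraph, the parenthetical "Only the first 16 bytes of each inspected argument is used in the matching" should be spelled out as a consequence rather than left as an aside: two calls whose inspected arguments differ only after byte 16 count as the same event, so the second one is not posted within the window. For a policy used for detection that is a visibility gap and the doc should say so explicitly. Smaller wording points in the same hunk: "paramater" should be "parameter", "with adding" reads better as "by adding", "all `TracingPolicy` hook" should be "hooks", and "This action allows you to specify parameters for the `Post` action" is circular and can be dropped or merged into the next sentence.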
Expand Up @@ -253,11 +253,12 @@ spec:
description: A time period within which repeated
messages will not be posted. Can be specified
in seconds (default or with 's' suffix), minutes
('m' suffix) or hours ('h' suffix).
('m' suffix) or hours ('h' suffix). Only valid
with the post action.
type: string
stackTrace:
description: Enable stack trace export, only valid
with for the post action
description: Enable stack trace export. Only valid
with the post action.
type: boolean
required:
- action
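Review bot: The two new description sentences say "Only valid with the post action", but the value users write is `Post` (as in the `action: Post` example in selectors.md), so the description should use the same capitalised name. It would also help to say what happens when `rateLimit` or `stackTrace` is set on another action, since nothing in these schema lines (`type: string`, `type: boolean`) rejects it. The same text recurs in the later CRD hunks and in the types.go comments, so the wording is best fixed once at the source.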
Expand Down Expand Up @@ -775,11 +776,12 @@ spec:
description: A time period within which repeated
messages will not be posted. Can be specified
in seconds (default or with 's' suffix), minutes
('m' suffix) or hours ('h' suffix).
('m' suffix) or hours ('h' suffix). Only valid
with the post action.
type: string
stackTrace:
description: Enable stack trace export, only valid
with for the post action
description: Enable stack trace export. Only valid
with the post action.
type: boolean
required:
- action
Expand Down Expand Up @@ -1143,11 +1145,12 @@ spec:
description: A time period within which repeated
messages will not be posted. Can be specified
in seconds (default or with 's' suffix), minutes
('m' suffix) or hours ('h' suffix).
('m' suffix) or hours ('h' suffix). Only valid
with the post action.
type: string
stackTrace:
description: Enable stack trace export, only valid
with for the post action
description: Enable stack trace export. Only valid
with the post action.
type: boolean
required:
- action
Expand Up @@ -253,11 +253,12 @@ spec:
description: A time period within which repeated
messages will not be posted. Can be specified
in seconds (default or with 's' suffix), minutes
('m' suffix) or hours ('h' suffix).
('m' suffix) or hours ('h' suffix). Only valid
with the post action.
type: string
stackTrace:
description: Enable stack trace export, only valid
with for the post action
description: Enable stack trace export. Only valid
with the post action.
type: boolean
required:
- action
Expand Down Expand Up @@ -775,11 +776,12 @@ spec:
description: A time period within which repeated
messages will not be posted. Can be specified
in seconds (default or with 's' suffix), minutes
('m' suffix) or hours ('h' suffix).
('m' suffix) or hours ('h' suffix). Only valid
with the post action.
type: string
stackTrace:
description: Enable stack trace export, only valid
with for the post action
description: Enable stack trace export. Only valid
with the post action.
type: boolean
required:
- action
Expand Down Expand Up @@ -1143,11 +1145,12 @@ spec:
description: A time period within which repeated
messages will not be posted. Can be specified
in seconds (default or with 's' suffix), minutes
('m' suffix) or hours ('h' suffix).
('m' suffix) or hours ('h' suffix). Only valid
with the post action.
type: string
stackTrace:
description: Enable stack trace export, only valid
with for the post action
description: Enable stack trace export. Only valid
with the post action.
type: boolean
required:
- action
7 changes: 4 additions & 3 deletions pkg/k8s/apis/cilium.io/v1alpha1/types.go
Expand Up @@ -208,11 +208,12 @@ type ActionSelector struct {
// An arg index for the sock for trackSock and untrackSock actions
ArgSock uint32 `json:"argSock"`
// +kubebuilder:validation:Optional
// A time period within which repeated messages will not be posted. Can be specified in seconds (default or with
// 's' suffix), minutes ('m' suffix) or hours ('h' suffix).
// A time period within which repeated messages will not be posted. Can be
// specified in seconds (default or with 's' suffix), minutes ('m' suffix)
// or hours ('h' suffix). Only valid with the post action.
RateLimit string `json:"rateLimit"`
// +kubebuilder:validation:Optional
// Enable stack trace export, only valid with for the post action
// Enable stack trace export. Only valid with the post action.
StackTrace bool `json:"stackTrace"`
}

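Review bot: `RateLimit` stays a free-form `string` whose accepted format (a number with an optional 's', 'm' or 'h' suffix) is described only in the comment, with `+kubebuilder:validation:Optional` as the only marker on the field. Consider adding a `+kubebuilder:validation:Pattern` marker so a malformed value is rejected when the policy is applied instead of being interpreted later, and state in both comments what happens when `RateLimit` or `StackTrace` is set on an action other than Post.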

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
