From 766143a9803332d5591fb8a382b2aaca7b99d1df Mon Sep 17 00:00:00 2001 From: Mahe Tardy Date: Tue, 5 Sep 2023 12:45:32 +0200 Subject: [PATCH] docs: update doc related to rate limiting feature The feature was changed in 92a76520e7c5a8c9714bcfd6f7a05aa9fe1d1b9e to only work on the Post action which was not reflected in the doc. This commit changes that. Signed-off-by: Mahe Tardy --- .../docs/concepts/tracing-policy/selectors.md | 40 +++++++++++-------- .../v1alpha1/cilium.io_tracingpolicies.yaml | 21 +++++----- .../cilium.io_tracingpoliciesnamespaced.yaml | 21 +++++----- pkg/k8s/apis/cilium.io/v1alpha1/types.go | 7 ++-- .../v1alpha1/cilium.io_tracingpolicies.yaml | 21 +++++----- .../cilium.io_tracingpoliciesnamespaced.yaml | 21 +++++----- .../pkg/k8s/apis/cilium.io/v1alpha1/types.go | 7 ++-- 7 files changed, 79 insertions(+), 59 deletions(-) diff --git a/docs/content/en/docs/concepts/tracing-policy/selectors.md b/docs/content/en/docs/concepts/tracing-policy/selectors.md index fdbaef30a0e..cfbac545c22 100644 --- a/docs/content/en/docs/concepts/tracing-policy/selectors.md +++ b/docs/content/en/docs/concepts/tracing-policy/selectors.md @@ -509,20 +509,6 @@ executed directly in the kernel BPF code while `GetUrl` and `DnsLookup` are happening in userspace after the reception of events. {{< /note >}} -All actions can be rate limited by adding the rateLimit parameter with a -time value. This value defaults to seconds, but post-fixing 'm' or 'h' will -cause the value to be interpreted in minutes or hours. When this parameter is -specified for an action, that action will check if the same action has fired -within the time window, with the same inspected arguments. (Only the first 16 -bytes of each inspected argument is used in the matching. Only supported on -kernels v5.3 onwards.) - -```yaml -matchActions: -- action: Post - rateLimit: 5m -``` - ### Sigkill action `Sigkill` action terminates synchronously the process that made the call that 
@@ -800,9 +786,29 @@ matchActions: ### Post action -The `Post` action is intended to create an event but at the moment should be -considered as deprecated as all `TracingPolicy` will generate an event by -default. +The `Post` action allows an event to be transmitted to the agent, from +kernelspace to userspace. By default, all `TracingPolicy` hook will create an +event with the `Post` action except in those situations: +- a `NoPost` action was specified in a `matchActions`; +- a rate-limiting parameter is in place, see details below. + +This action allows you to specify parameters for the `Post` action. + +`Post` takes the `rateLimit` parameter with a time value. This value defaults +to seconds, but post-fixing 'm' or 'h' will cause the value to be interpreted +in minutes or hours. When this parameter is specified for an action, that +action will check if the same action has fired within the time window, with the +same inspected arguments. (Only the first 16 bytes of each inspected argument +is used in the matching. Only supported on kernels v5.3 onwards.) + +For example, you can specify a selector to only generate an event every 5 +minutes with adding the following action and its paramater: + +```yaml +matchActions: +- action: Post + rateLimit: 5m +``` ### NoPost action diff --git a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml index d9f5cf706f0..a898151fcf9 100644 --- a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml +++ b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml 
@@ -253,11 +253,12 @@ spec: description: A time period within which repeated messages will not be posted. Can be specified in seconds (default or with 's' suffix), minutes - ('m' suffix) or hours ('h' suffix). + ('m' suffix) or hours ('h' suffix). Only valid + with the post action. type: string stackTrace: - description: Enable stack trace export, only valid - with for the post action + description: Enable stack trace export. Only valid + with the post action. type: boolean required: - action @@ -775,11 +776,12 @@ spec: description: A time period within which repeated messages will not be posted. Can be specified in seconds (default or with 's' suffix), minutes - ('m' suffix) or hours ('h' suffix). + ('m' suffix) or hours ('h' suffix). Only valid + with the post action. type: string stackTrace: - description: Enable stack trace export, only valid - with for the post action + description: Enable stack trace export. Only valid + with the post action. type: boolean required: - action @@ -1143,11 +1145,12 @@ spec: description: A time period within which repeated messages will not be posted. Can be specified in seconds (default or with 's' suffix), minutes - ('m' suffix) or hours ('h' suffix). + ('m' suffix) or hours ('h' suffix). Only valid + with the post action. type: string stackTrace: - description: Enable stack trace export, only valid - with for the post action + description: Enable stack trace export. Only valid + with the post action. type: boolean required: - action diff --git a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml index 64b048a15ef..2b1d7de2669 100644 --- a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml +++ b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml 
@@ -253,11 +253,12 @@ spec: description: A time period within which repeated messages will not be posted. Can be specified in seconds (default or with 's' suffix), minutes - ('m' suffix) or hours ('h' suffix). + ('m' suffix) or hours ('h' suffix). Only valid + with the post action. type: string stackTrace: - description: Enable stack trace export, only valid - with for the post action + description: Enable stack trace export. Only valid + with the post action. type: boolean required: - action @@ -775,11 +776,12 @@ spec: description: A time period within which repeated messages will not be posted. Can be specified in seconds (default or with 's' suffix), minutes - ('m' suffix) or hours ('h' suffix). + ('m' suffix) or hours ('h' suffix). Only valid + with the post action. type: string stackTrace: - description: Enable stack trace export, only valid - with for the post action + description: Enable stack trace export. Only valid + with the post action. type: boolean required: - action @@ -1143,11 +1145,12 @@ spec: description: A time period within which repeated messages will not be posted. Can be specified in seconds (default or with 's' suffix), minutes - ('m' suffix) or hours ('h' suffix). + ('m' suffix) or hours ('h' suffix). Only valid + with the post action. type: string stackTrace: - description: Enable stack trace export, only valid - with for the post action + description: Enable stack trace export. Only valid + with the post action. type: boolean required: - action diff --git a/pkg/k8s/apis/cilium.io/v1alpha1/types.go b/pkg/k8s/apis/cilium.io/v1alpha1/types.go index 0b86bb6c741..52cc9aa2ff5 100644 --- a/pkg/k8s/apis/cilium.io/v1alpha1/types.go +++ b/pkg/k8s/apis/cilium.io/v1alpha1/types.go 
@@ -208,11 +208,12 @@ type ActionSelector struct { // An arg index for the sock for trackSock and untrackSock actions ArgSock uint32 `json:"argSock"` // +kubebuilder:validation:Optional - // A time period within which repeated messages will not be posted. Can be specified in seconds (default or with - // 's' suffix), minutes ('m' suffix) or hours ('h' suffix). + // A time period within which repeated messages will not be posted. Can be + // specified in seconds (default or with 's' suffix), minutes ('m' suffix) + // or hours ('h' suffix). Only valid with the post action. RateLimit string `json:"rateLimit"` // +kubebuilder:validation:Optional - // Enable stack trace export, only valid with for the post action + // Enable stack trace export. Only valid with the post action. StackTrace bool `json:"stackTrace"` } diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml index d9f5cf706f0..a898151fcf9 100644 --- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml @@ -253,11 +253,12 @@ spec: description: A time period within which repeated messages will not be posted. Can be specified in seconds (default or with 's' suffix), minutes - ('m' suffix) or hours ('h' suffix). + ('m' suffix) or hours ('h' suffix). Only valid + with the post action. type: string stackTrace: - description: Enable stack trace export, only valid - with for the post action + description: Enable stack trace export. Only valid + with the post action. type: boolean required: - action 
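Review bot: The new comment on `RateLimit` in pkg/k8s/apis/cilium.io/v1alpha1/types.go says the field is only valid with the post action, but the only marker on it in this hunk is `+kubebuilder:validation:Optional`, so as far as the hunk shows, nothing rejects a `rateLimit` set on another action or a malformed duration string. Because a rate limit suppresses events, the comment should say what happens in that case, for example `// Ignored when set on any other action.` if that is the actual behaviour (not visible here). If the accepted format is as strict as the comment describes, a `+kubebuilder:validation:Pattern` marker would let the API server reject bad values at admission, provided existing policies still validate. The same applies to `StackTrace`. `ActionSelector` begins outside the hunk, and the vendored copy of this file carries the same comment.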
@@ -775,11 +776,12 @@ spec: description: A time period within which repeated messages will not be posted. Can be specified in seconds (default or with 's' suffix), minutes - ('m' suffix) or hours ('h' suffix). + ('m' suffix) or hours ('h' suffix). Only valid + with the post action. type: string stackTrace: - description: Enable stack trace export, only valid - with for the post action + description: Enable stack trace export. Only valid + with the post action. type: boolean required: - action @@ -1143,11 +1145,12 @@ spec: description: A time period within which repeated messages will not be posted. Can be specified in seconds (default or with 's' suffix), minutes - ('m' suffix) or hours ('h' suffix). + ('m' suffix) or hours ('h' suffix). Only valid + with the post action. type: string stackTrace: - description: Enable stack trace export, only valid - with for the post action + description: Enable stack trace export. Only valid + with the post action. type: boolean required: - action diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml index 64b048a15ef..2b1d7de2669 100644 --- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml 
@@ -253,11 +253,12 @@ spec: description: A time period within which repeated messages will not be posted. Can be specified in seconds (default or with 's' suffix), minutes - ('m' suffix) or hours ('h' suffix). + ('m' suffix) or hours ('h' suffix). Only valid + with the post action. type: string stackTrace: - description: Enable stack trace export, only valid - with for the post action + description: Enable stack trace export. Only valid + with the post action. type: boolean required: - action @@ -775,11 +776,12 @@ spec: description: A time period within which repeated messages will not be posted. Can be specified in seconds (default or with 's' suffix), minutes - ('m' suffix) or hours ('h' suffix). + ('m' suffix) or hours ('h' suffix). Only valid + with the post action. type: string stackTrace: - description: Enable stack trace export, only valid - with for the post action + description: Enable stack trace export. Only valid + with the post action. type: boolean required: - action @@ -1143,11 +1145,12 @@ spec: description: A time period within which repeated messages will not be posted. Can be specified in seconds (default or with 's' suffix), minutes - ('m' suffix) or hours ('h' suffix). + ('m' suffix) or hours ('h' suffix). Only valid + with the post action. type: string stackTrace: - description: Enable stack trace export, only valid - with for the post action + description: Enable stack trace export. Only valid + with the post action. type: boolean required: - action diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go index 0b86bb6c741..3f387fd10f1 100644 --- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go 
@@ -208,11 +208,12 @@ type ActionSelector struct { // An arg index for the sock for trackSock and untrackSock actions ArgSock uint32 `json:"argSock"` // +kubebuilder:validation:Optional - // A time period within which repeated messages will not be posted. Can be specified in seconds (default or with - // 's' suffix), minutes ('m' suffix) or hours ('h' suffix). + // A time period within which repeated messages will not be posted. Can be + // specified in seconds (default or with 's' suffix), minutes ('m' suffix) + // or hours ('h' suffix). Only valid with the post action. RateLimit string `json:"rateLimit"` // +kubebuilder:validation:Optional - // Enable stack trace export, only valid with for the post action + // Enable stack trace export. Only valid with the post action. StackTrace bool `json:"stackTrace"` }