Make reverse policy filter mapping optional

By adding a command line argument (and the appropriate configmap option).

Signed-off-by: Anastasios Papagiannis <[email protected]>

Author: tpapagian

cmd/tetra/debug/dump.go

@@ -200,18 +200,20 @@ func PolicyfilterState(fname string) {
 		fmt.Printf("%d: %s\n", polId, strings.Join(ids, ","))
 	}
 
-	fmt.Println("--- Reverse Map ---")
+	if data.Reverse != nil {
+		fmt.Println("--- Reverse Map ---")
 
-	if len(data.Reverse) == 0 {
-		fmt.Printf("(empty)\n")
-	}
+		if len(data.Reverse) == 0 {
+			fmt.Printf("(empty)\n")
+		}
 
-	for cgIDs, polIds := range data.Reverse {
-		ids := make([]string, 0, len(polIds))
-		for id := range polIds {
-			ids = append(ids, strconv.FormatUint(uint64(id), 10))
+		for cgIDs, polIds := range data.Reverse {
+			ids := make([]string, 0, len(polIds))
+			for id := range polIds {
+				ids = append(ids, strconv.FormatUint(uint64(id), 10))
+			}
+			fmt.Printf("%d: %s\n", cgIDs, strings.Join(ids, ","))
 		}
-		fmt.Printf("%d: %s\n", cgIDs, strings.Join(ids, ","))
 	}
 }
 

docs/content/en/docs/reference/helm-chart.md

@@ -59,6 +59,9 @@ data:
 {{- if .Values.tetragon.enablePolicyFilter }}
   enable-policy-filter: "true"
 {{- end }}
+{{- if .Values.tetragon.enablePolicyFilterReverseMap }}
+  enable-policy-filter-reverse-map: "true"
+{{- end }}
 {{- if .Values.tetragon.enablePolicyFilterDebug }}
   enable-policy-filter-debug: "true"
 {{- end }}

docs/data/tetragon_flags.yaml

@@ -193,6 +193,8 @@ tetragon:
     port: 6060
   # -- Enable policy filter. This is required for K8s namespace and pod-label filtering.
   enablePolicyFilter: True
+  # -- Enable policy filter reverse map.
+  enablePolicyFilterReverseMap: false
   # -- Enable policy filter debug messages.
   enablePolicyFilterDebug: false
   # -- Enable latency monitoring in message handling

install/kubernetes/tetragon/README.md

@@ -77,8 +77,9 @@ type config struct {
 
 	ReleasePinned bool
 
-	EnablePolicyFilter      bool
-	EnablePolicyFilterDebug bool
+	EnablePolicyFilter           bool
+	EnablePolicyFilterReverseMap bool
+	EnablePolicyFilterDebug      bool
 
 	EnablePidSetFilter bool
 

install/kubernetes/tetragon/templates/tetragon_configmap.yaml

@@ -81,8 +81,9 @@ const (
 
 	KeyReleasePinnedBPF = "release-pinned-bpf"
 
-	KeyEnablePolicyFilter      = "enable-policy-filter"
-	KeyEnablePolicyFilterDebug = "enable-policy-filter-debug"
+	KeyEnablePolicyFilter           = "enable-policy-filter"
+	KeyEnablePolicyFilterReverseMap = "enable-policy-filter-reverse-map"
+	KeyEnablePolicyFilterDebug      = "enable-policy-filter-debug"
 
 	KeyEnablePidSetFilter = "enable-pid-set-filter"
 
@@ -202,6 +203,7 @@ func ReadAndSetFlags() error {
 
 	Config.ReleasePinned = viper.GetBool(KeyReleasePinnedBPF)
 	Config.EnablePolicyFilter = viper.GetBool(KeyEnablePolicyFilter)
+	Config.EnablePolicyFilterReverseMap = viper.GetBool(KeyEnablePolicyFilterReverseMap)
 	Config.EnablePolicyFilterDebug = viper.GetBool(KeyEnablePolicyFilterDebug)
 	Config.EnableMsgHandlingLatency = viper.GetBool(KeyEnableMsgHandlingLatency)
 
@@ -378,6 +380,7 @@ func AddFlags(flags *pflag.FlagSet) {
 	// Provide option to enable policy filtering. Because the code is new,
 	// this is set to false by default.
 	flags.Bool(KeyEnablePolicyFilter, false, "Enable policy filter code")
+	flags.Bool(KeyEnablePolicyFilterReverseMap, false, "Enable reverse mappings for policy filter maps")
 	flags.Bool(KeyEnablePolicyFilterDebug, false, "Enable policy filter debug messages")
 
 	// Provide option to enable the pidSet export filters.

install/kubernetes/tetragon/values.yaml

@@ -739,7 +739,7 @@ func TestK8s(t *testing.T) {
 
 	// testState implements cgFinder
 	ts := newTestState(client)
-	st, err := newState(log, ts)
+	st, err := newState(log, ts, true)
 	if err != nil {
 		t.Skipf("failed to initialize policy filter state: %s", err)
 	}

pkg/option/config.go

@@ -59,7 +59,7 @@ func openMap(spec *ebpf.CollectionSpec, mapName string, innerMaxEntries uint32)
 }
 
 // newMap returns a new policy filter map.
-func newPfMap() (PfMap, error) {
+func newPfMap(enableReverseMap bool) (PfMap, error) {
 	// use the generic kprobe program, to find the policy filter map spec
 	objName, _ := kernels.GenericKprobeObjs()
 	objPath := path.Join(option.Config.HubbleLib, objName)
@@ -72,13 +72,22 @@ func newPfMap() (PfMap, error) {
 	if ret.dir, err = openMap(spec, MapName, polMapSize); err != nil {
 		return PfMap{}, fmt.Errorf("opening map %s failed: %w", MapName, err)
 	}
-	if ret.rev, err = openMap(spec, RevMapName, polMaxPolicies); err != nil {
-		return PfMap{}, fmt.Errorf("opening reverse map %s failed: %w", MapName, err)
+
+	if enableReverseMap {
+		if ret.rev, err = openMap(spec, RevMapName, polMaxPolicies); err != nil {
+			return PfMap{}, fmt.Errorf("opening reverse map %s failed: %w", MapName, err)
+		}
 	}
+
 	return ret, nil
 }
 
 func releaseMap(m *ebpf.Map) error {
+	// this may happen in the case where the reverse map is not enabled
+	if m == nil {
+		return nil
+	}
+
 	if err := m.Close(); err != nil {
 		return err
 	}
@@ -114,6 +123,11 @@ func (m polMap) addCgroupIDsReverse(polID PolicyID, cgIDs []CgroupID) error {
 }
 
 func addReverseMapping(m *ebpf.Map, polID PolicyID, cgID CgroupID) error {
+	// reverse map does not exist, so nothing to do here
+	if m == nil {
+		return nil
+	}
+
 	var id uint32
 	err := m.Lookup(cgID, &id)
 	if err == nil { // inner map exists
@@ -221,6 +235,11 @@ func getMapSize(m *ebpf.Map) (uint32, error) {
 }
 
 func (m PfMap) deletePolicyIdInReverse(polID PolicyID) error {
+	// reverse map does not exist, so nothing to do here
+	if m.rev == nil {
+		return nil
+	}
+
 	var key CgroupID
 	var id uint32
 
@@ -318,9 +337,12 @@ func (m PfMap) readAll() (PfMapDump, error) {
 		return PfMapDump{}, fmt.Errorf("error reading direct map: %w", err)
 	}
 
-	r, err := readAll[CgroupID, PolicyID](m.rev)
-	if err != nil {
-		return PfMapDump{}, fmt.Errorf("error reading reverse map: %w", err)
+	var r map[CgroupID]map[PolicyID]struct{}
+	if m.rev != nil {
+		r, err = readAll[CgroupID, PolicyID](m.rev)
+		if err != nil {
+			return PfMapDump{}, fmt.Errorf("error reading reverse map: %w", err)
+		}
 	}
 
 	return PfMapDump{Direct: d, Reverse: r}, nil
@@ -365,6 +387,11 @@ func (m polMap) addCgroupIDs(cgIDs []CgroupID) error {
 // delCgroupIDs delete cgroups ids from the policy map
 // todo: use batch operations when supported
 func (m polMap) delCgroupIDs(polID PolicyID, cgIDs []CgroupID) error {
+	// reverse map does not exist, so nothing to do here
+	if m.Reverse == nil {
+		return nil
+	}
+
 	rmRevCgIDs := []CgroupID{}
 	for i, cgID := range cgIDs {
 		if err := m.Inner.Delete(&cgID); err != nil {
@@ -428,21 +455,29 @@ func OpenMap(fname string) (PfMap, error) {
 
 	dir := filepath.Dir(fname)
 	reverseMapPath := filepath.Join(dir, RevMapName)
-	r, err := ebpf.LoadPinnedMap(reverseMapPath, &ebpf.LoadPinOptions{
-		ReadOnly: true,
-	})
 
-	if err != nil {
-		d.Close()
-		return PfMap{}, err
+	// check if the reverse map exists
+	// the reverse map may not exist in the case where
+	// enable-policy-filter-reverse-map is false
+	var r *ebpf.Map
+	if _, err := os.Stat(reverseMapPath); err == nil {
+		r, err = ebpf.LoadPinnedMap(reverseMapPath, &ebpf.LoadPinOptions{
+			ReadOnly: true,
+		})
+		if err != nil {
+			d.Close()
+			return PfMap{}, err
+		}
 	}
 
 	return PfMap{dir: d, rev: r}, err
 }
 
 func (m PfMap) Close() {
 	m.dir.Close()
-	m.rev.Close()
+	if m.rev != nil {
+		m.rev.Close()
+	}
 }
 
 func (m PfMap) Dump() (PfMapDump, error) {