Make cgroup-based policy filter mapping optional

By adding a command line argument (and the appropriate configmap option).

Signed-off-by: Anastasios Papagiannis <[email protected]>

Author: tpapagian

cmd/tetra/debug/dump.go

@@ -200,18 +200,20 @@ func PolicyfilterState(fname string) {
 		fmt.Printf("%d: %s\n", polId, strings.Join(ids, ","))
 	}
 
-	fmt.Println("--- CgroupID to PolicyIDs mapping ---")
+	if data.Cgroup != nil {
+		fmt.Println("--- CgroupID to PolicyIDs mapping ---")
 
-	if len(data.Cgroup) == 0 {
-		fmt.Printf("(empty)\n")
-	}
+		if len(data.Cgroup) == 0 {
+			fmt.Printf("(empty)\n")
+		}
 
-	for cgIDs, polIds := range data.Cgroup {
-		ids := make([]string, 0, len(polIds))
-		for id := range polIds {
-			ids = append(ids, strconv.FormatUint(uint64(id), 10))
+		for cgIDs, polIds := range data.Cgroup {
+			ids := make([]string, 0, len(polIds))
+			for id := range polIds {
+				ids = append(ids, strconv.FormatUint(uint64(id), 10))
+			}
+			fmt.Printf("%d: %s\n", cgIDs, strings.Join(ids, ","))
 		}
-		fmt.Printf("%d: %s\n", cgIDs, strings.Join(ids, ","))
 	}
 }
 

docs/content/en/docs/reference/helm-chart.md

@@ -59,6 +59,9 @@ data:
 {{- if .Values.tetragon.enablePolicyFilter }}
   enable-policy-filter: "true"
 {{- end }}
+{{- if .Values.tetragon.enablePolicyFilterCgroupMap }}
+  enable-policy-filter-cgroup-map: "true"
+{{- end }}
 {{- if .Values.tetragon.enablePolicyFilterDebug }}
   enable-policy-filter-debug: "true"
 {{- end }}

docs/data/tetragon_flags.yaml

@@ -193,6 +193,8 @@ tetragon:
     port: 6060
   # -- Enable policy filter. This is required for K8s namespace and pod-label filtering.
   enablePolicyFilter: True
+  # -- Enable policy filter cgroup map.
+  enablePolicyFilterCgroupMap: false
   # -- Enable policy filter debug messages.
   enablePolicyFilterDebug: false
   # -- Enable latency monitoring in message handling

install/kubernetes/tetragon/README.md

@@ -77,8 +77,9 @@ type config struct {
 
 	ReleasePinned bool
 
-	EnablePolicyFilter      bool
-	EnablePolicyFilterDebug bool
+	EnablePolicyFilter          bool
+	EnablePolicyFilterCgroupMap bool
+	EnablePolicyFilterDebug     bool
 
 	EnablePidSetFilter bool
 

install/kubernetes/tetragon/templates/tetragon_configmap.yaml

@@ -81,8 +81,9 @@ const (
 
 	KeyReleasePinnedBPF = "release-pinned-bpf"
 
-	KeyEnablePolicyFilter      = "enable-policy-filter"
-	KeyEnablePolicyFilterDebug = "enable-policy-filter-debug"
+	KeyEnablePolicyFilter          = "enable-policy-filter"
+	KeyEnablePolicyFilterCgroupMap = "enable-policy-filter-cgroup-map"
+	KeyEnablePolicyFilterDebug     = "enable-policy-filter-debug"
 
 	KeyEnablePidSetFilter = "enable-pid-set-filter"
 
@@ -202,6 +203,7 @@ func ReadAndSetFlags() error {
 
 	Config.ReleasePinned = viper.GetBool(KeyReleasePinnedBPF)
 	Config.EnablePolicyFilter = viper.GetBool(KeyEnablePolicyFilter)
+	Config.EnablePolicyFilterCgroupMap = viper.GetBool(KeyEnablePolicyFilterCgroupMap)
 	Config.EnablePolicyFilterDebug = viper.GetBool(KeyEnablePolicyFilterDebug)
 	Config.EnableMsgHandlingLatency = viper.GetBool(KeyEnableMsgHandlingLatency)
 
@@ -378,6 +380,7 @@ func AddFlags(flags *pflag.FlagSet) {
 	// Provide option to enable policy filtering. Because the code is new,
 	// this is set to false by default.
 	flags.Bool(KeyEnablePolicyFilter, false, "Enable policy filter code")
+	flags.Bool(KeyEnablePolicyFilterCgroupMap, false, "Enable cgroup mappings for policy filter maps")
 	flags.Bool(KeyEnablePolicyFilterDebug, false, "Enable policy filter debug messages")
 
 	// Provide option to enable the pidSet export filters.

install/kubernetes/tetragon/values.yaml

@@ -739,7 +739,7 @@ func TestK8s(t *testing.T) {
 
 	// testState implements cgFinder
 	ts := newTestState(client)
-	st, err := newState(log, ts)
+	st, err := newState(log, ts, true)
 	if err != nil {
 		t.Skipf("failed to initialize policy filter state: %s", err)
 	}

pkg/option/config.go

@@ -60,7 +60,7 @@ func openMap(spec *ebpf.CollectionSpec, mapName string, innerMaxEntries uint32)
 }
 
 // newMap returns a new policy filter map.
-func newPfMap() (PfMap, error) {
+func newPfMap(enableCgroupMap bool) (PfMap, error) {
 	// use the generic kprobe program, to find the policy filter map spec
 	objName, _ := kernels.GenericKprobeObjs()
 	objPath := path.Join(option.Config.HubbleLib, objName)
@@ -73,14 +73,23 @@ func newPfMap() (PfMap, error) {
 	if ret.policyMap, err = openMap(spec, MapName, polMapSize); err != nil {
 		return PfMap{}, fmt.Errorf("opening map %s failed: %w", MapName, err)
 	}
-	if ret.cgroupMap, err = openMap(spec, CgroupMapName, polMaxPolicies); err != nil {
-		releaseMap(ret.policyMap)
-		return PfMap{}, fmt.Errorf("opening cgroup map %s failed: %w", MapName, err)
+
+	if enableCgroupMap {
+		if ret.cgroupMap, err = openMap(spec, CgroupMapName, polMaxPolicies); err != nil {
+			releaseMap(ret.policyMap)
+			return PfMap{}, fmt.Errorf("opening cgroup map %s failed: %w", MapName, err)
+		}
 	}
+
 	return ret, nil
 }
 
 func releaseMap(m *ebpf.Map) error {
+	// this may happen in the case where the cgroup map is not enabled
+	if m == nil {
+		return nil
+	}
+
 	if err := m.Close(); err != nil {
 		return err
 	}
@@ -111,6 +120,11 @@ func (m polMap) addPolicyIDs(polID PolicyID, cgIDs []CgroupID) error {
 }
 
 func addPolicyIDMapping(m *ebpf.Map, polID PolicyID, cgID CgroupID) error {
+	// cgroup map does not exist, so nothing to do here
+	if m == nil {
+		return nil
+	}
+
 	var id uint32
 	err := m.Lookup(cgID, &id)
 	if err == nil { // inner map exists
@@ -218,6 +232,11 @@ func getMapSize(m *ebpf.Map) (uint32, error) {
 }
 
 func (m PfMap) deletePolicyIDInCgroupMap(polID PolicyID) error {
+	// cgroup map does not exist, so nothing to do here
+	if m.cgroupMap == nil {
+		return nil
+	}
+
 	var key CgroupID
 	var id uint32
 
@@ -315,9 +334,12 @@ func (m PfMap) readAll() (PfMapDump, error) {
 		return PfMapDump{}, fmt.Errorf("error reading direct map: %w", err)
 	}
 
-	r, err := readAll[CgroupID, PolicyID](m.cgroupMap)
-	if err != nil {
-		return PfMapDump{}, fmt.Errorf("error reading cgroup map: %w", err)
+	var r map[CgroupID]map[PolicyID]struct{}
+	if m.cgroupMap != nil {
+		r, err = readAll[CgroupID, PolicyID](m.cgroupMap)
+		if err != nil {
+			return PfMapDump{}, fmt.Errorf("error reading cgroup map: %w", err)
+		}
 	}
 
 	return PfMapDump{Policy: d, Cgroup: r}, nil
@@ -362,6 +384,11 @@ func (m polMap) addCgroupIDs(cgIDs []CgroupID) error {
 // delCgroupIDs delete cgroups ids from the policy map
 // todo: use batch operations when supported
 func (m polMap) delCgroupIDs(polID PolicyID, cgIDs []CgroupID) error {
+	// cgroup map does not exist, so nothing to do here
+	if m.cgroupMap == nil {
+		return nil
+	}
+
 	rmRevCgIDs := []CgroupID{}
 	for i, cgID := range cgIDs {
 		if err := m.Inner.Delete(&cgID); err != nil {
@@ -425,21 +452,29 @@ func OpenMap(fname string) (PfMap, error) {
 
 	dir := filepath.Dir(fname)
 	cgroupMapPath := filepath.Join(dir, CgroupMapName)
-	r, err := ebpf.LoadPinnedMap(cgroupMapPath, &ebpf.LoadPinOptions{
-		ReadOnly: true,
-	})
 
-	if err != nil {
-		d.Close()
-		return PfMap{}, err
+	// check if the cgroup map exists
+	// the cgroup map may not exist in the case where
+	// enable-policy-filter-cgroup-map is false
+	var r *ebpf.Map
+	if _, err := os.Stat(cgroupMapPath); err == nil {
+		r, err = ebpf.LoadPinnedMap(cgroupMapPath, &ebpf.LoadPinOptions{
+			ReadOnly: true,
+		})
+		if err != nil {
+			d.Close()
+			return PfMap{}, err
+		}
 	}
 
 	return PfMap{policyMap: d, cgroupMap: r}, err
 }
 
 func (m PfMap) Close() {
 	m.policyMap.Close()
-	m.cgroupMap.Close()
+	if m.cgroupMap != nil {
+		m.cgroupMap.Close()
+	}
 }
 
 func (m PfMap) Dump() (PfMapDump, error) {