From 85b8663f7f2e9ee7c4e24ae564a5c192eb86b684 Mon Sep 17 00:00:00 2001
From: Oleh Neichev
Date: Wed, 3 Apr 2024 12:31:28 +0300
Subject: [PATCH] policyfiltermetrics: add policyfilter_hook_container_name_missing_total metric
After adding the support for filtering policies by container name, we decided not to abort the OCI hook when this detail is not present for some reason not to break other filtering methods like pod labels. However, we need to monitor such operations when the container name is missing. This patch aims to do this by adding a new "policyfilter_hook_container_name_missing_total" metric. The counter will be increased when the container name cannot be found in the "createContainerHook" function. Besides, this patch adds a missing return statement for the case when adding a container to pod from OCI hook fails and we inform the user that we are aborting the hook. In order to still have a counter increase upon error, we run the counter increase logic before checking the error.
Fixes: #1879
Signed-off-by: Oleh Neichev
---
 .../policyfiltermetrics/policyfiltermetrics.go | 17 ++++++++++++++++-
 pkg/policyfilter/rthooks/rthooks.go | 8 ++++++--
 2 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/pkg/metrics/policyfiltermetrics/policyfiltermetrics.go b/pkg/metrics/policyfiltermetrics/policyfiltermetrics.go
index 0f3b8693734..1dc8b4058cb 100644
--- a/pkg/metrics/policyfiltermetrics/policyfiltermetrics.go
+++ b/pkg/metrics/policyfiltermetrics/policyfiltermetrics.go
@@ -53,8 +53,17 @@ var (
 }, []string{"subsys", "op"})
 )
+var (
+ PolicyFilterHookContainerNameMissingMetrics = prometheus.NewCounterVec(prometheus.CounterOpts{
+ Namespace: consts.MetricsNamespace,
+ Name: "policyfilter_hook_container_name_missing_total",
+ Help: "The total number of operations when the container name was missing in the OCI hook",
+ ConstLabels: nil,
+ }, []string{})
+)
+
 func InitMetrics(registry *prometheus.Registry) {
- registry.MustRegister(PolicyFilterOpMetrics)
+ registry.MustRegister(PolicyFilterOpMetrics, PolicyFilterHookContainerNameMissingMetrics)
 // Initialize metrics with labels
 PolicyFilterOpMetrics.WithLabelValues(RTHooksSubsys.String(), AddContainerOperation.String()).Add(0)
@@ -62,6 +71,8 @@ func InitMetrics(registry *prometheus.Registry) {
 PolicyFilterOpMetrics.WithLabelValues(PodHandlersSubsys.String(), UpdatePodOperation.String()).Add(0)
 PolicyFilterOpMetrics.WithLabelValues(PodHandlersSubsys.String(), DeletePodOperation.String()).Add(0)
+ PolicyFilterHookContainerNameMissingMetrics.WithLabelValues().Add(0)
+
 // NOTES:
 // * error, error_type, type - standardize on a label
 // * Don't confuse op in policyfilter_metrics_total with ops.OpCode
@@ -73,3 +84,7 @@ func OpInc(subsys Subsys, op Operation) {
 subsys.String(), op.String(),
 ).Inc()
 }
+
+func ContNameMissInc() {
+ PolicyFilterHookContainerNameMissingMetrics.WithLabelValues().Inc()
+}
diff --git a/pkg/policyfilter/rthooks/rthooks.go b/pkg/policyfilter/rthooks/rthooks.go
index 65c6d1eac5b..8a97d16041e 100644
--- a/pkg/policyfilter/rthooks/rthooks.go
+++ b/pkg/policyfilter/rthooks/rthooks.go
@@ -97,6 +97,7 @@ func createContainerHook(_ context.Context, arg *rthooks.CreateContainerArg) err
 containerName := arg.Req.ContainerName
 if containerName == "" {
 log.Warnf("failed to find container information for %s, but will continue", containerID)
+ policyfiltermetrics.ContNameMissInc()
 }
 log.WithFields(logrus.Fields{
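Review bot: In policyfiltermetrics.go the new `PolicyFilterHookContainerNameMissingMetrics` is built as a `CounterVec` with an empty label list and `ConstLabels: nil`, which is a roundabout way to declare a single counter. A plain `prometheus.NewCounter(prometheus.CounterOpts{...})` with the same Namespace, Name and Help registers the same way and is exported at 0 once registered, so the `WithLabelValues().Add(0)` line in the `InitMetrics` hunk could be dropped and the body of `ContNameMissInc` in the third hunk would become `PolicyFilterHookContainerNameMissingMetrics.Inc()`.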
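Review bot: `ContNameMissInc` at the end of policyfiltermetrics.go is exported but has no doc comment, and the abbreviated name does not say which counter it touches. A one-line comment such as `// ContNameMissInc counts one OCI hook call that arrived without a container name.` would make the call site in rthooks.go readable without opening this file.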
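Review bot: The empty-name branch in `createContainerHook` now counts the event, but nothing at the call site says what a missing name means for policy matching. The hook goes on to pass the empty `containerName` to `AddPodContainer` (visible in the next hunk), so policies that select by container name presumably cannot match this container while pod-label filtering still applies; once confirmed against the matcher, a comment such as `// No container name: container-name selectors cannot match this container, other selectors still apply.` belongs next to the increment. The counter carries no labels and the existing warning prints only `containerID`, so that log line is the only way to tie an increment to a workload. The function body starts and ends outside this hunk.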
@@ -107,10 +108,13 @@ func createContainerHook(_ context.Context, arg *rthooks.CreateContainerArg) err
 "container-name": containerName,
 }).Trace("policyfilter: add pod container")
 cgid := policyfilter.CgroupID(cgID)
- if err := pfState.AddPodContainer(policyfilter.PodID(podID), namespace, pod.Labels, containerID, cgid, containerName); err != nil {
+ err = pfState.AddPodContainer(policyfilter.PodID(podID), namespace, pod.Labels, containerID, cgid, containerName)
+ policyfiltermetrics.OpInc(policyfiltermetrics.RTHooksSubsys, policyfiltermetrics.AddContainerOperation)
+
+ if err != nil {
 log.WithError(err).Warn("failed to update policy filter, aborting hook.")
+ return err
 }
- policyfiltermetrics.OpInc(policyfiltermetrics.RTHooksSubsys, policyfiltermetrics.AddContainerOperation)
 return nil
 }
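Review bot: `OpInc` now runs before the `err` check, so `AddContainerOperation` counts a failed add exactly like a successful one and there is still no metric that separates the two. A failed `AddPodContainer` presumably leaves the container outside policy filtering, which is the case an operator wants to alert on, so it deserves an outcome label (the NOTES in policyfiltermetrics.go already mention standardizing on an error label) or a counter of its own. At minimum the ordering should be explained in place, e.g. `// Count the attempt before checking err so failed adds are counted too.` The hook also changes from returning nil to returning `err` on failure; whether that blocks container creation depends on the caller, which is outside this hunk, as is the declaration of `err` that the new `err =` assignment relies on.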