tracing: allow configuring policy mode via options
Example:

```
apiVersion: cilium.io/v1alpha1
kind: TracingPolicyNamespaced
metadata:
  name: "enforce-test"
  namespace: "pizza"
spec:
  options:
    - name: "policy-mode"
      value: "enforce"
  kprobes:
     ...
```

Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com>
kkourt committed Feb 14, 2025
1 parent d968a05 commit 259cc53
Showing 4 changed files with 56 additions and 0 deletions.
1 change: 1 addition & 0 deletions bpf/lib/policy_conf.h
Expand Up @@ -4,6 +4,7 @@
#ifndef BPF_POLICYCONF_H__
#define BPF_POLICYCONF_H__

// NB: values should match the ones defined in go (EnforceMode, MonitorMode)
enum {
POLICY_MODE_ENFORCE = 0,
POLICY_MODE_MONITOR = 1,
13 changes: 13 additions & 0 deletions pkg/sensors/tracing/options.go
Expand Up @@ -10,6 +10,7 @@ import (
"github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1"
"github.com/cilium/tetragon/pkg/logger"
"github.com/cilium/tetragon/pkg/option"
"github.com/cilium/tetragon/pkg/tracingpolicy"
)

type OverrideMethod int
Expand All @@ -18,6 +19,7 @@ const (
keyOverrideMethod = "override-method"
valFmodRet = "fmod-ret"
valOverrideReturn = "override-return"
keyPolicyMode = "policy-mode"
)

const (
Expand All @@ -42,6 +44,7 @@ type specOptions struct {
DisableKprobeMulti bool
DisableUprobeMulti bool
OverrideMethod OverrideMethod
policyMode tracingpolicy.Mode
}

type opt struct {
Expand Down Expand Up @@ -79,6 +82,16 @@ var opts = map[string]opt{
return nil
},
},
keyPolicyMode: opt{
set: func(str string, options *specOptions) (err error) {
mode, err := tracingpolicy.ParseMode(str)
if err != nil {
return err
}
options.policyMode = mode
return nil
},
},
}

func getSpecOptions(specs []v1alpha1.OptionSpec) (*specOptions, error) {
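Review bot: `policyMode` in `specOptions` is the only unexported field beside `DisableKprobeMulti`, `DisableUprobeMulti` and `OverrideMethod`, and it carries an implicit default that nothing in the hunk documents: when a spec omits the `policy-mode` option the field keeps its zero value, which is `tracingpolicy.EnforceMode`. That is the fail-closed direction for a security sensor, but it only holds while `EnforceMode` stays 0, so it is worth stating at the field: `// policyMode is the policy's enforcement mode; the zero value (no "policy-mode" option) is EnforceMode.`. The `set` closure for `keyPolicyMode` declares a named `err` result it never needs, unlike a plain `(error)` signature; this is style only. Whether a repeated `policy-mode` option is rejected or last-wins is decided in getSpecOptions, whose signature is the last line of the hunk and whose body is outside it.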
16 changes: 16 additions & 0 deletions pkg/sensors/tracing/policyhandler.go
Expand Up @@ -7,6 +7,7 @@ import (
"errors"
"fmt"

"github.com/cilium/ebpf"
"github.com/cilium/tetragon/pkg/eventhandler"
"github.com/cilium/tetragon/pkg/policyfilter"
"github.com/cilium/tetragon/pkg/sensors"
Expand Down Expand Up @@ -52,11 +53,26 @@ func newPolicyInfo(
}, nil
}

type policyConf struct {
mode uint8
}

func (pi *policyInfo) policyConfMap(prog *program.Program) *program.Map {
if pi.policyConf != nil {
return program.MapUserFrom(pi.policyConf)
}
pi.policyConf = program.MapBuilderPolicy("policy_conf", prog)
prog.MapLoad = append(prog.MapLoad, &program.MapLoad{
Index: 0,
Name: "policy_conf",
Load: func(m *ebpf.Map, pinPathPrefix string, index uint32) error {
conf := policyConf{
mode: uint8(pi.specOpts.policyMode),
}
key := uint32(0)
return m.Update(key, &conf, ebpf.UpdateAny)
},
})
return pi.policyConf
}

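Review bot: `policyConf` is written to the BPF map through `m.Update(key, &conf, ebpf.UpdateAny)` with an unexported field `mode`, which leaves the encoding to reflection over a field other packages cannot name; if cilium/ebpf's marshaller rejects or skips unexported fields, the load either fails or silently writes a zeroed entry, so a policy requested in `monitor` mode would actually enforce. Exporting it as `Mode uint8`, with a comment that the struct layout must match the BPF `policy_conf` value type (only the enum is visible here; the value size is presumably one byte, confirm against bpf/lib/policy_conf.h), removes the doubt. The single-slot convention also deserves a word: `key := uint32(0) // policy_conf is a one-entry map; slot 0 holds this policy's config`. The `MapLoad` closure reads `pi.specOpts.policyMode` when the program is loaded, so the mode is fixed at sensor load time and does not track later changes to the spec; a doc comment on `policyConfMap` should say so.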
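--- /dev/null
+++ b/pkg/tracingpolicy/mode.go
@@ -0,0 +1,26 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Tetragon
+
+package tracingpolicy
+
+import "fmt"
+
+type Mode uint8
+
+const (
+InvalidMode Mode = Mode(^uint8(0))
+// NB: values below should match the ones in bpf/lib/policy_conf.h
+EnforceMode Mode = 0
+MonitorMode Mode = 1
+)
+
+func ParseMode(s string) (Mode, error) {
+switch s {
+case "enforce":
+return EnforceMode, nil
+case "monitor":
+return MonitorMode, nil
+}
+
+return InvalidMode, fmt.Errorf("invalid mode: %q", s)
+}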
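Review bot: The exported names in mode.go — `Mode`, `InvalidMode`, `EnforceMode`, `MonitorMode` and `ParseMode` — have no doc comments, and the one property worth writing down is that `EnforceMode` is 0: it is both the zero value of a `Mode` and the content of an unwritten BPF map entry, so an omitted option or a map write that never happens falls back to enforcement rather than silently downgrading to monitoring. Suggested: `// Mode is the enforcement mode of a tracing policy; its zero value is EnforceMode, matching POLICY_MODE_ENFORCE in bpf/lib/policy_conf.h.` and `// ParseMode maps the option strings "enforce" and "monitor" to a Mode; any other string (the match is case-sensitive) yields InvalidMode and an error.`. `InvalidMode` is `^uint8(0)` so it cannot collide with a real mode value; a comment saying so, and that it is a Go-side sentinel never to be written to the map, would keep it that way.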