tetragon: map cgroups to workload IDs

In the future we want to push filters down to BPF metrics into BPF codes. And metrics include a workloadID so lets create logic to track workload ID as well. Signed-off-by: John Fastabend <[email protected]>
cilium · Jun 17, 2024 · 03b7cd5 · 03b7cd5
1 parent 4f9a178
commit 03b7cd5
Showing 1 changed file with 22 additions and 10 deletions.
diff --git a/pkg/policyfilter/namespace.go b/pkg/policyfilter/namespace.go
@@ -22,11 +22,16 @@ const (
  namespaceCacheSize = 1024
 )
 
+type nsId struct {
+ namespace string
+ workload string
+}
+
 // NamespaceMap is a simple wrapper for ebpf.Map so that we can write methods for it
 type NamespaceMap struct {
  cgroupIdMap *ebpf.Map
- nsIdMap *lru.Cache[uint64, string]
- nsNameMap *lru.Cache[string, uint64]
+ nsIdMap *lru.Cache[uint64, nsId]
+ nsNameMap *lru.Cache[nsId, uint64]
  id uint64
 }
 
@@ -40,11 +45,11 @@ func newNamespaceMap() (*NamespaceMap, error) {
  return global, nil
  }
 
- idCache, err := lru.New[uint64, string](namespaceCacheSize)
+ idCache, err := lru.New[uint64, nsId](namespaceCacheSize)
  if err != nil {
  return nil, fmt.Errorf("create namespace ID cache failed")
  }
- nameCache, err := lru.New[string, uint64](namespaceCacheSize)
+ nameCache, err := lru.New[nsId, uint64](namespaceCacheSize)
  if err != nil {
  return nil, fmt.Errorf("create namespace name cache failed")
  }
@@ -84,20 +89,27 @@ func newNamespaceMap() (*NamespaceMap, error) {
  return global, err
 }
 
-func GetNamespaceFromId(id uint64) (string, bool) {
+func GetNamespaceWorkloadFromId(id uint64) (string, string, bool) {
  if global == nil {
- return "", false
+ return "", "", false
  }
 
- return global.nsIdMap.Get(id)
+ if ns, ok := global.nsIdMap.Get(id); ok {
+ return ns.namespace, ns.workload, true
+ }
+ return "", "", false
 }
 
 // addCgroupIDs add cgroups ids to the policy map
 // todo: use batch operations when supported
 func addCgroupIDs(cinfo []containerInfo, pod *podInfo) error {
  m := global
  for _, c := range cinfo {
- id, ok := m.nsNameMap.Get(pod.namespace)
+ key := nsId{
+ namespace: pod.namespace,
+ workload: pod.workload,
+ }
+ id, ok := m.nsNameMap.Get(key)
  if ok == true {
  if err := m.cgroupIdMap.Update(&c.cgID, id, ebpf.UpdateAny); err != nil {
  logger.GetLogger().WithError(err).Warn("Unable to assign cgroup to existing namespace")
@@ -112,10 +124,10 @@ func addCgroupIDs(cinfo []containerInfo, pod *podInfo) error {
  continue
  }
  logger.GetLogger().Warn("nsIdMap.Add(%d %s\n", m.id, pod.namespace)
- if ok := m.nsIdMap.Add(m.id, pod.namespace); ok != false {
+ if ok := m.nsIdMap.Add(m.id, key); ok != false {
  logger.GetLogger().WithField("cgid", c.cgID).WithField("id", m.id).WithField("ns", c.name).Warn("Id to namespace map caused eviction")
  }
- if ok := m.nsNameMap.Add(pod.namespace, m.id); ok != false {
+ if ok := m.nsNameMap.Add(key, m.id); ok != false {
  logger.GetLogger().WithField("cgid", c.cgID).WithField("id", m.id).WithField("ns", c.name).Warn("Namespace to Id map caused eviction")
  }
  m.id++