pkg/option: allow policy-filter-map-entries configurable via flag

kyledong-suse · kyledong-suse · commit 7475a979f1b4 · 2025-11-11T12:06:44.000-05:00
This commit introduces a new flag to configure the number of entries in policy filter maps. This allows users to tune the map size based on workload scale and system resources, improving flexibility in policy handling. Note: this commit only affects policies with k8s segmentation primitives (i.e., either podSelectors or namespaced policies). Fixes: #4260 Signed-off-by: Kyle Dong <kyle.dong@suse.com>
diff --git a/bpf/process/policy_filter.h b/bpf/process/policy_filter.h
@@ -20,7 +20,7 @@ struct {
 
 struct {
 	__uint(type, BPF_MAP_TYPE_HASH_OF_MAPS);
-	__uint(max_entries, POLICY_FILTER_MAX_POLICIES);
+	__uint(max_entries, 1); // will be resized by agent when needed
 	__type(key, u32); /* policy id */
 	__array(
 		values, struct {
diff --git a/docs/data/tetragon_flags.yaml b/docs/data/tetragon_flags.yaml
diff --git a/pkg/defaults/defaults.go b/pkg/defaults/defaults.go
@@ -59,6 +59,9 @@ const (
 
 	// defaults for the {k,u}retprobes lru cache
 	DefaultRetprobesCacheSize = 4096
+
+	// defaults for the policy filter map
+	DefaultPolicyFilterMapEntries = 128
 )
 
 var (
diff --git a/pkg/defaults/defaults_windows.go b/pkg/defaults/defaults_windows.go
@@ -51,4 +51,7 @@ const (
 
 	// defaults for the {k,u}retprobes lru cache
 	DefaultRetprobesCacheSize = 4096
+
+	// defaults for the policy filter map
+	DefaultPolicyFilterMapEntries = 128
 )
diff --git a/pkg/option/config.go b/pkg/option/config.go
@@ -130,6 +130,8 @@ type config struct {
 	ExecveMapSize    string
 
 	RetprobesCacheSize int
+
+	PolicyFilterMapEntries int
 }
 
 var (
@@ -155,6 +157,9 @@ var (
 
 		// Set default value for {k,u}retprobes lru events cache
 		RetprobesCacheSize: defaults.DefaultRetprobesCacheSize,
+
+		// set default value for the policy filter map
+		PolicyFilterMapEntries: defaults.DefaultPolicyFilterMapEntries,
 	}
 )
 
diff --git a/pkg/option/flags.go b/pkg/option/flags.go
@@ -135,6 +135,8 @@ const (
 	KeyExecveMapSize    = "execve-map-size"
 
 	KeyRetprobesCacheSize = "retprobes-cache-size"
+
+	KeyPolicyFilterMapEntries = "policy-filter-map-entries"
 )
 
 type UsernameMetadaCode int
@@ -289,6 +291,8 @@ func ReadAndSetFlags() error {
 	Config.ExecveMapSize = viper.GetString(KeyExecveMapSize)
 
 	Config.RetprobesCacheSize = viper.GetInt(KeyRetprobesCacheSize)
+
+	Config.PolicyFilterMapEntries = viper.GetInt(KeyPolicyFilterMapEntries)
 	return nil
 }
 
@@ -483,4 +487,6 @@ func AddFlags(flags *pflag.FlagSet) {
 	flags.String(KeyExecveMapSize, "", "Set size for execve_map table (allows K/M/G suffix)")
 
 	flags.Int(KeyRetprobesCacheSize, defaults.DefaultRetprobesCacheSize, "Set {k,u}retprobes events cache maximum size")
+
+	flags.Int(KeyPolicyFilterMapEntries, defaults.DefaultPolicyFilterMapEntries, "Set entries for policy_filter_map table (default 128)")
 }
diff --git a/pkg/policyfilter/map.go b/pkg/policyfilter/map.go
@@ -14,6 +14,7 @@ import (
 
 	"github.com/cilium/tetragon/pkg/bpf"
 	"github.com/cilium/tetragon/pkg/config"
+	"github.com/cilium/tetragon/pkg/option"
 )
 
 const (
@@ -72,6 +73,10 @@ func newPfMap(enableCgroupMap bool) (PfMap, error) {
 		return PfMap{}, fmt.Errorf("loading spec for %s failed: %w", objPath, err)
 	}
 
+	if _, ok := spec.Maps["policy_filter_maps"]; ok {
+		spec.Maps["policy_filter_maps"].MaxEntries = uint32(option.Config.PolicyFilterMapEntries)
+	}
+
 	var ret PfMap
 	if ret.policyMap, err = openMap(spec, MapName, polMapSize); err != nil {
 		return PfMap{}, fmt.Errorf("opening map %s failed: %w", MapName, err)
@@ -80,7 +85,7 @@ func newPfMap(enableCgroupMap bool) (PfMap, error) {
 	if enableCgroupMap {
 		if ret.cgroupMap, err = openMap(spec, CgroupMapName, polMaxPolicies); err != nil {
 			releaseMap(ret.policyMap)
-			return PfMap{}, fmt.Errorf("opening cgroup map %s failed: %w", MapName, err)
+			return PfMap{}, fmt.Errorf("opening cgroup map %s failed: %w", CgroupMapName, err)
 		}
 	}
 
diff --git a/pkg/sensors/program/loader_linux.go b/pkg/sensors/program/loader_linux.go
@@ -18,6 +18,7 @@ import (
 	cachedbtf "github.com/cilium/tetragon/pkg/btf"
 	"github.com/cilium/tetragon/pkg/logger"
 	"github.com/cilium/tetragon/pkg/logger/logfields"
+	"github.com/cilium/tetragon/pkg/option"
 	"github.com/cilium/tetragon/pkg/sensors/unloader"
 )
 
@@ -976,6 +977,12 @@ func doLoadProgram(
 		}
 	}
 
+	// Set MaxEntries for policy_filter_maps if it exists in the spec.
+	// This ensures the spec matches the user-defined value.
+	if ms, ok := spec.Maps["policy_filter_maps"]; ok {
+		ms.MaxEntries = uint32(option.Config.PolicyFilterMapEntries)
+	}
+
 	// Find all the maps referenced by the program, so we'll rewrite only
 	// the ones used.
 	var progSpec *ebpf.ProgramSpec

Original file line number	Diff line number	Diff line change
`@@ -59,6 +59,9 @@ const (`
`59`	`59`
`60`	`60`	`// defaults for the {k,u}retprobes lru cache`
`61`	`61`	`DefaultRetprobesCacheSize = 4096`
	`62`	`+`
	`63`	`+ // defaults for the policy filter map`
	`64`	`+ DefaultPolicyFilterMapEntries = 128`
`62`	`65`	`)`
`63`	`66`
`64`	`67`	`var (`
Original file line number	Diff line number	Diff line change
`@@ -51,4 +51,7 @@ const (`
`51`	`51`
`52`	`52`	`// defaults for the {k,u}retprobes lru cache`
`53`	`53`	`DefaultRetprobesCacheSize = 4096`
	`54`	`+`
	`55`	`+ // defaults for the policy filter map`
	`56`	`+ DefaultPolicyFilterMapEntries = 128`
`54`	`57`	`)`
Original file line number	Diff line number	Diff line change
`@@ -130,6 +130,8 @@ type config struct {`
`130`	`130`	`ExecveMapSize string`
`131`	`131`
`132`	`132`	`RetprobesCacheSize int`
	`133`	`+`
	`134`	`+ PolicyFilterMapEntries int`
`133`	`135`	`}`
`134`	`136`
`135`	`137`	`var (`
`@@ -155,6 +157,9 @@ var (`
`155`	`157`
`156`	`158`	`// Set default value for {k,u}retprobes lru events cache`
`157`	`159`	`RetprobesCacheSize: defaults.DefaultRetprobesCacheSize,`
	`160`	`+`
	`161`	`+ // set default value for the policy filter map`
	`162`	`+ PolicyFilterMapEntries: defaults.DefaultPolicyFilterMapEntries,`
`158`	`163`	`}`
`159`	`164`	`)`
`160`	`165`
Original file line number	Diff line number	Diff line change
`@@ -135,6 +135,8 @@ const (`
`135`	`135`	`KeyExecveMapSize = "execve-map-size"`
`136`	`136`
`137`	`137`	`KeyRetprobesCacheSize = "retprobes-cache-size"`
	`138`	`+`
	`139`	`+ KeyPolicyFilterMapEntries = "policy-filter-map-entries"`
`138`	`140`	`)`
`139`	`141`
`140`	`142`	`type UsernameMetadaCode int`
`@@ -289,6 +291,8 @@ func ReadAndSetFlags() error {`
`289`	`291`	`Config.ExecveMapSize = viper.GetString(KeyExecveMapSize)`
`290`	`292`
`291`	`293`	`Config.RetprobesCacheSize = viper.GetInt(KeyRetprobesCacheSize)`
	`294`	`+`
	`295`	`+ Config.PolicyFilterMapEntries = viper.GetInt(KeyPolicyFilterMapEntries)`
`292`	`296`	`return nil`
`293`	`297`	`}`
`294`	`298`
`@@ -483,4 +487,6 @@ func AddFlags(flags *pflag.FlagSet) {`
`483`	`487`	`flags.String(KeyExecveMapSize, "", "Set size for execve_map table (allows K/M/G suffix)")`
`484`	`488`
`485`	`489`	`flags.Int(KeyRetprobesCacheSize, defaults.DefaultRetprobesCacheSize, "Set {k,u}retprobes events cache maximum size")`
	`490`	`+`
	`491`	`+ flags.Int(KeyPolicyFilterMapEntries, defaults.DefaultPolicyFilterMapEntries, "Set entries for policy_filter_map table (default 128)")`
`486`	`492`	`}`
Original file line number	Diff line number	Diff line change
`@@ -14,6 +14,7 @@ import (`
`14`	`14`
`15`	`15`	`"github.com/cilium/tetragon/pkg/bpf"`
`16`	`16`	`"github.com/cilium/tetragon/pkg/config"`
	`17`	`+ "github.com/cilium/tetragon/pkg/option"`
`17`	`18`	`)`
`18`	`19`
`19`	`20`	`const (`
`@@ -72,6 +73,10 @@ func newPfMap(enableCgroupMap bool) (PfMap, error) {`
`72`	`73`	`return PfMap{}, fmt.Errorf("loading spec for %s failed: %w", objPath, err)`
`73`	`74`	`}`
`74`	`75`
	`76`	`+ if _, ok := spec.Maps["policy_filter_maps"]; ok {`
	`77`	`+ spec.Maps["policy_filter_maps"].MaxEntries = uint32(option.Config.PolicyFilterMapEntries)`
	`78`	`+ }`
	`79`	`+`
`75`	`80`	`var ret PfMap`
`76`	`81`	`if ret.policyMap, err = openMap(spec, MapName, polMapSize); err != nil {`
`77`	`82`	`return PfMap{}, fmt.Errorf("opening map %s failed: %w", MapName, err)`
`@@ -80,7 +85,7 @@ func newPfMap(enableCgroupMap bool) (PfMap, error) {`
`80`	`85`	`if enableCgroupMap {`
`81`	`86`	`if ret.cgroupMap, err = openMap(spec, CgroupMapName, polMaxPolicies); err != nil {`
`82`	`87`	`releaseMap(ret.policyMap)`
`83`		`- return PfMap{}, fmt.Errorf("opening cgroup map %s failed: %w", MapName, err)`
	`88`	`+ return PfMap{}, fmt.Errorf("opening cgroup map %s failed: %w", CgroupMapName, err)`
`84`	`89`	`}`
`85`	`90`	`}`
`86`	`91`
Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,7 @@ import (`
`18`	`18`	`cachedbtf "github.com/cilium/tetragon/pkg/btf"`
`19`	`19`	`"github.com/cilium/tetragon/pkg/logger"`
`20`	`20`	`"github.com/cilium/tetragon/pkg/logger/logfields"`
	`21`	`+ "github.com/cilium/tetragon/pkg/option"`
`21`	`22`	`"github.com/cilium/tetragon/pkg/sensors/unloader"`
`22`	`23`	`)`
`23`	`24`
`@@ -976,6 +977,12 @@ func doLoadProgram(`
`976`	`977`	`}`
`977`	`978`	`}`
`978`	`979`
	`980`	`+ // Set MaxEntries for policy_filter_maps if it exists in the spec.`
	`981`	`+ // This ensures the spec matches the user-defined value.`
	`982`	`+ if ms, ok := spec.Maps["policy_filter_maps"]; ok {`
	`983`	`+ ms.MaxEntries = uint32(option.Config.PolicyFilterMapEntries)`
	`984`	`+ }`
	`985`	`+`
`979`	`986`	`// Find all the maps referenced by the program, so we'll rewrite only`
`980`	`987`	`// the ones used.`
`981`	`988`	`var progSpec *ebpf.ProgramSpec`