policyfiltermetrics: add policyfilter_hook_container_name_missing_total

metric After adding the support for filtering policies by container name, we decided not to abort the OCI hook when this detail is not present for some reason not to break other filtering methods like pod labels. However, we need to monitor such operations when the container name is missing. This patch aims to do this by adding a new "policyfilter_hook_container_name_missing_total" metric. The counter will be increased when the container name cannot be found in the "createContainerHook" function. Besides, this patch adds a missing return statement for the case when adding a container to pod from OCI hook fails and we inform the user that we are aborting the hook. In order to still have a counter increase upon error, we run the counter increase logic before checking the error. Fixes: #1879 Signed-off-by: Oleh Neichev <[email protected]>
cilium · Apr 4, 2024 · 3904aea · 3904aea
1 parent e7f44b0
commit 3904aea
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 3 deletions.
diff --git a/pkg/metrics/policyfiltermetrics/policyfiltermetrics.go b/pkg/metrics/policyfiltermetrics/policyfiltermetrics.go
@@ -53,8 +53,17 @@ var (
 	}, []string{"subsys", "op"})
 )
 
+var (
+	PolicyFilterHookContainerNameMissingMetrics = prometheus.NewCounter(prometheus.CounterOpts{
+		Namespace:   consts.MetricsNamespace,
+		Name:        "policyfilter_hook_container_name_missing_total",
+		Help:        "The total number of operations when the container name was missing in the OCI hook",
+		ConstLabels: nil,
+	})
+)
+
 func InitMetrics(registry *prometheus.Registry) {
-	registry.MustRegister(PolicyFilterOpMetrics)
+	registry.MustRegister(PolicyFilterOpMetrics, PolicyFilterHookContainerNameMissingMetrics)
 
 	// Initialize metrics with labels
 	PolicyFilterOpMetrics.WithLabelValues(RTHooksSubsys.String(), AddContainerOperation.String()).Add(0)
@@ -73,3 +82,7 @@ func OpInc(subsys Subsys, op Operation) {
 		subsys.String(), op.String(),
 	).Inc()
 }
+
+func ContNameMissInc() {
+	PolicyFilterHookContainerNameMissingMetrics.Inc()
+}
diff --git a/pkg/policyfilter/rthooks/rthooks.go b/pkg/policyfilter/rthooks/rthooks.go
@@ -97,6 +97,7 @@ func createContainerHook(_ context.Context, arg *rthooks.CreateContainerArg) err
 	containerName := arg.Req.ContainerName
 	if containerName == "" {
 		log.Warnf("failed to find container information for %s, but will continue", containerID)
+		policyfiltermetrics.ContNameMissInc()
 	}
 
 	log.WithFields(logrus.Fields{
@@ -107,10 +108,13 @@ func createContainerHook(_ context.Context, arg *rthooks.CreateContainerArg) err
 		"container-name": containerName,
 	}).Trace("policyfilter: add pod container")
 	cgid := policyfilter.CgroupID(cgID)
-	if err := pfState.AddPodContainer(policyfilter.PodID(podID), namespace, pod.Labels, containerID, cgid, containerName); err != nil {
+	err = pfState.AddPodContainer(policyfilter.PodID(podID), namespace, pod.Labels, containerID, cgid, containerName)
+	policyfiltermetrics.OpInc(policyfiltermetrics.RTHooksSubsys, policyfiltermetrics.AddContainerOperation)
+
+	if err != nil {
 		log.WithError(err).Warn("failed to update policy filter, aborting hook.")
+		return err
 	}
-	policyfiltermetrics.OpInc(policyfiltermetrics.RTHooksSubsys, policyfiltermetrics.AddContainerOperation)
 
 	return nil
 }