Merge pull request #1852 from Prateeknandle/throttling

enabling alert throttling by default

.github/workflows/ci-latest-release.yml

@@ -109,7 +109,8 @@ jobs:
       - name: Test KubeArmor using Ginkgo
         run: |
           go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo
-          make -C tests/k8s_env/
+          make
+        working-directory: ./tests/k8s_env
         timeout-minutes: 30
 
       - name: Get karmor sysdump

.github/workflows/ci-test-controllers.yml

@@ -116,8 +116,8 @@ jobs:
       - name: Test KubeArmor using Ginkgo
         run: |
           go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo
-          cd tests/k8s_env
           ginkgo --vv --flake-attempts=10 --timeout=10m smoke/
+        working-directory: ./tests/k8s_env
         timeout-minutes: 30
 
       - name: Get karmor sysdump

KubeArmor/config/config.go

@@ -153,7 +153,7 @@ func readCmdLineParams() {
 
 	stateAgent := flag.Bool(ConfigStateAgent, false, "enabling KubeArmor State Agent client")
 
-	alertThrottling := flag.Bool(ConfigAlertThrottling, false, "enabling Alert Throttling")
+	alertThrottling := flag.Bool(ConfigAlertThrottling, true, "enabling Alert Throttling")
 
 	maxAlertPerSec := flag.Int(ConfigMaxAlertPerSec, 10, "Maximum alerts allowed per second")
 

KubeArmor/monitor/systemMonitor.go

@@ -286,13 +286,21 @@ func (mon *SystemMonitor) UpdateThrottlingConfig() {
 		if err := mon.BpfConfigMap.Update(uint32(3), uint32(1), cle.UpdateAny); err != nil {
 			mon.Logger.Errf("Error Updating System Monitor Config Map to enable alert throttling : %s", err.Error())
 		}
+	} else {
+		if err := mon.BpfConfigMap.Update(uint32(3), uint32(0), cle.UpdateAny); err != nil {
+			mon.Logger.Errf("Error Updating System Monitor Config Map to enable alert throttling : %s", err.Error())
+		}
 	}
 	if err := mon.BpfConfigMap.Update(uint32(4), uint32(cfg.GlobalCfg.MaxAlertPerSec), cle.UpdateAny); err != nil {
 		mon.Logger.Errf("Error Updating System Monitor Config Map to set max alerts per sec : %s", err.Error())
 	}
 	if err := mon.BpfConfigMap.Update(uint32(5), uint32(cfg.GlobalCfg.ThrottleSec), cle.UpdateAny); err != nil {
 		mon.Logger.Errf("Error Updating System Monitor Config Map to set time interval for dropping subsequent alerts : %s", err.Error())
 	}
+	mon.Logger.Printf("Alert Throttling configured {alertThrottling:%v, maxAlertPerSec:%v, throttleSec:%v}",
+		cfg.GlobalCfg.AlertThrottling,
+		cfg.GlobalCfg.MaxAlertPerSec,
+		cfg.GlobalCfg.ThrottleSec)
 }
 
 // UpdateNsKeyMap Function

KubeArmor/packaging/kubearmor.yaml

@@ -4,3 +4,6 @@ hostVisibility: "process,file,network,capabilities"
 enableKubeArmorHostPolicy: true
 enableKubeArmorVm: false
 k8s: false
+alertThrottling: true
+maxAlertPerSec: 10
+throttleSec: 30

deployments/get/objects.go

@@ -973,6 +973,9 @@ func GetKubearmorConfigMap(namespace, name string) *corev1.ConfigMap {
 	data[cfg.ConfigDefaultCapabilitiesPosture] = "audit"
 	data[cfg.ConfigDefaultNetworkPosture] = "audit"
 	data[cfg.ConfigDefaultPostureLogs] = "true"
+	data[cfg.ConfigAlertThrottling] = "true"
+	data[cfg.ConfigMaxAlertPerSec] = "10"
+	data[cfg.ConfigThrottleSec] = "30"
 
 	return &corev1.ConfigMap{
 		TypeMeta: metav1.TypeMeta{

deployments/helm/KubeArmor/values.yaml

@@ -94,7 +94,7 @@ kubearmorConfigMap:
   defaultCapabilitiesPosture: audit
   defaultNetworkPosture: audit
   visibility: process,network
-  alertThrottling: false
+  alertThrottling: true
   maxAlertPerSec: 10
   throttleSec: 30
 

deployments/helm/KubeArmorOperator/values.yaml

@@ -47,7 +47,7 @@ kubearmorConfig:
   enableStdOutAlerts: false
   enableStdOutMsgs: false
   seccompEnabled: true
-  alertThrottling: false
+  alertThrottling: true
   maxAlertPerSec: 10
   throttleSec: 30
 

getting-started/alert_throttling.md

@@ -10,7 +10,7 @@ Throttling conditions can be configured through the config map, `kubearmor-confi
 
 Three configurable conditions for throttling are:
 
-1. enabling alert throttling, by default alert throttling will not be available. In order to enable throttling we need to set `alertThrottling` to `true`.
+1. enabling/disabling alert throttling, by default alert throttling will be enabled. In order to disable throttling we need to set `alertThrottling` to `false`.
 
 2. set the threshold frequency for the alerts generated, by default it is set to `10` alerts(after enabling throttling), which means 10 alerts would be allowed to be generated per second. After the threshold frequency is crossed an alert will be generated which will notify that threshold frequency is crossed and for next few seconds we will not recieve alerts for this container. In order to set threshold frequency we need to set `maxAlertPerSec` to an int value, which decribes the number of maximum alerts that could be generated per sec.
 

pkg/KubeArmorOperator/common/defaults.go

@@ -129,7 +129,7 @@ var ConfigMapData = map[string]string{
 	ConfigDefaultNetworkPosture:      "audit",
 	ConfigVisibility:                 "process,network,capabilities",
 	ConfigDefaultPostureLogs:         "true",
-	ConfigAlertThrottling:            "false",
+	ConfigAlertThrottling:            "true",
 	ConfigMaxAlertPerSec:             "10",
 	ConfigThrottleSec:                "30",
 }

pkg/KubeArmorOperator/config/samples/sample-config.yml

@@ -18,7 +18,7 @@ spec:
   enableStdOutAlerts: false
   enableStdOutMsgs: false
   seccompEnabled: false
-  alertThrottling: false
+  alertThrottling: true
   maxAlertPerSec: 10
   throttleSec: 30
   kubearmorImage: