@awprice awprice commented Oct 30, 2025

Description

As per title, this adds support for specifying the anchor to use when TCX attaching programs to ingress and egress.

We'd like to use netobserv-ebpf-agent in our clusters, however we've found that when running alongside Cilium, the agent's ingress and egress BPF programs are inserted after Cilium's BPF programs. This is due to no particular anchor being used, which generally results in the program being placed last.

For example:

lxc6e83bd0074e0(10) tcx/ingress cil_from_container prog_id 1310 link_id 260 
lxc6e83bd0074e0(10) tcx/ingress tcx_ingress_flow_parse prog_id 1503 link_id 367 
lxc6e83bd0074e0(10) tcx/egress cil_to_container prog_id 1322 link_id 262 
lxc6e83bd0074e0(10) tcx/egress tcx_egress_flow_parse prog_id 1501 link_id 366 

(Cilium's programs are prefixed with cil_)

Due to Cilium's use of TC_ACT_REDIRECT (which is a perfectly fine optimisation), often the agent's BPF program isn't run and we cannot capture flows.

To remedy this, we've found that placing the agent's BPF program at the head of the program list using anchor.Head() allows flows to be captured and then Cilium to continue processing as normal.

When using the new configuration options TCX_ATTACH_ANCHOR_INGRESS=head and TCX_ATTACH_ANCHOR_EGRESS=head we now see:

lxc6e83bd0074e0(10) tcx/ingress tcx_ingress_flow_parse prog_id 1527 link_id 387 
lxc6e83bd0074e0(10) tcx/ingress cil_from_container prog_id 1310 link_id 260 
lxc6e83bd0074e0(10) tcx/egress tcx_egress_flow_parse prog_id 1525 link_id 386 
lxc6e83bd0074e0(10) tcx/egress cil_to_container prog_id 1322 link_id 262 

I've kept default behaviour by having a nil anchor when TCX_ATTACH_ANCHOR_INGRESS or TCX_ATTACH_ANCHOR_EGRESS is either not specified or set to none.

Dependencies

n/a

Checklist

If you are not familiar with our processes or don't know what to answer in the list below, let us know in a comment: the maintainers will take care of that.

  • Will this change affect NetObserv / Network Observability operator? If not, you can ignore the rest of this checklist.
  • Is this PR backed with a JIRA ticket? If so, make sure it is written as a title prefix (in general, PRs affecting the NetObserv/Network Observability product should be backed with a JIRA ticket - especially if they bring user facing changes).
  • Does this PR require product documentation?
    • If so, make sure the JIRA epic is labelled with "documentation" and provides a description relevant for doc writers, such as use cases or scenarios. Any required step to activate or configure the feature should be documented there, such as new CRD knobs.
  • Does this PR require a product release notes entry?
    • If so, fill in "Release Note Text" in the JIRA.
  • Is there anything else the QE team should know before testing? E.g: configuration changes, environment setup, etc.
    • If so, make sure it is described in the JIRA ticket.
  • QE requirements (check 1 from the list):
    • Standard QE validation, with pre-merge tests unless stated otherwise.
    • Regression tests only (e.g. refactoring with no user-facing change).
    • No QE (e.g. trivial change with high reviewer's confidence, or per agreement with the QE team).

To run a perfscale test, comment with: /test ebpf-node-density-heavy-25nodes
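
A post-deployment check for the ordering problem described in this PR, as an added example (not code from the PR or from netobserv-ebpf-agent): it reads a listing in the format quoted in the description and reports each TCX hook where the agent's `*_flow_parse` program sits after a `cil_` program. The helper name `Shadowed` is hypothetical, and the example assumes that listing order equals execution order on a hook.

```go
package main

import (
	"fmt"
	"strings"
)

// Listings copied from the PR description: default attach, then anchor=head.
const before = `lxc6e83bd0074e0(10) tcx/ingress cil_from_container prog_id 1310 link_id 260
lxc6e83bd0074e0(10) tcx/ingress tcx_ingress_flow_parse prog_id 1503 link_id 367
lxc6e83bd0074e0(10) tcx/egress cil_to_container prog_id 1322 link_id 262
lxc6e83bd0074e0(10) tcx/egress tcx_egress_flow_parse prog_id 1501 link_id 366`

const after = `lxc6e83bd0074e0(10) tcx/ingress tcx_ingress_flow_parse prog_id 1527 link_id 387
lxc6e83bd0074e0(10) tcx/ingress cil_from_container prog_id 1310 link_id 260
lxc6e83bd0074e0(10) tcx/egress tcx_egress_flow_parse prog_id 1525 link_id 386
lxc6e83bd0074e0(10) tcx/egress cil_to_container prog_id 1322 link_id 262`

// Shadowed (hypothetical helper) returns every "<iface> <hook>" where the
// agent's *_flow_parse program is listed after a cil_ program, i.e. where a
// TC_ACT_REDIRECT from Cilium can end the chain before the agent runs.
// Assumption: listing order is execution order on that hook.
func Shadowed(listing string) []string {
	cilSeen := map[string]bool{} // hook -> a cil_ program was already listed
	var out []string
	for _, line := range strings.Split(listing, "\n") {
		f := strings.Fields(line)
		if len(f) < 3 || !strings.HasPrefix(f[1], "tcx/") {
			continue // not a TCX attachment line
		}
		hook := f[0] + " " + f[1]
		switch name := f[2]; {
		case strings.HasPrefix(name, "cil_"):
			cilSeen[hook] = true
		case strings.HasSuffix(name, "_flow_parse") && cilSeen[hook]:
			out = append(out, hook)
		}
	}
	return out
}

func main() {
	fmt.Println("default attach:", Shadowed(before))
	fmt.Println("anchor=head:   ", Shadowed(after))
}
```

A non-empty result marks hooks where flow capture can silently miss redirected traffic, so it is worth alerting on after agent or CNI upgrades.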


openshift-ci bot commented Oct 30, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign kalmanmeth for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment


openshift-ci bot commented Oct 30, 2025

Hi @awprice. Thanks for your PR.

I'm waiting for a github.com member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.


awprice commented Oct 30, 2025

Will need some guidance on the checklist.

…ams to ingress and egress

Signed-off-by: Alex Price <aprice@atlassian.com>
@awprice awprice force-pushed the awprice-tcx-anchors branch from c47ac5d to 1e71eed Compare October 30, 2025 00:20

jotak commented Oct 30, 2025

Sounds like a nice addition, thanks @awprice
/lgtm
cc @msherif1234 if you want to review as well

@msherif1234
Contributor

Thanks @awprice, do you mind, while you're there, using anchor for the pca TCX hooks too? We can use the same configuration knob for both?


openshift-ci bot commented Oct 30, 2025

@awprice: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/netobserv-cli-tests | 1e71eed | link | false | /test netobserv-cli-tests |
| ci/prow/qe-e2e-tests | 1e71eed | link | false | /test qe-e2e-tests |



awprice commented Oct 30, 2025

> Thanks @awprice, do you mind, while you're there, using anchor for the pca TCX hooks too? We can use the same configuration knob for both?

@msherif1234 Thanks - I've already done this:

@msherif1234
Contributor

> > Thanks @awprice, do you mind, while you're there, using anchor for the pca TCX hooks too? We can use the same configuration knob for both?
>
> @msherif1234 Thanks - I've already done this:

Oh sorry, somehow I missed them, thank you!!
/lgtm

@msherif1234
Contributor

@jotak there will be operator work for bpfman plugin to leverage anchor settings, just FYI for tracking
