Kev Sheldrake
Hello. Rate limiting is per thread and your test involves starting numerous 'cat' processes one after the other, each with a different thread ID. As such, no rate limiting occurs....
I've updated the docs in this PR. https://github.com/cilium/tetragon/pull/1961
Also, I made this PR that lets you change the scope of the rate limiting from thread to "process" or "global". LMK if it helps in your case. Thanks! https://github.com/cilium/tetragon/pull/1962
These have been merged. They will be available in the next release. Otherwise, take a ci:latest tag if you want to try them out.
Thanks for testing. Rate limiting itself shouldn't be expensive, but maybe there were other changes between 1.0.0 and the ci:latest that have impacted RAM and CPU. I'm less concerned about...
> * I've noticed a different CPU and RAM usage profile for the tetragon pod. With rate limiting enabled I noticed ~30% increase in RAM usage and spikes on the...
filter_file_buf() in basic.h limits the number of file matches to MAX_MATCH_FILE_VALUES. This is 8 on kernels >=5.2 and 2 on kernels
Postfix file match limited to 50 chars on kernels >=5.2 and 40 on kernels
File match equal and prefix limited to 128 chars on kernels >=5.2 and 32 on kernels
#1408 will alleviate some of these limitations. e.g. number of matches becomes unbounded; equal and prefix lengths become 128 on all kernels; and postfix length becomes 128 characters on kernels...