From 27ea572a9ad4e0a7fb020e37254dc9c952983eff Mon Sep 17 00:00:00 2001 From: Andrea Terzolo Date: Tue, 26 Sep 2023 15:55:45 +0200 Subject: [PATCH] cleanup(falco)!: remove `outputs.rate` and `outputs.max_burst` Signed-off-by: Andrea Terzolo --- falco.yaml | 28 ------------------- .../falco/app/actions/process_events.cpp | 20 +------------ userspace/falco/configuration.cpp | 9 ------ userspace/falco/configuration.h | 2 -- 4 files changed, 1 insertion(+), 58 deletions(-) diff --git a/falco.yaml b/falco.yaml index 09bc110d0e3..b563efd1305 100644 --- a/falco.yaml +++ b/falco.yaml @@ -273,34 +273,6 @@ json_include_tags_property: true # output mechanism. By default, buffering is disabled (false). buffered_outputs: false -# [Stable] `outputs` -# -# [DEPRECATED] -# This config is deprecated and it will be removed in Falco 0.37 -# -# A throttling mechanism, implemented as a token bucket, can be used to control -# the rate of Falco outputs. Each event source has its own rate limiter, -# ensuring that alerts from one source do not affect the throttling of others. -# The following options control the mechanism: -# - rate: the number of tokens (i.e. right to send a notification) gained per -# second. When 0, the throttling mechanism is disabled. Defaults to 0. -# - max_burst: the maximum number of tokens outstanding. Defaults to 1000. -# -# For example, setting the rate to 1 allows Falco to send up to 1000 -# notifications initially, followed by 1 notification per second. The burst -# capacity is fully restored after 1000 seconds of no activity. -# -# Throttling can be useful in various scenarios, such as preventing notification -# floods, managing system load, controlling event processing, or complying with -# rate limits imposed by external systems or APIs. It allows for better resource -# utilization, avoids overwhelming downstream systems, and helps maintain a -# balanced and controlled flow of notifications. -# -# With the default settings, the throttling mechanism is disabled. -outputs: - rate: 0 - max_burst: 1000 - # [Experimental] `rule_matching` # # The `rule_matching` configuration key's values are: diff --git a/userspace/falco/app/actions/process_events.cpp b/userspace/falco/app/actions/process_events.cpp index f5fdec4557e..69ed7fa9e20 100644 --- a/userspace/falco/app/actions/process_events.cpp +++ b/userspace/falco/app/actions/process_events.cpp @@ -25,7 +25,6 @@ limitations under the License. #include #include "falco_utils.h" -#include "token_bucket.h" #include "actions.h" #include "helpers.h" @@ -137,8 +136,6 @@ static falco::app::run_result do_inspect( stats_writer::collector stats_collector(statsw); uint64_t duration_start = 0; uint32_t timeouts_since_last_success_or_msg = 0; - token_bucket rate_limiter; - const bool rate_limiter_enabled = s.config->m_notifications_rate > 0; const bool is_capture_mode = source.empty(); size_t source_engine_idx = 0; @@ -156,14 +153,6 @@ static falco::app::run_result do_inspect( source_engine_idx = s.source_infos.at(source)->engine_idx; } - // if enabled, init rate limiter - if (rate_limiter_enabled) - { - rate_limiter.init( - s.config->m_notifications_rate, - s.config->m_notifications_max_burst); - } - // reset event counter num_evts = 0; @@ -333,14 +322,7 @@ static falco::app::run_result do_inspect( { for(auto& rule_res : *res.get()) { - if (!rate_limiter_enabled || rate_limiter.claim()) - { - s.outputs->handle_event(rule_res.evt, rule_res.rule, rule_res.source, rule_res.priority_num, rule_res.format, rule_res.tags); - } - else - { - falco_logger::log(LOG_DEBUG, "Skipping rate-limited notification for rule " + rule_res.rule + "\n"); - } + s.outputs->handle_event(rule_res.evt, rule_res.rule, rule_res.source, rule_res.priority_num, rule_res.format, rule_res.tags); } } diff --git a/userspace/falco/configuration.cpp b/userspace/falco/configuration.cpp index a884734a97b..393a3bbeb3e 100644 --- a/userspace/falco/configuration.cpp +++ b/userspace/falco/configuration.cpp @@ -36,8 +36,6 @@ falco_configuration::falco_configuration(): m_json_output(false), m_json_include_output_property(true), m_json_include_tags_property(true), - m_notifications_rate(0), - m_notifications_max_burst(1000), m_rule_matching(falco_common::rule_matching::FIRST), m_watch_config_files(true), m_buffered_outputs(false), @@ -264,13 +262,6 @@ void falco_configuration::load_yaml(const std::string& config_name, const yaml_h m_output_timeout = config.get_scalar("output_timeout", 2000); - m_notifications_rate = config.get_scalar("outputs.rate", 0); - if(m_notifications_rate != 0) - { - falco_logger::log(LOG_WARNING, "'output.rate' config is deprecated and it will be removed in Falco 0.37\n"); - } - m_notifications_max_burst = config.get_scalar("outputs.max_burst", 1000); - std::string rule_matching = config.get_scalar("rule_matching", "first"); if (!falco_common::parse_rule_matching(rule_matching, m_rule_matching)) { diff --git a/userspace/falco/configuration.h b/userspace/falco/configuration.h index 2a2ed20cfd8..4710bc62372 100644 --- a/userspace/falco/configuration.h +++ b/userspace/falco/configuration.h @@ -65,8 +65,6 @@ class falco_configuration bool m_json_include_tags_property; std::string m_log_level; std::vector m_outputs; - uint32_t m_notifications_rate; - uint32_t m_notifications_max_burst; falco_common::priority_type m_min_priority; falco_common::rule_matching m_rule_matching;