From eaf003bdd4d6f2dbaeb5c16885e08ea1d9d31115 Mon Sep 17 00:00:00 2001
From: Yakir Oren
Date: Wed, 25 Mar 2026 11:19:54 +0200
Subject: [PATCH 1/2] add pprof labels for rules
Signed-off-by: Yakir Oren
---
 .../v2/event_handler_factory.go | 23 +++++++++++--------
 pkg/rulemanager/rule_manager.go | 13 +++++++++--
 2 files changed, 25 insertions(+), 11 deletions(-)
diff --git a/pkg/containerwatcher/v2/event_handler_factory.go b/pkg/containerwatcher/v2/event_handler_factory.go
index 668a91881..b6d0a65d0 100644
--- a/pkg/containerwatcher/v2/event_handler_factory.go
+++ b/pkg/containerwatcher/v2/event_handler_factory.go
@@ -1,6 +1,9 @@
 package containerwatcher
 import (
+ "context"
+ "runtime/pprof"
+
 mapset "github.com/deckarep/golang-set/v2"
 "github.com/goradd/maps"
 containercollection "github.com/inspektor-gadget/inspektor-gadget/pkg/container-collection"
@@ -194,17 +197,19 @@ func (ehf *EventHandlerFactory) ProcessEvent(enrichedEvent *events.EnrichedEvent
 return
 }
- // Process event through each handler
- for _, handler := range handlers {
- if enrichedHandler, ok := handler.(containerwatcher.EnrichedEventReceiver); ok {
- enrichedHandler.ReportEnrichedEvent(enrichedEvent)
- } else if handler, ok := handler.(containerwatcher.EventReceiver); ok {
- handler.ReportEvent(eventType, enrichedEvent.Event)
+ pprof.Do(context.Background(), pprof.Labels("event", string(eventType)), func(_ context.Context) {
+ // Process event through each handler
+ for _, handler := range handlers {
+ if enrichedHandler, ok := handler.(containerwatcher.EnrichedEventReceiver); ok {
+ enrichedHandler.ReportEnrichedEvent(enrichedEvent)
+ } else if handler, ok := handler.(containerwatcher.EventReceiver); ok {
+ handler.ReportEvent(eventType, enrichedEvent.Event)
+ }
 }
- }
- // Report to third-party event receivers
- ehf.reportEventToThirdPartyTracers(enrichedEvent)
+ // Report to third-party event receivers
+ ehf.reportEventToThirdPartyTracers(enrichedEvent)
+ })
 }
 // registerHandlers registers all handlers for different event types
diff --git a/pkg/rulemanager/rule_manager.go b/pkg/rulemanager/rule_manager.go
index f08cb8bfa..3ed0c5d65 100644
--- a/pkg/rulemanager/rule_manager.go
+++ b/pkg/rulemanager/rule_manager.go
@@ -4,6 +4,7 @@ import (
 "context"
 "crypto/md5"
 "fmt"
+ "runtime/pprof"
 "time"
 "github.com/armosec/armoapi-go/armotypes"
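Review bot: The `event` label set in ProcessEvent will not survive the nested `pprof.Do` calls this patch adds in rule_manager.go, because every call is rooted at `context.Background()` and the closure here discards the labelled context (`func(_ context.Context)`). `pprof.Do` installs the labels of the context it builds and, on return, resets the goroutine to the labels of the context it was given; with `context.Background()` the inner call replaces `event=…` by `rule=…` alone and then leaves the goroutine unlabelled, so rule evaluation never carries both labels and the remaining handlers and `reportEventToThirdPartyTracers` are sampled without `event` (assuming RuleManager is among the handlers dispatched here). Passing the labelled context down to the receivers and using it as the first argument of the inner call, `pprof.Do(ctx, pprof.Labels("rule", rule.ID), …)`, would keep both; the same applies to the `ReportEnrichedEvent` and `EvaluatePolicyRulesForEvent` hunks. ProcessEvent starts above this hunk.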
@@ -227,7 +228,11 @@ func (rm *RuleManager) ReportEnrichedEvent(enrichedEvent *events.EnrichedEvent)
 }
 startTime := time.Now()
- shouldAlert, err := rm.celEvaluator.EvaluateRule(enrichedEvent, rule.Expressions.RuleExpression)
+ var shouldAlert bool
+ var err error
+ pprof.Do(context.Background(), pprof.Labels("rule", rule.ID), func(_ context.Context) {
+ shouldAlert, err = rm.celEvaluator.EvaluateRule(enrichedEvent, rule.Expressions.RuleExpression)
+ })
 evaluationTime := time.Since(startTime)
 rm.metrics.ReportRuleEvaluationTime(rule.Name, eventType, evaluationTime)
@@ -351,7 +356,11 @@ func (rm *RuleManager) EvaluatePolicyRulesForEvent(eventType utils.EventType, ev
 }
 startTime := time.Now()
- shouldAlert, err := rm.celEvaluator.EvaluateRule(enrichedEvent, ruleExpressions)
+ var shouldAlert bool
+ var err error
+ pprof.Do(context.Background(), pprof.Labels("rule", rule.ID), func(_ context.Context) {
+ shouldAlert, err = rm.celEvaluator.EvaluateRule(enrichedEvent, ruleExpressions)
+ })
 evaluationTime := time.Since(startTime)
 rm.metrics.ReportRuleEvaluationTime(rule.ID, eventType, evaluationTime)
From 366c6630ff7d68ea09e473fee8dd1a8d65892c83 Mon Sep 17 00:00:00 2001
From: Yakir Oren
Date: Wed, 25 Mar 2026 11:35:37 +0200
Subject: [PATCH 2/2] .
Signed-off-by: Yakir Oren
---
 pkg/rulemanager/rule_manager.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/rulemanager/rule_manager.go b/pkg/rulemanager/rule_manager.go
index 3ed0c5d65..80f3a760b 100644
--- a/pkg/rulemanager/rule_manager.go
+++ b/pkg/rulemanager/rule_manager.go
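Review bot: In `ReportEnrichedEvent` the profile label is keyed by `rule.ID`, while the metric reported just below uses `rule.Name` (`rm.metrics.ReportRuleEvaluationTime(rule.Name, eventType, evaluationTime)`), so a rule that looks slow in the metric cannot be looked up directly in a CPU profile. `EvaluatePolicyRulesForEvent` uses `rule.ID` for both. Either label with the identifier the metric already uses or carry both, e.g. `pprof.Labels("rule", rule.ID, "rule_name", rule.Name)`. The function body starts and ends outside the hunk.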
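Review bot: In `EvaluatePolicyRulesForEvent` (and likewise in `ReportEnrichedEvent`) the label set, the labelled context and the closure are created for every rule on every event, whether or not a profile is being collected, and `startTime` is taken before `pprof.Do`, so `evaluationTime` now includes that overhead. `pprof.Labels` and the context built inside `pprof.Do` both allocate, which on a sensor's per-event path is likely to show up as extra GC pressure; a benchmark before and after would settle it. Consider building the `pprof.LabelSet` once when the rule is loaded, or gating the labelling behind a profiling setting, and moving `startTime := time.Now()` inside the closure so the metric keeps measuring only `EvaluateRule`. A short comment on why the labels are there and what they cost would help the next reader. The enclosing loop starts and ends outside the hunk.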
@@ -231,7 +231,7 @@ func (rm *RuleManager) ReportEnrichedEvent(enrichedEvent *events.EnrichedEvent)
 var shouldAlert bool
 var err error
 pprof.Do(context.Background(), pprof.Labels("rule", rule.ID), func(_ context.Context) {
- shouldAlert, err = rm.celEvaluator.EvaluateRule(enrichedEvent, rule.Expressions.RuleExpression)
+ shouldAlert, err = rm.celEvaluator.EvaluateRule(enrichedEvent, ruleExpressions)
 })
 evaluationTime := time.Since(startTime)
 rm.metrics.ReportRuleEvaluationTime(rule.Name, eventType, evaluationTime)
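Review bot: This line changes which expressions `ReportEnrichedEvent` evaluates (`ruleExpressions` instead of `rule.Expressions.RuleExpression`), which is a change to detection behaviour rather than to profiling, and the commit subject "." does not say why. `ruleExpressions` is declared outside the hunk, so it cannot be confirmed from here whether it is the same set or a filtered one. Please give the commit a descriptive message, or squash it into the first patch if it only repairs a rebase, and cover it with a test showing that a rule which fired on an event before the change still fires after it.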