heimdall (per-pod metering agent)

Documentation Index

Fetch the complete documentation index at: https://engineering.unkey.com/llms.txt

Use this file to discover all available pages before exploring further.

​

What this is

​

What ships, and where

• The eBPF program lives at svc/heimdall/internal/network/bpf/network.bpf.c. bpf2go compiles it into a .o and a Go bindings file (bpf_bpfel.go), both committed to the repo. The bindings file uses //go:embed to bake the .o into the Go binary at compile time.
• The Go agent (the binary) is the same unkey monolith we ship for everything else, invoked as unkey run heimdall. Image tag ghcr.io/unkeyed/unkey:<tag>.
• The DaemonSet runs that image. On startup the agent extracts the embedded .o, loads it via libbpf, and attaches it to each pod’s eth0 inside the pod’s netns.

• There is no host-side install. No script runs on the node. No package gets baked into the AMI for heimdall. The kernel just needs to be ≥ 6.6 for TCX attach support (which the current eks-gvisor AMI already provides).
• There is no separate “deploy the eBPF program” step. Updating heimdall is the same as updating the rest of the monolith: bump the image tag in the Helm chart, ArgoCD rolls the DaemonSet, the new pod loads the new embedded .o on first attach.
• The dev-only TopoLVM bootstrap script under dev/k8s/topolvm/setup-vg.sh is unrelated. It runs inside minikube to fake the EBS-backed PVC story we have in prod, never on a production node. See the Local dev section for what it actually does.

Collection must never inflate a reading. Undercount is acceptable.

Heimdall stores snapshots of monotone counters, not rates or events.

​

Why snapshots and not rates

​

How a tick works

​

Network: tc-eBPF on the pod-side eth0

​

Networking background (skip if you know this)

• Network namespace (netns). A Linux kernel feature that gives a process its own isolated view of networking: its own interfaces, its own routing table, its own firewall rules. Every Kubernetes pod runs in its own netns, so from the pod’s perspective it has its own eth0, its own IP, its own everything. The host sits in its own separate netns.
• veth pair. Literally a virtual ethernet cable with two ends. You plug one end into the pod’s netns (shows up as eth0 inside the pod), and the other end into the host’s netns (typically lxc<hash> under Cilium). Packets written to one end normally come out the other.
• CNI (Container Network Interface). The plugin model Kubernetes uses for networking. Our CNI is Cilium in BPF host-routing mode. When a pod starts, Cilium creates the veth pair, puts one end in the pod, and keeps the other end on the host.
• bpf_redirect_peer. A Cilium fastpath helper. In BPF host-routing mode, packets arriving on the node’s physical NIC are punted directly into the target pod’s netns via this helper, bypassing the host-side veth entirely. The host end never sees those skbs, which is why the first version of heimdall (attached to lxc<hash>) read ~zero while pods were doing MB/s.
• ifindex. Every network interface has a small integer ID unique within its namespace. Pod-side eth0 happens to be ifindex 3 in every CNI netns, which means we cannot use ifindex as our BPF map key (every pod would collide on the same slot).
• Netns cookie. A 64-bit kernel-maintained identifier that is unique per netns and stable over that netns’s lifetime. Readable from BPF via bpf_get_netns_cookie(skb) and from userspace via getsockopt(SOL_SOCKET, SO_NETNS_COOKIE) on a socket created inside the netns. We use this as the map key so one pinned map serves every pod on the node with no collisions.
• tc (traffic control). A kernel subsystem with hook points where you can attach programs that run on every packet passing through a specific network interface. Two directions: tc-ingress (packets arriving at the interface) and tc-egress (packets leaving). You can attach an eBPF program to either, and the kernel runs it for every packet.
• TCX. The newer (Linux 6.6+) attachment mechanism for tc eBPF programs. Supports multiple programs on the same hook in a chain, with clean ordering. We use it so we can coexist with whatever Cilium eventually installs on the pod-side device without terminating its chain.
• cgroup_skb. An older kernel hook type that runs a BPF program when a packet is sent or received by a process inside a specific cgroup. Works fine for normal containers, but is useless for gVisor pods (customer syscalls never reach the host kernel, so the hook sees nothing).

​

Why the obvious approaches don’t work

• cgroup_skb at the pod cgroup (the first thing we built) is useless under gVisor. runsc is a userspace kernel. Customer syscalls are trapped inside it and never reach the host’s socket layer, so the cgroup hook sees only whatever runsc does on its own sockets, not per-packet customer traffic. Verified in local dev: every BPF map entry showed zero for every public counter even with pods doing real downloads. This is why we never shipped it.
• Reading Cilium’s per-endpoint counters looks attractive since Cilium already tags traffic by pod. But Cilium has declined per-endpoint byte counters four separate times (cilium#13173, cilium#29586, cilium#32193, cilium#21252); cilium_forward_bytes_total is node-aggregated only. Not a supported per-pod surface.
• tc-eBPF on the host-side veth (the second thing we built, and what we shipped first to prod) is silently broken on EKS with Cilium in BPF host-routing mode. Cilium’s bpf_redirect_peer (see bpf/lib/local_delivery.h and bpf_lxc.c) punts packets from cil_from_netdev on the host NIC straight into the target pod’s netns, so the per-pod host-side veth (lxc<hash> / eni<hash>) sees ~zero data packets. Production incident: host-side veth RX/TX counters sat at a few hundred bytes while the pod was actively moving MBs. Sentinel nodes worked because sentinels run kube-proxy without host-routing; untrusted workload nodes did not. Unusable at scale.

​

The eBPF program

• count_egress attaches to tc-egress of pod-side eth0. Packets leaving this hook originate from the pod (the pod’s egress direction). Classify by iph->daddr.
• count_ingress attaches to tc-ingress of pod-side eth0. Packets arriving here are about to be delivered to the pod (the pod’s ingress direction). Classify by iph->saddr.

• IPv4 — is_v4_private matches RFC1918 (10/8, 172.16/12, 192.168/16), CGNAT (100.64/10), link-local (169.254/16), and loopback (127/8).
• IPv6 — is_v6_private matches ULA (fc00::/7, which is Cilium’s default for dual-stack pod IPs), link-local (fe80::/10), multicast (ff00::/8), and loopback (::1).

​

The TCX return-code trap

• TC_ACT_UNSPEC (-1) is TCX_NEXT. Non-terminating; hand off to the next program in the chain.
• TC_ACT_OK (0) is TCX_PASS. Accept the packet AND terminate the chain.

​

Safety invariants

1. Read-only. The BPF program reads skb->len and the IP header. It never calls a helper that mutates the skb (no bpf_skb_store_bytes, no checksum helpers, no redirect helpers). The packet is byte-identical before and after our program runs.
2. Unconditionally non-terminating. Every code path (truncated packet, non-IP protocol, classifier failure, map-full) exits through a single return TC_ACT_UNSPEC at the bottom of each program. There is no path that returns TC_ACT_SHOT or TC_ACT_OK. The verifier will not accept a program that drops the invariant, so this is enforced at load time.
3. Stateless packet processing. No conntrack, no flow tables, no packet buffering. An atomic increment failing (wouldn’t happen; __sync_fetch_and_add on a per-cgroup map entry can’t fail) would only undercount, never drop.
4. Userspace failures never touch the datapath. A link.AttachTCX error, a containerd gRPC timeout, a netns lookup failure: all surface as Attach returning an error to heimdall. The pod simply ends up not attached. Uncounted, but running normally.
5. Detach is never forced. When the pod netns goes away (pod teardown), pod-side eth0 is destroyed with it and the kernel auto-detaches the TCX links. Heimdall’s Detach path is best-effort cleanup.

​

What counts, what doesn’t

• TCP retransmits count each transmission. skb->len increments for every re-sent packet, so a flow that retransmits 3× shows 3× the bytes. This is “wire bytes,” which is the industry-standard thing to bill for (AWS, Cloudflare, GCP all do the same). Customers don’t get a refund for their own packet loss.
• GSO/TSO packets count pre-segmentation bytes. On egress, a large skb (up to 64 KiB) represents a single transport-layer write before the NIC splits it into MTU-sized wire packets. skb->len is the pre-split size, so we miss the few per-segment L2+IP+TCP header bytes that get replicated on the real wire. Effectively a ~1–2 % undercount on TCP-heavy workloads. Safe direction per the never-inflate invariant.
• IP fragments count each fragment. Each fragment is its own skb with its own length, and they share the same saddr/daddr, so the classifier bills each fragment to the right pair of counters. Total bytes are correct.
• ARP, LLDP, and other non-IP L2 traffic is not counted. skb->protocol matches only ETH_P_IP and ETH_P_IPV6; everything else returns early. Control-plane L2 chatter doesn’t count against a customer’s egress number.
• VLAN-tagged traffic is silently skipped. skb->protocol is ETH_P_8021Q (0x8100) for tagged frames and neither IPv4 nor IPv6 matches. Pod-side eth0 under Cilium’s native pod networking doesn’t see VLAN tags (tags, if any, are stripped before the packet reaches the pod netns) so this doesn’t fire today — but if the network config ever changes (e.g. a multi-tenant overlay with VLAN separation), we’d undercount. Worth catching via sample-density alerts if it ever happens.

​

Resolving the pod netns

• PIDs in the pod’s cgroup live in gVisor’s sandbox netns, not the CNI netns where eth0 lives. The usual trick of /proc/<pid>/ns/net lands you in runsc’s internal netstack, not the Cilium netns.
• The CNI netns has no IP assigned to eth0 under gVisor (the IP lives in runsc’s userspace stack), so you can’t match by pod IP either.

​

Data path

​

Deployment requirements

• hostNetwork: true and hostPID: true, since we enter pod netns’s from the host.
• Capabilities CAP_BPF, CAP_NET_ADMIN, CAP_SYS_ADMIN. SYS_ADMIN relaxes the verifier’s pointer-arithmetic restrictions that CAP_BPF alone keeps on (CAP_BPF runs in “unprivileged BPF” mode, which rejects some LRU map update patterns) and is what lets setns(CLONE_NEWNET) into other netns’s.
• Host mounts: /run/containerd/containerd.sock (rw, for sandbox lookups), /var/run/netns (ro, HostToContainer, for the CNI netns files we setns into), /sys/fs/bpf (rw, HostToContainer, for the pinned counter map), /sys/kernel/btf (ro, CO-RE relocations).
• Kernel ≥ 5.12, required for SO_NETNS_COOKIE (userspace side); the BPF helper bpf_get_netns_cookie has been available since 5.7. A zero cookie from the socket getsockopt is treated as fatal for that attach — pre-5.12 kernels would return the init netns cookie for every pod and collapse every pod into one map slot.

• network_linux.go. The Reader interface implementation (lifecycle + async attach worker pool). Keys its per-pod map by types.UID → netns cookie (u64).
• sandbox_linux.go. Resolves the containerd sandbox to its CNI netns path.
• veth_linux.go. One locked-thread block that does everything netns-scoped: setns into the pod netns, find pod-side eth0, read the netns cookie, attach both TCX programs, setns back.
• bpf/network.bpf.c. The eBPF program, compiled by bpf2go into Go bindings and an embedded .o. Run make generate-bpf after editing.

​

What a checkpoint actually contains

identity         workspace_id, project_id, environment_id,
                 resource_type, resource_id,
                 container_uid     (= pod_uid + restart_count, stable per
                                      container lifetime; changes on restart),
                 instance_id       (= pod name, used for filtering charts
                                      to one replica)

when             ts                (unix milliseconds, sourced from
                                      pkg/clock.MonotonicClock so the value
                                      cannot regress on NTP backward jumps)
                 event_kind        (start | stop | checkpoint)

what             cpu_usage_usec               (Int64, raw kernel counter)
                 memory_bytes                 (Int64, working set)
                 cpu_allocated_millicores     (Int32, from pod.Spec.Limits)
                 memory_allocated_bytes       (Int64, from pod.Spec.Limits)
                 disk_allocated_bytes         (Int64, from PVC request)
                 disk_used_bytes              (Int64, statfs on the volume mount)
                 network_{eg,in}gress_{pub,priv}  (Int64, populated by the
                                      tc-eBPF collector on pod-side eth0;
                                      see Network section above)

​

The math, with a worked example

• Memory integration accuracy. Memory is a gauge, not a counter, so consumers have to integrate over samples. More samples means the mean is closer to the true integral. Fewer samples means the same shape, blurrier.
• Worst case undercount on container exit. If the container dies between the last periodic tick and CRI catching the exit event, we miss whatever CPU it used in that gap. Bounded by the tick interval (currently 5 seconds).

​

Replay safety, rolling updates, restarts

1. Replay (same checkpoint written twice)
   → max and min over the window do not change
   → aggregate unchanged

2. Rolling update (two heimdall pods write concurrently)
   → more rows in the window, but max and min are unchanged
   → aggregate unchanged

3. Container restart (kernel counter resets to 0)
   → container_uid changes (pod_uid + restart_count)
   → new container_uid starts its own window
   → we never diff across the reset

​

ClickHouse layout

instance_checkpoints_v1                ← raw, ReplacingMergeTree, 95 day TTL
    │   (daily partitions, bloom filters, Delta/DoubleDelta codecs)
    │
    ├─→ instance_resources_per_15s_v1     ← dashboard MV, 7 day TTL
    ├─→ instance_resources_per_minute_v1  ← dashboard MV, 30 day TTL
    ├─→ instance_resources_per_hour_v1    ← dashboard MV, 90 day TTL
    ├─→ instance_resources_per_day_v1     ← dashboard MV, 365 day TTL
    └─→ instance_resources_per_month_v1   ← dashboard / audit MV, 5 year TTL (NOT for billing — see warning below)

​

Dashboard queries

SELECT time, value FROM (
    -- cold tail: closed buckets from the MV
    SELECT time, agg(...) AS value
    FROM instance_resources_per_15s_v1
    WHERE ... AND time < toStartOfInterval(now(), INTERVAL 15 SECOND)
    GROUP BY time

    UNION ALL

    -- live tip: current bucket, computed on demand from raw
    SELECT toStartOfInterval(now(), INTERVAL 15 SECOND) AS time,
           agg(...) AS value
    FROM instance_checkpoints
    WHERE ... AND ts >= toUnixTimestamp(toStartOfInterval(now(), INTERVAL 15 SECOND)) * 1000
    HAVING value > 0
)
ORDER BY time

​

Failure modes we accept by design

​

Local dev: how it mirrors prod

• statfs inside the container reports the right numbers
• Writes past the allocated size hit ENOSPC
• Heimdall’s statfs path works the same as in prod (no special dev branch needed)

dev/k8s/topolvm/setup-vg.sh        idempotent loopback + VG creation
                                    (also reattaches after `minikube stop/start`)
dev/k8s/topolvm/values.yaml        TopoLVM helm values (cert-manager and
                                    webhooks both off; single-node only needs
                                    the controller and the node DaemonSet)
dev/k8s/topolvm/storageclass.yaml  StorageClass `topolvm-ssd` that krane points at

​

Operational notes

​

Code map