stackrox
diff --git a/‎central/sensor/service/pipeline/virtualmachineindex/pipeline.go‎
Lines changed: 80 additions & 3 deletions b/‎central/sensor/service/pipeline/virtualmachineindex/pipeline.go‎
Lines changed: 80 additions & 3 deletions
diff --git a/‎central/sensor/service/pipeline/virtualmachineindex/pipeline_test.go‎
Lines changed: 94 additions & 2 deletions b/‎central/sensor/service/pipeline/virtualmachineindex/pipeline_test.go‎
Lines changed: 94 additions & 2 deletions
@@ -2,6 +2,7 @@ package virtualmachineindex
 
 import (
 	"context"
+	"strconv"
 
 	"github.com/pkg/errors"
 	countMetrics "github.com/stackrox/rox/central/metrics"
@@ -12,12 +13,19 @@ import (
 	"github.com/stackrox/rox/generated/internalapi/central"
 	"github.com/stackrox/rox/generated/storage"
 	"github.com/stackrox/rox/pkg/centralsensor"
+	"github.com/stackrox/rox/pkg/env"
 	"github.com/stackrox/rox/pkg/features"
 	"github.com/stackrox/rox/pkg/logging"
 	"github.com/stackrox/rox/pkg/metrics"
+	"github.com/stackrox/rox/pkg/rate"
 	vmEnricher "github.com/stackrox/rox/pkg/virtualmachine/enricher"
 )
 
+const (
+	// rateLimiterWorkload is the workload name used for rate limiting VM index reports.
+	rateLimiterWorkload = "vm_index_report"
+)
+
 var (
 	log = logging.LoggerForModule()
 
@@ -26,26 +34,43 @@ var (
 
 // GetPipeline returns an instantiation of this particular pipeline
 func GetPipeline() pipeline.Fragment {
+	rateLimit, err := strconv.ParseFloat(env.VMIndexReportRateLimit.Setting(), 64)
+	if err != nil {
+		log.Panicf("Invalid %s value: %v", env.VMIndexReportRateLimit.EnvVar(), err)
+	}
+	rateLimiter, err := rate.RegisterLimiter(
+		rateLimiterWorkload,
+		rateLimit,
+		env.VMIndexReportBucketCapacity.IntegerSetting(),
+	)
+	if err != nil {
+		log.Panicf("Failed to create rate limiter for %s: %v", rateLimiterWorkload, err)
+	}
 	return newPipeline(
 		vmDatastore.Singleton(),
 		vmEnricher.Singleton(),
+		rateLimiter,
 	)
 }
 
 // newPipeline returns a new instance of Pipeline.
-func newPipeline(vms vmDatastore.DataStore, enricher vmEnricher.VirtualMachineEnricher) pipeline.Fragment {
+func newPipeline(vms vmDatastore.DataStore, enricher vmEnricher.VirtualMachineEnricher, rateLimiter *rate.Limiter) pipeline.Fragment {
 	return &pipelineImpl{
 		vmDatastore: vms,
 		enricher:    enricher,
+		rateLimiter: rateLimiter,
 	}
 }
 
 type pipelineImpl struct {
 	vmDatastore vmDatastore.DataStore
 	enricher    vmEnricher.VirtualMachineEnricher
+	rateLimiter *rate.Limiter
 }
 
-func (p *pipelineImpl) OnFinish(_ string) {
+func (p *pipelineImpl) OnFinish(clusterID string) {
+	// Notify rate limiter that this sensor disconnected so it can rebalance
+	p.rateLimiter.OnSensorDisconnect(clusterID)
 }
 
 func (p *pipelineImpl) Capabilities() []centralsensor.CentralCapability {
@@ -60,7 +85,7 @@ func (p *pipelineImpl) Match(msg *central.MsgFromSensor) bool {
 	return msg.GetEvent().GetVirtualMachineIndexReport() != nil
 }
 
-func (p *pipelineImpl) Run(ctx context.Context, _ string, msg *central.MsgFromSensor, _ common.MessageInjector) error {
+func (p *pipelineImpl) Run(ctx context.Context, _ string, msg *central.MsgFromSensor, injector common.MessageInjector) error {
 	defer countMetrics.IncrementResourceProcessedCounter(pipeline.ActionToOperation(msg.GetEvent().GetAction()), metrics.VirtualMachineIndex)
 
 	if !features.VirtualMachines.Enabled() {
@@ -82,6 +107,18 @@ func (p *pipelineImpl) Run(ctx context.Context, _ string, msg *central.MsgFromSe
 
 	log.Debugf("Received virtual machine index report: %s", index.GetId())
 
+	// Extract cluster ID from injector (connection metadata)
+	clusterID := extractClusterID(injector)
+
+	// Rate limit check
+	allowed, reason := p.rateLimiter.TryConsume(clusterID)
+	if !allowed {
+		log.Infof("Rate limit exceeded for VM %s from cluster %s: %s",
+			index.GetId(), clusterID, reason)
+		sendVMIndexReportResponse(ctx, index.GetId(), central.SensorACK_NACK, reason, injector)
+		return nil // Don't return error - would cause pipeline retry
+	}
+
 	// Get or create VM
 	vm := &storage.VirtualMachine{Id: index.GetId()}
 
@@ -105,5 +142,45 @@ func (p *pipelineImpl) Run(ctx context.Context, _ string, msg *central.MsgFromSe
 	log.Infof("Successfully enriched and stored VM %s with %d components",
 		vm.GetId(), len(vm.GetScan().GetComponents()))
 
+	// Send ACK to Sensor
+	sendVMIndexReportResponse(ctx, index.GetId(), central.SensorACK_ACK, "", injector)
+
 	return nil
 }
+
+// extractClusterID extracts the cluster ID from the message injector (connection metadata).
+func extractClusterID(injector common.MessageInjector) string {
+	// MessageInjector is actually a SensorConnection which has ClusterID()
+	if conn, ok := injector.(interface{ ClusterID() string }); ok {
+		return conn.ClusterID()
+	}
+	log.Warn("Unable to extract cluster ID from injector, using unknown")
+	return "unknown"
+}
+
+// sendVMIndexReportResponse sends an ACK or NACK for a VM index report.
+func sendVMIndexReportResponse(ctx context.Context, vmID string, action central.SensorACK_Action, reason string, injector common.MessageInjector) {
+	conn, ok := injector.(interface {
+		HasCapability(centralsensor.SensorCapability) bool
+	})
+	if !ok || !conn.HasCapability(centralsensor.SensorACKSupport) {
+		log.Debugf("Sensor does not support SensorACK, skipping VM index report response for %s", vmID)
+		return
+	}
+
+	msg := &central.MsgToSensor{
+		Msg: &central.MsgToSensor_SensorAck{
+			SensorAck: &central.SensorACK{
+				Action:      action,
+				MessageType: central.SensorACK_VM_INDEX_REPORT,
+				ResourceId:  vmID,
+				Reason:      reason,
+			},
+		},
+	}
+	if err := injector.InjectMessage(ctx, msg); err != nil {
+		log.Warnf("Failed sending VM index report %s for %s: %v", action.String(), vmID, err)
+	} else {
+		log.Debugf("Sent VM index report %s for %s (reason=%q)", action.String(), vmID, reason)
+	}
+}
@@ -13,8 +13,10 @@ import (
 	"github.com/stackrox/rox/generated/storage"
 	"github.com/stackrox/rox/pkg/centralsensor"
 	"github.com/stackrox/rox/pkg/features"
+	"github.com/stackrox/rox/pkg/rate"
 	vmEnricherMocks "github.com/stackrox/rox/pkg/virtualmachine/enricher/mocks"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	"github.com/stretchr/testify/suite"
 	"go.uber.org/mock/gomock"
 )
@@ -25,6 +27,13 @@ const (
 
 var ctx = context.Background()
 
+// mustNewLimiter creates a rate limiter or fails the test.
+func mustNewLimiter(t require.TestingT, workloadName string, globalRate float64, bucketCapacity int) *rate.Limiter {
+	limiter, err := rate.NewLimiter(workloadName, globalRate, bucketCapacity)
+	require.NoError(t, err)
+	return limiter
+}
+
 func TestPipeline(t *testing.T) {
 	suite.Run(t, new(PipelineTestSuite))
 }
@@ -43,9 +52,12 @@ func (suite *PipelineTestSuite) SetupTest() {
 	suite.mockCtrl = gomock.NewController(suite.T())
 	suite.vmDatastore = vmDatastoreMocks.NewMockDataStore(suite.mockCtrl)
 	suite.enricher = vmEnricherMocks.NewMockVirtualMachineEnricher(suite.mockCtrl)
+	// Use unlimited rate limiter for tests (rate=0)
+	rateLimiter := mustNewLimiter(suite.T(), "test", 0, 50)
 	suite.pipeline = &pipelineImpl{
 		vmDatastore: suite.vmDatastore,
 		enricher:    suite.enricher,
+		rateLimiter: rateLimiter,
 	}
 }
 
@@ -176,13 +188,15 @@ func (suite *PipelineTestSuite) TestGetPipeline() {
 func (suite *PipelineTestSuite) TestNewPipeline() {
 	mockDatastore := vmDatastoreMocks.NewMockDataStore(suite.mockCtrl)
 	mockEnricher := vmEnricherMocks.NewMockVirtualMachineEnricher(suite.mockCtrl)
-	pipeline := newPipeline(mockDatastore, mockEnricher)
+	rateLimiter := mustNewLimiter(suite.T(), "test", 0, 50)
+	pipeline := newPipeline(mockDatastore, mockEnricher, rateLimiter)
 	suite.NotNil(pipeline)
 
 	impl, ok := pipeline.(*pipelineImpl)
 	suite.True(ok, "Should return pipelineImpl instance")
 	suite.Equal(mockDatastore, impl.vmDatastore)
 	suite.Equal(mockEnricher, impl.enricher)
+	suite.Equal(rateLimiter, impl.rateLimiter)
 }
 
 // Test table-driven approach for different actions
@@ -229,9 +243,11 @@ func TestPipelineRun_DifferentActions(t *testing.T) {
 
 			vmDatastore := vmDatastoreMocks.NewMockDataStore(ctrl)
 			enricher := vmEnricherMocks.NewMockVirtualMachineEnricher(ctrl)
+			rateLimiter := mustNewLimiter(t, "test", 0, 50)
 			pipeline := &pipelineImpl{
 				vmDatastore: vmDatastore,
 				enricher:    enricher,
+				rateLimiter: rateLimiter,
 			}
 
 			vmID := "vm-1"
@@ -272,7 +288,11 @@ func TestPipelineEdgeCases(t *testing.T) {
 	defer ctrl.Finish()
 
 	vmDatastore := vmDatastoreMocks.NewMockDataStore(ctrl)
-	pipeline := &pipelineImpl{vmDatastore: vmDatastore}
+	rateLimiter := mustNewLimiter(t, "test", 0, 50)
+	pipeline := &pipelineImpl{
+		vmDatastore: vmDatastore,
+		rateLimiter: rateLimiter,
+	}
 
 	t.Run("nil message", func(t *testing.T) {
 		result := pipeline.Match(nil)
@@ -328,9 +348,11 @@ func TestPipelineRun_DisabledFeature(t *testing.T) {
 
 	vmDatastore := vmDatastoreMocks.NewMockDataStore(ctrl)
 	enricher := vmEnricherMocks.NewMockVirtualMachineEnricher(ctrl)
+	rateLimiter := mustNewLimiter(t, "test", 0, 50)
 	pipeline := &pipelineImpl{
 		vmDatastore: vmDatastore,
 		enricher:    enricher,
+		rateLimiter: rateLimiter,
 	}
 
 	vmID := "vm-1"
@@ -340,3 +362,73 @@ func TestPipelineRun_DisabledFeature(t *testing.T) {
 
 	assert.NoError(t, err)
 }
+
+// TestPipelineRun_RateLimitDisabled tests that rate limiting is disabled when configured with 0
+func TestPipelineRun_RateLimitDisabled(t *testing.T) {
+	t.Setenv(features.VirtualMachines.EnvVar(), "true")
+	ctrl := gomock.NewController(t)
+	defer ctrl.Finish()
+
+	vmDatastore := vmDatastoreMocks.NewMockDataStore(ctrl)
+	enricher := vmEnricherMocks.NewMockVirtualMachineEnricher(ctrl)
+	rateLimiter := mustNewLimiter(t, "test", 0, 50) // Disabled
+
+	pipeline := &pipelineImpl{
+		vmDatastore: vmDatastore,
+		enricher:    enricher,
+		rateLimiter: rateLimiter,
+	}
+
+	vmID := "vm-1"
+	msg := createVMIndexMessage(vmID, central.ResourceAction_SYNC_RESOURCE)
+
+	// Should process all 100 requests without rate limiting
+	for i := 0; i < 100; i++ {
+		enricher.EXPECT().
+			EnrichVirtualMachineWithVulnerabilities(gomock.Any(), gomock.Any()).
+			Return(nil)
+		vmDatastore.EXPECT().
+			UpdateVirtualMachineScan(ctx, vmID, gomock.Any()).
+			Return(nil)
+
+		err := pipeline.Run(ctx, testClusterID, msg, nil)
+		assert.NoError(t, err, "request %d should succeed with rate limiting disabled", i)
+	}
+}
+
+// TestPipelineRun_RateLimitEnabled tests that rate limiting rejects requests when enabled
+func TestPipelineRun_RateLimitEnabled(t *testing.T) {
+	t.Setenv(features.VirtualMachines.EnvVar(), "true")
+	ctrl := gomock.NewController(t)
+	defer ctrl.Finish()
+
+	vmDatastore := vmDatastoreMocks.NewMockDataStore(ctrl)
+	enricher := vmEnricherMocks.NewMockVirtualMachineEnricher(ctrl)
+	rateLimiter := mustNewLimiter(t, "test", 5, 5) // 5 req/s, bucket capacity=5
+
+	pipeline := &pipelineImpl{
+		vmDatastore: vmDatastore,
+		enricher:    enricher,
+		rateLimiter: rateLimiter,
+	}
+
+	vmID := "vm-1"
+	msg := createVMIndexMessage(vmID, central.ResourceAction_SYNC_RESOURCE)
+
+	// First 5 requests should succeed (burst capacity)
+	for i := 0; i < 5; i++ {
+		enricher.EXPECT().
+			EnrichVirtualMachineWithVulnerabilities(gomock.Any(), gomock.Any()).
+			Return(nil)
+		vmDatastore.EXPECT().
+			UpdateVirtualMachineScan(ctx, vmID, gomock.Any()).
+			Return(nil)
+
+		err := pipeline.Run(ctx, testClusterID, msg, nil)
+		assert.NoError(t, err, "request %d should succeed within burst", i)
+	}
+
+	// 6th request should be rejected (no NACK sent since injector is nil in test)
+	err := pipeline.Run(ctx, testClusterID, msg, nil)
+	assert.NoError(t, err, "rate limited request should not return error (NACK sent instead)")
+}