tetragon: include workloadID in the podInfo

Signed-off-by: John Fastabend <john.fastabend@gmail.com>
cilium · Jun 17, 2024 · 24f0d6a · 24f0d6a
1 parent 0c28a7e
commit 24f0d6a
Show file tree

Hide file tree

Showing 5 changed files with 32 additions and 20 deletions.
diff --git a/pkg/policyfilter/disabled.go b/pkg/policyfilter/disabled.go
@@ -31,12 +31,12 @@ func (s *disabled) DelPolicy(polID PolicyID) error {
 	return fmt.Errorf("policyfilter is disabled")
 }
 
-func (s *disabled) AddPodContainer(podID PodID, namespace string, podLabels labels.Labels,
+func (s *disabled) AddPodContainer(podID PodID, namespace, workload string, podLabels labels.Labels,
 	containerID string, cgID CgroupID, containerName string) error {
 	return nil
 }
 
-func (s *disabled) UpdatePod(podID PodID, namespace string, podLabels labels.Labels,
+func (s *disabled) UpdatePod(podID PodID, namespace, workload string, podLabels labels.Labels,
 	containerIDs []string, containerNames []string) error {
 	return nil
 }

diff --git a/pkg/policyfilter/policyfilter.go b/pkg/policyfilter/policyfilter.go
@@ -98,12 +98,12 @@ type State interface {
 	// AddPodContainer informs policyfilter about a new container and its cgroup id in a pod.
 	// The pod might or might not have been encountered before.
 	// This method is intended to update policyfilter state from container hooks
-	AddPodContainer(podID PodID, namespace string, podLabels labels.Labels,
+	AddPodContainer(podID PodID, namespace, workload string, podLabels labels.Labels,
 		containerID string, cgID CgroupID, containerName string) error
 
 	// UpdatePod updates the pod state for a pod, where containerIDs contains all the container ids for the given pod.
 	// This method is intended to be used from k8s watchers (where no cgroup information is available)
-	UpdatePod(podID PodID, namespace string, podLabels labels.Labels,
+	UpdatePod(podID PodID, namespace, workload string, podLabels labels.Labels,
 		containerIDs []string, containerNames []string) error
 
 	// DelPodContainer informs policyfilter that a container was deleted from a pod

diff --git a/pkg/policyfilter/rthooks/rthooks.go b/pkg/policyfilter/rthooks/rthooks.go
@@ -12,6 +12,7 @@ import (
 	"github.com/cilium/tetragon/pkg/logger"
 	"github.com/cilium/tetragon/pkg/metrics/policyfiltermetrics"
 	"github.com/cilium/tetragon/pkg/policyfilter"
+	"github.com/cilium/tetragon/pkg/process"
 	"github.com/cilium/tetragon/pkg/rthooks"
 	"github.com/google/uuid"
 	"github.com/sirupsen/logrus"
@@ -93,6 +94,8 @@ func createContainerHook(_ context.Context, arg *rthooks.CreateContainerArg) err
 	}
 
 	namespace := pod.ObjectMeta.Namespace
+	workloadMeta, _ := process.GetWorkloadMetaFromPod(pod)
+	workload := workloadMeta.Name
 
 	containerName := arg.Req.ContainerName
 	if containerName == "" {
@@ -103,12 +106,13 @@ func createContainerHook(_ context.Context, arg *rthooks.CreateContainerArg) err
 	log.WithFields(logrus.Fields{
 		"pod-id":         podID,
 		"namespace":      namespace,
+		"workload": workload,
 		"container-id":   containerID,
 		"cgroup-id":      cgID,
 		"container-name": containerName,
 	}).Trace("policyfilter: add pod container")
 	cgid := policyfilter.CgroupID(cgID)
-	err = pfState.AddPodContainer(policyfilter.PodID(podID), namespace, pod.Labels, containerID, cgid, containerName)
+	err = pfState.AddPodContainer(policyfilter.PodID(podID), namespace, workload, pod.Labels, containerID, cgid, containerName)
 	policyfiltermetrics.OpInc(policyfiltermetrics.RTHooksSubsys, policyfiltermetrics.AddContainerOperation, policyfilter.ErrorLabel(err))
 
 	if err != nil {

diff --git a/pkg/policyfilter/state.go b/pkg/policyfilter/state.go
@@ -13,6 +13,7 @@ import (
 	"github.com/cilium/tetragon/pkg/logger"
 	"github.com/cilium/tetragon/pkg/metrics/policyfiltermetrics"
 	"github.com/cilium/tetragon/pkg/podhooks"
+	"github.com/cilium/tetragon/pkg/process"
 
 	"github.com/google/uuid"
 	"github.com/sirupsen/logrus"
@@ -100,6 +101,7 @@ type podInfo struct {
 	id         PodID
 	namespace  string
 	labels     labels.Labels
+	workload   string
 	containers []containerInfo
 
 	// cache of matched policies
@@ -302,12 +304,16 @@ func (m *state) updatePodHandler(pod *v1.Pod) error {
 	}
 
 	namespace := pod.Namespace
-	err = m.UpdatePod(PodID(podID), namespace, pod.Labels, containerIDs, containerNames)
+	workloadMeta, _ := process.GetWorkloadMetaFromPod(pod)
+	workload := workloadMeta.Name
+
+	err = m.UpdatePod(PodID(podID), namespace, workload, pod.Labels, containerIDs, containerNames)
 	if err != nil {
 		m.log.WithError(err).WithFields(logrus.Fields{
 			"pod-id":        podID,
 			"container-ids": containerIDs,
 			"namespace":     namespace,
+			"workload":      workload,
 		}).Warn("policyfilter, UpdatePod failed")
 		return err
 	}
@@ -590,10 +596,11 @@ func (m *state) addPodContainers(pod *podInfo, containerIDs []string,
 	}
 }
 
-func (m *state) addNewPod(podID PodID, namespace string, podLabels labels.Labels) *podInfo {
+func (m *state) addNewPod(podID PodID, namespace, workload string, podLabels labels.Labels) *podInfo {
 	m.pods = append(m.pods, podInfo{
 		id:         podID,
 		namespace:  namespace,
+		workload:   workload,
 		labels:     podLabels,
 		containers: nil,
 	})
@@ -611,17 +618,18 @@ func (m *state) addNewPod(podID PodID, namespace string, podLabels labels.Labels
 // if the cgroup id of the container is known, cgID is not nil and it contains its value.
 //
 // The pod might or might not have been encountered before.
-func (m *state) AddPodContainer(podID PodID, namespace string, podLabels labels.Labels,
+func (m *state) AddPodContainer(podID PodID, namespace, workload string, podLabels labels.Labels,
 	containerID string, cgID CgroupID, containerName string) error {
 	m.mu.Lock()
 	defer m.mu.Unlock()
 
 	pod := m.findPod(podID)
 	if pod == nil {
-		pod = m.addNewPod(podID, namespace, podLabels)
+		pod = m.addNewPod(podID, namespace, workload, podLabels)
 		m.debugLogWithCallers(4).WithFields(logrus.Fields{
 			"pod-id":         podID,
 			"namespace":      namespace,
+			"workload":       workload,
 			"container-id":   containerID,
 			"cgroup-id":      cgID,
 			"container-name": containerName,
@@ -813,7 +821,7 @@ func (pod *podInfo) containerDiff(newContainerIDs []string) ([]string, []string)
 //   - add the ones that do not exist in the current state
 //
 // It is intended to be used from k8s watchers (where no cgroup information is available)
-func (m *state) UpdatePod(podID PodID, namespace string, podLabels labels.Labels,
+func (m *state) UpdatePod(podID PodID, namespace, workload string, podLabels labels.Labels,
 	containerIDs []string, containerNames []string) error {
 	m.mu.Lock()
 	defer m.mu.Unlock()
@@ -827,7 +835,7 @@ func (m *state) UpdatePod(podID PodID, namespace string, podLabels labels.Labels
 
 	pod := m.findPod(podID)
 	if pod == nil {
-		pod = m.addNewPod(podID, namespace, podLabels)
+		pod = m.addNewPod(podID, namespace, workload, podLabels)
 		dlog.Info("UpdatePod: added pod")
 	} else if pod.namespace != namespace {
 		// sanity check: old and new namespace should match

diff --git a/pkg/policyfilter/state_test.go b/pkg/policyfilter/state_test.go
@@ -17,36 +17,36 @@ func TestState(t *testing.T) {
 	}
 	defer s.Close()
 
-	err = s.AddPolicy(PolicyID(1), "ns1", nil, nil)
+	err = s.AddPolicy(PolicyID(1), "ns1", "wl1", nil, nil)
 	require.NoError(t, err)
-	err = s.AddPolicy(PolicyID(2), "ns2", nil, nil)
+	err = s.AddPolicy(PolicyID(2), "ns2", "wl2", nil, nil)
 	require.NoError(t, err)
-	err = s.AddPolicy(PolicyID(3), "ns3", nil, nil)
+	err = s.AddPolicy(PolicyID(3), "ns3", "wl3", nil, nil)
 	require.NoError(t, err)
 
 	pod1 := PodID(uuid.New())
 	cgidi1 := CgroupID(2001)
-	err = s.AddPodContainer(pod1, "ns2", nil, "cont1", cgidi1, "main1")
+	err = s.AddPodContainer(pod1, "ns2", "wl2", nil, "cont1", cgidi1, "main1")
 	require.NoError(t, err)
 	cgidi2 := CgroupID(2002)
-	err = s.AddPodContainer(pod1, "ns2", nil, "cont2", cgidi2, "main2")
+	err = s.AddPodContainer(pod1, "ns2", "wl2", nil, "cont2", cgidi2, "main2")
 	require.NoError(t, err)
 
 	pod2 := PodID(uuid.New())
 	cgidi3 := CgroupID(1001)
-	err = s.AddPodContainer(pod2, "ns1", nil, "cont3", cgidi3, "main3")
+	err = s.AddPodContainer(pod2, "ns1", "wl1", nil, "cont3", cgidi3, "main3")
 	require.NoError(t, err)
 
 	cgidi4 := CgroupID(3001)
 	pod3 := PodID(uuid.New())
-	err = s.AddPodContainer(pod3, "ns3", nil, "cont4", cgidi4, "main4")
+	err = s.AddPodContainer(pod3, "ns3", "wl3", nil, "cont4", cgidi4, "main4")
 	require.NoError(t, err)
 	pod4 := PodID(uuid.New())
 	cgidi5 := CgroupID(3002)
-	err = s.AddPodContainer(pod4, "ns3", nil, "cont5", cgidi5, "main5")
+	err = s.AddPodContainer(pod4, "ns3", "wl3", nil, "cont5", cgidi5, "main5")
 	require.NoError(t, err)
 	cgidi6 := CgroupID(3003)
-	err = s.AddPodContainer(pod4, "ns3", nil, "cont6", cgidi6, "main6")
+	err = s.AddPodContainer(pod4, "ns3", "wl3", nil, "cont6", cgidi6, "main6")
 	require.NoError(t, err)
 
 	requirePfmEqualTo(t, s.pfMap, map[uint64][]uint64{