From 24f0d6ac19904f08b6c0bbd1dc42e7f536554143 Mon Sep 17 00:00:00 2001 From: John Fastabend Date: Sat, 15 Jun 2024 21:27:54 -0700 Subject: [PATCH] tetragon: include workloadID in the podInfo Signed-off-by: John Fastabend --- pkg/policyfilter/disabled.go | 4 ++-- pkg/policyfilter/policyfilter.go | 4 ++-- pkg/policyfilter/rthooks/rthooks.go | 6 +++++- pkg/policyfilter/state.go | 20 ++++++++++++++------ pkg/policyfilter/state_test.go | 18 +++++++++--------- 5 files changed, 32 insertions(+), 20 deletions(-) diff --git a/pkg/policyfilter/disabled.go b/pkg/policyfilter/disabled.go index 3282af4e31f..ce0b56e9233 100644 --- a/pkg/policyfilter/disabled.go +++ b/pkg/policyfilter/disabled.go @@ -31,12 +31,12 @@ func (s *disabled) DelPolicy(polID PolicyID) error { return fmt.Errorf("policyfilter is disabled") } -func (s *disabled) AddPodContainer(podID PodID, namespace string, podLabels labels.Labels, +func (s *disabled) AddPodContainer(podID PodID, namespace, workload string, podLabels labels.Labels, containerID string, cgID CgroupID, containerName string) error { return nil } -func (s *disabled) UpdatePod(podID PodID, namespace string, podLabels labels.Labels, +func (s *disabled) UpdatePod(podID PodID, namespace, workload string, podLabels labels.Labels, containerIDs []string, containerNames []string) error { return nil } diff --git a/pkg/policyfilter/policyfilter.go b/pkg/policyfilter/policyfilter.go index 71128481188..5afb54febcb 100644 --- a/pkg/policyfilter/policyfilter.go +++ b/pkg/policyfilter/policyfilter.go @@ -98,12 +98,12 @@ type State interface { // AddPodContainer informs policyfilter about a new container and its cgroup id in a pod. // The pod might or might not have been encountered before. // This method is intended to update policyfilter state from container hooks - AddPodContainer(podID PodID, namespace string, podLabels labels.Labels, + AddPodContainer(podID PodID, namespace, workload string, podLabels labels.Labels, containerID string, cgID CgroupID, containerName string) error // UpdatePod updates the pod state for a pod, where containerIDs contains all the container ids for the given pod. // This method is intended to be used from k8s watchers (where no cgroup information is available) - UpdatePod(podID PodID, namespace string, podLabels labels.Labels, + UpdatePod(podID PodID, namespace, workload string, podLabels labels.Labels, containerIDs []string, containerNames []string) error // DelPodContainer informs policyfilter that a container was deleted from a pod diff --git a/pkg/policyfilter/rthooks/rthooks.go b/pkg/policyfilter/rthooks/rthooks.go index 4a91b79151e..0d8702e8bcf 100644 --- a/pkg/policyfilter/rthooks/rthooks.go +++ b/pkg/policyfilter/rthooks/rthooks.go @@ -12,6 +12,7 @@ import ( "github.com/cilium/tetragon/pkg/logger" "github.com/cilium/tetragon/pkg/metrics/policyfiltermetrics" "github.com/cilium/tetragon/pkg/policyfilter" + "github.com/cilium/tetragon/pkg/process" "github.com/cilium/tetragon/pkg/rthooks" "github.com/google/uuid" "github.com/sirupsen/logrus" @@ -93,6 +94,8 @@ func createContainerHook(_ context.Context, arg *rthooks.CreateContainerArg) err } namespace := pod.ObjectMeta.Namespace + workloadMeta, _ := process.GetWorkloadMetaFromPod(pod) + workload := workloadMeta.Name containerName := arg.Req.ContainerName if containerName == "" { @@ -103,12 +106,13 @@ func createContainerHook(_ context.Context, arg *rthooks.CreateContainerArg) err log.WithFields(logrus.Fields{ "pod-id": podID, "namespace": namespace, + "workload": workload, "container-id": containerID, "cgroup-id": cgID, "container-name": containerName, }).Trace("policyfilter: add pod container") cgid := policyfilter.CgroupID(cgID) - err = pfState.AddPodContainer(policyfilter.PodID(podID), namespace, pod.Labels, containerID, cgid, containerName) + err = pfState.AddPodContainer(policyfilter.PodID(podID), namespace, workload, pod.Labels, containerID, cgid, containerName) policyfiltermetrics.OpInc(policyfiltermetrics.RTHooksSubsys, policyfiltermetrics.AddContainerOperation, policyfilter.ErrorLabel(err)) if err != nil { diff --git a/pkg/policyfilter/state.go b/pkg/policyfilter/state.go index 1761c5be899..253ece7bdaa 100644 --- a/pkg/policyfilter/state.go +++ b/pkg/policyfilter/state.go @@ -13,6 +13,7 @@ import ( "github.com/cilium/tetragon/pkg/logger" "github.com/cilium/tetragon/pkg/metrics/policyfiltermetrics" "github.com/cilium/tetragon/pkg/podhooks" + "github.com/cilium/tetragon/pkg/process" "github.com/google/uuid" "github.com/sirupsen/logrus" @@ -100,6 +101,7 @@ type podInfo struct { id PodID namespace string labels labels.Labels + workload string containers []containerInfo // cache of matched policies @@ -302,12 +304,16 @@ func (m *state) updatePodHandler(pod *v1.Pod) error { } namespace := pod.Namespace - err = m.UpdatePod(PodID(podID), namespace, pod.Labels, containerIDs, containerNames) + workloadMeta, _ := process.GetWorkloadMetaFromPod(pod) + workload := workloadMeta.Name + + err = m.UpdatePod(PodID(podID), namespace, workload, pod.Labels, containerIDs, containerNames) if err != nil { m.log.WithError(err).WithFields(logrus.Fields{ "pod-id": podID, "container-ids": containerIDs, "namespace": namespace, + "workload": workload, }).Warn("policyfilter, UpdatePod failed") return err } @@ -590,10 +596,11 @@ func (m *state) addPodContainers(pod *podInfo, containerIDs []string, } } -func (m *state) addNewPod(podID PodID, namespace string, podLabels labels.Labels) *podInfo { +func (m *state) addNewPod(podID PodID, namespace, workload string, podLabels labels.Labels) *podInfo { m.pods = append(m.pods, podInfo{ id: podID, namespace: namespace, + workload: workload, labels: podLabels, containers: nil, }) @@ -611,17 +618,18 @@ func (m *state) addNewPod(podID PodID, namespace string, podLabels labels.Labels // if the cgroup id of the container is known, cgID is not nil and it contains its value. // // The pod might or might not have been encountered before. -func (m *state) AddPodContainer(podID PodID, namespace string, podLabels labels.Labels, +func (m *state) AddPodContainer(podID PodID, namespace, workload string, podLabels labels.Labels, containerID string, cgID CgroupID, containerName string) error { m.mu.Lock() defer m.mu.Unlock() pod := m.findPod(podID) if pod == nil { - pod = m.addNewPod(podID, namespace, podLabels) + pod = m.addNewPod(podID, namespace, workload, podLabels) m.debugLogWithCallers(4).WithFields(logrus.Fields{ "pod-id": podID, "namespace": namespace, + "workload": workload, "container-id": containerID, "cgroup-id": cgID, "container-name": containerName, @@ -813,7 +821,7 @@ func (pod *podInfo) containerDiff(newContainerIDs []string) ([]string, []string) // - add the ones that do not exist in the current state // // It is intended to be used from k8s watchers (where no cgroup information is available) -func (m *state) UpdatePod(podID PodID, namespace string, podLabels labels.Labels, +func (m *state) UpdatePod(podID PodID, namespace, workload string, podLabels labels.Labels, containerIDs []string, containerNames []string) error { m.mu.Lock() defer m.mu.Unlock() @@ -827,7 +835,7 @@ func (m *state) UpdatePod(podID PodID, namespace string, podLabels labels.Labels pod := m.findPod(podID) if pod == nil { - pod = m.addNewPod(podID, namespace, podLabels) + pod = m.addNewPod(podID, namespace, workload, podLabels) dlog.Info("UpdatePod: added pod") } else if pod.namespace != namespace { // sanity check: old and new namespace should match diff --git a/pkg/policyfilter/state_test.go b/pkg/policyfilter/state_test.go index 5550b49dcad..b00d3888eb2 100644 --- a/pkg/policyfilter/state_test.go +++ b/pkg/policyfilter/state_test.go @@ -17,36 +17,36 @@ func TestState(t *testing.T) { } defer s.Close() - err = s.AddPolicy(PolicyID(1), "ns1", nil, nil) + err = s.AddPolicy(PolicyID(1), "ns1", "wl1", nil, nil) require.NoError(t, err) - err = s.AddPolicy(PolicyID(2), "ns2", nil, nil) + err = s.AddPolicy(PolicyID(2), "ns2", "wl2", nil, nil) require.NoError(t, err) - err = s.AddPolicy(PolicyID(3), "ns3", nil, nil) + err = s.AddPolicy(PolicyID(3), "ns3", "wl3", nil, nil) require.NoError(t, err) pod1 := PodID(uuid.New()) cgidi1 := CgroupID(2001) - err = s.AddPodContainer(pod1, "ns2", nil, "cont1", cgidi1, "main1") + err = s.AddPodContainer(pod1, "ns2", "wl2", nil, "cont1", cgidi1, "main1") require.NoError(t, err) cgidi2 := CgroupID(2002) - err = s.AddPodContainer(pod1, "ns2", nil, "cont2", cgidi2, "main2") + err = s.AddPodContainer(pod1, "ns2", "wl2", nil, "cont2", cgidi2, "main2") require.NoError(t, err) pod2 := PodID(uuid.New()) cgidi3 := CgroupID(1001) - err = s.AddPodContainer(pod2, "ns1", nil, "cont3", cgidi3, "main3") + err = s.AddPodContainer(pod2, "ns1", "wl1", nil, "cont3", cgidi3, "main3") require.NoError(t, err) cgidi4 := CgroupID(3001) pod3 := PodID(uuid.New()) - err = s.AddPodContainer(pod3, "ns3", nil, "cont4", cgidi4, "main4") + err = s.AddPodContainer(pod3, "ns3", "wl3", nil, "cont4", cgidi4, "main4") require.NoError(t, err) pod4 := PodID(uuid.New()) cgidi5 := CgroupID(3002) - err = s.AddPodContainer(pod4, "ns3", nil, "cont5", cgidi5, "main5") + err = s.AddPodContainer(pod4, "ns3", "wl3", nil, "cont5", cgidi5, "main5") require.NoError(t, err) cgidi6 := CgroupID(3003) - err = s.AddPodContainer(pod4, "ns3", nil, "cont6", cgidi6, "main6") + err = s.AddPodContainer(pod4, "ns3", "wl3", nil, "cont6", cgidi6, "main6") require.NoError(t, err) requirePfmEqualTo(t, s.pfMap, map[uint64][]uint64{