diff --git a/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpolicies.yaml b/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpolicies.yaml index 8287774126b..0524ff9df29 100644 --- a/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpolicies.yaml +++ b/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpolicies.yaml @@ -456,6 +456,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. @@ -1065,6 +1067,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. @@ -1705,6 +1709,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. @@ -2282,6 +2288,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. diff --git a/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpoliciesnamespaced.yaml b/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpoliciesnamespaced.yaml index 2578bb937a6..f7aed86615b 100644 --- a/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpoliciesnamespaced.yaml +++ b/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpoliciesnamespaced.yaml @@ -456,6 +456,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. @@ -1065,6 +1067,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. @@ -1705,6 +1709,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. @@ -2282,6 +2288,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. 
diff --git a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml index 8287774126b..0524ff9df29 100644 --- a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml +++ b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml @@ -456,6 +456,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. @@ -1065,6 +1067,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. @@ -1705,6 +1709,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. @@ -2282,6 +2288,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. diff --git a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml index 2578bb937a6..f7aed86615b 100644 --- a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml +++ b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml @@ -456,6 +456,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. @@ -1065,6 +1067,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. @@ -1705,6 +1709,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. 
@@ -2282,6 +2288,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against.
diff --git a/pkg/k8s/apis/cilium.io/v1alpha1/types.go b/pkg/k8s/apis/cilium.io/v1alpha1/types.go
index 76cb339679c..2c2059684ac 100644
--- a/pkg/k8s/apis/cilium.io/v1alpha1/types.go
+++ b/pkg/k8s/apis/cilium.io/v1alpha1/types.go
@@ -90,7 +90,7 @@ type KProbeArg struct {
 }
 type BinarySelector struct {
- // +kubebuilder:validation:Enum=In;NotIn;Prefix;NotPrefix
+ // +kubebuilder:validation:Enum=In;NotIn;Prefix;NotPrefix;Postfix;NotPostfix
 // Filter operation.
 Operator string `json:"operator"`
 // Value to compare the argument against.
diff --git a/pkg/k8s/apis/cilium.io/v1alpha1/version.go b/pkg/k8s/apis/cilium.io/v1alpha1/version.go
index 72d1c52eb9d..8d62932e8be 100644
--- a/pkg/k8s/apis/cilium.io/v1alpha1/version.go
+++ b/pkg/k8s/apis/cilium.io/v1alpha1/version.go
@@ -7,4 +7,4 @@ package v1alpha1
 // Used to determine if CRD needs to be updated in cluster
 //
 // Developers: Bump patch for each change in the CRD schema.
-const CustomResourceDefinitionSchemaVersion = "1.2.3"
+const CustomResourceDefinitionSchemaVersion = "1.2.4"
diff --git a/pkg/selectors/kernel.go b/pkg/selectors/kernel.go
index a4eb84ef385..105118c7baa 100644
--- a/pkg/selectors/kernel.go
+++ b/pkg/selectors/kernel.go
@@ -712,7 +712,7 @@ func writePrefixStrings(k *KernelSelectorState, values []string) error {
 return nil
 }
-func writePostfixStrings(k *KernelSelectorState, values []string, ty uint32) error {
+func writePostfix(k *KernelSelectorState, values []string, ty uint32, selector string) (uint32, error) {
 mid, m := k.newStringPostfixMap()
 for _, v := range values {
 var value []byte
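Review bot: The `// Filter operation.` comment on `BinarySelector.Operator` is left as it was, so the generated CRD documents neither what the two new enum values match nor their length limit. The kernel.go hunks of this commit reject a postfix value longer than 127 characters only when the policy is parsed, which means the schema accepts values the agent later refuses. I would extend the comment along the lines of `// Filter operation. Postfix and NotPostfix compare the end of the binary path; values are limited to 127 characters.` A bare suffix presumably also matches any other path that ends the same way, so it may be worth saying that values should normally begin at a path separator. The struct continues outside the hunk.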
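Review bot: `writePostfix` has no doc comment, and its new contract is not visible from the signature: it returns the map id instead of writing it into the selector, and in the visible lines `selector` is used only to label the error text (see the hunk at old line 725). A comment such as `// writePostfix fills a new string-postfix map from values and returns its map id; selector names the policy section used in error messages.` would make that explicit. The same applies to `writePostfixBinaries` in the later hunk, which passes `gt.GenericCharBuffer` without saying why that type is the right one for binary paths. The function body continues outside this hunk.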
@@ -725,7 +725,7 @@ func writePostfixStrings(k *KernelSelectorState, values []string, ty uint32) err
 // Due to the constraints of the reverse copy in BPF, we will not be able to match a postfix
 // longer than 127 characters, so throw an error if the user specified one.
 if size >= StringPostfixMaxLength {
- return fmt.Errorf("MatchArgs value %s invalid: string is longer than %d characters", v, StringPostfixMaxLength-1)
+ return 0, fmt.Errorf("%s value %s invalid: string is longer than %d characters", selector, v, StringPostfixMaxLength-1)
 }
 val := KernelLPMTrieStringPostfix{prefixLen: size * 8} // postfix is in bits, but size is in bytes
 // Copy postfix in reverse order, so that it can be used in LPM map
@@ -734,7 +734,18 @@ func writePostfixStrings(k *KernelSelectorState, values []string, ty uint32) err
 }
 m[val] = struct{}{}
 }
- // write the map id into the selector
+ return mid, nil
+}
+
+func writePostfixBinaries(k *KernelSelectorState, values []string) (uint32, error) {
+ return writePostfix(k, values, gt.GenericCharBuffer, "MatchBinaries")
+}
+
+func writePostfixStrings(k *KernelSelectorState, values []string, ty uint32) error {
+ mid, err := writePostfix(k, values, ty, "MatchArgs")
+ if err != nil {
+ return err
+ }
 WriteSelectorUint32(&k.data, mid)
 return nil
 }
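Review bot: The rewritten `return 0, fmt.Errorf(...)` line still formats the policy-supplied value with `%s`, so an over-long value containing newlines or control characters reaches the error text, and any log that records it, unescaped. Prefer `%q` for `v`: `return 0, fmt.Errorf("%s value %q invalid: string is longer than %d characters", selector, v, StringPostfixMaxLength-1)`. The message text changes slightly, so a test that matches the old string would need updating. The enclosing loop starts before this hunk.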
@@ -1209,8 +1220,16 @@ func ParseMatchBinary(k *KernelSelectorState, b *v1alpha1.BinarySelector, selIdx
 if err != nil {
 return fmt.Errorf("failed to write the prefix operator for the matchBinaries selector: %w", err)
 }
+ case SelectorOpPostfix, SelectorOpNotPostfix:
+ if !kernels.EnableLargeProgs() {
+ return fmt.Errorf("matchBinary error: \"Postfix\" and \"NotPostfix\" operators need large BPF progs (kernel>5.3)")
+ }
+ sel.MapID, err = writePostfixBinaries(k, b.Values)
+ if err != nil {
+ return fmt.Errorf("failed to write the prefix operator for the matchBinaries selector: %w", err)
+ }
 default:
- return fmt.Errorf("matchBinary error: Only \"In\", \"NotIn\", \"Prefix\" and \"NotPrefix\" operators are supported")
+ return fmt.Errorf("matchBinary error: Only \"In\", \"NotIn\", \"Prefix\", \"NotPrefix\", \"Postfix\" and \"NotPostfix\" operators are supported")
 }
 k.AddMatchBinaries(selIdx, sel)
diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml
index 8287774126b..0524ff9df29 100644
--- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml
+++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml
@@ -456,6 +456,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against.
@@ -1065,6 +1067,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against.
@@ -1705,6 +1709,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against.
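Review bot: In the new `case SelectorOpPostfix, SelectorOpNotPostfix:` branch of pkg/selectors/kernel.go, a failure of `writePostfixBinaries` is reported as `failed to write the prefix operator ...`, copied from the prefix case above it, which will mislead whoever debugs a rejected policy. Change it to `return fmt.Errorf("failed to write the postfix operator for the matchBinaries selector: %w", err)`. No test for the new operators is visible in this diff; a case that parses a matchBinaries selector with a 128-character postfix and expects the `MatchBinaries value ... invalid` error would cover the new path. ParseMatchBinary starts and ends outside the hunk.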
@@ -2282,6 +2288,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml index 2578bb937a6..f7aed86615b 100644 --- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml @@ -456,6 +456,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. @@ -1065,6 +1067,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. @@ -1705,6 +1709,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. @@ -2282,6 +2288,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go index 76cb339679c..2c2059684ac 100644 --- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go @@ -90,7 +90,7 @@ type KProbeArg struct { } type BinarySelector struct { - // +kubebuilder:validation:Enum=In;NotIn;Prefix;NotPrefix + // +kubebuilder:validation:Enum=In;NotIn;Prefix;NotPrefix;Postfix;NotPostfix // Filter operation. Operator string `json:"operator"` // Value to compare the argument against. 
diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/version.go b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/version.go index 72d1c52eb9d..8d62932e8be 100644 --- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/version.go +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/version.go @@ -7,4 +7,4 @@ package v1alpha1 // Used to determine if CRD needs to be updated in cluster // // Developers: Bump patch for each change in the CRD schema. -const CustomResourceDefinitionSchemaVersion = "1.2.3" +const CustomResourceDefinitionSchemaVersion = "1.2.4"