diff --git a/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpolicies.yaml b/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpolicies.yaml index d3b14464c16..f9cfa018d93 100644 --- a/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpolicies.yaml +++ b/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpolicies.yaml @@ -451,6 +451,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. @@ -1055,6 +1057,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. @@ -1690,6 +1694,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. @@ -2262,6 +2268,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. diff --git a/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpoliciesnamespaced.yaml b/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpoliciesnamespaced.yaml index 595c2db0235..3ec55f6c227 100644 --- a/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpoliciesnamespaced.yaml +++ b/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpoliciesnamespaced.yaml @@ -451,6 +451,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. @@ -1055,6 +1057,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. @@ -1690,6 +1694,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. @@ -2262,6 +2268,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. 
diff --git a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml index d3b14464c16..f9cfa018d93 100644 --- a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml +++ b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml @@ -451,6 +451,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. @@ -1055,6 +1057,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. @@ -1690,6 +1694,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. @@ -2262,6 +2268,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. diff --git a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml index 595c2db0235..3ec55f6c227 100644 --- a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml +++ b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml @@ -451,6 +451,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. @@ -1055,6 +1057,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. @@ -1690,6 +1694,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. 
@@ -2262,6 +2268,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. diff --git a/pkg/k8s/apis/cilium.io/v1alpha1/types.go b/pkg/k8s/apis/cilium.io/v1alpha1/types.go index 9d9c7744281..25e335b750f 100644 --- a/pkg/k8s/apis/cilium.io/v1alpha1/types.go +++ b/pkg/k8s/apis/cilium.io/v1alpha1/types.go @@ -90,7 +90,7 @@ type KProbeArg struct { } type BinarySelector struct { - // +kubebuilder:validation:Enum=In;NotIn;Prefix;NotPrefix + // +kubebuilder:validation:Enum=In;NotIn;Prefix;NotPrefix;Postfix;NotPostfix // Filter operation. Operator string `json:"operator"` // Value to compare the argument against. diff --git a/pkg/k8s/apis/cilium.io/v1alpha1/version.go b/pkg/k8s/apis/cilium.io/v1alpha1/version.go index 203377ec2ee..e6e5eb689dd 100644 --- a/pkg/k8s/apis/cilium.io/v1alpha1/version.go +++ b/pkg/k8s/apis/cilium.io/v1alpha1/version.go @@ -7,4 +7,4 @@ package v1alpha1 // Used to determine if CRD needs to be updated in cluster // // Developers: Bump patch for each change in the CRD schema. -const CustomResourceDefinitionSchemaVersion = "1.2.1" +const CustomResourceDefinitionSchemaVersion = "1.2.2" diff --git a/pkg/selectors/kernel.go b/pkg/selectors/kernel.go index 2f6d66b79f3..79b6c730276 100644 --- a/pkg/selectors/kernel.go +++ b/pkg/selectors/kernel.go @@ -711,7 +711,7 @@ func writePrefixStrings(k *KernelSelectorState, values []string) error { return nil } -func writePostfixStrings(k *KernelSelectorState, values []string, ty uint32) error { +func writePostfix(k *KernelSelectorState, values []string, ty uint32, selector string) (uint32, error) { mid, m := k.newStringPostfixMap() for _, v := range values { var value []byte 
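Review bot: The doc comment under the widened `+kubebuilder:validation:Enum` marker on `BinarySelector.Operator` still reads only `// Filter operation.`, so the generated CRD description gives policy authors no hint of what the two new operators compare. I would extend it, for example `// Filter operation. Postfix and NotPostfix compare the end of the binary path.` If the comparison is a plain byte-wise suffix match, as the reverse-copy comment in pkg/selectors/kernel.go suggests, the text should also say that a value without a leading `/` matches any path that merely ends in those characters, which matters when the selector is used to exempt a binary from a policy. The struct continues outside the hunk.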
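Review bot: `writePostfix` is introduced without a doc comment, although its contract differs from the function it replaces: it returns the map id instead of writing it into `k.data`, and in the changed lines `selector` is used only to label the error text. A comment above the new signature such as `// writePostfix fills a new string-postfix map from values and returns its map id; selector names the policy field in error messages.` would make that explicit. `writePostfixBinaries` in the @@ -733 hunk deserves a one-line comment too, saying why it fixes the type to `gt.GenericCharBuffer`. The function body continues outside this hunk.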
@@ -724,7 +724,7 @@ func writePostfixStrings(k *KernelSelectorState, values []string, ty uint32) err
 // Due to the constraints of the reverse copy in BPF, we will not be able to match a postfix
 // longer than 127 characters, so throw an error if the user specified one.
 if size >= StringPostfixMaxLength {
- return fmt.Errorf("MatchArgs value %s invalid: string is longer than %d characters", v, StringPostfixMaxLength-1)
+ return 0, fmt.Errorf("%s value %s invalid: string is longer than %d characters", selector, v, StringPostfixMaxLength-1)
 }
 val := KernelLPMTrieStringPostfix{prefixLen: size * 8} // postfix is in bits, but size is in bytes
 // Copy postfix in reverse order, so that it can be used in LPM map
@@ -733,7 +733,18 @@ func writePostfixStrings(k *KernelSelectorState, values []string, ty uint32) err
 }
 m[val] = struct{}{}
 }
- // write the map id into the selector
+ return mid, nil
+}
+
+func writePostfixBinaries(k *KernelSelectorState, values []string) (uint32, error) {
+ return writePostfix(k, values, gt.GenericCharBuffer, "MatchBinaries")
+}
+
+func writePostfixStrings(k *KernelSelectorState, values []string, ty uint32) error {
+ mid, err := writePostfix(k, values, ty, "MatchArgs")
+ if err != nil {
+ return err
+ }
 WriteSelectorUint32(&k.data, mid)
 return nil
 }
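Review bot: Only the upper bound of `size` is checked before `prefixLen: size * 8` is stored, so a zero-length value would be inserted with `prefixLen` 0. In an LPM trie a zero-length prefix matches every key, which on the new matchBinaries path would presumably make `Postfix` match every binary and `NotPostfix` none. The lines that compute `size` are outside the hunk, so this may already be rejected there. If it is not, a guard such as `if size == 0 { return 0, fmt.Errorf("%s value is empty", selector) }` next to the length check would turn it into a load-time error. Formatting `v` with `%q` instead of `%s` in the existing message would also make empty or whitespace-only values visible in the error.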
@@ -1198,8 +1209,16 @@ func ParseMatchBinary(k *KernelSelectorState, b *v1alpha1.BinarySelector, selIdx if err != nil { return fmt.Errorf("failed to write the prefix operator for the matchBinaries selector: %w", err) } + case SelectorOpPostfix, SelectorOpNotPostfix: + if !kernels.EnableLargeProgs() { + return fmt.Errorf("matchBinary error: \"Postfix\" and \"NotPostfix\" operators need large BPF progs (kernel>5.3)") + } + sel.MapID, err = writePostfixBinaries(k, b.Values) + if err != nil { + return fmt.Errorf("failed to write the prefix operator for the matchBinaries selector: %w", err) + } default: - return fmt.Errorf("matchBinary error: Only \"In\", \"NotIn\", \"Prefix\" and \"NotPrefix\" operators are supported") + return fmt.Errorf("matchBinary error: Only \"In\", \"NotIn\", \"Prefix\", \"NotPrefix\", \"Postfix\" and \"NotPostfix\" operators are supported") } k.AddMatchBinaries(selIdx, sel) diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml index d3b14464c16..f9cfa018d93 100644 --- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml @@ -451,6 +451,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. @@ -1055,6 +1057,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. @@ -1690,6 +1694,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. 
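Review bot: The new `SelectorOpPostfix, SelectorOpNotPostfix` case wraps a `writePostfixBinaries` failure as `failed to write the prefix operator for the matchBinaries selector`, which looks copied from the Prefix case above, so a rejected Postfix policy is reported under the wrong operator. It should read `return fmt.Errorf("failed to write the postfix operator for the matchBinaries selector: %w", err)`. The large-progs message has no format verbs, so `errors.New` would do there if `errors` is already imported in this file, which is not visible here. ParseMatchBinary starts and ends outside the hunk.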
@@ -2262,6 +2268,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml index 595c2db0235..3ec55f6c227 100644 --- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml @@ -451,6 +451,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. @@ -1055,6 +1057,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. @@ -1690,6 +1694,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. @@ -2262,6 +2268,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go index 9d9c7744281..25e335b750f 100644 --- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go @@ -90,7 +90,7 @@ type KProbeArg struct { } type BinarySelector struct { - // +kubebuilder:validation:Enum=In;NotIn;Prefix;NotPrefix + // +kubebuilder:validation:Enum=In;NotIn;Prefix;NotPrefix;Postfix;NotPostfix // Filter operation. Operator string `json:"operator"` // Value to compare the argument against. 
diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/version.go b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/version.go
index 203377ec2ee..e6e5eb689dd 100644
--- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/version.go
+++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/version.go
@@ -7,4 +7,4 @@ package v1alpha1
 // Used to determine if CRD needs to be updated in cluster
 //
 // Developers: Bump patch for each change in the CRD schema.
-const CustomResourceDefinitionSchemaVersion = "1.2.1"
+const CustomResourceDefinitionSchemaVersion = "1.2.2"