Conversation

@amitschendel
Collaborator

Overview

amitschendel and others added 7 commits July 27, 2025 09:00
Signed-off-by: Amit Schendel <amitschendel@gmail.com>
Signed-off-by: Amit Schendel <amitschendel@gmail.com>
Signed-off-by: Amit Schendel <amitschendel@gmail.com>
Signed-off-by: Amit Schendel <amitschendel@gmail.com>
Signed-off-by: Amit Schendel <58078857+amitschendel@users.noreply.github.com>
Signed-off-by: Amit Schendel <amitschendel@gmail.com>
Signed-off-by: Amit Schendel <amitschendel@gmail.com>
@amitschendel amitschendel marked this pull request as ready for review July 28, 2025 11:11
@amitschendel amitschendel merged commit 7a9f009 into feature/refactor_rule_engine Jul 28, 2025
4 of 24 checks passed
matthyx added a commit that referenced this pull request Dec 18, 2025
* added interfaces for rule manager refactor

Signed-off-by: Afek Berger <afekb@armosec.io>

* added structure

Signed-off-by: Afek Berger <afekb@armosec.io>

* added profile validator

Signed-off-by: Afek Berger <afekb@armosec.io>

* added v1

Signed-off-by: Afek Berger <afekb@armosec.io>

* added profile validators

Signed-off-by: Afek Berger <afekb@armosec.io>

* go mod tidy

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding base helpers pkg

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* added rule failure creator and changed rule_manager logic

Signed-off-by: Afek Berger <afekb@armosec.io>

* Adding lib

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Caching programs

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* integrate new rule manager

Signed-off-by: Afek Berger <afekb@armosec.io>

* Resolving conflicts

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding crd

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Dev/rre (#594)

* go mod tidy

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding base helpers pkg

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding lib

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Caching programs

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Resolving conflicts

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding crd

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

---------

Signed-off-by: Amit Schendel <amitschendel@gmail.com>
Signed-off-by: Amit Schendel <58078857+amitschendel@users.noreply.github.com>

* organized imports

Signed-off-by: Afek Berger <afekb@armosec.io>

* added watcher & tests

Signed-off-by: Afek Berger <afekb@armosec.io>

* added watcher and integration with binding

Signed-off-by: Afek Berger <afekb@armosec.io>

* Changing types

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Defining types

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Fixing code

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* merged

Signed-off-by: Afek Berger <afekb@armosec.io>

* fixed container name

Signed-off-by: Afek Berger <afekb@armosec.io>

* separated mock

Signed-off-by: Afek Berger <afekb@armosec.io>

* fixed watcher & create event with check struct

Signed-off-by: Afek Berger <afekb@armosec.io>

* Changing event

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Updating code

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* modify cel arguments & events check struct

Signed-off-by: Afek Berger <afekb@armosec.io>

* Adding some code

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding opt

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding fixed code

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Fixing nested event check

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Updating struct to support list of rules

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* updated rule struct

Signed-off-by: Afek Berger <afekb@armosec.io>

* removed logs and fixed nil

Signed-off-by: Afek Berger <afekb@armosec.io>

* set process tree correctly

Signed-off-by: Afek Berger <afekb@armosec.io>

* added ap library

Signed-off-by: Afek Berger <afekb@armosec.io>

* added exec libraries

Signed-off-by: Afek Berger <afekb@armosec.io>

* added open library functions

Signed-off-by: Afek Berger <afekb@armosec.io>

* added ap syscall & capability libs

Signed-off-by: Afek Berger <afekb@armosec.io>

* added network functions

Signed-off-by: Afek Berger <afekb@armosec.io>

* added network functions

Signed-off-by: Afek Berger <afekb@armosec.io>

* implement interface

Signed-off-by: Afek Berger <afekb@armosec.io>

* Doing some cleanups

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Changing event serialize interface

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding extra check for deprecated field

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding api server helper

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding validation for event type

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* added profile metadata

Signed-off-by: Afek Berger <afekb@armosec.io>

* added cache for cel profile checks libraries

Signed-off-by: Afek Berger <afekb@armosec.io>

* added cache config

Signed-off-by: Afek Berger <afekb@armosec.io>

* reorganized cel libraries structure

Signed-off-by: Afek Berger <afekb@armosec.io>

* added parse lib and moved k8s lib

Signed-off-by: Afek Berger <afekb@armosec.io>

* added net library

Signed-off-by: Afek Berger <afekb@armosec.io>

* added network helper functions

Signed-off-by: Afek Berger <afekb@armosec.io>

* removed cache for k8s and parse functions

Signed-off-by: Afek Berger <afekb@armosec.io>

* added support for rule policy

Signed-off-by: Afek Berger <afekb@armosec.io>

* set wlid details

Signed-off-by: Afek Berger <afekb@armosec.io>

* added strings model

Signed-off-by: Afek Berger <afekb@armosec.io>

* removed profile validator & fixed rule policy logic

Signed-off-by: Afek Berger <afekb@armosec.io>

* hash unique id

Signed-off-by: Afek Berger <afekb@armosec.io>

* added mock & fixed rule cooldown

Signed-off-by: Afek Berger <afekb@armosec.io>

* remove log

Signed-off-by: Afek Berger <afekb@armosec.io>

* added process lib and get container by name

Signed-off-by: Afek Berger <afekb@armosec.io>

* added process lib

Signed-off-by: Afek Berger <afekb@armosec.io>

* fixed rules

Signed-off-by: Afek Berger <afekb@armosec.io>

* Updating chart

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding rules

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Removing old interface

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* fixed rule cooldown

Signed-off-by: Afek Berger <afekb@armosec.io>

* added logs and reduced cache

Signed-off-by: Afek Berger <afekb@armosec.io>

* fixed get container by name

Signed-off-by: Afek Berger <afekb@armosec.io>

* bump rules

Signed-off-by: Afek Berger <afekb@armosec.io>

* Feature/cpu (#602)

* Fixing serialize

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* go mod tidy

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Updating rules

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding new rules

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

---------

Signed-off-by: Amit Schendel <amitschendel@gmail.com>
Signed-off-by: Amit Schendel <58078857+amitschendel@users.noreply.github.com>

* added rule adapters

Signed-off-by: Afek Berger <afekb@armosec.io>

* added tomap to rule adapters and event as cel

Signed-off-by: Afek Berger <afekb@armosec.io>

* update rules

Signed-off-by: Afek Berger <afekb@armosec.io>

* fixed config

Signed-off-by: Afek Berger <afekb@armosec.io>

* remove comments

Signed-off-by: Afek Berger <afekb@armosec.io>

* added third party tracers initialization

Signed-off-by: Afek Berger <afekb@armosec.io>

* use ResultCallBack

Signed-off-by: Afek Berger <afekb@armosec.io>

* fixed tests

Signed-off-by: Afek Berger <afekb@armosec.io>

* rule adapters as argument

Signed-off-by: Afek Berger <afekb@armosec.io>

* fixed deadlock bug

Signed-off-by: Afek Berger <afekb@armosec.io>

* initialize cel from outside

Signed-off-by: Afek Berger <afekb@armosec.io>

* set http rule alert

Signed-off-by: Afek Berger <afekb@armosec.io>

* Feature/cel efficiency (#623)

* added efficiency

Signed-off-by: Afek Berger <afekb@armosec.io>

* drop reflect

Signed-off-by: Afek Berger <afekb@armosec.io>

* more efficiency maps

Signed-off-by: Afek Berger <afekb@armosec.io>

---------

Signed-off-by: Afek Berger <afekb@armosec.io>

* added a comment regarding 3rd party tracers

Signed-off-by: Afek Berger <afekb@armosec.io>

* Perf enhancements (#624)

* Adding New methods

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding perf enhancements

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

---------

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding metrics and cooldown check (#628)

* Adding metrics and cooldown check

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Moving rule cooldown check to be before rule evaluation

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Revert

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

---------

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* CEL evaluate native types with xcel (#621)

* CEL evaluate native types with xcel

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* CEL evaluate native types with xcel

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* Adding new rules

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Removing logs

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

---------

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>
Signed-off-by: Amit Schendel <amitschendel@gmail.com>
Co-authored-by: Amit Schendel <amitschendel@gmail.com>

* Updating rule struct with AgentVersionRequirement

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding semver for rules (#631)

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* added extra to rule failure (#632)

Signed-off-by: Afek Berger <afekb@armosec.io>

* ignore rulebinding configurable (#629)

Signed-off-by: Afek Berger <afekb@armosec.io>

* http evaluation by map (#633)

* http evaluation by map

Signed-off-by: Afek Berger <afekb@armosec.io>

* added event type

Signed-off-by: Afek Berger <afekb@armosec.io>

* return err instead of logs

Signed-off-by: Afek Berger <afekb@armosec.io>

---------

Signed-off-by: Afek Berger <afekb@armosec.io>

* Adding option to register custom types (#634)

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Fix http evaluation by map (#635)

* http evaluation by map

Signed-off-by: Afek Berger <afekb@armosec.io>

* added event type

Signed-off-by: Afek Berger <afekb@armosec.io>

* return err instead of logs

Signed-off-by: Afek Berger <afekb@armosec.io>

* support ToMap for http

Signed-off-by: Afek Berger <afekb@armosec.io>

* unique id & message for http

Signed-off-by: Afek Berger <afekb@armosec.io>

---------

Signed-off-by: Afek Berger <afekb@armosec.io>

* added error log on enrichment

Signed-off-by: Afek Berger <afekb@armosec.io>

* added rule policy test

Signed-off-by: Afek Berger <afekb@armosec.io>

* added event type

Signed-off-by: Afek Berger <afekb@armosec.io>

* Removing log

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Fix custom type registration

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Bumping to go 1.25

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* added container receivers

Signed-off-by: Afek Berger <afekb@armosec.io>

* updated rule names

Signed-off-by: Afek Berger <afekb@armosec.io>

* Fixing Identifiers of http

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* add RuleManagerMock

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* Adding http profile checks

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding host check for http

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* refactor: update tracer configuration to use typed config parameters

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* add nil check for config.Exporters.HTTPExporterConfig

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* don't start nodeprofilemanager without an http exported config

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* Switch to image-based gadgets (#650)

* bump inspektor gadget

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* cleaning up code

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* add open tracer

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* wip add other tracers

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* add CEL accessors

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* Fixing dns tracer (#653)

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* bump ig to v0.45.0

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* fix sbom_manager with sqlite import

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* refactor interfaces and CEL accessors

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* Adding initial eBPF refactor

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* add Makefile target for tracers.tar

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* enable our tracers

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* Adding http eBPF image based

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding randomx refactor

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* plug http and randomx tracers

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* Adding network gadget

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding network tracer to Makefile

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* use network tracer instead of trace_tcp

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* removing GetPort in favor of GetDstPort

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* enable paths option in dns and exec tracers

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* add missing datasource accessors

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* remove full path from open events

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* Switching map type to LRU

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Fixing make file

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding new rules

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Fixing CI

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Fixing make file

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Update socket enricher initialization to set parameters for cwd and exepath

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* enable io-uring tracer

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* check for nils in datasource, add logs for unimplemented

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* enable procfs tracer

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* add debug logs for events

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* remove EverythingEvent for strict interface safety

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* add missing bindings

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* Commenting out json format

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Fixing potential panic

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Fixing nil deref

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Fixing comm access

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding dns proto

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Removing proto

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding protocol translation

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding more fixes

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Removing ip raw translation

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Removing the bpf_htonl call to maintain the network byte order

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Removing bpf_htonl

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* handle exit events, replicate datasource changes to struct event

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* Switching to CamelCase

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Removing enum of event types

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* trigger one callback call for each syscall in event

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* Adding annotations for struct event

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* use IG patch for wrong container attribution of events

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* update rules

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* update rules

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* use IG patch for wrong container attribution of events

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* Adding some logs

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Fixing buffer

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding some fixes

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Fixing http

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Pushing some debug logs

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* complain when containerID is empty

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* fix http event enrichment

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* Fixing types

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding upper layer event types

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Doing some fixes in field access of fork events

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Fixing pid

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* comment out missing fields in syscall events

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* enabling again all rules

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* Removing old eBPF infra

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* use container name as comm for syscall events

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* Switching to uint32_t

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* add info log for syscall fields override

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* getting rid of GetCommFromEvent

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* add log for syscall reporting

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* add log for syscall reporting

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* Adding gadgets

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* add log for syscall reporting

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* disambiguate child and parent pid for fork events

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* do not fail test if PrintAppLogs finds no pod

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* fix syscall callbacks by using new events

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* adding logs for processtree test

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* Removing event from stdout and http logs

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding tracers

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding new rules

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding new exit fields

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* add log for exec event

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* Adding some types

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding buffer for container eol notifications

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Fixing config test

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* print logs of process-tree pod after test 24

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* increase waiting time for alerts

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* increase map-fetch-interval for syscall tracer

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* refactor: update process event handling and clean up unused methods

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* try to avoid race in AlertManagerExporter

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* Fixing mntnsid

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Fixing args extraction

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding small fixes for process tree

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding check for empty comm

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* add log to AddEventDirect

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* print bogus events

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* Fixing timestamp of ebpf

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* add process tree logs

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* deep copy data before creating a DatasourceEvent

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* Adding fields

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* wip add missing getPID for call stack

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* add missing getPID for call stack

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* fixing some of the TODOs

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* fixing more TODOs

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* add fields test for syscall tracer

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* add nil check for config.Exporters.HTTPExporterConfig

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* disable syscall_test.go

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* add all field tests

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* fix CI

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* disable collect-kstack in capabilities tracer

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* disable wasm operator

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* use go based DnsOperator for resolution

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* use greentea GC

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* use improved DeepCopy for event data

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* remove Basic-Test from actions

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* use "reuse records of readers" PR from Michael

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* don't start nodeprofilemanager without an http exported config

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* cache field accessors for DatasourceEvent

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* use IG with disabled kallsyms.NewKAllSyms() loading

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* wip use sync.Pool for datasource.Data

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* wip do not pool Syscall events (until bug fixed)

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* Fixing iouring verifier compatibility

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* use a sync.Pool per event type

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* fix third-party tracer initialization

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* refactor HTTP event handling to include external IP address

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* add ToMap evaluation for http events

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* refactor DNS operator to use simple.New and simplify initialization

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* add event handling for dropped events

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* fix test by using NewDnsOperator

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* remove unused OtherIp field and related methods from HTTP event handling

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* add MountNsID field and accessor methods to DatasourceEvent and StructEvent

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* update build command in Makefile to use TMPDIR environment variable

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* add OtherIp field and accessor methods to DatasourceEvent and StructEvent

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* fix IP header parsing in ssh and network gadgets and adapt accessors

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* add exec operator to handle execution tracing data

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* Fixing ssh

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* use unreleased open gadget, add full path handling in open events

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* Adding eBPF support for src and dst for http

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* add full path tracing support to OpenTracer and DatasourceEvent

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* add destination and source fields handling to DNS and HTTP gadget

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* use recompiled gadgets with ptid

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* refactor: remove unused IP handling and improve full path tracing in HTTP and datasource events

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* revert to trace_dns:v0.45.0 to avoid bad CO-RE relocation error

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* refactor: change TID retrieval methods to use Uint32 for reading ebpf u32

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* Changing alert type to http when setting http details

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Changing http ips

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Fixing GetOtherIp

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding direction aware src/dst

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* add AP checksum to runtime alert arguments

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* Removing unused map

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding response body fix

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* revert

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding some fixes

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* feature: implement alert bulking for HTTP exporter (#660)

* feat: implement alert bulking for HTTP exporter

- Add AlertBulkManager to batch alerts per container
- Implement ProcessTree merging for comprehensive context
- Add configurable size and time-based flush triggers
- Integrate with container lifecycle for immediate flush on termination
- Add comprehensive unit tests with full coverage
- Update documentation with implementation details

Bulking reduces HTTP overhead by batching up to 50 alerts or 10 seconds
of alerts per container while maintaining temporal ordering.

* Added component tests for testing bulk delivery

Signed-off-by: Ben <ben@armosec.io>

* Implementing a send queue and simplifying process tree merging

Signed-off-by: Ben <ben@armosec.io>

* improving docs

Signed-off-by: Ben <ben@armosec.io>

* removing unused file

Signed-off-by: Ben <ben@armosec.io>

* Fixing unit tests

Signed-off-by: Ben <ben@armosec.io>

* Moving the defaults to the config package

Signed-off-by: Ben <ben@armosec.io>

* Fix unit test

Signed-off-by: Ben <ben@armosec.io>

* Fixing disjoined process trees

Signed-off-by: Ben <ben@armosec.io>

---------

Signed-off-by: Ben <ben@armosec.io>

Signed-off-by: Ben Hirschberg <59160382+slashben@users.noreply.github.com>

* fixing merge error

Signed-off-by: Ben <ben@armosec.io>

* Adding support for state passing

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Making bpf tracer less noisy

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* refactor: merge Arguments map for baseRuntimeAlert in event handlers

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* Respect runtime detection when unregistering (#665)

Add ruleBindingsInitialized to ContainerWatcher to track whether any
rule binding notifications have been processed. When runtime detection
is enabled, only unregister containers after rule bindings have been
initialized and the pod is not in ruleManagedPods. Update tests to
exercise these cases.

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* processtree: return typed errors and use strconv for cache key

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* update docs

* add missing errors.go

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* containerized_env: reparent children of container init process to shim

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* Adding some fixes

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding fixes for process tree

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* refactor: replace kskubemanager with operators.DataOperator in tracer implementations

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* Handling cases of container restarts

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Fix pre-running container indicator

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Renaming field

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Fixing logic

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* debug: enhance logging for mountnsmap presence and file descriptor

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* debug: enhance error logging for container tracing to aid diagnosis

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* debug: add probe map creation for diagnosing map clone/FD failures

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* ci: update component tests to use Ubuntu 22.04

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* debug: remove unnecessary logging for ignored exec events

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* Sending containerProfile even if no data in some cases

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding rev shell

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Trying ulimit

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Adding ulimit

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Trying things

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Removing

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Trying to fix core

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* revert

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* deps: update ig fork

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

* Test 16 fix

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Test 16

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Test 16

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

* Increase time

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

---------

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>
Signed-off-by: Amit Schendel <amitschendel@gmail.com>
Signed-off-by: Ben Hirschberg <59160382+slashben@users.noreply.github.com>
Signed-off-by: Ben <ben@armosec.io>
Co-authored-by: Amit Schendel <58078857+amitschendel@users.noreply.github.com>
Co-authored-by: Amit Schendel <amitschendel@gmail.com>
Co-authored-by: Ben Hirschberg <59160382+slashben@users.noreply.github.com>
Co-authored-by: Ben <ben@armosec.io>

---------

Signed-off-by: Afek Berger <afekb@armosec.io>
Signed-off-by: Amit Schendel <amitschendel@gmail.com>
Signed-off-by: Amit Schendel <58078857+amitschendel@users.noreply.github.com>
Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>
Signed-off-by: Ben Hirschberg <59160382+slashben@users.noreply.github.com>
Signed-off-by: Ben <ben@armosec.io>
Co-authored-by: Amit Schendel <amitschendel@gmail.com>
Co-authored-by: Amit Schendel <58078857+amitschendel@users.noreply.github.com>
Co-authored-by: Matthias Bertschy <matthias.bertschy@gmail.com>
Co-authored-by: Ben Hirschberg <59160382+slashben@users.noreply.github.com>
Co-authored-by: Ben <ben@armosec.io>