proposal: use strong types for events

.github/workflows/bypass.yaml

@@ -26,7 +26,7 @@ jobs:
       CGO_ENABLED: 0
       GO111MODULE: "on"
       BUILD_PLATFORM: linux/amd64,linux/arm64
-      GO_VERSION: "1.24"
+      GO_VERSION: "1.25"
       REQUIRED_TESTS: ''
       FORCE: true
       COSIGN: true

.github/workflows/component-tests.yaml

@@ -19,6 +19,15 @@ jobs:
           registry: quay.io/kubescape
           username: ${{ secrets.QUAYIO_REGISTRY_USERNAME }}
           password: ${{ secrets.QUAYIO_REGISTRY_PASSWORD }}
+      - name: Install IG
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y jq curl
+          IG_ARCH=amd64
+          IG_VERSION=$(curl -s https://api.github.com/repos/inspektor-gadget/inspektor-gadget/releases/latest | jq -r .tag_name)
+          echo "Installing IG version: ${IG_VERSION}"
+          curl -sL https://github.com/inspektor-gadget/inspektor-gadget/releases/download/${IG_VERSION}/ig-linux-${IG_ARCH}-${IG_VERSION}.tar.gz | sudo tar -C /usr/local/bin -xzf - ig
+          sudo chmod +x /usr/local/bin/ig
       - name: Build the Image and Push to Quay.io
         id: build-and-push-image
         run: |
@@ -104,7 +113,7 @@ jobs:
           CGO_ENABLED: 0
         uses: actions/setup-go@v4
         with:
-          go-version: "1.24"
+          go-version: "1.25"
       - name: Run test
         run: |
           cd tests && go test -v ./... -run ${{ matrix.test }} --timeout=20m --tags=component

.github/workflows/pr-created.yaml

@@ -15,6 +15,6 @@ jobs:
   pr-created:
     uses: kubescape/workflows/.github/workflows/incluster-comp-pr-created.yaml@main
     with:
-      GO_VERSION: "1.24"
+      GO_VERSION: "1.25"
       CGO_ENABLED: 0
     secrets: inherit

.github/workflows/pr-merged.yaml

@@ -35,7 +35,7 @@ jobs:
       CGO_ENABLED: 0
       GO111MODULE: "on"
       BUILD_PLATFORM: linux/amd64,linux/arm64
-      GO_VERSION: "1.24"
+      GO_VERSION: "1.25"
       REQUIRED_TESTS: '[
                         "relevantCVEs",
                         "relevancy_enabled_stop_sniffing",

.gitignore

@@ -4,3 +4,4 @@ temp
 resources/ebpf/falco/*
 node-agent
 __pycache__
+tracers.tar

Makefile

@@ -2,14 +2,25 @@ DOCKERFILE_PATH=./build/Dockerfile
 BINARY_NAME=node-agent
 
 IMAGE?=quay.io/kubescape/$(BINARY_NAME)
+GADGETS=advise_seccomp trace_capabilities trace_dns trace_exec trace_open
+VERSION=:v0.45.0
+KUBESCAPE_GADGETS=exit fork hardlink http iouring_new iouring_old network ptrace randomx ssh symlink kmod unshare bpf
 TAG?=test
 # TAG?=v0.0.1
 
 binary:
 	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o $(BINARY_NAME) ./cmd/main.go
 
-docker-build:
+docker-build-only:
+	docker buildx build --platform linux/amd64 -t $(IMAGE):$(TAG) -f $(DOCKERFILE_PATH) --load .
+
+docker-build: gadgets
 	docker buildx build --platform linux/amd64 -t $(IMAGE):$(TAG) -f $(DOCKERFILE_PATH) --load .
 
 docker-push:
-	docker push $(IMAGE):$(TAG)
+	docker push $(IMAGE):$(TAG)
+
+gadgets:
+	$(foreach img,$(KUBESCAPE_GADGETS),$(MAKE) -C ./pkg/ebpf/gadgets/$(img) build IMAGE=$(img) TAG=latest;)
+	$(foreach img,$(GADGETS),sudo ig image pull $(img)$(VERSION);)
+	sudo ig image export $(foreach img,$(GADGETS),$(img)$(VERSION)) $(foreach img,$(KUBESCAPE_GADGETS),$(img):latest) tracers.tar

build/Dockerfile

@@ -1,4 +1,4 @@
-FROM --platform=$BUILDPLATFORM golang:1.24-bookworm AS builder
+FROM --platform=$BUILDPLATFORM golang:1.25-bookworm AS builder
 
 ENV GO111MODULE=on CGO_ENABLED=0
 WORKDIR /work
@@ -12,6 +12,7 @@ RUN --mount=target=. \
 FROM gcr.io/distroless/static-debian12:latest
 
 COPY --from=builder /out/node-agent /usr/bin/node-agent
+COPY tracers.tar /root/tracers.tar
 COPY configuration/ig-config.yaml /root/.ig/config.yaml
 
 ARG image_version

build/Dockerfile.debug

@@ -0,0 +1,24 @@
+FROM --platform=$BUILDPLATFORM golang:1.25-bookworm AS builder
+
+ENV GO111MODULE=on CGO_ENABLED=0
+WORKDIR /work
+ARG TARGETOS TARGETARCH
+
+RUN go install github.com/go-delve/delve/cmd/dlv@latest
+RUN --mount=target=. \
+    --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg \
+    GOOS=$TARGETOS GOARCH=$TARGETARCH go build -o /out/node-agent ./cmd/main.go
+
+FROM gcr.io/distroless/static-debian12:debug
+
+COPY --from=builder /go/bin/dlv /usr/bin/dlv
+COPY --from=builder /out/node-agent /usr/bin/node-agent
+COPY tracers.tar /root/tracers.tar
+COPY configuration/ig-config.yaml /root/.ig/config.yaml
+
+ARG image_version
+ENV RELEASE=$image_version
+
+WORKDIR /root
+ENTRYPOINT ["/usr/bin/dlv", "--listen=:40000", "--headless=true", "--continue", "--accept-multiclient", "--api-version=2", "--log", "exec", "/usr/bin/node-agent"]

cmd/main.go

@@ -13,7 +13,10 @@ import (
 	apitypes "github.com/armosec/armoapi-go/armotypes"
 	utilsmetadata "github.com/armosec/utils-k8s-go/armometadata"
 	"github.com/cilium/ebpf/rlimit"
+	mapset "github.com/deckarep/golang-set/v2"
+	"github.com/goradd/maps"
 	"github.com/grafana/pyroscope-go"
+
 	igconfig "github.com/inspektor-gadget/inspektor-gadget/pkg/config"
 	containercollection "github.com/inspektor-gadget/inspektor-gadget/pkg/container-collection"
 	beUtils "github.com/kubescape/backend/pkg/utils"
@@ -24,6 +27,7 @@ import (
 	"github.com/kubescape/node-agent/pkg/config"
 	"github.com/kubescape/node-agent/pkg/containerprofilemanager"
 	containerprofilemanagerv1 "github.com/kubescape/node-agent/pkg/containerprofilemanager/v1"
+	"github.com/kubescape/node-agent/pkg/containerwatcher"
 	containerwatcherv2 "github.com/kubescape/node-agent/pkg/containerwatcher/v2"
 	"github.com/kubescape/node-agent/pkg/dnsmanager"
 	"github.com/kubescape/node-agent/pkg/exporters"
@@ -42,14 +46,17 @@ import (
 	"github.com/kubescape/node-agent/pkg/objectcache/k8scache"
 	"github.com/kubescape/node-agent/pkg/objectcache/networkneighborhoodcache"
 	objectcachev1 "github.com/kubescape/node-agent/pkg/objectcache/v1"
-	processtree "github.com/kubescape/node-agent/pkg/processtree"
+	"github.com/kubescape/node-agent/pkg/processtree"
 	containerprocesstree "github.com/kubescape/node-agent/pkg/processtree/container"
 	processtreecreator "github.com/kubescape/node-agent/pkg/processtree/creator"
 	rulebinding "github.com/kubescape/node-agent/pkg/rulebindingmanager"
 	rulebindingcachev1 "github.com/kubescape/node-agent/pkg/rulebindingmanager/cache"
 	"github.com/kubescape/node-agent/pkg/rulemanager"
-	rulemanagerv1 "github.com/kubescape/node-agent/pkg/rulemanager/v1"
-	"github.com/kubescape/node-agent/pkg/rulemanager/v1/rulecooldown"
+	"github.com/kubescape/node-agent/pkg/rulemanager/cel"
+	"github.com/kubescape/node-agent/pkg/rulemanager/ruleadapters"
+	"github.com/kubescape/node-agent/pkg/rulemanager/rulecooldown"
+	"github.com/kubescape/node-agent/pkg/rulemanager/rulecreator"
+	"github.com/kubescape/node-agent/pkg/rulemanager/ruleswatcher"
 	"github.com/kubescape/node-agent/pkg/sbommanager"
 	sbommanagerv1 "github.com/kubescape/node-agent/pkg/sbommanager/v1"
 	"github.com/kubescape/node-agent/pkg/seccompmanager"
@@ -167,7 +174,6 @@ func main() {
 
 	// Create watchers
 	dWatcher := dynamicwatcher.NewWatchHandler(k8sClient, storageClient.StorageClient, cfg.SkipNamespace)
-	// create k8sObject cache
 	k8sObjectCache, err := k8scache.NewK8sObjectCache(cfg.NodeName, k8sClient)
 	if err != nil {
 		logger.L().Ctx(ctx).Fatal("error creating K8sObjectCache", helpers.Error(err))
@@ -189,7 +195,12 @@ func main() {
 
 	var ruleBindingCache *rulebindingcachev1.RBCache
 	if cfg.EnableRuntimeDetection {
-		ruleBindingCache = rulebindingcachev1.NewCache(cfg.NodeName, k8sClient)
+		ruleCreator := rulecreator.NewRuleCreator()
+		ruleBindingCache = rulebindingcachev1.NewCache(cfg, k8sClient, ruleCreator)
+		rulesWatcher := ruleswatcher.NewRulesWatcher(k8sClient, ruleCreator, func() {
+			ruleBindingCache.RefreshRuleBindingsRules()
+		})
+		dWatcher.AddAdaptor(rulesWatcher)
 	}
 
 	// Create and DNS managers
@@ -268,8 +279,15 @@ func main() {
 
 		ruleCooldown := rulecooldown.NewRuleCooldown(cfg.RuleCoolDown)
 
+		adapterFactory := ruleadapters.NewEventRuleAdapterFactory()
+
+		celEvaluator, err := cel.NewCEL(objCache, cfg)
+		if err != nil {
+			logger.L().Ctx(ctx).Fatal("error creating CEL evaluator", helpers.Error(err))
+		}
+
 		// create runtimeDetection managers
-		ruleManager, err = rulemanagerv1.CreateRuleManager(ctx, cfg, k8sClient, ruleBindingCache, objCache, exporter, prometheusExporter, cfg.NodeName, clusterData.ClusterName, processTreeManager, dnsResolver, nil, ruleCooldown)
+		ruleManager, err = rulemanager.CreateRuleManager(ctx, cfg, k8sClient, ruleBindingCache, objCache, exporter, prometheusExporter, processTreeManager, dnsResolver, nil, ruleCooldown, adapterFactory, celEvaluator)
 		if err != nil {
 			logger.L().Ctx(ctx).Fatal("error creating RuleManager", helpers.Error(err))
 		}
@@ -320,7 +338,7 @@ func main() {
 	if err := igconfig.Config.ReadInConfig(); err != nil {
 		logger.L().Warning("reading IG config", helpers.Error(err))
 	}
-	igK8sClient, err := containercollection.NewK8sClient(cfg.NodeName)
+	igK8sClient, err := containercollection.NewK8sClient(cfg.NodeName, "", "")
 	if err != nil {
 		logger.L().Fatal("error creating IG Kubernetes client", helpers.Error(err))
 	}
@@ -339,11 +357,16 @@ func main() {
 		sbomManager = sbommanager.CreateSbomManagerMock()
 	}
 
+	thirdPartyTracers := containerwatcher.ThirdPartyTracers{
+		ThirdPartyTracersInitializers: mapset.NewSet[containerwatcher.CustomTracerInitializer](),
+		ThirdPartyEventReceivers:      maps.NewSafeMap[utils.EventType, mapset.Set[containerwatcher.GenericEventReceiver]](),
+	}
+
 	// Create the container handler
 	mainHandler, err := containerwatcherv2.CreateIGContainerWatcher(cfg, containerProfileManager, k8sClient,
 		igK8sClient, dnsManagerClient, prometheusExporter, ruleManager,
-		malwareManager, sbomManager, &ruleBindingNotify, igK8sClient.RuntimeConfig, nil, nil,
-		processTreeManager, clusterData.ClusterName, objCache, networkStreamClient, containerProcessTree)
+		malwareManager, sbomManager, &ruleBindingNotify, igK8sClient.RuntimeConfig, nil,
+		processTreeManager, clusterData.ClusterName, objCache, networkStreamClient, containerProcessTree, thirdPartyTracers)
 	if err != nil {
 		logger.L().Ctx(ctx).Fatal("error creating the container watcher", helpers.Error(err))
 	}