policyfilter: Apply Policy Only to Specific Containers in a Pod #2231
Commits on Apr 6, 2024
feat: add containerSelector to the policy filter
When running Tetragon in Kubernetes, it's possible to filter pods that the policy will be applied to by pod labels and namespaces. This change adds support for filtering by the container name inside the pod or potentially a different field in the future.

The filtering happens in the "containerMatches" method. We construct a map of key-value pairs that represent different fields in the container. Then, we apply the same label filtering as in the "podMatches" method. At the moment, only the "name" field is supported.

Since we are dealing with multiple containers inside a pod and we only need their cgroup ids to add to the policyfilter map, the "matchingContainersCgroupIDs" method was added. It iterates over a slice of containers, finds matching containers using "containerMatches", and returns their cgroup ids. This method is used for all operations where we need to change cgroup ids in the policyfilter map, including applying a policy diff, adding a new policy, etc.

This patch makes the following changes:
1. Adds the containerSelector field to the policyfilter package.
2. Updates the CRD schema for tracing policies with containerSelector.
3. Bumps the CRD version.

Fixes: cilium#1879
Signed-off-by: Oleh Neichev <[email protected]>
Commit f459386
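A simplified model of the matching this commit describes, added here as an example and not Tetragon's own code: the container's fields become a key/value map, a label-selector-style list of requirements is evaluated against it, and only the matching containers' cgroup IDs are handed to the policyfilter map. The Container and Requirement types, the In/NotIn operators and the fail-closed handling of unknown operators are assumptions of this example, not the project's API.

```go
package main

import "slices"

// Constructed stand-in for the container info the policyfilter sees.
type Container struct {
	Name     string
	CgroupID uint64
}

// Requirement has the shape of one Kubernetes matchExpressions entry (assumed).
type Requirement struct {
	Key, Operator string // operator: "In" or "NotIn"
	Values        []string
}

// containerFields builds the key/value map the selector is evaluated against;
// as the commit message states, only the "name" field is supported so far.
func containerFields(c Container) map[string]string {
	return map[string]string{"name": c.Name}
}

// containerMatches applies label-selector semantics to the container fields:
// every requirement must hold, an empty selector matches every container, and
// an unknown operator fails closed so a typo cannot widen the policy's scope.
func containerMatches(reqs []Requirement, c Container) bool {
	fields := containerFields(c)
	for _, r := range reqs {
		val, ok := fields[r.Key]
		switch hit := ok && slices.Contains(r.Values, val); {
		case r.Operator == "In" && hit, r.Operator == "NotIn" && !hit:
		default:
			return false
		}
	}
	return true
}

// matchingContainersCgroupIDs collects the cgroup IDs of matching containers,
// which is what the policyfilter map is keyed on; sidecars that do not match
// stay out of the map and therefore out of the policy.
func matchingContainersCgroupIDs(reqs []Requirement, cs []Container) []uint64 {
	var ids []uint64
	for _, c := range cs {
		if containerMatches(reqs, c) {
			ids = append(ids, c.CgroupID)
		}
	}
	return ids
}
```

With a constructed pod of containers "app", "istio-proxy" and "log-shipper", a selector of name In [app] yields only the app container's cgroup ID, while a NotIn requirement on a field that is not supported yet matches every container, which is the Kubernetes NotIn semantics for an absent key.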
test: add unit tests for containerSelector
This change adds multiple unit tests to cover the addition of containerSelector in the policyfilter.

Fixes: cilium#1879
Signed-off-by: Oleh Neichev <[email protected]>
Commit 1a7d4ab
crd: generate CRDs for containerSelector
This patch generates CRDs with the support for containerSelector.

Fixes: cilium#1879
Signed-off-by: Oleh Neichev <[email protected]>
Commit 354c658
fix: update kind image for e2e tests and minor fix
This patch performs the following changes:
1. Bump the default image version for e2e tests to v1.29.2. The current image doesn't work with kind v0.22.0.
2. Delete excessive whitespace from the Makefile.

Signed-off-by: Oleh Neichev <[email protected]>
Commit 1a69564
test: integration test for containerSelector
This change adds an integration test for the containerSelector field section in the tracing policy.

Fixes: cilium#1879
Signed-off-by: Oleh Neichev <[email protected]>
Commit db08d06
doc: document how to use the container selector
This change describes how to use the container selector in tracing policies. Also, this change renames the "K8s namespace and pod label filtering" page to "K8s Policy Filtering" to make the name more generic.

Fixes: cilium#1879
Signed-off-by: Oleh Neichev <[email protected]>
Commit 120a1a9
tetragon-oci-hook: container name from annotations
We cannot use arg.Watcher.FindContainer() because it uses the k8s API, where the container is still not available. Instead, we extract the name of the container from arg.Req.ContainerName. If the name is not found, we do not abort the hook because we can do other types of filtering, e.g. by pod labels.

Fixes: cilium#1879
Signed-off-by: Oleh Neichev <[email protected]>
Commit 469e527
policyfiltermetrics: add policyfilter_hook_container_name_missing_total
After adding the support for filtering policies by container name, we decided not to abort the OCI hook when this detail is not present for some reason, so as not to break other filtering methods like pod labels. However, we need to monitor such operations when the container name is missing. This patch aims to do this by adding a new "policyfilter_hook_container_name_missing_total" metric. The counter will be increased when the container name cannot be found in the "createContainerHook" function.

Besides, this patch adds a missing return statement for the case when adding a container to a pod from the OCI hook fails and we inform the user that we are aborting the hook. In order to still have a counter increase upon error, we run the counter increase logic before checking the error.

Fixes: cilium#1879
Signed-off-by: Oleh Neichev <[email protected]>
Commit 3f1959e