stackrox · Molter73 · Apr 15, 2024 · Mar 19, 2024 · Apr 1, 2024 · Apr 2, 2024
@@ -50,7 +50,7 @@ include_directories(/usr/local/include/civetweb)
 include_directories(/usr/local/include/prometheus)
 set(DRIVER_HEADERS ${FALCO_DIR}/driver/ppm_events_public.h ${FALCO_DIR}/driver/ppm_fillers.h)
 
-add_definitions(-DUSE_PROTO_ARENAS -DMINIMAL_BUILD)
+add_definitions(-DUSE_PROTO_ARENAS)
 
 add_definitions(-DASSERT_TO_LOG)
 
@@ -83,7 +83,7 @@ set(USE_BUNDLED_DEPS OFF CACHE BOOL "Enable bundled dependencies instead of usin
 set(USE_BUNDLED_CARES OFF CACHE BOOL "Enable bundled dependencies instead of using the system ones" FORCE)
 set(WITH_CHISEL OFF CACHE BOOL "Include chisel implementation" FORCE)
 set(BUILD_LIBSCAP_GVISOR OFF CACHE BOOL "Do not build gVisor support" FORCE)
-set(MINIMAL_BUILD ON CACHE BOOL "Minimal" FORCE)
+set(MINIMAL_BUILD OFF CACHE BOOL "Minimal" FORCE)
 set(BUILD_SHARED_LIBS OFF CACHE BOOL "Build position independent libraries and executables" FORCE)
 set(LIBELF_LIB_SUFFIX ".so" CACHE STRING "Use libelf.so" FORCE)
 

@@ -46,6 +46,11 @@ BoolEnvVar enable_connection_stats("ROX_COLLECTOR_ENABLE_CONNECTION_STATS", true
 
 BoolEnvVar enable_detailed_metrics("ROX_COLLECTOR_ENABLE_DETAILED_METRICS", true);
 
+BoolEnvVar enable_runtime_filters("ROX_COLLECTOR_RUNTIME_FILTERS_ENABLED", false);
+
+BoolEnvVar use_docker_ce("ROX_COLLECTOR_CE_USE_DOCKER", false);
+BoolEnvVar use_podman_ce("ROX_COLLECTOR_CE_USE_PODMAN", false);
+
 }  // namespace
 
 constexpr bool CollectorConfig::kTurnOffScrape;
@@ -71,6 +76,9 @@ void CollectorConfig::InitCollectorConfig(CollectorArgs* args) {
   enable_external_ips_ = enable_external_ips.value();
   enable_connection_stats_ = enable_connection_stats.value();
   enable_detailed_metrics_ = enable_detailed_metrics.value();
+  enable_runtime_filters_ = enable_runtime_filters.value();
+  use_docker_ce_ = use_docker_ce.value();
+  use_podman_ce_ = use_podman_ce.value();
 
   for (const auto& syscall : kSyscalls) {
     syscalls_.push_back(syscall);

@@ -75,6 +75,9 @@ class CollectorConfig {
   bool EnableExternalIPs() const { return enable_external_ips_; }
   bool EnableConnectionStats() const { return enable_connection_stats_; }
   bool EnableDetailedMetrics() const { return enable_detailed_metrics_; }
+  bool EnableRuntimeFilters() const { return enable_runtime_filters_; }
+  bool UseDockerCe() const { return use_docker_ce_; }
+  bool UsePodmanCe() const { return use_podman_ce_; }
   const std::vector<double>& GetConnectionStatsQuantiles() const { return connection_stats_quantiles_; }
   double GetConnectionStatsError() const { return connection_stats_error_; }
   unsigned int GetConnectionStatsWindow() const { return connection_stats_window_; }
@@ -107,6 +110,9 @@ class CollectorConfig {
   bool enable_external_ips_;
   bool enable_connection_stats_;
   bool enable_detailed_metrics_;
+  bool enable_runtime_filters_;
+  bool use_docker_ce_;
+  bool use_podman_ce_;
   std::vector<double> connection_stats_quantiles_;
   double connection_stats_error_;
   unsigned int connection_stats_window_;

diff --git a/collector/lib/K8s.h b/collector/lib/K8s.h
@@ -0,0 +1,56 @@
+#ifndef _K8S_H_
+#define _K8S_H_
+
+#include <sstream>
+#include <string_view>
+
+#include "system-inspector/EventExtractor.h"
+
+namespace collector {
+
+class K8s {
+ public:
+  K8s(sinsp* inspector) : inspector_(inspector) {
+    event_extractor_.Init(inspector);
+  }
+
+  inline std::string_view GetNamespace(sinsp_evt* event) {
+    const char* ns = event_extractor_.get_k8s_namespace(event);
+    return ns != nullptr ? ns : "";
+  }
+
+  inline std::string_view GetNamespace(const std::string& container_id) {
+    return GetContainerLabel(container_id, "io.kubernetes.pod.namespace");
+  }
+
+  std::string GetContainerLabels(const std::string& container_id) {
+    const auto container = inspector_->m_container_manager.get_container(container_id);
+    if (container == nullptr) {
+      return "";
+    }
+
+    std::stringstream ss;
+
+    for (const auto& [key, value] : container->m_labels) {
+      ss << key << ":" << value << ",";
+    }
+
+    return ss.str();
+  }
+
+  inline std::string_view GetContainerLabel(const std::string& container_id, const std::string& label) {
+    const auto container = inspector_->m_container_manager.get_container(container_id);
+    if (container == nullptr || container->m_labels.count(label) == 0) {
+      return "";
+    }
+    return container->m_labels.at(label);
+  }
+
+ private:
+  system_inspector::EventExtractor event_extractor_;
+  sinsp* inspector_;
+};
+
+}  // namespace collector
+
+#endif  // _K8S_H_
@@ -143,7 +143,7 @@ ProcessSignal* ProcessSignalFormatter::CreateProcessSignal(sinsp_evt* event) {
   }
 
   CLOG(DEBUG) << "Process (" << signal->container_id() << ": " << signal->pid() << "): "
-              << signal->name()
+              << signal->name() << "[" << k8s_.GetNamespace(event) << "] "
               << " (" << signal->exec_file_path() << ")"
               << " " << signal->args();
 

@@ -7,14 +7,15 @@
 
 #include "CollectorStats.h"
 #include "EventNames.h"
+#include "K8s.h"
 #include "ProtoSignalFormatter.h"
 #include "system-inspector/EventExtractor.h"
 
 namespace collector {
 
 class ProcessSignalFormatter : public ProtoSignalFormatter<sensor::SignalStreamMessage> {
  public:
-  ProcessSignalFormatter(sinsp* inspector) : event_names_(EventNames::GetInstance()) {
+  ProcessSignalFormatter(sinsp* inspector) : event_names_(EventNames::GetInstance()), k8s_(inspector) {
     event_extractor_.Init(inspector);
   }
 
@@ -41,6 +42,7 @@ class ProcessSignalFormatter : public ProtoSignalFormatter<sensor::SignalStreamM
 
   const EventNames& event_names_;
   system_inspector::EventExtractor event_extractor_;
+  K8s k8s_;
 };
 
 }  // namespace collector

@@ -108,6 +108,9 @@ class EventExtractor {
   FIELD_RAW(client_port, "fd.cport", uint16_t);
   FIELD_RAW(server_port, "fd.sport", uint16_t);
 
+  // k8s metadata
+  FIELD_CSTR(k8s_namespace, "k8s.ns.name");
+
 #undef TINFO_FIELD
 #undef FIELD_RAW
 #undef FIELD_CSTR

@@ -5,6 +5,7 @@
 
 #include <linux/ioctl.h>
 
+#include "libsinsp/container_engine/sinsp_container_type.h"
 #include "libsinsp/parsers.h"
 
 #include <google/protobuf/util/time_util.h>
@@ -88,9 +89,29 @@ bool Service::InitKernel(const CollectorConfig& config, const DriverCandidate& c
       inspector_->get_parser()->set_track_connection_status(true);
     }
 
-    auto engine = std::make_shared<ContainerEngine>(inspector_->m_container_manager);
-    auto* container_engines = inspector_->m_container_manager.get_container_engines();
-    container_engines->push_back(engine);
+    if (config.EnableRuntimeFilters()) {
+      uint64_t mask = 1 << CT_CRI |
+                      1 << CT_CRIO |
+                      1 << CT_CONTAINERD;
+
+      if (config.UseDockerCe()) {
+        mask |= 1 << CT_DOCKER;
+      }
+
+      if (config.UsePodmanCe()) {
+        mask |= 1 << CT_PODMAN;
+      }
+
+      inspector_->set_container_engine_mask(mask);
+
+      // k8s naming conventions specify that max length be 253 characters
+      // (the extra 2 are just for a nice 0xFF).
+      inspector_->set_container_labels_max_len(255);
+    } else {
+      auto engine = std::make_shared<ContainerEngine>(inspector_->m_container_manager);
+      auto* container_engines = inspector_->m_container_manager.get_container_engines();
+      container_engines->push_back(engine);
+    }
 
     inspector_->set_filter("container.id != 'host'");