K8s metadata from falco #1606

Merged
merged 5 commits into from
Apr 15, 2024
Merged
4 changes: 2 additions & 2 deletions collector/CMakeLists.txt
Expand Up @@ -50,7 +50,7 @@ include_directories(/usr/local/include/civetweb)
include_directories(/usr/local/include/prometheus)
set(DRIVER_HEADERS ${FALCO_DIR}/driver/ppm_events_public.h ${FALCO_DIR}/driver/ppm_fillers.h)

add_definitions(-DUSE_PROTO_ARENAS -DMINIMAL_BUILD)
add_definitions(-DUSE_PROTO_ARENAS)

add_definitions(-DASSERT_TO_LOG)

Expand Down Expand Up @@ -83,7 +83,7 @@ set(USE_BUNDLED_DEPS OFF CACHE BOOL "Enable bundled dependencies instead of usin
set(USE_BUNDLED_CARES OFF CACHE BOOL "Enable bundled dependencies instead of using the system ones" FORCE)
set(WITH_CHISEL OFF CACHE BOOL "Include chisel implementation" FORCE)
set(BUILD_LIBSCAP_GVISOR OFF CACHE BOOL "Do not build gVisor support" FORCE)
set(MINIMAL_BUILD ON CACHE BOOL "Minimal" FORCE)
set(MINIMAL_BUILD OFF CACHE BOOL "Minimal" FORCE)
set(BUILD_SHARED_LIBS OFF CACHE BOOL "Build position independent libraries and executables" FORCE)
set(LIBELF_LIB_SUFFIX ".so" CACHE STRING "Use libelf.so" FORCE)

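Review bot: The flip to `set(MINIMAL_BUILD OFF ...)` and the matching removal of `-DMINIMAL_BUILD` from the `add_definitions` line are not explained anywhere in the file, so a later maintainer cannot tell what breaks if the flag is turned back on. A one-line comment above the `set(MINIMAL_BUILD ...)` line naming the feature that needs the full build — presumably the libsinsp container engines that populate the container labels read by the new ContainerMetadata.h — would fix that, e.g. `# Full (non-minimal) libsinsp build: required for the container engines that supply k8s metadata`. Leaving minimal mode also pulls in whatever else libsinsp gates behind that flag, so it is worth confirming that the resulting binary's dependency list is the one intended.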
8 changes: 8 additions & 0 deletions collector/lib/CollectorConfig.cpp
Expand Up @@ -46,6 +46,11 @@ BoolEnvVar enable_connection_stats("ROX_COLLECTOR_ENABLE_CONNECTION_STATS", true

BoolEnvVar enable_detailed_metrics("ROX_COLLECTOR_ENABLE_DETAILED_METRICS", true);

BoolEnvVar enable_runtime_filters("ROX_COLLECTOR_RUNTIME_FILTERS_ENABLED", false);

BoolEnvVar use_docker_ce("ROX_COLLECTOR_CE_USE_DOCKER", false);
BoolEnvVar use_podman_ce("ROX_COLLECTOR_CE_USE_PODMAN", false);

} // namespace

constexpr bool CollectorConfig::kTurnOffScrape;
Expand All @@ -71,6 +76,9 @@ void CollectorConfig::InitCollectorConfig(CollectorArgs* args) {
enable_external_ips_ = enable_external_ips.value();
enable_connection_stats_ = enable_connection_stats.value();
enable_detailed_metrics_ = enable_detailed_metrics.value();
enable_runtime_filters_ = enable_runtime_filters.value();
use_docker_ce_ = use_docker_ce.value();
use_podman_ce_ = use_podman_ce.value();

for (const auto& syscall : kSyscalls) {
syscalls_.push_back(syscall);
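Review bot: The new variable name `ROX_COLLECTOR_RUNTIME_FILTERS_ENABLED` on the `enable_runtime_filters` line breaks the `ROX_COLLECTOR_ENABLE_*` pattern used by the neighbouring `enable_connection_stats` and `enable_detailed_metrics` declarations; unless the name is fixed by an external contract, `ROX_COLLECTOR_ENABLE_RUNTIME_FILTERS` would keep the prefix consistent. The two `ROX_COLLECTOR_CE_USE_*` declarations also deserve a comment saying when they take effect, since Service.cpp only reads `UseDockerCe()`/`UsePodmanCe()` inside the `EnableRuntimeFilters()` branch, e.g. `// Extra container engines added to the libsinsp engine mask; ignored unless runtime filters are enabled.` The same comment belongs on the matching accessor lines in CollectorConfig.h.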
6 changes: 6 additions & 0 deletions collector/lib/CollectorConfig.h
Expand Up @@ -75,6 +75,9 @@ class CollectorConfig {
bool EnableExternalIPs() const { return enable_external_ips_; }
bool EnableConnectionStats() const { return enable_connection_stats_; }
bool EnableDetailedMetrics() const { return enable_detailed_metrics_; }
bool EnableRuntimeFilters() const { return enable_runtime_filters_; }
bool UseDockerCe() const { return use_docker_ce_; }
bool UsePodmanCe() const { return use_podman_ce_; }
const std::vector<double>& GetConnectionStatsQuantiles() const { return connection_stats_quantiles_; }
double GetConnectionStatsError() const { return connection_stats_error_; }
unsigned int GetConnectionStatsWindow() const { return connection_stats_window_; }
Expand Down Expand Up @@ -107,6 +110,9 @@ class CollectorConfig {
bool enable_external_ips_;
bool enable_connection_stats_;
bool enable_detailed_metrics_;
bool enable_runtime_filters_;
bool use_docker_ce_;
bool use_podman_ce_;
std::vector<double> connection_stats_quantiles_;
double connection_stats_error_;
unsigned int connection_stats_window_;
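Review bot: The three new members `enable_runtime_filters_`, `use_docker_ce_` and `use_podman_ce_` are declared as bare `bool` with no default member initializer, so a `CollectorConfig` that has not yet gone through `InitCollectorConfig` reads indeterminate values from them. The neighbouring members share that pattern, but for the new ones `bool enable_runtime_filters_ = false;`, `bool use_docker_ce_ = false;` and `bool use_podman_ce_ = false;` cost nothing and match the env-var defaults set in CollectorConfig.cpp.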
44 changes: 44 additions & 0 deletions collector/lib/ContainerMetadata.h
@@ -0,0 +1,44 @@
#ifndef _CONTAINER_METADATA_H_
#define _CONTAINER_METADATA_H_

#include "system-inspector/EventExtractor.h"

namespace collector {

class ContainerMetadata {
public:
ContainerMetadata(sinsp* inspector) : inspector_(inspector) {
event_extractor_.Init(inspector);
}

inline std::string GetNamespace(sinsp_evt* event) {
const char* ns = event_extractor_.get_k8s_namespace(event);
return ns != nullptr ? ns : "";
}

inline std::string GetNamespace(const std::string& container_id) {
return GetContainerLabel(container_id, "io.kubernetes.pod.namespace");
}

inline std::string GetContainerLabel(const std::string& container_id, const std::string& label) {
const auto& containers = *inspector_->m_container_manager.get_containers();
if (containers.count(container_id) == 0) {
return "";
}

const auto& container = containers.at(container_id);
if (container->m_labels.count(label) == 0) {
return "";
}

return container->m_labels.at(label);
}

private:
system_inspector::EventExtractor event_extractor_;
sinsp* inspector_;
};

} // namespace collector

#endif // _CONTAINER_METADATA_H_
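Review bot: In `GetContainerLabel`, `const auto& containers = *inspector_->m_container_manager.get_containers();` binds a reference to the map but destroys the object returned by `get_containers()` at the end of that statement; if that return type is a lock-holding guard (libsinsp's `map_ptr_t` is a `ConstMutexGuard` in the versions I know), the lock is released before the `count`/`at` lookups run, so these reads race with the container engines' updates. Keeping the guard in a local for the whole lookup fixes that, and replacing each `count` + `at` pair with a single `find` halves the hash lookups; the rewrite below also tolerates a null entry, which I have not verified is impossible. Separately, the constructor takes a single raw pointer and should be `explicit`, the header uses `std::string` without including `<string>`, the `inline` keywords on in-class definitions are redundant, and a class comment should state that `inspector_` is non-owning and must outlive the `ContainerMetadata`.
```cpp
  std::string GetContainerLabel(const std::string& container_id, const std::string& label) {
    // Keep the object returned by get_containers() alive for the whole lookup,
    // so any lock it holds covers both map accesses.
    auto containers = inspector_->m_container_manager.get_containers();
    auto container_it = containers->find(container_id);
    if (container_it == containers->end() || !container_it->second) {
      return "";
    }

    const auto& labels = container_it->second->m_labels;
    auto label_it = labels.find(label);
    return label_it != labels.end() ? label_it->second : "";
  }
```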
2 changes: 1 addition & 1 deletion collector/lib/ProcessSignalFormatter.cpp
Expand Up @@ -143,7 +143,7 @@ ProcessSignal* ProcessSignalFormatter::CreateProcessSignal(sinsp_evt* event) {
}

CLOG(DEBUG) << "Process (" << signal->container_id() << ": " << signal->pid() << "): "
<< signal->name()
<< signal->name() << "[" << container_metadata_.GetNamespace(event) << "] "
<< " (" << signal->exec_file_path() << ")"
<< " " << signal->args();

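Review bot: The replaced log line puts no space between `signal->name()` and `"["`, and its trailing `"] "` followed by the existing `" ("` prints two spaces, so the DEBUG message reads `name[ns]  (path)`; `<< signal->name() << " [" << container_metadata_.GetNamespace(event) << "]"` yields `name [ns] (path)`. The namespace value originates in container metadata supplied by the runtime rather than in collector itself, so keeping it confined to a DEBUG log as done here is the right level. `CreateProcessSignal` starts and ends outside the hunk.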
4 changes: 3 additions & 1 deletion collector/lib/ProcessSignalFormatter.h
Expand Up @@ -6,6 +6,7 @@
#include "storage/process_indicator.pb.h"

#include "CollectorStats.h"
#include "ContainerMetadata.h"
#include "EventNames.h"
#include "ProtoSignalFormatter.h"
#include "system-inspector/EventExtractor.h"
Expand All @@ -14,7 +15,7 @@ namespace collector {

class ProcessSignalFormatter : public ProtoSignalFormatter<sensor::SignalStreamMessage> {
public:
ProcessSignalFormatter(sinsp* inspector) : event_names_(EventNames::GetInstance()) {
ProcessSignalFormatter(sinsp* inspector) : event_names_(EventNames::GetInstance()), container_metadata_(inspector) {
event_extractor_.Init(inspector);
}

Expand All @@ -41,6 +42,7 @@ class ProcessSignalFormatter : public ProtoSignalFormatter<sensor::SignalStreamM

const EventNames& event_names_;
system_inspector::EventExtractor event_extractor_;
ContainerMetadata container_metadata_;
};

} // namespace collector
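Review bot: After this change `ProcessSignalFormatter` sets up two `system_inspector::EventExtractor` instances against the same inspector — its own `event_extractor_` via `Init(inspector)` in the constructor body, and the one inside `container_metadata_` — which duplicates whatever per-field setup `Init` performs. If `ContainerMetadata` only needs the `k8s_namespace` field, consider letting it borrow the formatter's extractor; otherwise a comment on the `ContainerMetadata container_metadata_;` line such as `// Owns its own EventExtractor; initialized against the same inspector as event_extractor_` would record that the duplication is intentional. The mem-initializer list matches the member declaration order (`event_names_`, `event_extractor_`, `container_metadata_`), so construction order is as written.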
3 changes: 3 additions & 0 deletions collector/lib/system-inspector/EventExtractor.h
Expand Up @@ -108,6 +108,9 @@ class EventExtractor {
FIELD_RAW(client_port, "fd.cport", uint16_t);
FIELD_RAW(server_port, "fd.sport", uint16_t);

// k8s metadata
FIELD_CSTR(k8s_namespace, "k8s.ns.name");

#undef TINFO_FIELD
#undef FIELD_RAW
#undef FIELD_CSTR
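Review bot: The comment `// k8s metadata` above `FIELD_CSTR(k8s_namespace, "k8s.ns.name");` could say where the value comes from and when it is absent: as far as I recall, libsinsp resolves `k8s.ns.name` from the event's container info (falling back to the `io.kubernetes.pod.namespace` label, the same one `ContainerMetadata::GetNamespace(const std::string&)` reads), so the accessor returns a null pointer whenever the container engines have not resolved the container. Suggested wording: `// k8s metadata: resolved by libsinsp from container info; nullptr when the container is unknown, callers must check`.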
27 changes: 24 additions & 3 deletions collector/lib/system-inspector/Service.cpp
Expand Up @@ -5,6 +5,7 @@

#include <linux/ioctl.h>

#include "libsinsp/container_engine/sinsp_container_type.h"
#include "libsinsp/parsers.h"

#include <google/protobuf/util/time_util.h>
Expand Down Expand Up @@ -88,9 +89,29 @@ bool Service::InitKernel(const CollectorConfig& config, const DriverCandidate& c
inspector_->get_parser()->set_track_connection_status(true);
}

auto engine = std::make_shared<ContainerEngine>(inspector_->m_container_manager);
auto* container_engines = inspector_->m_container_manager.get_container_engines();
container_engines->push_back(engine);
if (config.EnableRuntimeFilters()) {
uint64_t mask = 1 << CT_CRI |
1 << CT_CRIO |
1 << CT_CONTAINERD;

if (config.UseDockerCe()) {
mask |= 1 << CT_DOCKER;
}

if (config.UsePodmanCe()) {
mask |= 1 << CT_PODMAN;
}

inspector_->set_container_engine_mask(mask);

// k8s naming conventions specify that max length be 253 characters
// (the extra 2 are just for a nice 0xFF).
inspector_->set_container_labels_max_len(255);
} else {
auto engine = std::make_shared<ContainerEngine>(inspector_->m_container_manager);
auto* container_engines = inspector_->m_container_manager.get_container_engines();
container_engines->push_back(engine);
}

inspector_->set_filter("container.id != 'host'");

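Review bot: `uint64_t mask = 1 << CT_CRI | 1 << CT_CRIO | 1 << CT_CONTAINERD;` shifts an `int`, so the expression is only well-defined while every `CT_*` value stays below 31 even though the mask is 64-bit; `uint64_t mask = (uint64_t{1} << CT_CRI) | (uint64_t{1} << CT_CRIO) | (uint64_t{1} << CT_CONTAINERD);` (and `uint64_t{1} << CT_DOCKER` / `CT_PODMAN` in the two `mask |=` lines) matches the type handed to `set_container_engine_mask` and makes the precedence explicit. The `255` passed to `set_container_labels_max_len` is a magic number whose comment explains the 253 but not what the cap protects: naming it (`constexpr size_t kContainerLabelsMaxLen = 255;`) with a note that it bounds the label values the container runtime can push into the inspector would help the next reader. `UseDockerCe()` and `UsePodmanCe()` are silently ignored when runtime filters are off, so a log line in the `else` branch when either is set would surface that misconfiguration. `InitKernel` starts and ends outside the hunk.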