Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

K8s metadata from falco #1606

Merged
merged 5 commits into from
Apr 15, 2024
Merged

K8s metadata from falco #1606

merged 5 commits into from
Apr 15, 2024

Conversation

Molter73
Copy link
Collaborator

@Molter73 Molter73 commented Mar 20, 2024
edited
Loading

Description

As part of the ROX-22981 issue, requiring collector to filter what that is sent depending on k8s metadata like the namespace a given container belongs to, this PR re-enables Falco's full build, allowing for the container engines to be used again. By doing this, we can now query the CRI, CRI-O and containerd sockets for additional container information and get the namespace from that, as well as additional label information that might come in handy in the near future. Also added configuration options for falco's docker and podman container engine information gathering, since these might could be helpful for either testing or if we need to support native workloads.

Checklist

  • Investigated and inspected CI test results
  • Updated documentation accordingly

Automated testing

  • Added unit tests
  • Added integration tests
  • Added regression tests

If any of these don't apply, please comment below.

Testing Performed

Manually tested the changes alongside the newly implemented k8s based tests.

@Molter73 Molter73 force-pushed the mauro/k8s-metadata-from-falco branch from 37d2d6e to 940dd28 Compare March 26, 2024 17:49
@Molter73
Extract k8s metadata from Falco's container engines
b623e54 
This commit reenables Falco's full build in order to enable us using the
container engines to extract k8s metadata from container labels. A
feature flag has been added in order to maintain the current behaviour
of using our custom engine that just grabs container ID from cgroups or
default to using Falco's engines that also capture metadata by querying
runtimes.

In order to simplify and (somewhat) abstract extraction of fields, a new
K8s class has been created. Unfortunately, due to how Falco works, we
still need to pass in the inspector to the constructor and the events
need to be forwarded to the getters for the metadata.

By default only CRI, CRI-O and containerd engines are used (all 3 of
them share the same API), but a couple configuration flags have been
added to enable using docker and podman in case we need them at some
point in time.
@Molter73 Molter73 force-pushed the mauro/k8s-metadata-from-falco branch 4 times, most recently from 707b724 to b623e54 Compare March 27, 2024 17:33
@Molter73 Molter73 marked this pull request as ready for review March 27, 2024 17:38
@Molter73 Molter73 requested a review from a team as a code owner March 27, 2024 17:38
This was referenced Mar 27, 2024
Merged
Merged
JoukoVirtanen
JoukoVirtanen reviewed Mar 28, 2024
View reviewed changes
collector/lib/K8s.h Outdated

inline std::string_view GetContainerLabel(const std::string& container_id, const std::string& label) {
const auto container = inspector_->m_container_manager.get_container(container_id);
if (container == nullptr || container->m_labels.count(label) == 0) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using count seems inefficient.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's what Falco does so I didn't pay it too much care, count returns either 1 or 0 since map doesn't allow duplicate keys (see https://en.cppreference.com/w/cpp/container/map/count)

I could change it to find, but I think the slowest operation will be creating the copy of the string either way

(And as I write this comment I realize there are some changes missing here that are in #1614, I'll add them back and rebase the other 2 PRs)

@JoukoVirtanen
Copy link
Contributor

I don't think K8s is the best name either as this code can get labels other than those associated with K8s. I like ContainerMetadata more.

@Molter73 Molter73 force-pushed the mauro/k8s-metadata-from-falco branch from 604e236 to d7fb9bc Compare April 1, 2024 10:34
@Molter73 Molter73 requested a review from ovalenti April 2, 2024 15:30
@Molter73
Add an introspection endpoint for container metadata (#1614)
7f838e7 
* Add k8s based tests for namespace metadata (#1615)
@Molter73 Molter73 merged commit fbde43b into master Apr 15, 2024
51 checks passed
@Molter73 Molter73 deleted the mauro/k8s-metadata-from-falco branch April 15, 2024 15:37
@Molter73 Molter73 mentioned this pull request Apr 18, 2024
Merged
5 tasks
@JoukoVirtanen JoukoVirtanen mentioned this pull request Jul 7, 2024
Merged
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@JoukoVirtanen JoukoVirtanen JoukoVirtanen approved these changes

@ovalenti ovalenti Awaiting requested review from ovalenti

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Molter73 @JoukoVirtanen @ovalenti