Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[WIP] new(libsinsp): extract pod_uid from cgroups #1377

Closed
wants to merge 3 commits into from
Closed

[WIP] new(libsinsp): extract pod_uid from cgroups #1377

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
11b4f73
new(libsinsp): extract `pod_uid` from cgroups
Andreagit97 Sep 14, 2023
25ae335
fix: fix build in shared library build
Andreagit97 Oct 3, 2023
b0fdb31
fix: fix build on windows
Andreagit97 Oct 3, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 1 addition & 2 deletions userspace/libsinsp/CMakeLists.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -200,11 +200,10 @@ endif()
set_sinsp_target_properties(sinsp)

target_link_libraries(sinsp
PUBLIC scap
PUBLIC scap "${RE2_LIB}"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is needed so that unit-test-libsinsp is able to correctly link re2 since it is now needed.

PRIVATE
"${CURL_LIBRARIES}"
"${JSONCPP_LIB}"
"${RE2_LIB}"
)

set(SINSP_PKGCONFIG_LIBRARIES
Expand Down
7 changes: 7 additions & 0 deletions userspace/libsinsp/filterchecks.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9052,6 +9052,13 @@ uint8_t* sinsp_filter_check_k8s::extract(sinsp_evt *evt, OUT uint32_t* len, bool
return NULL;
}
m_tstr.clear();

// We can extract the pod_id directly from cgroups
if((m_field_id == TYPE_K8S_POD_ID) && !tinfo->m_pod_uid.empty())
{
RETURN_EXTRACT_STRING(tinfo->m_pod_uid);
}

// there is metadata we can pull from the container directly instead of the k8s apiserver
const sinsp_container_info::ptr_t container_info =
m_inspector->m_container_manager.get_container(tinfo->m_container_id);
Expand Down
12 changes: 12 additions & 0 deletions userspace/libsinsp/parsers.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2154,6 +2154,12 @@ void sinsp_parser::parse_clone_exit_child(sinsp_evt *evt)
child_tinfo->set_group(child_tinfo->m_group.gid);
}

/* Set the pod uid if available
* OPTIMIZATION: we could use the same pod_uid of the parent instead
* of computing it again since the pod_uid should never change from parent to child. We need to check that we are not excluding some corner cases.
*/
child_tinfo->set_pod_uid();

//
// If there's a listener, invoke it
//
Expand Down Expand Up @@ -2742,6 +2748,12 @@ void sinsp_parser::parse_execve_exit(sinsp_evt *evt)
evt->m_tinfo->set_group(evt->m_tinfo->m_group.gid);
}

/* Set the pod uid if available
* We need to reinforce the pod_uid since it could change between the clone and
* the corresponding execve.
*/
evt->m_tinfo->set_pod_uid();

//
// If there's a listener, invoke it
//
Expand Down
20 changes: 20 additions & 0 deletions userspace/libsinsp/pod_regex.h
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
/*
Copyright (C) 2023 The Falco Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

*/

#pragma once

#define RGX_POD "(pod[a-z0-9]{8}[-_][a-z0-9]{4}[-_][a-z0-9]{4}[-_][a-z0-9]{4}[-_][a-z0-9]{12})"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why can't this live closer to the set_pod_uid definition in threadinfo.h? A full header file for a single define seems overkill.

79 changes: 79 additions & 0 deletions userspace/libsinsp/test/classes/sinsp_threadinfo.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,8 @@ limitations under the License.
*/

#include <test/helpers/threads_helpers.h>
#include <re2/re2.h>
#include "pod_regex.h"

TEST(sinsp_threadinfo, get_main_thread)
{
Expand Down Expand Up @@ -125,3 +127,80 @@ TEST_F(sinsp_with_test_input, THRD_INFO_assign_children_to_a_nullptr)
ASSERT_THREAD_CHILDREN(p2_t1_tid, 0, 0);
ASSERT_THREAD_INFO_PIDS(p3_t1_tid, p3_t1_pid, 0);
}

// This test asserts that our regex is solid against all possible cgroup layouts
TEST(sinsp_threadinfo, check_pod_uid_regex)
{
re2::RE2 pattern(RGX_POD, re2::RE2::POSIX);

// CgroupV1, driver cgroup
std::string expected_pod_uid = "pod05869489-8c7f-45dc-9abd-1b1620787bb1";
std::string actual_pod_uid = "";
ASSERT_TRUE(re2::RE2::PartialMatch("/kubepods/besteffort/pod05869489-8c7f-45dc-9abd-1b1620787bb1/691e0ffb65010b2b611f3a15b7f76c48466192e673e156f38bd2f8e25acd6bbc", pattern, &actual_pod_uid));
ASSERT_EQ(expected_pod_uid, actual_pod_uid);

// CgroupV1, driver systemd
expected_pod_uid = "pod0f90f31c_ebeb_4192_a2b0_92e076c43817";
ASSERT_TRUE(re2::RE2::PartialMatch("/kubepods.slice/kubepods-besteffort.slice/kubepods-besteffort-pod0f90f31c_ebeb_4192_a2b0_92e076c43817.slice/4c97d83b89df14eea65dbbab1f506b405758341616ab75437d66fd8bab0e2beb", pattern, &actual_pod_uid));
ASSERT_EQ(expected_pod_uid, actual_pod_uid);

// CgroupV2, driver cgroup
expected_pod_uid = "podaf4fa4cf-129e-4699-a2af-65548fb8977d";
ASSERT_TRUE(re2::RE2::PartialMatch("/kubepods/besteffort/podaf4fa4cf-129e-4699-a2af-65548fb8977d/fc16540dcd776bb475437b722c47de798fa1b07687db1ba7d4609c23d5d1a088", pattern, &actual_pod_uid));
ASSERT_EQ(expected_pod_uid, actual_pod_uid);

// CgroupV2, driver systemd
expected_pod_uid = "pod43f23404_e33c_48c7_8114_28ee4b7043ec";
ASSERT_TRUE(re2::RE2::PartialMatch("/kubepods.slice/kubepods-besteffort.slice/kubepods-besteffort-pod43f23404_e33c_48c7_8114_28ee4b7043ec.slice/cri-containerd-b59ce319955234d0b051a93dac5efa8fc07df08d8b0188195b434174efc44e73.scope", pattern, &actual_pod_uid));
ASSERT_EQ(expected_pod_uid, actual_pod_uid);

// Not match, wrong pod_uid format
ASSERT_FALSE(re2::RE2::PartialMatch("cpuset=/kubepods/besteffort/pod05869489W-8c7fWW-45dc-9abd-1b1620787bb1/691e0ffb65010b2b611f3a15b7f76c48466192e673e156f38bd2f8e25acd6bbc", pattern));
}

// This test asserts that our parsers (clone/execve) can extract the pod_uid from cgroups.
TEST_F(sinsp_with_test_input, THRD_INFO_extract_pod_uid)
{
add_default_init_thread();
open_inspector();

int64_t p1_tid = 2;
int64_t p1_pid = 2;
int64_t p1_ptid = INIT_TID;
int64_t p1_vtid = 1;
int64_t p1_vpid = 1;

uint64_t not_relevant_64 = 0;
uint32_t not_relevant_32 = 0;

// cgroupfs driver format
std::vector<std::string> cgroups1 = {
"cpuset=/kubepods/besteffort/pod05869489-8c7f-45dc-9abd-1b1620787bb1/691e0ffb65010b2b611f3a15b7f76c48466192e673e156f38bd2f8e25acd6bbc",
"cpu=/kubepods/besteffort/pod05869489-8c7f-45dc-9abd-1b1620787bb1/691e0ffb65010b2b611f3a15b7f76c48466192e673e156f38bd2f8e25acd6bbc",
"cpuacct=/kubepods/besteffort/pod05869489-8c7f-45dc-9abd-1b1620787bb1/691e0ffb65010b2b611f3a15b7f76c48466192e673e156f38bd2f8e25acd6bbc",
"io=/kubepods/besteffort/pod05869489-8c7f-45dc-9abd-1b1620787bb1/691e0ffb65010b2b611f3a15b7f76c48466192e673e156f38bd2f8e25acd6bbc",
"memory=/kubepods/besteffort/pod05869489-8c7f-45dc-9abd-1b1620787bb1/691e0ffb65010b2b611f3a15b7f76c48466192e673e156f38bd2f8e25acd6bbc",
"devices=/kubepods/besteffort/pod05869489-8c7f-45dc-9abd-1b1620787bb1/691e0ffb65010b2b611f3a15b7f76c48466192e673e156f38bd2f8e25acd6bbc",
"freezer=/kubepods/besteffort/pod05869489-8c7f-45dc-9abd-1b1620787bb1/691e0ffb65010b2b611f3a15b7f76c48466192e673e156f38bd2f8e25acd6bbc",
};
std::string cgroupsv = test_utils::to_null_delimited(cgroups1);
scap_const_sized_buffer empty_bytebuf = {/*.buf =*/ nullptr, /*.size =*/ 0};
auto evt = add_event_advance_ts(increasing_ts(), p1_tid, PPME_SYSCALL_CLONE_20_X, 21, (int64_t)0, "init", empty_bytebuf, p1_tid, p1_pid, p1_ptid, "", not_relevant_64, not_relevant_64, not_relevant_64, not_relevant_32, not_relevant_32, not_relevant_32, "init", scap_const_sized_buffer{cgroupsv.data(), cgroupsv.size()}, (int32_t)0, not_relevant_32, not_relevant_32, p1_vtid, p1_vpid);

ASSERT_TRUE(evt->get_thread_info());
ASSERT_EQ(evt->get_thread_info()->m_pod_uid, "05869489-8c7f-45dc-9abd-1b1620787bb1");

// Now we simulate a change of cgroups in the execve event.

// systemd driver format
// Only one cgroup subsystem is enough
std::vector<std::string> cgroups2 = {
"cpuset=/kubelet.slice/kubelet-kubepods.slice/kubelet-kubepods-besteffort.slice/kubelet-kubepods-besteffort-pod47bf324a_ed3e_4a7c_be4a_7d119755bfcb.slice",
};

cgroupsv = test_utils::to_null_delimited(cgroups2);
evt = add_event_advance_ts(increasing_ts(), p1_tid, PPME_SYSCALL_EXECVE_19_X, 28, (int64_t)0, "/bin/new-prog", empty_bytebuf, p1_tid, p1_pid, p1_ptid, "", not_relevant_64, not_relevant_64, not_relevant_64, not_relevant_32, not_relevant_32, not_relevant_32, "new-prog", scap_const_sized_buffer{cgroupsv.data(), cgroupsv.size()}, empty_bytebuf, not_relevant_32, not_relevant_32, not_relevant_32, (int32_t) PPM_EXE_WRITABLE, not_relevant_64, not_relevant_64, not_relevant_64, not_relevant_64, not_relevant_64, not_relevant_64, not_relevant_64, "/bin/new-prog");

ASSERT_TRUE(evt->get_thread_info());
ASSERT_EQ(evt->get_thread_info()->m_pod_uid, "47bf324a-ed3e-4a7c-be4a-7d119755bfcb");
}
46 changes: 46 additions & 0 deletions userspace/libsinsp/test/filterchecks/k8s.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,46 @@
/*
Copyright (C) 2023 The Falco Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

*/

/* K8s filterchecks are not defined in the minimal build so we need this ifdef */
#if !defined(CYGWING_AGENT) && !defined(MINIMAL_BUILD) && !defined(__EMSCRIPTEN__)
#include <test/helpers/threads_helpers.h>
TEST_F(sinsp_with_test_input, K8S_FILTER_pod_id)
{
add_default_init_thread();
open_inspector();

int64_t p1_tid = 2;
int64_t p1_pid = 2;
int64_t p1_ptid = INIT_TID;
int64_t p1_vtid = 1;
int64_t p1_vpid = 1;

uint64_t not_relevant_64 = 0;
uint32_t not_relevant_32 = 0;

// cgroupfs driver format
std::vector<std::string> cgroups1 = {
"cpuset=/kubepods/besteffort/pod05869489-8c7f-45dc-9abd-1b1620787bb1/691e0ffb65010b2b611f3a15b7f76c48466192e673e156f38bd2f8e25acd6bbc",
};
std::string cgroupsv = test_utils::to_null_delimited(cgroups1);
scap_const_sized_buffer empty_bytebuf = {/*.buf =*/ nullptr, /*.size =*/ 0};
auto evt = add_event_advance_ts(increasing_ts(), p1_tid, PPME_SYSCALL_CLONE_20_X, 21, 0, "init", empty_bytebuf, p1_tid, p1_pid, p1_ptid, "", not_relevant_64, not_relevant_64, not_relevant_64, not_relevant_32, not_relevant_32, not_relevant_32, "init", scap_const_sized_buffer{cgroupsv.data(), cgroupsv.size()}, 0, not_relevant_32, not_relevant_32, p1_vtid, p1_vpid);

ASSERT_EQ(get_field_as_string(evt, "k8s.pod.id"), "05869489-8c7f-45dc-9abd-1b1620787bb1");
}

#endif
2 changes: 1 addition & 1 deletion userspace/libsinsp/test/state.ut.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -301,7 +301,7 @@ TEST(thread_manager, table_access)
{
// note: used for regression checks, keep this updated as we make
// new fields available
static const int s_threadinfo_static_fields_count = 20;
static const int s_threadinfo_static_fields_count = 21;

sinsp inspector;
auto table = static_cast<libsinsp::state::table<int64_t>*>(inspector.m_thread_manager);
Expand Down
40 changes: 40 additions & 0 deletions userspace/libsinsp/threadinfo.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,9 @@ limitations under the License.
#include "tracer_emitter.h"
#endif

#include <re2/re2.h>
#include "pod_regex.h"

constexpr static const char* s_thread_table_name = "threads";

extern sinsp_evttables g_infotables;
Expand Down Expand Up @@ -74,6 +77,7 @@ sinsp_threadinfo::sinsp_threadinfo(sinsp* inspector, std::shared_ptr<libsinsp::s
// m_loginuser
// m_group
define_static_field(this, m_container_id, "container_id");
define_static_field(this, m_pod_uid, "pod_uid");
// m_flags
define_static_field(this, m_fdlimit, "fd_limit");
// m_cap_permitted
Expand Down Expand Up @@ -823,6 +827,42 @@ sinsp_threadinfo* sinsp_threadinfo::get_parent_thread()
return m_inspector->get_thread_ref(m_ptid, false).get();
}

static re2::RE2 pattern(RGX_POD, re2::RE2::POSIX);

void sinsp_threadinfo::set_pod_uid()
{
m_pod_uid = "";

// Set pod_uid to `""` if:
// 1. We don't have cgroups for this thread.
// 2. We are not in a container.
if(this->cgroups().empty() || !this->is_in_pid_namespace())
{
return;
}

// If `this->cgroups()` is not empty we should have at least the first element
// An example of `this->cgroups()[0].second` layout is:
// /kubelet.slice/kubelet-kubepods.slice/kubelet-kubepods-pod1b011081_6e8e_4839_b225_4685eae5fd59.slice/cri-containerd-2f92446a3fbfd0b7a73457b45e96c75a25c5e44e7b1bcec165712b906551c261.scope
if(!re2::RE2::PartialMatch(this->cgroups()[0].second, pattern, &m_pod_uid))
Copy link
Contributor

@Molter73 Molter73 Oct 3, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are we sure we want to add a regex match in the hot path for processes? What type of performance hit do we expect from this? Would you mind providing an easy way to disable this check at runtime just in case? Maybe since it looks like heavily related to k8s, could we move it somewhere in the k8s specific code?

Copy link
Member Author

@Andreagit97 Andreagit97 Oct 3, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point! Let's say the alternative would be to loop over some prefixes like in the container engine

libs/userspace/libsinsp/runc.cpp

Line 41 in 3d1f481

bool match_one_container_id(const std::string &cgroup, const std::string &prefix, const std::string &suffix, std::string &container_id)
but not sure this would be more efficient 🤔

I'm ok with disabling it at runtime, but not sure what is the best way to disable it (cmake?some flags provided to sinsp?) Any ideas?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Couldn't this be done by a container engine thread as an async event? Just thinking out loud.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this needs to be in the process hot path at all, at least thinking from my use case, we have a separate process that gets this information from the kube api, so this are just compute cycles being wasted. Since it's for k8s, I insist it might be better placed somewhere closer to the k8s specific code, but I'm not familiar enough with that code to suggest where to place it.

As for how to enable it at runtime, a simple bool m_pod_uid_enabled flag and a setter alongside the set_pod_uid definition is more than enough IMO, set_pod_uid would just check that flag before doing anything else and return if it's set to false.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👋 happy to help as I have been sifting through the container engine on multiple occasions.

First, yes plz no additional regexes on the hot path.

A few pointers:

I usually use crictl to spin up test pods as that allows for easy testing of both containerd and crio. Example inspection outputs of both the pod / sandbox or the container show that if it's a sandbox the container id is the same as the pod / sandbox id.

INSPECT POD / SANDBOX

sudo crictl pods
sudo crictl inspectp 95120af54b0d1


crio

 "io.kubernetes.cri-o.SandboxID": "95120af54b0d102cc259e906f9aea0423ea7a5dd87ae458567f93cd453b944b1",
 "io.kubernetes.cri-o.ContainerID": "95120af54b0d102cc259e906f9aea0423ea7a5dd87ae458567f93cd453b944b1",

containerd

"status": {
    "id": "c28089bf708270613d27c409a4aaa5679537e8cbe54993ee3749038811cc8d97",

"io.kubernetes.cri.container-type": "sandbox",
"io.kubernetes.cri.sandbox-id": "c28089bf708270613d27c409a4aaa5679537e8cbe54993ee3749038811cc8d97",


INSPECT CONTAINER

sudo crictl ps
sudo crictl inspect 84d2897a399b0

crio 

"io.kubernetes.cri-o.SandboxID": "95120af54b0d102cc259e906f9aea0423ea7a5dd87ae458567f93cd453b944b1",
"io.kubernetes.cri-o.ContainerID": "84d2897a399b0026499e93f490f47304818eb77868b23634f397a50bcedadb77",

String search for m_is_pod_sandbox in the code base and I think that will direct you to the relevant code blocks to make minor adjustments. Basically perhaps it's just about returning the existing container id already extracted from the current cgroups parsing logic if it's a sandbox (without needing the API call against the container runtime socket to know if it's a sandbox or container). And since I haven't looked myself I don't know what all needs to be adjusted to get this, just suspecting it could be easier and less intrusive in the container engine code base (echoing @FedeDP and @Molter73 feedback).

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this is much heavier than lots of things already happening in the main thread after all. I see the use case and it makes sense IMO.
I'd only enable this behavior (ie: the regex match) when either the k8s client is enabled or the new plugin is enabled, so that people that don't use it don't pay the (small) extra cost.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this needs to be in the process hot path at all, at least thinking from my use case, we have a separate process that gets this information from the kube api, so this are just compute cycles being wasted

@Molter73 Just for curiosity, how do you associate the pod_uid extracted from the kube API to a sinsp thread?

Copy link
Contributor

@Molter73 Molter73 Oct 4, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this needs to be in the process hot path at all, at least thinking from my use case, we have a separate process that gets this information from the kube api, so this are just compute cycles being wasted. Since it's for k8s, I insist it might be better placed somewhere closer to the k8s specific code, but I'm not familiar enough with that code to suggest where to place it.

Hi @Molter73 , we are writing a plugin to handle the kubernetes metadata. But we need to associate a process/thread with those metadata. The best is to leverage the pod UID and extract it from the cgroup path. The cgroup path is already there, just need to extract the pod UID substring from it. We can consider moving the extraction of the pod UID to the plugin code but performances would be impacted too much since the extraction would be done each time we need to associate a syscall to its k8s metadata. Keep in mind that plugin logic would block all the processing on the sinsp side.

Well, that's all fine, but we can still probably move it to the container engine. Even if most of the heavy lifting by container engines is done asynchronously, getting the container ID is done in line by the resolve members, so by making the check there you can limit the search to engines that actually make sense and you could potentially use the already matched container ID in some cases as @incertum suggests. At the very least, if it's going to be a costly operation, an enable flag for adopters to opt out would be appreciated.

I don't think this needs to be in the process hot path at all, at least thinking from my use case, we have a separate process that gets this information from the kube api, so this are just compute cycles being wasted

@Molter73 Just for curiosity, how do you associate the pod_uid extracted from the kube API to a sinsp thread?

Have to admit I'm not 100% sure how this process works, it's a completely separate process from the one I usually work on, but basically we inform data about the process and the container ID it belongs to and the other process does its thing to get information about the resource the container belongs to from the API. I'd have to dig deeper to understand it better, but at that point the data is no longer a sinsp_thread.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@alacuku thanks for adding more context around why you would want this outside the container engine. It was not clear to me before you shared this additional context. I was wondering why we actually cannot use the container engine API calls to get the sandbox id like we currently do as the id itself has not too much value without the pod name anyways. But now I see the use case. Just double checking: The new k8s client definitely and absolutely would only work with the sandbox id and we couldn't pivot from container id to sandbox id like we for example do today with the container runtime API calls?

Yes the tree would need to be formed - it would still be more effective in the container engine portions, but as you explained the ultimate goal would be to bypass the container engine.

Question:

How urgent is this patch now? Are we planning the k8s client refactor for Falco 0.37? What are the performance improvement hopes compared to extracting the most critical information from the container runtime socket today? Are we just planning to replace the mechanisms of getting the k8s fields we support today or are we planning to extend capabilities?

For example, would support for extracting info from for example https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#mutatingadmissionwebhook be possible with the new framework down the road? That would get me definitely "hooked" and in favor.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Andreagit97 and @alacuku re to what was mentioned above Omar opened a new issue falcosecurity/falco#2895. It would propose adding some similar (not necessarily regex), but string checks on the hot path.

@Andreagit97 you mentioned you wanted to explore more options, curious to hear more. I liked to hear that the refactor could potentially be more performant and more reliable than the current container engine. In that case we could also win in terms of using the k8s client to already gather container image and other fields we currently only fetch from the container runtime socket.

{
return;
}

// Here `m_pod_uid` could have 2 possible layouts:
// - (driver cgroup) pod05869489-8c7f-45dc-9abd-1b1620787bb1
// - (driver systemd) pod05869489_8c7f_45dc_9abd_1b1620787bb1

// remove the "pod" prefix from `m_pod_uid`
m_pod_uid.erase(0, 3);

// convert `_` into `-` if we are in `systemd` notation
std::replace(m_pod_uid.begin(), m_pod_uid.end(), '_', '-');

// The final `pod_uid` layout is:
// 05869489-8c7f-45dc-9abd-1b1620787bb1
}

sinsp_fdinfo_t* sinsp_threadinfo::add_fd(int64_t fd, sinsp_fdinfo_t *fdinfo)
{
sinsp_fdtable* fd_table_ptr = get_fd_table();
Expand Down
6 changes: 6 additions & 0 deletions userspace/libsinsp/threadinfo.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -238,6 +238,11 @@ class SINSP_PUBLIC sinsp_threadinfo: public libsinsp::state::table_entry
return possible_main;
}

/*!
\brief Extract the pod uid from the cgroups if they are available.
*/
void set_pod_uid();

/*!
\brief Get the process that launched this thread's process.
*/
Expand Down Expand Up @@ -417,6 +422,7 @@ class SINSP_PUBLIC sinsp_threadinfo: public libsinsp::state::table_entry
std::vector<std::string> m_env; ///< Environment variables
std::unique_ptr<cgroups_t> m_cgroups; ///< subsystem-cgroup pairs
std::string m_container_id; ///< heuristic-based container id
std::string m_pod_uid; ///< pod universally unique identifier extracted from cgroups.
uint32_t m_flags; ///< The thread flags. See the PPM_CL_* declarations in ppm_events_public.h.
int64_t m_fdlimit; ///< The maximum number of FDs this thread can open
scap_userinfo m_user; ///< user infos
Expand Down