Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add tetra policyfilter listpolicies command #3122

Open
wants to merge 4 commits into
base: main
Choose a base branch
from

Conversation

tpapagian
Copy link
Member

@tpapagian tpapagian commented Nov 15, 2024

Add tetra policyfilter listpolicies to determine which Kubernetes Identity Aware policies should be applied on a specific container.

Example:

$ kubectl exec -it ds/tetragon -n kube-system -c tetragon -- tetra policyfilter -r "unix:///procRoot/1/root/run/containerd/containerd.sock" listpolicies ff433e9e16467787a60ac853d9b313150091968731f620776d6d7c514b1e8d6c
ID   NAME                    STATE     FILTERID   NAMESPACE   SENSORS          KERNELMEMORY
5    lseek-podfilter-usage   enabled   5          (global)    generic_kprobe   1.72 MB
1    lseek-podfilter-app     enabled   1          (global)    generic_kprobe   1.72 MB

Details on how this works can be found on specific commits.

@tpapagian tpapagian force-pushed the pr/apapag/reverse_policy_id_map branch 3 times, most recently from d62cd19 to 7ed2acf Compare November 16, 2024 20:00
@tpapagian tpapagian added the release-note/misc This PR makes changes that have no direct user impact. label Nov 16, 2024
@tpapagian tpapagian force-pushed the pr/apapag/reverse_policy_id_map branch 2 times, most recently from a6e138f to 0350886 Compare November 21, 2024 09:43
@tpapagian tpapagian force-pushed the pr/apapag/reverse_policy_id_map branch from 0350886 to 9a9bfd1 Compare November 28, 2024 08:20
@tpapagian tpapagian force-pushed the pr/apapag/reverse_policy_id_map branch 4 times, most recently from edb12b0 to 1833233 Compare December 13, 2024 09:35
Copy link

netlify bot commented Dec 13, 2024

Deploy Preview for tetragon ready!

Name Link
🔨 Latest commit 06d4488
🔍 Latest deploy log https://app.netlify.com/sites/tetragon/deploys/676186f6db7a8d00088a642f
😎 Deploy Preview https://deploy-preview-3122--tetragon.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@tpapagian tpapagian force-pushed the pr/apapag/reverse_policy_id_map branch from 1833233 to 6d7bb31 Compare December 13, 2024 10:15
@tpapagian tpapagian changed the title Test Add tetra policyfilter listpolicies command Dec 13, 2024
@tpapagian tpapagian requested a review from kkourt December 13, 2024 10:43
@tpapagian tpapagian marked this pull request as ready for review December 13, 2024 10:43
@tpapagian tpapagian requested a review from a team as a code owner December 13, 2024 10:43
@tpapagian tpapagian force-pushed the pr/apapag/reverse_policy_id_map branch from 6d7bb31 to 0de3361 Compare December 16, 2024 16:14
@tpapagian tpapagian requested a review from mtardy as a code owner December 16, 2024 16:14
This patch introduces an eBPF map that maps cgroupIds to policyIds. This
is handled from the user-space in a similar way to policy_filter_maps.

This can be used on later PRs to quickly indentify policies that match a
spoecific container or optimize tracing policies.

Signed-off-by: Anastasios Papagiannis <[email protected]>
It is useful to have a debug command to indentify which Kubernetes
Identity Aware policies should be applied on a specific container. An
example can be found here:

Create a pod with "app: ubuntu" and "usage: dev" labels.

$ cat << EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: ubuntu
  labels:
    app: ubuntu
    usage: dev
spec:
  containers:
  - name: ubuntu
    image: ubuntu:24.10
    command: ["/bin/sleep", "3650d"]
    imagePullPolicy: IfNotPresent
  restartPolicy: Always
EOF

And apply several policies where some of them match while others don't.

$ cat << EOF | kubectl apply -f -
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "lseek-podfilter-app"
spec:
  podSelector:
    matchLabels:
      app: "ubuntu"
  kprobes:
    [...]
EOF
$ cat << EOF | kubectl apply -f -
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "lseek-podfilter-usage"
spec:
  podSelector:
    matchLabels:
      usage: "dev"
  kprobes:
    [...]
EOF
$ cat << EOF | kubectl apply -f -
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "lseek-podfilter-prod"
spec:
  podSelector:
    matchLabels:
      prod: "true"
  kprobes:
    [...]
EOF
$ cat << EOF | kubectl apply -f -
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "lseek-podfilter-info"
spec:
  podSelector:
    matchLabels:
      info: "broken"
  kprobes:
    [...]
EOF
$ cat << EOF | kubectl apply -f -
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "lseek-podfilter-global"
spec:
  kprobes:
    [...]
EOF

Based on the labels we expect that policies lseek-podfilter-app and
lseek-podfilter-usage to match on that pod. lseek-podfilter-global is
not a Kubernetes Identity Aware policy so this will be applied in all
cases and we do not report that.

First step is to find the container ID that we care about.

$ kubectl describe pod/ubuntu | grep containerd
    Container ID:  containerd://ff433e9e16467787a60ac853d9b313150091968731f620776d6d7c514b1e8d6c

And then use it to report all Kubernetes Identity Aware policies that
match.

$ kubectl exec -it ds/tetragon -n kube-system -c tetragon -- tetra policyfilter -r "unix:///procRoot/1/root/run/containerd/containerd.sock" listpolicies ff433e9e16467787a60ac853d9b313150091968731f620776d6d7c514b1e8d6c
ID   NAME                    STATE     FILTERID   NAMESPACE   SENSORS          KERNELMEMORY
5    lseek-podfilter-usage   enabled   5          (global)    generic_kprobe   1.72 MB
1    lseek-podfilter-app     enabled   1          (global)    generic_kprobe   1.72 MB

We also provide --debug flag to provide more details i.e.:

$ kubectl exec -it ds/tetragon -n kube-system -c tetragon -- tetra policyfilter -r "unix:///procRoot/1/root/run/containerd/containerd.sock" listpolicies ff433e9e16467787a60ac853d9b313150091968731f620776d6d7c514b1e8d6c --debug
time="2024-12-13T09:47:38Z" level=info msg=cgroup path=/run/tetragon/cgroup2/kubepods.slice/kubepods-besteffort.slice/kubepods-besteffort-pod189a8053_9f36_4250_bcae_9ed167172920.slice/cri-containerd-ff433e9e16467787a60ac853d9b313150091968731f620776d6d7c514b1e8d6c.scope
time="2024-12-13T09:47:38Z" level=info msg=cgroup id=5695
time="2024-12-13T09:47:39Z" level=debug msg="resolved server address using info file" InitInfoFile=/var/run/tetragon/tetragon-info.json ServerAddress="localhost:54321"
ID   NAME                    STATE     FILTERID   NAMESPACE   SENSORS          KERNELMEMORY
1    lseek-podfilter-app     enabled   1          (global)    generic_kprobe   1.72 MB
5    lseek-podfilter-usage   enabled   5          (global)    generic_kprobe   1.72 MB

This uses a reverse policy filter map that introduced in a previous
commit and maps cgroupIds to policyIds.

Signed-off-by: Anastasios Papagiannis <[email protected]>
By adding a command line argument (and the appropriate configmap option).

Signed-off-by: Anastasios Papagiannis <[email protected]>
@tpapagian tpapagian force-pushed the pr/apapag/reverse_policy_id_map branch from 0de3361 to 06d4488 Compare December 17, 2024 14:13
__type(value, __u8); /* empty */
});
} policy_filter_reverse_maps SEC(".maps");

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think naming the map "reverse" will make the code/etc. harder to understand.
How about cgroup_policies or policyfilter_cgoup_policies?
What do you think?

ids := make([]string, 0, len(cgIDs))
for id := range cgIDs {
ids = append(ids, strconv.FormatUint(uint64(id), 10))
}
fmt.Printf("%d: %s\n", polId, strings.Join(ids, ","))
}

fmt.Println("--- Reverse Map ---")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Even if we do not rename the map I find that "Direct" and "Reverse" would make things harder to understand. Let's describe what is the key and what is the value here to make it easier to understand the output.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
release-note/misc This PR makes changes that have no direct user impact.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants