configurable policy mode #3393
Open
configurable policy mode #3393
+3,624
−1,430
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
kkourt
force-pushed
the
pr/kkourt/policy-mode
branch
from
713700f to
f57c7e8
Compare
✅ Deploy Preview for tetragon ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
kkourt
force-pushed
the
pr/kkourt/policy-mode
branch
2 times, most recently
from
c037ddd to
259cc53
Compare
kkourt
added
the
release-note/minor
✅ Deploy Preview for tetragon ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
kkourt
force-pushed
the
pr/kkourt/policy-mode
branch
from
ea0095c to
736c8ed
Compare
Fix uprobe name (generic_uprobe instead of generic_lsm) and reject the policy if a uprobe section is defined together with another section type. Signed-off-by: Kornilios Kourtis <[email protected]>
This commit groups all policy information into a single struct and passes it to the sensor creating functions. No functional changes. Signed-off-by: Kornilios Kourtis <[email protected]>
kkourt
force-pushed
the
pr/kkourt/policy-mode
branch
from
736c8ed to
c270478
Compare
kkourt
added
release-note/major
This map is meant to hold policy configuration. For now, it only includes "mode" which is used to set a policy to "monitoring", which disables enforcement. Signed-off-by: Kornilios Kourtis <[email protected]>
Add the policy conf map to the various tracing sensors. To do so, we add the mapBuilder method in policyInfo that can be used to build a policy-specific map. In the first call, the program will be the creater will in all subsequent calls the program will be the user. This approach will also work if at some point we lift the limitation of not combining multiple program types (e.g., kprobes and tracepoints) in a single policy. Signed-off-by: Kornilios Kourtis <[email protected]>
kkourt
force-pushed
the
pr/kkourt/policy-mode
branch
from
c270478 to
dee160d
Compare
kkourt
force-pushed
the
pr/kkourt/policy-mode
branch
2 times, most recently
from
59b573d to
ad825f0
Compare
Spec options are policy-wide, so place them in the policyInfo struct. They will be used in a subsequent patch to configure the policy mode. No functional changes. Signed-off-by: Kornilios Kourtis <[email protected]>
This commits allows configuring the policy mode as part of the policy.
Example:
```
apiVersion: cilium.io/v1alpha1
kind: TracingPolicyNamespaced
metadata:
name: "enforce-test"
namespace: "pizza"
spec:
options:
- name: "policy-mode"
value: "enforce"
kprobes:
...
```
Signed-off-by: Kornilios Kourtis <[email protected]>
Add TracingPolicyMode in protobuf file. Signed-off-by: Kornilios Kourtis <[email protected]>
Signed-off-by: Kornilios Kourtis <[email protected]>
This commit adds fills the poilcy mode in the gRPC request. It can now be observed using: tetra tracingpolicy list -o json Had to move some things around to break import cycles. Also, created some helpers under pkg/tracingpolicy. Subsequent patches will add the field in the table output as well. Signed-off-by: Kornilios Kourtis <[email protected]>
Add mode column for text mode Signed-off-by: Kornilios Kourtis <[email protected]>
This commit adds the ability to load a policy with a specific mode via the CLI. It is implemented by manipulating the yaml file, and adding the policy in the options. An alternative approach would be to add the mode as part of AddTracingPolicyRequest gRPC request, but that would require changing the PolicyHandler interface and caused a lot of churn. We can always add it later. I also made a deliberate choice to not use the TracingPolicy type, and avoid a dependence on all the k8s code and instead use a generic type. This has the additional benefit of producing nice yaml output. A new modify command is added, that can be used to output the resulting policy. Signed-off-by: Kornilios Kourtis <[email protected]>
Add a new gRPC operation for configuring a traicng policy. We can use this also for enable,disable, as well as future configurations. Deprecate the Enable/Disable calls. Signed-off-by: Kornilios Kourtis <[email protected]>
Signed-off-by: Kornilios Kourtis <[email protected]>
No functional changes. This is meant to make subsequent changes clearer. Signed-off-by: Kornilios Kourtis <[email protected]>
Add a function to set the mode of a policy. Signed-off-by: Kornilios Kourtis <[email protected]>
Signed-off-by: Kornilios Kourtis <[email protected]>
Implement the ConfigureTracingPolicy gRPC call in the tetragon gRPC server. Signed-off-by: Kornilios Kourtis <[email protected]>
Use ConfigureTracingPolicy for enable/disable instead of the now-deprecated calls. Signed-off-by: Kornilios Kourtis <[email protected]>
Refactor commands code so that each command has its own function (and scope). No functional changes. Signed-off-by: Kornilios Kourtis <[email protected]>
Now that each command has its own scope, rename variables to something that's easier for the eyes. Signed-off-by: Kornilios Kourtis <[email protected]>
Use a common tpConfigure function for enable/disable. Next commit is also going to use it for setting the mode. Signed-off-by: Kornilios Kourtis <[email protected]>
Add a command to set the mode of a policy. Signed-off-by: Kornilios Kourtis <[email protected]>
Add a simple program that sends a SIGKILL to itself. It's to be used in a subsequent commit. Signed-off-by: Kornilios Kourtis <[email protected]>
Add a exec_mayfail command. It is meant to be used to test the SIGKILL action. Add a test using raisesigkillProg Signed-off-by: Kornilios Kourtis <[email protected]>
Move a testing helper function from cgtracker_test, to its own package in testutils so that it can be used by other tests in subsequent patches. Signed-off-by: Kornilios Kourtis <[email protected]>
kkourt
force-pushed
the
pr/kkourt/policy-mode
branch
from
ad825f0 to
f58b845
Compare
|
Setting to draft mode until I figure out the test failures. It should be in a good state to review though. |
Add yet another helper function for testing. The main idea here is to use the policyfilter mechanism to only apply policies to a certain cgroup. This way, we can just load a policy that only affects the tester program. Signed-off-by: Kornilios Kourtis <[email protected]>
Add a test for switching from enforcement to monitor and back to enforcement mode. The test tests sigkill enforcement. Signed-off-by: Kornilios Kourtis <[email protected]>
Needed for the next commit. Signed-off-by: Kornilios Kourtis <[email protected]>
This commit adds two helper functions for the enforcer map. They will be used by subsequent patches. Signed-off-by: Kornilios Kourtis <[email protected]>
Add a second test for the policy mode test. This test the override and enforcer actions. Because they do not kill the process, the way we check for them is different than the sigkill test. For override, we just check the error that is printed in stdout. For enforcer, we check the enforcer map contents. Signed-off-by: Kornilios Kourtis <[email protected]>
Signed-off-by: Kornilios Kourtis <[email protected]>
kkourt
force-pushed
the
pr/kkourt/policy-mode
branch
from
f58b845 to
aca38c0
Compare
|
Fixed the test issue and undrafted. |
|
looks great, from quick test when loading: I'm getting enforce mode: could we detect sigkill or enforce in the policy and guess proper mode when loading and mode option is not set? |
olsajiri
approved these changes
Feb 21, 2025
| @@ -354,11 +355,13 @@ do_action(void *ctx, __u32 i, struct selector_action *actions, bool *post) | |||
| case ACTION_SIGNAL: | |||
| signal = actions->act[++i]; | |||
| case ACTION_SIGKILL: | |||
| do_action_signal(signal); | |||
| if (!monitor_mode) | |||
There was a problem hiding this comment.
nit, would it be more straightforward to pass bool enforce_mode so we wou;dn't need to do the negated condition al lthe time?
pkg/tracingpolicy/mode.go
Outdated
| @@ -1,26 +0,0 @@ | |||
| // SPDX-License-Identifier: Apache-2.0 | |||
There was a problem hiding this comment.
let's not add this file in the first place?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add a policy mode that can set a policy to either monitor or enforcement mode.
See commits.