policyfilter improvements#1038
Merged
Merged
Conversation
kkourt
marked this pull request as draft
May 31, 2023 11:13
kkourt
force-pushed
the
pr/kkourt/policyfilter-improvements
branch
4 times, most recently
from
May 31, 2023 12:42
055bc63 to
725b3cf
Compare
kkourt
marked this pull request as ready for review
May 31, 2023 13:28
willfindlay
approved these changes
May 31, 2023
willfindlay
left a comment
Contributor
There was a problem hiding this comment.
e2e tests and e2e changes LGTM. Thanks a lot for the bug fixes btw 🚀
tpapagian
reviewed
Jun 1, 2023
tpapagian
approved these changes
Jun 1, 2023
Testing indicated that we were not removing the policy from the policyfilter state, when the sensor manager was deleting a policy. We do so in this patch. We add two more fields in the collection struct: an error and the filter id. We use the error to mark errors when we try to delete a policy, and the filter id to delete the policy from the policyfilter state. For now, we expose these fields in the Info() field of TracingPolicyStatus. Eventually, we probably want to have them as part of the proto spec. Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com>
Set the wait flag to wait when for the pod to be ready when starting it. We 've observed flakes on the skeleton test, so they could be potentially caused by starting the test when the pod is not ready yet. Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com>
While we check whether the checker implements GetRemainingChecks, we still call the method if it does implement it which leads to a nil dereference. This patch voids that by returning. Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com>
Previous version of RPCChecker failed when we hit the time limit or the event limit. This breaks the MultiEventChecker semantics and makes it difficult to check for the absence of events. This patch, changes RPCChecker's behavior so that if it terminates due to a time or event limit, it returns the value of FinalCheck(). Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com>
This patch adds operation metrics to the policfilter operations. We maintain a counter using the subsystem (currently pod-handlers or rthooks), the operation, and the error (including the case where error was nil) as labels. Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com>
This patch adds a WaitForTracingPolicy function that: connects to all tetragon pods via the gRPC port that was port-forwarded, and ensures that a policy with the provided name exists in the agent. This is going to be used in subsequent patches. Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com>
policyfilter is the underlying mechanism for implementing namespaced policies and pod label fitlers. Enable it for our e2e tests. Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com>
Add an e2e test for namespaced policies. The test: - creates two namespaces and start a pod in each of them - installs a policy for monitoring syscalls in one of them - checks that we get events only from that namespace, and not the other. Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com>
This patch adds a pod label filter test to the policyfilter e2e test. Idea is: - create a namespace - install a namespaced policy with pod label filter in that namespace (on sys_exit) - create two pods, one that matches the policy and one that does not - check that we only receive events from the first We use sys_exit here to make it easier to dinguish with the namespace test which uses sys_enter. Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com>
The code that reads the flag, uses KeyOutput (which is set to "output"), so use the same in the code that sets the flag. Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com>
This patch adds an --output flag for listing tracing policies in a JSON format. Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com>
Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com>
A test failure had goroutines blocked on starting the stt manager. stt manager is no longer used. It was also based on the old sensor design and we would need to rethink how to implement it. For now, just remove it. Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com>
kkourt
force-pushed
the
pr/kkourt/policyfilter-improvements
branch
from
June 1, 2023 09:11
725b3cf to
99d81ba
Compare
4 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR includes several improvements for polcyfilter.
There were some modifications needed in the e2e tests for the second bullet. Please review patch-by-patch.