Merge pull request #329 from kubescape/include

skip ContainerCallback events for NS everywhere
kubescape · Jul 17, 2024 · 98feb0a · 98feb0a
2 parents dd748f4 + 6ed46a9
commit 98feb0a
Show file tree

Hide file tree

Showing 8 changed files with 35 additions and 3 deletions.
diff --git a/main.go b/main.go
@@ -199,7 +199,7 @@ func main() {
 		exporter := exporters.InitExporters(cfg.Exporters, clusterData.ClusterName, nodeName)
 
 		// create runtimeDetection managers
-		ruleManager, err = rulemanagerv1.CreateRuleManager(ctx, k8sClient, ruleBindingCache, objCache, exporter, prometheusExporter, nodeName, clusterData.ClusterName)
+		ruleManager, err = rulemanagerv1.CreateRuleManager(ctx, cfg, k8sClient, ruleBindingCache, objCache, exporter, prometheusExporter, nodeName, clusterData.ClusterName)
 		if err != nil {
 			logger.L().Ctx(ctx).Fatal("error creating RuleManager", helpers.Error(err))
 		}

diff --git a/pkg/applicationprofilemanager/v1/applicationprofile_manager.go b/pkg/applicationprofilemanager/v1/applicationprofile_manager.go
@@ -589,6 +589,11 @@ func (am *ApplicationProfileManager) waitForContainer(k8sContainerID string) err
 }
 
 func (am *ApplicationProfileManager) ContainerCallback(notif containercollection.PubSubEvent) {
+	// check if the container should be ignored
+	if am.cfg.SkipNamespace(notif.Container.K8s.Namespace) {
+		return
+	}
+
 	k8sContainerID := utils.CreateK8sContainerID(notif.Container.K8s.Namespace, notif.Container.K8s.PodName, notif.Container.K8s.ContainerName)
 	ctx, span := otel.Tracer("").Start(am.ctx, "ApplicationProfileManager.ContainerCallback", trace.WithAttributes(attribute.String("containerID", notif.Container.Runtime.ContainerID), attribute.String("k8s workload", k8sContainerID)))
 	defer span.End()

diff --git a/pkg/containerwatcher/v1/container_watcher_private.go b/pkg/containerwatcher/v1/container_watcher_private.go
@@ -21,7 +21,6 @@ const (
 )
 
 func (ch *IGContainerWatcher) containerCallback(notif containercollection.PubSubEvent) {
-
 	// check if the container should be ignored
 	if ch.ignoreContainer(notif.Container.K8s.Namespace, notif.Container.K8s.PodName) {
 		// avoid loops when the container is being removed

diff --git a/pkg/malwaremanager/v1/malware_manager.go b/pkg/malwaremanager/v1/malware_manager.go
@@ -70,6 +70,11 @@ func CreateMalwareManager(cfg config.Config, k8sClient k8sclient.K8sClientInterf
 }
 
 func (mm *MalwareManager) ContainerCallback(notif containercollection.PubSubEvent) {
+	// check if the container should be ignored
+	if mm.cfg.SkipNamespace(notif.Container.K8s.Namespace) {
+		return
+	}
+
 	t := time.NewTicker(mm.cfg.InitialDelay)
 
 	switch notif.Type {

diff --git a/pkg/networkmanager/v1/network_manager.go b/pkg/networkmanager/v1/network_manager.go
@@ -76,6 +76,11 @@ func CreateNetworkManager(ctx context.Context, cfg config.Config, k8sClient k8sc
 }
 
 func (am *NetworkManager) ContainerCallback(notif containercollection.PubSubEvent) {
+	// check if the container should be ignored
+	if am.cfg.SkipNamespace(notif.Container.K8s.Namespace) {
+		return
+	}
+
 	k8sContainerID := utils.CreateK8sContainerID(notif.Container.K8s.Namespace, notif.Container.K8s.PodName, notif.Container.K8s.ContainerName)
 	ctx, span := otel.Tracer("").Start(am.ctx, "NetworkManager.ContainerCallback", trace.WithAttributes(attribute.String("containerID", notif.Container.Runtime.ContainerID), attribute.String("k8s workload", k8sContainerID)))
 	defer span.End()

diff --git a/pkg/networkmanager/v2/network_manager.go b/pkg/networkmanager/v2/network_manager.go
@@ -492,6 +492,11 @@ func (nm *NetworkManager) waitForContainer(k8sContainerID string) error {
 }
 
 func (nm *NetworkManager) ContainerCallback(notif containercollection.PubSubEvent) {
+	// check if the container should be ignored
+	if nm.cfg.SkipNamespace(notif.Container.K8s.Namespace) {
+		return
+	}
+
 	k8sContainerID := utils.CreateK8sContainerID(notif.Container.K8s.Namespace, notif.Container.K8s.PodName, notif.Container.K8s.ContainerName)
 	ctx, span := otel.Tracer("").Start(nm.ctx, "NetworkManager.ContainerCallback", trace.WithAttributes(attribute.String("containerID", notif.Container.Runtime.ContainerID), attribute.String("k8s workload", k8sContainerID)))
 	defer span.End()

diff --git a/pkg/relevancymanager/v1/relevancy_manager.go b/pkg/relevancymanager/v1/relevancy_manager.go
@@ -314,6 +314,11 @@ func (rm *RelevancyManager) startRelevancyProcess(ctx context.Context, container
 }
 
 func (rm *RelevancyManager) ContainerCallback(notif containercollection.PubSubEvent) {
+	// check if the container should be ignored
+	if rm.cfg.SkipNamespace(notif.Container.K8s.Namespace) {
+		return
+	}
+
 	k8sContainerID := utils.CreateK8sContainerID(notif.Container.K8s.Namespace, notif.Container.K8s.PodName, notif.Container.K8s.ContainerName)
 	// ignore pre-running containers
 	if rm.preRunningContainerIDs.Contains(notif.Container.Runtime.ContainerID) {

diff --git a/pkg/rulemanager/v1/rule_manager.go b/pkg/rulemanager/v1/rule_manager.go
@@ -7,6 +7,7 @@ import (
 	"path/filepath"
 	"time"
 
+	"github.com/kubescape/node-agent/pkg/config"
 	"github.com/kubescape/node-agent/pkg/exporters"
 	"github.com/kubescape/node-agent/pkg/k8sclient"
 	"github.com/kubescape/node-agent/pkg/ruleengine"
@@ -50,6 +51,7 @@ import (
 )
 
 type RuleManager struct {
+	cfg                      config.Config
 	watchedContainerChannels maps.SafeMap[string, chan error] // key is k8sContainerID
 	ruleBindingCache         bindingcache.RuleBindingCache
 	trackedContainers        mapset.Set[string] // key is k8sContainerID
@@ -69,8 +71,9 @@ type RuleManager struct {
 
 var _ rulemanager.RuleManagerClient = (*RuleManager)(nil)
 
-func CreateRuleManager(ctx context.Context, k8sClient k8sclient.K8sClientInterface, ruleBindingCache bindingcache.RuleBindingCache, objectCache objectcache.ObjectCache, exporter exporters.Exporter, metrics metricsmanager.MetricsManager, nodeName string, clusterName string) (*RuleManager, error) {
+func CreateRuleManager(ctx context.Context, cfg config.Config, k8sClient k8sclient.K8sClientInterface, ruleBindingCache bindingcache.RuleBindingCache, objectCache objectcache.ObjectCache, exporter exporters.Exporter, metrics metricsmanager.MetricsManager, nodeName string, clusterName string) (*RuleManager, error) {
 	return &RuleManager{
+		cfg:               cfg,
 		ctx:               ctx,
 		k8sClient:         k8sClient,
 		containerMutexes:  storageUtils.NewMapMutex[string](),
@@ -246,6 +249,11 @@ func (rm *RuleManager) deleteResources(watchedContainer *utils.WatchedContainerD
 }
 
 func (rm *RuleManager) ContainerCallback(notif containercollection.PubSubEvent) {
+	// check if the container should be ignored
+	if rm.cfg.SkipNamespace(notif.Container.K8s.Namespace) {
+		return
+	}
+
 	k8sContainerID := utils.CreateK8sContainerID(notif.Container.K8s.Namespace, notif.Container.K8s.PodName, notif.Container.K8s.ContainerName)
 
 	switch notif.Type {