Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Kubernetes filters to scopes #3711

Open
michaelkatch opened this issue Nov 27, 2023 · 5 comments
Open

Add Kubernetes filters to scopes #3711

michaelkatch opened this issue Nov 27, 2023 · 5 comments
Labels
kind/feature

Comments

@michaelkatch
Copy link
Contributor

As of today, when using tracee on k8s we can filter events based on the pod namespace (as attached on the picture)
image

Lately, we have encountered numerous situations where we need to trace events and signatures only from a specific pod namespace.
Cloud you please add this ability to the scope so we could filter the whole policy?
Attaching the desired outcome:
image

Thank you
@NDStrahilevitz NDStrahilevitz changed the title Add Kubernetes Pod Namespace to scopes Add Kubernetes filters to scopes Nov 27, 2023
@NDStrahilevitz
Copy link
Collaborator

I think all of our kubernetes fields would be useful for scope filtering so may as well generalize the issue, especially since they are all userspace filters. However, we currently don't have userland scope filters so this can either be done as part of #2675 or on its own.
Also related: #3553.

@rafaeldtinoco
Copy link
Contributor

I think all of our kubernetes fields would be useful for scope filtering so may as well generalize the issue, especially since they are all userspace filters. However, we currently don't have userland scope filters so this can either be done as part of #2675 or on its own. Also related: #3553.

I would say #2675 should be related to the trie datasource for in-kernel string filtering with wildcards we discussed.

Maybe this issue can be a issue to treat ANY event context filter in scopes ? This would be like adding the filters=XXX to all all filters within a policy, correct ? @geyslan should also take a look at this one.

@geyslan
Copy link
Member

geyslan commented Nov 28, 2023

I think all of our kubernetes fields would be useful for scope filtering so may as well generalize the issue, especially since they are all userspace filters. However, we currently don't have userland scope filters so this can either be done as part of #2675 or on its own. Also related: #3553.

I would say #2675 should be related to the trie datasource for in-kernel string filtering with wildcards we discussed.

Maybe this issue can be a issue to treat ANY event context filter in scopes ? This would be like adding the filters=XXX to all all filters within a policy, correct ? @geyslan should also take a look at this one.

Yes, they're all related. The ultimate goal is to convert all (or the majority of) filters to bpf land. But @michaelkatch I wonder if it's not currently possible to do what you asked for:

Cloud you please add this ability to the scope so we could filter the whole policy?

@josedonizetti, are policies able to define filters in the mentioned way?

@NDStrahilevitz
Copy link
Collaborator

NDStrahilevitz commented Nov 29, 2023
edited
Loading

@josedonizetti, are policies able to define filters in the mentioned way?

Not Jose, but we have the scope section, this would go there. But these fields aren't defined for that section right now if that's what you asked.

I would say #2675 should be related to the trie datasource for in-kernel string filtering with wildcards we discussed.

I think the trie would be how this is implemented, not sure how the data sources feature relate to this.

Maybe this issue can be a issue to treat ANY event context filter in scopes ? This would be like adding the filters=XXX to all all filters within a policy, correct ? @geyslan should also take a look at this one.

I agree, I think the current separation should be fixed if we can. That way any new filter we add can be easily applied both ways.

@rafaeldtinoco
Copy link
Contributor

I think the trie would be how this is implemented, not sure how the data sources feature relate to this.

I meant data structure =D (dyslexia won).

@yanivagman yanivagman mentioned this issue May 9, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/feature
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@josedonizetti @geyslan @rafaeldtinoco @NDStrahilevitz @michaelkatch