-
Notifications
You must be signed in to change notification settings - Fork 394
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add Kubernetes filters to scopes #3711
Comments
I would say #2675 should be related to the trie datasource for in-kernel string filtering with wildcards we discussed. Maybe this issue can be a issue to treat ANY event context filter in scopes ? This would be like adding the filters=XXX to all all filters within a policy, correct ? @geyslan should also take a look at this one. |
Yes, they're all related. The ultimate goal is to convert all (or the majority of) filters to bpf land. But @michaelkatch I wonder if it's not currently possible to do what you asked for:
@josedonizetti, are policies able to define filters in the mentioned way? |
Not Jose, but we have the scope section, this would go there. But these fields aren't defined for that section right now if that's what you asked.
I think the trie would be how this is implemented, not sure how the data sources feature relate to this.
I agree, I think the current separation should be fixed if we can. That way any new filter we add can be easily applied both ways. |
I meant data structure =D (dyslexia won). |
As of today, when using tracee on k8s we can filter events based on the pod namespace (as attached on the picture)
![image](https://private-user-images.githubusercontent.com/70207874/285857241-efb4a060-77bc-419a-a243-8ed59c51a6a1.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MTk4OTk1ODAsIm5iZiI6MTcxOTg5OTI4MCwicGF0aCI6Ii83MDIwNzg3NC8yODU4NTcyNDEtZWZiNGEwNjAtNzdiYy00MTlhLWEyNDMtOGVkNTljNTFhNmExLnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNDA3MDIlMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjQwNzAyVDA1NDgwMFomWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPWFkNjUwM2RiZjM0NWVmMzZhYTk2YjYxNjlkZDM2MmI3YmU5ZGM1ZjlhMzg2ZDlkNjAxNjVmOGJkZDJjYmI4ODMmWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0JmFjdG9yX2lkPTAma2V5X2lkPTAmcmVwb19pZD0wIn0.wOR4txaqMPSr1XFbyUw3xLSzZw90lkSMaTwHXBaJAiY)
Lately, we have encountered numerous situations where we need to trace events and signatures only from a specific pod namespace.
![image](https://private-user-images.githubusercontent.com/70207874/285859204-05560664-4b54-4038-9522-19d964c714c9.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MTk4OTk1ODAsIm5iZiI6MTcxOTg5OTI4MCwicGF0aCI6Ii83MDIwNzg3NC8yODU4NTkyMDQtMDU1NjA2NjQtNGI1NC00MDM4LTk1MjItMTlkOTY0YzcxNGM5LnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNDA3MDIlMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjQwNzAyVDA1NDgwMFomWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPTQyYzllN2Y5NWVjY2M2OTM3YzY0ZTI1NDIwN2UzNWJjZjlhZmI4OGNiMjBlYTgyN2UzMmI2YjBiZTc2OTM4ZjgmWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0JmFjdG9yX2lkPTAma2V5X2lkPTAmcmVwb19pZD0wIn0.Rv2yPuzi_lWjeRpkwH4oJO3dcanRy3_0z_Z6jn6U2fg)
Cloud you please add this ability to the scope so we could filter the whole policy?
Attaching the desired outcome:
Thank you
The text was updated successfully, but these errors were encountered: