feat(mirror): read-only capture tap spec (NET_RAW-hardened context + pinned capture image + CaptureCommand)#5703
…pinned capture image, CaptureCommand The injected tap ephemeral container now carries a hardened, non-configurable security context (drop ALL / add NET_RAW, no privilege escalation, read-only root filesystem, RuntimeDefault seccomp) — NET_RAW being the one capability passive pcap capture needs — and defaults to a pinned capture-capable image (nicolaka/netshoot:v0.16, carries tcpdump; WithTapImage still overrides). CaptureCommand builds the validated tcpdump invocation (unbuffered pcap to stdout, non-promiscuous, scoped to the target TCP port) that the upcoming exec-stream increment runs inside the tap. Capture design recorded on the epic: passive pcap via NET_RAW over the embedded exec channel; no reverse tunnel needed for mirror-only mode. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Code coverage (Go): the overall coverage in the branch remains at 64%, unchanged.
Walkthrough: adds mirror capture and tap hardening. Estimated code review effort: 3 (Moderate), ~25 minutes.

Sequence diagram:

```mermaid
sequenceDiagram
    participant Caller
    participant CaptureCommand
    participant InjectTap
    participant TapContainer
    Caller->>CaptureCommand: CaptureCommand(port)
    CaptureCommand->>CaptureCommand: validate port range
    CaptureCommand-->>Caller: tcpdump argv or ErrInvalidCapturePort
    Caller->>InjectTap: InjectTap(...)
    InjectTap->>InjectTap: tapSecurityContext()
    InjectTap->>TapContainer: create EphemeralContainer(image, securityContext)
    TapContainer-->>InjectTap: container injected (sleep infinity)
```

Fixes #5702. Part of #4521 (P1 mirror-only); follows #5685's InjectTap/WaitForTap.

What

- `capabilities: {drop: [ALL], add: [NET_RAW]}`, `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true`, and `seccompProfile: RuntimeDefault`. NET_RAW is the one capability passive pcap capture needs; the read-only guarantee of mirror mode rests on the tap never holding more.
- `DefaultTapImage` moves from `alpine:latest` (inert placeholder, no capture tooling, floating tag) to `docker.io/nicolaka/netshoot:v0.16` — the de-facto standard network-debug image, carries tcpdump, pinned to a release tag. `WithTapImage` still overrides.
- `apk add tcpdump` (network-dependent, mutates the container, defeats the read-only root fs).
- `CaptureCommand(port)`: builds the validated tcpdump invocation the upcoming exec-stream increment runs inside the tap — `tcpdump -p -i any -U -w - tcp port <n>` (unbuffered pcap to stdout, non-promiscuous, scoped to the target TCP port).

Notes

- `sleep infinity` stays the inert injection command, so `WaitForTap` semantics are untouched. Capture runs as a later exec, not as the container command — injection and capture lifecycles stay independent.
- `restricted` Pod Security profile; mirror is a dev-cluster inner-loop tool, and the failure mode is an explicit admission error, not silent breakage.

Validation

- `go build ./...` green; `go test ./pkg/svc/...` 4459 passed / 78 packages; `golangci-lint run ./pkg/svc/mirror/...` 0 issues.
- `TestCaptureCommand_*` (invocation shape, port bounds, rejection) and `assertHardenedTapSecurityContext` pinning the security context in `TestInjectTapDefaults`.

Next increments (per #5702)

- `pcapgo` reader — new Go dep, will be flagged.
- `workload mirror` CLI wiring.
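As an added illustration (not the project's own code), a self-contained Go sketch of the two pieces this PR describes: the validated tcpdump invocation, and a check that a tap security context still matches the pinned, least-privilege shape. `TapSecurityContext` is an assumed stand-in for `corev1.SecurityContext`, and the function names echo the PR's but the bodies are illustrative.

```go
package main

import (
	"errors"
	"fmt"
)

var ErrInvalidCapturePort = errors.New("mirror: capture port out of range")

// CaptureCommand builds the tcpdump argv the PR describes: -p non-promiscuous, -i any,
// -U unbuffered, -w - pcap to stdout, filtered to one TCP port in 1..65535.
func CaptureCommand(port int) ([]string, error) {
	if port < 1 || port > 65535 {
		return nil, fmt.Errorf("%w: %d", ErrInvalidCapturePort, port)
	}
	return []string{"tcpdump", "-p", "-i", "any", "-U", "-w", "-", "tcp", "port", fmt.Sprint(port)}, nil
}

// TapSecurityContext is an assumed stand-in for corev1.SecurityContext, reduced to the pinned fields.
type TapSecurityContext struct {
	Drop, Add                []string
	AllowPrivilegeEscalation bool
	ReadOnlyRootFilesystem   bool
	SeccompProfile           string
}

// HardenedTapSecurityContext returns the non-configurable shape the PR pins on the tap.
func HardenedTapSecurityContext() TapSecurityContext {
	return TapSecurityContext{Drop: []string{"ALL"}, Add: []string{"NET_RAW"},
		ReadOnlyRootFilesystem: true, SeccompProfile: "RuntimeDefault"}
}

// CheckHardened lists each deviation from the pinned shape; an empty result means the
// tap holds nothing beyond what passive capture needs (the read-only guarantee).
func CheckHardened(sc TapSecurityContext) []string {
	checks := []struct{ ok bool; msg string }{
		{len(sc.Drop) == 1 && sc.Drop[0] == "ALL", "capabilities.drop must be exactly [ALL]"},
		{len(sc.Add) == 1 && sc.Add[0] == "NET_RAW", "capabilities.add must be exactly [NET_RAW]"},
		{!sc.AllowPrivilegeEscalation, "allowPrivilegeEscalation must be false"},
		{sc.ReadOnlyRootFilesystem, "readOnlyRootFilesystem must be true"},
		{sc.SeccompProfile == "RuntimeDefault", "seccompProfile must be RuntimeDefault"},
	}
	var problems []string
	for _, c := range checks {
		if !c.ok {
			problems = append(problems, c.msg)
		}
	}
	return problems
}
```

The check is the shape `assertHardenedTapSecurityContext` would pin in a test: any drift (an extra capability, privilege escalation re-enabled, a writable root fs) surfaces as a named problem rather than a silently weaker tap.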