examples: Add trace network with container filter #2599
Conversation
I left some comments on network.go (so you can change your implementation too).
Some broader comments before continue reviewing:
-
If you want to polish this PR to merge it, that's fine for me, I'll review it, but please consider we're in the process of moving to image-based gadgets and implementing a golang API for them, once that's done, we'll deprecate and remove the built-in gadgets (API being used by this example).
-
We're trying to create a much easier to consume API for the gadgets. Things like setting the operators, connecting the socket enricher to the tracer and so on should be handled automatically by us. We'd love to have feedback from users of our API; if you're willing, I'll ping you once we have something to test.
-
Are you interested in enriching the IP addresses to K8s svc / pod names? You can see how it's done in https://github.com/inspektor-gadget/inspektor-gadget/blob/main/pkg/gadget-collection/gadgets/trace/network/gadget.go#L123-L139.
@alban do you have any comments on this example?
I agree with your comments. Hopefully the new Golang API will make it easier to consume IG packages. Meanwhile, it is good to have this example. And once the new Golang API is ready, the example code in network.go should be a lot fewer lines of code.
Thanks for the heads up @mauriciovasquezbernal about breaking changes in the internal APIs. I'd love to see and evaluate new APIs that encapsulate the nitty-gritty details of container and Kubernetes enrichment. We've been evaluating IG for its efficient container enrichment APIs and to collect golden signals for security monitoring (exec, network, open, capabilities, etc.). We'd also want to deploy it following the least privilege principle (on recent Linux kernels). I'm happy to provide more feedback as you shape up the APIs.
Hi!
Can you please share more insights on this? Best regards.
Loading eBPF programs and getting container metadata requires elevated privileges. That's why people usually run such code as a privileged pod controlled by a DaemonSet. Our requirement in the security domain is to avoid running as privileged as much as possible and to configure the SecurityContext with just enough permissions and Linux capabilities so the tracers can work. Otherwise the tracer becomes a threat vector on its own and we'd not be able to deploy it in many environments, such as FedRAMP, AWS Bottlerocket, etc. That's why you'll see in the corresponding PR a deployment descriptor that I use to test whether it's feasible to deploy IG in a non-privileged container.
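As an added illustration of the "just enough permissions" approach described above (not the deployment descriptor from this PR), here is the privileged form of a tracer DaemonSet beside a hardened form that drops all capabilities and adds back an explicit set. The capability names, image and resource names are assumptions for a generic eBPF network tracer on a kernel of 5.8 or newer; the exact set Inspektor Gadget needs is not stated on this page.

```yaml
# Added illustration, not the PR's deployment descriptor.
# Weak form: if the tracer is compromised, the whole node is exposed.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: tracer-privileged-example        # constructed name
spec:
  selector:
    matchLabels: {app: tracer}
  template:
    metadata:
      labels: {app: tracer}
    spec:
      containers:
        - name: tracer
          image: example.invalid/tracer:dev   # placeholder image
          securityContext:
            privileged: true                  # every capability plus host device access
---
# Hardened form: drop everything, then add back only what loading eBPF
# programs and tracing network events need. The capability list is an
# assumption for kernel >= 5.8; older kernels gate bpf() on CAP_SYS_ADMIN.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: tracer-least-privilege-example   # constructed name
spec:
  selector:
    matchLabels: {app: tracer}
  template:
    metadata:
      labels: {app: tracer}
    spec:
      containers:
        - name: tracer
          image: example.invalid/tracer:dev   # placeholder image
          securityContext:
            privileged: false
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
              add:
                - BPF            # bpf() syscall: load programs and create maps
                - PERFMON        # perf_event_open() and attaching tracing programs
                - NET_ADMIN      # attaching programs to network hooks
                - SYS_RESOURCE   # raising RLIMIT_MEMLOCK on kernels without memcg BPF accounting
```

Any host paths the tracer reads (for example the container runtime socket used for enrichment) still have to be mounted explicitly, and each such mount widens the attack surface again, so they deserve the same review as the capability list.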
I totally share your point of view!
Your
Do you see any ways we could reduce the privileges we are actually using?
Besides two minor nits LGTM. I'll merge once those nits are fixed. Thanks for the contribution!
Resolves: inspektor-gadget#2593 Signed-off-by: Daniel Pacak <1322923+danielpacak@users.noreply.github.com>
I'm on a constant mission to run an agent with least privileges. I used
Same for us, reducing Inspektor Gadget privileges is something I take very seriously.
Thanks a lot for your contribution!
79b1149 into inspektor-gadget:main
I've shared an example setup I'm using to test network tracer with container filters. Dockerfile, deployment descriptor and install/uninstall scripts need to be adjusted to fit the project structure, but I wanted to share network.go and collect feedback first, before this example might be accepted as a representative example.
Resolves: #2593