Filter out host processes by host mntns to prevent ebpf map from filling up during recording

[neblen]

Filter out host processes by host mntns to prevent ebpf map from filling up during recording

What type of PR is this?

/kind bug

What this PR does / why we need it:

The current ebpf code saves a lot of host process information, but none of this information is needed. This will cause the ebpf map to fill up during recording. I use the host mntns to filter out the host process so that the data in the ebpf map is only the pid we need to record

Which issue(s) this PR fixes:

Fixes #1165
#1165

Does this PR have test?

N

Special notes for your reviewer:

Does this PR introduce a user-facing change?

N

Filtering host processes by host mount namespace to prevent ebpf map from filling up during recording.

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: neblen (ee75717)

[k8s-ci-robot]

Welcome @neblen!

It looks like this is your first PR to kubernetes-sigs/security-profiles-operator 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/security-profiles-operator has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @neblen. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[saschagrunert]

Thank you for the PR @neblen, we really appreciate that! May I ask you to sign your commits by signing the EasyCLA?

[saschagrunert]

/ok-to-test

[saschagrunert]

Lets run make update-mocks to re-generate the code.

[saschagrunert]

The CI does not seem to be happy about the changes :)

[neblen]

The CI does not seem to be happy about the changes :)

It seems that some test cases have not been run, I will check first

[neblen]

/retest

[neblen]

The CI does not seem to be happy about the changes :)

It seems that some test cases have not been run, I will check first
Here is a test case for systemmntns, it seems that it is not needed at present, I deleted it.Please retest again.Thanks.

[codecov-commenter]

Codecov Report

Merging #1166 (8ee4226) into main (9a9836f) will decrease coverage by 0.06%.
The diff coverage is 50.00%.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1166      +/-   ##
==========================================
- Coverage   48.65%   48.58%   -0.07%     
==========================================
  Files          43       43              
  Lines        4779     4794      +15     
==========================================
+ Hits         2325     2329       +4     
- Misses       2358     2367       +9     
- Partials       96       98       +2     

[neblen]

@saschagrunert Hi~ There are still some use cases that fail. I don't know why it didn't pass, would you help me watch it? I'm not particularly familiar with spo's test case flow

[saschagrunert]

@neblen please rebase, this should fix the CI now. :)

[neblen]

@neblen please rebase, this should fix the CI now. :)

@saschagrunert Ok, I have updated the main branch code to the fix/ebpf-with-mntns branch.

[neblen]

@neblen please rebase, this should fix the CI now. :)

@saschagrunert Hi~ The pull-security-profiles-operator-verify pipeline didn't pass.But I can't see what is directly causing the failure.

[saschagrunert]

@neblen the linter times-out:

level=error msg="Timeout exceeded: try increasing it by passing --timeout option"
make: *** [Makefile:344: verify-go-lint] Error 4

I assume thats because the diff of internal/pkg/daemon/bpfrecorder/generated.go looks way too huge, I run make update-bpf and re-commit it.

[saschagrunert]

/lgtm

Thank you again for you contribution, we really appreciate you time and effort on this topic!

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: neblen, saschagrunert

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [saschagrunert]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment