tetragon: Add debug interface to track cgroups to workload/ns mappings #2540
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
✅ Deploy Preview for tetragon ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
jrfastab
force-pushed
the
pr/jrfastab/nsDebug
branch
2 times, most recently
from
82304ad to
24f0d6a
Compare
jrfastab
added
the
release-note/minor
jrfastab
force-pushed
the
pr/jrfastab/nsDebug
branch
4 times, most recently
from
03b7cd5 to
e03fed9
Compare
|
Also needs to be run though |
jrfastab
force-pushed
the
pr/jrfastab/nsDebug
branch
from
e03fed9 to
490f4fb
Compare
tixxdz
reviewed
Jun 20, 2024
jrfastab
force-pushed
the
pr/jrfastab/nsDebug
branch
2 times, most recently
from
2fb5314 to
5e3a860
Compare
kkourt
requested changes
Jun 21, 2024
jrfastab
force-pushed
the
pr/jrfastab/nsDebug
branch
4 times, most recently
from
1811474 to
f90fcd2
Compare
jrfastab
changed the title
We will need to use execObj() from the policyfilter pkg, but this will cause a circular dependency. So lets just pull this out into a new pkg that we can import. Signed-off-by: John Fastabend <[email protected]>
Debugging BPF and some kernel functions I want to understand cgroup to namespace/workload/kind mappings at event side. This patch maintains a stable mapping between cgroups and human readable namespaces. The end goal is to filter out noisy namespaces from execs which will be follow up series. This is minimally useful as is. To support this just extend the use of namespace filters from kprobe and tracepoints into a more general space where we can hook selectors. Next steps we can push namespace filters into other sensor types e.g. loader. Signed-off-by: John Fastabend <[email protected]>
Its sometimes useful when debugging policy statements to be able to dump the cgroup IDs to their namespace human readable names. This helps ensure (a) the policy maps are correctly updated and (b) if we are debugging kernel we can map cgroups to kubernetes names. Signed-off-by: John Fastabend <[email protected]>
jrfastab
force-pushed
the
pr/jrfastab/nsDebug
branch
from
f90fcd2 to
d061804
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Debugging BPF and some kernel functions I want to understand cgroup to namespace mappings at event side. This patch maintains a stable mapping between cgroups and human readable namespaces. The end goal is to filter out noisy namespaces from execs which will be follow up series. This is minimally useful as is.
To support this just extend the use of namespace filters from kprobe and tracepoints into a more general space where we can hook selectors.