
@matthyx matthyx commented Aug 11, 2025

This pull request introduces support for user-defined application profiles in the container profiling and caching logic. The main changes focus on detecting when a container is associated with a user-defined profile, retrieving and caching these profiles, and ensuring such containers are handled appropriately throughout the lifecycle management process.

User-defined profile support:

  • Added a UserDefinedProfile field to both WatchedContainerData and ContainerInfo structs to track if a container uses a user-defined profile.
  • Updated the SetContainerInfo method to extract the user-defined profile name from pod labels and set it in WatchedContainerData.
  • Modified the addContainer method in ApplicationProfileCacheImpl to:
    • Detect user-defined profiles via pod labels.
    • Fetch and cache the user-defined profile from storage.
    • Log and update profile state on errors.
    • Set the UserDefinedProfile field in ContainerInfo.
  • In the container profile manager, containers with user-defined profiles are now ignored for automatic profiling, with appropriate logging and cleanup.

Profile cache and state management:

  • Ensured that a mapping for workload ID to profile state is always created, even for user-defined profiles, to maintain cache consistency.
  • Clarified that missing workload IDs during profile updates can be expected for user-defined profiles and should be skipped.

Dependency update:

  • Updated the github.com/kubescape/k8s-interface dependency to version v0.0.200 in go.mod.

How to use:

  • Create an application profile in the same namespace as the workload, for example nginx-user-defined
  • Set a pod label pointing to it:
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx
  namespace: default
spec:
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
        kubescape.io/user-defined-profile: nginx-user-defined
    spec:
      containers:
      - image: nginx:latest
        name: nginx
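
The label lookup described above, as an added example that is not code from this pull request: it resolves the `kubescape.io/user-defined-profile` label against profiles in the pod's own namespace and flags references that cannot resolve. `Pod`, `Decision`, `Resolve` and the `stored` set are hypothetical names, and the sketch assumes a labelled pod is never auto-profiled, even when the lookup fails.

```go
package main

import (
	"fmt"
	"regexp"
)

const profileLabel = "kubescape.io/user-defined-profile" // label key from the PR description

// Pod is a hypothetical stand-in for the pod metadata the agent sees.
type Pod struct {
	Namespace, Name string
	Labels          map[string]string
}

type Decision struct {
	Profile     string // referenced profile as namespace/name, "" if none
	AutoProfile bool   // true: no label, learn a profile automatically
	Problem     string // set when the reference cannot be resolved
}

// Object names are DNS-1123 subdomains; label values may also hold uppercase and "_".
var dns1123 = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`)

// Resolve looks the label up in the pod's own namespace only.
// Assumption: a labelled pod is never auto-profiled, even on lookup failure.
func Resolve(p Pod, stored map[string]bool) Decision {
	name, ok := p.Labels[profileLabel]
	if !ok {
		return Decision{AutoProfile: true}
	}
	d := Decision{Profile: p.Namespace + "/" + name}
	if !dns1123.MatchString(name) {
		d.Problem = "label value is not a valid object name"
	} else if !stored[d.Profile] {
		d.Problem = "no such profile in the pod's namespace"
	}
	return d
}

func main() {
	stored := map[string]bool{"default/nginx-user-defined": true} // constructed
	pods := []Pod{ // constructed sample pods
		{"default", "nginx", map[string]string{profileLabel: "nginx-user-defined"}},
		{"prod", "nginx", map[string]string{profileLabel: "nginx-user-defined"}},
	}
	for _, p := range pods {
		fmt.Printf("%s/%s: %+v\n", p.Namespace, p.Name, Resolve(p, stored))
	}
}
```

Label values are capped at 63 characters, so a profile with a longer name cannot be referenced this way.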


Summary:

  • License scan: failure
  • Credentials scan: failure
  • Vulnerabilities scan: success
  • Unit test: success
  • Go linting: failure


Summary:

  • License scan: failure
  • Credentials scan: failure
  • Vulnerabilities scan: failure
  • Unit test: success
  • Go linting: success

@matthyx matthyx changed the title from "WIP - allow specifying wl profiles in annotations" to "allow specifying wl profiles in labels" Sep 30, 2025

Summary:

  • License scan: failure
  • Credentials scan: failure
  • Vulnerabilities scan: failure
  • Unit test: success
  • Go linting: success


github-actions bot commented Oct 2, 2025

Summary:

  • License scan: failure
  • Credentials scan: failure
  • Vulnerabilities scan: failure
  • Unit test: success
  • Go linting: success
