Feature/rule engine redesign

cmd/main.go

@@ -29,6 +29,7 @@ import (
 	containerprofilemanagerv1 "github.com/kubescape/node-agent/pkg/containerprofilemanager/v1"
 	"github.com/kubescape/node-agent/pkg/containerwatcher"
 	containerwatcherv2 "github.com/kubescape/node-agent/pkg/containerwatcher/v2"
+	"github.com/kubescape/node-agent/pkg/contextdetection"
 	"github.com/kubescape/node-agent/pkg/dnsmanager"
 	"github.com/kubescape/node-agent/pkg/exporters"
 	"github.com/kubescape/node-agent/pkg/fimmanager"
@@ -290,8 +291,10 @@ func main() {
 			logger.L().Ctx(ctx).Fatal("error creating CEL evaluator", helpers.Error(err))
 		}
 
+		mntnsRegistry := contextdetection.NewMntnsRegistry()
+
 		// create runtimeDetection managers
-		ruleManager, err = rulemanager.CreateRuleManager(ctx, cfg, k8sClient, ruleBindingCache, objCache, exporter, prometheusExporter, processTreeManager, dnsResolver, nil, ruleCooldown, adapterFactory, celEvaluator)
+		ruleManager, err = rulemanager.CreateRuleManager(ctx, cfg, k8sClient, ruleBindingCache, objCache, exporter, prometheusExporter, processTreeManager, dnsResolver, nil, ruleCooldown, adapterFactory, celEvaluator, mntnsRegistry)
 		if err != nil {
 			logger.L().Ctx(ctx).Fatal("error creating RuleManager", helpers.Error(err))
 		}

configuration/config.json

@@ -15,6 +15,8 @@
       "seccompServiceEnabled": "false",
       "enableEmbeddedSBOMs": "false",
       "fimEnabled": true,
+      "hostMonitoringEnabled": false,
+      "standaloneMonitoringEnabled": false,
       "exporters": {
         "syslogExporterURL": "http://syslog.kubescape.svc.cluster.local:514",
         "stdoutExporter": "false",

docs/RULE_ENGINE_MULTI_CONTEXT_REDESIGN.md

@@ -0,0 +1,148 @@
+# Rule Engine Multi-Context Redesign
+
+## Overview
+
+This document describes the design and implementation of the multi-context rule engine in the Kubescape Node Agent. The system enables runtime security monitoring and alerting across three distinct execution contexts:
+
+1.  **Kubernetes**: Containers running within a Kubernetes cluster (Pod-based).
+2.  **Host**: The underlying node itself, treated as a specialized context for monitoring host-level activities.
+3.  **Standalone**: Non-Kubernetes containers (e.g., Docker containers, standalone containerd instances) that are not managed by the Kubernetes orchestrator.
+
+## Goals
+
+- Provide a unified rule evaluation engine for all execution contexts.
+- Use the mount namespace (mntns) ID as the primary key for identifying event contexts.
+- Support multiple container runtimes through automated discovery (fanotify).
+- Allow fine-grained control over where rules apply using context-specific tags.
+- Maintain backward compatibility with existing Kubernetes-only monitoring and alert formats.
+
+## Architecture
+
+### 1. Event Source Context
+
+The system defines three primary context types in `pkg/contextdetection/types.go`:
+
+```go
+type EventSourceContext string
+
+const (
+	Kubernetes EventSourceContext = "kubernetes"
+	Host       EventSourceContext = "host"
+	Standalone EventSourceContext = "standalone"
+)
+```
+
+### 2. Context Detection and Registry
+
+The architecture relies on a discovery mechanism that identifies the nature of a process or container when it starts.
+
+#### Context Info and Detectors
+Each detected context is represented by a `ContextInfo` object which provides the context type and a unique `WorkloadID`.
+
+```go
+type ContextInfo interface {
+	Context() EventSourceContext
+	WorkloadID() string
+}
+```
+
+The `DetectorManager` coordinates several `ContextDetector` implementations:
+- **K8sDetector**: Identifies containers enriched with Kubernetes metadata (Namespace, Pod name).
+- **HostDetector**: Identifies the host context based on PID 1 or the host's mount namespace.
+- **StandaloneDetector**: Identifies containers that have runtime information but lack Kubernetes metadata.
+
+#### Mount Namespace Registry
+The `MntnsRegistry` maintains a thread-safe mapping of mount namespace IDs to their corresponding `ContextInfo`. This registry is the "source of truth" used to enrich eBPF events as they arrive.
+
+```go
+type Registry interface {
+	Register(mntns uint64, info ContextInfo) error
+	Lookup(mntns uint64) (ContextInfo, bool)
+	Unregister(mntns uint64)
+}
+```
+
+### 3. Event Enrichment
+
+As eBPF events (exec, open, network, etc.) are captured, they are wrapped in an `EnrichedEvent`. The `RuleManager` enriches these events with context information by looking up the event's mount namespace ID in the registry.
+
+```go
+func (rm *RuleManager) enrichEventWithContext(enrichedEvent *events.EnrichedEvent) {
+	mntnsID := enrichedEvent.Event.GetMountNsID()
+	enrichedEvent.MountNamespaceID = mntnsID
+
+	if mntnsID != 0 {
+		if contextInfo, found := rm.mntnsRegistry.Lookup(mntnsID); found {
+			enrichedEvent.SourceContext = contextInfo
+		}
+	}
+}
+```
+
+### 4. Rule Evaluation Logic
+
+#### Context-Aware Filtering
+Rules can specify where they should execute using the `context:` tag prefix. The `RuleAppliesToContext` function determines if a rule is applicable:
+
+- If a rule has tags like `context:host`, it will only run for events detected as `Host`.
+- If a rule has no `context:` tags, it defaults to `Kubernetes` only, ensuring backward compatibility for existing rule sets.
+
+```go
+func RuleAppliesToContext(rule *typesv1.Rule, contextInfo contextdetection.ContextInfo) bool {
+    // ... logic to check "context:" tags ...
+    // Default: return currentContext == contextdetection.Kubernetes
+}
+```
+
+#### Profile Dependencies
+Kubernetes-specific features like Application Profiles and Network Neighborhoods are only enforced for the `Kubernetes` context. Rules requiring these profiles are skipped for `Host` and `Standalone` contexts.
+
+### 5. Alert Structure
+
+The `GenericRuleFailure` structure has been extended to include the `SourceContext`. To maintain compatibility with existing consumers (like the Kubescape Cloud or third-party SIEMs), context-specific metadata is mapped into the existing `RuntimeAlertK8sDetails` structure where appropriate:
+
+- **Host alerts**: The node's hostname is populated in the `NodeName` field.
+- **Standalone alerts**: Container ID and Image information are populated, while K8s-specific fields (Namespace, Pod) remain empty.
+
+```go
+type GenericRuleFailure struct {
+    // ... existing fields ...
+    SourceContext contextdetection.EventSourceContext
+}
+```
+
+### 6. Multiple Runtime Discovery
+
+The Node Agent leverages `inspektor-gadget`'s `WithContainerFanotifyEbpf()` capability. This allows the agent to:
+1. Use fanotify to watch for OCI runtime (runc, crun) executions.
+2. Capture the container's bundle directory and PID.
+3. Automatically detect and monitor containers regardless of whether they were started by `kubelet`, `docker`, or `containerd` directly.
+
+## Configuration
+
+Context monitoring is configurable via the Node Agent configuration:
+
+```yaml
+# Enable/disable specific monitoring contexts
+hostMonitoringEnabled: true
+standaloneMonitoringEnabled: true
+
+# Note: Kubernetes monitoring is usually tied to enableRuntimeDetection
+enableRuntimeDetection: true
+```
+
+## Implementation Status
+
+- [x] **Core Infrastructure**: Definition of context types and the `MntnsRegistry`.
+- [x] **Detector Framework**: Implementation of K8s, Host, and Standalone detectors.
+- [x] **Event Enrichment**: Integration into `RuleManager` to attach context to every event.
+- [x] **Context-Aware Rules**: Support for `context:` tags in rule definitions.
+- [x] **Unified Alerting**: Updated `RuleFailureCreator` to handle multi-context metadata.
+- [x] **Multi-Runtime Support**: Integration with fanotify for standalone container discovery.
+- [x] **Testing**: Unit and integration tests for context detection and rule application.
+
+## Future Considerations
+
+- **Standalone Profiles**: Extending Application Profile learning to standalone containers.
+- **Host Policy**: Specific rule sets tailored for host-level hardening and monitoring.
+- **Dynamic Context Tags**: Allowing users to define custom contexts based on container labels or environment variables.

pkg/cloudmetadata/metadata.go

@@ -3,6 +3,10 @@ package cloudmetadata
 import (
 	"context"
 	"fmt"
+	"io"
+	"net/http"
+	"strings"
+	"time"
 
 	apitypes "github.com/armosec/armoapi-go/armotypes"
 	"github.com/kubescape/go-logger"
@@ -12,6 +16,11 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
+const (
+	azureApiVersion = "2021-12-13"
+	metadataTimeout = 2 * time.Second
+)
+
 // GetCloudMetadata retrieves cloud metadata for a given node
 func GetCloudMetadata(ctx context.Context, client *k8sinterface.KubernetesApi, nodeName string) (*apitypes.CloudMetadata, error) {
 	node, err := client.GetKubernetesClient().CoreV1().Nodes().Get(ctx, nodeName, metav1.GetOptions{})
@@ -53,9 +62,163 @@ func GetCloudMetadataWithIMDS(ctx context.Context) (*apitypes.CloudMetadata, err
 	cMetadataClient := k8sInterfaceCloudMetadata.NewMetadataClient(true)
 
 	cMetadata, err := cMetadataClient.GetMetadata(ctx)
+	if err == nil {
+		return cMetadata, nil
+	}
+
+	logger.L().Info("failed to get cloud metadata from IMDS, trying fallbacks", helpers.Error(err))
+
+	// Fallback strategy: try different providers
+	fallbacks := []struct {
+		name  string
+		fetch func(context.Context) (*apitypes.CloudMetadata, error)
+	}{
+		{name: "DigitalOcean", fetch: fetchDigitalOceanMetadata},
+		{name: "GCP", fetch: fetchGCPMetadata},
+		{name: "Azure", fetch: fetchAzureMetadata},
+	}
+
+	for _, fb := range fallbacks {
+		if meta, ferr := fb.fetch(ctx); ferr == nil && meta != nil {
+			logger.L().Info(fmt.Sprintf("retrieved cloud metadata from %s metadata service", fb.name))
+			return meta, nil
+		}
+	}
+
+	// Wrap the underlying error with additional context so logs make it clearer why metadata is missing.
+	return nil, fmt.Errorf("failed to get cloud metadata from IMDS or fallbacks: %w", err)
+}
+
+// fetchHTTPMetadata helper to fetch metadata from a URL with optional headers
+func fetchHTTPMetadata(ctx context.Context, url string, headers map[string]string) (string, error) {
+	client := &http.Client{
+		Timeout: metadataTimeout,
+	}
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
+	if err != nil {
+		return "", err
+	}
+	for k, v := range headers {
+		req.Header.Set(k, v)
+	}
+	resp, err := client.Do(req)
+	if err != nil {
+		return "", err
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		return "", fmt.Errorf("metadata endpoint %s returned status: %d", url, resp.StatusCode)
+	}
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return "", err
+	}
+	return strings.TrimSpace(string(body)), nil
+}
+
+func getLastPathPart(val string) string {
+	if val == "" {
+		return ""
+	}
+	parts := strings.Split(val, "/")
+	return parts[len(parts)-1]
+}
+
+// fetchDigitalOceanMetadata attempts to fetch basic metadata from DigitalOcean's metadata service.
+func fetchDigitalOceanMetadata(ctx context.Context) (*apitypes.CloudMetadata, error) {
+	base := "http://169.254.169.254/metadata/v1/"
+
+	// Probe root to see whether the metadata endpoint responds and contains expected entries.
+	body, err := fetchHTTPMetadata(ctx, base, nil)
 	if err != nil {
 		return nil, err
 	}
 
-	return cMetadata, nil
+	// Basic heuristic: the DO metadata root typically lists resources like 'id', 'hostname', 'region' etc.
+	if !strings.Contains(body, "id") && !strings.Contains(body, "region") && !strings.Contains(body, "hostname") {
+		return nil, fmt.Errorf("digitalocean metadata root missing expected entries")
+	}
+
+	get := func(path string) string {
+		val, _ := fetchHTTPMetadata(ctx, base+path, nil)
+		return val
+	}
+
+	id := get("id")
+	if id == "" {
+		id = get("droplet_id")
+	}
+	instanceType := get("size")
+	if instanceType == "" {
+		instanceType = get("type")
+	}
+
+	meta := &apitypes.CloudMetadata{
+		Provider:     "digitalocean",
+		InstanceID:   id,
+		InstanceType: instanceType,
+		Region:       get("region"),
+		PrivateIP:    get("interfaces/private/0/ipv4/address"),
+		PublicIP:     get("interfaces/public/0/ipv4/address"),
+		Hostname:     get("hostname"),
+	}
+
+	// if nothing useful was obtained, return an error so callers can continue trying other fallbacks
+	if meta.InstanceID == "" && meta.Hostname == "" && meta.Region == "" && meta.PrivateIP == "" && meta.PublicIP == "" && meta.InstanceType == "" {
+		return nil, fmt.Errorf("digitalocean metadata endpoints returned no data")
+	}
+
+	return meta, nil
+}
+
+// fetchGCPMetadata attempts to fetch basic metadata from GCP's metadata service.
+func fetchGCPMetadata(ctx context.Context) (*apitypes.CloudMetadata, error) {
+	base := "http://metadata.google.internal/computeMetadata/v1/"
+	headers := map[string]string{"Metadata-Flavor": "Google"}
+
+	get := func(path string) string {
+		val, _ := fetchHTTPMetadata(ctx, base+path, headers)
+		return val
+	}
+
+	machineType := get("instance/machine-type")
+	if machineType == "" {
+		return nil, fmt.Errorf("not a GCP instance")
+	}
+
+	return &apitypes.CloudMetadata{
+		Provider:     "gcp",
+		AccountID:    get("project/project-id"),
+		InstanceID:   get("instance/id"),
+		InstanceType: getLastPathPart(machineType),
+		Zone:         getLastPathPart(get("instance/zone")),
+		Hostname:     get("instance/hostname"),
+	}, nil
+}
+
+// fetchAzureMetadata attempts to fetch basic metadata from Azure's metadata service.
+func fetchAzureMetadata(ctx context.Context) (*apitypes.CloudMetadata, error) {
+	base := "http://169.254.169.254/metadata/instance/compute/"
+	headers := map[string]string{"Metadata": "true"}
+	params := "?api-version=" + azureApiVersion + "&format=text"
+
+	get := func(path string) string {
+		val, _ := fetchHTTPMetadata(ctx, base+path+params, headers)
+		return val
+	}
+
+	vmSize := get("vmSize")
+	if vmSize == "" {
+		return nil, fmt.Errorf("not an Azure instance")
+	}
+
+	return &apitypes.CloudMetadata{
+		Provider:     "azure",
+		AccountID:    get("subscriptionId"),
+		InstanceID:   get("vmId"),
+		InstanceType: vmSize,
+		Region:       get("location"),
+		Zone:         get("zone"),
+		Hostname:     get("name"),
+	}, nil
 }

pkg/config/config.go

@@ -66,6 +66,8 @@ type Config struct {
 	EnableRuntimeDetection         bool                                 `mapstructure:"runtimeDetectionEnabled"`
 	EnableSbomGeneration           bool                                 `mapstructure:"sbomGenerationEnabled"`
 	EnableSeccomp                  bool                                 `mapstructure:"seccompServiceEnabled"`
+	HostMonitoringEnabled          bool                                 `mapstructure:"hostMonitoringEnabled"`
+	StandaloneMonitoringEnabled    bool                                 `mapstructure:"standaloneMonitoringEnabled"`
 	SeccompProfileBackend          string                               `mapstructure:"seccompProfileBackend"`
 	EventBatchSize                 int                                  `mapstructure:"eventBatchSize"`
 	ExcludeJsonPaths               []string                             `mapstructure:"excludeJsonPaths"`
@@ -179,6 +181,8 @@ func LoadConfig(path string) (Config, error) {
 	viper.SetDefault("dnsCacheSize", 50000)
 	viper.SetDefault("seccompProfileBackend", "storage") // "storage" or "crd"
 	viper.SetDefault("containerEolNotificationBuffer", 100)
+	viper.SetDefault("hostMonitoringEnabled", false)
+	viper.SetDefault("standaloneMonitoringEnabled", false)
 	// HTTP Exporter Alert Bulking defaults
 	viper.SetDefault("exporters::httpExporterConfig::bulkMaxAlerts", 50)
 	viper.SetDefault("exporters::httpExporterConfig::bulkTimeoutSeconds", 10)