
new: add container.host_pid container.host_network and container.host_ipc fields #2047

Open
wants to merge 5 commits into
base: master

Conversation

loresuso
Member

@loresuso loresuso commented Sep 6, 2024

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind feature

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area API-version

/area build

/area CI

/area driver-kmod

/area driver-bpf

/area driver-modern-bpf

/area libscap-engine-bpf

/area libscap-engine-gvisor

/area libscap-engine-kmod

/area libscap-engine-modern-bpf

/area libscap-engine-nodriver

/area libscap-engine-noop

/area libscap-engine-source-plugin

/area libscap-engine-savefile

/area libscap

/area libpman

/area libsinsp

/area tests

/area proposals

Does this PR require a change in the driver versions?

/version driver-API-version-major

/version driver-API-version-minor

/version driver-API-version-patch

/version driver-SCHEMA-version-major

/version driver-SCHEMA-version-minor

/version driver-SCHEMA-version-patch

What this PR does / why we need it:

This PR introduces the container.host_pid, container.host_network and container.host_ipc fields. Namespaces are the way the Linux kernel enforces isolation for containers. Sometimes, developers might want to turn off bits of this isolation by sharing PID, network or IPC namespaces with the host. This introduces several risks from a security perspective, and it might be worth monitoring and offering users the possibility to understand whether a container was started with some namespaces shared with the host. This PR was tested against Docker and CRI-compatible runtimes (CRI-O, in particular).
Some examples of how this can be (mis)used: https://bishopfox.com/blog/kubernetes-pod-privilege-escalation

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

new: add `container.host_pid` `container.host_network` and `container.host_ipc` fields
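The three flags described above can be derived from the container runtime's own metadata. The following is an added illustration, not code from this PR or from libsinsp: it reads a `docker inspect` document (`HostConfig.PidMode`/`NetworkMode`/`IpcMode` equal to `"host"`) and an OCI runtime `config.json` (a namespace type missing from `linux.namespaces` means the container inherits the runtime's, i.e. the host's, namespace), and the sample documents are constructed for the example.

```python
import json

# Docker HostConfig keys behind each field; the value "host" means shared with the host.
DOCKER_HOST_MODES = {
    "host_pid": "PidMode",
    "host_network": "NetworkMode",
    "host_ipc": "IpcMode",
}

# OCI runtime-spec namespace types behind each field. The spec says that a type
# absent from linux.namespaces makes the container inherit the runtime's
# (host) namespace of that type, which is how CRI-O/containerd express host sharing.
OCI_NS_TYPES = {"host_pid": "pid", "host_network": "network", "host_ipc": "ipc"}


def host_ns_from_docker(inspect_json: str) -> dict:
    """Derive host_pid/host_network/host_ipc from a `docker inspect` JSON array."""
    host_config = json.loads(inspect_json)[0].get("HostConfig", {})
    return {field: host_config.get(key, "") == "host"
            for field, key in DOCKER_HOST_MODES.items()}


def host_ns_from_oci_spec(spec_json: str) -> dict:
    """Derive the same flags from an OCI runtime config.json (CRI-O, containerd)."""
    namespaces = json.loads(spec_json).get("linux", {}).get("namespaces", [])
    present = {ns.get("type") for ns in namespaces}
    return {field: ns_type not in present for field, ns_type in OCI_NS_TYPES.items()}


def shared_namespaces(flags: dict) -> list:
    """Sorted names of the flags that are set, e.g. for an alert's output fields."""
    return sorted(name for name, on in flags.items() if on)


# Constructed sample documents (not captured from a real system).
DOCKER_SAMPLE = json.dumps([{
    "Id": "0123456789ab",
    "HostConfig": {"PidMode": "host", "NetworkMode": "bridge", "IpcMode": "private"},
}])
OCI_SAMPLE = json.dumps({
    "ociVersion": "1.0.2",
    "linux": {"namespaces": [{"type": "pid"}, {"type": "mount"}, {"type": "uts"}]},
})

if __name__ == "__main__":
    print(shared_namespaces(host_ns_from_docker(DOCKER_SAMPLE)))   # ['host_pid']
    print(shared_namespaces(host_ns_from_oci_spec(OCI_SAMPLE)))    # ['host_ipc', 'host_network']
```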

@poiana
Contributor

poiana commented Sep 6, 2024

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: loresuso
Once this PR has been reviewed and has the lgtm label, please assign lucaguerra for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment


github-actions bot commented Sep 6, 2024

Perf diff from master - unit tests

     3.52%     +1.21%  [.] gzfile_read
     3.89%     -1.07%  [.] sinsp_thread_manager::get_thread_ref
     2.93%     +0.89%  [.] sinsp_thread_manager::find_thread
     1.14%     -0.59%  [.] sinsp_evt::get_param
     8.28%     -0.54%  [.] sinsp::next
     1.14%     -0.45%  [.] sinsp_parser::parse_context_switch
     4.78%     +0.40%  [.] next
     1.41%     -0.39%  [.] std::vector<sinsp_evt_param, std::allocator<sinsp_evt_param> >::emplace_back<sinsp_evt*, unsigned int&, char const*, unsigned long&>
     0.31%     +0.37%  [.] std::_Hashtable<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, libsinsp::state::dynamic_struct::field_info>, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, libsinsp::state::dynamic_struct::field_info> >, std::__detail::_Select1st, std::equal_to<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::hash<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash, std::__detail::_Prime_rehash_policy, std::__detail::_Hashtable_traits<true, false, true> >::_M_find_before_node
     0.32%     +0.36%  [.] sinsp_parser::parse_open_openat_creat_exit

Heap diff from master - unit tests

peak heap memory consumption: -363B
peak RSS (including heaptrack overhead): 0B
total memory leaked: 0B

Heap diff from master - scap file

peak heap memory consumption: -363B
peak RSS (including heaptrack overhead): 0B
total memory leaked: 0B

Benchmarks diff from master

Comparing gbench_data.json to /root/actions-runner/_work/libs/libs/build/gbench_data.json
Benchmark                                                         Time             CPU      Time Old      Time New       CPU Old       CPU New
----------------------------------------------------------------------------------------------------------------------------------------------
BM_sinsp_split_mean                                            -0.0189         -0.0189           149           147           149           147
BM_sinsp_split_median                                          -0.0186         -0.0185           150           147           149           147
BM_sinsp_split_stddev                                          -0.4962         -0.4961             1             0             1             0
BM_sinsp_split_cv                                              -0.4865         -0.4864             0             0             0             0
BM_sinsp_concatenate_paths_relative_path_mean                  -0.1283         -0.1283            47            41            47            41
BM_sinsp_concatenate_paths_relative_path_median                -0.1199         -0.1199            47            41            47            41
BM_sinsp_concatenate_paths_relative_path_stddev                -0.9091         -0.9087             1             0             1             0
BM_sinsp_concatenate_paths_relative_path_cv                    -0.8957         -0.8953             0             0             0             0
BM_sinsp_concatenate_paths_empty_path_mean                     -0.0043         -0.0043            17            17            17            17
BM_sinsp_concatenate_paths_empty_path_median                   +0.0002         +0.0002            17            17            17            17
BM_sinsp_concatenate_paths_empty_path_stddev                   -0.3081         -0.3081             0             0             0             0
BM_sinsp_concatenate_paths_empty_path_cv                       -0.3051         -0.3051             0             0             0             0
BM_sinsp_concatenate_paths_absolute_path_mean                  -0.1911         -0.1911            51            41            51            41
BM_sinsp_concatenate_paths_absolute_path_median                -0.1883         -0.1883            51            41            51            41
BM_sinsp_concatenate_paths_absolute_path_stddev                -0.8854         -0.8857             1             0             1             0
BM_sinsp_concatenate_paths_absolute_path_cv                    -0.8583         -0.8586             0             0             0             0
BM_sinsp_split_container_image_mean                            +0.0030         +0.0030           352           353           352           353
BM_sinsp_split_container_image_median                          +0.0011         +0.0011           352           353           352           353
BM_sinsp_split_container_image_stddev                          +0.9424         +0.9427             2             4             2             4
BM_sinsp_split_container_image_cv                              +0.9366         +0.9368             0             0             0             0


codecov bot commented Sep 6, 2024

Codecov Report

Attention: Patch coverage is 76.66667% with 14 lines in your changes missing coverage. Please review.

Project coverage is 74.10%. Comparing base (13746b5) to head (52b9754).
Report is 33 commits behind head on master.

Files with missing lines                                   Patch %   Lines
.../libsinsp/container_engine/docker/async_source.cpp        0.00%   9 Missing ⚠️
userspace/libsinsp/cri.hpp                                  58.33%   5 Missing ⚠️
@@            Coverage Diff             @@
##           master    #2047      +/-   ##
==========================================
- Coverage   74.31%   74.10%   -0.21%     
==========================================
  Files         253      254       +1     
  Lines       30967    31274     +307     
  Branches     5399     5435      +36     
==========================================
+ Hits        23012    23177     +165     
- Misses       7936     8070     +134     
- Partials       19       27       +8     
Flag       Coverage Δ
libsinsp   74.10% <76.66%> (-0.21%) ⬇️


@FedeDP
Contributor

FedeDP commented Sep 8, 2024

/milestone 0.19.0

@poiana poiana added this to the 0.19.0 milestone Sep 8, 2024