new: add container.host_pid, container.host_network and container.host_ipc fields #2047
base: master
… to container_info Signed-off-by: Lorenzo Susini <[email protected]>
…ation from docker socket Signed-off-by: Lorenzo Susini <[email protected]>
…ation from CRI runtimes Signed-off-by: Lorenzo Susini <[email protected]>
Signed-off-by: Lorenzo Susini <[email protected]>
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: loresuso The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Signed-off-by: Lorenzo Susini <[email protected]>
4a2fdc3 to 52b9754
Perf diff from master - unit tests
Heap diff from master - unit tests
Heap diff from master - scap file
Benchmarks diff from master
Codecov Report
Attention: Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## master #2047 +/- ##
==========================================
- Coverage 74.31% 74.10% -0.21%
==========================================
Files 253 254 +1
Lines 30967 31274 +307
Branches 5399 5435 +36
==========================================
+ Hits 23012 23177 +165
- Misses 7936 8070 +134
- Partials 19 27 +8
/milestone 0.19.0
What type of PR is this?
/kind feature
Any specific area of the project related to this PR?
/area libsinsp
Does this PR require a change in the driver versions?
What this PR does / why we need it:
This PR introduces the container.host_pid, container.host_network and container.host_ipc fields. Namespaces are the way the Linux kernel enforces isolation for containers. Sometimes, developers might want to turn off bits of this isolation by sharing PID, network or IPC namespaces with the host. This introduces several risks from a security perspective, and it might be worth monitoring and offering users the possibility to understand if a container was started with some namespaces shared with the host. This PR was tested against Docker and CRI-compatible runtimes (CRI-O, in particular). Some examples of how this can be (mis)used: https://bishopfox.com/blog/kubernetes-pod-privilege-escalation
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?:
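As an added example (not libsinsp code from this PR), the check below derives the same three host_pid / host_network / host_ipc facts from a Docker Engine API inspect document, which is the Docker-socket source the PR description mentions. It assumes the documented HostConfig keys PidMode, NetworkMode and IpcMode, and the sample inspect data is constructed.

```python
"""Derive host_pid / host_network / host_ipc for containers from Docker
Engine API inspect output (added example, not code from the PR)."""
import json

# Constructed sample: two `docker inspect` documents trimmed to HostConfig.
SAMPLE_INSPECT = json.dumps([
    {"Id": "0123456789ab", "Name": "/debug-shell",
     "HostConfig": {"PidMode": "host", "NetworkMode": "host", "IpcMode": ""}},
    {"Id": "fedcba987654", "Name": "/web",
     "HostConfig": {"PidMode": "", "NetworkMode": "bridge",
                    "IpcMode": "container:0123456789ab"}},
])


def host_namespace_flags(inspect_doc):
    """Return {"host_pid", "host_network", "host_ipc"} booleans.

    Docker records namespace sharing as the string "host" in HostConfig;
    an empty value means a private namespace and "container:<id>" means
    the namespace is shared with another container, not with the host."""
    hc = inspect_doc.get("HostConfig") or {}

    def shares_host(key):
        return str(hc.get(key, "")).lower() == "host"

    return {
        "host_pid": shares_host("PidMode"),
        "host_network": shares_host("NetworkMode"),
        "host_ipc": shares_host("IpcMode"),
    }


def containers_sharing_host_ns(inspect_json):
    """Return (short id, name, shared namespaces) for every container that
    shares at least one of the PID, network or IPC namespaces with the host."""
    findings = []
    for doc in json.loads(inspect_json):
        flags = host_namespace_flags(doc)
        shared = [name for name, on in flags.items() if on]
        if shared:
            findings.append((doc["Id"][:12], doc.get("Name", "").lstrip("/"), shared))
    return findings


if __name__ == "__main__":
    for cid, name, shared in containers_sharing_host_ns(SAMPLE_INSPECT):
        print(f"{cid} ({name}) shares with host: {', '.join(shared)}")
```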