fix: require changes

cilium · Feb 21, 2024 · 9bb78ef · 9bb78ef
1 parent 91c6d7b
commit 9bb78ef
Show file tree

Hide file tree

Showing 4 changed files with 99 additions and 26 deletions.
diff --git a/docs/content/en/docs/troubleshooting/_index.md b/docs/content/en/docs/troubleshooting/_index.md
@@ -47,27 +47,33 @@ Key Information Collected by the Bugtool:
 1. Identify Tetragon Pod:
 
    ```bash
-   kubectl get pods -n <tetragron-namespace> -l app.kubernetes.io name=tetragon
+   kubectl get pods -n <tetragon-namespace> -l app.kubernetes.io name=tetragon
    ```
 
 2. Execute tetra bugtool within the Pod:
 
    ```bash
-   kubectl exec -n <tetragron-namespace> <tetragron-pod-name> -- tetra bugtool
+   kubectl exec -n <tetragon-namespace> <tetragon-pod-name> -- tetra bugtool
+   ```
+
+3. Retrieve the created archive from the Pod's filesystem:
+
+   ```bash
+   kubectl cp <tetragon-namespace>/<tetragon-pod-name>:/path/to/archive.zip ./archive.zip
    ```
 
 ### Container Installation
 
 1. Enter the Tetragon Container:
 
    ```bash
-   docker exec -it <tetragron-container-id>
+   docker exec -it <tetragon-container-id> tetra bugtool
    ```
 
-2. Run tetra bugtool:
+2. Retrieve the archive using docker cp:
 
    ```bash
-   tetra bugtool
+   docker cp <tetragon-container-id>:/path/to/tetragon_output.zip
    ```
 
 ### Systemd Host Installation

diff --git a/pkg/labels/labels.go b/pkg/labels/labels.go
@@ -20,6 +20,10 @@ const (
 	opNotIn
 )
 
+const (
+	K8sPodNamespace = "k8s:io.kubernetes.pod.namespace"
+)
+
 type selectorOp struct {
 	key      string
 	operator operator

diff --git a/pkg/labels/labels_test.go b/pkg/labels/labels_test.go
@@ -14,6 +14,7 @@ import (
 type testLabel struct {
 	labels      Labels
 	expectedRes bool
+	namespace   string
 }
 
 type testCase struct {
@@ -27,8 +28,8 @@ func TestLabels(t *testing.T) {
 			// empty label selector should match everything
 			labelSelector: &slimv1.LabelSelector{},
 			tests: []testLabel{
-				{map[string]string{"app": "tetragon"}, true},
-				{nil, true},
+				{map[string]string{"app": "tetragon"}, true, "default"},
+				{Labels{}, true, "default"},
 			},
 		}, {
 			labelSelector: &slimv1.LabelSelector{
@@ -37,8 +38,8 @@ func TestLabels(t *testing.T) {
 				},
 			},
 			tests: []testLabel{
-				{map[string]string{"app": "tetragon"}, true},
-				{map[string]string{"app": "cilium"}, false},
+				{map[string]string{"app": "tetragon"}, true, "default"},
+				{map[string]string{"app": "cilium"}, false, "default"},
 			},
 		}, {
 			labelSelector: &slimv1.LabelSelector{
@@ -49,9 +50,9 @@ func TestLabels(t *testing.T) {
 				}},
 			},
 			tests: []testLabel{
-				{map[string]string{"app": "tetragon"}, true},
-				{map[string]string{"app": "cilium"}, true},
-				{map[string]string{"app": "hubble"}, false},
+				{map[string]string{"app": "tetragon"}, true, "default"},
+				{map[string]string{"app": "cilium"}, true, "default"},
+				{map[string]string{"app": "hubble"}, false, "default"},
 			},
 		}, {
 			labelSelector: &slimv1.LabelSelector{
@@ -62,9 +63,9 @@ func TestLabels(t *testing.T) {
 				}},
 			},
 			tests: []testLabel{
-				{map[string]string{"app": "tetragon"}, false},
-				{map[string]string{"app": "cilium"}, false},
-				{map[string]string{"app": "hubble"}, true},
+				{map[string]string{"app": "tetragon"}, false, "default"},
+				{map[string]string{"app": "cilium"}, false, "default"},
+				{map[string]string{"app": "hubble"}, true, "default"},
 			},
 		}, {
 			labelSelector: &slimv1.LabelSelector{
@@ -74,9 +75,9 @@ func TestLabels(t *testing.T) {
 				}},
 			},
 			tests: []testLabel{
-				{map[string]string{"app": "tetragon"}, true},
-				{map[string]string{"application": "cilium"}, false},
-				{map[string]string{"app": "hubble"}, true},
+				{map[string]string{"app": "tetragon"}, true, "default"},
+				{map[string]string{"application": "cilium"}, false, "default"},
+				{map[string]string{"app": "hubble"}, true, "default"},
 			},
 		}, {
 			labelSelector: &slimv1.LabelSelector{
@@ -86,9 +87,9 @@ func TestLabels(t *testing.T) {
 				}},
 			},
 			tests: []testLabel{
-				{map[string]string{"app": "tetragon"}, false},
-				{map[string]string{"application": "cilium"}, true},
-				{map[string]string{"app": "hubble"}, false},
+				{map[string]string{"app": "tetragon"}, false, "default"},
+				{map[string]string{"application": "cilium"}, true, "default"},
+				{map[string]string{"app": "hubble"}, false, "default"},
 			},
 		}, {
 			labelSelector: &slimv1.LabelSelector{
@@ -101,10 +102,59 @@ func TestLabels(t *testing.T) {
 				},
 			},
 			tests: []testLabel{
-				{map[string]string{"app": "tetragon"}, true},
-				{map[string]string{"application": "tetragon"}, false},
-				{map[string]string{"app": "tetragon", "application": "tetragon"}, false},
-				{map[string]string{"app": "tetragon", "pizza": "yes"}, true},
+				{map[string]string{"app": "tetragon"}, true, "default"},
+				{map[string]string{"application": "tetragon"}, false, "default"},
+				{map[string]string{"app": "tetragon", "application": "tetragon"}, false, "default"},
+				{map[string]string{"app": "tetragon", "pizza": "yes"}, true, "default"},
+			},
+		}, {
+			labelSelector: &slimv1.LabelSelector{
+				MatchExpressions: []slimv1.LabelSelectorRequirement{{
+					Key:      K8sPodNamespace,
+					Operator: "In",
+					Values:   []string{"tetragon"},
+				}},
+			},
+			tests: []testLabel{
+				{map[string]string{K8sPodNamespace: "tetragon"}, true, "tetragon"},
+				{map[string]string{K8sPodNamespace: "test"}, false, "default"},
+			},
+		}, {
+			labelSelector: &slimv1.LabelSelector{
+				MatchExpressions: []slimv1.LabelSelectorRequirement{{
+					Key:      K8sPodNamespace,
+					Operator: "In",
+					Values:   []string{"cilium", "tetragon"},
+				}},
+			},
+			tests: []testLabel{
+				{map[string]string{"app": "tetragon"}, true, "cilium"},
+				{map[string]string{"app": "cilium"}, true, "tetragon"},
+				{map[string]string{"app": "hubble"}, false, "default"},
+			},
+		}, {
+			labelSelector: &slimv1.LabelSelector{
+				MatchExpressions: []slimv1.LabelSelectorRequirement{{
+					Key:      K8sPodNamespace,
+					Operator: "NotIn",
+					Values:   []string{"cilium", "tetragon"},
+				}},
+			},
+			tests: []testLabel{
+				{map[string]string{"app": "tetragon"}, false, "cilium"},
+				{map[string]string{"app": "cilium"}, false, "tetragon"},
+				{map[string]string{"app": "hubble"}, true, "default"},
+			},
+		}, {
+			labelSelector: &slimv1.LabelSelector{
+				MatchExpressions: []slimv1.LabelSelectorRequirement{{
+					Key:      K8sPodNamespace,
+					Operator: "Exists",
+				}},
+			},
+			tests: []testLabel{
+				{map[string]string{K8sPodNamespace: "tetragon"}, true, "tetragon"},
+				{map[string]string{}, true, ""},
 			},
 		},
 	}
@@ -113,6 +163,9 @@ func TestLabels(t *testing.T) {
 		selector, err := SelectorFromLabelSelector(tc.labelSelector)
 		require.NoError(t, err)
 		for _, test := range tc.tests {
+			if _, ok := test.labels[K8sPodNamespace]; !ok {
+				test.labels[K8sPodNamespace] = test.namespace
+			}
 			res := selector.Match(test.labels)
 			if res != test.expectedRes {
 				t.Fatalf("label selector:%+v labels:%+v expected:%t got:%t", tc.labelSelector, test.labels, test.expectedRes, res)

diff --git a/pkg/policyfilter/state.go b/pkg/policyfilter/state.go
@@ -204,8 +204,18 @@ func (pol *policy) podMatches(podNs string, podLabels labels.Labels) bool {
 	if pol.namespace != "" && podNs != pol.namespace {
 		return false
 	}
+	var podLabels1 labels.Labels
+	if podLabels != nil {
+		podLabels1 = podLabels
+	} else {
+		podLabels1 = make(labels.Labels)
+	}
+
+	if _, ok := podLabels1[labels.K8sPodNamespace]; !ok {
+		podLabels1[labels.K8sPodNamespace] = podNs
+	}
 
-	return pol.podSelector.Match(podLabels)
+	return pol.podSelector.Match(podLabels1)
 }
 
 func (pol *policy) podInfoMatches(pod *podInfo) bool {