datadog-agent
datadog-agent copied to clipboard
DataDog
[CWS] add security profile sliding window
What does this PR do?
This PR adds a life-cycle for security profiles. The selector is no longer focused on image_name + image_tag: now the selector is only image_name and each profiles could now contains several image_tag versions.
The maximum number of versions for a profile can be configured via runtime_security_config.security_profile.max_image_tags (10 by default).
Once the limit is reached, the last seen version is evicted.
The first version would come from a security dump, then further versions will be directly added by the profile manager.
New set of tests has been added to validate the changes:
TestSecurityProfileLifeCycleExecs/life-cycle-v1-learning-new-process
TestSecurityProfileLifeCycleExecs/life-cycle-v1-stable-process-anomaly
TestSecurityProfileLifeCycleExecs/life-cycle-v2-learning-new-process-anomaly
TestSecurityProfileLifeCycleExecs/life-cycle-v2-learning-v1-process
TestSecurityProfileLifeCycleExecs/life-cycle-v1-unstable-new-process
TestSecurityProfileLifeCycleDNS/life-cycle-v1-learning-new-dns
TestSecurityProfileLifeCycleDNS/life-cycle-v1-stable-dns-anomaly
TestSecurityProfileLifeCycleDNS/life-cycle-v2-learning-new-dns-anomaly
TestSecurityProfileLifeCycleDNS/life-cycle-v2-learning-v1-dns
TestSecurityProfileLifeCycleDNS/life-cycle-v1-unstable-new-dns
TestSecurityProfileLifeCycleEvictitonProcess/life-cycle-eviction-process-v1-learning-new-process
TestSecurityProfileLifeCycleEvictitonProcess/life-cycle-eviction-process-v1-stable-process-anomaly
TestSecurityProfileLifeCycleEvictitonProcess/life-cycle-eviction-process-v2-learning-new-process-anomaly
TestSecurityProfileLifeCycleEvictitonProcess/life-cycle-eviction-process-check-v1-evicted
TestSecurityProfileLifeCycleEvictitonProcess/life-cycle-eviction-process-v1-process-anomaly
TestSecurityProfileLifeCycleEvictitonDNS/life-cycle-eviction-dns-v1-learning-new-process
TestSecurityProfileLifeCycleEvictitonDNS/life-cycle-eviction-dns-v1-stable-process-anomaly
TestSecurityProfileLifeCycleEvictitonDNS/life-cycle-eviction-dns-v2-learning-new-process-anomaly
TestSecurityProfileLifeCycleEvictitonDNS/life-cycle-eviction-dns-check-v1-evicted
TestSecurityProfileLifeCycleEvictitonDNS/life-cycle-eviction-dns-v1-process-anomaly
TestSecurityProfileLifeCycleEvictitonProcessUnstable/life-cycle-eviction-process-unstable-v1-learning-new-process
TestSecurityProfileLifeCycleEvictitonProcessUnstable/life-cycle-eviction-process-unstable-v1-unstable
TestSecurityProfileLifeCycleEvictitonProcessUnstable/life-cycle-eviction-process-unstable-v2-learning
TestSecurityProfileLifeCycleEvictitonProcessUnstable/life-cycle-eviction-process-unstable-v3-learning
TestSecurityProfileLifeCycleEvictitonProcessUnstable/life-cycle-eviction-process-unstable-v3-process-anomaly
There is also new metrics to follow the new sec profile behaviors:
.security_profile.evicted_versions will be send each time a profile version has been evicted (when reaching the max number of concurrent versions).
.security_profile.versions will reflect the number of version for each profile
Motivation
This will allow to raise coverage on short lived containers, allowing to learn from a previous version instead of starting from blank each time.
Additional Notes
We'll have to pay attention on how it behaves on some workloads where the image_tag is not used to version the image (we know that some uses the same image with multiple purposes, specifying it through image_tag).
Possible Drawbacks / Trade-offs
Describe how to test/QA your changes
Run the tests is a first way. Play with images and change image tag each time, have a look on profile states, try to generate anomalies.
Reviewer's Checklist
- [ ] If known, an appropriate milestone has been selected; otherwise the
Triagemilestone is set. - [ ] Use the
major_changelabel if your change either has a major impact on the code base, is impacting multiple teams or is changing important well-established internals of the Agent. This label will be use during QA to make sure each team pay extra attention to the changed behavior. For any customer facing change use a releasenote. - [ ] A release note has been added or the
changelog/no-changeloglabel has been applied. - [ ] Changed code has automated tests for its functionality.
- [ ] Adequate QA/testing plan information is provided if the
qa/skip-qalabel is not applied. - [ ] At least one
team/..label has been applied, indicating the team(s) that should QA this change. - [ ] If applicable, docs team has been notified or an issue has been opened on the documentation repo.
- [ ] If applicable, the
need-change/operatorandneed-change/helmlabels have been applied. - [ ] If applicable, the
k8s/<min-version>label, indicating the lowest Kubernetes version compatible with this feature. - [ ] If applicable, the config template has been updated.
Go Package Import Differences
Baseline: 8ac53d398b723c0dca29a37e201a7283d1fc1bed Comparison: 0b09e90135734d9063db47c09a633d7fdab76b7b
| binary | os | arch | change |
|---|---|---|---|
| cluster-agent | linux | amd64 | +0, -1
-github.com/DataDog/datadog-agent/pkg/security/security_profile
|
| cluster-agent | linux | arm64 | +0, -1
-github.com/DataDog/datadog-agent/pkg/security/security_profile
|
| security-agent | linux | amd64 | +0, -1
-github.com/DataDog/datadog-agent/pkg/security/security_profile
|
| security-agent | linux | arm64 | +0, -1
-github.com/DataDog/datadog-agent/pkg/security/security_profile
|
| system-probe | linux | amd64 | +0, -1
-github.com/DataDog/datadog-agent/pkg/security/security_profile
|
| system-probe | linux | arm64 | +0, -1
-github.com/DataDog/datadog-agent/pkg/security/security_profile
|
![cit-pr-commenter[bot] avatar](https://avatars.githubusercontent.com/in/330445?v=4 "Published by a pub.dev verified publisher"){kind=small}
Bloop Bleep... Dogbot Here
Regression Detector Results
Run ID: 64464f39-e758-4179-8758-c68149388ade Baseline: e8334ca2487427203e33f7d340602851ba2a106b Comparison: b4e75e7b7bfa19aa908971f79efb8aa5ea714850 Total CPUs: 7
Performance changes are noted in the perf column of each table:
- ✅ = significantly better comparison variant performance
- ❌ = significantly worse comparison variant performance
- ➖ = no significant change in performance
Experiments with missing or malformed data
- basic_py_check
Usually, this warning means that there is no usable optimization goal data for that experiment, which could be a result of misconfiguration.
No significant changes in experiment optimization goals
Confidence level: 90.00% Effect size tolerance: |Δ mean %| ≥ 5.00%
There were no significant changes in experiment optimization goals at this confidence level and effect size tolerance.
Experiments ignored for regressions
Regressions in experiments with settings containing erratic: true are ignored.
| perf | experiment | goal | Δ mean % | Δ mean % CI |
|---|---|---|---|---|
| ➖ | file_to_blackhole | % cpu utilization | -0.71 | [-7.25, +5.83] |
Fine details of change detection per experiment
| perf | experiment | goal | Δ mean % | Δ mean % CI |
|---|---|---|---|---|
| ➖ | process_agent_standard_check_with_stats | memory utilization | +0.13 | [+0.10, +0.17] |
| ➖ | trace_agent_msgpack | ingress throughput | +0.00 | [-0.01, +0.01] |
| ➖ | uds_dogstatsd_to_api | ingress throughput | +0.00 | [-0.00, +0.00] |
| ➖ | tcp_dd_logs_filter_exclude | ingress throughput | +0.00 | [-0.00, +0.00] |
| ➖ | trace_agent_json | ingress throughput | -0.03 | [-0.06, +0.00] |
| ➖ | process_agent_standard_check | memory utilization | -0.03 | [-0.08, +0.01] |
| ➖ | process_agent_real_time_mode | memory utilization | -0.21 | [-0.24, -0.18] |
| ➖ | tcp_syslog_to_blackhole | ingress throughput | -0.49 | [-0.55, -0.43] |
| ➖ | otel_to_otel_logs | ingress throughput | -0.49 | [-1.08, +0.09] |
| ➖ | idle | memory utilization | -0.61 | [-0.64, -0.57] |
| ➖ | file_tree | memory utilization | -0.64 | [-0.72, -0.55] |
| ➖ | file_to_blackhole | % cpu utilization | -0.71 | [-7.25, +5.83] |
| ➖ | uds_dogstatsd_to_api_cpu | % cpu utilization | -1.36 | [-2.76, +0.05] |
Explanation
A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".
For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:
-
Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.
-
Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.
-
Its configuration does not mark it "erratic".
![pr-commenter[bot] avatar](https://avatars.githubusercontent.com/u/365230?v=4 "Published by a pub.dev verified publisher"){kind=small}
I think the
manager.OnCGroupDeletedEventfunction should use the profile selector ("*") instead of the one from the cgroup model parameter. Otherwise the manager fails to lookup the corresponding profile.
Thanks, good catch! Fixed in the last commit :)
Test changes on VM
Use this command from test-infra-definitions to manually test this PR changes on a VM:
inv create-vm --pipeline-id=30615551 --os-family=ubuntu
Regression Detector
Regression Detector Results
Run ID: 0976b264-6bbd-4e0b-bb34-8a8b9b6f15d1 Baseline: 8ac53d398b723c0dca29a37e201a7283d1fc1bed Comparison: 0b09e90135734d9063db47c09a633d7fdab76b7b
Performance changes are noted in the perf column of each table:
- ✅ = significantly better comparison variant performance
- ❌ = significantly worse comparison variant performance
- ➖ = no significant change in performance
No significant changes in experiment optimization goals
Confidence level: 90.00% Effect size tolerance: |Δ mean %| ≥ 5.00%
There were no significant changes in experiment optimization goals at this confidence level and effect size tolerance.
Experiments ignored for regressions
Regressions in experiments with settings containing erratic: true are ignored.
| perf | experiment | goal | Δ mean % | Δ mean % CI |
|---|---|---|---|---|
| ➖ | file_to_blackhole | % cpu utilization | +0.58 | [-5.76, +6.93] |
Fine details of change detection per experiment
| perf | experiment | goal | Δ mean % | Δ mean % CI |
|---|---|---|---|---|
| ➖ | pycheck_1000_100byte_tags | % cpu utilization | +1.24 | [-3.68, +6.15] |
| ➖ | file_to_blackhole | % cpu utilization | +0.58 | [-5.76, +6.93] |
| ➖ | uds_dogstatsd_to_api_cpu | % cpu utilization | +0.44 | [-2.27, +3.15] |
| ➖ | process_agent_standard_check_with_stats | memory utilization | +0.19 | [+0.15, +0.22] |
| ➖ | tcp_dd_logs_filter_exclude | ingress throughput | +0.05 | [+0.02, +0.08] |
| ➖ | trace_agent_json | ingress throughput | +0.00 | [-0.04, +0.04] |
| ➖ | uds_dogstatsd_to_api | ingress throughput | +0.00 | [-0.20, +0.20] |
| ➖ | process_agent_standard_check | memory utilization | -0.03 | [-0.06, +0.00] |
| ➖ | trace_agent_msgpack | ingress throughput | -0.03 | [-0.05, -0.02] |
| ➖ | idle | memory utilization | -0.22 | [-0.25, -0.18] |
| ➖ | basic_py_check | % cpu utilization | -0.26 | [-2.78, +2.26] |
| ➖ | otel_to_otel_logs | ingress throughput | -0.26 | [-0.69, +0.16] |
| ➖ | tcp_syslog_to_blackhole | ingress throughput | -0.41 | [-0.50, -0.33] |
| ➖ | process_agent_real_time_mode | memory utilization | -0.45 | [-0.48, -0.41] |
| ➖ | file_tree | memory utilization | -1.03 | [-1.11, -0.94] |
Explanation
A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".
For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:
-
Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.
-
Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.
-
Its configuration does not mark it "erratic".
:steam_locomotive: MergeQueue
This merge request is not mergeable yet, because of pending checks/missing approvals. It will be added to the queue as soon as checks pass and/or get approvals.
Note: if you pushed new commits since the last approval, you may need additional approval.
You can remove it from the waiting list with /remove command.
Use /merge -c to cancel this operation!
:steam_locomotive: MergeQueue
Added to the queue.
This build is next! (estimated merge in less than 28m)
Use /merge -c to cancel this operation!