
Update K8s features

Open monrax opened this issue 2 years ago • 3 comments

feat(capture): add option to prevent any packet capture when no pods match given k8s schema.

When there aren't any pods that match the given k8s:// schema, the BPF filter is updated to reflect the fact that there aren't any IPs/hosts to match, and instead it matches ports only. This could lead to capturing undesired packets from non-matching pods that use the same port. A boolean flag is introduced as an option to enable/disable this behavior. It is disabled by default by updating the BPF filter to match no packets.

monrax avatar Mar 08 '22 22:03 monrax

Kudos, SonarCloud Quality Gate passed!

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 7 Code Smells

No Coverage information
0.0% Duplication

sonarqubecloud[bot] avatar Apr 07 '22 14:04 sonarqubecloud[bot]

I went ahead and added more features for K8s:

  • Now, there is support to capture from pods that are selected by a given service (this can be specified with k8s://[namespace/]service/[service_name]).
  • A new service discovery feature is introduced. Here, all services in a given namespace (or in all namespaces if no namespace is specified) are listed. Then, get the pods selected by each service by iterating over each service. The options input-raw-k8s-skip-svc and input-raw-k8s-skip-ns are now available to skip specific services and namespaces from this discovery process.
  • Port discovery is now available. If no ports are passed and --input-raw k8s:// is used, the ports exposed by each pod to capture from are obtained and appended to the listener's ports accordingly.
  • Check for interfaces prefixed with "veth" was removed, as this might not always be the case. Instead --input-raw-ignore-interface can still be used to avoid specific interfaces altogether.
  • The option for the boolean flag from the previous commit has been renamed input-raw-k8s-nomatch-nocap and it is false by default. This means, the expected behavior from gor will still be the same, except if this option is passed. If this option is passed and k8s:// is used, the following BPF filter will be returned when no IPs are found: not (ip or ip6 or arp or rarp or decnet or tcp or udp). This will prevent capture until a pod matching the given specification becomes available.
  • Scaffolding for future improvements for deployment, daemonset, and deployment discovery can be found in each corresponding section as comments.

monrax avatar Apr 07 '22 15:04 monrax
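
The no-match fallback described in the comment above, modelled as an added Go example that is not goreplay's own code. The filter type, newFilter, captures, the sample IPs and port, and the layout of the rendered expression are assumptions; only the match-nothing expression and the nomatch-nocap option come from the thread.

```go
package main

import (
	"fmt"
	"strings"
)

// filter is a hypothetical, simplified model of the capture filter.
type filter struct {
	hosts, ports []string // pod IPs from the k8s:// selector; listener ports
	nothing      bool     // no pod matched and nomatch-nocap was set
}

// newFilter models the fallback when the selector resolves to no pod IPs.
func newFilter(podIPs, ports []string, noMatchNoCap bool) filter {
	return filter{podIPs, ports, len(podIPs) == 0 && noMatchNoCap}
}

// String renders an equivalent pcap expression (layout is illustrative).
func (f filter) String() string {
	if f.nothing { // match-nothing expression quoted in the comment above
		return "not (ip or ip6 or arp or rarp or decnet or tcp or udp)"
	}
	expr := "tcp"
	if len(f.hosts) > 0 {
		expr += " and (host " + strings.Join(f.hosts, " or host ") + ")"
	}
	if len(f.ports) > 0 {
		expr += " and (port " + strings.Join(f.ports, " or port ") + ")"
	}
	return expr
}

// captures reports whether a TCP packet involving ip:port would match;
// an empty host or port list places no constraint on that field.
func (f filter) captures(ip, port string) bool {
	in := func(xs []string, x string) bool {
		for _, v := range xs {
			if v == x {
				return true
			}
		}
		return len(xs) == 0
	}
	return !f.nothing && in(f.hosts, ip) && in(f.ports, port)
}

func main() {
	fmt.Println(newFilter(nil, []string{"8080"}, false), "|", newFilter(nil, []string{"8080"}, true))
}
```

With no pod IPs and the option unset, captures("10.0.0.9", "8080") is true for a pod outside the selector (constructed address); with the option set it is false until a matching pod IP is present.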

Kudos, SonarCloud Quality Gate passed!

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 7 Code Smells

No Coverage information
0.0% Duplication

sonarqubecloud[bot] avatar Jul 21 '22 13:07 sonarqubecloud[bot]