cleanup(sinsp)!: remove mesos and k8s filterchecks and move some k8s filtechecks under container.

CMakeLists.txt

@@ -45,7 +45,7 @@ endif()
 project(falcosecurity-libs)
 
 option(USE_BUNDLED_DEPS "Enable bundled dependencies instead of using the system ones" ON)
-option(MINIMAL_BUILD "Produce a minimal build with only the essential features (no kubernetes, no mesos, no marathon and no container metadata)" OFF)
+option(MINIMAL_BUILD "Produce a minimal build with only the essential features (no container metadata)" OFF)
 option(MUSL_OPTIMIZED_BUILD "Enable if you want a musl optimized build" OFF)
 option(USE_BUNDLED_DRIVER "Use the driver/ subdirectory in the build process (only available in Linux)" ON)
 option(ENABLE_DRIVERS_TESTS "Enable driver tests (bpf, kernel module, modern bpf)" OFF)

userspace/libsinsp/CMakeLists.txt

@@ -99,8 +99,6 @@ set(SINSP_SOURCES
 	sinsp_filtercheck_fspath.cpp
 	sinsp_filtercheck_gen_event.cpp
 	sinsp_filtercheck_group.cpp
-	sinsp_filtercheck_k8s.cpp
-	sinsp_filtercheck_mesos.cpp
 	sinsp_filtercheck_rawstring.cpp
 	sinsp_filtercheck_reference.cpp
 	sinsp_filtercheck_syslog.cpp

userspace/libsinsp/filter_check_list.cpp

@@ -121,8 +121,6 @@ sinsp_filter_check_list::sinsp_filter_check_list()
 	add_filter_check(new sinsp_filter_check_syslog());
 	add_filter_check(new sinsp_filter_check_utils());
 	add_filter_check(new sinsp_filter_check_fdlist());
-	add_filter_check(new sinsp_filter_check_k8s());
-	add_filter_check(new sinsp_filter_check_mesos());
 	add_filter_check(new sinsp_filter_check_tracer());
 	add_filter_check(new sinsp_filter_check_evtin());
 }

userspace/libsinsp/filterchecks.h

@@ -30,8 +30,6 @@ limitations under the License.
 #include "sinsp_filtercheck_fspath.h"
 #include "sinsp_filtercheck_gen_event.h"
 #include "sinsp_filtercheck_group.h"
-#include "sinsp_filtercheck_k8s.h"
-#include "sinsp_filtercheck_mesos.h"
 #include "sinsp_filtercheck_rawstring.h"
 #include "sinsp_filtercheck_reference.h"
 #include "sinsp_filtercheck_syslog.h"

userspace/libsinsp/sinsp.h

@@ -1205,7 +1205,7 @@ VISIBILITY_PRIVATE
 	std::vector<sinsp_protodecoder*> m_decoders_reset_list;
 
 	//
-	// meta event management for other sources like k8s, mesos.
+	// meta event management for other sources.
 	//
 	sinsp_evt* m_metaevt;
 	meta_event_callback m_meta_event_callback;
@@ -1360,8 +1360,6 @@ VISIBILITY_PRIVATE
 	friend class sinsp_worker;
 	friend class curses_textbox;
 	friend class sinsp_filter_check_fd;
-	friend class sinsp_filter_check_k8s;
-	friend class sinsp_filter_check_mesos;
 	friend class sinsp_filter_check_evtin;
 	friend class sinsp_baseliner;
 	friend class sinsp_memory_dumper;

userspace/libsinsp/sinsp_filtercheck_container.cpp

@@ -32,6 +32,27 @@ using namespace std;
         return (uint8_t*) (x).c_str(); \
 } while(0)
 
+// We use a macro to avoid a performance overhead, even using an inline function
+// we are not sure the compiler will inline it
+#define CHECK_LABEL_PRESENCE(x)                                                                                        \
+	if(is_host || !container_info)                                                                                 \
+	{                                                                                                              \
+		return nullptr;                                                                                           \
+	}                                                                                                              \
+	else                                                                                                           \
+	{                                                                                                              \
+		auto label = container_info->m_labels.find(x);                                                         \
+		if(label != container_info->m_labels.end())                                                            \
+		{                                                                                                      \
+			m_tstr = label->second;                                                                        \
+			RETURN_EXTRACT_STRING(m_tstr);                                                                 \
+		}                                                                                                      \
+		else                                                                                                   \
+		{                                                                                                      \
+			return nullptr;                                                                                   \
+		}                                                                                                      \
+	}
+
 static const filtercheck_field_info sinsp_filter_check_container_fields[] =
 {
 	{PT_CHARBUF, EPF_NONE, PF_NA, "container.id", "Container ID", "The truncated container id (first 12 characters)."},
@@ -57,6 +78,11 @@ static const filtercheck_field_info sinsp_filter_check_container_fields[] =
 	{PT_RELTIME, EPF_NONE, PF_DEC, "container.duration", "Number of nanoseconds since container.start_ts", "Number of nanoseconds since container.start_ts."},
 	{PT_CHARBUF, EPF_NONE, PF_NA, "container.ip", "Container ip address", "The container's / pod's primary ip address as retrieved from the container engine. Only ipv4 addresses are tracked. Consider container.cni.json (CRI use case) for logging ip addresses for each network interface."},
 	{PT_CHARBUF, EPF_NONE, PF_NA, "container.cni.json", "Container's / pod's CNI result json", "The container's / pod's CNI result field from the respective pod status info. It contains ip addresses for each network interface exposed as unparsed escaped JSON string. Supported for CRI container engine (containerd, cri-o runtimes), optimized for containerd (some non-critical JSON keys removed). Useful for tracking ips (ipv4 and ipv6, dual-stack support) for each network interface (multi-interface support)."},
+	{PT_CHARBUF, EPF_NONE, PF_NA, "container.k8s.pod.name", "Pod Name", "When the container belongs to a Kubernetes pod it provides the pod name."},
+	{PT_CHARBUF, EPF_NONE, PF_NA, "container.k8s.pod.id", "Pod ID", "When the container belongs to a Kubernetes pod it provides the pod id."},
+	{PT_CHARBUF, EPF_ARG_REQUIRED, PF_NA, "container.k8s.pod.label", "Pod Label", "When the container belongs to a Kubernetes pod it provides a specific pod label. 'container.k8s.pod.label[foo]'."},
+	{PT_CHARBUF, EPF_IS_LIST, PF_NA, "container.k8s.pod.labels", "Pod Labels", "When the container belongs to a Kubernetes pod it provides the pod comma-separated key/value labels. E.g. '(foo1:bar1,foo2:bar2)'."},
+	{PT_CHARBUF, EPF_NONE, PF_NA, "container.k8s.ns.name", "Pod Namespace Name", "When the container belongs to a Kubernetes pod it provides the pod namespace name."},
 };
 
 sinsp_filter_check_container::sinsp_filter_check_container()
@@ -73,34 +99,47 @@ sinsp_filter_check* sinsp_filter_check_container::allocate_new()
 	return (sinsp_filter_check*) new sinsp_filter_check_container();
 }
 
-int32_t sinsp_filter_check_container::extract_arg(const string &val, size_t basepos)
+int32_t sinsp_filter_check_container::extract_arg(const std::string& val, size_t basepos, container_arg_type type)
 {
 	size_t start = val.find_first_of('[', basepos);
 	if(start == string::npos)
 	{
-		throw sinsp_exception("filter syntax error: " + val);
+		throw sinsp_exception("the field '" + val + "' requires an argument but '[' is not found");
 	}
 
 	size_t end = val.find_first_of(']', start);
 	if(end == string::npos)
 	{
-		throw sinsp_exception("filter syntax error: " + val);
+		throw sinsp_exception("the field '" + val + "' requires an argument but ']' is not found");
 	}
 
-	string numstr = val.substr(start + 1, end-start-1);
-	try
-	{
-		m_argid = sinsp_numparser::parsed32(numstr);
-	}
-	catch (const sinsp_exception& e)
+	string str = val.substr(start + 1, end-start-1);
+
+	if(type == container_arg_type::TYPE_S32)
 	{
-		if(strstr(e.what(), "is not a valid number") == NULL)
+		try
 		{
-			throw;
+			m_argid = sinsp_numparser::parsed32(str);
 		}
+		catch (const sinsp_exception& e)
+		{
+			if(strstr(e.what(), "is not a valid number") == NULL)
+			{
+				throw;
+			}
 
-		m_argid = -1;
-		m_argstr = numstr;
+			m_argid = -1;
+			m_argstr = str;
+		}
+	}
+	else if(type == container_arg_type::TYPE_STRING)
+	{
+		m_argstr = str;
+	}
+	else
+	{
+		ASSERT(false);
+		throw sinsp_exception("argument type unknown during 'sinsp_filter_check_container::extract_arg'");
 	}
 
 	return end+1;
@@ -149,15 +188,25 @@ int32_t sinsp_filter_check_container::parse_field_name(const char* str, bool all
 		}
 		m_field = &m_info.m_fields[m_field_id];
 
-		res = extract_arg(val, basepos);
+		res = extract_arg(val, basepos, container_arg_type::TYPE_S32);
 	}
 	else if (val.find("container.mount") == 0 &&
 		 val[basepos-1] != 's')
 	{
 		m_field_id = TYPE_CONTAINER_MOUNT;
 		m_field = &m_info.m_fields[m_field_id];
 
-		res = extract_arg(val, basepos-1);
+		res = extract_arg(val, basepos-1, container_arg_type::TYPE_S32);
+	}
+	// We need to check that is `pod.label` and not `pod.labels`
+	else if(val.find("container.k8s.pod.label") == 0 &&
+		 val[sizeof("container.k8s.pod.label")-1] != 's')
+	{
+		m_field_id = TYPE_CONTAINER_K8S_POD_LABEL;
+		m_field = &m_info.m_fields[m_field_id];
+
+		// We don't need to check the return value, if no arg was specified we throw an exception
+		res = extract_arg(val, sizeof("container.k8s.pod.label")-1, container_arg_type::TYPE_STRING);
 	}
 	else
 	{
@@ -574,10 +623,121 @@ uint8_t* sinsp_filter_check_container::extract(sinsp_evt *evt, OUT uint32_t* len
 			RETURN_EXTRACT_STRING(container_info->m_pod_cniresult);
 		}
 		break;
+	case TYPE_CONTAINER_K8S_POD_NAME:
+		CHECK_LABEL_PRESENCE("io.kubernetes.pod.name");
+		break;
+	case TYPE_CONTAINER_K8S_POD_ID:
+		CHECK_LABEL_PRESENCE("io.kubernetes.pod.uid");
+		break;
+	case TYPE_CONTAINER_K8S_POD_LABEL:
+		if(is_host || !container_info)
+		{
+			return nullptr;
+		}
+		else
+		{
+			auto label = container_info->m_labels.find("io.kubernetes.sandbox.id");
+			if(label == container_info->m_labels.end())
+			{
+				return nullptr;
+			}
+
+			std::string sandbox_container_id = label->second;
+			if(sandbox_container_id.size() > 12)
+			{
+				sandbox_container_id.resize(12);
+			}
+			const auto sandbox_container_info = m_inspector->m_container_manager.get_container(sandbox_container_id);
+			if(!sandbox_container_info || sandbox_container_info->m_labels.empty())
+			{
+				return nullptr;
+			}
+
+			label = sandbox_container_info->m_labels.find(m_argstr);
+			if(label == sandbox_container_info->m_labels.end())
+			{
+				return nullptr;
+			}
+			m_tstr = label->second;
+			RETURN_EXTRACT_STRING(m_tstr);
+		}
+		break;
+	case TYPE_CONTAINER_K8S_NS_NAME:
+		CHECK_LABEL_PRESENCE("io.kubernetes.pod.namespace");
+		break;
 	default:
 		ASSERT(false);
 		break;
 	}
 
 	return NULL;
 }
+
+bool sinsp_filter_check_container::extract(sinsp_evt* evt, OUT std::vector<extract_value_t>& values,
+					   bool sanitize_strings)
+{
+	values.clear();
+
+	// `TYPE_CONTAINER_K8S_POD_LABELS` has the `EPF_IS_LIST` flag.
+	if(m_field_id == TYPE_CONTAINER_K8S_POD_LABELS)
+	{
+		sinsp_threadinfo* tinfo = evt->get_thread_info();
+		// Without the container id we can do nothing
+		if(tinfo == nullptr || tinfo->m_container_id.empty())
+		{
+			return false;
+		}
+
+		auto container_info = m_inspector->m_container_manager.get_container(tinfo->m_container_id);
+
+		if(container_info == nullptr)
+		{
+			return false;
+		}
+
+		// We need the label `io.kubernetes.sandbox.id` to extract pod labels.
+		auto sandbox_label = container_info->m_labels.find("io.kubernetes.sandbox.id");
+		if(sandbox_label == container_info->m_labels.end())
+		{
+			return false;
+		}
+
+		std::string sandbox_container_id = sandbox_label->second;
+		if(sandbox_container_id.size() > 12)
+		{
+			sandbox_container_id.resize(12);
+		}
+		const auto sandbox_container_info =
+			m_inspector->m_container_manager.get_container(sandbox_container_id);
+
+		if(sandbox_container_info == nullptr || sandbox_container_info->m_labels.empty())
+		{
+			return false;
+		}
+
+		// Clean a possible not empty storage
+		m_labels_storage.clear();
+		for(const auto& label : sandbox_container_info->m_labels)
+		{
+			// Exclude annotations and internal labels
+			if(label.first.find("annotation.") == 0 || label.first.find("io.kubernetes.") == 0)
+			{
+				continue;
+			}
+
+			// We use a storage because these strings should survive until the next filtercheck call.
+			m_labels_storage.emplace_back(label.first + ":" + label.second);
+		}
+
+		for(const auto& label : m_labels_storage)
+		{
+			extract_value_t val;
+			val.ptr = (uint8_t*)label.c_str();
+			val.len = label.size();
+			values.emplace_back(val);
+		}
+		return true;
+	}
+
+	return sinsp_filter_check::extract(evt, values, sanitize_strings);
+}

userspace/libsinsp/sinsp_filtercheck_container.h

@@ -51,17 +51,32 @@ class sinsp_filter_check_container : public sinsp_filter_check
 		TYPE_CONTAINER_DURATION,
 		TYPE_CONTAINER_IP_ADDR,
 		TYPE_CONTAINER_CNIRESULT,
+		TYPE_CONTAINER_K8S_POD_NAME,
+		TYPE_CONTAINER_K8S_POD_ID,
+		TYPE_CONTAINER_K8S_POD_LABEL,
+		TYPE_CONTAINER_K8S_POD_LABELS,
+		TYPE_CONTAINER_K8S_NS_NAME,
+	};
+
+	enum container_arg_type {
+		TYPE_S32,
+		TYPE_STRING
 	};
 
 	sinsp_filter_check_container();
 	sinsp_filter_check* allocate_new();
 	uint8_t* extract(sinsp_evt *evt, OUT uint32_t* len, bool sanitize_strings = true);
+	// This is needed to extract arguments with `EPF_IS_LIST` flags
+	bool extract(sinsp_evt *evt, OUT std::vector<extract_value_t>& values, bool sanitize_strings = true);
 
 	const std::string &get_argstr();
 private:
 	int32_t parse_field_name(const char* str, bool alloc_state, bool needed_for_filtering);
-	int32_t extract_arg(const std::string& val, size_t basename);
+	int32_t extract_arg(const std::string& val, size_t basepos, container_arg_type type);
 
+	// This vector is used to save the concatenated labels (`key:value`)
+	// between invocations of `TYPE_CONTAINER_K8S_POD_LABELS` filtercheck.
+	std::vector<std::string> m_labels_storage;
 	std::string m_tstr;
 	uint32_t m_u32val;
 	int32_t m_argid;