filters: Implement policy name filter

Extend the list of filters with a new one to support filtering events based on the name of a tracing policy. Closes #1855 Signed-off-by: Ioannis Androulidakis <[email protected]>
cilium · Dec 20, 2023 · 8ad79e5 · 8ad79e5
1 parent be4801b
commit 8ad79e5
Show file tree

Hide file tree

Showing 16 changed files with 584 additions and 329 deletions.
diff --git a/api/v1/README.md b/api/v1/README.md
@@ -1085,6 +1085,7 @@ AggregationOptions defines configuration options for aggregating events.
 | pod_regex | [string](#string) | repeated | Filter by process.pod.name field using RE2 regular expression syntax: https://github.com/google/re2/wiki/Syntax |
 | arguments_regex | [string](#string) | repeated | Filter by process.arguments field using RE2 regular expression syntax: https://github.com/google/re2/wiki/Syntax |
 | labels | [string](#string) | repeated | Filter events by pod labels using Kubernetes label selector syntax: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors Note that this filter never matches events without the pod field (i.e. host process events). |
+| policy_names | [string](#string) | repeated | Filter events by tracing policy names https://tetragon.io/docs/concepts/tracing-policy/ |
 
 
 
@@ -1176,7 +1177,7 @@ GetEventsResponse event oneof.
 <a name="tetragon-FieldFilterAction"></a>
 
 ### FieldFilterAction
-Determins the behaviour of a field filter
+Determines the behavior of a field filter
 
 | Name | Number | Description |
 | ---- | ------ | ----------- |

diff --git a/api/v1/tetragon/codegen/helpers/helpers.pb.go b/api/v1/tetragon/codegen/helpers/helpers.pb.go
diff --git a/api/v1/tetragon/events.pb.go b/api/v1/tetragon/events.pb.go
diff --git a/api/v1/tetragon/events.proto b/api/v1/tetragon/events.proto
@@ -51,9 +51,12 @@ message Filter {
     // Note that this filter never matches events without the pod field (i.e.
     // host process events).
     repeated string labels = 9;
+    // Filter events by tracing policy names
+    // https://tetragon.io/docs/concepts/tracing-policy/
+    repeated string policy_names = 10;
 }
 
-// Determins the behaviour of a field filter
+// Determines the behavior of a field filter
 enum FieldFilterAction {
     INCLUDE = 0;
     EXCLUDE = 1;

diff --git a/cmd/protoc-gen-go-tetragon/common/common.go b/cmd/protoc-gen-go-tetragon/common/common.go
@@ -90,6 +90,11 @@ func ProcessIdent(g *protogen.GeneratedFile) string {
 	return GoIdent(g, importPath, "Process")
 }
 
+func ProcessKprobeIdent(g *protogen.GeneratedFile) string {
+	importPath := filepath.Join("github.com/cilium/tetragon/api/v1/tetragon")
+	return GoIdent(g, importPath, "ProcessKprobe")
+}
+
 func ListMatcherIdent(g *protogen.GeneratedFile, name string) string {
 	importPath := filepath.Join("github.com/cilium/tetragon/pkg/matchers/listmatcher")
 	return GoIdent(g, importPath, name)

diff --git a/cmd/protoc-gen-go-tetragon/helpers/helpers.go b/cmd/protoc-gen-go-tetragon/helpers/helpers.go
@@ -110,6 +110,22 @@ func generateResponseInnerGetProcess(g *protogen.GeneratedFile, files []*protoge
 	return nil
 }
 
+func generateResponseGetProcessKprobe(g *protogen.GeneratedFile) error {
+	processKprobe := common.ProcessKprobeIdent(g)
+	tetragonGER := common.TetragonApiIdent(g, "GetEventsResponse")
+
+	g.P(`// ResponseGetProcessKprobe returns a GetEventsResponse's process if it exists
+    func ResponseGetProcessKprobe(response *` + tetragonGER + `) *` + processKprobe + ` {
+        if response == nil {
+            return nil
+        }
+
+		return response.GetProcessKprobe()
+	 }`)
+
+	return nil
+}
+
 func generateResponseGetParent(g *protogen.GeneratedFile) error {
 	tetragonProcess := common.ProcessIdent(g)
 	tetragonGER := common.TetragonApiIdent(g, "GetEventsResponse")
@@ -185,6 +201,10 @@ func Generate(gen *protogen.Plugin, files []*protogen.File) error {
 		return err
 	}
 
+	if err := generateResponseGetProcessKprobe(g); err != nil {
+		return err
+	}
+
 	if err := generateResponseGetParent(g); err != nil {
 		return err
 	}

diff --git a/cmd/tetra/getevents/getevents.go b/cmd/tetra/getevents/getevents.go
@@ -53,6 +53,7 @@ type Opts struct {
 	Timestamps    bool
 	TTYEncode     string
 	StackTraces   bool
+	PolicyNames   []string
 }
 
 var Options Opts
@@ -97,6 +98,10 @@ var GetFilter = func() *tetragon.Filter {
 			filter.EventSet = append(filter.EventSet, eventType)
 		}
 	}
+	if len(Options.PolicyNames) > 0 {
+		filter.PolicyNames = Options.PolicyNames
+	}
+
 	return &filter
 }
 
@@ -214,5 +219,6 @@ func New() *cobra.Command {
 	flags.BoolVar(&Options.Timestamps, "timestamps", false, "Include timestamps in compact output")
 	flags.StringVarP(&Options.TTYEncode, "tty-encode", "t", "", "Encode terminal data by file path (all other events will be ignored)")
 	flags.BoolVar(&Options.StackTraces, "stack-traces", true, "Include stack traces in compact output")
+	flags.StringSliceVar(&Options.PolicyNames, "policy-names", nil, "Get events by tracing policy names")
 	return &cmd
 }