runtime hooks support for tetragon #695
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
tpapagian
reviewed
Feb 13, 2023
tpapagian
approved these changes
Feb 13, 2023
kkourt
force-pushed
the
pr/kkourt/rt-hooks
branch
from
114f8a5 to
5258052
Compare
tixxdz
reviewed
Feb 17, 2023
This is intended for runtime hooks to pass information to the agent. In this patch we add a CreateContainer call so that the agent can be notified about the creation of a new container. - cgroupsPath: cgroups path - rootDir: root directory of the container - annotations: annotations for the container see https://github.com/opencontainers/runtime-spec/blob/main/config.md#annotations This patch modifies the proto definition and introduces stub functions The next patch will generate the necessary code from the proto file. Signed-off-by: Kornilios Kourtis <[email protected]>
generate code. Signed-off-by: Kornilios Kourtis <[email protected]>
This patch adds pkg/rthooks which can be used by sensors to add callbacks on RuntimeHookRequest (grpc) requests. There is a global runner, where sensors can register their callbacks. The server will serve the request by running all the callbacks registered in the runner, when a grpc request is issued. The callbacks have two arguments: - the grpc request itself - the k8s wathcer, that allows callbacks to retrieve k8s information as needed. For example, a callback may need to retrieve the namespaces or the labels of a pod when a container for that pod starts. Signed-off-by: Kornilios Kourtis <[email protected]>
This patch adds a create-container command to the tetra CLI, which will issue a CreateContainer grpc request to the agent. It's intended for testing/debugging so it's hidden from users. Signed-off-by: Kornilios Kourtis <[email protected]>
kkourt
force-pushed
the
pr/kkourt/rt-hooks
branch
from
5258052 to
5b82ba5
Compare
Updated description. The intended use is for OCI hooks, but that does not mean that we cannot use it from elsewhere. |
tixxdz
approved these changes
Feb 17, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR introduces a gRPC interface that can be used by run-time hooks to inform the tetragon agent about events such as container creation. Sensors can add hooks into these events so that they can be notified about them.