diff --git a/api/v1/README.md b/api/v1/README.md
index 34fee45685f..39d3b247317 100644
--- a/api/v1/README.md
+++ b/api/v1/README.md
@@ -68,12 +68,18 @@
- [Filter](#tetragon-Filter)
- [GetEventsRequest](#tetragon-GetEventsRequest)
- [GetEventsResponse](#tetragon-GetEventsResponse)
+ - [ProcessRuntimeSecurity](#tetragon-ProcessRuntimeSecurity)
- [ProcessThrottle](#tetragon-ProcessThrottle)
- [RateLimitInfo](#tetragon-RateLimitInfo)
- [RedactionFilter](#tetragon-RedactionFilter)
+ - [RuntimeSecurityExecution](#tetragon-RuntimeSecurityExecution)
+ - [RuntimeSecurityPolicy](#tetragon-RuntimeSecurityPolicy)
+ - [RuntimeSecurityRule](#tetragon-RuntimeSecurityRule)
- [EventType](#tetragon-EventType)
- [FieldFilterAction](#tetragon-FieldFilterAction)
+ - [RuntimeSecurityRuleAction](#tetragon-RuntimeSecurityRuleAction)
+ - [RuntimeSecurityRuleType](#tetragon-RuntimeSecurityRuleType)
- [ThrottleType](#tetragon-ThrottleType)
- [tetragon/stack.proto](#tetragon_stack-proto)
@@ -1293,6 +1299,7 @@ Capability set to filter over. NOTE: you may specify only ONE set here.
| process_loader | [ProcessLoader](#tetragon-ProcessLoader) | | |
| process_uprobe | [ProcessUprobe](#tetragon-ProcessUprobe) | | |
| process_throttle | [ProcessThrottle](#tetragon-ProcessThrottle) | | |
+| process_runtime_security | [ProcessRuntimeSecurity](#tetragon-ProcessRuntimeSecurity) | | |
| test | [Test](#tetragon-Test) | | |
| rate_limit_info | [RateLimitInfo](#tetragon-RateLimitInfo) | | |
| node_name | [string](#string) | | Name of the node where this event was observed. |
@@ -1304,6 +1311,24 @@ Capability set to filter over. NOTE: you may specify only ONE set here.
+
+
+### ProcessRuntimeSecurity
+
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| process | [Process](#tetragon-Process) | | Process that triggered the exec. |
+| parent | [Process](#tetragon-Process) | | Immediate parent of the process. |
+| policy | [RuntimeSecurityPolicy](#tetragon-RuntimeSecurityPolicy) | | RuntimeSecurityPolicy associated with that event. |
+| rule | [RuntimeSecurityRule](#tetragon-RuntimeSecurityRule) | | Rule is the rule that triggered that event from the RuntimeSecurityPolicy. |
+
+
+
+
+
+
### ProcessThrottle
@@ -1351,6 +1376,54 @@ Capability set to filter over. NOTE: you may specify only ONE set here.
+
+
+
+### RuntimeSecurityExecution
+
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| path | [string](#string) | | Path of the binary that triggered the execution rule. |
+
+
+
+
+
+
+
+
+### RuntimeSecurityPolicy
+
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| name | [string](#string) | | Name of the RuntimeSecurityPolicy associated with that event. |
+| namespace | [string](#string) | | Namespace of the RuntimeSecurityPolicy associated with that event. |
+
+
+
+
+
+
+
+
+### RuntimeSecurityRule
+
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| type | [RuntimeSecurityRuleType](#tetragon-RuntimeSecurityRuleType) | | Type of the rule that triggered this event. |
+| action | [RuntimeSecurityRuleAction](#tetragon-RuntimeSecurityRuleAction) | | Action of the rule that triggered this event. |
+| execution | [RuntimeSecurityExecution](#tetragon-RuntimeSecurityExecution) | | Execution is set if the rule type is Execution and provide details specific to execution. |
+
+
+
+
+
@@ -1372,6 +1445,7 @@ GetEventsResponse event oneof.
| PROCESS_LOADER | 11 | |
| PROCESS_UPROBE | 12 | |
| PROCESS_THROTTLE | 27 | |
+| PROCESS_RUNTIME_SECURITY | 28 | |
| TEST | 40000 | |
| RATE_LIMIT_INFO | 40001 | |
@@ -1389,6 +1463,31 @@ Determines the behavior of a field filter
+
+
+### RuntimeSecurityRuleAction
+
+
+| Name | Number | Description |
+| ---- | ------ | ----------- |
+| RUNTIME_SECURITY_ACTION_UNSPECIFIED | 0 | |
+| RUNTIME_SECURITY_ACTION_AUDIT | 1 | |
+| RUNTIME_SECURITY_ACTION_BLOCK | 2 | |
+
+
+
+
+
+### RuntimeSecurityRuleType
+
+
+| Name | Number | Description |
+| ---- | ------ | ----------- |
+| RUNTIME_SECURITY_TYPE_UNSPECIFIED | 0 | |
+| RUNTIME_SECURITY_TYPE_EXECUTION | 1 | |
+
+
+
### ThrottleType
diff --git a/api/v1/tetragon/codegen/eventchecker/eventchecker.pb.go b/api/v1/tetragon/codegen/eventchecker/eventchecker.pb.go
index 7d5f8e8c5ca..dd7bee1b7dd 100644
--- a/api/v1/tetragon/codegen/eventchecker/eventchecker.pb.go
+++ b/api/v1/tetragon/codegen/eventchecker/eventchecker.pb.go
@@ -282,6 +282,8 @@ func CheckerFromEvent(event Event) (EventChecker, error) {
return NewRateLimitInfoChecker("").FromRateLimitInfo(ev), nil
case *tetragon.ProcessThrottle:
return NewProcessThrottleChecker("").FromProcessThrottle(ev), nil
+ case *tetragon.ProcessRuntimeSecurity:
+ return NewProcessRuntimeSecurityChecker("").FromProcessRuntimeSecurity(ev), nil
default:
return nil, fmt.Errorf("Unhandled event type %T", event)
@@ -344,6 +346,8 @@ func EventFromResponse(response *tetragon.GetEventsResponse) (Event, error) {
return ev.RateLimitInfo, nil
case *tetragon.GetEventsResponse_ProcessThrottle:
return ev.ProcessThrottle, nil
+ case *tetragon.GetEventsResponse_ProcessRuntimeSecurity:
+ return ev.ProcessRuntimeSecurity, nil
default:
return nil, fmt.Errorf("Unknown event type %T", response.Event)
@@ -2050,6 +2054,126 @@ func (checker *ProcessThrottleChecker) FromProcessThrottle(event *tetragon.Proce
return checker
}
+// ProcessRuntimeSecurityChecker implements a checker struct to check a ProcessRuntimeSecurity event
+type ProcessRuntimeSecurityChecker struct {
+ CheckerName string `json:"checkerName"`
+ Process *ProcessChecker `json:"process,omitempty"`
+ Parent *ProcessChecker `json:"parent,omitempty"`
+ Policy *RuntimeSecurityPolicyChecker `json:"policy,omitempty"`
+ Rule *RuntimeSecurityRuleChecker `json:"rule,omitempty"`
+}
+
+// CheckEvent checks a single event and implements the EventChecker interface
+func (checker *ProcessRuntimeSecurityChecker) CheckEvent(event Event) error {
+ if ev, ok := event.(*tetragon.ProcessRuntimeSecurity); ok {
+ return checker.Check(ev)
+ }
+ return fmt.Errorf("%s: %T is not a ProcessRuntimeSecurity event", CheckerLogPrefix(checker), event)
+}
+
+// CheckResponse checks a single gRPC response and implements the EventChecker interface
+func (checker *ProcessRuntimeSecurityChecker) CheckResponse(response *tetragon.GetEventsResponse) error {
+ event, err := EventFromResponse(response)
+ if err != nil {
+ return err
+ }
+ return checker.CheckEvent(event)
+}
+
+// NewProcessRuntimeSecurityChecker creates a new ProcessRuntimeSecurityChecker
+func NewProcessRuntimeSecurityChecker(name string) *ProcessRuntimeSecurityChecker {
+ return &ProcessRuntimeSecurityChecker{CheckerName: name}
+}
+
+// Get the name associated with the checker
+func (checker *ProcessRuntimeSecurityChecker) GetCheckerName() string {
+ return checker.CheckerName
+}
+
+// Get the type of the checker as a string
+func (checker *ProcessRuntimeSecurityChecker) GetCheckerType() string {
+ return "ProcessRuntimeSecurityChecker"
+}
+
+// Check checks a ProcessRuntimeSecurity event
+func (checker *ProcessRuntimeSecurityChecker) Check(event *tetragon.ProcessRuntimeSecurity) error {
+ if event == nil {
+ return fmt.Errorf("%s: ProcessRuntimeSecurity event is nil", CheckerLogPrefix(checker))
+ }
+
+ fieldChecks := func() error {
+ if checker.Process != nil {
+ if err := checker.Process.Check(event.Process); err != nil {
+ return fmt.Errorf("Process check failed: %w", err)
+ }
+ }
+ if checker.Parent != nil {
+ if err := checker.Parent.Check(event.Parent); err != nil {
+ return fmt.Errorf("Parent check failed: %w", err)
+ }
+ }
+ if checker.Policy != nil {
+ if err := checker.Policy.Check(event.Policy); err != nil {
+ return fmt.Errorf("Policy check failed: %w", err)
+ }
+ }
+ if checker.Rule != nil {
+ if err := checker.Rule.Check(event.Rule); err != nil {
+ return fmt.Errorf("Rule check failed: %w", err)
+ }
+ }
+ return nil
+ }
+ if err := fieldChecks(); err != nil {
+ return fmt.Errorf("%s: %w", CheckerLogPrefix(checker), err)
+ }
+ return nil
+}
+
+// WithProcess adds a Process check to the ProcessRuntimeSecurityChecker
+func (checker *ProcessRuntimeSecurityChecker) WithProcess(check *ProcessChecker) *ProcessRuntimeSecurityChecker {
+ checker.Process = check
+ return checker
+}
+
+// WithParent adds a Parent check to the ProcessRuntimeSecurityChecker
+func (checker *ProcessRuntimeSecurityChecker) WithParent(check *ProcessChecker) *ProcessRuntimeSecurityChecker {
+ checker.Parent = check
+ return checker
+}
+
+// WithPolicy adds a Policy check to the ProcessRuntimeSecurityChecker
+func (checker *ProcessRuntimeSecurityChecker) WithPolicy(check *RuntimeSecurityPolicyChecker) *ProcessRuntimeSecurityChecker {
+ checker.Policy = check
+ return checker
+}
+
+// WithRule adds a Rule check to the ProcessRuntimeSecurityChecker
+func (checker *ProcessRuntimeSecurityChecker) WithRule(check *RuntimeSecurityRuleChecker) *ProcessRuntimeSecurityChecker {
+ checker.Rule = check
+ return checker
+}
+
+//FromProcessRuntimeSecurity populates the ProcessRuntimeSecurityChecker using data from a ProcessRuntimeSecurity event
+func (checker *ProcessRuntimeSecurityChecker) FromProcessRuntimeSecurity(event *tetragon.ProcessRuntimeSecurity) *ProcessRuntimeSecurityChecker {
+ if event == nil {
+ return checker
+ }
+ if event.Process != nil {
+ checker.Process = NewProcessChecker().FromProcess(event.Process)
+ }
+ if event.Parent != nil {
+ checker.Parent = NewProcessChecker().FromProcess(event.Parent)
+ }
+ if event.Policy != nil {
+ checker.Policy = NewRuntimeSecurityPolicyChecker().FromRuntimeSecurityPolicy(event.Policy)
+ }
+ if event.Rule != nil {
+ checker.Rule = NewRuntimeSecurityRuleChecker().FromRuntimeSecurityRule(event.Rule)
+ }
+ return checker
+}
+
// ImageChecker implements a checker struct to check a Image field
type ImageChecker struct {
Id *stringmatcher.StringMatcher `json:"id,omitempty"`
@@ -6308,6 +6432,199 @@ func (checker *StackTraceEntryChecker) FromStackTraceEntry(event *tetragon.Stack
return checker
}
+// RuntimeSecurityPolicyChecker implements a checker struct to check a RuntimeSecurityPolicy field
+type RuntimeSecurityPolicyChecker struct {
+ Name *stringmatcher.StringMatcher `json:"name,omitempty"`
+ Namespace *stringmatcher.StringMatcher `json:"namespace,omitempty"`
+}
+
+// NewRuntimeSecurityPolicyChecker creates a new RuntimeSecurityPolicyChecker
+func NewRuntimeSecurityPolicyChecker() *RuntimeSecurityPolicyChecker {
+ return &RuntimeSecurityPolicyChecker{}
+}
+
+// Get the type of the checker as a string
+func (checker *RuntimeSecurityPolicyChecker) GetCheckerType() string {
+ return "RuntimeSecurityPolicyChecker"
+}
+
+// Check checks a RuntimeSecurityPolicy field
+func (checker *RuntimeSecurityPolicyChecker) Check(event *tetragon.RuntimeSecurityPolicy) error {
+ if event == nil {
+ return fmt.Errorf("%s: RuntimeSecurityPolicy field is nil", CheckerLogPrefix(checker))
+ }
+
+ fieldChecks := func() error {
+ if checker.Name != nil {
+ if err := checker.Name.Match(event.Name); err != nil {
+ return fmt.Errorf("Name check failed: %w", err)
+ }
+ }
+ if checker.Namespace != nil {
+ if err := checker.Namespace.Match(event.Namespace); err != nil {
+ return fmt.Errorf("Namespace check failed: %w", err)
+ }
+ }
+ return nil
+ }
+ if err := fieldChecks(); err != nil {
+ return fmt.Errorf("%s: %w", CheckerLogPrefix(checker), err)
+ }
+ return nil
+}
+
+// WithName adds a Name check to the RuntimeSecurityPolicyChecker
+func (checker *RuntimeSecurityPolicyChecker) WithName(check *stringmatcher.StringMatcher) *RuntimeSecurityPolicyChecker {
+ checker.Name = check
+ return checker
+}
+
+// WithNamespace adds a Namespace check to the RuntimeSecurityPolicyChecker
+func (checker *RuntimeSecurityPolicyChecker) WithNamespace(check *stringmatcher.StringMatcher) *RuntimeSecurityPolicyChecker {
+ checker.Namespace = check
+ return checker
+}
+
+//FromRuntimeSecurityPolicy populates the RuntimeSecurityPolicyChecker using data from a RuntimeSecurityPolicy field
+func (checker *RuntimeSecurityPolicyChecker) FromRuntimeSecurityPolicy(event *tetragon.RuntimeSecurityPolicy) *RuntimeSecurityPolicyChecker {
+ if event == nil {
+ return checker
+ }
+ checker.Name = stringmatcher.Full(event.Name)
+ checker.Namespace = stringmatcher.Full(event.Namespace)
+ return checker
+}
+
+// RuntimeSecurityExecutionChecker implements a checker struct to check a RuntimeSecurityExecution field
+type RuntimeSecurityExecutionChecker struct {
+ Path *stringmatcher.StringMatcher `json:"path,omitempty"`
+}
+
+// NewRuntimeSecurityExecutionChecker creates a new RuntimeSecurityExecutionChecker
+func NewRuntimeSecurityExecutionChecker() *RuntimeSecurityExecutionChecker {
+ return &RuntimeSecurityExecutionChecker{}
+}
+
+// Get the type of the checker as a string
+func (checker *RuntimeSecurityExecutionChecker) GetCheckerType() string {
+ return "RuntimeSecurityExecutionChecker"
+}
+
+// Check checks a RuntimeSecurityExecution field
+func (checker *RuntimeSecurityExecutionChecker) Check(event *tetragon.RuntimeSecurityExecution) error {
+ if event == nil {
+ return fmt.Errorf("%s: RuntimeSecurityExecution field is nil", CheckerLogPrefix(checker))
+ }
+
+ fieldChecks := func() error {
+ if checker.Path != nil {
+ if err := checker.Path.Match(event.Path); err != nil {
+ return fmt.Errorf("Path check failed: %w", err)
+ }
+ }
+ return nil
+ }
+ if err := fieldChecks(); err != nil {
+ return fmt.Errorf("%s: %w", CheckerLogPrefix(checker), err)
+ }
+ return nil
+}
+
+// WithPath adds a Path check to the RuntimeSecurityExecutionChecker
+func (checker *RuntimeSecurityExecutionChecker) WithPath(check *stringmatcher.StringMatcher) *RuntimeSecurityExecutionChecker {
+ checker.Path = check
+ return checker
+}
+
+//FromRuntimeSecurityExecution populates the RuntimeSecurityExecutionChecker using data from a RuntimeSecurityExecution field
+func (checker *RuntimeSecurityExecutionChecker) FromRuntimeSecurityExecution(event *tetragon.RuntimeSecurityExecution) *RuntimeSecurityExecutionChecker {
+ if event == nil {
+ return checker
+ }
+ checker.Path = stringmatcher.Full(event.Path)
+ return checker
+}
+
+// RuntimeSecurityRuleChecker implements a checker struct to check a RuntimeSecurityRule field
+type RuntimeSecurityRuleChecker struct {
+ Type *RuntimeSecurityRuleTypeChecker `json:"type,omitempty"`
+ Action *RuntimeSecurityRuleActionChecker `json:"action,omitempty"`
+ Execution *RuntimeSecurityExecutionChecker `json:"execution,omitempty"`
+}
+
+// NewRuntimeSecurityRuleChecker creates a new RuntimeSecurityRuleChecker
+func NewRuntimeSecurityRuleChecker() *RuntimeSecurityRuleChecker {
+ return &RuntimeSecurityRuleChecker{}
+}
+
+// Get the type of the checker as a string
+func (checker *RuntimeSecurityRuleChecker) GetCheckerType() string {
+ return "RuntimeSecurityRuleChecker"
+}
+
+// Check checks a RuntimeSecurityRule field
+func (checker *RuntimeSecurityRuleChecker) Check(event *tetragon.RuntimeSecurityRule) error {
+ if event == nil {
+ return fmt.Errorf("%s: RuntimeSecurityRule field is nil", CheckerLogPrefix(checker))
+ }
+
+ fieldChecks := func() error {
+ if checker.Type != nil {
+ if err := checker.Type.Check(&event.Type); err != nil {
+ return fmt.Errorf("Type check failed: %w", err)
+ }
+ }
+ if checker.Action != nil {
+ if err := checker.Action.Check(&event.Action); err != nil {
+ return fmt.Errorf("Action check failed: %w", err)
+ }
+ }
+ if checker.Execution != nil {
+ if err := checker.Execution.Check(event.Execution); err != nil {
+ return fmt.Errorf("Execution check failed: %w", err)
+ }
+ }
+ return nil
+ }
+ if err := fieldChecks(); err != nil {
+ return fmt.Errorf("%s: %w", CheckerLogPrefix(checker), err)
+ }
+ return nil
+}
+
+// WithType adds a Type check to the RuntimeSecurityRuleChecker
+func (checker *RuntimeSecurityRuleChecker) WithType(check tetragon.RuntimeSecurityRuleType) *RuntimeSecurityRuleChecker {
+ wrappedCheck := RuntimeSecurityRuleTypeChecker(check)
+ checker.Type = &wrappedCheck
+ return checker
+}
+
+// WithAction adds a Action check to the RuntimeSecurityRuleChecker
+func (checker *RuntimeSecurityRuleChecker) WithAction(check tetragon.RuntimeSecurityRuleAction) *RuntimeSecurityRuleChecker {
+ wrappedCheck := RuntimeSecurityRuleActionChecker(check)
+ checker.Action = &wrappedCheck
+ return checker
+}
+
+// WithExecution adds a Execution check to the RuntimeSecurityRuleChecker
+func (checker *RuntimeSecurityRuleChecker) WithExecution(check *RuntimeSecurityExecutionChecker) *RuntimeSecurityRuleChecker {
+ checker.Execution = check
+ return checker
+}
+
+//FromRuntimeSecurityRule populates the RuntimeSecurityRuleChecker using data from a RuntimeSecurityRule field
+func (checker *RuntimeSecurityRuleChecker) FromRuntimeSecurityRule(event *tetragon.RuntimeSecurityRule) *RuntimeSecurityRuleChecker {
+ if event == nil {
+ return checker
+ }
+ checker.Type = NewRuntimeSecurityRuleTypeChecker(event.Type)
+ checker.Action = NewRuntimeSecurityRuleActionChecker(event.Action)
+ if event.Execution != nil {
+ checker.Execution = NewRuntimeSecurityExecutionChecker().FromRuntimeSecurityExecution(event.Execution)
+ }
+ return checker
+}
+
// CapabilitiesTypeChecker checks a tetragon.CapabilitiesType
type CapabilitiesTypeChecker tetragon.CapabilitiesType
@@ -6619,3 +6936,107 @@ func (enum *ThrottleTypeChecker) Check(val *tetragon.ThrottleType) error {
}
return nil
}
+
+// RuntimeSecurityRuleTypeChecker checks a tetragon.RuntimeSecurityRuleType
+type RuntimeSecurityRuleTypeChecker tetragon.RuntimeSecurityRuleType
+
+// MarshalJSON implements json.Marshaler interface
+func (enum RuntimeSecurityRuleTypeChecker) MarshalJSON() ([]byte, error) {
+ if name, ok := tetragon.RuntimeSecurityRuleType_name[int32(enum)]; ok {
+ name = strings.TrimPrefix(name, "RUNTIME_SECURITY_TYPE_")
+ return json.Marshal(name)
+ }
+
+ return nil, fmt.Errorf("Unknown RuntimeSecurityRuleType %d", enum)
+}
+
+// UnmarshalJSON implements json.Unmarshaler interface
+func (enum *RuntimeSecurityRuleTypeChecker) UnmarshalJSON(b []byte) error {
+ var str string
+ if err := yaml.UnmarshalStrict(b, &str); err != nil {
+ return err
+ }
+
+ // Convert to uppercase if not already
+ str = strings.ToUpper(str)
+
+ // Look up the value from the enum values map
+ if n, ok := tetragon.RuntimeSecurityRuleType_value[str]; ok {
+ *enum = RuntimeSecurityRuleTypeChecker(n)
+ } else if n, ok := tetragon.RuntimeSecurityRuleType_value["RUNTIME_SECURITY_TYPE_"+str]; ok {
+ *enum = RuntimeSecurityRuleTypeChecker(n)
+ } else {
+ return fmt.Errorf("Unknown RuntimeSecurityRuleType %s", str)
+ }
+
+ return nil
+}
+
+// NewRuntimeSecurityRuleTypeChecker creates a new RuntimeSecurityRuleTypeChecker
+func NewRuntimeSecurityRuleTypeChecker(val tetragon.RuntimeSecurityRuleType) *RuntimeSecurityRuleTypeChecker {
+ enum := RuntimeSecurityRuleTypeChecker(val)
+ return &enum
+}
+
+// Check checks a RuntimeSecurityRuleType against the checker
+func (enum *RuntimeSecurityRuleTypeChecker) Check(val *tetragon.RuntimeSecurityRuleType) error {
+ if val == nil {
+ return fmt.Errorf("RuntimeSecurityRuleTypeChecker: RuntimeSecurityRuleType is nil and does not match expected value %s", tetragon.RuntimeSecurityRuleType(*enum))
+ }
+ if *enum != RuntimeSecurityRuleTypeChecker(*val) {
+ return fmt.Errorf("RuntimeSecurityRuleTypeChecker: RuntimeSecurityRuleType has value %s which does not match expected value %s", (*val), tetragon.RuntimeSecurityRuleType(*enum))
+ }
+ return nil
+}
+
+// RuntimeSecurityRuleActionChecker checks a tetragon.RuntimeSecurityRuleAction
+type RuntimeSecurityRuleActionChecker tetragon.RuntimeSecurityRuleAction
+
+// MarshalJSON implements json.Marshaler interface
+func (enum RuntimeSecurityRuleActionChecker) MarshalJSON() ([]byte, error) {
+ if name, ok := tetragon.RuntimeSecurityRuleAction_name[int32(enum)]; ok {
+ name = strings.TrimPrefix(name, "RUNTIME_SECURITY_ACTION_")
+ return json.Marshal(name)
+ }
+
+ return nil, fmt.Errorf("Unknown RuntimeSecurityRuleAction %d", enum)
+}
+
+// UnmarshalJSON implements json.Unmarshaler interface
+func (enum *RuntimeSecurityRuleActionChecker) UnmarshalJSON(b []byte) error {
+ var str string
+ if err := yaml.UnmarshalStrict(b, &str); err != nil {
+ return err
+ }
+
+ // Convert to uppercase if not already
+ str = strings.ToUpper(str)
+
+ // Look up the value from the enum values map
+ if n, ok := tetragon.RuntimeSecurityRuleAction_value[str]; ok {
+ *enum = RuntimeSecurityRuleActionChecker(n)
+ } else if n, ok := tetragon.RuntimeSecurityRuleAction_value["RUNTIME_SECURITY_ACTION_"+str]; ok {
+ *enum = RuntimeSecurityRuleActionChecker(n)
+ } else {
+ return fmt.Errorf("Unknown RuntimeSecurityRuleAction %s", str)
+ }
+
+ return nil
+}
+
+// NewRuntimeSecurityRuleActionChecker creates a new RuntimeSecurityRuleActionChecker
+func NewRuntimeSecurityRuleActionChecker(val tetragon.RuntimeSecurityRuleAction) *RuntimeSecurityRuleActionChecker {
+ enum := RuntimeSecurityRuleActionChecker(val)
+ return &enum
+}
+
+// Check checks a RuntimeSecurityRuleAction against the checker
+func (enum *RuntimeSecurityRuleActionChecker) Check(val *tetragon.RuntimeSecurityRuleAction) error {
+ if val == nil {
+ return fmt.Errorf("RuntimeSecurityRuleActionChecker: RuntimeSecurityRuleAction is nil and does not match expected value %s", tetragon.RuntimeSecurityRuleAction(*enum))
+ }
+ if *enum != RuntimeSecurityRuleActionChecker(*val) {
+ return fmt.Errorf("RuntimeSecurityRuleActionChecker: RuntimeSecurityRuleAction has value %s which does not match expected value %s", (*val), tetragon.RuntimeSecurityRuleAction(*enum))
+ }
+ return nil
+}
diff --git a/api/v1/tetragon/codegen/eventchecker/yaml/yaml.pb.go b/api/v1/tetragon/codegen/eventchecker/yaml/yaml.pb.go
index f3ff5347a95..cc2b948d6cb 100644
--- a/api/v1/tetragon/codegen/eventchecker/yaml/yaml.pb.go
+++ b/api/v1/tetragon/codegen/eventchecker/yaml/yaml.pb.go
@@ -140,15 +140,16 @@ func (conf *EventCheckerConf) WriteYamlFile(file string) error {
}
type eventCheckerHelper struct {
- ProcessExec *eventchecker.ProcessExecChecker `json:"exec,omitempty"`
- ProcessExit *eventchecker.ProcessExitChecker `json:"exit,omitempty"`
- ProcessKprobe *eventchecker.ProcessKprobeChecker `json:"kprobe,omitempty"`
- ProcessTracepoint *eventchecker.ProcessTracepointChecker `json:"tracepoint,omitempty"`
- ProcessUprobe *eventchecker.ProcessUprobeChecker `json:"uprobe,omitempty"`
- Test *eventchecker.TestChecker `json:"test,omitempty"`
- ProcessLoader *eventchecker.ProcessLoaderChecker `json:"loader,omitempty"`
- RateLimitInfo *eventchecker.RateLimitInfoChecker `json:"rateLimitInfo,omitempty"`
- ProcessThrottle *eventchecker.ProcessThrottleChecker `json:"throttle,omitempty"`
+ ProcessExec *eventchecker.ProcessExecChecker `json:"exec,omitempty"`
+ ProcessExit *eventchecker.ProcessExitChecker `json:"exit,omitempty"`
+ ProcessKprobe *eventchecker.ProcessKprobeChecker `json:"kprobe,omitempty"`
+ ProcessTracepoint *eventchecker.ProcessTracepointChecker `json:"tracepoint,omitempty"`
+ ProcessUprobe *eventchecker.ProcessUprobeChecker `json:"uprobe,omitempty"`
+ Test *eventchecker.TestChecker `json:"test,omitempty"`
+ ProcessLoader *eventchecker.ProcessLoaderChecker `json:"loader,omitempty"`
+ RateLimitInfo *eventchecker.RateLimitInfoChecker `json:"rateLimitInfo,omitempty"`
+ ProcessThrottle *eventchecker.ProcessThrottleChecker `json:"throttle,omitempty"`
+ ProcessRuntimeSecurity *eventchecker.ProcessRuntimeSecurityChecker `json:"runtimeSecurity,omitempty"`
}
// EventChecker is a wrapper around the EventChecker interface to help unmarshaling
@@ -217,6 +218,12 @@ func (checker *EventChecker) UnmarshalJSON(b []byte) error {
}
eventChecker = helper.ProcessThrottle
}
+ if helper.ProcessRuntimeSecurity != nil {
+ if eventChecker != nil {
+ return fmt.Errorf("EventChecker: cannot define more than one checker, got %T but already had %T", helper.ProcessRuntimeSecurity, eventChecker)
+ }
+ eventChecker = helper.ProcessRuntimeSecurity
+ }
checker.EventChecker = eventChecker
return nil
}
@@ -243,6 +250,8 @@ func (checker EventChecker) MarshalJSON() ([]byte, error) {
helper.RateLimitInfo = c
case *eventchecker.ProcessThrottleChecker:
helper.ProcessThrottle = c
+ case *eventchecker.ProcessRuntimeSecurityChecker:
+ helper.ProcessRuntimeSecurity = c
default:
return nil, fmt.Errorf("EventChecker: unknown checker type %T", c)
}
diff --git a/api/v1/tetragon/codegen/helpers/helpers.pb.go b/api/v1/tetragon/codegen/helpers/helpers.pb.go
index 55f80b413ef..e474bceccb4 100644
--- a/api/v1/tetragon/codegen/helpers/helpers.pb.go
+++ b/api/v1/tetragon/codegen/helpers/helpers.pb.go
@@ -36,6 +36,8 @@ func ResponseTypeString(response *tetragon.GetEventsResponse) (string, error) {
return tetragon.EventType_PROCESS_UPROBE.String(), nil
case *tetragon.GetEventsResponse_ProcessThrottle:
return tetragon.EventType_PROCESS_THROTTLE.String(), nil
+ case *tetragon.GetEventsResponse_ProcessRuntimeSecurity:
+ return tetragon.EventType_PROCESS_RUNTIME_SECURITY.String(), nil
case *tetragon.GetEventsResponse_Test:
return tetragon.EventType_TEST.String(), nil
case *tetragon.GetEventsResponse_RateLimitInfo:
@@ -74,6 +76,8 @@ func ResponseInnerGetProcess(event tetragon.IsGetEventsResponse_Event) *tetragon
return ev.ProcessUprobe.Process
case *tetragon.GetEventsResponse_ProcessLoader:
return ev.ProcessLoader.Process
+ case *tetragon.GetEventsResponse_ProcessRuntimeSecurity:
+ return ev.ProcessRuntimeSecurity.Process
}
return nil
@@ -115,6 +119,8 @@ func ResponseInnerGetParent(event tetragon.IsGetEventsResponse_Event) *tetragon.
return ev.ProcessTracepoint.Parent
case *tetragon.GetEventsResponse_ProcessUprobe:
return ev.ProcessUprobe.Parent
+ case *tetragon.GetEventsResponse_ProcessRuntimeSecurity:
+ return ev.ProcessRuntimeSecurity.Parent
}
return nil
diff --git a/api/v1/tetragon/events.pb.go b/api/v1/tetragon/events.pb.go
index f11dc36ba6c..c92f57c64d5 100644
--- a/api/v1/tetragon/events.pb.go
+++ b/api/v1/tetragon/events.pb.go
@@ -34,16 +34,17 @@ const (
type EventType int32
const (
- EventType_UNDEF EventType = 0
- EventType_PROCESS_EXEC EventType = 1
- EventType_PROCESS_EXIT EventType = 5
- EventType_PROCESS_KPROBE EventType = 9
- EventType_PROCESS_TRACEPOINT EventType = 10
- EventType_PROCESS_LOADER EventType = 11
- EventType_PROCESS_UPROBE EventType = 12
- EventType_PROCESS_THROTTLE EventType = 27
- EventType_TEST EventType = 40000
- EventType_RATE_LIMIT_INFO EventType = 40001
+ EventType_UNDEF EventType = 0
+ EventType_PROCESS_EXEC EventType = 1
+ EventType_PROCESS_EXIT EventType = 5
+ EventType_PROCESS_KPROBE EventType = 9
+ EventType_PROCESS_TRACEPOINT EventType = 10
+ EventType_PROCESS_LOADER EventType = 11
+ EventType_PROCESS_UPROBE EventType = 12
+ EventType_PROCESS_THROTTLE EventType = 27
+ EventType_PROCESS_RUNTIME_SECURITY EventType = 28
+ EventType_TEST EventType = 40000
+ EventType_RATE_LIMIT_INFO EventType = 40001
)
// Enum value maps for EventType.
@@ -57,20 +58,22 @@ var (
11: "PROCESS_LOADER",
12: "PROCESS_UPROBE",
27: "PROCESS_THROTTLE",
+ 28: "PROCESS_RUNTIME_SECURITY",
40000: "TEST",
40001: "RATE_LIMIT_INFO",
}
EventType_value = map[string]int32{
- "UNDEF": 0,
- "PROCESS_EXEC": 1,
- "PROCESS_EXIT": 5,
- "PROCESS_KPROBE": 9,
- "PROCESS_TRACEPOINT": 10,
- "PROCESS_LOADER": 11,
- "PROCESS_UPROBE": 12,
- "PROCESS_THROTTLE": 27,
- "TEST": 40000,
- "RATE_LIMIT_INFO": 40001,
+ "UNDEF": 0,
+ "PROCESS_EXEC": 1,
+ "PROCESS_EXIT": 5,
+ "PROCESS_KPROBE": 9,
+ "PROCESS_TRACEPOINT": 10,
+ "PROCESS_LOADER": 11,
+ "PROCESS_UPROBE": 12,
+ "PROCESS_THROTTLE": 27,
+ "PROCESS_RUNTIME_SECURITY": 28,
+ "TEST": 40000,
+ "RATE_LIMIT_INFO": 40001,
}
)
@@ -197,6 +200,101 @@ func (ThrottleType) EnumDescriptor() ([]byte, []int) {
return file_tetragon_events_proto_rawDescGZIP(), []int{2}
}
+type RuntimeSecurityRuleType int32
+
+const (
+ RuntimeSecurityRuleType_RUNTIME_SECURITY_TYPE_UNSPECIFIED RuntimeSecurityRuleType = 0
+ RuntimeSecurityRuleType_RUNTIME_SECURITY_TYPE_EXECUTION RuntimeSecurityRuleType = 1
+)
+
+// Enum value maps for RuntimeSecurityRuleType.
+var (
+ RuntimeSecurityRuleType_name = map[int32]string{
+ 0: "RUNTIME_SECURITY_TYPE_UNSPECIFIED",
+ 1: "RUNTIME_SECURITY_TYPE_EXECUTION",
+ }
+ RuntimeSecurityRuleType_value = map[string]int32{
+ "RUNTIME_SECURITY_TYPE_UNSPECIFIED": 0,
+ "RUNTIME_SECURITY_TYPE_EXECUTION": 1,
+ }
+)
+
+func (x RuntimeSecurityRuleType) Enum() *RuntimeSecurityRuleType {
+ p := new(RuntimeSecurityRuleType)
+ *p = x
+ return p
+}
+
+func (x RuntimeSecurityRuleType) String() string {
+ return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x))
+}
+
+func (RuntimeSecurityRuleType) Descriptor() protoreflect.EnumDescriptor {
+ return file_tetragon_events_proto_enumTypes[3].Descriptor()
+}
+
+func (RuntimeSecurityRuleType) Type() protoreflect.EnumType {
+ return &file_tetragon_events_proto_enumTypes[3]
+}
+
+func (x RuntimeSecurityRuleType) Number() protoreflect.EnumNumber {
+ return protoreflect.EnumNumber(x)
+}
+
+// Deprecated: Use RuntimeSecurityRuleType.Descriptor instead.
+func (RuntimeSecurityRuleType) EnumDescriptor() ([]byte, []int) {
+ return file_tetragon_events_proto_rawDescGZIP(), []int{3}
+}
+
+type RuntimeSecurityRuleAction int32
+
+const (
+ RuntimeSecurityRuleAction_RUNTIME_SECURITY_ACTION_UNSPECIFIED RuntimeSecurityRuleAction = 0
+ RuntimeSecurityRuleAction_RUNTIME_SECURITY_ACTION_AUDIT RuntimeSecurityRuleAction = 1
+ RuntimeSecurityRuleAction_RUNTIME_SECURITY_ACTION_BLOCK RuntimeSecurityRuleAction = 2
+)
+
+// Enum value maps for RuntimeSecurityRuleAction.
+var (
+ RuntimeSecurityRuleAction_name = map[int32]string{
+ 0: "RUNTIME_SECURITY_ACTION_UNSPECIFIED",
+ 1: "RUNTIME_SECURITY_ACTION_AUDIT",
+ 2: "RUNTIME_SECURITY_ACTION_BLOCK",
+ }
+ RuntimeSecurityRuleAction_value = map[string]int32{
+ "RUNTIME_SECURITY_ACTION_UNSPECIFIED": 0,
+ "RUNTIME_SECURITY_ACTION_AUDIT": 1,
+ "RUNTIME_SECURITY_ACTION_BLOCK": 2,
+ }
+)
+
+func (x RuntimeSecurityRuleAction) Enum() *RuntimeSecurityRuleAction {
+ p := new(RuntimeSecurityRuleAction)
+ *p = x
+ return p
+}
+
+func (x RuntimeSecurityRuleAction) String() string {
+ return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x))
+}
+
+func (RuntimeSecurityRuleAction) Descriptor() protoreflect.EnumDescriptor {
+ return file_tetragon_events_proto_enumTypes[4].Descriptor()
+}
+
+func (RuntimeSecurityRuleAction) Type() protoreflect.EnumType {
+ return &file_tetragon_events_proto_enumTypes[4]
+}
+
+func (x RuntimeSecurityRuleAction) Number() protoreflect.EnumNumber {
+ return protoreflect.EnumNumber(x)
+}
+
+// Deprecated: Use RuntimeSecurityRuleAction.Descriptor instead.
+func (RuntimeSecurityRuleAction) EnumDescriptor() ([]byte, []int) {
+ return file_tetragon_events_proto_rawDescGZIP(), []int{4}
+}
+
type Filter struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
@@ -927,6 +1025,253 @@ func (x *ProcessThrottle) GetCgroup() string {
return ""
}
+type RuntimeSecurityPolicy struct {
+ state protoimpl.MessageState
+ sizeCache protoimpl.SizeCache
+ unknownFields protoimpl.UnknownFields
+
+ // Name of the RuntimeSecurityPolicy associated with that event.
+ Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
+ // Namespace of the RuntimeSecurityPolicy associated with that event.
+ Namespace string `protobuf:"bytes,2,opt,name=namespace,proto3" json:"namespace,omitempty"`
+}
+
+func (x *RuntimeSecurityPolicy) Reset() {
+ *x = RuntimeSecurityPolicy{}
+ if protoimpl.UnsafeEnabled {
+ mi := &file_tetragon_events_proto_msgTypes[10]
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ ms.StoreMessageInfo(mi)
+ }
+}
+
+func (x *RuntimeSecurityPolicy) String() string {
+ return protoimpl.X.MessageStringOf(x)
+}
+
+func (*RuntimeSecurityPolicy) ProtoMessage() {}
+
+func (x *RuntimeSecurityPolicy) ProtoReflect() protoreflect.Message {
+ mi := &file_tetragon_events_proto_msgTypes[10]
+ if protoimpl.UnsafeEnabled && x != nil {
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ if ms.LoadMessageInfo() == nil {
+ ms.StoreMessageInfo(mi)
+ }
+ return ms
+ }
+ return mi.MessageOf(x)
+}
+
+// Deprecated: Use RuntimeSecurityPolicy.ProtoReflect.Descriptor instead.
+func (*RuntimeSecurityPolicy) Descriptor() ([]byte, []int) {
+ return file_tetragon_events_proto_rawDescGZIP(), []int{10}
+}
+
+func (x *RuntimeSecurityPolicy) GetName() string {
+ if x != nil {
+ return x.Name
+ }
+ return ""
+}
+
+func (x *RuntimeSecurityPolicy) GetNamespace() string {
+ if x != nil {
+ return x.Namespace
+ }
+ return ""
+}
+
+type RuntimeSecurityExecution struct {
+ state protoimpl.MessageState
+ sizeCache protoimpl.SizeCache
+ unknownFields protoimpl.UnknownFields
+
+ // Path of the binary that triggered the execution rule.
+ Path string `protobuf:"bytes,1,opt,name=path,proto3" json:"path,omitempty"`
+}
+
+func (x *RuntimeSecurityExecution) Reset() {
+ *x = RuntimeSecurityExecution{}
+ if protoimpl.UnsafeEnabled {
+ mi := &file_tetragon_events_proto_msgTypes[11]
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ ms.StoreMessageInfo(mi)
+ }
+}
+
+func (x *RuntimeSecurityExecution) String() string {
+ return protoimpl.X.MessageStringOf(x)
+}
+
+func (*RuntimeSecurityExecution) ProtoMessage() {}
+
+func (x *RuntimeSecurityExecution) ProtoReflect() protoreflect.Message {
+ mi := &file_tetragon_events_proto_msgTypes[11]
+ if protoimpl.UnsafeEnabled && x != nil {
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ if ms.LoadMessageInfo() == nil {
+ ms.StoreMessageInfo(mi)
+ }
+ return ms
+ }
+ return mi.MessageOf(x)
+}
+
+// Deprecated: Use RuntimeSecurityExecution.ProtoReflect.Descriptor instead.
+func (*RuntimeSecurityExecution) Descriptor() ([]byte, []int) {
+ return file_tetragon_events_proto_rawDescGZIP(), []int{11}
+}
+
+func (x *RuntimeSecurityExecution) GetPath() string {
+ if x != nil {
+ return x.Path
+ }
+ return ""
+}
+
+type RuntimeSecurityRule struct {
+ state protoimpl.MessageState
+ sizeCache protoimpl.SizeCache
+ unknownFields protoimpl.UnknownFields
+
+ // Type of the rule that triggered this event.
+ Type RuntimeSecurityRuleType `protobuf:"varint,1,opt,name=type,proto3,enum=tetragon.RuntimeSecurityRuleType" json:"type,omitempty"`
+ // Action of the rule that triggered this event.
+ Action RuntimeSecurityRuleAction `protobuf:"varint,2,opt,name=action,proto3,enum=tetragon.RuntimeSecurityRuleAction" json:"action,omitempty"`
+ // Execution is set if the rule type is Execution and provide details
+ // specific to execution.
+ Execution *RuntimeSecurityExecution `protobuf:"bytes,3,opt,name=execution,proto3" json:"execution,omitempty"`
+}
+
+func (x *RuntimeSecurityRule) Reset() {
+ *x = RuntimeSecurityRule{}
+ if protoimpl.UnsafeEnabled {
+ mi := &file_tetragon_events_proto_msgTypes[12]
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ ms.StoreMessageInfo(mi)
+ }
+}
+
+func (x *RuntimeSecurityRule) String() string {
+ return protoimpl.X.MessageStringOf(x)
+}
+
+func (*RuntimeSecurityRule) ProtoMessage() {}
+
+func (x *RuntimeSecurityRule) ProtoReflect() protoreflect.Message {
+ mi := &file_tetragon_events_proto_msgTypes[12]
+ if protoimpl.UnsafeEnabled && x != nil {
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ if ms.LoadMessageInfo() == nil {
+ ms.StoreMessageInfo(mi)
+ }
+ return ms
+ }
+ return mi.MessageOf(x)
+}
+
+// Deprecated: Use RuntimeSecurityRule.ProtoReflect.Descriptor instead.
+func (*RuntimeSecurityRule) Descriptor() ([]byte, []int) {
+ return file_tetragon_events_proto_rawDescGZIP(), []int{12}
+}
+
+func (x *RuntimeSecurityRule) GetType() RuntimeSecurityRuleType {
+ if x != nil {
+ return x.Type
+ }
+ return RuntimeSecurityRuleType_RUNTIME_SECURITY_TYPE_UNSPECIFIED
+}
+
+func (x *RuntimeSecurityRule) GetAction() RuntimeSecurityRuleAction {
+ if x != nil {
+ return x.Action
+ }
+ return RuntimeSecurityRuleAction_RUNTIME_SECURITY_ACTION_UNSPECIFIED
+}
+
+func (x *RuntimeSecurityRule) GetExecution() *RuntimeSecurityExecution {
+ if x != nil {
+ return x.Execution
+ }
+ return nil
+}
+
+type ProcessRuntimeSecurity struct {
+ state protoimpl.MessageState
+ sizeCache protoimpl.SizeCache
+ unknownFields protoimpl.UnknownFields
+
+ // Process that triggered the exec.
+ Process *Process `protobuf:"bytes,1,opt,name=process,proto3" json:"process,omitempty"`
+ // Immediate parent of the process.
+ Parent *Process `protobuf:"bytes,2,opt,name=parent,proto3" json:"parent,omitempty"`
+ // RuntimeSecurityPolicy associated with that event.
+ Policy *RuntimeSecurityPolicy `protobuf:"bytes,3,opt,name=policy,proto3" json:"policy,omitempty"`
+ // Rule is the rule that triggered that event from the RuntimeSecurityPolicy.
+ Rule *RuntimeSecurityRule `protobuf:"bytes,4,opt,name=rule,proto3" json:"rule,omitempty"`
+}
+
+func (x *ProcessRuntimeSecurity) Reset() {
+ *x = ProcessRuntimeSecurity{}
+ if protoimpl.UnsafeEnabled {
+ mi := &file_tetragon_events_proto_msgTypes[13]
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ ms.StoreMessageInfo(mi)
+ }
+}
+
+func (x *ProcessRuntimeSecurity) String() string {
+ return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ProcessRuntimeSecurity) ProtoMessage() {}
+
+func (x *ProcessRuntimeSecurity) ProtoReflect() protoreflect.Message {
+ mi := &file_tetragon_events_proto_msgTypes[13]
+ if protoimpl.UnsafeEnabled && x != nil {
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ if ms.LoadMessageInfo() == nil {
+ ms.StoreMessageInfo(mi)
+ }
+ return ms
+ }
+ return mi.MessageOf(x)
+}
+
+// Deprecated: Use ProcessRuntimeSecurity.ProtoReflect.Descriptor instead.
+func (*ProcessRuntimeSecurity) Descriptor() ([]byte, []int) {
+ return file_tetragon_events_proto_rawDescGZIP(), []int{13}
+}
+
+func (x *ProcessRuntimeSecurity) GetProcess() *Process {
+ if x != nil {
+ return x.Process
+ }
+ return nil
+}
+
+func (x *ProcessRuntimeSecurity) GetParent() *Process {
+ if x != nil {
+ return x.Parent
+ }
+ return nil
+}
+
+func (x *ProcessRuntimeSecurity) GetPolicy() *RuntimeSecurityPolicy {
+ if x != nil {
+ return x.Policy
+ }
+ return nil
+}
+
+func (x *ProcessRuntimeSecurity) GetRule() *RuntimeSecurityRule {
+ if x != nil {
+ return x.Rule
+ }
+ return nil
+}
+
type GetEventsResponse struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
@@ -945,6 +1290,7 @@ type GetEventsResponse struct {
// *GetEventsResponse_ProcessLoader
// *GetEventsResponse_ProcessUprobe
// *GetEventsResponse_ProcessThrottle
+ // *GetEventsResponse_ProcessRuntimeSecurity
// *GetEventsResponse_Test
// *GetEventsResponse_RateLimitInfo
Event isGetEventsResponse_Event `protobuf_oneof:"event"`
@@ -962,7 +1308,7 @@ type GetEventsResponse struct {
func (x *GetEventsResponse) Reset() {
*x = GetEventsResponse{}
if protoimpl.UnsafeEnabled {
- mi := &file_tetragon_events_proto_msgTypes[10]
+ mi := &file_tetragon_events_proto_msgTypes[14]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@@ -975,7 +1321,7 @@ func (x *GetEventsResponse) String() string {
func (*GetEventsResponse) ProtoMessage() {}
func (x *GetEventsResponse) ProtoReflect() protoreflect.Message {
- mi := &file_tetragon_events_proto_msgTypes[10]
+ mi := &file_tetragon_events_proto_msgTypes[14]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@@ -988,7 +1334,7 @@ func (x *GetEventsResponse) ProtoReflect() protoreflect.Message {
// Deprecated: Use GetEventsResponse.ProtoReflect.Descriptor instead.
func (*GetEventsResponse) Descriptor() ([]byte, []int) {
- return file_tetragon_events_proto_rawDescGZIP(), []int{10}
+ return file_tetragon_events_proto_rawDescGZIP(), []int{14}
}
func (m *GetEventsResponse) GetEvent() isGetEventsResponse_Event {
@@ -1047,6 +1393,13 @@ func (x *GetEventsResponse) GetProcessThrottle() *ProcessThrottle {
return nil
}
+func (x *GetEventsResponse) GetProcessRuntimeSecurity() *ProcessRuntimeSecurity {
+ if x, ok := x.GetEvent().(*GetEventsResponse_ProcessRuntimeSecurity); ok {
+ return x.ProcessRuntimeSecurity
+ }
+ return nil
+}
+
func (x *GetEventsResponse) GetTest() *Test {
if x, ok := x.GetEvent().(*GetEventsResponse_Test); ok {
return x.Test
@@ -1121,6 +1474,10 @@ type GetEventsResponse_ProcessThrottle struct {
ProcessThrottle *ProcessThrottle `protobuf:"bytes,27,opt,name=process_throttle,json=processThrottle,proto3,oneof"`
}
+type GetEventsResponse_ProcessRuntimeSecurity struct {
+ ProcessRuntimeSecurity *ProcessRuntimeSecurity `protobuf:"bytes,28,opt,name=process_runtime_security,json=processRuntimeSecurity,proto3,oneof"`
+}
+
type GetEventsResponse_Test struct {
Test *Test `protobuf:"bytes,40000,opt,name=test,proto3,oneof"`
}
@@ -1143,6 +1500,8 @@ func (*GetEventsResponse_ProcessUprobe) isGetEventsResponse_Event() {}
func (*GetEventsResponse_ProcessThrottle) isGetEventsResponse_Event() {}
+func (*GetEventsResponse_ProcessRuntimeSecurity) isGetEventsResponse_Event() {}
+
func (*GetEventsResponse_Test) isGetEventsResponse_Event() {}
func (*GetEventsResponse_RateLimitInfo) isGetEventsResponse_Event() {}
@@ -1274,75 +1633,133 @@ var file_tetragon_events_proto_rawDesc = []byte{
0x20, 0x01, 0x28, 0x0e, 0x32, 0x16, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e,
0x54, 0x68, 0x72, 0x6f, 0x74, 0x74, 0x6c, 0x65, 0x54, 0x79, 0x70, 0x65, 0x52, 0x04, 0x74, 0x79,
0x70, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x63, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x18, 0x02, 0x20, 0x01,
- 0x28, 0x09, 0x52, 0x06, 0x63, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x22, 0xf3, 0x05, 0x0a, 0x11, 0x47,
- 0x65, 0x74, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65,
- 0x12, 0x3a, 0x0a, 0x0c, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x65, 0x78, 0x65, 0x63,
- 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f,
- 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x45, 0x78, 0x65, 0x63, 0x48, 0x00, 0x52,
- 0x0b, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x45, 0x78, 0x65, 0x63, 0x12, 0x3a, 0x0a, 0x0c,
- 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x65, 0x78, 0x69, 0x74, 0x18, 0x05, 0x20, 0x01,
- 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x50, 0x72,
- 0x6f, 0x63, 0x65, 0x73, 0x73, 0x45, 0x78, 0x69, 0x74, 0x48, 0x00, 0x52, 0x0b, 0x70, 0x72, 0x6f,
- 0x63, 0x65, 0x73, 0x73, 0x45, 0x78, 0x69, 0x74, 0x12, 0x40, 0x0a, 0x0e, 0x70, 0x72, 0x6f, 0x63,
- 0x65, 0x73, 0x73, 0x5f, 0x6b, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x18, 0x09, 0x20, 0x01, 0x28, 0x0b,
- 0x32, 0x17, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63,
- 0x65, 0x73, 0x73, 0x4b, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x48, 0x00, 0x52, 0x0d, 0x70, 0x72, 0x6f,
- 0x63, 0x65, 0x73, 0x73, 0x4b, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x12, 0x4c, 0x0a, 0x12, 0x70, 0x72,
- 0x6f, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x74, 0x72, 0x61, 0x63, 0x65, 0x70, 0x6f, 0x69, 0x6e, 0x74,
- 0x18, 0x0a, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f,
- 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x54, 0x72, 0x61, 0x63, 0x65, 0x70, 0x6f,
- 0x69, 0x6e, 0x74, 0x48, 0x00, 0x52, 0x11, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x54, 0x72,
- 0x61, 0x63, 0x65, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x12, 0x40, 0x0a, 0x0e, 0x70, 0x72, 0x6f, 0x63,
- 0x65, 0x73, 0x73, 0x5f, 0x6c, 0x6f, 0x61, 0x64, 0x65, 0x72, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x0b,
- 0x32, 0x17, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63,
- 0x65, 0x73, 0x73, 0x4c, 0x6f, 0x61, 0x64, 0x65, 0x72, 0x48, 0x00, 0x52, 0x0d, 0x70, 0x72, 0x6f,
- 0x63, 0x65, 0x73, 0x73, 0x4c, 0x6f, 0x61, 0x64, 0x65, 0x72, 0x12, 0x40, 0x0a, 0x0e, 0x70, 0x72,
- 0x6f, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x75, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x18, 0x0c, 0x20, 0x01,
- 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x50, 0x72,
- 0x6f, 0x63, 0x65, 0x73, 0x73, 0x55, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x48, 0x00, 0x52, 0x0d, 0x70,
- 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x55, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x12, 0x46, 0x0a, 0x10,
- 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x74, 0x68, 0x72, 0x6f, 0x74, 0x74, 0x6c, 0x65,
- 0x18, 0x1b, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f,
- 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x54, 0x68, 0x72, 0x6f, 0x74, 0x74, 0x6c,
- 0x65, 0x48, 0x00, 0x52, 0x0f, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x54, 0x68, 0x72, 0x6f,
- 0x74, 0x74, 0x6c, 0x65, 0x12, 0x26, 0x0a, 0x04, 0x74, 0x65, 0x73, 0x74, 0x18, 0xc0, 0xb8, 0x02,
- 0x20, 0x01, 0x28, 0x0b, 0x32, 0x0e, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e,
- 0x54, 0x65, 0x73, 0x74, 0x48, 0x00, 0x52, 0x04, 0x74, 0x65, 0x73, 0x74, 0x12, 0x43, 0x0a, 0x0f,
- 0x72, 0x61, 0x74, 0x65, 0x5f, 0x6c, 0x69, 0x6d, 0x69, 0x74, 0x5f, 0x69, 0x6e, 0x66, 0x6f, 0x18,
- 0xc1, 0xb8, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67,
- 0x6f, 0x6e, 0x2e, 0x52, 0x61, 0x74, 0x65, 0x4c, 0x69, 0x6d, 0x69, 0x74, 0x49, 0x6e, 0x66, 0x6f,
- 0x48, 0x00, 0x52, 0x0d, 0x72, 0x61, 0x74, 0x65, 0x4c, 0x69, 0x6d, 0x69, 0x74, 0x49, 0x6e, 0x66,
- 0x6f, 0x12, 0x1c, 0x0a, 0x09, 0x6e, 0x6f, 0x64, 0x65, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0xe8,
- 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x6e, 0x6f, 0x64, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x12,
- 0x2f, 0x0a, 0x04, 0x74, 0x69, 0x6d, 0x65, 0x18, 0xe9, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a,
- 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66,
- 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x04, 0x74, 0x69, 0x6d, 0x65,
- 0x12, 0x45, 0x0a, 0x10, 0x61, 0x67, 0x67, 0x72, 0x65, 0x67, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f,
- 0x69, 0x6e, 0x66, 0x6f, 0x18, 0xea, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x74, 0x65,
- 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x41, 0x67, 0x67, 0x72, 0x65, 0x67, 0x61, 0x74, 0x69,
- 0x6f, 0x6e, 0x49, 0x6e, 0x66, 0x6f, 0x52, 0x0f, 0x61, 0x67, 0x67, 0x72, 0x65, 0x67, 0x61, 0x74,
- 0x69, 0x6f, 0x6e, 0x49, 0x6e, 0x66, 0x6f, 0x42, 0x07, 0x0a, 0x05, 0x65, 0x76, 0x65, 0x6e, 0x74,
- 0x2a, 0xc7, 0x01, 0x0a, 0x09, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70, 0x65, 0x12, 0x09,
- 0x0a, 0x05, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, 0x00, 0x12, 0x10, 0x0a, 0x0c, 0x50, 0x52, 0x4f,
- 0x43, 0x45, 0x53, 0x53, 0x5f, 0x45, 0x58, 0x45, 0x43, 0x10, 0x01, 0x12, 0x10, 0x0a, 0x0c, 0x50,
- 0x52, 0x4f, 0x43, 0x45, 0x53, 0x53, 0x5f, 0x45, 0x58, 0x49, 0x54, 0x10, 0x05, 0x12, 0x12, 0x0a,
- 0x0e, 0x50, 0x52, 0x4f, 0x43, 0x45, 0x53, 0x53, 0x5f, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x10,
- 0x09, 0x12, 0x16, 0x0a, 0x12, 0x50, 0x52, 0x4f, 0x43, 0x45, 0x53, 0x53, 0x5f, 0x54, 0x52, 0x41,
- 0x43, 0x45, 0x50, 0x4f, 0x49, 0x4e, 0x54, 0x10, 0x0a, 0x12, 0x12, 0x0a, 0x0e, 0x50, 0x52, 0x4f,
- 0x43, 0x45, 0x53, 0x53, 0x5f, 0x4c, 0x4f, 0x41, 0x44, 0x45, 0x52, 0x10, 0x0b, 0x12, 0x12, 0x0a,
- 0x0e, 0x50, 0x52, 0x4f, 0x43, 0x45, 0x53, 0x53, 0x5f, 0x55, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x10,
- 0x0c, 0x12, 0x14, 0x0a, 0x10, 0x50, 0x52, 0x4f, 0x43, 0x45, 0x53, 0x53, 0x5f, 0x54, 0x48, 0x52,
- 0x4f, 0x54, 0x54, 0x4c, 0x45, 0x10, 0x1b, 0x12, 0x0a, 0x0a, 0x04, 0x54, 0x45, 0x53, 0x54, 0x10,
- 0xc0, 0xb8, 0x02, 0x12, 0x15, 0x0a, 0x0f, 0x52, 0x41, 0x54, 0x45, 0x5f, 0x4c, 0x49, 0x4d, 0x49,
- 0x54, 0x5f, 0x49, 0x4e, 0x46, 0x4f, 0x10, 0xc1, 0xb8, 0x02, 0x2a, 0x2d, 0x0a, 0x11, 0x46, 0x69,
- 0x65, 0x6c, 0x64, 0x46, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12,
- 0x0b, 0x0a, 0x07, 0x49, 0x4e, 0x43, 0x4c, 0x55, 0x44, 0x45, 0x10, 0x00, 0x12, 0x0b, 0x0a, 0x07,
- 0x45, 0x58, 0x43, 0x4c, 0x55, 0x44, 0x45, 0x10, 0x01, 0x2a, 0x4b, 0x0a, 0x0c, 0x54, 0x68, 0x72,
- 0x6f, 0x74, 0x74, 0x6c, 0x65, 0x54, 0x79, 0x70, 0x65, 0x12, 0x14, 0x0a, 0x10, 0x54, 0x48, 0x52,
- 0x4f, 0x54, 0x54, 0x4c, 0x45, 0x5f, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12,
- 0x12, 0x0a, 0x0e, 0x54, 0x48, 0x52, 0x4f, 0x54, 0x54, 0x4c, 0x45, 0x5f, 0x53, 0x54, 0x41, 0x52,
- 0x54, 0x10, 0x01, 0x12, 0x11, 0x0a, 0x0d, 0x54, 0x48, 0x52, 0x4f, 0x54, 0x54, 0x4c, 0x45, 0x5f,
- 0x53, 0x54, 0x4f, 0x50, 0x10, 0x02, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+ 0x28, 0x09, 0x52, 0x06, 0x63, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x22, 0x49, 0x0a, 0x15, 0x52, 0x75,
+ 0x6e, 0x74, 0x69, 0x6d, 0x65, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x50, 0x6f, 0x6c,
+ 0x69, 0x63, 0x79, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28,
+ 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x1c, 0x0a, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73,
+ 0x70, 0x61, 0x63, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x6e, 0x61, 0x6d, 0x65,
+ 0x73, 0x70, 0x61, 0x63, 0x65, 0x22, 0x2e, 0x0a, 0x18, 0x52, 0x75, 0x6e, 0x74, 0x69, 0x6d, 0x65,
+ 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x45, 0x78, 0x65, 0x63, 0x75, 0x74, 0x69, 0x6f,
+ 0x6e, 0x12, 0x12, 0x0a, 0x04, 0x70, 0x61, 0x74, 0x68, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52,
+ 0x04, 0x70, 0x61, 0x74, 0x68, 0x22, 0xcb, 0x01, 0x0a, 0x13, 0x52, 0x75, 0x6e, 0x74, 0x69, 0x6d,
+ 0x65, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x52, 0x75, 0x6c, 0x65, 0x12, 0x35, 0x0a,
+ 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x21, 0x2e, 0x74, 0x65,
+ 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x52, 0x75, 0x6e, 0x74, 0x69, 0x6d, 0x65, 0x53, 0x65,
+ 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x52, 0x75, 0x6c, 0x65, 0x54, 0x79, 0x70, 0x65, 0x52, 0x04,
+ 0x74, 0x79, 0x70, 0x65, 0x12, 0x3b, 0x0a, 0x06, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02,
+ 0x20, 0x01, 0x28, 0x0e, 0x32, 0x23, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e,
+ 0x52, 0x75, 0x6e, 0x74, 0x69, 0x6d, 0x65, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x52,
+ 0x75, 0x6c, 0x65, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x06, 0x61, 0x63, 0x74, 0x69, 0x6f,
+ 0x6e, 0x12, 0x40, 0x0a, 0x09, 0x65, 0x78, 0x65, 0x63, 0x75, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x03,
+ 0x20, 0x01, 0x28, 0x0b, 0x32, 0x22, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e,
+ 0x52, 0x75, 0x6e, 0x74, 0x69, 0x6d, 0x65, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x45,
+ 0x78, 0x65, 0x63, 0x75, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x09, 0x65, 0x78, 0x65, 0x63, 0x75, 0x74,
+ 0x69, 0x6f, 0x6e, 0x22, 0xdc, 0x01, 0x0a, 0x16, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x52,
+ 0x75, 0x6e, 0x74, 0x69, 0x6d, 0x65, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x12, 0x2b,
+ 0x0a, 0x07, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32,
+ 0x11, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63, 0x65,
+ 0x73, 0x73, 0x52, 0x07, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x12, 0x29, 0x0a, 0x06, 0x70,
+ 0x61, 0x72, 0x65, 0x6e, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x74, 0x65,
+ 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x52, 0x06,
+ 0x70, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x12, 0x37, 0x0a, 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79,
+ 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1f, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f,
+ 0x6e, 0x2e, 0x52, 0x75, 0x6e, 0x74, 0x69, 0x6d, 0x65, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74,
+ 0x79, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12,
+ 0x31, 0x0a, 0x04, 0x72, 0x75, 0x6c, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1d, 0x2e,
+ 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x52, 0x75, 0x6e, 0x74, 0x69, 0x6d, 0x65,
+ 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x52, 0x75, 0x6c, 0x65, 0x52, 0x04, 0x72, 0x75,
+ 0x6c, 0x65, 0x22, 0xd1, 0x06, 0x0a, 0x11, 0x47, 0x65, 0x74, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x73,
+ 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x3a, 0x0a, 0x0c, 0x70, 0x72, 0x6f, 0x63,
+ 0x65, 0x73, 0x73, 0x5f, 0x65, 0x78, 0x65, 0x63, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x15,
+ 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73,
+ 0x73, 0x45, 0x78, 0x65, 0x63, 0x48, 0x00, 0x52, 0x0b, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73,
+ 0x45, 0x78, 0x65, 0x63, 0x12, 0x3a, 0x0a, 0x0c, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x5f,
+ 0x65, 0x78, 0x69, 0x74, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x74, 0x65, 0x74,
+ 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x45, 0x78, 0x69,
+ 0x74, 0x48, 0x00, 0x52, 0x0b, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x45, 0x78, 0x69, 0x74,
+ 0x12, 0x40, 0x0a, 0x0e, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x6b, 0x70, 0x72, 0x6f,
+ 0x62, 0x65, 0x18, 0x09, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61,
+ 0x67, 0x6f, 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x4b, 0x70, 0x72, 0x6f, 0x62,
+ 0x65, 0x48, 0x00, 0x52, 0x0d, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x4b, 0x70, 0x72, 0x6f,
+ 0x62, 0x65, 0x12, 0x4c, 0x0a, 0x12, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x74, 0x72,
+ 0x61, 0x63, 0x65, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1b,
+ 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73,
+ 0x73, 0x54, 0x72, 0x61, 0x63, 0x65, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x48, 0x00, 0x52, 0x11, 0x70,
+ 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x54, 0x72, 0x61, 0x63, 0x65, 0x70, 0x6f, 0x69, 0x6e, 0x74,
+ 0x12, 0x40, 0x0a, 0x0e, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x6c, 0x6f, 0x61, 0x64,
+ 0x65, 0x72, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61,
+ 0x67, 0x6f, 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x4c, 0x6f, 0x61, 0x64, 0x65,
+ 0x72, 0x48, 0x00, 0x52, 0x0d, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x4c, 0x6f, 0x61, 0x64,
+ 0x65, 0x72, 0x12, 0x40, 0x0a, 0x0e, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x75, 0x70,
+ 0x72, 0x6f, 0x62, 0x65, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x74, 0x65, 0x74,
+ 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x55, 0x70, 0x72,
+ 0x6f, 0x62, 0x65, 0x48, 0x00, 0x52, 0x0d, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x55, 0x70,
+ 0x72, 0x6f, 0x62, 0x65, 0x12, 0x46, 0x0a, 0x10, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x5f,
+ 0x74, 0x68, 0x72, 0x6f, 0x74, 0x74, 0x6c, 0x65, 0x18, 0x1b, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19,
+ 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73,
+ 0x73, 0x54, 0x68, 0x72, 0x6f, 0x74, 0x74, 0x6c, 0x65, 0x48, 0x00, 0x52, 0x0f, 0x70, 0x72, 0x6f,
+ 0x63, 0x65, 0x73, 0x73, 0x54, 0x68, 0x72, 0x6f, 0x74, 0x74, 0x6c, 0x65, 0x12, 0x5c, 0x0a, 0x18,
+ 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x72, 0x75, 0x6e, 0x74, 0x69, 0x6d, 0x65, 0x5f,
+ 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x18, 0x1c, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x20,
+ 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73,
+ 0x73, 0x52, 0x75, 0x6e, 0x74, 0x69, 0x6d, 0x65, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79,
+ 0x48, 0x00, 0x52, 0x16, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x52, 0x75, 0x6e, 0x74, 0x69,
+ 0x6d, 0x65, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x12, 0x26, 0x0a, 0x04, 0x74, 0x65,
+ 0x73, 0x74, 0x18, 0xc0, 0xb8, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x0e, 0x2e, 0x74, 0x65, 0x74,
+ 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x54, 0x65, 0x73, 0x74, 0x48, 0x00, 0x52, 0x04, 0x74, 0x65,
+ 0x73, 0x74, 0x12, 0x43, 0x0a, 0x0f, 0x72, 0x61, 0x74, 0x65, 0x5f, 0x6c, 0x69, 0x6d, 0x69, 0x74,
+ 0x5f, 0x69, 0x6e, 0x66, 0x6f, 0x18, 0xc1, 0xb8, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e,
+ 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x52, 0x61, 0x74, 0x65, 0x4c, 0x69, 0x6d,
+ 0x69, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x48, 0x00, 0x52, 0x0d, 0x72, 0x61, 0x74, 0x65, 0x4c, 0x69,
+ 0x6d, 0x69, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x12, 0x1c, 0x0a, 0x09, 0x6e, 0x6f, 0x64, 0x65, 0x5f,
+ 0x6e, 0x61, 0x6d, 0x65, 0x18, 0xe8, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x6e, 0x6f, 0x64,
+ 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x2f, 0x0a, 0x04, 0x74, 0x69, 0x6d, 0x65, 0x18, 0xe9, 0x07,
+ 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72,
+ 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70,
+ 0x52, 0x04, 0x74, 0x69, 0x6d, 0x65, 0x12, 0x45, 0x0a, 0x10, 0x61, 0x67, 0x67, 0x72, 0x65, 0x67,
+ 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x6e, 0x66, 0x6f, 0x18, 0xea, 0x07, 0x20, 0x01, 0x28,
+ 0x0b, 0x32, 0x19, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x41, 0x67, 0x67,
+ 0x72, 0x65, 0x67, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x6e, 0x66, 0x6f, 0x52, 0x0f, 0x61, 0x67,
+ 0x67, 0x72, 0x65, 0x67, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x6e, 0x66, 0x6f, 0x42, 0x07, 0x0a,
+ 0x05, 0x65, 0x76, 0x65, 0x6e, 0x74, 0x2a, 0xe5, 0x01, 0x0a, 0x09, 0x45, 0x76, 0x65, 0x6e, 0x74,
+ 0x54, 0x79, 0x70, 0x65, 0x12, 0x09, 0x0a, 0x05, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, 0x00, 0x12,
+ 0x10, 0x0a, 0x0c, 0x50, 0x52, 0x4f, 0x43, 0x45, 0x53, 0x53, 0x5f, 0x45, 0x58, 0x45, 0x43, 0x10,
+ 0x01, 0x12, 0x10, 0x0a, 0x0c, 0x50, 0x52, 0x4f, 0x43, 0x45, 0x53, 0x53, 0x5f, 0x45, 0x58, 0x49,
+ 0x54, 0x10, 0x05, 0x12, 0x12, 0x0a, 0x0e, 0x50, 0x52, 0x4f, 0x43, 0x45, 0x53, 0x53, 0x5f, 0x4b,
+ 0x50, 0x52, 0x4f, 0x42, 0x45, 0x10, 0x09, 0x12, 0x16, 0x0a, 0x12, 0x50, 0x52, 0x4f, 0x43, 0x45,
+ 0x53, 0x53, 0x5f, 0x54, 0x52, 0x41, 0x43, 0x45, 0x50, 0x4f, 0x49, 0x4e, 0x54, 0x10, 0x0a, 0x12,
+ 0x12, 0x0a, 0x0e, 0x50, 0x52, 0x4f, 0x43, 0x45, 0x53, 0x53, 0x5f, 0x4c, 0x4f, 0x41, 0x44, 0x45,
+ 0x52, 0x10, 0x0b, 0x12, 0x12, 0x0a, 0x0e, 0x50, 0x52, 0x4f, 0x43, 0x45, 0x53, 0x53, 0x5f, 0x55,
+ 0x50, 0x52, 0x4f, 0x42, 0x45, 0x10, 0x0c, 0x12, 0x14, 0x0a, 0x10, 0x50, 0x52, 0x4f, 0x43, 0x45,
+ 0x53, 0x53, 0x5f, 0x54, 0x48, 0x52, 0x4f, 0x54, 0x54, 0x4c, 0x45, 0x10, 0x1b, 0x12, 0x1c, 0x0a,
+ 0x18, 0x50, 0x52, 0x4f, 0x43, 0x45, 0x53, 0x53, 0x5f, 0x52, 0x55, 0x4e, 0x54, 0x49, 0x4d, 0x45,
+ 0x5f, 0x53, 0x45, 0x43, 0x55, 0x52, 0x49, 0x54, 0x59, 0x10, 0x1c, 0x12, 0x0a, 0x0a, 0x04, 0x54,
+ 0x45, 0x53, 0x54, 0x10, 0xc0, 0xb8, 0x02, 0x12, 0x15, 0x0a, 0x0f, 0x52, 0x41, 0x54, 0x45, 0x5f,
+ 0x4c, 0x49, 0x4d, 0x49, 0x54, 0x5f, 0x49, 0x4e, 0x46, 0x4f, 0x10, 0xc1, 0xb8, 0x02, 0x2a, 0x2d,
+ 0x0a, 0x11, 0x46, 0x69, 0x65, 0x6c, 0x64, 0x46, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x41, 0x63, 0x74,
+ 0x69, 0x6f, 0x6e, 0x12, 0x0b, 0x0a, 0x07, 0x49, 0x4e, 0x43, 0x4c, 0x55, 0x44, 0x45, 0x10, 0x00,
+ 0x12, 0x0b, 0x0a, 0x07, 0x45, 0x58, 0x43, 0x4c, 0x55, 0x44, 0x45, 0x10, 0x01, 0x2a, 0x4b, 0x0a,
+ 0x0c, 0x54, 0x68, 0x72, 0x6f, 0x74, 0x74, 0x6c, 0x65, 0x54, 0x79, 0x70, 0x65, 0x12, 0x14, 0x0a,
+ 0x10, 0x54, 0x48, 0x52, 0x4f, 0x54, 0x54, 0x4c, 0x45, 0x5f, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57,
+ 0x4e, 0x10, 0x00, 0x12, 0x12, 0x0a, 0x0e, 0x54, 0x48, 0x52, 0x4f, 0x54, 0x54, 0x4c, 0x45, 0x5f,
+ 0x53, 0x54, 0x41, 0x52, 0x54, 0x10, 0x01, 0x12, 0x11, 0x0a, 0x0d, 0x54, 0x48, 0x52, 0x4f, 0x54,
+ 0x54, 0x4c, 0x45, 0x5f, 0x53, 0x54, 0x4f, 0x50, 0x10, 0x02, 0x2a, 0x65, 0x0a, 0x17, 0x52, 0x75,
+ 0x6e, 0x74, 0x69, 0x6d, 0x65, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x52, 0x75, 0x6c,
+ 0x65, 0x54, 0x79, 0x70, 0x65, 0x12, 0x25, 0x0a, 0x21, 0x52, 0x55, 0x4e, 0x54, 0x49, 0x4d, 0x45,
+ 0x5f, 0x53, 0x45, 0x43, 0x55, 0x52, 0x49, 0x54, 0x59, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55,
+ 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x23, 0x0a, 0x1f,
+ 0x52, 0x55, 0x4e, 0x54, 0x49, 0x4d, 0x45, 0x5f, 0x53, 0x45, 0x43, 0x55, 0x52, 0x49, 0x54, 0x59,
+ 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x58, 0x45, 0x43, 0x55, 0x54, 0x49, 0x4f, 0x4e, 0x10,
+ 0x01, 0x2a, 0x8a, 0x01, 0x0a, 0x19, 0x52, 0x75, 0x6e, 0x74, 0x69, 0x6d, 0x65, 0x53, 0x65, 0x63,
+ 0x75, 0x72, 0x69, 0x74, 0x79, 0x52, 0x75, 0x6c, 0x65, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12,
+ 0x27, 0x0a, 0x23, 0x52, 0x55, 0x4e, 0x54, 0x49, 0x4d, 0x45, 0x5f, 0x53, 0x45, 0x43, 0x55, 0x52,
+ 0x49, 0x54, 0x59, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45,
+ 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x21, 0x0a, 0x1d, 0x52, 0x55, 0x4e, 0x54,
+ 0x49, 0x4d, 0x45, 0x5f, 0x53, 0x45, 0x43, 0x55, 0x52, 0x49, 0x54, 0x59, 0x5f, 0x41, 0x43, 0x54,
+ 0x49, 0x4f, 0x4e, 0x5f, 0x41, 0x55, 0x44, 0x49, 0x54, 0x10, 0x01, 0x12, 0x21, 0x0a, 0x1d, 0x52,
+ 0x55, 0x4e, 0x54, 0x49, 0x4d, 0x45, 0x5f, 0x53, 0x45, 0x43, 0x55, 0x52, 0x49, 0x54, 0x59, 0x5f,
+ 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x42, 0x4c, 0x4f, 0x43, 0x4b, 0x10, 0x02, 0x62, 0x06,
+ 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
}
var (
@@ -1357,74 +1774,89 @@ func file_tetragon_events_proto_rawDescGZIP() []byte {
return file_tetragon_events_proto_rawDescData
}
-var file_tetragon_events_proto_enumTypes = make([]protoimpl.EnumInfo, 3)
-var file_tetragon_events_proto_msgTypes = make([]protoimpl.MessageInfo, 11)
+var file_tetragon_events_proto_enumTypes = make([]protoimpl.EnumInfo, 5)
+var file_tetragon_events_proto_msgTypes = make([]protoimpl.MessageInfo, 15)
var file_tetragon_events_proto_goTypes = []interface{}{
- (EventType)(0), // 0: tetragon.EventType
- (FieldFilterAction)(0), // 1: tetragon.FieldFilterAction
- (ThrottleType)(0), // 2: tetragon.ThrottleType
- (*Filter)(nil), // 3: tetragon.Filter
- (*CapFilter)(nil), // 4: tetragon.CapFilter
- (*CapFilterSet)(nil), // 5: tetragon.CapFilterSet
- (*RedactionFilter)(nil), // 6: tetragon.RedactionFilter
- (*FieldFilter)(nil), // 7: tetragon.FieldFilter
- (*GetEventsRequest)(nil), // 8: tetragon.GetEventsRequest
- (*AggregationOptions)(nil), // 9: tetragon.AggregationOptions
- (*AggregationInfo)(nil), // 10: tetragon.AggregationInfo
- (*RateLimitInfo)(nil), // 11: tetragon.RateLimitInfo
- (*ProcessThrottle)(nil), // 12: tetragon.ProcessThrottle
- (*GetEventsResponse)(nil), // 13: tetragon.GetEventsResponse
- (*wrapperspb.BoolValue)(nil), // 14: google.protobuf.BoolValue
- (CapabilitiesType)(0), // 15: tetragon.CapabilitiesType
- (*fieldmaskpb.FieldMask)(nil), // 16: google.protobuf.FieldMask
- (*durationpb.Duration)(nil), // 17: google.protobuf.Duration
- (*ProcessExec)(nil), // 18: tetragon.ProcessExec
- (*ProcessExit)(nil), // 19: tetragon.ProcessExit
- (*ProcessKprobe)(nil), // 20: tetragon.ProcessKprobe
- (*ProcessTracepoint)(nil), // 21: tetragon.ProcessTracepoint
- (*ProcessLoader)(nil), // 22: tetragon.ProcessLoader
- (*ProcessUprobe)(nil), // 23: tetragon.ProcessUprobe
- (*Test)(nil), // 24: tetragon.Test
- (*timestamppb.Timestamp)(nil), // 25: google.protobuf.Timestamp
+ (EventType)(0), // 0: tetragon.EventType
+ (FieldFilterAction)(0), // 1: tetragon.FieldFilterAction
+ (ThrottleType)(0), // 2: tetragon.ThrottleType
+ (RuntimeSecurityRuleType)(0), // 3: tetragon.RuntimeSecurityRuleType
+ (RuntimeSecurityRuleAction)(0), // 4: tetragon.RuntimeSecurityRuleAction
+ (*Filter)(nil), // 5: tetragon.Filter
+ (*CapFilter)(nil), // 6: tetragon.CapFilter
+ (*CapFilterSet)(nil), // 7: tetragon.CapFilterSet
+ (*RedactionFilter)(nil), // 8: tetragon.RedactionFilter
+ (*FieldFilter)(nil), // 9: tetragon.FieldFilter
+ (*GetEventsRequest)(nil), // 10: tetragon.GetEventsRequest
+ (*AggregationOptions)(nil), // 11: tetragon.AggregationOptions
+ (*AggregationInfo)(nil), // 12: tetragon.AggregationInfo
+ (*RateLimitInfo)(nil), // 13: tetragon.RateLimitInfo
+ (*ProcessThrottle)(nil), // 14: tetragon.ProcessThrottle
+ (*RuntimeSecurityPolicy)(nil), // 15: tetragon.RuntimeSecurityPolicy
+ (*RuntimeSecurityExecution)(nil), // 16: tetragon.RuntimeSecurityExecution
+ (*RuntimeSecurityRule)(nil), // 17: tetragon.RuntimeSecurityRule
+ (*ProcessRuntimeSecurity)(nil), // 18: tetragon.ProcessRuntimeSecurity
+ (*GetEventsResponse)(nil), // 19: tetragon.GetEventsResponse
+ (*wrapperspb.BoolValue)(nil), // 20: google.protobuf.BoolValue
+ (CapabilitiesType)(0), // 21: tetragon.CapabilitiesType
+ (*fieldmaskpb.FieldMask)(nil), // 22: google.protobuf.FieldMask
+ (*durationpb.Duration)(nil), // 23: google.protobuf.Duration
+ (*Process)(nil), // 24: tetragon.Process
+ (*ProcessExec)(nil), // 25: tetragon.ProcessExec
+ (*ProcessExit)(nil), // 26: tetragon.ProcessExit
+ (*ProcessKprobe)(nil), // 27: tetragon.ProcessKprobe
+ (*ProcessTracepoint)(nil), // 28: tetragon.ProcessTracepoint
+ (*ProcessLoader)(nil), // 29: tetragon.ProcessLoader
+ (*ProcessUprobe)(nil), // 30: tetragon.ProcessUprobe
+ (*Test)(nil), // 31: tetragon.Test
+ (*timestamppb.Timestamp)(nil), // 32: google.protobuf.Timestamp
}
var file_tetragon_events_proto_depIdxs = []int32{
- 14, // 0: tetragon.Filter.health_check:type_name -> google.protobuf.BoolValue
+ 20, // 0: tetragon.Filter.health_check:type_name -> google.protobuf.BoolValue
0, // 1: tetragon.Filter.event_set:type_name -> tetragon.EventType
- 4, // 2: tetragon.Filter.capabilities:type_name -> tetragon.CapFilter
- 5, // 3: tetragon.CapFilter.permitted:type_name -> tetragon.CapFilterSet
- 5, // 4: tetragon.CapFilter.effective:type_name -> tetragon.CapFilterSet
- 5, // 5: tetragon.CapFilter.inheritable:type_name -> tetragon.CapFilterSet
- 15, // 6: tetragon.CapFilterSet.any:type_name -> tetragon.CapabilitiesType
- 15, // 7: tetragon.CapFilterSet.all:type_name -> tetragon.CapabilitiesType
- 15, // 8: tetragon.CapFilterSet.exactly:type_name -> tetragon.CapabilitiesType
- 15, // 9: tetragon.CapFilterSet.none:type_name -> tetragon.CapabilitiesType
- 3, // 10: tetragon.RedactionFilter.match:type_name -> tetragon.Filter
+ 6, // 2: tetragon.Filter.capabilities:type_name -> tetragon.CapFilter
+ 7, // 3: tetragon.CapFilter.permitted:type_name -> tetragon.CapFilterSet
+ 7, // 4: tetragon.CapFilter.effective:type_name -> tetragon.CapFilterSet
+ 7, // 5: tetragon.CapFilter.inheritable:type_name -> tetragon.CapFilterSet
+ 21, // 6: tetragon.CapFilterSet.any:type_name -> tetragon.CapabilitiesType
+ 21, // 7: tetragon.CapFilterSet.all:type_name -> tetragon.CapabilitiesType
+ 21, // 8: tetragon.CapFilterSet.exactly:type_name -> tetragon.CapabilitiesType
+ 21, // 9: tetragon.CapFilterSet.none:type_name -> tetragon.CapabilitiesType
+ 5, // 10: tetragon.RedactionFilter.match:type_name -> tetragon.Filter
0, // 11: tetragon.FieldFilter.event_set:type_name -> tetragon.EventType
- 16, // 12: tetragon.FieldFilter.fields:type_name -> google.protobuf.FieldMask
+ 22, // 12: tetragon.FieldFilter.fields:type_name -> google.protobuf.FieldMask
1, // 13: tetragon.FieldFilter.action:type_name -> tetragon.FieldFilterAction
- 14, // 14: tetragon.FieldFilter.invert_event_set:type_name -> google.protobuf.BoolValue
- 3, // 15: tetragon.GetEventsRequest.allow_list:type_name -> tetragon.Filter
- 3, // 16: tetragon.GetEventsRequest.deny_list:type_name -> tetragon.Filter
- 9, // 17: tetragon.GetEventsRequest.aggregation_options:type_name -> tetragon.AggregationOptions
- 7, // 18: tetragon.GetEventsRequest.field_filters:type_name -> tetragon.FieldFilter
- 17, // 19: tetragon.AggregationOptions.window_size:type_name -> google.protobuf.Duration
+ 20, // 14: tetragon.FieldFilter.invert_event_set:type_name -> google.protobuf.BoolValue
+ 5, // 15: tetragon.GetEventsRequest.allow_list:type_name -> tetragon.Filter
+ 5, // 16: tetragon.GetEventsRequest.deny_list:type_name -> tetragon.Filter
+ 11, // 17: tetragon.GetEventsRequest.aggregation_options:type_name -> tetragon.AggregationOptions
+ 9, // 18: tetragon.GetEventsRequest.field_filters:type_name -> tetragon.FieldFilter
+ 23, // 19: tetragon.AggregationOptions.window_size:type_name -> google.protobuf.Duration
2, // 20: tetragon.ProcessThrottle.type:type_name -> tetragon.ThrottleType
- 18, // 21: tetragon.GetEventsResponse.process_exec:type_name -> tetragon.ProcessExec
- 19, // 22: tetragon.GetEventsResponse.process_exit:type_name -> tetragon.ProcessExit
- 20, // 23: tetragon.GetEventsResponse.process_kprobe:type_name -> tetragon.ProcessKprobe
- 21, // 24: tetragon.GetEventsResponse.process_tracepoint:type_name -> tetragon.ProcessTracepoint
- 22, // 25: tetragon.GetEventsResponse.process_loader:type_name -> tetragon.ProcessLoader
- 23, // 26: tetragon.GetEventsResponse.process_uprobe:type_name -> tetragon.ProcessUprobe
- 12, // 27: tetragon.GetEventsResponse.process_throttle:type_name -> tetragon.ProcessThrottle
- 24, // 28: tetragon.GetEventsResponse.test:type_name -> tetragon.Test
- 11, // 29: tetragon.GetEventsResponse.rate_limit_info:type_name -> tetragon.RateLimitInfo
- 25, // 30: tetragon.GetEventsResponse.time:type_name -> google.protobuf.Timestamp
- 10, // 31: tetragon.GetEventsResponse.aggregation_info:type_name -> tetragon.AggregationInfo
- 32, // [32:32] is the sub-list for method output_type
- 32, // [32:32] is the sub-list for method input_type
- 32, // [32:32] is the sub-list for extension type_name
- 32, // [32:32] is the sub-list for extension extendee
- 0, // [0:32] is the sub-list for field type_name
+ 3, // 21: tetragon.RuntimeSecurityRule.type:type_name -> tetragon.RuntimeSecurityRuleType
+ 4, // 22: tetragon.RuntimeSecurityRule.action:type_name -> tetragon.RuntimeSecurityRuleAction
+ 16, // 23: tetragon.RuntimeSecurityRule.execution:type_name -> tetragon.RuntimeSecurityExecution
+ 24, // 24: tetragon.ProcessRuntimeSecurity.process:type_name -> tetragon.Process
+ 24, // 25: tetragon.ProcessRuntimeSecurity.parent:type_name -> tetragon.Process
+ 15, // 26: tetragon.ProcessRuntimeSecurity.policy:type_name -> tetragon.RuntimeSecurityPolicy
+ 17, // 27: tetragon.ProcessRuntimeSecurity.rule:type_name -> tetragon.RuntimeSecurityRule
+ 25, // 28: tetragon.GetEventsResponse.process_exec:type_name -> tetragon.ProcessExec
+ 26, // 29: tetragon.GetEventsResponse.process_exit:type_name -> tetragon.ProcessExit
+ 27, // 30: tetragon.GetEventsResponse.process_kprobe:type_name -> tetragon.ProcessKprobe
+ 28, // 31: tetragon.GetEventsResponse.process_tracepoint:type_name -> tetragon.ProcessTracepoint
+ 29, // 32: tetragon.GetEventsResponse.process_loader:type_name -> tetragon.ProcessLoader
+ 30, // 33: tetragon.GetEventsResponse.process_uprobe:type_name -> tetragon.ProcessUprobe
+ 14, // 34: tetragon.GetEventsResponse.process_throttle:type_name -> tetragon.ProcessThrottle
+ 18, // 35: tetragon.GetEventsResponse.process_runtime_security:type_name -> tetragon.ProcessRuntimeSecurity
+ 31, // 36: tetragon.GetEventsResponse.test:type_name -> tetragon.Test
+ 13, // 37: tetragon.GetEventsResponse.rate_limit_info:type_name -> tetragon.RateLimitInfo
+ 32, // 38: tetragon.GetEventsResponse.time:type_name -> google.protobuf.Timestamp
+ 12, // 39: tetragon.GetEventsResponse.aggregation_info:type_name -> tetragon.AggregationInfo
+ 40, // [40:40] is the sub-list for method output_type
+ 40, // [40:40] is the sub-list for method input_type
+ 40, // [40:40] is the sub-list for extension type_name
+ 40, // [40:40] is the sub-list for extension extendee
+ 0, // [0:40] is the sub-list for field type_name
}
func init() { file_tetragon_events_proto_init() }
@@ -1556,6 +1988,54 @@ func file_tetragon_events_proto_init() {
}
}
file_tetragon_events_proto_msgTypes[10].Exporter = func(v interface{}, i int) interface{} {
+ switch v := v.(*RuntimeSecurityPolicy); i {
+ case 0:
+ return &v.state
+ case 1:
+ return &v.sizeCache
+ case 2:
+ return &v.unknownFields
+ default:
+ return nil
+ }
+ }
+ file_tetragon_events_proto_msgTypes[11].Exporter = func(v interface{}, i int) interface{} {
+ switch v := v.(*RuntimeSecurityExecution); i {
+ case 0:
+ return &v.state
+ case 1:
+ return &v.sizeCache
+ case 2:
+ return &v.unknownFields
+ default:
+ return nil
+ }
+ }
+ file_tetragon_events_proto_msgTypes[12].Exporter = func(v interface{}, i int) interface{} {
+ switch v := v.(*RuntimeSecurityRule); i {
+ case 0:
+ return &v.state
+ case 1:
+ return &v.sizeCache
+ case 2:
+ return &v.unknownFields
+ default:
+ return nil
+ }
+ }
+ file_tetragon_events_proto_msgTypes[13].Exporter = func(v interface{}, i int) interface{} {
+ switch v := v.(*ProcessRuntimeSecurity); i {
+ case 0:
+ return &v.state
+ case 1:
+ return &v.sizeCache
+ case 2:
+ return &v.unknownFields
+ default:
+ return nil
+ }
+ }
+ file_tetragon_events_proto_msgTypes[14].Exporter = func(v interface{}, i int) interface{} {
switch v := v.(*GetEventsResponse); i {
case 0:
return &v.state
@@ -1568,7 +2048,7 @@ func file_tetragon_events_proto_init() {
}
}
}
- file_tetragon_events_proto_msgTypes[10].OneofWrappers = []interface{}{
+ file_tetragon_events_proto_msgTypes[14].OneofWrappers = []interface{}{
(*GetEventsResponse_ProcessExec)(nil),
(*GetEventsResponse_ProcessExit)(nil),
(*GetEventsResponse_ProcessKprobe)(nil),
@@ -1576,6 +2056,7 @@ func file_tetragon_events_proto_init() {
(*GetEventsResponse_ProcessLoader)(nil),
(*GetEventsResponse_ProcessUprobe)(nil),
(*GetEventsResponse_ProcessThrottle)(nil),
+ (*GetEventsResponse_ProcessRuntimeSecurity)(nil),
(*GetEventsResponse_Test)(nil),
(*GetEventsResponse_RateLimitInfo)(nil),
}
@@ -1584,8 +2065,8 @@ func file_tetragon_events_proto_init() {
File: protoimpl.DescBuilder{
GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
RawDescriptor: file_tetragon_events_proto_rawDesc,
- NumEnums: 3,
- NumMessages: 11,
+ NumEnums: 5,
+ NumMessages: 15,
NumExtensions: 0,
NumServices: 0,
},
diff --git a/api/v1/tetragon/events.pb.json.go b/api/v1/tetragon/events.pb.json.go
index 589d91748f7..4c71251dbf9 100644
--- a/api/v1/tetragon/events.pb.json.go
+++ b/api/v1/tetragon/events.pb.json.go
@@ -167,6 +167,70 @@ func (msg *ProcessThrottle) UnmarshalJSON(b []byte) error {
}.Unmarshal(b, msg)
}
+// MarshalJSON implements json.Marshaler
+func (msg *RuntimeSecurityPolicy) MarshalJSON() ([]byte, error) {
+ return protojson.MarshalOptions{
+ UseEnumNumbers: false,
+ EmitUnpopulated: false,
+ UseProtoNames: true,
+ }.Marshal(msg)
+}
+
+// UnmarshalJSON implements json.Unmarshaler
+func (msg *RuntimeSecurityPolicy) UnmarshalJSON(b []byte) error {
+ return protojson.UnmarshalOptions{
+ DiscardUnknown: false,
+ }.Unmarshal(b, msg)
+}
+
+// MarshalJSON implements json.Marshaler
+func (msg *RuntimeSecurityExecution) MarshalJSON() ([]byte, error) {
+ return protojson.MarshalOptions{
+ UseEnumNumbers: false,
+ EmitUnpopulated: false,
+ UseProtoNames: true,
+ }.Marshal(msg)
+}
+
+// UnmarshalJSON implements json.Unmarshaler
+func (msg *RuntimeSecurityExecution) UnmarshalJSON(b []byte) error {
+ return protojson.UnmarshalOptions{
+ DiscardUnknown: false,
+ }.Unmarshal(b, msg)
+}
+
+// MarshalJSON implements json.Marshaler
+func (msg *RuntimeSecurityRule) MarshalJSON() ([]byte, error) {
+ return protojson.MarshalOptions{
+ UseEnumNumbers: false,
+ EmitUnpopulated: false,
+ UseProtoNames: true,
+ }.Marshal(msg)
+}
+
+// UnmarshalJSON implements json.Unmarshaler
+func (msg *RuntimeSecurityRule) UnmarshalJSON(b []byte) error {
+ return protojson.UnmarshalOptions{
+ DiscardUnknown: false,
+ }.Unmarshal(b, msg)
+}
+
+// MarshalJSON implements json.Marshaler
+func (msg *ProcessRuntimeSecurity) MarshalJSON() ([]byte, error) {
+ return protojson.MarshalOptions{
+ UseEnumNumbers: false,
+ EmitUnpopulated: false,
+ UseProtoNames: true,
+ }.Marshal(msg)
+}
+
+// UnmarshalJSON implements json.Unmarshaler
+func (msg *ProcessRuntimeSecurity) UnmarshalJSON(b []byte) error {
+ return protojson.UnmarshalOptions{
+ DiscardUnknown: false,
+ }.Unmarshal(b, msg)
+}
+
// MarshalJSON implements json.Marshaler
func (msg *GetEventsResponse) MarshalJSON() ([]byte, error) {
return protojson.MarshalOptions{
diff --git a/api/v1/tetragon/events.proto b/api/v1/tetragon/events.proto
index f2bd554645f..3fc6685cea4 100644
--- a/api/v1/tetragon/events.proto
+++ b/api/v1/tetragon/events.proto
@@ -26,6 +26,7 @@ enum EventType {
PROCESS_LOADER = 11;
PROCESS_UPROBE = 12;
PROCESS_THROTTLE = 27;
+ PROCESS_RUNTIME_SECURITY = 28;
TEST = 40000;
RATE_LIMIT_INFO = 40001;
@@ -165,6 +166,50 @@ message ProcessThrottle {
string cgroup = 2;
}
+message RuntimeSecurityPolicy {
+ // Name of the RuntimeSecurityPolicy associated with that event.
+ string name = 1;
+ // Namespace of the RuntimeSecurityPolicy associated with that event.
+ string namespace = 2;
+}
+
+enum RuntimeSecurityRuleType {
+ RUNTIME_SECURITY_TYPE_UNSPECIFIED = 0;
+ RUNTIME_SECURITY_TYPE_EXECUTION = 1;
+}
+
+enum RuntimeSecurityRuleAction {
+ RUNTIME_SECURITY_ACTION_UNSPECIFIED = 0;
+ RUNTIME_SECURITY_ACTION_AUDIT = 1;
+ RUNTIME_SECURITY_ACTION_BLOCK = 2;
+}
+
+message RuntimeSecurityExecution {
+ // Path of the binary that triggered the execution rule.
+ string path = 1;
+}
+
+message RuntimeSecurityRule {
+ // Type of the rule that triggered this event.
+ RuntimeSecurityRuleType type = 1;
+ // Action of the rule that triggered this event.
+ RuntimeSecurityRuleAction action = 2;
+ // Execution is set if the rule type is Execution and provide details
+ // specific to execution.
+ RuntimeSecurityExecution execution = 3;
+}
+
+message ProcessRuntimeSecurity {
+ // Process that triggered the exec.
+ Process process = 1;
+ // Immediate parent of the process.
+ Process parent = 2;
+ // RuntimeSecurityPolicy associated with that event.
+ RuntimeSecurityPolicy policy = 3;
+ // Rule is the rule that triggered that event from the RuntimeSecurityPolicy.
+ RuntimeSecurityRule rule = 4;
+}
+
message GetEventsResponse {
// The type-specific fields of an event.
//
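Review bot: The field comment `// Process that triggered the exec.` on ProcessRuntimeSecurity.process reads as copied from the exec event; since this message is keyed on a RuntimeSecurityRule whose type enum may grow beyond EXECUTION, `// Process that triggered the rule.` describes it without tying it to exec. The comment on RuntimeSecurityRule.execution also has a grammar slip, `// Execution is set if the rule type is Execution and provides details`. Consumers would further benefit from the RuntimeSecurityRuleAction comments stating whether an event carrying BLOCK means the execution was denied or only that a BLOCK rule matched, because the message has no outcome field to tell them apart. The same wording is reproduced in the generated events.pb.go and the API docs, so fixing it here fixes all three on regeneration.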
@@ -184,6 +229,7 @@ message GetEventsResponse {
ProcessLoader process_loader = 11;
ProcessUprobe process_uprobe = 12;
ProcessThrottle process_throttle = 27;
+ ProcessRuntimeSecurity process_runtime_security = 28;
Test test = 40000;
RateLimitInfo rate_limit_info = 40001;
diff --git a/api/v1/tetragon/types.pb.go b/api/v1/tetragon/types.pb.go
index f418b3eaca8..20495cc6a9e 100644
--- a/api/v1/tetragon/types.pb.go
+++ b/api/v1/tetragon/types.pb.go
@@ -167,6 +167,26 @@ func (event *ProcessThrottle) Encapsulate() IsGetEventsResponse_Event {
}
}
+// Encapsulate implements the Event interface.
+// Returns the event wrapped by its GetEventsResponse_* type.
+func (event *ProcessRuntimeSecurity) Encapsulate() IsGetEventsResponse_Event {
+ return &GetEventsResponse_ProcessRuntimeSecurity{
+ ProcessRuntimeSecurity: event,
+ }
+}
+
+// SetProcess implements the ProcessEvent interface.
+// Sets the Process field of an event.
+func (event *ProcessRuntimeSecurity) SetProcess(p *Process) {
+ event.Process = p
+}
+
+// SetParent implements the ParentEvent interface.
+// Sets the Parent field of an event.
+func (event *ProcessRuntimeSecurity) SetParent(p *Process) {
+ event.Parent = p
+}
+
// UnwrapGetEventsResponse gets the inner event type from a GetEventsResponse
func UnwrapGetEventsResponse(response *GetEventsResponse) interface{} {
event := response.GetEvent()
@@ -192,6 +212,8 @@ func UnwrapGetEventsResponse(response *GetEventsResponse) interface{} {
return ev.RateLimitInfo
case *GetEventsResponse_ProcessThrottle:
return ev.ProcessThrottle
+ case *GetEventsResponse_ProcessRuntimeSecurity:
+ return ev.ProcessRuntimeSecurity
}
return nil
}
diff --git a/cmd/tetra/commands.go b/cmd/tetra/commands.go
index 05778e6da56..c8640ee11cb 100644
--- a/cmd/tetra/commands.go
+++ b/cmd/tetra/commands.go
@@ -6,6 +6,7 @@ package main
import (
"github.com/cilium/tetragon/cmd/tetra/getevents"
"github.com/cilium/tetragon/cmd/tetra/rthooks"
+ "github.com/cilium/tetragon/cmd/tetra/runtimesecuritypolicy"
"github.com/cilium/tetragon/cmd/tetra/sensors"
"github.com/cilium/tetragon/cmd/tetra/stacktracetree"
"github.com/cilium/tetragon/cmd/tetra/status"
@@ -22,6 +23,7 @@ func addBaseCommands(rootCmd *cobra.Command) {
rootCmd.AddCommand(stacktracetree.New())
rootCmd.AddCommand(status.New())
rootCmd.AddCommand(rthooks.New())
+ rootCmd.AddCommand(runtimesecuritypolicy.New())
// bugtool technically builds on darwin and windows but makes no sense since
// it's supposed to be run on the machine running Tetragon, using
diff --git a/cmd/tetra/runtimesecuritypolicy/runtimesecuritypolicy.go b/cmd/tetra/runtimesecuritypolicy/runtimesecuritypolicy.go
new file mode 100644
index 00000000000..69517b52cb8
--- /dev/null
+++ b/cmd/tetra/runtimesecuritypolicy/runtimesecuritypolicy.go
@@ -0,0 +1,40 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Tetragon
+
+package runtimesecuritypolicy
+
+import (
+ "os"
+
+ "github.com/cilium/tetragon/pkg/runtimesecuritypolicy"
+ "github.com/spf13/cobra"
+ "sigs.k8s.io/yaml"
+)
+
+func New() *cobra.Command {
+ return &cobra.Command{
+ Use: "runtimesecuritypolicy",
+ Aliases: []string{"rspolicy"},
+ Hidden: true,
+ Short: "Convert RuntimeSecurityPolicy to TracingPolicy. Development tool.",
+ Args: cobra.ExactArgs(1),
+ RunE: func(cmd *cobra.Command, args []string) error {
+ fileContent, err := os.ReadFile(args[0])
+ if err != nil {
+ return err
+ }
+ policy, err := runtimesecuritypolicy.FromYAML(fileContent)
+ if err != nil {
+ return err
+ }
+
+ tracingPolicy, err := runtimesecuritypolicy.ToTracingPolicy(*policy)
+ if err != nil {
+ return err
+ }
+ tpYAML, _ := yaml.Marshal(tracingPolicy)
+ cmd.Println(string(tpYAML))
+ return nil
+ },
+ }
+}
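Review bot: The error from `yaml.Marshal` is discarded on the `tpYAML, _ := yaml.Marshal(tracingPolicy)` line, so a policy that fails to serialise prints an empty document and the command still exits 0; return it instead: `tpYAML, err := yaml.Marshal(tracingPolicy)` / `if err != nil { return err }` / `cmd.Println(string(tpYAML))`. The exported `New` has no doc comment; `// New returns the hidden runtimesecuritypolicy command, which converts a RuntimeSecurityPolicy YAML file into its TracingPolicy equivalent.` would cover it. The errors from os.ReadFile and FromYAML are returned bare, which is acceptable for a development tool, but wrapping them with the file name would make a failure easier to place when the command is used in scripts.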
diff --git a/cmd/tetragon/main.go b/cmd/tetragon/main.go
index 2e673be21a4..d1d87f8e146 100644
--- a/cmd/tetragon/main.go
+++ b/cmd/tetragon/main.go
@@ -48,6 +48,7 @@ import (
"github.com/cilium/tetragon/pkg/reader/namespace"
"github.com/cilium/tetragon/pkg/reader/proc"
"github.com/cilium/tetragon/pkg/rthooks"
+ "github.com/cilium/tetragon/pkg/runtimesecuritypolicy"
"github.com/cilium/tetragon/pkg/sensors/base"
"github.com/cilium/tetragon/pkg/sensors/program"
"github.com/cilium/tetragon/pkg/server"
@@ -443,6 +444,7 @@ func tetragonExecute() error {
saveInitInfo()
if option.Config.EnableK8s && option.Config.EnableTracingPolicyCRD {
go crd.WatchTracePolicy(ctx, observer.GetSensorManager())
+ go crd.WatchRuntimeSecurityPolicy(ctx, observer.GetSensorManager())
}
obs.LogPinnedBpf(observerDir)
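Review bot: The new `go crd.WatchRuntimeSecurityPolicy(...)` is started under the existing `EnableK8s && EnableTracingPolicyCRD` condition, but the CRD wait added to waitCRDs further down in this file gates the RuntimeSecurityPolicy CRD on `option.Config.EnableRuntimeSecurityPolicyCRD`. With only EnableTracingPolicyCRD set the watcher runs against a CRD nobody waited for, and with only EnableRuntimeSecurityPolicyCRD set nothing watches it. Gating the watcher on the same flag keeps the two consistent: `if option.Config.EnableK8s && option.Config.EnableRuntimeSecurityPolicyCRD {` / `go crd.WatchRuntimeSecurityPolicy(ctx, observer.GetSensorManager())` / `}`. tetragonExecute continues outside the hunk.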
@@ -480,6 +482,13 @@ func tetragonExecute() error {
}
}
+ if len(option.Config.RuntimeSecurityPolicy) > 0 {
+ err = addRuntimeSecurityPolicy(ctx, option.Config.RuntimeSecurityPolicy)
+ if err != nil {
+ return err
+ }
+ }
+
// k8s should have metrics, so periodically log only in a non k8s
if !option.Config.EnableK8s {
go logStatus(ctx, obs)
@@ -498,6 +507,9 @@ func waitCRDs(config *rest.Config) error {
if option.Config.EnablePodInfo {
crds[v1alpha1.PIName] = struct{}{}
}
+ if option.Config.EnableRuntimeSecurityPolicyCRD {
+ crds[v1alpha1.RuntimeSecurityPolicyName] = struct{}{}
+ }
if len(crds) == 0 {
log.Info("No CRDs are enabled")
@@ -580,6 +592,25 @@ func loadTpFromDir(ctx context.Context, dir string) error {
return err
}
+func addRuntimeSecurityPolicy(ctx context.Context, file string) error {
+ tp, err := runtimesecuritypolicy.FromFileToTracingPolicy(file)
+ if err != nil {
+ return err
+ }
+
+ err = observer.GetSensorManager().AddTracingPolicy(ctx, tp)
+ if err != nil {
+ return err
+ }
+
+ logger.GetLogger().WithFields(logrus.Fields{
+ "RuntimeSecurityPolicy": file,
+ "metadata.name": tp.Name,
+ }).Info("Added RuntimeSecurityPolicy with success")
+
+ return nil
+}
+
func addTracingPolicy(ctx context.Context, file string) error {
f, err := filepath.Abs(filepath.Clean(file))
if err != nil {
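Review bot: addRuntimeSecurityPolicy passes the configured path straight to FromFileToTracingPolicy, while its sibling addTracingPolicy immediately below first normalises it with `filepath.Abs(filepath.Clean(file))`; the two loaders should agree so the logged `RuntimeSecurityPolicy` field and any error refer to the same canonical path. Both early returns hand back the error unwrapped, so a parse failure surfaces in tetragonExecute without naming the file or distinguishing "could not read the policy" from "sensor manager rejected it"; wrapping each with the file name and the stage would make the startup failure actionable. addTracingPolicy's body continues outside the hunk.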
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.pb.go b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.pb.go
index f11dc36ba6c..c92f57c64d5 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.pb.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.pb.go
@@ -34,16 +34,17 @@ const (
type EventType int32
const (
- EventType_UNDEF EventType = 0
- EventType_PROCESS_EXEC EventType = 1
- EventType_PROCESS_EXIT EventType = 5
- EventType_PROCESS_KPROBE EventType = 9
- EventType_PROCESS_TRACEPOINT EventType = 10
- EventType_PROCESS_LOADER EventType = 11
- EventType_PROCESS_UPROBE EventType = 12
- EventType_PROCESS_THROTTLE EventType = 27
- EventType_TEST EventType = 40000
- EventType_RATE_LIMIT_INFO EventType = 40001
+ EventType_UNDEF EventType = 0
+ EventType_PROCESS_EXEC EventType = 1
+ EventType_PROCESS_EXIT EventType = 5
+ EventType_PROCESS_KPROBE EventType = 9
+ EventType_PROCESS_TRACEPOINT EventType = 10
+ EventType_PROCESS_LOADER EventType = 11
+ EventType_PROCESS_UPROBE EventType = 12
+ EventType_PROCESS_THROTTLE EventType = 27
+ EventType_PROCESS_RUNTIME_SECURITY EventType = 28
+ EventType_TEST EventType = 40000
+ EventType_RATE_LIMIT_INFO EventType = 40001
)
// Enum value maps for EventType.
@@ -57,20 +58,22 @@ var (
11: "PROCESS_LOADER",
12: "PROCESS_UPROBE",
27: "PROCESS_THROTTLE",
+ 28: "PROCESS_RUNTIME_SECURITY",
40000: "TEST",
40001: "RATE_LIMIT_INFO",
}
EventType_value = map[string]int32{
- "UNDEF": 0,
- "PROCESS_EXEC": 1,
- "PROCESS_EXIT": 5,
- "PROCESS_KPROBE": 9,
- "PROCESS_TRACEPOINT": 10,
- "PROCESS_LOADER": 11,
- "PROCESS_UPROBE": 12,
- "PROCESS_THROTTLE": 27,
- "TEST": 40000,
- "RATE_LIMIT_INFO": 40001,
+ "UNDEF": 0,
+ "PROCESS_EXEC": 1,
+ "PROCESS_EXIT": 5,
+ "PROCESS_KPROBE": 9,
+ "PROCESS_TRACEPOINT": 10,
+ "PROCESS_LOADER": 11,
+ "PROCESS_UPROBE": 12,
+ "PROCESS_THROTTLE": 27,
+ "PROCESS_RUNTIME_SECURITY": 28,
+ "TEST": 40000,
+ "RATE_LIMIT_INFO": 40001,
}
)
@@ -197,6 +200,101 @@ func (ThrottleType) EnumDescriptor() ([]byte, []int) {
return file_tetragon_events_proto_rawDescGZIP(), []int{2}
}
+type RuntimeSecurityRuleType int32
+
+const (
+ RuntimeSecurityRuleType_RUNTIME_SECURITY_TYPE_UNSPECIFIED RuntimeSecurityRuleType = 0
+ RuntimeSecurityRuleType_RUNTIME_SECURITY_TYPE_EXECUTION RuntimeSecurityRuleType = 1
+)
+
+// Enum value maps for RuntimeSecurityRuleType.
+var (
+ RuntimeSecurityRuleType_name = map[int32]string{
+ 0: "RUNTIME_SECURITY_TYPE_UNSPECIFIED",
+ 1: "RUNTIME_SECURITY_TYPE_EXECUTION",
+ }
+ RuntimeSecurityRuleType_value = map[string]int32{
+ "RUNTIME_SECURITY_TYPE_UNSPECIFIED": 0,
+ "RUNTIME_SECURITY_TYPE_EXECUTION": 1,
+ }
+)
+
+func (x RuntimeSecurityRuleType) Enum() *RuntimeSecurityRuleType {
+ p := new(RuntimeSecurityRuleType)
+ *p = x
+ return p
+}
+
+func (x RuntimeSecurityRuleType) String() string {
+ return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x))
+}
+
+func (RuntimeSecurityRuleType) Descriptor() protoreflect.EnumDescriptor {
+ return file_tetragon_events_proto_enumTypes[3].Descriptor()
+}
+
+func (RuntimeSecurityRuleType) Type() protoreflect.EnumType {
+ return &file_tetragon_events_proto_enumTypes[3]
+}
+
+func (x RuntimeSecurityRuleType) Number() protoreflect.EnumNumber {
+ return protoreflect.EnumNumber(x)
+}
+
+// Deprecated: Use RuntimeSecurityRuleType.Descriptor instead.
+func (RuntimeSecurityRuleType) EnumDescriptor() ([]byte, []int) {
+ return file_tetragon_events_proto_rawDescGZIP(), []int{3}
+}
+
+type RuntimeSecurityRuleAction int32
+
+const (
+ RuntimeSecurityRuleAction_RUNTIME_SECURITY_ACTION_UNSPECIFIED RuntimeSecurityRuleAction = 0
+ RuntimeSecurityRuleAction_RUNTIME_SECURITY_ACTION_AUDIT RuntimeSecurityRuleAction = 1
+ RuntimeSecurityRuleAction_RUNTIME_SECURITY_ACTION_BLOCK RuntimeSecurityRuleAction = 2
+)
+
+// Enum value maps for RuntimeSecurityRuleAction.
+var (
+ RuntimeSecurityRuleAction_name = map[int32]string{
+ 0: "RUNTIME_SECURITY_ACTION_UNSPECIFIED",
+ 1: "RUNTIME_SECURITY_ACTION_AUDIT",
+ 2: "RUNTIME_SECURITY_ACTION_BLOCK",
+ }
+ RuntimeSecurityRuleAction_value = map[string]int32{
+ "RUNTIME_SECURITY_ACTION_UNSPECIFIED": 0,
+ "RUNTIME_SECURITY_ACTION_AUDIT": 1,
+ "RUNTIME_SECURITY_ACTION_BLOCK": 2,
+ }
+)
+
+func (x RuntimeSecurityRuleAction) Enum() *RuntimeSecurityRuleAction {
+ p := new(RuntimeSecurityRuleAction)
+ *p = x
+ return p
+}
+
+func (x RuntimeSecurityRuleAction) String() string {
+ return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x))
+}
+
+func (RuntimeSecurityRuleAction) Descriptor() protoreflect.EnumDescriptor {
+ return file_tetragon_events_proto_enumTypes[4].Descriptor()
+}
+
+func (RuntimeSecurityRuleAction) Type() protoreflect.EnumType {
+ return &file_tetragon_events_proto_enumTypes[4]
+}
+
+func (x RuntimeSecurityRuleAction) Number() protoreflect.EnumNumber {
+ return protoreflect.EnumNumber(x)
+}
+
+// Deprecated: Use RuntimeSecurityRuleAction.Descriptor instead.
+func (RuntimeSecurityRuleAction) EnumDescriptor() ([]byte, []int) {
+ return file_tetragon_events_proto_rawDescGZIP(), []int{4}
+}
+
type Filter struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
@@ -927,6 +1025,253 @@ func (x *ProcessThrottle) GetCgroup() string {
return ""
}
+type RuntimeSecurityPolicy struct {
+ state protoimpl.MessageState
+ sizeCache protoimpl.SizeCache
+ unknownFields protoimpl.UnknownFields
+
+ // Name of the RuntimeSecurityPolicy associated with that event.
+ Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
+ // Namespace of the RuntimeSecurityPolicy associated with that event.
+ Namespace string `protobuf:"bytes,2,opt,name=namespace,proto3" json:"namespace,omitempty"`
+}
+
+func (x *RuntimeSecurityPolicy) Reset() {
+ *x = RuntimeSecurityPolicy{}
+ if protoimpl.UnsafeEnabled {
+ mi := &file_tetragon_events_proto_msgTypes[10]
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ ms.StoreMessageInfo(mi)
+ }
+}
+
+func (x *RuntimeSecurityPolicy) String() string {
+ return protoimpl.X.MessageStringOf(x)
+}
+
+func (*RuntimeSecurityPolicy) ProtoMessage() {}
+
+func (x *RuntimeSecurityPolicy) ProtoReflect() protoreflect.Message {
+ mi := &file_tetragon_events_proto_msgTypes[10]
+ if protoimpl.UnsafeEnabled && x != nil {
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ if ms.LoadMessageInfo() == nil {
+ ms.StoreMessageInfo(mi)
+ }
+ return ms
+ }
+ return mi.MessageOf(x)
+}
+
+// Deprecated: Use RuntimeSecurityPolicy.ProtoReflect.Descriptor instead.
+func (*RuntimeSecurityPolicy) Descriptor() ([]byte, []int) {
+ return file_tetragon_events_proto_rawDescGZIP(), []int{10}
+}
+
+func (x *RuntimeSecurityPolicy) GetName() string {
+ if x != nil {
+ return x.Name
+ }
+ return ""
+}
+
+func (x *RuntimeSecurityPolicy) GetNamespace() string {
+ if x != nil {
+ return x.Namespace
+ }
+ return ""
+}
+
+type RuntimeSecurityExecution struct {
+ state protoimpl.MessageState
+ sizeCache protoimpl.SizeCache
+ unknownFields protoimpl.UnknownFields
+
+ // Path of the binary that triggered the execution rule.
+ Path string `protobuf:"bytes,1,opt,name=path,proto3" json:"path,omitempty"`
+}
+
+func (x *RuntimeSecurityExecution) Reset() {
+ *x = RuntimeSecurityExecution{}
+ if protoimpl.UnsafeEnabled {
+ mi := &file_tetragon_events_proto_msgTypes[11]
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ ms.StoreMessageInfo(mi)
+ }
+}
+
+func (x *RuntimeSecurityExecution) String() string {
+ return protoimpl.X.MessageStringOf(x)
+}
+
+func (*RuntimeSecurityExecution) ProtoMessage() {}
+
+func (x *RuntimeSecurityExecution) ProtoReflect() protoreflect.Message {
+ mi := &file_tetragon_events_proto_msgTypes[11]
+ if protoimpl.UnsafeEnabled && x != nil {
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ if ms.LoadMessageInfo() == nil {
+ ms.StoreMessageInfo(mi)
+ }
+ return ms
+ }
+ return mi.MessageOf(x)
+}
+
+// Deprecated: Use RuntimeSecurityExecution.ProtoReflect.Descriptor instead.
+func (*RuntimeSecurityExecution) Descriptor() ([]byte, []int) {
+ return file_tetragon_events_proto_rawDescGZIP(), []int{11}
+}
+
+func (x *RuntimeSecurityExecution) GetPath() string {
+ if x != nil {
+ return x.Path
+ }
+ return ""
+}
+
+type RuntimeSecurityRule struct {
+ state protoimpl.MessageState
+ sizeCache protoimpl.SizeCache
+ unknownFields protoimpl.UnknownFields
+
+ // Type of the rule that triggered this event.
+ Type RuntimeSecurityRuleType `protobuf:"varint,1,opt,name=type,proto3,enum=tetragon.RuntimeSecurityRuleType" json:"type,omitempty"`
+ // Action of the rule that triggered this event.
+ Action RuntimeSecurityRuleAction `protobuf:"varint,2,opt,name=action,proto3,enum=tetragon.RuntimeSecurityRuleAction" json:"action,omitempty"`
+ // Execution is set if the rule type is Execution and provide details
+ // specific to execution.
+ Execution *RuntimeSecurityExecution `protobuf:"bytes,3,opt,name=execution,proto3" json:"execution,omitempty"`
+}
+
+func (x *RuntimeSecurityRule) Reset() {
+ *x = RuntimeSecurityRule{}
+ if protoimpl.UnsafeEnabled {
+ mi := &file_tetragon_events_proto_msgTypes[12]
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ ms.StoreMessageInfo(mi)
+ }
+}
+
+func (x *RuntimeSecurityRule) String() string {
+ return protoimpl.X.MessageStringOf(x)
+}
+
+func (*RuntimeSecurityRule) ProtoMessage() {}
+
+func (x *RuntimeSecurityRule) ProtoReflect() protoreflect.Message {
+ mi := &file_tetragon_events_proto_msgTypes[12]
+ if protoimpl.UnsafeEnabled && x != nil {
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ if ms.LoadMessageInfo() == nil {
+ ms.StoreMessageInfo(mi)
+ }
+ return ms
+ }
+ return mi.MessageOf(x)
+}
+
+// Deprecated: Use RuntimeSecurityRule.ProtoReflect.Descriptor instead.
+func (*RuntimeSecurityRule) Descriptor() ([]byte, []int) {
+ return file_tetragon_events_proto_rawDescGZIP(), []int{12}
+}
+
+func (x *RuntimeSecurityRule) GetType() RuntimeSecurityRuleType {
+ if x != nil {
+ return x.Type
+ }
+ return RuntimeSecurityRuleType_RUNTIME_SECURITY_TYPE_UNSPECIFIED
+}
+
+func (x *RuntimeSecurityRule) GetAction() RuntimeSecurityRuleAction {
+ if x != nil {
+ return x.Action
+ }
+ return RuntimeSecurityRuleAction_RUNTIME_SECURITY_ACTION_UNSPECIFIED
+}
+
+func (x *RuntimeSecurityRule) GetExecution() *RuntimeSecurityExecution {
+ if x != nil {
+ return x.Execution
+ }
+ return nil
+}
+
+type ProcessRuntimeSecurity struct {
+ state protoimpl.MessageState
+ sizeCache protoimpl.SizeCache
+ unknownFields protoimpl.UnknownFields
+
+ // Process that triggered the exec.
+ Process *Process `protobuf:"bytes,1,opt,name=process,proto3" json:"process,omitempty"`
+ // Immediate parent of the process.
+ Parent *Process `protobuf:"bytes,2,opt,name=parent,proto3" json:"parent,omitempty"`
+ // RuntimeSecurityPolicy associated with that event.
+ Policy *RuntimeSecurityPolicy `protobuf:"bytes,3,opt,name=policy,proto3" json:"policy,omitempty"`
+ // Rule is the rule that triggered that event from the RuntimeSecurityPolicy.
+ Rule *RuntimeSecurityRule `protobuf:"bytes,4,opt,name=rule,proto3" json:"rule,omitempty"`
+}
+
+func (x *ProcessRuntimeSecurity) Reset() {
+ *x = ProcessRuntimeSecurity{}
+ if protoimpl.UnsafeEnabled {
+ mi := &file_tetragon_events_proto_msgTypes[13]
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ ms.StoreMessageInfo(mi)
+ }
+}
+
+func (x *ProcessRuntimeSecurity) String() string {
+ return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ProcessRuntimeSecurity) ProtoMessage() {}
+
+func (x *ProcessRuntimeSecurity) ProtoReflect() protoreflect.Message {
+ mi := &file_tetragon_events_proto_msgTypes[13]
+ if protoimpl.UnsafeEnabled && x != nil {
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ if ms.LoadMessageInfo() == nil {
+ ms.StoreMessageInfo(mi)
+ }
+ return ms
+ }
+ return mi.MessageOf(x)
+}
+
+// Deprecated: Use ProcessRuntimeSecurity.ProtoReflect.Descriptor instead.
+func (*ProcessRuntimeSecurity) Descriptor() ([]byte, []int) {
+ return file_tetragon_events_proto_rawDescGZIP(), []int{13}
+}
+
+func (x *ProcessRuntimeSecurity) GetProcess() *Process {
+ if x != nil {
+ return x.Process
+ }
+ return nil
+}
+
+func (x *ProcessRuntimeSecurity) GetParent() *Process {
+ if x != nil {
+ return x.Parent
+ }
+ return nil
+}
+
+func (x *ProcessRuntimeSecurity) GetPolicy() *RuntimeSecurityPolicy {
+ if x != nil {
+ return x.Policy
+ }
+ return nil
+}
+
+func (x *ProcessRuntimeSecurity) GetRule() *RuntimeSecurityRule {
+ if x != nil {
+ return x.Rule
+ }
+ return nil
+}
+
type GetEventsResponse struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
@@ -945,6 +1290,7 @@ type GetEventsResponse struct {
// *GetEventsResponse_ProcessLoader
// *GetEventsResponse_ProcessUprobe
// *GetEventsResponse_ProcessThrottle
+ // *GetEventsResponse_ProcessRuntimeSecurity
// *GetEventsResponse_Test
// *GetEventsResponse_RateLimitInfo
Event isGetEventsResponse_Event `protobuf_oneof:"event"`
@@ -962,7 +1308,7 @@ type GetEventsResponse struct {
func (x *GetEventsResponse) Reset() {
*x = GetEventsResponse{}
if protoimpl.UnsafeEnabled {
- mi := &file_tetragon_events_proto_msgTypes[10]
+ mi := &file_tetragon_events_proto_msgTypes[14]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@@ -975,7 +1321,7 @@ func (x *GetEventsResponse) String() string {
func (*GetEventsResponse) ProtoMessage() {}
func (x *GetEventsResponse) ProtoReflect() protoreflect.Message {
- mi := &file_tetragon_events_proto_msgTypes[10]
+ mi := &file_tetragon_events_proto_msgTypes[14]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@@ -988,7 +1334,7 @@ func (x *GetEventsResponse) ProtoReflect() protoreflect.Message {
// Deprecated: Use GetEventsResponse.ProtoReflect.Descriptor instead.
func (*GetEventsResponse) Descriptor() ([]byte, []int) {
- return file_tetragon_events_proto_rawDescGZIP(), []int{10}
+ return file_tetragon_events_proto_rawDescGZIP(), []int{14}
}
func (m *GetEventsResponse) GetEvent() isGetEventsResponse_Event {
@@ -1047,6 +1393,13 @@ func (x *GetEventsResponse) GetProcessThrottle() *ProcessThrottle {
return nil
}
+func (x *GetEventsResponse) GetProcessRuntimeSecurity() *ProcessRuntimeSecurity {
+ if x, ok := x.GetEvent().(*GetEventsResponse_ProcessRuntimeSecurity); ok {
+ return x.ProcessRuntimeSecurity
+ }
+ return nil
+}
+
func (x *GetEventsResponse) GetTest() *Test {
if x, ok := x.GetEvent().(*GetEventsResponse_Test); ok {
return x.Test
@@ -1121,6 +1474,10 @@ type GetEventsResponse_ProcessThrottle struct {
ProcessThrottle *ProcessThrottle `protobuf:"bytes,27,opt,name=process_throttle,json=processThrottle,proto3,oneof"`
}
+type GetEventsResponse_ProcessRuntimeSecurity struct {
+ ProcessRuntimeSecurity *ProcessRuntimeSecurity `protobuf:"bytes,28,opt,name=process_runtime_security,json=processRuntimeSecurity,proto3,oneof"`
+}
+
type GetEventsResponse_Test struct {
Test *Test `protobuf:"bytes,40000,opt,name=test,proto3,oneof"`
}
@@ -1143,6 +1500,8 @@ func (*GetEventsResponse_ProcessUprobe) isGetEventsResponse_Event() {}
func (*GetEventsResponse_ProcessThrottle) isGetEventsResponse_Event() {}
+func (*GetEventsResponse_ProcessRuntimeSecurity) isGetEventsResponse_Event() {}
+
func (*GetEventsResponse_Test) isGetEventsResponse_Event() {}
func (*GetEventsResponse_RateLimitInfo) isGetEventsResponse_Event() {}
@@ -1274,75 +1633,133 @@ var file_tetragon_events_proto_rawDesc = []byte{
0x20, 0x01, 0x28, 0x0e, 0x32, 0x16, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e,
0x54, 0x68, 0x72, 0x6f, 0x74, 0x74, 0x6c, 0x65, 0x54, 0x79, 0x70, 0x65, 0x52, 0x04, 0x74, 0x79,
0x70, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x63, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x18, 0x02, 0x20, 0x01,
- 0x28, 0x09, 0x52, 0x06, 0x63, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x22, 0xf3, 0x05, 0x0a, 0x11, 0x47,
- 0x65, 0x74, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65,
- 0x12, 0x3a, 0x0a, 0x0c, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x65, 0x78, 0x65, 0x63,
- 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f,
- 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x45, 0x78, 0x65, 0x63, 0x48, 0x00, 0x52,
- 0x0b, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x45, 0x78, 0x65, 0x63, 0x12, 0x3a, 0x0a, 0x0c,
- 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x65, 0x78, 0x69, 0x74, 0x18, 0x05, 0x20, 0x01,
- 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x50, 0x72,
- 0x6f, 0x63, 0x65, 0x73, 0x73, 0x45, 0x78, 0x69, 0x74, 0x48, 0x00, 0x52, 0x0b, 0x70, 0x72, 0x6f,
- 0x63, 0x65, 0x73, 0x73, 0x45, 0x78, 0x69, 0x74, 0x12, 0x40, 0x0a, 0x0e, 0x70, 0x72, 0x6f, 0x63,
- 0x65, 0x73, 0x73, 0x5f, 0x6b, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x18, 0x09, 0x20, 0x01, 0x28, 0x0b,
- 0x32, 0x17, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63,
- 0x65, 0x73, 0x73, 0x4b, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x48, 0x00, 0x52, 0x0d, 0x70, 0x72, 0x6f,
- 0x63, 0x65, 0x73, 0x73, 0x4b, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x12, 0x4c, 0x0a, 0x12, 0x70, 0x72,
- 0x6f, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x74, 0x72, 0x61, 0x63, 0x65, 0x70, 0x6f, 0x69, 0x6e, 0x74,
- 0x18, 0x0a, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f,
- 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x54, 0x72, 0x61, 0x63, 0x65, 0x70, 0x6f,
- 0x69, 0x6e, 0x74, 0x48, 0x00, 0x52, 0x11, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x54, 0x72,
- 0x61, 0x63, 0x65, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x12, 0x40, 0x0a, 0x0e, 0x70, 0x72, 0x6f, 0x63,
- 0x65, 0x73, 0x73, 0x5f, 0x6c, 0x6f, 0x61, 0x64, 0x65, 0x72, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x0b,
- 0x32, 0x17, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63,
- 0x65, 0x73, 0x73, 0x4c, 0x6f, 0x61, 0x64, 0x65, 0x72, 0x48, 0x00, 0x52, 0x0d, 0x70, 0x72, 0x6f,
- 0x63, 0x65, 0x73, 0x73, 0x4c, 0x6f, 0x61, 0x64, 0x65, 0x72, 0x12, 0x40, 0x0a, 0x0e, 0x70, 0x72,
- 0x6f, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x75, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x18, 0x0c, 0x20, 0x01,
- 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x50, 0x72,
- 0x6f, 0x63, 0x65, 0x73, 0x73, 0x55, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x48, 0x00, 0x52, 0x0d, 0x70,
- 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x55, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x12, 0x46, 0x0a, 0x10,
- 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x74, 0x68, 0x72, 0x6f, 0x74, 0x74, 0x6c, 0x65,
- 0x18, 0x1b, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f,
- 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x54, 0x68, 0x72, 0x6f, 0x74, 0x74, 0x6c,
- 0x65, 0x48, 0x00, 0x52, 0x0f, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x54, 0x68, 0x72, 0x6f,
- 0x74, 0x74, 0x6c, 0x65, 0x12, 0x26, 0x0a, 0x04, 0x74, 0x65, 0x73, 0x74, 0x18, 0xc0, 0xb8, 0x02,
- 0x20, 0x01, 0x28, 0x0b, 0x32, 0x0e, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e,
- 0x54, 0x65, 0x73, 0x74, 0x48, 0x00, 0x52, 0x04, 0x74, 0x65, 0x73, 0x74, 0x12, 0x43, 0x0a, 0x0f,
- 0x72, 0x61, 0x74, 0x65, 0x5f, 0x6c, 0x69, 0x6d, 0x69, 0x74, 0x5f, 0x69, 0x6e, 0x66, 0x6f, 0x18,
- 0xc1, 0xb8, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67,
- 0x6f, 0x6e, 0x2e, 0x52, 0x61, 0x74, 0x65, 0x4c, 0x69, 0x6d, 0x69, 0x74, 0x49, 0x6e, 0x66, 0x6f,
- 0x48, 0x00, 0x52, 0x0d, 0x72, 0x61, 0x74, 0x65, 0x4c, 0x69, 0x6d, 0x69, 0x74, 0x49, 0x6e, 0x66,
- 0x6f, 0x12, 0x1c, 0x0a, 0x09, 0x6e, 0x6f, 0x64, 0x65, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0xe8,
- 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x6e, 0x6f, 0x64, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x12,
- 0x2f, 0x0a, 0x04, 0x74, 0x69, 0x6d, 0x65, 0x18, 0xe9, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a,
- 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66,
- 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x04, 0x74, 0x69, 0x6d, 0x65,
- 0x12, 0x45, 0x0a, 0x10, 0x61, 0x67, 0x67, 0x72, 0x65, 0x67, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f,
- 0x69, 0x6e, 0x66, 0x6f, 0x18, 0xea, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x74, 0x65,
- 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x41, 0x67, 0x67, 0x72, 0x65, 0x67, 0x61, 0x74, 0x69,
- 0x6f, 0x6e, 0x49, 0x6e, 0x66, 0x6f, 0x52, 0x0f, 0x61, 0x67, 0x67, 0x72, 0x65, 0x67, 0x61, 0x74,
- 0x69, 0x6f, 0x6e, 0x49, 0x6e, 0x66, 0x6f, 0x42, 0x07, 0x0a, 0x05, 0x65, 0x76, 0x65, 0x6e, 0x74,
- 0x2a, 0xc7, 0x01, 0x0a, 0x09, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70, 0x65, 0x12, 0x09,
- 0x0a, 0x05, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, 0x00, 0x12, 0x10, 0x0a, 0x0c, 0x50, 0x52, 0x4f,
- 0x43, 0x45, 0x53, 0x53, 0x5f, 0x45, 0x58, 0x45, 0x43, 0x10, 0x01, 0x12, 0x10, 0x0a, 0x0c, 0x50,
- 0x52, 0x4f, 0x43, 0x45, 0x53, 0x53, 0x5f, 0x45, 0x58, 0x49, 0x54, 0x10, 0x05, 0x12, 0x12, 0x0a,
- 0x0e, 0x50, 0x52, 0x4f, 0x43, 0x45, 0x53, 0x53, 0x5f, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x10,
- 0x09, 0x12, 0x16, 0x0a, 0x12, 0x50, 0x52, 0x4f, 0x43, 0x45, 0x53, 0x53, 0x5f, 0x54, 0x52, 0x41,
- 0x43, 0x45, 0x50, 0x4f, 0x49, 0x4e, 0x54, 0x10, 0x0a, 0x12, 0x12, 0x0a, 0x0e, 0x50, 0x52, 0x4f,
- 0x43, 0x45, 0x53, 0x53, 0x5f, 0x4c, 0x4f, 0x41, 0x44, 0x45, 0x52, 0x10, 0x0b, 0x12, 0x12, 0x0a,
- 0x0e, 0x50, 0x52, 0x4f, 0x43, 0x45, 0x53, 0x53, 0x5f, 0x55, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x10,
- 0x0c, 0x12, 0x14, 0x0a, 0x10, 0x50, 0x52, 0x4f, 0x43, 0x45, 0x53, 0x53, 0x5f, 0x54, 0x48, 0x52,
- 0x4f, 0x54, 0x54, 0x4c, 0x45, 0x10, 0x1b, 0x12, 0x0a, 0x0a, 0x04, 0x54, 0x45, 0x53, 0x54, 0x10,
- 0xc0, 0xb8, 0x02, 0x12, 0x15, 0x0a, 0x0f, 0x52, 0x41, 0x54, 0x45, 0x5f, 0x4c, 0x49, 0x4d, 0x49,
- 0x54, 0x5f, 0x49, 0x4e, 0x46, 0x4f, 0x10, 0xc1, 0xb8, 0x02, 0x2a, 0x2d, 0x0a, 0x11, 0x46, 0x69,
- 0x65, 0x6c, 0x64, 0x46, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12,
- 0x0b, 0x0a, 0x07, 0x49, 0x4e, 0x43, 0x4c, 0x55, 0x44, 0x45, 0x10, 0x00, 0x12, 0x0b, 0x0a, 0x07,
- 0x45, 0x58, 0x43, 0x4c, 0x55, 0x44, 0x45, 0x10, 0x01, 0x2a, 0x4b, 0x0a, 0x0c, 0x54, 0x68, 0x72,
- 0x6f, 0x74, 0x74, 0x6c, 0x65, 0x54, 0x79, 0x70, 0x65, 0x12, 0x14, 0x0a, 0x10, 0x54, 0x48, 0x52,
- 0x4f, 0x54, 0x54, 0x4c, 0x45, 0x5f, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12,
- 0x12, 0x0a, 0x0e, 0x54, 0x48, 0x52, 0x4f, 0x54, 0x54, 0x4c, 0x45, 0x5f, 0x53, 0x54, 0x41, 0x52,
- 0x54, 0x10, 0x01, 0x12, 0x11, 0x0a, 0x0d, 0x54, 0x48, 0x52, 0x4f, 0x54, 0x54, 0x4c, 0x45, 0x5f,
- 0x53, 0x54, 0x4f, 0x50, 0x10, 0x02, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+ 0x28, 0x09, 0x52, 0x06, 0x63, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x22, 0x49, 0x0a, 0x15, 0x52, 0x75,
+ 0x6e, 0x74, 0x69, 0x6d, 0x65, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x50, 0x6f, 0x6c,
+ 0x69, 0x63, 0x79, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28,
+ 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x1c, 0x0a, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73,
+ 0x70, 0x61, 0x63, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x6e, 0x61, 0x6d, 0x65,
+ 0x73, 0x70, 0x61, 0x63, 0x65, 0x22, 0x2e, 0x0a, 0x18, 0x52, 0x75, 0x6e, 0x74, 0x69, 0x6d, 0x65,
+ 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x45, 0x78, 0x65, 0x63, 0x75, 0x74, 0x69, 0x6f,
+ 0x6e, 0x12, 0x12, 0x0a, 0x04, 0x70, 0x61, 0x74, 0x68, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52,
+ 0x04, 0x70, 0x61, 0x74, 0x68, 0x22, 0xcb, 0x01, 0x0a, 0x13, 0x52, 0x75, 0x6e, 0x74, 0x69, 0x6d,
+ 0x65, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x52, 0x75, 0x6c, 0x65, 0x12, 0x35, 0x0a,
+ 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x21, 0x2e, 0x74, 0x65,
+ 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x52, 0x75, 0x6e, 0x74, 0x69, 0x6d, 0x65, 0x53, 0x65,
+ 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x52, 0x75, 0x6c, 0x65, 0x54, 0x79, 0x70, 0x65, 0x52, 0x04,
+ 0x74, 0x79, 0x70, 0x65, 0x12, 0x3b, 0x0a, 0x06, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02,
+ 0x20, 0x01, 0x28, 0x0e, 0x32, 0x23, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e,
+ 0x52, 0x75, 0x6e, 0x74, 0x69, 0x6d, 0x65, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x52,
+ 0x75, 0x6c, 0x65, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x06, 0x61, 0x63, 0x74, 0x69, 0x6f,
+ 0x6e, 0x12, 0x40, 0x0a, 0x09, 0x65, 0x78, 0x65, 0x63, 0x75, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x03,
+ 0x20, 0x01, 0x28, 0x0b, 0x32, 0x22, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e,
+ 0x52, 0x75, 0x6e, 0x74, 0x69, 0x6d, 0x65, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x45,
+ 0x78, 0x65, 0x63, 0x75, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x09, 0x65, 0x78, 0x65, 0x63, 0x75, 0x74,
+ 0x69, 0x6f, 0x6e, 0x22, 0xdc, 0x01, 0x0a, 0x16, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x52,
+ 0x75, 0x6e, 0x74, 0x69, 0x6d, 0x65, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x12, 0x2b,
+ 0x0a, 0x07, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32,
+ 0x11, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63, 0x65,
+ 0x73, 0x73, 0x52, 0x07, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x12, 0x29, 0x0a, 0x06, 0x70,
+ 0x61, 0x72, 0x65, 0x6e, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x74, 0x65,
+ 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x52, 0x06,
+ 0x70, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x12, 0x37, 0x0a, 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79,
+ 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1f, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f,
+ 0x6e, 0x2e, 0x52, 0x75, 0x6e, 0x74, 0x69, 0x6d, 0x65, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74,
+ 0x79, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12,
+ 0x31, 0x0a, 0x04, 0x72, 0x75, 0x6c, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1d, 0x2e,
+ 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x52, 0x75, 0x6e, 0x74, 0x69, 0x6d, 0x65,
+ 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x52, 0x75, 0x6c, 0x65, 0x52, 0x04, 0x72, 0x75,
+ 0x6c, 0x65, 0x22, 0xd1, 0x06, 0x0a, 0x11, 0x47, 0x65, 0x74, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x73,
+ 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x3a, 0x0a, 0x0c, 0x70, 0x72, 0x6f, 0x63,
+ 0x65, 0x73, 0x73, 0x5f, 0x65, 0x78, 0x65, 0x63, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x15,
+ 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73,
+ 0x73, 0x45, 0x78, 0x65, 0x63, 0x48, 0x00, 0x52, 0x0b, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73,
+ 0x45, 0x78, 0x65, 0x63, 0x12, 0x3a, 0x0a, 0x0c, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x5f,
+ 0x65, 0x78, 0x69, 0x74, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x74, 0x65, 0x74,
+ 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x45, 0x78, 0x69,
+ 0x74, 0x48, 0x00, 0x52, 0x0b, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x45, 0x78, 0x69, 0x74,
+ 0x12, 0x40, 0x0a, 0x0e, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x6b, 0x70, 0x72, 0x6f,
+ 0x62, 0x65, 0x18, 0x09, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61,
+ 0x67, 0x6f, 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x4b, 0x70, 0x72, 0x6f, 0x62,
+ 0x65, 0x48, 0x00, 0x52, 0x0d, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x4b, 0x70, 0x72, 0x6f,
+ 0x62, 0x65, 0x12, 0x4c, 0x0a, 0x12, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x74, 0x72,
+ 0x61, 0x63, 0x65, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1b,
+ 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73,
+ 0x73, 0x54, 0x72, 0x61, 0x63, 0x65, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x48, 0x00, 0x52, 0x11, 0x70,
+ 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x54, 0x72, 0x61, 0x63, 0x65, 0x70, 0x6f, 0x69, 0x6e, 0x74,
+ 0x12, 0x40, 0x0a, 0x0e, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x6c, 0x6f, 0x61, 0x64,
+ 0x65, 0x72, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61,
+ 0x67, 0x6f, 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x4c, 0x6f, 0x61, 0x64, 0x65,
+ 0x72, 0x48, 0x00, 0x52, 0x0d, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x4c, 0x6f, 0x61, 0x64,
+ 0x65, 0x72, 0x12, 0x40, 0x0a, 0x0e, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x75, 0x70,
+ 0x72, 0x6f, 0x62, 0x65, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x74, 0x65, 0x74,
+ 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x55, 0x70, 0x72,
+ 0x6f, 0x62, 0x65, 0x48, 0x00, 0x52, 0x0d, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x55, 0x70,
+ 0x72, 0x6f, 0x62, 0x65, 0x12, 0x46, 0x0a, 0x10, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x5f,
+ 0x74, 0x68, 0x72, 0x6f, 0x74, 0x74, 0x6c, 0x65, 0x18, 0x1b, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19,
+ 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73,
+ 0x73, 0x54, 0x68, 0x72, 0x6f, 0x74, 0x74, 0x6c, 0x65, 0x48, 0x00, 0x52, 0x0f, 0x70, 0x72, 0x6f,
+ 0x63, 0x65, 0x73, 0x73, 0x54, 0x68, 0x72, 0x6f, 0x74, 0x74, 0x6c, 0x65, 0x12, 0x5c, 0x0a, 0x18,
+ 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x72, 0x75, 0x6e, 0x74, 0x69, 0x6d, 0x65, 0x5f,
+ 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x18, 0x1c, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x20,
+ 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73,
+ 0x73, 0x52, 0x75, 0x6e, 0x74, 0x69, 0x6d, 0x65, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79,
+ 0x48, 0x00, 0x52, 0x16, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x52, 0x75, 0x6e, 0x74, 0x69,
+ 0x6d, 0x65, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x12, 0x26, 0x0a, 0x04, 0x74, 0x65,
+ 0x73, 0x74, 0x18, 0xc0, 0xb8, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x0e, 0x2e, 0x74, 0x65, 0x74,
+ 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x54, 0x65, 0x73, 0x74, 0x48, 0x00, 0x52, 0x04, 0x74, 0x65,
+ 0x73, 0x74, 0x12, 0x43, 0x0a, 0x0f, 0x72, 0x61, 0x74, 0x65, 0x5f, 0x6c, 0x69, 0x6d, 0x69, 0x74,
+ 0x5f, 0x69, 0x6e, 0x66, 0x6f, 0x18, 0xc1, 0xb8, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e,
+ 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x52, 0x61, 0x74, 0x65, 0x4c, 0x69, 0x6d,
+ 0x69, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x48, 0x00, 0x52, 0x0d, 0x72, 0x61, 0x74, 0x65, 0x4c, 0x69,
+ 0x6d, 0x69, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x12, 0x1c, 0x0a, 0x09, 0x6e, 0x6f, 0x64, 0x65, 0x5f,
+ 0x6e, 0x61, 0x6d, 0x65, 0x18, 0xe8, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x6e, 0x6f, 0x64,
+ 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x2f, 0x0a, 0x04, 0x74, 0x69, 0x6d, 0x65, 0x18, 0xe9, 0x07,
+ 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72,
+ 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70,
+ 0x52, 0x04, 0x74, 0x69, 0x6d, 0x65, 0x12, 0x45, 0x0a, 0x10, 0x61, 0x67, 0x67, 0x72, 0x65, 0x67,
+ 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x6e, 0x66, 0x6f, 0x18, 0xea, 0x07, 0x20, 0x01, 0x28,
+ 0x0b, 0x32, 0x19, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x41, 0x67, 0x67,
+ 0x72, 0x65, 0x67, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x6e, 0x66, 0x6f, 0x52, 0x0f, 0x61, 0x67,
+ 0x67, 0x72, 0x65, 0x67, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x6e, 0x66, 0x6f, 0x42, 0x07, 0x0a,
+ 0x05, 0x65, 0x76, 0x65, 0x6e, 0x74, 0x2a, 0xe5, 0x01, 0x0a, 0x09, 0x45, 0x76, 0x65, 0x6e, 0x74,
+ 0x54, 0x79, 0x70, 0x65, 0x12, 0x09, 0x0a, 0x05, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, 0x00, 0x12,
+ 0x10, 0x0a, 0x0c, 0x50, 0x52, 0x4f, 0x43, 0x45, 0x53, 0x53, 0x5f, 0x45, 0x58, 0x45, 0x43, 0x10,
+ 0x01, 0x12, 0x10, 0x0a, 0x0c, 0x50, 0x52, 0x4f, 0x43, 0x45, 0x53, 0x53, 0x5f, 0x45, 0x58, 0x49,
+ 0x54, 0x10, 0x05, 0x12, 0x12, 0x0a, 0x0e, 0x50, 0x52, 0x4f, 0x43, 0x45, 0x53, 0x53, 0x5f, 0x4b,
+ 0x50, 0x52, 0x4f, 0x42, 0x45, 0x10, 0x09, 0x12, 0x16, 0x0a, 0x12, 0x50, 0x52, 0x4f, 0x43, 0x45,
+ 0x53, 0x53, 0x5f, 0x54, 0x52, 0x41, 0x43, 0x45, 0x50, 0x4f, 0x49, 0x4e, 0x54, 0x10, 0x0a, 0x12,
+ 0x12, 0x0a, 0x0e, 0x50, 0x52, 0x4f, 0x43, 0x45, 0x53, 0x53, 0x5f, 0x4c, 0x4f, 0x41, 0x44, 0x45,
+ 0x52, 0x10, 0x0b, 0x12, 0x12, 0x0a, 0x0e, 0x50, 0x52, 0x4f, 0x43, 0x45, 0x53, 0x53, 0x5f, 0x55,
+ 0x50, 0x52, 0x4f, 0x42, 0x45, 0x10, 0x0c, 0x12, 0x14, 0x0a, 0x10, 0x50, 0x52, 0x4f, 0x43, 0x45,
+ 0x53, 0x53, 0x5f, 0x54, 0x48, 0x52, 0x4f, 0x54, 0x54, 0x4c, 0x45, 0x10, 0x1b, 0x12, 0x1c, 0x0a,
+ 0x18, 0x50, 0x52, 0x4f, 0x43, 0x45, 0x53, 0x53, 0x5f, 0x52, 0x55, 0x4e, 0x54, 0x49, 0x4d, 0x45,
+ 0x5f, 0x53, 0x45, 0x43, 0x55, 0x52, 0x49, 0x54, 0x59, 0x10, 0x1c, 0x12, 0x0a, 0x0a, 0x04, 0x54,
+ 0x45, 0x53, 0x54, 0x10, 0xc0, 0xb8, 0x02, 0x12, 0x15, 0x0a, 0x0f, 0x52, 0x41, 0x54, 0x45, 0x5f,
+ 0x4c, 0x49, 0x4d, 0x49, 0x54, 0x5f, 0x49, 0x4e, 0x46, 0x4f, 0x10, 0xc1, 0xb8, 0x02, 0x2a, 0x2d,
+ 0x0a, 0x11, 0x46, 0x69, 0x65, 0x6c, 0x64, 0x46, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x41, 0x63, 0x74,
+ 0x69, 0x6f, 0x6e, 0x12, 0x0b, 0x0a, 0x07, 0x49, 0x4e, 0x43, 0x4c, 0x55, 0x44, 0x45, 0x10, 0x00,
+ 0x12, 0x0b, 0x0a, 0x07, 0x45, 0x58, 0x43, 0x4c, 0x55, 0x44, 0x45, 0x10, 0x01, 0x2a, 0x4b, 0x0a,
+ 0x0c, 0x54, 0x68, 0x72, 0x6f, 0x74, 0x74, 0x6c, 0x65, 0x54, 0x79, 0x70, 0x65, 0x12, 0x14, 0x0a,
+ 0x10, 0x54, 0x48, 0x52, 0x4f, 0x54, 0x54, 0x4c, 0x45, 0x5f, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57,
+ 0x4e, 0x10, 0x00, 0x12, 0x12, 0x0a, 0x0e, 0x54, 0x48, 0x52, 0x4f, 0x54, 0x54, 0x4c, 0x45, 0x5f,
+ 0x53, 0x54, 0x41, 0x52, 0x54, 0x10, 0x01, 0x12, 0x11, 0x0a, 0x0d, 0x54, 0x48, 0x52, 0x4f, 0x54,
+ 0x54, 0x4c, 0x45, 0x5f, 0x53, 0x54, 0x4f, 0x50, 0x10, 0x02, 0x2a, 0x65, 0x0a, 0x17, 0x52, 0x75,
+ 0x6e, 0x74, 0x69, 0x6d, 0x65, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x52, 0x75, 0x6c,
+ 0x65, 0x54, 0x79, 0x70, 0x65, 0x12, 0x25, 0x0a, 0x21, 0x52, 0x55, 0x4e, 0x54, 0x49, 0x4d, 0x45,
+ 0x5f, 0x53, 0x45, 0x43, 0x55, 0x52, 0x49, 0x54, 0x59, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55,
+ 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x23, 0x0a, 0x1f,
+ 0x52, 0x55, 0x4e, 0x54, 0x49, 0x4d, 0x45, 0x5f, 0x53, 0x45, 0x43, 0x55, 0x52, 0x49, 0x54, 0x59,
+ 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x58, 0x45, 0x43, 0x55, 0x54, 0x49, 0x4f, 0x4e, 0x10,
+ 0x01, 0x2a, 0x8a, 0x01, 0x0a, 0x19, 0x52, 0x75, 0x6e, 0x74, 0x69, 0x6d, 0x65, 0x53, 0x65, 0x63,
+ 0x75, 0x72, 0x69, 0x74, 0x79, 0x52, 0x75, 0x6c, 0x65, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12,
+ 0x27, 0x0a, 0x23, 0x52, 0x55, 0x4e, 0x54, 0x49, 0x4d, 0x45, 0x5f, 0x53, 0x45, 0x43, 0x55, 0x52,
+ 0x49, 0x54, 0x59, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45,
+ 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x21, 0x0a, 0x1d, 0x52, 0x55, 0x4e, 0x54,
+ 0x49, 0x4d, 0x45, 0x5f, 0x53, 0x45, 0x43, 0x55, 0x52, 0x49, 0x54, 0x59, 0x5f, 0x41, 0x43, 0x54,
+ 0x49, 0x4f, 0x4e, 0x5f, 0x41, 0x55, 0x44, 0x49, 0x54, 0x10, 0x01, 0x12, 0x21, 0x0a, 0x1d, 0x52,
+ 0x55, 0x4e, 0x54, 0x49, 0x4d, 0x45, 0x5f, 0x53, 0x45, 0x43, 0x55, 0x52, 0x49, 0x54, 0x59, 0x5f,
+ 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x42, 0x4c, 0x4f, 0x43, 0x4b, 0x10, 0x02, 0x62, 0x06,
+ 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
}
var (
@@ -1357,74 +1774,89 @@ func file_tetragon_events_proto_rawDescGZIP() []byte {
return file_tetragon_events_proto_rawDescData
}
-var file_tetragon_events_proto_enumTypes = make([]protoimpl.EnumInfo, 3)
-var file_tetragon_events_proto_msgTypes = make([]protoimpl.MessageInfo, 11)
+var file_tetragon_events_proto_enumTypes = make([]protoimpl.EnumInfo, 5)
+var file_tetragon_events_proto_msgTypes = make([]protoimpl.MessageInfo, 15)
var file_tetragon_events_proto_goTypes = []interface{}{
- (EventType)(0), // 0: tetragon.EventType
- (FieldFilterAction)(0), // 1: tetragon.FieldFilterAction
- (ThrottleType)(0), // 2: tetragon.ThrottleType
- (*Filter)(nil), // 3: tetragon.Filter
- (*CapFilter)(nil), // 4: tetragon.CapFilter
- (*CapFilterSet)(nil), // 5: tetragon.CapFilterSet
- (*RedactionFilter)(nil), // 6: tetragon.RedactionFilter
- (*FieldFilter)(nil), // 7: tetragon.FieldFilter
- (*GetEventsRequest)(nil), // 8: tetragon.GetEventsRequest
- (*AggregationOptions)(nil), // 9: tetragon.AggregationOptions
- (*AggregationInfo)(nil), // 10: tetragon.AggregationInfo
- (*RateLimitInfo)(nil), // 11: tetragon.RateLimitInfo
- (*ProcessThrottle)(nil), // 12: tetragon.ProcessThrottle
- (*GetEventsResponse)(nil), // 13: tetragon.GetEventsResponse
- (*wrapperspb.BoolValue)(nil), // 14: google.protobuf.BoolValue
- (CapabilitiesType)(0), // 15: tetragon.CapabilitiesType
- (*fieldmaskpb.FieldMask)(nil), // 16: google.protobuf.FieldMask
- (*durationpb.Duration)(nil), // 17: google.protobuf.Duration
- (*ProcessExec)(nil), // 18: tetragon.ProcessExec
- (*ProcessExit)(nil), // 19: tetragon.ProcessExit
- (*ProcessKprobe)(nil), // 20: tetragon.ProcessKprobe
- (*ProcessTracepoint)(nil), // 21: tetragon.ProcessTracepoint
- (*ProcessLoader)(nil), // 22: tetragon.ProcessLoader
- (*ProcessUprobe)(nil), // 23: tetragon.ProcessUprobe
- (*Test)(nil), // 24: tetragon.Test
- (*timestamppb.Timestamp)(nil), // 25: google.protobuf.Timestamp
+ (EventType)(0), // 0: tetragon.EventType
+ (FieldFilterAction)(0), // 1: tetragon.FieldFilterAction
+ (ThrottleType)(0), // 2: tetragon.ThrottleType
+ (RuntimeSecurityRuleType)(0), // 3: tetragon.RuntimeSecurityRuleType
+ (RuntimeSecurityRuleAction)(0), // 4: tetragon.RuntimeSecurityRuleAction
+ (*Filter)(nil), // 5: tetragon.Filter
+ (*CapFilter)(nil), // 6: tetragon.CapFilter
+ (*CapFilterSet)(nil), // 7: tetragon.CapFilterSet
+ (*RedactionFilter)(nil), // 8: tetragon.RedactionFilter
+ (*FieldFilter)(nil), // 9: tetragon.FieldFilter
+ (*GetEventsRequest)(nil), // 10: tetragon.GetEventsRequest
+ (*AggregationOptions)(nil), // 11: tetragon.AggregationOptions
+ (*AggregationInfo)(nil), // 12: tetragon.AggregationInfo
+ (*RateLimitInfo)(nil), // 13: tetragon.RateLimitInfo
+ (*ProcessThrottle)(nil), // 14: tetragon.ProcessThrottle
+ (*RuntimeSecurityPolicy)(nil), // 15: tetragon.RuntimeSecurityPolicy
+ (*RuntimeSecurityExecution)(nil), // 16: tetragon.RuntimeSecurityExecution
+ (*RuntimeSecurityRule)(nil), // 17: tetragon.RuntimeSecurityRule
+ (*ProcessRuntimeSecurity)(nil), // 18: tetragon.ProcessRuntimeSecurity
+ (*GetEventsResponse)(nil), // 19: tetragon.GetEventsResponse
+ (*wrapperspb.BoolValue)(nil), // 20: google.protobuf.BoolValue
+ (CapabilitiesType)(0), // 21: tetragon.CapabilitiesType
+ (*fieldmaskpb.FieldMask)(nil), // 22: google.protobuf.FieldMask
+ (*durationpb.Duration)(nil), // 23: google.protobuf.Duration
+ (*Process)(nil), // 24: tetragon.Process
+ (*ProcessExec)(nil), // 25: tetragon.ProcessExec
+ (*ProcessExit)(nil), // 26: tetragon.ProcessExit
+ (*ProcessKprobe)(nil), // 27: tetragon.ProcessKprobe
+ (*ProcessTracepoint)(nil), // 28: tetragon.ProcessTracepoint
+ (*ProcessLoader)(nil), // 29: tetragon.ProcessLoader
+ (*ProcessUprobe)(nil), // 30: tetragon.ProcessUprobe
+ (*Test)(nil), // 31: tetragon.Test
+ (*timestamppb.Timestamp)(nil), // 32: google.protobuf.Timestamp
}
var file_tetragon_events_proto_depIdxs = []int32{
- 14, // 0: tetragon.Filter.health_check:type_name -> google.protobuf.BoolValue
+ 20, // 0: tetragon.Filter.health_check:type_name -> google.protobuf.BoolValue
0, // 1: tetragon.Filter.event_set:type_name -> tetragon.EventType
- 4, // 2: tetragon.Filter.capabilities:type_name -> tetragon.CapFilter
- 5, // 3: tetragon.CapFilter.permitted:type_name -> tetragon.CapFilterSet
- 5, // 4: tetragon.CapFilter.effective:type_name -> tetragon.CapFilterSet
- 5, // 5: tetragon.CapFilter.inheritable:type_name -> tetragon.CapFilterSet
- 15, // 6: tetragon.CapFilterSet.any:type_name -> tetragon.CapabilitiesType
- 15, // 7: tetragon.CapFilterSet.all:type_name -> tetragon.CapabilitiesType
- 15, // 8: tetragon.CapFilterSet.exactly:type_name -> tetragon.CapabilitiesType
- 15, // 9: tetragon.CapFilterSet.none:type_name -> tetragon.CapabilitiesType
- 3, // 10: tetragon.RedactionFilter.match:type_name -> tetragon.Filter
+ 6, // 2: tetragon.Filter.capabilities:type_name -> tetragon.CapFilter
+ 7, // 3: tetragon.CapFilter.permitted:type_name -> tetragon.CapFilterSet
+ 7, // 4: tetragon.CapFilter.effective:type_name -> tetragon.CapFilterSet
+ 7, // 5: tetragon.CapFilter.inheritable:type_name -> tetragon.CapFilterSet
+ 21, // 6: tetragon.CapFilterSet.any:type_name -> tetragon.CapabilitiesType
+ 21, // 7: tetragon.CapFilterSet.all:type_name -> tetragon.CapabilitiesType
+ 21, // 8: tetragon.CapFilterSet.exactly:type_name -> tetragon.CapabilitiesType
+ 21, // 9: tetragon.CapFilterSet.none:type_name -> tetragon.CapabilitiesType
+ 5, // 10: tetragon.RedactionFilter.match:type_name -> tetragon.Filter
0, // 11: tetragon.FieldFilter.event_set:type_name -> tetragon.EventType
- 16, // 12: tetragon.FieldFilter.fields:type_name -> google.protobuf.FieldMask
+ 22, // 12: tetragon.FieldFilter.fields:type_name -> google.protobuf.FieldMask
1, // 13: tetragon.FieldFilter.action:type_name -> tetragon.FieldFilterAction
- 14, // 14: tetragon.FieldFilter.invert_event_set:type_name -> google.protobuf.BoolValue
- 3, // 15: tetragon.GetEventsRequest.allow_list:type_name -> tetragon.Filter
- 3, // 16: tetragon.GetEventsRequest.deny_list:type_name -> tetragon.Filter
- 9, // 17: tetragon.GetEventsRequest.aggregation_options:type_name -> tetragon.AggregationOptions
- 7, // 18: tetragon.GetEventsRequest.field_filters:type_name -> tetragon.FieldFilter
- 17, // 19: tetragon.AggregationOptions.window_size:type_name -> google.protobuf.Duration
+ 20, // 14: tetragon.FieldFilter.invert_event_set:type_name -> google.protobuf.BoolValue
+ 5, // 15: tetragon.GetEventsRequest.allow_list:type_name -> tetragon.Filter
+ 5, // 16: tetragon.GetEventsRequest.deny_list:type_name -> tetragon.Filter
+ 11, // 17: tetragon.GetEventsRequest.aggregation_options:type_name -> tetragon.AggregationOptions
+ 9, // 18: tetragon.GetEventsRequest.field_filters:type_name -> tetragon.FieldFilter
+ 23, // 19: tetragon.AggregationOptions.window_size:type_name -> google.protobuf.Duration
2, // 20: tetragon.ProcessThrottle.type:type_name -> tetragon.ThrottleType
- 18, // 21: tetragon.GetEventsResponse.process_exec:type_name -> tetragon.ProcessExec
- 19, // 22: tetragon.GetEventsResponse.process_exit:type_name -> tetragon.ProcessExit
- 20, // 23: tetragon.GetEventsResponse.process_kprobe:type_name -> tetragon.ProcessKprobe
- 21, // 24: tetragon.GetEventsResponse.process_tracepoint:type_name -> tetragon.ProcessTracepoint
- 22, // 25: tetragon.GetEventsResponse.process_loader:type_name -> tetragon.ProcessLoader
- 23, // 26: tetragon.GetEventsResponse.process_uprobe:type_name -> tetragon.ProcessUprobe
- 12, // 27: tetragon.GetEventsResponse.process_throttle:type_name -> tetragon.ProcessThrottle
- 24, // 28: tetragon.GetEventsResponse.test:type_name -> tetragon.Test
- 11, // 29: tetragon.GetEventsResponse.rate_limit_info:type_name -> tetragon.RateLimitInfo
- 25, // 30: tetragon.GetEventsResponse.time:type_name -> google.protobuf.Timestamp
- 10, // 31: tetragon.GetEventsResponse.aggregation_info:type_name -> tetragon.AggregationInfo
- 32, // [32:32] is the sub-list for method output_type
- 32, // [32:32] is the sub-list for method input_type
- 32, // [32:32] is the sub-list for extension type_name
- 32, // [32:32] is the sub-list for extension extendee
- 0, // [0:32] is the sub-list for field type_name
+ 3, // 21: tetragon.RuntimeSecurityRule.type:type_name -> tetragon.RuntimeSecurityRuleType
+ 4, // 22: tetragon.RuntimeSecurityRule.action:type_name -> tetragon.RuntimeSecurityRuleAction
+ 16, // 23: tetragon.RuntimeSecurityRule.execution:type_name -> tetragon.RuntimeSecurityExecution
+ 24, // 24: tetragon.ProcessRuntimeSecurity.process:type_name -> tetragon.Process
+ 24, // 25: tetragon.ProcessRuntimeSecurity.parent:type_name -> tetragon.Process
+ 15, // 26: tetragon.ProcessRuntimeSecurity.policy:type_name -> tetragon.RuntimeSecurityPolicy
+ 17, // 27: tetragon.ProcessRuntimeSecurity.rule:type_name -> tetragon.RuntimeSecurityRule
+ 25, // 28: tetragon.GetEventsResponse.process_exec:type_name -> tetragon.ProcessExec
+ 26, // 29: tetragon.GetEventsResponse.process_exit:type_name -> tetragon.ProcessExit
+ 27, // 30: tetragon.GetEventsResponse.process_kprobe:type_name -> tetragon.ProcessKprobe
+ 28, // 31: tetragon.GetEventsResponse.process_tracepoint:type_name -> tetragon.ProcessTracepoint
+ 29, // 32: tetragon.GetEventsResponse.process_loader:type_name -> tetragon.ProcessLoader
+ 30, // 33: tetragon.GetEventsResponse.process_uprobe:type_name -> tetragon.ProcessUprobe
+ 14, // 34: tetragon.GetEventsResponse.process_throttle:type_name -> tetragon.ProcessThrottle
+ 18, // 35: tetragon.GetEventsResponse.process_runtime_security:type_name -> tetragon.ProcessRuntimeSecurity
+ 31, // 36: tetragon.GetEventsResponse.test:type_name -> tetragon.Test
+ 13, // 37: tetragon.GetEventsResponse.rate_limit_info:type_name -> tetragon.RateLimitInfo
+ 32, // 38: tetragon.GetEventsResponse.time:type_name -> google.protobuf.Timestamp
+ 12, // 39: tetragon.GetEventsResponse.aggregation_info:type_name -> tetragon.AggregationInfo
+ 40, // [40:40] is the sub-list for method output_type
+ 40, // [40:40] is the sub-list for method input_type
+ 40, // [40:40] is the sub-list for extension type_name
+ 40, // [40:40] is the sub-list for extension extendee
+ 0, // [0:40] is the sub-list for field type_name
}
func init() { file_tetragon_events_proto_init() }
@@ -1556,6 +1988,54 @@ func file_tetragon_events_proto_init() {
}
}
file_tetragon_events_proto_msgTypes[10].Exporter = func(v interface{}, i int) interface{} {
+ switch v := v.(*RuntimeSecurityPolicy); i {
+ case 0:
+ return &v.state
+ case 1:
+ return &v.sizeCache
+ case 2:
+ return &v.unknownFields
+ default:
+ return nil
+ }
+ }
+ file_tetragon_events_proto_msgTypes[11].Exporter = func(v interface{}, i int) interface{} {
+ switch v := v.(*RuntimeSecurityExecution); i {
+ case 0:
+ return &v.state
+ case 1:
+ return &v.sizeCache
+ case 2:
+ return &v.unknownFields
+ default:
+ return nil
+ }
+ }
+ file_tetragon_events_proto_msgTypes[12].Exporter = func(v interface{}, i int) interface{} {
+ switch v := v.(*RuntimeSecurityRule); i {
+ case 0:
+ return &v.state
+ case 1:
+ return &v.sizeCache
+ case 2:
+ return &v.unknownFields
+ default:
+ return nil
+ }
+ }
+ file_tetragon_events_proto_msgTypes[13].Exporter = func(v interface{}, i int) interface{} {
+ switch v := v.(*ProcessRuntimeSecurity); i {
+ case 0:
+ return &v.state
+ case 1:
+ return &v.sizeCache
+ case 2:
+ return &v.unknownFields
+ default:
+ return nil
+ }
+ }
+ file_tetragon_events_proto_msgTypes[14].Exporter = func(v interface{}, i int) interface{} {
switch v := v.(*GetEventsResponse); i {
case 0:
return &v.state
@@ -1568,7 +2048,7 @@ func file_tetragon_events_proto_init() {
}
}
}
- file_tetragon_events_proto_msgTypes[10].OneofWrappers = []interface{}{
+ file_tetragon_events_proto_msgTypes[14].OneofWrappers = []interface{}{
(*GetEventsResponse_ProcessExec)(nil),
(*GetEventsResponse_ProcessExit)(nil),
(*GetEventsResponse_ProcessKprobe)(nil),
@@ -1576,6 +2056,7 @@ func file_tetragon_events_proto_init() {
(*GetEventsResponse_ProcessLoader)(nil),
(*GetEventsResponse_ProcessUprobe)(nil),
(*GetEventsResponse_ProcessThrottle)(nil),
+ (*GetEventsResponse_ProcessRuntimeSecurity)(nil),
(*GetEventsResponse_Test)(nil),
(*GetEventsResponse_RateLimitInfo)(nil),
}
@@ -1584,8 +2065,8 @@ func file_tetragon_events_proto_init() {
File: protoimpl.DescBuilder{
GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
RawDescriptor: file_tetragon_events_proto_rawDesc,
- NumEnums: 3,
- NumMessages: 11,
+ NumEnums: 5,
+ NumMessages: 15,
NumExtensions: 0,
NumServices: 0,
},
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.pb.json.go b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.pb.json.go
index 589d91748f7..4c71251dbf9 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.pb.json.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.pb.json.go
@@ -167,6 +167,70 @@ func (msg *ProcessThrottle) UnmarshalJSON(b []byte) error {
}.Unmarshal(b, msg)
}
+// MarshalJSON implements json.Marshaler
+func (msg *RuntimeSecurityPolicy) MarshalJSON() ([]byte, error) {
+ return protojson.MarshalOptions{
+ UseEnumNumbers: false,
+ EmitUnpopulated: false,
+ UseProtoNames: true,
+ }.Marshal(msg)
+}
+
+// UnmarshalJSON implements json.Unmarshaler
+func (msg *RuntimeSecurityPolicy) UnmarshalJSON(b []byte) error {
+ return protojson.UnmarshalOptions{
+ DiscardUnknown: false,
+ }.Unmarshal(b, msg)
+}
+
+// MarshalJSON implements json.Marshaler
+func (msg *RuntimeSecurityExecution) MarshalJSON() ([]byte, error) {
+ return protojson.MarshalOptions{
+ UseEnumNumbers: false,
+ EmitUnpopulated: false,
+ UseProtoNames: true,
+ }.Marshal(msg)
+}
+
+// UnmarshalJSON implements json.Unmarshaler
+func (msg *RuntimeSecurityExecution) UnmarshalJSON(b []byte) error {
+ return protojson.UnmarshalOptions{
+ DiscardUnknown: false,
+ }.Unmarshal(b, msg)
+}
+
+// MarshalJSON implements json.Marshaler
+func (msg *RuntimeSecurityRule) MarshalJSON() ([]byte, error) {
+ return protojson.MarshalOptions{
+ UseEnumNumbers: false,
+ EmitUnpopulated: false,
+ UseProtoNames: true,
+ }.Marshal(msg)
+}
+
+// UnmarshalJSON implements json.Unmarshaler
+func (msg *RuntimeSecurityRule) UnmarshalJSON(b []byte) error {
+ return protojson.UnmarshalOptions{
+ DiscardUnknown: false,
+ }.Unmarshal(b, msg)
+}
+
+// MarshalJSON implements json.Marshaler
+func (msg *ProcessRuntimeSecurity) MarshalJSON() ([]byte, error) {
+ return protojson.MarshalOptions{
+ UseEnumNumbers: false,
+ EmitUnpopulated: false,
+ UseProtoNames: true,
+ }.Marshal(msg)
+}
+
+// UnmarshalJSON implements json.Unmarshaler
+func (msg *ProcessRuntimeSecurity) UnmarshalJSON(b []byte) error {
+ return protojson.UnmarshalOptions{
+ DiscardUnknown: false,
+ }.Unmarshal(b, msg)
+}
+
// MarshalJSON implements json.Marshaler
func (msg *GetEventsResponse) MarshalJSON() ([]byte, error) {
return protojson.MarshalOptions{
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.proto b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.proto
index f2bd554645f..3fc6685cea4 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.proto
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.proto
@@ -26,6 +26,7 @@ enum EventType {
PROCESS_LOADER = 11;
PROCESS_UPROBE = 12;
PROCESS_THROTTLE = 27;
+ PROCESS_RUNTIME_SECURITY = 28;
TEST = 40000;
RATE_LIMIT_INFO = 40001;
@@ -165,6 +166,50 @@ message ProcessThrottle {
string cgroup = 2;
}
+message RuntimeSecurityPolicy {
+ // Name of the RuntimeSecurityPolicy associated with that event.
+ string name = 1;
+ // Namespace of the RuntimeSecurityPolicy associated with that event.
+ string namespace = 2;
+}
+
+enum RuntimeSecurityRuleType {
+ RUNTIME_SECURITY_TYPE_UNSPECIFIED = 0;
+ RUNTIME_SECURITY_TYPE_EXECUTION = 1;
+}
+
+enum RuntimeSecurityRuleAction {
+ RUNTIME_SECURITY_ACTION_UNSPECIFIED = 0;
+ RUNTIME_SECURITY_ACTION_AUDIT = 1;
+ RUNTIME_SECURITY_ACTION_BLOCK = 2;
+}
+
+message RuntimeSecurityExecution {
+ // Path of the binary that triggered the execution rule.
+ string path = 1;
+}
+
+message RuntimeSecurityRule {
+ // Type of the rule that triggered this event.
+ RuntimeSecurityRuleType type = 1;
+ // Action of the rule that triggered this event.
+ RuntimeSecurityRuleAction action = 2;
+ // Execution is set if the rule type is Execution and provide details
+ // specific to execution.
+ RuntimeSecurityExecution execution = 3;
+}
+
+message ProcessRuntimeSecurity {
+ // Process that triggered the exec.
+ Process process = 1;
+ // Immediate parent of the process.
+ Process parent = 2;
+ // RuntimeSecurityPolicy associated with that event.
+ RuntimeSecurityPolicy policy = 3;
+ // Rule is the rule that triggered that event from the RuntimeSecurityPolicy.
+ RuntimeSecurityRule rule = 4;
+}
+
message GetEventsResponse {
// The type-specific fields of an event.
//
@@ -184,6 +229,7 @@ message GetEventsResponse {
ProcessLoader process_loader = 11;
ProcessUprobe process_uprobe = 12;
ProcessThrottle process_throttle = 27;
+ ProcessRuntimeSecurity process_runtime_security = 28;
Test test = 40000;
RateLimitInfo rate_limit_info = 40001;
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/types.pb.go b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/types.pb.go
index f418b3eaca8..20495cc6a9e 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/types.pb.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/types.pb.go
@@ -167,6 +167,26 @@ func (event *ProcessThrottle) Encapsulate() IsGetEventsResponse_Event {
}
}
+// Encapsulate implements the Event interface.
+// Returns the event wrapped by its GetEventsResponse_* type.
+func (event *ProcessRuntimeSecurity) Encapsulate() IsGetEventsResponse_Event {
+ return &GetEventsResponse_ProcessRuntimeSecurity{
+ ProcessRuntimeSecurity: event,
+ }
+}
+
+// SetProcess implements the ProcessEvent interface.
+// Sets the Process field of an event.
+func (event *ProcessRuntimeSecurity) SetProcess(p *Process) {
+ event.Process = p
+}
+
+// SetParent implements the ParentEvent interface.
+// Sets the Parent field of an event.
+func (event *ProcessRuntimeSecurity) SetParent(p *Process) {
+ event.Parent = p
+}
+
// UnwrapGetEventsResponse gets the inner event type from a GetEventsResponse
func UnwrapGetEventsResponse(response *GetEventsResponse) interface{} {
event := response.GetEvent()
@@ -192,6 +212,8 @@ func UnwrapGetEventsResponse(response *GetEventsResponse) interface{} {
return ev.RateLimitInfo
case *GetEventsResponse_ProcessThrottle:
return ev.ProcessThrottle
+ case *GetEventsResponse_ProcessRuntimeSecurity:
+ return ev.ProcessRuntimeSecurity
}
return nil
}
diff --git a/docs/content/en/docs/reference/grpc-api.md b/docs/content/en/docs/reference/grpc-api.md
index 43609723b87..d22db33d2dd 100644
--- a/docs/content/en/docs/reference/grpc-api.md
+++ b/docs/content/en/docs/reference/grpc-api.md
@@ -795,12 +795,24 @@ Capability set to filter over. NOTE: you may specify only ONE set here.
| process_loader | [ProcessLoader](#tetragon-ProcessLoader) | | |
| process_uprobe | [ProcessUprobe](#tetragon-ProcessUprobe) | | |
| process_throttle | [ProcessThrottle](#tetragon-ProcessThrottle) | | |
+| process_runtime_security | [ProcessRuntimeSecurity](#tetragon-ProcessRuntimeSecurity) | | |
| test | [Test](#tetragon-Test) | | |
| rate_limit_info | [RateLimitInfo](#tetragon-RateLimitInfo) | | |
| node_name | [string](#string) | | Name of the node where this event was observed. |
| time | [google.protobuf.Timestamp](#google-protobuf-Timestamp) | | Timestamp at which this event was observed. For an aggregated response, this field to set to the timestamp at which the event was observed for the first time in a given aggregation time window. |
| aggregation_info | [AggregationInfo](#tetragon-AggregationInfo) | | aggregation_info contains information about aggregation results. This field is set only for aggregated responses. |
+
+
+### ProcessRuntimeSecurity
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| process | [Process](#tetragon-Process) | | Process that triggered the exec. |
+| parent | [Process](#tetragon-Process) | | Immediate parent of the process. |
+| policy | [RuntimeSecurityPolicy](#tetragon-RuntimeSecurityPolicy) | | RuntimeSecurityPolicy associated with that event. |
+| rule | [RuntimeSecurityRule](#tetragon-RuntimeSecurityRule) | | Rule is the rule that triggered that event from the RuntimeSecurityPolicy. |
+
### ProcessThrottle
@@ -828,6 +840,33 @@ Capability set to filter over. NOTE: you may specify only ONE set here.
| redact | [string](#string) | repeated | RE2 regular expressions to use for redaction. Strings inside capture groups are redacted. |
| binary_regex | [string](#string) | repeated | RE2 regular expression to match binary name. If supplied, redactions will only be applied to matching processes. |
+
+
+### RuntimeSecurityExecution
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| path | [string](#string) | | Path of the binary that triggered the execution rule. |
+
+
+
+### RuntimeSecurityPolicy
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| name | [string](#string) | | Name of the RuntimeSecurityPolicy associated with that event. |
+| namespace | [string](#string) | | Namespace of the RuntimeSecurityPolicy associated with that event. |
+
+
+
+### RuntimeSecurityRule
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| type | [RuntimeSecurityRuleType](#tetragon-RuntimeSecurityRuleType) | | Type of the rule that triggered this event. |
+| action | [RuntimeSecurityRuleAction](#tetragon-RuntimeSecurityRuleAction) | | Action of the rule that triggered this event. |
+| execution | [RuntimeSecurityExecution](#tetragon-RuntimeSecurityExecution) | | Execution is set if the rule type is Execution and provide details specific to execution. |
+
### EventType
@@ -846,6 +885,7 @@ GetEventsResponse event oneof.
| PROCESS_LOADER | 11 | |
| PROCESS_UPROBE | 12 | |
| PROCESS_THROTTLE | 27 | |
+| PROCESS_RUNTIME_SECURITY | 28 | |
| TEST | 40000 | |
| RATE_LIMIT_INFO | 40001 | |
@@ -859,6 +899,25 @@ Determines the behavior of a field filter
| INCLUDE | 0 | |
| EXCLUDE | 1 | |
+
+
+### RuntimeSecurityRuleAction
+
+| Name | Number | Description |
+| ---- | ------ | ----------- |
+| RUNTIME_SECURITY_ACTION_UNSPECIFIED | 0 | |
+| RUNTIME_SECURITY_ACTION_AUDIT | 1 | |
+| RUNTIME_SECURITY_ACTION_BLOCK | 2 | |
+
+
+
+### RuntimeSecurityRuleType
+
+| Name | Number | Description |
+| ---- | ------ | ----------- |
+| RUNTIME_SECURITY_TYPE_UNSPECIFIED | 0 | |
+| RUNTIME_SECURITY_TYPE_EXECUTION | 1 | |
+
### ThrottleType
diff --git a/install/kubernetes/tetragon/templates/clusterrole.yaml b/install/kubernetes/tetragon/templates/clusterrole.yaml
index 9c7dfb5e36e..4cb176f750e 100644
--- a/install/kubernetes/tetragon/templates/clusterrole.yaml
+++ b/install/kubernetes/tetragon/templates/clusterrole.yaml
@@ -21,6 +21,7 @@ rules:
- podinfo
- tracingpolicies
- tracingpoliciesnamespaced
+ - runtimesecuritypolicies
verbs:
- get
- list
diff --git a/install/kubernetes/tetragon/templates/operator_clusterrole.yaml b/install/kubernetes/tetragon/templates/operator_clusterrole.yaml
index dd3a7932e26..2ad6d45e641 100644
--- a/install/kubernetes/tetragon/templates/operator_clusterrole.yaml
+++ b/install/kubernetes/tetragon/templates/operator_clusterrole.yaml
@@ -40,6 +40,7 @@ rules:
- tracingpolicies.cilium.io
- tracingpoliciesnamespaced.cilium.io
- podinfo.cilium.io
+ - runtimesecuritypolicies.cilium.io
verbs:
- update
- get
diff --git a/pkg/grpc/runtimesecuritypolicy/runtimesecuritypolicy.go b/pkg/grpc/runtimesecuritypolicy/runtimesecuritypolicy.go
new file mode 100644
index 00000000000..4185b81eae3
--- /dev/null
+++ b/pkg/grpc/runtimesecuritypolicy/runtimesecuritypolicy.go
@@ -0,0 +1,82 @@
+package runtimesecuritypolicy
+
+import (
+ "github.com/cilium/tetragon/api/v1/tetragon"
+ "github.com/cilium/tetragon/pkg/grpc/tracing"
+ "github.com/cilium/tetragon/pkg/ktime"
+ "github.com/cilium/tetragon/pkg/logger"
+ "github.com/cilium/tetragon/pkg/process"
+ "github.com/cilium/tetragon/pkg/reader/node"
+ "github.com/cilium/tetragon/pkg/reader/notify"
+)
+
+var (
+ nodeName = node.GetNodeNameForExport()
+)
+
+type MsgRuntimeSecurity struct {
+ // kprobeMsg is the original message
+ kprobeMsg *tracing.MsgGenericKprobeUnix
+
+ // xlateFn translates the original kprobe event to a ProcessRuntimeSecurity event
+ xlateFn func(og *tracing.MsgGenericKprobeUnix, ev *tetragon.ProcessRuntimeSecurity) error
+}
+
+func NewRuntimeSecurity(
+ msg *tracing.MsgGenericKprobeUnix,
+ xlateFn func(og *tracing.MsgGenericKprobeUnix, ev *tetragon.ProcessRuntimeSecurity) error) *MsgRuntimeSecurity {
+ return &MsgRuntimeSecurity{
+ kprobeMsg: msg,
+ xlateFn: xlateFn,
+ }
+}
+
+func (msg *MsgRuntimeSecurity) HandleMessage() *tetragon.GetEventsResponse {
+ k := tracing.GetProcessKprobe(msg.kprobeMsg)
+ if k == nil {
+ return nil
+ }
+
+ ev := &tetragon.ProcessRuntimeSecurity{
+ Policy: &tetragon.RuntimeSecurityPolicy{
+ Name: msg.kprobeMsg.PolicyName,
+ Namespace: "",
+ },
+ }
+
+ err := msg.Translate(ev)
+ if err != nil {
+ logger.GetLogger().WithError(err).WithField("kprobeEvent", msg.kprobeMsg).Error("error while translating the runtime security event")
+ return nil
+ }
+
+ ev.Process = k.Process
+ ev.Parent = k.Parent
+
+ return &tetragon.GetEventsResponse{
+ Event: &tetragon.GetEventsResponse_ProcessRuntimeSecurity{ProcessRuntimeSecurity: ev},
+ NodeName: nodeName,
+ Time: ktime.ToProto(msg.kprobeMsg.Msg.Common.Ktime),
+ }
+}
+
+func (msg *MsgRuntimeSecurity) RetryInternal(ev notify.Event, timestamp uint64) (*process.ProcessInternal, error) {
+ return msg.kprobeMsg.RetryInternal(ev, timestamp)
+}
+
+func (msg *MsgRuntimeSecurity) Retry(internal *process.ProcessInternal, ev notify.Event) error {
+ return msg.kprobeMsg.Retry(internal, ev)
+}
+
+func (msg *MsgRuntimeSecurity) Notify() bool {
+ return msg.kprobeMsg.Notify()
+}
+
+func (msg *MsgRuntimeSecurity) Cast(o interface{}) notify.Message {
+ t := o.(MsgRuntimeSecurity)
+ return &t
+}
+
+func (msg *MsgRuntimeSecurity) Translate(ev *tetragon.ProcessRuntimeSecurity) error {
+ return msg.xlateFn(msg.kprobeMsg, ev)
+}
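Review bot: HandleMessage hard-codes the policy namespace to the empty string (`Namespace: "",`) with no explanation, although the event proto exposes a `namespace` field; since the RuntimeSecurityPolicy CRD introduced in this change is cluster-scoped, a comment such as `// RuntimeSecurityPolicy is cluster-scoped, so there is no namespace to report.` would stop readers from treating the empty value as a missing lookup. Cast performs an unchecked assertion `t := o.(MsgRuntimeSecurity)` that panics on any other concrete type; a comma-ok form, `t, ok := o.(MsgRuntimeSecurity); if !ok { return nil }`, would degrade gracefully, assuming the notify pipeline tolerates a nil Message as it presumably does for other failures. The error log in HandleMessage attaches the whole kprobe message as a field, which can be very large per event; logging the policy name and event type would usually be enough to triage. The file also lacks the `// SPDX-License-Identifier: Apache-2.0` and `// Copyright Authors of Tetragon` header that the other new Go file in this change carries.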
diff --git a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_runtimesecuritypolicies.yaml b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_runtimesecuritypolicies.yaml
new file mode 100644
index 00000000000..7cdb59e0089
--- /dev/null
+++ b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_runtimesecuritypolicies.yaml
@@ -0,0 +1,174 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.14.0
+ creationTimestamp: null
+ name: runtimesecuritypolicies.cilium.io
+spec:
+ group: cilium.io
+ names:
+ kind: RuntimeSecurityPolicy
+ listKind: RuntimeSecurityPolicyList
+ plural: runtimesecuritypolicies
+ shortNames:
+ - rsp
+ singular: runtimesecuritypolicy
+ scope: Cluster
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Runtime security policy specification.
+ properties:
+ rules:
+ description: Runtime security policy rules to apply.
+ items:
+ oneOf:
+ - properties:
+ executionConfig: {}
+ required:
+ - executionConfig
+ properties:
+ executionConfig:
+ description: Configuration for a rule of type Execution.
+ properties:
+ action:
+ description: A rule execution config action is the set of
+ actions that can be used in an rule execution config.
+ enum:
+ - Audit
+ - Block
+ type: string
+ required:
+ - action
+ type: object
+ type:
+ description: Rule type.
+ enum:
+ - Execution
+ type: string
+ required:
+ - type
+ type: object
+ minItems: 1
+ type: array
+ selectors:
+ description: Selectors to select on which object applying the runtime
+ security policy.
+ properties:
+ executableSelector:
+ properties:
+ matchPaths:
+ items:
+ properties:
+ operator:
+ description: A match paths operator is the set of available
+ operator that can be used in a match paths selector.
+ enum:
+ - In
+ - NotIn
+ type: string
+ pattern:
+ description: A match paths pattern is the set of available
+ pattern that can be used in a match paths selector.
+ enum:
+ - Full
+ - Prefix
+ - Postfix
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ required:
+ - operator
+ - pattern
+ type: object
+ type: array
+ type: object
+ podSelector:
+ description: PodSelector selects pods that this policy applies
+ to
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector
+ requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a selector
+ that contains values, a key, and an operator that relates
+ the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are In, NotIn,
+ Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: values is an array of string values. If
+ the operator is In or NotIn, the values array must
+ be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced
+ during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the value from
+ the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: matchLabels is a map of {key,value} pairs. A
+ single {key,value} in the matchLabels map is equivalent
+ to an element of matchExpressions, whose key field is "key",
+ the operator is "In", and the values array contains only
+ "value". The requirements are ANDed.
+ type: object
+ type: object
+ type: object
+ required:
+ - rules
+ type: object
+ required:
+ - metadata
+ - spec
+ type: object
+ served: true
+ storage: true
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
diff --git a/pkg/k8s/apis/cilium.io/client/register.go b/pkg/k8s/apis/cilium.io/client/register.go
index 6f846e2720b..4d27c19f07d 100644
--- a/pkg/k8s/apis/cilium.io/client/register.go
+++ b/pkg/k8s/apis/cilium.io/client/register.go
@@ -35,9 +35,19 @@ var (
v1alpha1.PIName,
crdsv1Alpha1PodInfo)
+ //go:embed crds/v1alpha1/cilium.io_runtimesecuritypolicies.yaml
+ crdsv1Alpha1RuntimeSecurityPolicies []byte
+
+ RuntimeSecurityPolicyCRD = crdutils.NewCRDBytes(
+ v1alpha1.RuntimeSecurityPolicyCRDName,
+ v1alpha1.RuntimeSecurityPolicyName,
+ crdsv1Alpha1RuntimeSecurityPolicies,
+ )
+
AllCRDs = []crdutils.CRD{
TracingPolicyCRD,
TracingPolicyNamespacedCRD,
PodInfoCRD,
+ RuntimeSecurityPolicyCRD,
}
)
diff --git a/pkg/k8s/apis/cilium.io/v1alpha1/register.go b/pkg/k8s/apis/cilium.io/v1alpha1/register.go
index 07e8ce05575..4cb8a143565 100644
--- a/pkg/k8s/apis/cilium.io/v1alpha1/register.go
+++ b/pkg/k8s/apis/cilium.io/v1alpha1/register.go
@@ -54,6 +54,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
&TracingPolicyNamespacedList{},
&PodInfo{},
&PodInfoList{},
+ &RuntimeSecurityPolicy{},
+ &RuntimeSecurityPolicyList{},
)
metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
return nil
diff --git a/pkg/k8s/apis/cilium.io/v1alpha1/runtimesecuritypolicy_types.go b/pkg/k8s/apis/cilium.io/v1alpha1/runtimesecuritypolicy_types.go
new file mode 100644
index 00000000000..48ec88a4d06
--- /dev/null
+++ b/pkg/k8s/apis/cilium.io/v1alpha1/runtimesecuritypolicy_types.go
@@ -0,0 +1,127 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Tetragon
+
+package v1alpha1
+
+import (
+ slimv1 "github.com/cilium/cilium/pkg/k8s/slim/k8s/apis/meta/v1"
+ ciliumio "github.com/cilium/tetragon/pkg/k8s/apis/cilium.io"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+const (
+ // RuntimeSecurityPolicyPluralName is the plural name of the Runtime Security Policy
+ RuntimeSecurityPolicyPluralName = "runtimesecuritypolicies"
+
+ // RuntimeSecurityPolicyKindDefinition is the kind name of Runtime Security Policy
+ RuntimeSecurityPolicyKindDefinition = "RuntimeSecurityPolicy"
+
+ // RuntimeSecurityPolicyName is the full name of the Runtime Security Policy
+ RuntimeSecurityPolicyName = RuntimeSecurityPolicyPluralName + "." + ciliumio.GroupName
+
+ // RuntimeSecurityPolicyCRDName is the full name of the Runtime Security Policy CRD.
+ RuntimeSecurityPolicyCRDName = RuntimeSecurityPolicyKindDefinition + "/" + CRDVersion
+)
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type RuntimeSecurityPolicyList struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ListMeta `json:"metadata"`
+ Items []RuntimeSecurityPolicy `json:"items,omitempty"`
+}
+
+// +genclient
+// +genclient:noStatus
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:resource:singular="runtimesecuritypolicy",path="runtimesecuritypolicies",scope="Cluster",shortName={"rsp"}
+type RuntimeSecurityPolicy struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata"`
+ // Runtime security policy specification.
+ // +kubebuilder:validation:Required
+ Spec RuntimeSecurityPolicySpec `json:"spec"`
+}
+
+type RuntimeSecurityPolicySpec struct {
+ // +kubebuilder:validation:Optional
+ // Selectors to select on which object applying the runtime security policy.
+ Selectors *RuntimeSecurityPolicySelector `json:"selectors,omitempty"`
+ // +kubebuilder:validation:Required
+ // +kubebuilder:validation:MinItems=1
+ // Runtime security policy rules to apply.
+ Rules []RuntimeSecurityPolicyRule `json:"rules"`
+}
+
+type RuntimeSecurityPolicyRule struct {
+ // +kubebuilder:validation:Enum=Execution
+ // +kubebuilder:validation:Required
+ // Rule type.
+ Type RuntimeSecurityPolicyRuleType `json:"type"`
+ // +kubebuilder:validation:OneOf
+ // Configuration for a rule of type Execution.
+ ExecutionConfig *RuleExecutionConfig `json:"executionConfig,omitempty"`
+}
+
+// A runtime security policy rule type is the set of types that can be used in a runtime security policy rule.
+type RuntimeSecurityPolicyRuleType string
+
+const (
+ RuntimeSecurityPolicyRuleTypeExecution RuntimeSecurityPolicyRuleType = "Execution"
+)
+
+type RuleExecutionConfig struct {
+ // +kubebuilder:validation:Enum=Audit;Block
+ // +kubebuilder:validation:Required
+ Action RuleExecutionConfigAction `json:"action"`
+}
+
+// A rule execution config action is the set of actions that can be used in an rule execution config.
+type RuleExecutionConfigAction string
+
+const (
+ ExecutionConfigActionAudit RuleExecutionConfigAction = "Audit"
+ ExecutionConfigActionBlock RuleExecutionConfigAction = "Block"
+)
+
+type RuntimeSecurityPolicySelector struct {
+ // +kubebuilder:validation:Optional
+ // PodSelector selects pods that this policy applies to
+ PodSelector *slimv1.LabelSelector `json:"podSelector,omitempty"`
+
+ // +kubebuilder:validation:Optional
+ ExecutableSelector *ExecutableSelector `json:"executableSelector,omitempty"`
+}
+
+type ExecutableSelector struct {
+ // +kubebuilder:validation:Optional
+ MatchPaths []MatchPathsSelector `json:"matchPaths,omitempty"`
+}
+
+type MatchPathsSelector struct {
+ // +kubebuilder:validation:Required
+ // +kubebuilder:validation:Enum=Full;Prefix;Postfix
+ Pattern MatchPathsPattern `json:"pattern"`
+ // +kubebuilder:validation:Required
+ // +kubebuilder:validation:Enum=In;NotIn
+ Operator MatchPathsOperator `json:"operator"`
+ // +kubebuilder:validation:Optional
+ Values []string `json:"values,omitempty"`
+}
+
+// A match paths pattern is the set of available pattern that can be used in a match paths selector.
+type MatchPathsPattern string
+
+const (
+ MatchPathsPatternFull MatchPathsPattern = "Full"
+ MatchPathsPatternPrefix MatchPathsPattern = "Prefix"
+ MatchPathsPatternPostfix MatchPathsPattern = "Postfix"
+)
+
+// A match paths operator is the set of available operator that can be used in a match paths selector.
+type MatchPathsOperator string
+
+const (
+ MatchPathsOperatorEqual MatchPathsOperator = "In"
+ MatchPathsOperatorNotEqual MatchPathsOperator = "NotIn"
+)
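Review bot: `MatchPathsSelector.Values` carries only `+kubebuilder:validation:Optional`, so the generated CRD accepts a `matchPaths` entry with no values or with an empty-string value; if path matching is a plain prefix or suffix test, an empty value under `pattern: Prefix` combined with `action: Block` would match every executable and block all execs on the selected pods, which is an easy way to take a workload down by typo. Adding `// +kubebuilder:validation:MinItems=1` on `Values` and rejecting empty strings in the policy loader (or via an items-level MinLength marker if the controller-gen version in use supports it), then regenerating the CRD, would close that hole. The same scoping question applies when `Selectors` is nil: the doc comment on `RuntimeSecurityPolicySpec.Selectors` should state explicitly whether a policy with no selectors applies to every pod and executable on the node, since that is the difference between an audit rule and a cluster-wide block. A smaller style point: `MatchPathsOperatorEqual` and `MatchPathsOperatorNotEqual` hold the values `"In"` and `"NotIn"`; naming them `MatchPathsOperatorIn` and `MatchPathsOperatorNotIn` would match both the enum marker and the podSelector operators.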
diff --git a/pkg/k8s/apis/cilium.io/v1alpha1/types.go b/pkg/k8s/apis/cilium.io/v1alpha1/types.go
index e491c37df3e..216f7a8c611 100644
--- a/pkg/k8s/apis/cilium.io/v1alpha1/types.go
+++ b/pkg/k8s/apis/cilium.io/v1alpha1/types.go
@@ -68,7 +68,7 @@ type KProbeArg struct {
// +kubebuilder:validation:Minimum=0
// Specifies the position of the corresponding size argument for this argument.
// This field is used only for char_buf and char_iovec types.
- SizeArgIndex uint32 `json:"sizeArgIndex"`
+ SizeArgIndex uint32 `json:"sizeArgIndex,omitempty"`
// +kubebuilder:validation:Optional
// +kubebuilder:default=false
// This field is used only for char_buf and char_iovec types. It indicates
@@ -76,17 +76,17 @@ type KProbeArg struct {
// symbol is triggered) because it might not be populated when the kprobe
// is triggered at the entrance of the function. For example, a buffer
// supplied to read(2) won't have content until kretprobe is triggered.
- ReturnCopy bool `json:"returnCopy"`
+ ReturnCopy bool `json:"returnCopy,omitempty"`
// +kubebuilder:validation:Optional
// +kubebuilder:default=false
// Read maximum possible data (currently 327360). This field is only used
// for char_buff data. When this value is false (default), the bpf program
// will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
// supports fetching up to 327360 bytes if this flag is turned on
- MaxData bool `json:"maxData"`
+ MaxData bool `json:"maxData,omitempty"`
// +kubebuilder:validation:Optional
// Label to output in the JSON
- Label string `json:"label"`
+ Label string `json:"label,omitempty"`
}
type BinarySelector struct {
@@ -201,30 +201,30 @@ type ActionSelector struct {
Action string `json:"action"`
// +kubebuilder:validation:Optional
// An arg index for the fd for fdInstall action
- ArgFd uint32 `json:"argFd"`
+ ArgFd uint32 `json:"argFd,omitempty"`
// +kubebuilder:validation:Optional
// An arg index for the filename for fdInstall action
- ArgName uint32 `json:"argName"`
+ ArgName uint32 `json:"argName,omitempty"`
// +kubebuilder:validation:Optional
// A URL for the getUrl action
- ArgUrl string `json:"argUrl"`
+ ArgUrl string `json:"argUrl,omitempty"`
// +kubebuilder:validation:Optional
// A FQDN to lookup for the dnsLookup action
- ArgFqdn string `json:"argFqdn"`
+ ArgFqdn string `json:"argFqdn,omitempty"`
// +kubebuilder:validation:Optional
// error value for override action
- ArgError int32 `json:"argError"`
+ ArgError int32 `json:"argError,omitempty"`
// +kubebuilder:validation:Optional
// A signal number for signal action
- ArgSig uint32 `json:"argSig"`
+ ArgSig uint32 `json:"argSig,omitempty"`
// +kubebuilder:validation:Optional
// An arg index for the sock for trackSock and untrackSock actions
- ArgSock uint32 `json:"argSock"`
+ ArgSock uint32 `json:"argSock,omitempty"`
// +kubebuilder:validation:Optional
// A time period within which repeated messages will not be posted. Can be
// specified in seconds (default or with 's' suffix), minutes ('m' suffix)
// or hours ('h' suffix). Only valid with the post action.
- RateLimit string `json:"rateLimit"`
+ RateLimit string `json:"rateLimit,omitempty"`
// +kubebuilder:validation:Optional
// The scope of the provided rate limit argument. Can be "thread" (default),
// "process" (all threads for the same process), or "global". If "thread" is
@@ -232,13 +232,13 @@ type ActionSelector struct {
// then rate limiting applies per process; if "global" is selected then rate
// limiting applies regardless of which process or thread caused the action.
// Only valid with the post action and with a rateLimit specified.
- RateLimitScope string `json:"rateLimitScope"`
+ RateLimitScope string `json:"rateLimitScope,omitempty"`
// +kubebuilder:validation:Optional
// Enable kernel stack trace export. Only valid with the post action.
- KernelStackTrace bool `json:"kernelStackTrace"`
+ KernelStackTrace bool `json:"kernelStackTrace,omitempty"`
// +kubebuilder:validation:Optional
// Enable user stack trace export. Only valid with the post action.
- UserStackTrace bool `json:"userStackTrace"`
+ UserStackTrace bool `json:"userStackTrace,omitempty"`
}
type TracepointSpec struct {
diff --git a/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go b/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go
index 2dc62a7bb93..314a30c2c50 100644
--- a/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go
+++ b/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go
@@ -113,6 +113,29 @@ func (in *EnforcerSpec) DeepCopy() *EnforcerSpec {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExecutableSelector) DeepCopyInto(out *ExecutableSelector) {
+ *out = *in
+ if in.MatchPaths != nil {
+ in, out := &in.MatchPaths, &out.MatchPaths
+ *out = make([]MatchPathsSelector, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExecutableSelector.
+func (in *ExecutableSelector) DeepCopy() *ExecutableSelector {
+ if in == nil {
+ return nil
+ }
+ out := new(ExecutableSelector)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *KProbeArg) DeepCopyInto(out *KProbeArg) {
*out = *in
@@ -275,6 +298,27 @@ func (in *ListSpec) DeepCopy() *ListSpec {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *MatchPathsSelector) DeepCopyInto(out *MatchPathsSelector) {
+ *out = *in
+ if in.Values != nil {
+ in, out := &in.Values, &out.Values
+ *out = make([]string, len(*in))
+ copy(*out, *in)
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MatchPathsSelector.
+func (in *MatchPathsSelector) DeepCopy() *MatchPathsSelector {
+ if in == nil {
+ return nil
+ }
+ out := new(MatchPathsSelector)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *NamespaceChangesSelector) DeepCopyInto(out *NamespaceChangesSelector) {
*out = *in
@@ -470,6 +514,157 @@ func (in *PodInfoStatus) DeepCopy() *PodInfoStatus {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RuleExecutionConfig) DeepCopyInto(out *RuleExecutionConfig) {
+ *out = *in
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleExecutionConfig.
+func (in *RuleExecutionConfig) DeepCopy() *RuleExecutionConfig {
+ if in == nil {
+ return nil
+ }
+ out := new(RuleExecutionConfig)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RuntimeSecurityPolicy) DeepCopyInto(out *RuntimeSecurityPolicy) {
+ *out = *in
+ out.TypeMeta = in.TypeMeta
+ in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+ in.Spec.DeepCopyInto(&out.Spec)
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuntimeSecurityPolicy.
+func (in *RuntimeSecurityPolicy) DeepCopy() *RuntimeSecurityPolicy {
+ if in == nil {
+ return nil
+ }
+ out := new(RuntimeSecurityPolicy)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *RuntimeSecurityPolicy) DeepCopyObject() runtime.Object {
+ if c := in.DeepCopy(); c != nil {
+ return c
+ }
+ return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RuntimeSecurityPolicyList) DeepCopyInto(out *RuntimeSecurityPolicyList) {
+ *out = *in
+ out.TypeMeta = in.TypeMeta
+ in.ListMeta.DeepCopyInto(&out.ListMeta)
+ if in.Items != nil {
+ in, out := &in.Items, &out.Items
+ *out = make([]RuntimeSecurityPolicy, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuntimeSecurityPolicyList.
+func (in *RuntimeSecurityPolicyList) DeepCopy() *RuntimeSecurityPolicyList {
+ if in == nil {
+ return nil
+ }
+ out := new(RuntimeSecurityPolicyList)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *RuntimeSecurityPolicyList) DeepCopyObject() runtime.Object {
+ if c := in.DeepCopy(); c != nil {
+ return c
+ }
+ return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RuntimeSecurityPolicyRule) DeepCopyInto(out *RuntimeSecurityPolicyRule) {
+ *out = *in
+ if in.ExecutionConfig != nil {
+ in, out := &in.ExecutionConfig, &out.ExecutionConfig
+ *out = new(RuleExecutionConfig)
+ **out = **in
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuntimeSecurityPolicyRule.
+func (in *RuntimeSecurityPolicyRule) DeepCopy() *RuntimeSecurityPolicyRule {
+ if in == nil {
+ return nil
+ }
+ out := new(RuntimeSecurityPolicyRule)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RuntimeSecurityPolicySelector) DeepCopyInto(out *RuntimeSecurityPolicySelector) {
+ *out = *in
+ if in.PodSelector != nil {
+ in, out := &in.PodSelector, &out.PodSelector
+ *out = new(v1.LabelSelector)
+ (*in).DeepCopyInto(*out)
+ }
+ if in.ExecutableSelector != nil {
+ in, out := &in.ExecutableSelector, &out.ExecutableSelector
+ *out = new(ExecutableSelector)
+ (*in).DeepCopyInto(*out)
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuntimeSecurityPolicySelector.
+func (in *RuntimeSecurityPolicySelector) DeepCopy() *RuntimeSecurityPolicySelector {
+ if in == nil {
+ return nil
+ }
+ out := new(RuntimeSecurityPolicySelector)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RuntimeSecurityPolicySpec) DeepCopyInto(out *RuntimeSecurityPolicySpec) {
+ *out = *in
+ if in.Selectors != nil {
+ in, out := &in.Selectors, &out.Selectors
+ *out = new(RuntimeSecurityPolicySelector)
+ (*in).DeepCopyInto(*out)
+ }
+ if in.Rules != nil {
+ in, out := &in.Rules, &out.Rules
+ *out = make([]RuntimeSecurityPolicyRule, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuntimeSecurityPolicySpec.
+func (in *RuntimeSecurityPolicySpec) DeepCopy() *RuntimeSecurityPolicySpec {
+ if in == nil {
+ return nil
+ }
+ out := new(RuntimeSecurityPolicySpec)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TracepointSpec) DeepCopyInto(out *TracepointSpec) {
*out = *in
diff --git a/pkg/k8s/client/clientset/versioned/typed/cilium.io/v1alpha1/cilium.io_client.go b/pkg/k8s/client/clientset/versioned/typed/cilium.io/v1alpha1/cilium.io_client.go
index 8392d8b2b17..021c1063b3e 100644
--- a/pkg/k8s/client/clientset/versioned/typed/cilium.io/v1alpha1/cilium.io_client.go
+++ b/pkg/k8s/client/clientset/versioned/typed/cilium.io/v1alpha1/cilium.io_client.go
@@ -16,6 +16,7 @@ import (
type CiliumV1alpha1Interface interface {
RESTClient() rest.Interface
PodInfoGetter
+ RuntimeSecurityPoliciesGetter
TracingPoliciesGetter
TracingPoliciesNamespacedGetter
}
@@ -29,6 +30,10 @@ func (c *CiliumV1alpha1Client) PodInfo(namespace string) PodInfoInterface {
return newPodInfo(c, namespace)
}
+func (c *CiliumV1alpha1Client) RuntimeSecurityPolicies() RuntimeSecurityPolicyInterface {
+ return newRuntimeSecurityPolicies(c)
+}
+
func (c *CiliumV1alpha1Client) TracingPolicies() TracingPolicyInterface {
return newTracingPolicies(c)
}
diff --git a/pkg/k8s/client/clientset/versioned/typed/cilium.io/v1alpha1/fake/fake_cilium.io_client.go b/pkg/k8s/client/clientset/versioned/typed/cilium.io/v1alpha1/fake/fake_cilium.io_client.go
index d91edfe95e4..36061d9924a 100644
--- a/pkg/k8s/client/clientset/versioned/typed/cilium.io/v1alpha1/fake/fake_cilium.io_client.go
+++ b/pkg/k8s/client/clientset/versioned/typed/cilium.io/v1alpha1/fake/fake_cilium.io_client.go
@@ -19,6 +19,10 @@ func (c *FakeCiliumV1alpha1) PodInfo(namespace string) v1alpha1.PodInfoInterface
return &FakePodInfo{c, namespace}
}
+func (c *FakeCiliumV1alpha1) RuntimeSecurityPolicies() v1alpha1.RuntimeSecurityPolicyInterface {
+ return &FakeRuntimeSecurityPolicies{c}
+}
+
func (c *FakeCiliumV1alpha1) TracingPolicies() v1alpha1.TracingPolicyInterface {
return &FakeTracingPolicies{c}
}
diff --git a/pkg/k8s/client/clientset/versioned/typed/cilium.io/v1alpha1/fake/fake_runtimesecuritypolicy.go b/pkg/k8s/client/clientset/versioned/typed/cilium.io/v1alpha1/fake/fake_runtimesecuritypolicy.go
new file mode 100644
index 00000000000..4e6e88ec72a
--- /dev/null
+++ b/pkg/k8s/client/clientset/versioned/typed/cilium.io/v1alpha1/fake/fake_runtimesecuritypolicy.go
@@ -0,0 +1,108 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Tetragon
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+ "context"
+
+ v1alpha1 "github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1"
+ v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ labels "k8s.io/apimachinery/pkg/labels"
+ types "k8s.io/apimachinery/pkg/types"
+ watch "k8s.io/apimachinery/pkg/watch"
+ testing "k8s.io/client-go/testing"
+)
+
+// FakeRuntimeSecurityPolicies implements RuntimeSecurityPolicyInterface
+type FakeRuntimeSecurityPolicies struct {
+ Fake *FakeCiliumV1alpha1
+}
+
+var runtimesecuritypoliciesResource = v1alpha1.SchemeGroupVersion.WithResource("runtimesecuritypolicies")
+
+var runtimesecuritypoliciesKind = v1alpha1.SchemeGroupVersion.WithKind("RuntimeSecurityPolicy")
+
+// Get takes name of the runtimeSecurityPolicy, and returns the corresponding runtimeSecurityPolicy object, and an error if there is any.
+func (c *FakeRuntimeSecurityPolicies) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.RuntimeSecurityPolicy, err error) {
+ obj, err := c.Fake.
+ Invokes(testing.NewRootGetAction(runtimesecuritypoliciesResource, name), &v1alpha1.RuntimeSecurityPolicy{})
+ if obj == nil {
+ return nil, err
+ }
+ return obj.(*v1alpha1.RuntimeSecurityPolicy), err
+}
+
+// List takes label and field selectors, and returns the list of RuntimeSecurityPolicies that match those selectors.
+func (c *FakeRuntimeSecurityPolicies) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.RuntimeSecurityPolicyList, err error) {
+ obj, err := c.Fake.
+ Invokes(testing.NewRootListAction(runtimesecuritypoliciesResource, runtimesecuritypoliciesKind, opts), &v1alpha1.RuntimeSecurityPolicyList{})
+ if obj == nil {
+ return nil, err
+ }
+
+ label, _, _ := testing.ExtractFromListOptions(opts)
+ if label == nil {
+ label = labels.Everything()
+ }
+ list := &v1alpha1.RuntimeSecurityPolicyList{ListMeta: obj.(*v1alpha1.RuntimeSecurityPolicyList).ListMeta}
+ for _, item := range obj.(*v1alpha1.RuntimeSecurityPolicyList).Items {
+ if label.Matches(labels.Set(item.Labels)) {
+ list.Items = append(list.Items, item)
+ }
+ }
+ return list, err
+}
+
+// Watch returns a watch.Interface that watches the requested runtimeSecurityPolicies.
+func (c *FakeRuntimeSecurityPolicies) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+ return c.Fake.
+ InvokesWatch(testing.NewRootWatchAction(runtimesecuritypoliciesResource, opts))
+}
+
+// Create takes the representation of a runtimeSecurityPolicy and creates it. Returns the server's representation of the runtimeSecurityPolicy, and an error, if there is any.
+func (c *FakeRuntimeSecurityPolicies) Create(ctx context.Context, runtimeSecurityPolicy *v1alpha1.RuntimeSecurityPolicy, opts v1.CreateOptions) (result *v1alpha1.RuntimeSecurityPolicy, err error) {
+ obj, err := c.Fake.
+ Invokes(testing.NewRootCreateAction(runtimesecuritypoliciesResource, runtimeSecurityPolicy), &v1alpha1.RuntimeSecurityPolicy{})
+ if obj == nil {
+ return nil, err
+ }
+ return obj.(*v1alpha1.RuntimeSecurityPolicy), err
+}
+
+// Update takes the representation of a runtimeSecurityPolicy and updates it. Returns the server's representation of the runtimeSecurityPolicy, and an error, if there is any.
+func (c *FakeRuntimeSecurityPolicies) Update(ctx context.Context, runtimeSecurityPolicy *v1alpha1.RuntimeSecurityPolicy, opts v1.UpdateOptions) (result *v1alpha1.RuntimeSecurityPolicy, err error) {
+ obj, err := c.Fake.
+ Invokes(testing.NewRootUpdateAction(runtimesecuritypoliciesResource, runtimeSecurityPolicy), &v1alpha1.RuntimeSecurityPolicy{})
+ if obj == nil {
+ return nil, err
+ }
+ return obj.(*v1alpha1.RuntimeSecurityPolicy), err
+}
+
+// Delete takes name of the runtimeSecurityPolicy and deletes it. Returns an error if one occurs.
+func (c *FakeRuntimeSecurityPolicies) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+ _, err := c.Fake.
+ Invokes(testing.NewRootDeleteActionWithOptions(runtimesecuritypoliciesResource, name, opts), &v1alpha1.RuntimeSecurityPolicy{})
+ return err
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *FakeRuntimeSecurityPolicies) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+ action := testing.NewRootDeleteCollectionAction(runtimesecuritypoliciesResource, listOpts)
+
+ _, err := c.Fake.Invokes(action, &v1alpha1.RuntimeSecurityPolicyList{})
+ return err
+}
+
+// Patch applies the patch and returns the patched runtimeSecurityPolicy.
+func (c *FakeRuntimeSecurityPolicies) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.RuntimeSecurityPolicy, err error) {
+ obj, err := c.Fake.
+ Invokes(testing.NewRootPatchSubresourceAction(runtimesecuritypoliciesResource, name, pt, data, subresources...), &v1alpha1.RuntimeSecurityPolicy{})
+ if obj == nil {
+ return nil, err
+ }
+ return obj.(*v1alpha1.RuntimeSecurityPolicy), err
+}
diff --git a/pkg/k8s/client/clientset/versioned/typed/cilium.io/v1alpha1/generated_expansion.go b/pkg/k8s/client/clientset/versioned/typed/cilium.io/v1alpha1/generated_expansion.go
index 320ab473249..eb2224144f2 100644
--- a/pkg/k8s/client/clientset/versioned/typed/cilium.io/v1alpha1/generated_expansion.go
+++ b/pkg/k8s/client/clientset/versioned/typed/cilium.io/v1alpha1/generated_expansion.go
@@ -7,6 +7,8 @@ package v1alpha1
type PodInfoExpansion interface{}
+type RuntimeSecurityPolicyExpansion interface{}
+
type TracingPolicyExpansion interface{}
type TracingPolicyNamespacedExpansion interface{}
diff --git a/pkg/k8s/client/clientset/versioned/typed/cilium.io/v1alpha1/runtimesecuritypolicy.go b/pkg/k8s/client/clientset/versioned/typed/cilium.io/v1alpha1/runtimesecuritypolicy.go
new file mode 100644
index 00000000000..61f92e1eaf8
--- /dev/null
+++ b/pkg/k8s/client/clientset/versioned/typed/cilium.io/v1alpha1/runtimesecuritypolicy.go
@@ -0,0 +1,155 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Tetragon
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+ "context"
+ "time"
+
+ v1alpha1 "github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1"
+ scheme "github.com/cilium/tetragon/pkg/k8s/client/clientset/versioned/scheme"
+ v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ types "k8s.io/apimachinery/pkg/types"
+ watch "k8s.io/apimachinery/pkg/watch"
+ rest "k8s.io/client-go/rest"
+)
+
+// RuntimeSecurityPoliciesGetter has a method to return a RuntimeSecurityPolicyInterface.
+// A group's client should implement this interface.
+type RuntimeSecurityPoliciesGetter interface {
+ RuntimeSecurityPolicies() RuntimeSecurityPolicyInterface
+}
+
+// RuntimeSecurityPolicyInterface has methods to work with RuntimeSecurityPolicy resources.
+type RuntimeSecurityPolicyInterface interface {
+ Create(ctx context.Context, runtimeSecurityPolicy *v1alpha1.RuntimeSecurityPolicy, opts v1.CreateOptions) (*v1alpha1.RuntimeSecurityPolicy, error)
+ Update(ctx context.Context, runtimeSecurityPolicy *v1alpha1.RuntimeSecurityPolicy, opts v1.UpdateOptions) (*v1alpha1.RuntimeSecurityPolicy, error)
+ Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
+ DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
+ Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.RuntimeSecurityPolicy, error)
+ List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.RuntimeSecurityPolicyList, error)
+ Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
+ Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.RuntimeSecurityPolicy, err error)
+ RuntimeSecurityPolicyExpansion
+}
+
+// runtimeSecurityPolicies implements RuntimeSecurityPolicyInterface
+type runtimeSecurityPolicies struct {
+ client rest.Interface
+}
+
+// newRuntimeSecurityPolicies returns a RuntimeSecurityPolicies
+func newRuntimeSecurityPolicies(c *CiliumV1alpha1Client) *runtimeSecurityPolicies {
+ return &runtimeSecurityPolicies{
+ client: c.RESTClient(),
+ }
+}
+
+// Get takes name of the runtimeSecurityPolicy, and returns the corresponding runtimeSecurityPolicy object, and an error if there is any.
+func (c *runtimeSecurityPolicies) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.RuntimeSecurityPolicy, err error) {
+ result = &v1alpha1.RuntimeSecurityPolicy{}
+ err = c.client.Get().
+ Resource("runtimesecuritypolicies").
+ Name(name).
+ VersionedParams(&options, scheme.ParameterCodec).
+ Do(ctx).
+ Into(result)
+ return
+}
+
+// List takes label and field selectors, and returns the list of RuntimeSecurityPolicies that match those selectors.
+func (c *runtimeSecurityPolicies) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.RuntimeSecurityPolicyList, err error) {
+ var timeout time.Duration
+ if opts.TimeoutSeconds != nil {
+ timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+ }
+ result = &v1alpha1.RuntimeSecurityPolicyList{}
+ err = c.client.Get().
+ Resource("runtimesecuritypolicies").
+ VersionedParams(&opts, scheme.ParameterCodec).
+ Timeout(timeout).
+ Do(ctx).
+ Into(result)
+ return
+}
+
+// Watch returns a watch.Interface that watches the requested runtimeSecurityPolicies.
+func (c *runtimeSecurityPolicies) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+ var timeout time.Duration
+ if opts.TimeoutSeconds != nil {
+ timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+ }
+ opts.Watch = true
+ return c.client.Get().
+ Resource("runtimesecuritypolicies").
+ VersionedParams(&opts, scheme.ParameterCodec).
+ Timeout(timeout).
+ Watch(ctx)
+}
+
+// Create takes the representation of a runtimeSecurityPolicy and creates it. Returns the server's representation of the runtimeSecurityPolicy, and an error, if there is any.
+func (c *runtimeSecurityPolicies) Create(ctx context.Context, runtimeSecurityPolicy *v1alpha1.RuntimeSecurityPolicy, opts v1.CreateOptions) (result *v1alpha1.RuntimeSecurityPolicy, err error) {
+ result = &v1alpha1.RuntimeSecurityPolicy{}
+ err = c.client.Post().
+ Resource("runtimesecuritypolicies").
+ VersionedParams(&opts, scheme.ParameterCodec).
+ Body(runtimeSecurityPolicy).
+ Do(ctx).
+ Into(result)
+ return
+}
+
+// Update takes the representation of a runtimeSecurityPolicy and updates it. Returns the server's representation of the runtimeSecurityPolicy, and an error, if there is any.
+func (c *runtimeSecurityPolicies) Update(ctx context.Context, runtimeSecurityPolicy *v1alpha1.RuntimeSecurityPolicy, opts v1.UpdateOptions) (result *v1alpha1.RuntimeSecurityPolicy, err error) {
+ result = &v1alpha1.RuntimeSecurityPolicy{}
+ err = c.client.Put().
+ Resource("runtimesecuritypolicies").
+ Name(runtimeSecurityPolicy.Name).
+ VersionedParams(&opts, scheme.ParameterCodec).
+ Body(runtimeSecurityPolicy).
+ Do(ctx).
+ Into(result)
+ return
+}
+
+// Delete takes name of the runtimeSecurityPolicy and deletes it. Returns an error if one occurs.
+func (c *runtimeSecurityPolicies) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+ return c.client.Delete().
+ Resource("runtimesecuritypolicies").
+ Name(name).
+ Body(&opts).
+ Do(ctx).
+ Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *runtimeSecurityPolicies) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+ var timeout time.Duration
+ if listOpts.TimeoutSeconds != nil {
+ timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
+ }
+ return c.client.Delete().
+ Resource("runtimesecuritypolicies").
+ VersionedParams(&listOpts, scheme.ParameterCodec).
+ Timeout(timeout).
+ Body(&opts).
+ Do(ctx).
+ Error()
+}
+
+// Patch applies the patch and returns the patched runtimeSecurityPolicy.
+func (c *runtimeSecurityPolicies) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.RuntimeSecurityPolicy, err error) {
+ result = &v1alpha1.RuntimeSecurityPolicy{}
+ err = c.client.Patch(pt).
+ Resource("runtimesecuritypolicies").
+ Name(name).
+ SubResource(subresources...).
+ VersionedParams(&opts, scheme.ParameterCodec).
+ Body(data).
+ Do(ctx).
+ Into(result)
+ return
+}
diff --git a/pkg/k8s/client/informers/externalversions/cilium.io/v1alpha1/interface.go b/pkg/k8s/client/informers/externalversions/cilium.io/v1alpha1/interface.go
index 7629d430363..529974d7f88 100644
--- a/pkg/k8s/client/informers/externalversions/cilium.io/v1alpha1/interface.go
+++ b/pkg/k8s/client/informers/externalversions/cilium.io/v1alpha1/interface.go
@@ -13,6 +13,8 @@ import (
type Interface interface {
// PodInfo returns a PodInfoInformer.
PodInfo() PodInfoInformer
+ // RuntimeSecurityPolicies returns a RuntimeSecurityPolicyInformer.
+ RuntimeSecurityPolicies() RuntimeSecurityPolicyInformer
// TracingPolicies returns a TracingPolicyInformer.
TracingPolicies() TracingPolicyInformer
// TracingPoliciesNamespaced returns a TracingPolicyNamespacedInformer.
@@ -35,6 +37,11 @@ func (v *version) PodInfo() PodInfoInformer {
return &podInfoInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
}
+// RuntimeSecurityPolicies returns a RuntimeSecurityPolicyInformer.
+func (v *version) RuntimeSecurityPolicies() RuntimeSecurityPolicyInformer {
+ return &runtimeSecurityPolicyInformer{factory: v.factory, tweakListOptions: v.tweakListOptions}
+}
+
// TracingPolicies returns a TracingPolicyInformer.
func (v *version) TracingPolicies() TracingPolicyInformer {
return &tracingPolicyInformer{factory: v.factory, tweakListOptions: v.tweakListOptions}
diff --git a/pkg/k8s/client/informers/externalversions/cilium.io/v1alpha1/runtimesecuritypolicy.go b/pkg/k8s/client/informers/externalversions/cilium.io/v1alpha1/runtimesecuritypolicy.go
new file mode 100644
index 00000000000..647a9316b07
--- /dev/null
+++ b/pkg/k8s/client/informers/externalversions/cilium.io/v1alpha1/runtimesecuritypolicy.go
@@ -0,0 +1,76 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Tetragon
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+ "context"
+ time "time"
+
+ ciliumiov1alpha1 "github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1"
+ versioned "github.com/cilium/tetragon/pkg/k8s/client/clientset/versioned"
+ internalinterfaces "github.com/cilium/tetragon/pkg/k8s/client/informers/externalversions/internalinterfaces"
+ v1alpha1 "github.com/cilium/tetragon/pkg/k8s/client/listers/cilium.io/v1alpha1"
+ v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ runtime "k8s.io/apimachinery/pkg/runtime"
+ watch "k8s.io/apimachinery/pkg/watch"
+ cache "k8s.io/client-go/tools/cache"
+)
+
+// RuntimeSecurityPolicyInformer provides access to a shared informer and lister for
+// RuntimeSecurityPolicies.
+type RuntimeSecurityPolicyInformer interface {
+ Informer() cache.SharedIndexInformer
+ Lister() v1alpha1.RuntimeSecurityPolicyLister
+}
+
+type runtimeSecurityPolicyInformer struct {
+ factory internalinterfaces.SharedInformerFactory
+ tweakListOptions internalinterfaces.TweakListOptionsFunc
+}
+
+// NewRuntimeSecurityPolicyInformer constructs a new informer for RuntimeSecurityPolicy type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewRuntimeSecurityPolicyInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+ return NewFilteredRuntimeSecurityPolicyInformer(client, resyncPeriod, indexers, nil)
+}
+
+// NewFilteredRuntimeSecurityPolicyInformer constructs a new informer for RuntimeSecurityPolicy type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewFilteredRuntimeSecurityPolicyInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+ return cache.NewSharedIndexInformer(
+ &cache.ListWatch{
+ ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+ if tweakListOptions != nil {
+ tweakListOptions(&options)
+ }
+ return client.CiliumV1alpha1().RuntimeSecurityPolicies().List(context.TODO(), options)
+ },
+ WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
+ if tweakListOptions != nil {
+ tweakListOptions(&options)
+ }
+ return client.CiliumV1alpha1().RuntimeSecurityPolicies().Watch(context.TODO(), options)
+ },
+ },
+ &ciliumiov1alpha1.RuntimeSecurityPolicy{},
+ resyncPeriod,
+ indexers,
+ )
+}
+
+func (f *runtimeSecurityPolicyInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+ return NewFilteredRuntimeSecurityPolicyInformer(client, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+}
+
+func (f *runtimeSecurityPolicyInformer) Informer() cache.SharedIndexInformer {
+ return f.factory.InformerFor(&ciliumiov1alpha1.RuntimeSecurityPolicy{}, f.defaultInformer)
+}
+
+func (f *runtimeSecurityPolicyInformer) Lister() v1alpha1.RuntimeSecurityPolicyLister {
+ return v1alpha1.NewRuntimeSecurityPolicyLister(f.Informer().GetIndexer())
+}
diff --git a/pkg/k8s/client/informers/externalversions/generic.go b/pkg/k8s/client/informers/externalversions/generic.go
index 510dfec2e71..4c86005779f 100644
--- a/pkg/k8s/client/informers/externalversions/generic.go
+++ b/pkg/k8s/client/informers/externalversions/generic.go
@@ -42,6 +42,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
// Group=cilium.io, Version=v1alpha1
case v1alpha1.SchemeGroupVersion.WithResource("podinfo"):
return &genericInformer{resource: resource.GroupResource(), informer: f.Cilium().V1alpha1().PodInfo().Informer()}, nil
+ case v1alpha1.SchemeGroupVersion.WithResource("runtimesecuritypolicies"):
+ return &genericInformer{resource: resource.GroupResource(), informer: f.Cilium().V1alpha1().RuntimeSecurityPolicies().Informer()}, nil
case v1alpha1.SchemeGroupVersion.WithResource("tracingpolicies"):
return &genericInformer{resource: resource.GroupResource(), informer: f.Cilium().V1alpha1().TracingPolicies().Informer()}, nil
case v1alpha1.SchemeGroupVersion.WithResource("tracingpoliciesnamespaced"):
diff --git a/pkg/k8s/client/listers/cilium.io/v1alpha1/expansion_generated.go b/pkg/k8s/client/listers/cilium.io/v1alpha1/expansion_generated.go
index dc536f08a09..b8d1906f56a 100644
--- a/pkg/k8s/client/listers/cilium.io/v1alpha1/expansion_generated.go
+++ b/pkg/k8s/client/listers/cilium.io/v1alpha1/expansion_generated.go
@@ -13,6 +13,10 @@ type PodInfoListerExpansion interface{}
// PodInfoNamespaceLister.
type PodInfoNamespaceListerExpansion interface{}
+// RuntimeSecurityPolicyListerExpansion allows custom methods to be added to
+// RuntimeSecurityPolicyLister.
+type RuntimeSecurityPolicyListerExpansion interface{}
+
// TracingPolicyListerExpansion allows custom methods to be added to
// TracingPolicyLister.
type TracingPolicyListerExpansion interface{}
diff --git a/pkg/k8s/client/listers/cilium.io/v1alpha1/runtimesecuritypolicy.go b/pkg/k8s/client/listers/cilium.io/v1alpha1/runtimesecuritypolicy.go
new file mode 100644
index 00000000000..63aeb7e74f7
--- /dev/null
+++ b/pkg/k8s/client/listers/cilium.io/v1alpha1/runtimesecuritypolicy.go
@@ -0,0 +1,55 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Tetragon
+
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+ v1alpha1 "github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1"
+ "k8s.io/apimachinery/pkg/api/errors"
+ "k8s.io/apimachinery/pkg/labels"
+ "k8s.io/client-go/tools/cache"
+)
+
+// RuntimeSecurityPolicyLister helps list RuntimeSecurityPolicies.
+// All objects returned here must be treated as read-only.
+type RuntimeSecurityPolicyLister interface {
+ // List lists all RuntimeSecurityPolicies in the indexer.
+ // Objects returned here must be treated as read-only.
+ List(selector labels.Selector) (ret []*v1alpha1.RuntimeSecurityPolicy, err error)
+ // Get retrieves the RuntimeSecurityPolicy from the index for a given name.
+ // Objects returned here must be treated as read-only.
+ Get(name string) (*v1alpha1.RuntimeSecurityPolicy, error)
+ RuntimeSecurityPolicyListerExpansion
+}
+
+// runtimeSecurityPolicyLister implements the RuntimeSecurityPolicyLister interface.
+type runtimeSecurityPolicyLister struct {
+ indexer cache.Indexer
+}
+
+// NewRuntimeSecurityPolicyLister returns a new RuntimeSecurityPolicyLister.
+func NewRuntimeSecurityPolicyLister(indexer cache.Indexer) RuntimeSecurityPolicyLister {
+ return &runtimeSecurityPolicyLister{indexer: indexer}
+}
+
+// List lists all RuntimeSecurityPolicies in the indexer.
+func (s *runtimeSecurityPolicyLister) List(selector labels.Selector) (ret []*v1alpha1.RuntimeSecurityPolicy, err error) {
+ err = cache.ListAll(s.indexer, selector, func(m interface{}) {
+ ret = append(ret, m.(*v1alpha1.RuntimeSecurityPolicy))
+ })
+ return ret, err
+}
+
+// Get retrieves the RuntimeSecurityPolicy from the index for a given name.
+func (s *runtimeSecurityPolicyLister) Get(name string) (*v1alpha1.RuntimeSecurityPolicy, error) {
+ obj, exists, err := s.indexer.GetByKey(name)
+ if err != nil {
+ return nil, err
+ }
+ if !exists {
+ return nil, errors.NewNotFound(v1alpha1.Resource("runtimesecuritypolicy"), name)
+ }
+ return obj.(*v1alpha1.RuntimeSecurityPolicy), nil
+}
diff --git a/pkg/option/config.go b/pkg/option/config.go
index 5c971208d0c..146c3702dcd 100644
--- a/pkg/option/config.go
+++ b/pkg/option/config.go
@@ -46,11 +46,12 @@ type config struct {
ProcessCacheSize int
DataCacheSize int
- MetricsServer string
- MetricsLabelFilter metrics.LabelFilter
- ServerAddress string
- TracingPolicy string
- TracingPolicyDir string
+ MetricsServer string
+ MetricsLabelFilter metrics.LabelFilter
+ ServerAddress string
+ TracingPolicy string
+ TracingPolicyDir string
+ RuntimeSecurityPolicy string
ExportFilename string
ExportFileMaxSizeMB int
@@ -82,8 +83,9 @@ type config struct {
KMods []string
- EnablePodInfo bool
- EnableTracingPolicyCRD bool
+ EnablePodInfo bool
+ EnableTracingPolicyCRD bool
+ EnableRuntimeSecurityPolicyCRD bool
ExposeStackAddresses bool
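Review bot: The new `EnableRuntimeSecurityPolicyCRD` field (and its sibling `RuntimeSecurityPolicy` added a few lines earlier in the same struct) lands without a comment, and the two names are easy to confuse: one is a toggle, the other is a file path (the flag help in flags.go calls it a "policy file to load at startup"). Suggest `// EnableRuntimeSecurityPolicyCRD enables watching RuntimeSecurityPolicy objects (apparently cluster-scoped, per the generated informer/lister) from the Kubernetes API.` and, on the path field, `// RuntimeSecurityPolicy is the path of a policy file loaded once at startup, independent of the CRD watch.` The independence of the two is an inference from the flags being read separately; if a file policy is ignored when the CRD watch is off, that is the thing to document instead. The config struct continues outside the hunk.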
diff --git a/pkg/option/flags.go b/pkg/option/flags.go
index d6b246afa74..2e12e49d465 100644
--- a/pkg/option/flags.go
+++ b/pkg/option/flags.go
@@ -36,14 +36,15 @@ const (
KeyK8sKubeConfigPath = "k8s-kubeconfig-path"
KeyEnableProcessAncestors = "enable-process-ancestors"
- KeyMetricsServer = "metrics-server"
- KeyMetricsLabelFilter = "metrics-label-filter"
- KeyServerAddress = "server-address"
- KeyGopsAddr = "gops-address"
- KeyEnableProcessCred = "enable-process-cred"
- KeyEnableProcessNs = "enable-process-ns"
- KeyTracingPolicy = "tracing-policy"
- KeyTracingPolicyDir = "tracing-policy-dir"
+ KeyMetricsServer = "metrics-server"
+ KeyMetricsLabelFilter = "metrics-label-filter"
+ KeyServerAddress = "server-address"
+ KeyGopsAddr = "gops-address"
+ KeyEnableProcessCred = "enable-process-cred"
+ KeyEnableProcessNs = "enable-process-ns"
+ KeyTracingPolicy = "tracing-policy"
+ KeyTracingPolicyDir = "tracing-policy-dir"
+ KeyRuntimeSecurityPolicy = "runtime-security-policy"
KeyCpuProfile = "cpuprofile"
KeyMemProfile = "memprofile"
@@ -89,8 +90,9 @@ const (
KeyKmods = "kmods"
- KeyEnablePodInfo = "enable-pod-info"
- KeyEnableTracingPolicyCRD = "enable-tracing-policy-crd"
+ KeyEnablePodInfo = "enable-pod-info"
+ KeyEnableTracingPolicyCRD = "enable-tracing-policy-crd"
+ KeyEnableRuntimeSecurityPolicyCRD = "enable-runtime-security-policy-crd"
KeyExposeStackAddresses = "expose-stack-addresses"
KeyExposeKernelAddresses = "expose-kernel-addresses"
@@ -193,8 +195,10 @@ func ReadAndSetFlags() error {
Config.EnablePodInfo = viper.GetBool(KeyEnablePodInfo)
Config.EnableTracingPolicyCRD = viper.GetBool(KeyEnableTracingPolicyCRD)
+ Config.EnableRuntimeSecurityPolicyCRD = viper.GetBool(KeyEnableRuntimeSecurityPolicyCRD)
Config.TracingPolicy = viper.GetString(KeyTracingPolicy)
+ Config.RuntimeSecurityPolicy = viper.GetString(KeyRuntimeSecurityPolicy)
switch viper.GetString(KeyUsernameMetadata) {
case "unix":
@@ -301,6 +305,8 @@ func AddFlags(flags *pflag.FlagSet) {
flags.String(KeyTracingPolicyDir, defaults.DefaultTpDir, "Directory from where to load Tracing Policies")
+ flags.String(KeyRuntimeSecurityPolicy, "", "Runtime security policy file to load at startup")
+
// Options for debugging/development, not visible to users
flags.String(KeyCpuProfile, "", "Store CPU profile into provided file")
flags.MarkHidden(KeyCpuProfile)
@@ -357,6 +363,7 @@ func AddFlags(flags *pflag.FlagSet) {
flags.Bool(KeyEnablePodInfo, false, "Enable PodInfo custom resource")
flags.Bool(KeyEnableTracingPolicyCRD, true, "Enable TracingPolicy and TracingPolicyNamespaced custom resources")
+ flags.Bool(KeyEnableRuntimeSecurityPolicyCRD, true, "Enable RuntimeSecurityPolicy custom resources")
flags.Bool(KeyExposeKernelAddresses, false, "Expose real kernel addresses in events stack traces")
flags.Bool(KeyExposeStackAddresses, false, "Expose real linear addresses in events stack traces")
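Review bot: `flags.Bool(KeyEnableRuntimeSecurityPolicyCRD, true, ...)` turns the new RuntimeSecurityPolicy CRD watcher on by default, which mirrors `KeyEnableTracingPolicyCRD` but means every deployment starts watching a resource that this change introduces for the first time. What happens when the CRD is not installed in the cluster is not visible in this diff, so if the watcher tolerates a missing CRD the help text should say so, and if it does not, a default of `false` for the first release is the safer choice. Either way the help string `"Enable RuntimeSecurityPolicy custom resources"` would benefit from naming the prerequisite, e.g. `"Enable RuntimeSecurityPolicy custom resources (requires the CRD to be installed)"`.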
diff --git a/pkg/runtimesecuritypolicy/runtimesecuritypolicy.go b/pkg/runtimesecuritypolicy/runtimesecuritypolicy.go
new file mode 100644
index 00000000000..97a203ee9de
--- /dev/null
+++ b/pkg/runtimesecuritypolicy/runtimesecuritypolicy.go
@@ -0,0 +1,170 @@
+package runtimesecuritypolicy
+
+import (
+ "fmt"
+ "strings"
+
+ "github.com/cilium/tetragon/api/v1/tetragon"
+ "github.com/cilium/tetragon/pkg/api/tracingapi"
+ "github.com/cilium/tetragon/pkg/eventhandler"
+ "github.com/cilium/tetragon/pkg/grpc/runtimesecuritypolicy"
+ "github.com/cilium/tetragon/pkg/grpc/tracing"
+ "github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1"
+ "github.com/cilium/tetragon/pkg/logger"
+ "github.com/cilium/tetragon/pkg/observer"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type RuntimeSecurityTracingPolicy struct {
+ // TracingPolicy is the translated tracing policy that implements the
+ // runtime security policy
+ v1alpha1.TracingPolicy
+
+ // runtimeSecurityPolicy is the original policy
+ runtimeSecurityPolicy *v1alpha1.RuntimeSecurityPolicy
+}
+
+// matchPathsToMatchArgsSelectors converts a RuntimeSecurityPolicy matchPaths
+// into a slice of TracingPolicy KProbeSelector
+func matchPathsToMatchArgsSelectors(matchPaths []v1alpha1.MatchPathsSelector, argIndex int) []v1alpha1.KProbeSelector {
+ if matchPaths == nil {
+ return nil
+ }
+
+ kprobeSelectors := []v1alpha1.KProbeSelector{}
+ for _, mp := range matchPaths {
+ // convert matchPaths pattern and operator into matchArgs operator
+ argOperator := string(mp.Pattern)
+ argOperator = strings.Replace(argOperator, "Full", "Equal", 1)
+ if strings.HasPrefix(string(mp.Operator), "Not") {
+ argOperator = "Not" + argOperator
+ }
+
+ kprobeSelectors = append(kprobeSelectors, v1alpha1.KProbeSelector{
+ MatchArgs: []v1alpha1.ArgSelector{
+ {
+ Index: uint32(argIndex),
+ Operator: argOperator,
+ Values: mp.Values,
+ },
+ },
+ })
+ }
+
+ return kprobeSelectors
+}
+
+// Handler return the handler that is called everytime the agent receives a
+// message that originates from this TracingPolicy, in the case of
+// RuntimeSecurityPolicy, we use it to translate the event from a TracingPolicy
+// event to a RuntimeSecurityPolicy event.
+func (p RuntimeSecurityTracingPolicy) Handler() eventhandler.Handler {
+ return func(evs []observer.Event, err error) ([]observer.Event, error) {
+ if err != nil {
+ return nil, fmt.Errorf("error in handling sandbox policy '%s' event: %w", "pizza", err)
+ }
+
+ out := make([]observer.Event, 0, len(evs))
+ for i := range evs {
+ ev := evs[i]
+ switch msg := ev.(type) {
+ case *tracing.MsgGenericKprobeUnix:
+ rsMsg := runtimesecuritypolicy.NewRuntimeSecurity(msg, kprobeToRuntimeSecurityEvents)
+ out = append(out, rsMsg)
+ default:
+ logger.GetLogger().Warn("unexpected event type (%T) in sandbox policy handler", ev)
+ out = append(out, ev)
+ }
+ }
+
+ return out, nil
+ }
+}
+
+func kprobeToRuntimeSecurityEvents(og *tracing.MsgGenericKprobeUnix, ev *tetragon.ProcessRuntimeSecurity) error {
+ if og.FuncName == "security_bprm_creds_from_file" {
+ ev.Rule = &tetragon.RuntimeSecurityRule{
+ Type: tetragon.RuntimeSecurityRuleType_RUNTIME_SECURITY_TYPE_EXECUTION,
+ }
+
+ if len(og.Args) > 0 {
+ if arg, ok := og.Args[0].(tracingapi.MsgGenericKprobeArgFile); ok {
+ ev.Rule.Execution = &tetragon.RuntimeSecurityExecution{
+ Path: arg.Value,
+ }
+ }
+ }
+
+ switch og.Msg.ActionId {
+ case tracingapi.ActionPost:
+ ev.Rule.Action = tetragon.RuntimeSecurityRuleAction_RUNTIME_SECURITY_ACTION_AUDIT
+ case tracingapi.ActionOverride:
+ ev.Rule.Action = tetragon.RuntimeSecurityRuleAction_RUNTIME_SECURITY_ACTION_BLOCK
+ }
+ }
+ return nil
+}
+
+func ToTracingPolicy(rspolicy v1alpha1.RuntimeSecurityPolicy) (*RuntimeSecurityTracingPolicy, error) {
+ err := validateRuntimeSecurityPolicy(rspolicy)
+ if err != nil {
+ return nil, fmt.Errorf("invalid RuntimeSecurityPolicy: %w", err)
+ }
+
+ tp := v1alpha1.TracingPolicy{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: rspolicy.Name,
+ Namespace: rspolicy.Namespace,
+ },
+ }
+
+ // TODO: Perform some validation on the selector
+ var matchPathsSelectors []v1alpha1.KProbeSelector
+ if selectors := rspolicy.Spec.Selectors; selectors != nil && selectors.ExecutableSelector != nil {
+ matchPathsSelectors = matchPathsToMatchArgsSelectors(selectors.ExecutableSelector.MatchPaths, 1)
+ }
+
+ for _, rule := range rspolicy.Spec.Rules {
+ switch rule.Type {
+ case v1alpha1.RuntimeSecurityPolicyRuleTypeExecution:
+ // Validation
+ if rule.ExecutionConfig == nil {
+ return nil, fmt.Errorf("invalid runtimeSecurityPolicy: rule type %s and config missing", rule.Type)
+ }
+
+ // Shared based between process Block and Audit action
+ executionKProbeSpec := v1alpha1.KProbeSpec{
+ Call: "security_bprm_creds_from_file",
+ Syscall: false,
+ Args: []v1alpha1.KProbeArg{
+ {
+ Index: 1,
+ Type: "file",
+ },
+ },
+ }
+
+ executionKProbeSpec.Selectors = matchPathsSelectors
+
+ // Add selector MatchAction for process Block action
+ if rule.ExecutionConfig.Action == v1alpha1.ExecutionConfigActionBlock {
+ for i := 0; i < len(executionKProbeSpec.Selectors); i++ {
+ executionKProbeSpec.Selectors[i].MatchActions = []v1alpha1.ActionSelector{
+ {
+ Action: "Override",
+ ArgError: -1,
+ },
+ }
+ }
+ }
+
+ tp.Spec.KProbes = append(tp.Spec.KProbes, executionKProbeSpec)
+ }
+
+ }
+
+ return &RuntimeSecurityTracingPolicy{
+ TracingPolicy: tp,
+ runtimeSecurityPolicy: &rspolicy,
+ }, nil
+}
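Review bot: `executionKProbeSpec.Selectors = matchPathsSelectors` aliases the one selector slice built before the rule loop, and the Block branch then writes `executionKProbeSpec.Selectors[i].MatchActions` through that shared backing array, so with more than one Execution rule an Audit rule's kprobe silently carries the Override action too (or a later Block rule rewrites an earlier rule's selectors); copy per rule with `executionKProbeSpec.Selectors = append([]v1alpha1.KProbeSelector(nil), matchPathsSelectors...)`. In the same loop the Override action is only attached per selector, so a Block rule whose policy has no executable selector (or an empty `matchPaths`) yields a kprobe with no MatchActions, and the handler's `ActionId` switch then reports it as `RUNTIME_SECURITY_ACTION_AUDIT`; if "block every execution" is meant to be expressible, that case needs an explicit catch-all selector, otherwise `validateRuntimeSecurityPolicy` should reject Block without a selector rather than degrade it to audit. The error message in `Handler` still carries the placeholder `"pizza"` and both messages say "sandbox policy"; use `p.Name` and the RuntimeSecurityPolicy wording. The `Warn("unexpected event type (%T) ...", ev)` call uses a printf verb, which a logrus-style `Warn` does not format — presumably `Warnf` or a `WithField("type", fmt.Sprintf("%T", ev))` is intended.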
diff --git a/pkg/runtimesecuritypolicy/runtimesecuritypolicy_test.go b/pkg/runtimesecuritypolicy/runtimesecuritypolicy_test.go
new file mode 100644
index 00000000000..454d51a64dd
--- /dev/null
+++ b/pkg/runtimesecuritypolicy/runtimesecuritypolicy_test.go
@@ -0,0 +1,136 @@
+package runtimesecuritypolicy
+
+import (
+ "reflect"
+ "testing"
+
+ "github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1"
+)
+
+func TestToTracingPolicy(t *testing.T) {
+ tests := []struct {
+ name string
+ rspolicy v1alpha1.RuntimeSecurityPolicy
+ want v1alpha1.TracingPolicySpec
+ wantErr bool
+ }{
+ {
+ name: "simpleAudit",
+ rspolicy: v1alpha1.RuntimeSecurityPolicy{
+ Spec: v1alpha1.RuntimeSecurityPolicySpec{
+ Selectors: &v1alpha1.RuntimeSecurityPolicySelector{
+ ExecutableSelector: &v1alpha1.ExecutableSelector{
+ MatchPaths: []v1alpha1.MatchPathsSelector{
+ {
+ Pattern: "Full",
+ Operator: "In",
+ Values: []string{"/usr/bin/who", "/usr/bin/ls"},
+ },
+ },
+ },
+ },
+ Rules: []v1alpha1.RuntimeSecurityPolicyRule{
+ {
+ Type: "Execution",
+ ExecutionConfig: &v1alpha1.RuleExecutionConfig{
+ Action: "Audit",
+ },
+ },
+ },
+ },
+ },
+ want: v1alpha1.TracingPolicySpec{
+ KProbes: []v1alpha1.KProbeSpec{
+ {
+ Call: "security_bprm_creds_from_file",
+ Args: []v1alpha1.KProbeArg{
+ {
+ Index: 1,
+ Type: "file",
+ },
+ },
+ Selectors: []v1alpha1.KProbeSelector{
+ {
+ MatchArgs: []v1alpha1.ArgSelector{
+ {
+ Index: 1,
+ Operator: "Equal",
+ Values: []string{"/usr/bin/who", "/usr/bin/ls"},
+ },
+ },
+ },
+ },
+ },
+ },
+ },
+ },
+ {
+ name: "simpleBlock",
+ rspolicy: v1alpha1.RuntimeSecurityPolicy{
+ Spec: v1alpha1.RuntimeSecurityPolicySpec{
+ Selectors: &v1alpha1.RuntimeSecurityPolicySelector{
+ ExecutableSelector: &v1alpha1.ExecutableSelector{
+ MatchPaths: []v1alpha1.MatchPathsSelector{
+ {
+ Pattern: "Full",
+ Operator: "In",
+ Values: []string{"/usr/bin/who", "/usr/bin/ls"},
+ },
+ },
+ },
+ },
+ Rules: []v1alpha1.RuntimeSecurityPolicyRule{
+ {
+ Type: "Execution",
+ ExecutionConfig: &v1alpha1.RuleExecutionConfig{
+ Action: "Block",
+ },
+ },
+ },
+ },
+ },
+ want: v1alpha1.TracingPolicySpec{
+ KProbes: []v1alpha1.KProbeSpec{
+ {
+ Call: "security_bprm_creds_from_file",
+ Args: []v1alpha1.KProbeArg{
+ {
+ Index: 1,
+ Type: "file",
+ },
+ },
+ Selectors: []v1alpha1.KProbeSelector{
+ {
+ MatchArgs: []v1alpha1.ArgSelector{
+ {
+ Index: 1,
+ Operator: "Equal",
+ Values: []string{"/usr/bin/who", "/usr/bin/ls"},
+ },
+ },
+ MatchActions: []v1alpha1.ActionSelector{
+ {
+ Action: "Override",
+ ArgError: -1,
+ },
+ },
+ },
+ },
+ },
+ },
+ },
+ },
+ }
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ got, err := ToTracingPolicy(tt.rspolicy)
+ if (err != nil) != tt.wantErr {
+ t.Errorf("ToTracingPolicy() error = %v, wantErr %v", err, tt.wantErr)
+ return
+ }
+ if !reflect.DeepEqual(got.TracingPolicy.Spec, tt.want) {
+ t.Errorf("ToTracingPolicy() = %v, want %v", got, tt.want)
+ }
+ })
+ }
+}
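Review bot: The table has no case with more than one rule and none with a Block rule that has no `matchPaths`, which are the two inputs where ToTracingPolicy's in-place `MatchActions` write and its per-selector Override attachment can produce a policy that differs from what the rule says; a case with an Audit rule followed by a Block rule, asserting the Audit kprobe has no MatchActions, would pin the intended behaviour. `got.TracingPolicy.Spec` at the bottom of the loop is also dereferenced when `tt.wantErr` is true and `err != nil`, so the first error case added to this table will panic on a nil `got`; add `if tt.wantErr { return }` after the error check.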
diff --git a/pkg/runtimesecuritypolicy/validation.go b/pkg/runtimesecuritypolicy/validation.go
new file mode 100644
index 00000000000..329af5739bc
--- /dev/null
+++ b/pkg/runtimesecuritypolicy/validation.go
@@ -0,0 +1,232 @@
+package runtimesecuritypolicy
+
+import (
+ "fmt"
+ "os"
+ "sync"
+
+ "github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client"
+ "github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1"
+ "github.com/cilium/tetragon/pkg/selectors"
+ ext "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
+ extv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+ apischema "k8s.io/apiextensions-apiserver/pkg/apiserver/schema"
+ structuraldefaulting "k8s.io/apiextensions-apiserver/pkg/apiserver/schema/defaulting"
+ "k8s.io/apiextensions-apiserver/pkg/apiserver/validation"
+ apivalidation "k8s.io/apimachinery/pkg/api/validation"
+ "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+ "k8s.io/apimachinery/pkg/util/validation/field"
+ "k8s.io/kube-openapi/pkg/validation/validate"
+ "sigs.k8s.io/yaml"
+)
+
+type validatorMap = map[schema.GroupVersionKind]validation.SchemaValidator
+
+var getStructuralRuntimeSecurityPolicy func() (*apischema.Structural, error) = sync.OnceValues(
+ func() (*apischema.Structural, error) {
+ var crdRuntimeSecurityPolicy ext.CustomResourceDefinition
+ err := extv1.Convert_v1_CustomResourceDefinition_To_apiextensions_CustomResourceDefinition(
+ &client.RuntimeSecurityPolicyCRD.Definition,
+ &crdRuntimeSecurityPolicy,
+ nil,
+ )
+ if err != nil {
+ return nil, fmt.Errorf("failed to convert RuntimeSecurityPolicy CRD: %w", err)
+ }
+ structural, err := apischema.NewStructural(crdRuntimeSecurityPolicy.Spec.Validation.OpenAPIV3Schema)
+ if err != nil {
+ return nil, fmt.Errorf("failed to initialize structural for RuntimeSecurityPolicy: %w", err)
+ }
+ return structural, nil
+ },
+)
+
+var getValidators func() (validatorMap, error) = sync.OnceValues(
+ func() (validatorMap, error) {
+ ret := make(validatorMap)
+
+ crds := []*extv1.CustomResourceDefinition{
+ &client.RuntimeSecurityPolicyCRD.Definition,
+ }
+
+ for _, crd := range crds {
+ for _, ver := range crd.Spec.Versions {
+ internalVer := ext.CustomResourceDefinitionVersion{}
+ extv1.Convert_v1_CustomResourceDefinitionVersion_To_apiextensions_CustomResourceDefinitionVersion(&ver, &internalVer, nil)
+ validator, _, err := validation.NewSchemaValidator(internalVer.Schema.OpenAPIV3Schema)
+ if err != nil {
+ return nil, fmt.Errorf("failed to initialize validator: %w", err)
+ }
+ key := schema.GroupVersionKind{
+ Version: ver.Name,
+ Group: crd.Spec.Group,
+ Kind: crd.Spec.Names.Kind,
+ }
+ ret[key] = validator
+ }
+ }
+
+ return ret, nil
+ },
+)
+
+func FromYAML(data []byte) (*v1alpha1.RuntimeSecurityPolicy, error) {
+ rawPolicy, unstructuredPolicy, err := ApplyCRDDefault(data)
+ if err != nil {
+ return nil, fmt.Errorf("error applying CRD defaults: %w", err)
+ }
+
+ var runtimeSecurityPolicy v1alpha1.RuntimeSecurityPolicy
+
+ kind := unstructuredPolicy.GetKind()
+ switch kind {
+ case v1alpha1.RuntimeSecurityPolicyKindDefinition:
+ err = yaml.UnmarshalStrict(rawPolicy, &runtimeSecurityPolicy)
+ if err != nil {
+ return nil, fmt.Errorf("failed to unmarshal object with defaults: %w", err)
+ }
+ default:
+ return nil, fmt.Errorf("unknown kind: %s", kind)
+ }
+
+ validationResult, err := ValidateCRD(runtimeSecurityPolicy)
+ if err != nil {
+ return nil, fmt.Errorf("validation failed on policy %s: %w", runtimeSecurityPolicy.ObjectMeta.Name, err)
+ }
+
+ if len(validationResult.Errors) > 0 {
+ return nil, fmt.Errorf("validation failed: %q: %w", runtimeSecurityPolicy.ObjectMeta.Name, validationResult.AsError())
+ }
+
+ return &runtimeSecurityPolicy, nil
+}
+
+func FromYAMLToTracingPolicy(data []byte) (*RuntimeSecurityTracingPolicy, error) {
+ rsp, err := FromYAML(data)
+ if err != nil {
+ return nil, err
+ }
+
+ return ToTracingPolicy(*rsp)
+}
+
+func FromFile(path string) (*v1alpha1.RuntimeSecurityPolicy, error) {
+ policy, err := os.ReadFile(path)
+ if err != nil {
+ return nil, err
+ }
+ tp, err := FromYAML(policy)
+ if err != nil {
+ return nil, fmt.Errorf("failed loading runtime security policy file %q: %w", path, err)
+ }
+ return tp, nil
+}
+
+func FromFileToTracingPolicy(path string) (*RuntimeSecurityTracingPolicy, error) {
+ rsp, err := FromFile(path)
+ if err != nil {
+ return nil, err
+ }
+ return ToTracingPolicy(*rsp)
+}
+
+func ValidateCRD(policy v1alpha1.RuntimeSecurityPolicy) (*validate.Result, error) {
+ metaErrors := ValidateCRDMeta(policy)
+
+ specErrors, err := ValidateCRDSpec(policy)
+ if err != nil {
+ return nil, err
+ }
+
+ // combine meta and spec validation errors
+ specErrors.Errors = append(metaErrors, specErrors.Errors...)
+ return specErrors, nil
+}
+
+func ValidateCRDMeta(policy v1alpha1.RuntimeSecurityPolicy) []error {
+ errs := []error{}
+ requireNamespace := false
+ // if policy.GetObjectKind().GroupVersionKind().Kind == v1alpha1.RuntimeSecurityPolicyKindDefinition {
+ // requireNamespace = true
+ // }
+
+ errorList := apivalidation.ValidateObjectMeta(&policy.ObjectMeta, requireNamespace, apivalidation.NameIsDNSSubdomain, field.NewPath("metadata"))
+ for _, err := range errorList {
+ errs = append(errs, err)
+ }
+ return errs
+}
+
+func ValidateCRDSpec(policy v1alpha1.RuntimeSecurityPolicy) (*validate.Result, error) {
+ validatorMap, err := getValidators()
+ if err != nil {
+ return nil, fmt.Errorf("failed to initialize validators: %w", err)
+ }
+
+ v, ok := validatorMap[policy.GroupVersionKind()]
+ if !ok {
+ return nil, fmt.Errorf("could not find validator for %s", policy.GroupVersionKind().String())
+ }
+
+ return v.Validate(policy), nil
+}
+
+func ApplyCRDDefault(rawPolicy []byte) ([]byte, unstructured.Unstructured, error) {
+ // unmarshall into an unstructured object
+ var policyUnstr unstructured.Unstructured
+ err := yaml.UnmarshalStrict(rawPolicy, &policyUnstr)
+ if err != nil {
+ return nil, policyUnstr, fmt.Errorf("failed to unmarshall policy: %v", err)
+ }
+
+ // apply defaults
+ switch policyUnstr.GetKind() {
+ case v1alpha1.RuntimeSecurityPolicyKindDefinition:
+ structural, err := getStructuralRuntimeSecurityPolicy()
+ if err != nil {
+ return nil, policyUnstr, fmt.Errorf("failed to get structural: %w", err)
+ }
+ structuraldefaulting.Default(policyUnstr.Object, structural)
+ default:
+ return nil, policyUnstr, fmt.Errorf("default: unknown kind: %s", policyUnstr.GetKind())
+ }
+
+ // marshal defaulted unstructured object into json
+ rawPolicyWithDefault, err := policyUnstr.MarshalJSON()
+ if err != nil {
+ return nil, policyUnstr, fmt.Errorf("failed to marshal defaulted object: %w", err)
+ }
+
+ return rawPolicyWithDefault, policyUnstr, nil
+}
+
+// validateRuntimeSecurityPolicy validates the policy and should run after the
+// CRD validation step, it is assuming that the CRD validation step is already
+// enforced.
+func validateRuntimeSecurityPolicy(policy v1alpha1.RuntimeSecurityPolicy) error {
+ // The CRD validation steps verify that oneOf [executionConfig] is set
+ // because we can't use CEL (yet) to capture that executionConfig should be
+ // set if and only if Type is "Execution"
+ for _, rule := range policy.Spec.Rules {
+ switch rule.Type {
+ case "Execution":
+ if rule.ExecutionConfig == nil {
+ return fmt.Errorf("rule type is Execution and ExecutionConfig is nil")
+ }
+ }
+ }
+
+ if sel := policy.Spec.Selectors; sel != nil && sel.ExecutableSelector != nil {
+ for i, mp := range sel.ExecutableSelector.MatchPaths {
+ for j, value := range mp.Values {
+ err := selectors.ArgStringValueMaxLength(value)
+ if err != nil {
+ return fmt.Errorf("invalid executable selector value matchPaths[%d].value[%d]: %w", i, j, err)
+ }
+ }
+ }
+ }
+
+ return nil
+}
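Review bot: The return value of `extv1.Convert_v1_CustomResourceDefinitionVersion_To_apiextensions_CustomResourceDefinitionVersion(&ver, &internalVer, nil)` in `getValidators` is discarded, unlike the sibling conversion in `getStructuralRuntimeSecurityPolicy`, so a failed conversion leaves `internalVer` zero-valued and hands a nil schema to `NewSchemaValidator`, and whatever validator that produces is then registered for the kind; check it with `if err := extv1.Convert_v1_CustomResourceDefinitionVersion_To_apiextensions_CustomResourceDefinitionVersion(&ver, &internalVer, nil); err != nil { return nil, fmt.Errorf("converting CRD version %s: %w", ver.Name, err) }`. `validateRuntimeSecurityPolicy` compares `rule.Type` against the literal `"Execution"` while `ToTracingPolicy` uses `v1alpha1.RuntimeSecurityPolicyRuleTypeExecution`; use the constant in both so the two checks cannot drift. The `ApplyCRDDefault` unmarshal error is wrapped with `%v` where every other site uses `%w`, and the commented-out `requireNamespace` block in `ValidateCRDMeta` should either become a TODO explaining why namespace is not yet required or be dropped.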
diff --git a/pkg/runtimesecuritypolicy/validation_test.go b/pkg/runtimesecuritypolicy/validation_test.go
new file mode 100644
index 00000000000..94d93068fa0
--- /dev/null
+++ b/pkg/runtimesecuritypolicy/validation_test.go
@@ -0,0 +1,463 @@
+package runtimesecuritypolicy
+
+import (
+ "testing"
+
+ "github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1"
+ v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func TestValidateCRD(t *testing.T) {
+ typeMeta := v1.TypeMeta{
+ Kind: "RuntimeSecurityPolicy",
+ APIVersion: "cilium.io/v1alpha1",
+ }
+
+ tests := []struct {
+ name string
+ policy v1alpha1.RuntimeSecurityPolicy
+ wantValidationError bool
+ wantErr bool
+ }{
+ {
+ name: "requireName",
+ policy: v1alpha1.RuntimeSecurityPolicy{
+ TypeMeta: typeMeta,
+ },
+ wantValidationError: true,
+ },
+ {
+ name: "invalidName",
+ policy: v1alpha1.RuntimeSecurityPolicy{
+ TypeMeta: typeMeta,
+ ObjectMeta: v1.ObjectMeta{
+ Name: "invalid_name",
+ },
+ },
+ wantValidationError: true,
+ },
+ {
+ name: "nullRules",
+ policy: v1alpha1.RuntimeSecurityPolicy{
+ TypeMeta: typeMeta,
+ ObjectMeta: v1.ObjectMeta{
+ Name: "valid-name",
+ },
+ Spec: v1alpha1.RuntimeSecurityPolicySpec{},
+ },
+ wantValidationError: true,
+ },
+ {
+ name: "emptyRules",
+ policy: v1alpha1.RuntimeSecurityPolicy{
+ TypeMeta: typeMeta,
+ ObjectMeta: v1.ObjectMeta{
+ Name: "valid-name",
+ },
+ Spec: v1alpha1.RuntimeSecurityPolicySpec{
+ Rules: []v1alpha1.RuntimeSecurityPolicyRule{},
+ },
+ },
+ wantValidationError: true,
+ },
+ {
+ name: "invalidRuleType",
+ policy: v1alpha1.RuntimeSecurityPolicy{
+ TypeMeta: typeMeta,
+ ObjectMeta: v1.ObjectMeta{
+ Name: "valid-name",
+ },
+ Spec: v1alpha1.RuntimeSecurityPolicySpec{
+ Rules: []v1alpha1.RuntimeSecurityPolicyRule{
+ {
+ Type: "invalid",
+ },
+ },
+ },
+ },
+ wantValidationError: true,
+ },
+ {
+ name: "invalidRuleExecutionWithoutConfig",
+ policy: v1alpha1.RuntimeSecurityPolicy{
+ TypeMeta: typeMeta,
+ ObjectMeta: v1.ObjectMeta{
+ Name: "valid-name",
+ },
+ Spec: v1alpha1.RuntimeSecurityPolicySpec{
+ Rules: []v1alpha1.RuntimeSecurityPolicyRule{
+ {
+ Type: "Execution",
+ },
+ },
+ },
+ },
+ wantValidationError: true,
+ },
+ {
+ name: "invalidRuleExecutionConfigAction",
+ policy: v1alpha1.RuntimeSecurityPolicy{
+ TypeMeta: typeMeta,
+ ObjectMeta: v1.ObjectMeta{
+ Name: "valid-name",
+ },
+ Spec: v1alpha1.RuntimeSecurityPolicySpec{
+ Rules: []v1alpha1.RuntimeSecurityPolicyRule{
+ {
+ Type: "Execution",
+ ExecutionConfig: &v1alpha1.RuleExecutionConfig{
+ Action: "invalid",
+ },
+ },
+ },
+ },
+ },
+ wantValidationError: true,
+ },
+ {
+ name: "validRuleExecutionAudit",
+ policy: v1alpha1.RuntimeSecurityPolicy{
+ TypeMeta: typeMeta,
+ ObjectMeta: v1.ObjectMeta{
+ Name: "valid-name",
+ },
+ Spec: v1alpha1.RuntimeSecurityPolicySpec{
+ Rules: []v1alpha1.RuntimeSecurityPolicyRule{
+ {
+ Type: "Execution",
+ ExecutionConfig: &v1alpha1.RuleExecutionConfig{
+ Action: "Audit",
+ },
+ },
+ },
+ },
+ },
+ wantValidationError: false,
+ },
+ {
+ name: "validRuleExecutionAudit",
+ policy: v1alpha1.RuntimeSecurityPolicy{
+ TypeMeta: typeMeta,
+ ObjectMeta: v1.ObjectMeta{
+ Name: "valid-name",
+ },
+ Spec: v1alpha1.RuntimeSecurityPolicySpec{
+ Rules: []v1alpha1.RuntimeSecurityPolicyRule{
+ {
+ Type: "Execution",
+ ExecutionConfig: &v1alpha1.RuleExecutionConfig{
+ Action: "Audit",
+ },
+ },
+ },
+ },
+ },
+ wantValidationError: false,
+ },
+ {
+ name: "emptySelector",
+ policy: v1alpha1.RuntimeSecurityPolicy{
+ TypeMeta: typeMeta,
+ ObjectMeta: v1.ObjectMeta{
+ Name: "valid-name",
+ },
+ Spec: v1alpha1.RuntimeSecurityPolicySpec{
+ Selectors: &v1alpha1.RuntimeSecurityPolicySelector{},
+ Rules: []v1alpha1.RuntimeSecurityPolicyRule{
+ {
+ Type: "Execution",
+ ExecutionConfig: &v1alpha1.RuleExecutionConfig{
+ Action: "Audit",
+ },
+ },
+ },
+ },
+ },
+ wantValidationError: false,
+ },
+ {
+ name: "emptyExecutableSelector",
+ policy: v1alpha1.RuntimeSecurityPolicy{
+ TypeMeta: typeMeta,
+ ObjectMeta: v1.ObjectMeta{
+ Name: "valid-name",
+ },
+ Spec: v1alpha1.RuntimeSecurityPolicySpec{
+ Selectors: &v1alpha1.RuntimeSecurityPolicySelector{
+ ExecutableSelector: &v1alpha1.ExecutableSelector{},
+ },
+ Rules: []v1alpha1.RuntimeSecurityPolicyRule{
+ {
+ Type: "Execution",
+ ExecutionConfig: &v1alpha1.RuleExecutionConfig{
+ Action: "Audit",
+ },
+ },
+ },
+ },
+ },
+ wantValidationError: false,
+ },
+ {
+ name: "emptyExecutableMatchPathsSelector",
+ policy: v1alpha1.RuntimeSecurityPolicy{
+ TypeMeta: typeMeta,
+ ObjectMeta: v1.ObjectMeta{
+ Name: "valid-name",
+ },
+ Spec: v1alpha1.RuntimeSecurityPolicySpec{
+ Selectors: &v1alpha1.RuntimeSecurityPolicySelector{
+ ExecutableSelector: &v1alpha1.ExecutableSelector{
+ MatchPaths: []v1alpha1.MatchPathsSelector{},
+ },
+ },
+ Rules: []v1alpha1.RuntimeSecurityPolicyRule{
+ {
+ Type: "Execution",
+ ExecutionConfig: &v1alpha1.RuleExecutionConfig{
+ Action: "Audit",
+ },
+ },
+ },
+ },
+ },
+ wantValidationError: false,
+ },
+ {
+ name: "emptyMatchPathsSelector",
+ policy: v1alpha1.RuntimeSecurityPolicy{
+ TypeMeta: typeMeta,
+ ObjectMeta: v1.ObjectMeta{
+ Name: "valid-name",
+ },
+ Spec: v1alpha1.RuntimeSecurityPolicySpec{
+ Selectors: &v1alpha1.RuntimeSecurityPolicySelector{
+ ExecutableSelector: &v1alpha1.ExecutableSelector{
+ MatchPaths: []v1alpha1.MatchPathsSelector{
+ {},
+ },
+ },
+ },
+ Rules: []v1alpha1.RuntimeSecurityPolicyRule{
+ {
+ Type: "Execution",
+ ExecutionConfig: &v1alpha1.RuleExecutionConfig{
+ Action: "Audit",
+ },
+ },
+ },
+ },
+ },
+ wantValidationError: true,
+ },
+ {
+ name: "invalidMatchPathsSelectorPattern",
+ policy: v1alpha1.RuntimeSecurityPolicy{
+ TypeMeta: typeMeta,
+ ObjectMeta: v1.ObjectMeta{
+ Name: "valid-name",
+ },
+ Spec: v1alpha1.RuntimeSecurityPolicySpec{
+ Selectors: &v1alpha1.RuntimeSecurityPolicySelector{
+ ExecutableSelector: &v1alpha1.ExecutableSelector{
+ MatchPaths: []v1alpha1.MatchPathsSelector{
+ {
+ Pattern: "invalid",
+ Operator: "In",
+ },
+ },
+ },
+ },
+ Rules: []v1alpha1.RuntimeSecurityPolicyRule{
+ {
+ Type: "Execution",
+ ExecutionConfig: &v1alpha1.RuleExecutionConfig{
+ Action: "Audit",
+ },
+ },
+ },
+ },
+ },
+ wantValidationError: true,
+ },
+ {
+ name: "invalidMatchPathsSelectorOperator",
+ policy: v1alpha1.RuntimeSecurityPolicy{
+ TypeMeta: typeMeta,
+ ObjectMeta: v1.ObjectMeta{
+ Name: "valid-name",
+ },
+ Spec: v1alpha1.RuntimeSecurityPolicySpec{
+ Selectors: &v1alpha1.RuntimeSecurityPolicySelector{
+ ExecutableSelector: &v1alpha1.ExecutableSelector{
+ MatchPaths: []v1alpha1.MatchPathsSelector{
+ {
+ Pattern: "Full",
+ Operator: "invalid",
+ },
+ },
+ },
+ },
+ Rules: []v1alpha1.RuntimeSecurityPolicyRule{
+ {
+ Type: "Execution",
+ ExecutionConfig: &v1alpha1.RuleExecutionConfig{
+ Action: "Audit",
+ },
+ },
+ },
+ },
+ },
+ wantValidationError: true,
+ },
+ {
+ name: "validMatchPathsSelector",
+ policy: v1alpha1.RuntimeSecurityPolicy{
+ TypeMeta: typeMeta,
+ ObjectMeta: v1.ObjectMeta{
+ Name: "valid-name",
+ },
+ Spec: v1alpha1.RuntimeSecurityPolicySpec{
+ Selectors: &v1alpha1.RuntimeSecurityPolicySelector{
+ ExecutableSelector: &v1alpha1.ExecutableSelector{
+ MatchPaths: []v1alpha1.MatchPathsSelector{
+ {
+ Pattern: "Full",
+ Operator: "In",
+ },
+ },
+ },
+ },
+ Rules: []v1alpha1.RuntimeSecurityPolicyRule{
+ {
+ Type: "Execution",
+ ExecutionConfig: &v1alpha1.RuleExecutionConfig{
+ Action: "Audit",
+ },
+ },
+ },
+ },
+ },
+ wantValidationError: false,
+ },
+ {
+ name: "validMatchPathsSelectorWithValues",
+ policy: v1alpha1.RuntimeSecurityPolicy{
+ TypeMeta: typeMeta,
+ ObjectMeta: v1.ObjectMeta{
+ Name: "valid-name",
+ },
+ Spec: v1alpha1.RuntimeSecurityPolicySpec{
+ Selectors: &v1alpha1.RuntimeSecurityPolicySelector{
+ ExecutableSelector: &v1alpha1.ExecutableSelector{
+ MatchPaths: []v1alpha1.MatchPathsSelector{
+ {
+ Pattern: "Full",
+ Operator: "In",
+ Values: []string{"/usr/bin/who", "/usr/bin/ps"},
+ },
+ },
+ },
+ },
+ Rules: []v1alpha1.RuntimeSecurityPolicyRule{
+ {
+ Type: "Execution",
+ ExecutionConfig: &v1alpha1.RuleExecutionConfig{
+ Action: "Audit",
+ },
+ },
+ },
+ },
+ },
+ wantValidationError: false,
+ },
+ }
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ got, err := ValidateCRD(tt.policy)
+ if (err != nil) != tt.wantErr {
+ t.Errorf("error = %v, wantErr %v", err, tt.wantErr)
+ return
+ }
+ if len(got.Errors) == 0 && tt.wantValidationError {
+ t.Errorf("got no validation error when it expected one, policy: %v", tt.policy)
+ }
+ if len(got.Errors) > 0 && !tt.wantValidationError {
+ t.Errorf("got validation error when it expected none, policy: %v, validation errors: %v", tt.policy, got.Errors)
+ }
+ })
+ }
+}
+
+func Test_validateRuntimeSecurityPolicy(t *testing.T) {
+ tests := []struct {
+ name string
+ policy v1alpha1.RuntimeSecurityPolicy
+ wantErr bool
+ }{
+ {
+ name: "validPolicy",
+ wantErr: false,
+ policy: v1alpha1.RuntimeSecurityPolicy{
+ ObjectMeta: v1.ObjectMeta{
+ Name: "valid-name",
+ },
+ Spec: v1alpha1.RuntimeSecurityPolicySpec{
+ Selectors: &v1alpha1.RuntimeSecurityPolicySelector{
+ ExecutableSelector: &v1alpha1.ExecutableSelector{
+ MatchPaths: []v1alpha1.MatchPathsSelector{
+ {
+ Pattern: "Full",
+ Operator: "In",
+ Values: []string{"/usr/bin/who", "/usr/bin/ps"},
+ },
+ },
+ },
+ },
+ Rules: []v1alpha1.RuntimeSecurityPolicyRule{
+ {
+ Type: "Execution",
+ ExecutionConfig: &v1alpha1.RuleExecutionConfig{
+ Action: "Audit",
+ },
+ },
+ },
+ },
+ },
+ },
+ {
+ name: "noExecutionConfig",
+ wantErr: true,
+ policy: v1alpha1.RuntimeSecurityPolicy{
+ ObjectMeta: v1.ObjectMeta{
+ Name: "valid-name",
+ },
+ Spec: v1alpha1.RuntimeSecurityPolicySpec{
+ Selectors: &v1alpha1.RuntimeSecurityPolicySelector{
+ ExecutableSelector: &v1alpha1.ExecutableSelector{
+ MatchPaths: []v1alpha1.MatchPathsSelector{
+ {
+ Pattern: "Full",
+ Operator: "In",
+ Values: []string{"/usr/bin/who", "/usr/bin/ps"},
+ },
+ },
+ },
+ },
+ Rules: []v1alpha1.RuntimeSecurityPolicyRule{
+ {
+ Type: "Execution",
+ },
+ },
+ },
+ },
+ },
+ }
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ if err := validateRuntimeSecurityPolicy(tt.policy); (err != nil) != tt.wantErr {
+ t.Errorf("validateRuntimeSecurityPolicy error = %v, wantErr %v", err, tt.wantErr)
+ }
+ })
+ }
+}
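Review bot: The `validRuleExecutionAudit` case appears twice with identical bodies, so one of them is a leftover; presumably the second was meant to be a `validRuleExecutionBlock` case with `Action: "Block"`, which the table otherwise never exercises even though Block is the action that turns into an Override. `got.Errors` in the loop is dereferenced when `tt.wantErr` is true and `err != nil`, which would panic on a nil `got`; add `if tt.wantErr { return }` after the error check. `Test_validateRuntimeSecurityPolicy` has no case for an over-long `matchPaths` value, which is the only check in that function beyond the nil `ExecutionConfig` one.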
diff --git a/pkg/selectors/selectors.go b/pkg/selectors/selectors.go
index 27bd49fd82b..e4ac0c3824a 100644
--- a/pkg/selectors/selectors.go
+++ b/pkg/selectors/selectors.go
@@ -338,6 +338,25 @@ func stringPaddedLen(s int) int {
return StringMapSize7a - 2
}
+// ArgStringValueMaxLength return the max length that can be used in a matchArgs
+// with a string type depending on the kernel version
+func ArgStringValueMaxLength(str string) error {
+ s := len([]byte(str))
+ if kernels.MinKernelVersion("5.11") {
+ if s > MaxStringMapsSize-2 {
+ return fmt.Errorf("string is too long: length (%d) > maximum limit (%d)", s, MaxStringMapsSize-2)
+ }
+ } else if kernels.MinKernelVersion("5.4") {
+ if s > StringMapSize7a-2 {
+ return fmt.Errorf("string is too long: length (%d) > maximum limit (%d)", s, StringMapSize7a-2)
+ }
+ }
+ if s > stringMapSize5-1 {
+ return fmt.Errorf("string is too long: length (%d) > maximum limit (%d)", s, stringMapSize5-1)
+ }
+ return nil
+}
+
func ArgStringSelectorValue(v string, removeNul bool) ([MaxStringMapsSize]byte, int, error) {
if removeNul {
// Remove any trailing nul characters ("\0" or 0x00)
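Review bot: `ArgStringValueMaxLength` drops the `else` that the removed chain in `ArgStringSelectorValue` had, so on a 5.11+ or 5.4+ kernel a string that passes the first bound falls through to `if s > stringMapSize5-1` and is rejected by the pre-5.4 limit anyway; unless `stringMapSize5-1` is at least as large as the other two bounds, this narrows what every existing matchArgs caller can accept. Restore the chain with `} else if s > stringMapSize5-1 {` in place of the closing brace and the standalone `if` at the end of the function. The doc comment says the function "return[s] the max length" but it returns an error, and `len([]byte(str))` is just `len(str)`.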
@@ -346,21 +365,12 @@ func ArgStringSelectorValue(v string, removeNul bool) ([MaxStringMapsSize]byte,
}
}
ret := [MaxStringMapsSize]byte{}
+ err := ArgStringValueMaxLength(v)
+ if err != nil {
+ return ret, 0, err
+ }
b := []byte(v)
s := len(b)
- if kernels.MinKernelVersion("5.11") {
- if s > MaxStringMapsSize-2 {
- return ret, 0, fmt.Errorf("string is too long")
- }
- } else if kernels.MinKernelVersion("5.4") {
- if s > StringMapSize7a-2 {
- return ret, 0, fmt.Errorf("string is too long")
- }
- } else {
- if s > stringMapSize5-1 {
- return ret, 0, fmt.Errorf("string is too long")
- }
- }
if s == 0 {
return ret, 0, fmt.Errorf("string is empty")
}
diff --git a/pkg/watcher/crd/runtimesecuritypolicy.go b/pkg/watcher/crd/runtimesecuritypolicy.go
new file mode 100644
index 00000000000..48d665e6d5f
--- /dev/null
+++ b/pkg/watcher/crd/runtimesecuritypolicy.go
@@ -0,0 +1,164 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Tetragon
+
+package crd
+
+import (
+ "context"
+ "fmt"
+
+ "github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1"
+ "github.com/cilium/tetragon/pkg/k8s/client/clientset/versioned"
+ "github.com/cilium/tetragon/pkg/k8s/client/informers/externalversions"
+ "github.com/cilium/tetragon/pkg/logger"
+ "github.com/cilium/tetragon/pkg/runtimesecuritypolicy"
+ "github.com/cilium/tetragon/pkg/sensors"
+ k8sconf "github.com/cilium/tetragon/pkg/watcher/conf"
+ "github.com/sirupsen/logrus"
+ "k8s.io/apimachinery/pkg/util/wait"
+ "k8s.io/client-go/tools/cache"
+)
+
+func addRuntimeSecurityPolicy(ctx context.Context, log logrus.FieldLogger, s *sensors.Manager,
+ obj interface{},
+) {
+ switch rsp := obj.(type) {
+ case *v1alpha1.RuntimeSecurityPolicy:
+ if rsp != nil {
+ log.WithField("name", rsp.Name).Info("converting RuntimeSecurityPolicy and adding TracingPolicy")
+ tp, err := runtimesecuritypolicy.ToTracingPolicy(*rsp)
+ if err != nil {
+ log.WithError(err).WithField("name", rsp.Name).Warn("converting RuntimeSecurityPolicy failed")
+ return
+ }
+ err = s.AddTracingPolicy(ctx, tp)
+ if err != nil {
+ log.WithError(err).WithField("name", rsp.Name).Warn("adding RuntimeSecurityPolicy failed")
+ return
+ }
+ }
+ default:
+ log.WithFields(logrus.Fields{
+ "obj": obj,
+ "obj-type": fmt.Sprintf("%T", obj),
+ }).Warn("addRuntimeSecurityPolicy: invalid type")
+ return
+ }
+}
+
+func deleteRuntimeSecurityPolicy(ctx context.Context, log logrus.FieldLogger, s *sensors.Manager,
+ obj interface{},
+) {
+ switch rsp := obj.(type) {
+ case *v1alpha1.RuntimeSecurityPolicy:
+ if rsp != nil {
+ log.WithField("name", rsp.Name).Info("deleting TracingPolicy associated with RuntimeSecurityPolicy")
+ err := s.DeleteTracingPolicy(ctx, rsp.Name, rsp.Namespace)
+ if err != nil {
+ log.WithError(err).WithField("name", rsp.Name).Warn("deleting RuntimeSecurityPolicy failed")
+ return
+ }
+ }
+ default:
+ log.WithFields(logrus.Fields{
+ "obj": obj,
+ "obj-type": fmt.Sprintf("%T", obj),
+ }).Warn("deleteRuntimeSecurityPolicy: invalid type")
+ return
+ }
+}
+
+// func updateTracingPolicy(ctx context.Context, log logrus.FieldLogger, s *sensors.Manager,
+// oldObj interface{}, newObj interface{}) {
+
+// update := func(oldTp, newTp tracingpolicy.TracingPolicy) {
+// if err := s.DeleteTracingPolicy(ctx, oldTp.TpName()); err != nil {
+// log.WithError(err).WithField(
+// "old-name", oldTp.TpName(),
+// ).Warnf("updateTracingPolicy: failed to remove old policy")
+// return
+// }
+// if err := s.AddTracingPolicy(ctx, newTp); err != nil {
+// log.WithError(err).WithField(
+// "new-name", newTp.TpName(),
+// ).Warnf("updateTracingPolicy: failed to add new policy")
+// return
+// }
+// }
+
+// var err error
+// switch oldTp := oldObj.(type) {
+// case *v1alpha1.TracingPolicy:
+// newTp, ok := newObj.(*v1alpha1.TracingPolicy)
+// if !ok {
+// err = fmt.Errorf("type mismatch")
+// break
+// }
+// // FIXME: add proper DeepEquals. The resource might have different
+// // resource versions but the fields that matter to us are still the
+// // same.
+// if oldTp.ResourceVersion == newTp.ResourceVersion {
+// return
+// }
+
+// log.WithFields(logrus.Fields{
+// "old": oldTp.TpName(),
+// "new": newTp.TpName(),
+// }).Info("updating tracing policy")
+// update(oldTp, newTp)
+
+// case *v1alpha1.TracingPolicyNamespaced:
+// newTp, ok := newObj.(*v1alpha1.TracingPolicyNamespaced)
+// if !ok {
+// err = fmt.Errorf("type mismatch")
+// break
+// }
+// // FIXME: add proper DeepEquals. The resource might have different
+// // resource versions but the fields that matter to us are still the
+// // same.
+// if oldTp.ResourceVersion == newTp.ResourceVersion {
+// return
+// }
+
+// log.WithFields(logrus.Fields{
+// "old": oldTp.TpName(),
+// "new": newTp.TpName(),
+// }).Info("updating namespaced tracing policy")
+// update(oldTp, newTp)
+// }
+
+// if err != nil {
+// log.WithFields(logrus.Fields{
+// "old-obj": oldObj,
+// "old-obj-type": fmt.Sprintf("%T", oldObj),
+// "new-obj": newObj,
+// "new-obj-type": fmt.Sprintf("%T", newObj),
+// }).Warnf("updateTracingPolicy: %s", err.Error())
+// }
+// }
+
+func WatchRuntimeSecurityPolicy(ctx context.Context, s *sensors.Manager) {
+ log := logger.GetLogger()
+ conf, err := k8sconf.K8sConfig()
+ if err != nil {
+ log.WithError(err).Fatal("couldn't get cluster config")
+ }
+ client := versioned.NewForConfigOrDie(conf)
+ factory := externalversions.NewSharedInformerFactory(client, 0)
+
+ factory.Cilium().V1alpha1().TracingPolicies().Informer().AddEventHandler(
+ cache.ResourceEventHandlerFuncs{
+ AddFunc: func(obj interface{}) {
+ addRuntimeSecurityPolicy(ctx, log, s, obj)
+ },
+ DeleteFunc: func(obj interface{}) {
+ deleteRuntimeSecurityPolicy(ctx, log, s, obj)
+ },
+ UpdateFunc: func(oldObj interface{}, newObj interface{}) {
+ // updateTracingPolicy(ctx, log, s, oldObj, newObj)
+ }})
+
+ go factory.Start(wait.NeverStop)
+ factory.WaitForCacheSync(wait.NeverStop)
+ log.Info("Started watching runtime security policies")
+}
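Review bot: WatchRuntimeSecurityPolicy attaches its handlers to the TracingPolicies informer (`factory.Cilium().V1alpha1().TracingPolicies().Informer()`), yet addRuntimeSecurityPolicy and deleteRuntimeSecurityPolicy only accept `*v1alpha1.RuntimeSecurityPolicy`, so every object delivered by that informer would hit the "invalid type" default branch and no RuntimeSecurityPolicy would ever be converted or loaded; unless this reuse is intentional, the handlers belong on the informer generated for the RuntimeSecurityPolicy CRD (its accessor is not on this page). UpdateFunc is an empty closure beside a commented-out copy of updateTracingPolicy, so editing an existing policy — for example changing a rule's action — leaves the previously converted TracingPolicy in place without any log line; either implement the update as delete-then-add of the converted policy or log at Warn level that updates are not applied, and drop the dead commented code. `factory.Start(wait.NeverStop)` and `factory.WaitForCacheSync(wait.NeverStop)` ignore `ctx`, so the informer goroutines outlive the caller's cancellation; `ctx.Done()` is the channel to pass. `log.WithError(err).Fatal(...)` on a config error exits the whole process from inside a watcher; returning the error would let the caller decide.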
diff --git a/pkg/watcher/crd/watcher.go b/pkg/watcher/crd/tracingpolicy.go
similarity index 100%
rename from pkg/watcher/crd/watcher.go
rename to pkg/watcher/crd/tracingpolicy.go
diff --git a/vendor/github.com/cilium/tetragon/api/v1/tetragon/codegen/eventchecker/eventchecker.pb.go b/vendor/github.com/cilium/tetragon/api/v1/tetragon/codegen/eventchecker/eventchecker.pb.go
index 7d5f8e8c5ca..dd7bee1b7dd 100644
--- a/vendor/github.com/cilium/tetragon/api/v1/tetragon/codegen/eventchecker/eventchecker.pb.go
+++ b/vendor/github.com/cilium/tetragon/api/v1/tetragon/codegen/eventchecker/eventchecker.pb.go
@@ -282,6 +282,8 @@ func CheckerFromEvent(event Event) (EventChecker, error) {
return NewRateLimitInfoChecker("").FromRateLimitInfo(ev), nil
case *tetragon.ProcessThrottle:
return NewProcessThrottleChecker("").FromProcessThrottle(ev), nil
+ case *tetragon.ProcessRuntimeSecurity:
+ return NewProcessRuntimeSecurityChecker("").FromProcessRuntimeSecurity(ev), nil
default:
return nil, fmt.Errorf("Unhandled event type %T", event)
@@ -344,6 +346,8 @@ func EventFromResponse(response *tetragon.GetEventsResponse) (Event, error) {
return ev.RateLimitInfo, nil
case *tetragon.GetEventsResponse_ProcessThrottle:
return ev.ProcessThrottle, nil
+ case *tetragon.GetEventsResponse_ProcessRuntimeSecurity:
+ return ev.ProcessRuntimeSecurity, nil
default:
return nil, fmt.Errorf("Unknown event type %T", response.Event)
@@ -2050,6 +2054,126 @@ func (checker *ProcessThrottleChecker) FromProcessThrottle(event *tetragon.Proce
return checker
}
+// ProcessRuntimeSecurityChecker implements a checker struct to check a ProcessRuntimeSecurity event
+type ProcessRuntimeSecurityChecker struct {
+ CheckerName string `json:"checkerName"`
+ Process *ProcessChecker `json:"process,omitempty"`
+ Parent *ProcessChecker `json:"parent,omitempty"`
+ Policy *RuntimeSecurityPolicyChecker `json:"policy,omitempty"`
+ Rule *RuntimeSecurityRuleChecker `json:"rule,omitempty"`
+}
+
+// CheckEvent checks a single event and implements the EventChecker interface
+func (checker *ProcessRuntimeSecurityChecker) CheckEvent(event Event) error {
+ if ev, ok := event.(*tetragon.ProcessRuntimeSecurity); ok {
+ return checker.Check(ev)
+ }
+ return fmt.Errorf("%s: %T is not a ProcessRuntimeSecurity event", CheckerLogPrefix(checker), event)
+}
+
+// CheckResponse checks a single gRPC response and implements the EventChecker interface
+func (checker *ProcessRuntimeSecurityChecker) CheckResponse(response *tetragon.GetEventsResponse) error {
+ event, err := EventFromResponse(response)
+ if err != nil {
+ return err
+ }
+ return checker.CheckEvent(event)
+}
+
+// NewProcessRuntimeSecurityChecker creates a new ProcessRuntimeSecurityChecker
+func NewProcessRuntimeSecurityChecker(name string) *ProcessRuntimeSecurityChecker {
+ return &ProcessRuntimeSecurityChecker{CheckerName: name}
+}
+
+// Get the name associated with the checker
+func (checker *ProcessRuntimeSecurityChecker) GetCheckerName() string {
+ return checker.CheckerName
+}
+
+// Get the type of the checker as a string
+func (checker *ProcessRuntimeSecurityChecker) GetCheckerType() string {
+ return "ProcessRuntimeSecurityChecker"
+}
+
+// Check checks a ProcessRuntimeSecurity event
+func (checker *ProcessRuntimeSecurityChecker) Check(event *tetragon.ProcessRuntimeSecurity) error {
+ if event == nil {
+ return fmt.Errorf("%s: ProcessRuntimeSecurity event is nil", CheckerLogPrefix(checker))
+ }
+
+ fieldChecks := func() error {
+ if checker.Process != nil {
+ if err := checker.Process.Check(event.Process); err != nil {
+ return fmt.Errorf("Process check failed: %w", err)
+ }
+ }
+ if checker.Parent != nil {
+ if err := checker.Parent.Check(event.Parent); err != nil {
+ return fmt.Errorf("Parent check failed: %w", err)
+ }
+ }
+ if checker.Policy != nil {
+ if err := checker.Policy.Check(event.Policy); err != nil {
+ return fmt.Errorf("Policy check failed: %w", err)
+ }
+ }
+ if checker.Rule != nil {
+ if err := checker.Rule.Check(event.Rule); err != nil {
+ return fmt.Errorf("Rule check failed: %w", err)
+ }
+ }
+ return nil
+ }
+ if err := fieldChecks(); err != nil {
+ return fmt.Errorf("%s: %w", CheckerLogPrefix(checker), err)
+ }
+ return nil
+}
+
+// WithProcess adds a Process check to the ProcessRuntimeSecurityChecker
+func (checker *ProcessRuntimeSecurityChecker) WithProcess(check *ProcessChecker) *ProcessRuntimeSecurityChecker {
+ checker.Process = check
+ return checker
+}
+
+// WithParent adds a Parent check to the ProcessRuntimeSecurityChecker
+func (checker *ProcessRuntimeSecurityChecker) WithParent(check *ProcessChecker) *ProcessRuntimeSecurityChecker {
+ checker.Parent = check
+ return checker
+}
+
+// WithPolicy adds a Policy check to the ProcessRuntimeSecurityChecker
+func (checker *ProcessRuntimeSecurityChecker) WithPolicy(check *RuntimeSecurityPolicyChecker) *ProcessRuntimeSecurityChecker {
+ checker.Policy = check
+ return checker
+}
+
+// WithRule adds a Rule check to the ProcessRuntimeSecurityChecker
+func (checker *ProcessRuntimeSecurityChecker) WithRule(check *RuntimeSecurityRuleChecker) *ProcessRuntimeSecurityChecker {
+ checker.Rule = check
+ return checker
+}
+
+//FromProcessRuntimeSecurity populates the ProcessRuntimeSecurityChecker using data from a ProcessRuntimeSecurity event
+func (checker *ProcessRuntimeSecurityChecker) FromProcessRuntimeSecurity(event *tetragon.ProcessRuntimeSecurity) *ProcessRuntimeSecurityChecker {
+ if event == nil {
+ return checker
+ }
+ if event.Process != nil {
+ checker.Process = NewProcessChecker().FromProcess(event.Process)
+ }
+ if event.Parent != nil {
+ checker.Parent = NewProcessChecker().FromProcess(event.Parent)
+ }
+ if event.Policy != nil {
+ checker.Policy = NewRuntimeSecurityPolicyChecker().FromRuntimeSecurityPolicy(event.Policy)
+ }
+ if event.Rule != nil {
+ checker.Rule = NewRuntimeSecurityRuleChecker().FromRuntimeSecurityRule(event.Rule)
+ }
+ return checker
+}
+
// ImageChecker implements a checker struct to check a Image field
type ImageChecker struct {
Id *stringmatcher.StringMatcher `json:"id,omitempty"`
@@ -6308,6 +6432,199 @@ func (checker *StackTraceEntryChecker) FromStackTraceEntry(event *tetragon.Stack
return checker
}
+// RuntimeSecurityPolicyChecker implements a checker struct to check a RuntimeSecurityPolicy field
+type RuntimeSecurityPolicyChecker struct {
+ Name *stringmatcher.StringMatcher `json:"name,omitempty"`
+ Namespace *stringmatcher.StringMatcher `json:"namespace,omitempty"`
+}
+
+// NewRuntimeSecurityPolicyChecker creates a new RuntimeSecurityPolicyChecker
+func NewRuntimeSecurityPolicyChecker() *RuntimeSecurityPolicyChecker {
+ return &RuntimeSecurityPolicyChecker{}
+}
+
+// Get the type of the checker as a string
+func (checker *RuntimeSecurityPolicyChecker) GetCheckerType() string {
+ return "RuntimeSecurityPolicyChecker"
+}
+
+// Check checks a RuntimeSecurityPolicy field
+func (checker *RuntimeSecurityPolicyChecker) Check(event *tetragon.RuntimeSecurityPolicy) error {
+ if event == nil {
+ return fmt.Errorf("%s: RuntimeSecurityPolicy field is nil", CheckerLogPrefix(checker))
+ }
+
+ fieldChecks := func() error {
+ if checker.Name != nil {
+ if err := checker.Name.Match(event.Name); err != nil {
+ return fmt.Errorf("Name check failed: %w", err)
+ }
+ }
+ if checker.Namespace != nil {
+ if err := checker.Namespace.Match(event.Namespace); err != nil {
+ return fmt.Errorf("Namespace check failed: %w", err)
+ }
+ }
+ return nil
+ }
+ if err := fieldChecks(); err != nil {
+ return fmt.Errorf("%s: %w", CheckerLogPrefix(checker), err)
+ }
+ return nil
+}
+
+// WithName adds a Name check to the RuntimeSecurityPolicyChecker
+func (checker *RuntimeSecurityPolicyChecker) WithName(check *stringmatcher.StringMatcher) *RuntimeSecurityPolicyChecker {
+ checker.Name = check
+ return checker
+}
+
+// WithNamespace adds a Namespace check to the RuntimeSecurityPolicyChecker
+func (checker *RuntimeSecurityPolicyChecker) WithNamespace(check *stringmatcher.StringMatcher) *RuntimeSecurityPolicyChecker {
+ checker.Namespace = check
+ return checker
+}
+
+//FromRuntimeSecurityPolicy populates the RuntimeSecurityPolicyChecker using data from a RuntimeSecurityPolicy field
+func (checker *RuntimeSecurityPolicyChecker) FromRuntimeSecurityPolicy(event *tetragon.RuntimeSecurityPolicy) *RuntimeSecurityPolicyChecker {
+ if event == nil {
+ return checker
+ }
+ checker.Name = stringmatcher.Full(event.Name)
+ checker.Namespace = stringmatcher.Full(event.Namespace)
+ return checker
+}
+
+// RuntimeSecurityExecutionChecker implements a checker struct to check a RuntimeSecurityExecution field
+type RuntimeSecurityExecutionChecker struct {
+ Path *stringmatcher.StringMatcher `json:"path,omitempty"`
+}
+
+// NewRuntimeSecurityExecutionChecker creates a new RuntimeSecurityExecutionChecker
+func NewRuntimeSecurityExecutionChecker() *RuntimeSecurityExecutionChecker {
+ return &RuntimeSecurityExecutionChecker{}
+}
+
+// Get the type of the checker as a string
+func (checker *RuntimeSecurityExecutionChecker) GetCheckerType() string {
+ return "RuntimeSecurityExecutionChecker"
+}
+
+// Check checks a RuntimeSecurityExecution field
+func (checker *RuntimeSecurityExecutionChecker) Check(event *tetragon.RuntimeSecurityExecution) error {
+ if event == nil {
+ return fmt.Errorf("%s: RuntimeSecurityExecution field is nil", CheckerLogPrefix(checker))
+ }
+
+ fieldChecks := func() error {
+ if checker.Path != nil {
+ if err := checker.Path.Match(event.Path); err != nil {
+ return fmt.Errorf("Path check failed: %w", err)
+ }
+ }
+ return nil
+ }
+ if err := fieldChecks(); err != nil {
+ return fmt.Errorf("%s: %w", CheckerLogPrefix(checker), err)
+ }
+ return nil
+}
+
+// WithPath adds a Path check to the RuntimeSecurityExecutionChecker
+func (checker *RuntimeSecurityExecutionChecker) WithPath(check *stringmatcher.StringMatcher) *RuntimeSecurityExecutionChecker {
+ checker.Path = check
+ return checker
+}
+
+//FromRuntimeSecurityExecution populates the RuntimeSecurityExecutionChecker using data from a RuntimeSecurityExecution field
+func (checker *RuntimeSecurityExecutionChecker) FromRuntimeSecurityExecution(event *tetragon.RuntimeSecurityExecution) *RuntimeSecurityExecutionChecker {
+ if event == nil {
+ return checker
+ }
+ checker.Path = stringmatcher.Full(event.Path)
+ return checker
+}
+
+// RuntimeSecurityRuleChecker implements a checker struct to check a RuntimeSecurityRule field
+type RuntimeSecurityRuleChecker struct {
+ Type *RuntimeSecurityRuleTypeChecker `json:"type,omitempty"`
+ Action *RuntimeSecurityRuleActionChecker `json:"action,omitempty"`
+ Execution *RuntimeSecurityExecutionChecker `json:"execution,omitempty"`
+}
+
+// NewRuntimeSecurityRuleChecker creates a new RuntimeSecurityRuleChecker
+func NewRuntimeSecurityRuleChecker() *RuntimeSecurityRuleChecker {
+ return &RuntimeSecurityRuleChecker{}
+}
+
+// Get the type of the checker as a string
+func (checker *RuntimeSecurityRuleChecker) GetCheckerType() string {
+ return "RuntimeSecurityRuleChecker"
+}
+
+// Check checks a RuntimeSecurityRule field
+func (checker *RuntimeSecurityRuleChecker) Check(event *tetragon.RuntimeSecurityRule) error {
+ if event == nil {
+ return fmt.Errorf("%s: RuntimeSecurityRule field is nil", CheckerLogPrefix(checker))
+ }
+
+ fieldChecks := func() error {
+ if checker.Type != nil {
+ if err := checker.Type.Check(&event.Type); err != nil {
+ return fmt.Errorf("Type check failed: %w", err)
+ }
+ }
+ if checker.Action != nil {
+ if err := checker.Action.Check(&event.Action); err != nil {
+ return fmt.Errorf("Action check failed: %w", err)
+ }
+ }
+ if checker.Execution != nil {
+ if err := checker.Execution.Check(event.Execution); err != nil {
+ return fmt.Errorf("Execution check failed: %w", err)
+ }
+ }
+ return nil
+ }
+ if err := fieldChecks(); err != nil {
+ return fmt.Errorf("%s: %w", CheckerLogPrefix(checker), err)
+ }
+ return nil
+}
+
+// WithType adds a Type check to the RuntimeSecurityRuleChecker
+func (checker *RuntimeSecurityRuleChecker) WithType(check tetragon.RuntimeSecurityRuleType) *RuntimeSecurityRuleChecker {
+ wrappedCheck := RuntimeSecurityRuleTypeChecker(check)
+ checker.Type = &wrappedCheck
+ return checker
+}
+
+// WithAction adds a Action check to the RuntimeSecurityRuleChecker
+func (checker *RuntimeSecurityRuleChecker) WithAction(check tetragon.RuntimeSecurityRuleAction) *RuntimeSecurityRuleChecker {
+ wrappedCheck := RuntimeSecurityRuleActionChecker(check)
+ checker.Action = &wrappedCheck
+ return checker
+}
+
+// WithExecution adds a Execution check to the RuntimeSecurityRuleChecker
+func (checker *RuntimeSecurityRuleChecker) WithExecution(check *RuntimeSecurityExecutionChecker) *RuntimeSecurityRuleChecker {
+ checker.Execution = check
+ return checker
+}
+
+//FromRuntimeSecurityRule populates the RuntimeSecurityRuleChecker using data from a RuntimeSecurityRule field
+func (checker *RuntimeSecurityRuleChecker) FromRuntimeSecurityRule(event *tetragon.RuntimeSecurityRule) *RuntimeSecurityRuleChecker {
+ if event == nil {
+ return checker
+ }
+ checker.Type = NewRuntimeSecurityRuleTypeChecker(event.Type)
+ checker.Action = NewRuntimeSecurityRuleActionChecker(event.Action)
+ if event.Execution != nil {
+ checker.Execution = NewRuntimeSecurityExecutionChecker().FromRuntimeSecurityExecution(event.Execution)
+ }
+ return checker
+}
+
// CapabilitiesTypeChecker checks a tetragon.CapabilitiesType
type CapabilitiesTypeChecker tetragon.CapabilitiesType
@@ -6619,3 +6936,107 @@ func (enum *ThrottleTypeChecker) Check(val *tetragon.ThrottleType) error {
}
return nil
}
+
+// RuntimeSecurityRuleTypeChecker checks a tetragon.RuntimeSecurityRuleType
+type RuntimeSecurityRuleTypeChecker tetragon.RuntimeSecurityRuleType
+
+// MarshalJSON implements json.Marshaler interface
+func (enum RuntimeSecurityRuleTypeChecker) MarshalJSON() ([]byte, error) {
+ if name, ok := tetragon.RuntimeSecurityRuleType_name[int32(enum)]; ok {
+ name = strings.TrimPrefix(name, "RUNTIME_SECURITY_TYPE_")
+ return json.Marshal(name)
+ }
+
+ return nil, fmt.Errorf("Unknown RuntimeSecurityRuleType %d", enum)
+}
+
+// UnmarshalJSON implements json.Unmarshaler interface
+func (enum *RuntimeSecurityRuleTypeChecker) UnmarshalJSON(b []byte) error {
+ var str string
+ if err := yaml.UnmarshalStrict(b, &str); err != nil {
+ return err
+ }
+
+ // Convert to uppercase if not already
+ str = strings.ToUpper(str)
+
+ // Look up the value from the enum values map
+ if n, ok := tetragon.RuntimeSecurityRuleType_value[str]; ok {
+ *enum = RuntimeSecurityRuleTypeChecker(n)
+ } else if n, ok := tetragon.RuntimeSecurityRuleType_value["RUNTIME_SECURITY_TYPE_"+str]; ok {
+ *enum = RuntimeSecurityRuleTypeChecker(n)
+ } else {
+ return fmt.Errorf("Unknown RuntimeSecurityRuleType %s", str)
+ }
+
+ return nil
+}
+
+// NewRuntimeSecurityRuleTypeChecker creates a new RuntimeSecurityRuleTypeChecker
+func NewRuntimeSecurityRuleTypeChecker(val tetragon.RuntimeSecurityRuleType) *RuntimeSecurityRuleTypeChecker {
+ enum := RuntimeSecurityRuleTypeChecker(val)
+ return &enum
+}
+
+// Check checks a RuntimeSecurityRuleType against the checker
+func (enum *RuntimeSecurityRuleTypeChecker) Check(val *tetragon.RuntimeSecurityRuleType) error {
+ if val == nil {
+ return fmt.Errorf("RuntimeSecurityRuleTypeChecker: RuntimeSecurityRuleType is nil and does not match expected value %s", tetragon.RuntimeSecurityRuleType(*enum))
+ }
+ if *enum != RuntimeSecurityRuleTypeChecker(*val) {
+ return fmt.Errorf("RuntimeSecurityRuleTypeChecker: RuntimeSecurityRuleType has value %s which does not match expected value %s", (*val), tetragon.RuntimeSecurityRuleType(*enum))
+ }
+ return nil
+}
+
+// RuntimeSecurityRuleActionChecker checks a tetragon.RuntimeSecurityRuleAction
+type RuntimeSecurityRuleActionChecker tetragon.RuntimeSecurityRuleAction
+
+// MarshalJSON implements json.Marshaler interface
+func (enum RuntimeSecurityRuleActionChecker) MarshalJSON() ([]byte, error) {
+ if name, ok := tetragon.RuntimeSecurityRuleAction_name[int32(enum)]; ok {
+ name = strings.TrimPrefix(name, "RUNTIME_SECURITY_ACTION_")
+ return json.Marshal(name)
+ }
+
+ return nil, fmt.Errorf("Unknown RuntimeSecurityRuleAction %d", enum)
+}
+
+// UnmarshalJSON implements json.Unmarshaler interface
+func (enum *RuntimeSecurityRuleActionChecker) UnmarshalJSON(b []byte) error {
+ var str string
+ if err := yaml.UnmarshalStrict(b, &str); err != nil {
+ return err
+ }
+
+ // Convert to uppercase if not already
+ str = strings.ToUpper(str)
+
+ // Look up the value from the enum values map
+ if n, ok := tetragon.RuntimeSecurityRuleAction_value[str]; ok {
+ *enum = RuntimeSecurityRuleActionChecker(n)
+ } else if n, ok := tetragon.RuntimeSecurityRuleAction_value["RUNTIME_SECURITY_ACTION_"+str]; ok {
+ *enum = RuntimeSecurityRuleActionChecker(n)
+ } else {
+ return fmt.Errorf("Unknown RuntimeSecurityRuleAction %s", str)
+ }
+
+ return nil
+}
+
+// NewRuntimeSecurityRuleActionChecker creates a new RuntimeSecurityRuleActionChecker
+func NewRuntimeSecurityRuleActionChecker(val tetragon.RuntimeSecurityRuleAction) *RuntimeSecurityRuleActionChecker {
+ enum := RuntimeSecurityRuleActionChecker(val)
+ return &enum
+}
+
+// Check checks a RuntimeSecurityRuleAction against the checker
+func (enum *RuntimeSecurityRuleActionChecker) Check(val *tetragon.RuntimeSecurityRuleAction) error {
+ if val == nil {
+ return fmt.Errorf("RuntimeSecurityRuleActionChecker: RuntimeSecurityRuleAction is nil and does not match expected value %s", tetragon.RuntimeSecurityRuleAction(*enum))
+ }
+ if *enum != RuntimeSecurityRuleActionChecker(*val) {
+ return fmt.Errorf("RuntimeSecurityRuleActionChecker: RuntimeSecurityRuleAction has value %s which does not match expected value %s", (*val), tetragon.RuntimeSecurityRuleAction(*enum))
+ }
+ return nil
+}
diff --git a/vendor/github.com/cilium/tetragon/api/v1/tetragon/codegen/eventchecker/yaml/yaml.pb.go b/vendor/github.com/cilium/tetragon/api/v1/tetragon/codegen/eventchecker/yaml/yaml.pb.go
index f3ff5347a95..cc2b948d6cb 100644
--- a/vendor/github.com/cilium/tetragon/api/v1/tetragon/codegen/eventchecker/yaml/yaml.pb.go
+++ b/vendor/github.com/cilium/tetragon/api/v1/tetragon/codegen/eventchecker/yaml/yaml.pb.go
@@ -140,15 +140,16 @@ func (conf *EventCheckerConf) WriteYamlFile(file string) error {
}
type eventCheckerHelper struct {
- ProcessExec *eventchecker.ProcessExecChecker `json:"exec,omitempty"`
- ProcessExit *eventchecker.ProcessExitChecker `json:"exit,omitempty"`
- ProcessKprobe *eventchecker.ProcessKprobeChecker `json:"kprobe,omitempty"`
- ProcessTracepoint *eventchecker.ProcessTracepointChecker `json:"tracepoint,omitempty"`
- ProcessUprobe *eventchecker.ProcessUprobeChecker `json:"uprobe,omitempty"`
- Test *eventchecker.TestChecker `json:"test,omitempty"`
- ProcessLoader *eventchecker.ProcessLoaderChecker `json:"loader,omitempty"`
- RateLimitInfo *eventchecker.RateLimitInfoChecker `json:"rateLimitInfo,omitempty"`
- ProcessThrottle *eventchecker.ProcessThrottleChecker `json:"throttle,omitempty"`
+ ProcessExec *eventchecker.ProcessExecChecker `json:"exec,omitempty"`
+ ProcessExit *eventchecker.ProcessExitChecker `json:"exit,omitempty"`
+ ProcessKprobe *eventchecker.ProcessKprobeChecker `json:"kprobe,omitempty"`
+ ProcessTracepoint *eventchecker.ProcessTracepointChecker `json:"tracepoint,omitempty"`
+ ProcessUprobe *eventchecker.ProcessUprobeChecker `json:"uprobe,omitempty"`
+ Test *eventchecker.TestChecker `json:"test,omitempty"`
+ ProcessLoader *eventchecker.ProcessLoaderChecker `json:"loader,omitempty"`
+ RateLimitInfo *eventchecker.RateLimitInfoChecker `json:"rateLimitInfo,omitempty"`
+ ProcessThrottle *eventchecker.ProcessThrottleChecker `json:"throttle,omitempty"`
+ ProcessRuntimeSecurity *eventchecker.ProcessRuntimeSecurityChecker `json:"runtimeSecurity,omitempty"`
}
// EventChecker is a wrapper around the EventChecker interface to help unmarshaling
@@ -217,6 +218,12 @@ func (checker *EventChecker) UnmarshalJSON(b []byte) error {
}
eventChecker = helper.ProcessThrottle
}
+ if helper.ProcessRuntimeSecurity != nil {
+ if eventChecker != nil {
+ return fmt.Errorf("EventChecker: cannot define more than one checker, got %T but already had %T", helper.ProcessRuntimeSecurity, eventChecker)
+ }
+ eventChecker = helper.ProcessRuntimeSecurity
+ }
checker.EventChecker = eventChecker
return nil
}
@@ -243,6 +250,8 @@ func (checker EventChecker) MarshalJSON() ([]byte, error) {
helper.RateLimitInfo = c
case *eventchecker.ProcessThrottleChecker:
helper.ProcessThrottle = c
+ case *eventchecker.ProcessRuntimeSecurityChecker:
+ helper.ProcessRuntimeSecurity = c
default:
return nil, fmt.Errorf("EventChecker: unknown checker type %T", c)
}
diff --git a/vendor/github.com/cilium/tetragon/api/v1/tetragon/codegen/helpers/helpers.pb.go b/vendor/github.com/cilium/tetragon/api/v1/tetragon/codegen/helpers/helpers.pb.go
index 55f80b413ef..e474bceccb4 100644
--- a/vendor/github.com/cilium/tetragon/api/v1/tetragon/codegen/helpers/helpers.pb.go
+++ b/vendor/github.com/cilium/tetragon/api/v1/tetragon/codegen/helpers/helpers.pb.go
@@ -36,6 +36,8 @@ func ResponseTypeString(response *tetragon.GetEventsResponse) (string, error) {
return tetragon.EventType_PROCESS_UPROBE.String(), nil
case *tetragon.GetEventsResponse_ProcessThrottle:
return tetragon.EventType_PROCESS_THROTTLE.String(), nil
+ case *tetragon.GetEventsResponse_ProcessRuntimeSecurity:
+ return tetragon.EventType_PROCESS_RUNTIME_SECURITY.String(), nil
case *tetragon.GetEventsResponse_Test:
return tetragon.EventType_TEST.String(), nil
case *tetragon.GetEventsResponse_RateLimitInfo:
@@ -74,6 +76,8 @@ func ResponseInnerGetProcess(event tetragon.IsGetEventsResponse_Event) *tetragon
return ev.ProcessUprobe.Process
case *tetragon.GetEventsResponse_ProcessLoader:
return ev.ProcessLoader.Process
+ case *tetragon.GetEventsResponse_ProcessRuntimeSecurity:
+ return ev.ProcessRuntimeSecurity.Process
}
return nil
@@ -115,6 +119,8 @@ func ResponseInnerGetParent(event tetragon.IsGetEventsResponse_Event) *tetragon.
return ev.ProcessTracepoint.Parent
case *tetragon.GetEventsResponse_ProcessUprobe:
return ev.ProcessUprobe.Parent
+ case *tetragon.GetEventsResponse_ProcessRuntimeSecurity:
+ return ev.ProcessRuntimeSecurity.Parent
}
return nil
diff --git a/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.pb.go b/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.pb.go
index f11dc36ba6c..c92f57c64d5 100644
--- a/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.pb.go
+++ b/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.pb.go
@@ -34,16 +34,17 @@ const (
type EventType int32
const (
- EventType_UNDEF EventType = 0
- EventType_PROCESS_EXEC EventType = 1
- EventType_PROCESS_EXIT EventType = 5
- EventType_PROCESS_KPROBE EventType = 9
- EventType_PROCESS_TRACEPOINT EventType = 10
- EventType_PROCESS_LOADER EventType = 11
- EventType_PROCESS_UPROBE EventType = 12
- EventType_PROCESS_THROTTLE EventType = 27
- EventType_TEST EventType = 40000
- EventType_RATE_LIMIT_INFO EventType = 40001
+ EventType_UNDEF EventType = 0
+ EventType_PROCESS_EXEC EventType = 1
+ EventType_PROCESS_EXIT EventType = 5
+ EventType_PROCESS_KPROBE EventType = 9
+ EventType_PROCESS_TRACEPOINT EventType = 10
+ EventType_PROCESS_LOADER EventType = 11
+ EventType_PROCESS_UPROBE EventType = 12
+ EventType_PROCESS_THROTTLE EventType = 27
+ EventType_PROCESS_RUNTIME_SECURITY EventType = 28
+ EventType_TEST EventType = 40000
+ EventType_RATE_LIMIT_INFO EventType = 40001
)
// Enum value maps for EventType.
@@ -57,20 +58,22 @@ var (
11: "PROCESS_LOADER",
12: "PROCESS_UPROBE",
27: "PROCESS_THROTTLE",
+ 28: "PROCESS_RUNTIME_SECURITY",
40000: "TEST",
40001: "RATE_LIMIT_INFO",
}
EventType_value = map[string]int32{
- "UNDEF": 0,
- "PROCESS_EXEC": 1,
- "PROCESS_EXIT": 5,
- "PROCESS_KPROBE": 9,
- "PROCESS_TRACEPOINT": 10,
- "PROCESS_LOADER": 11,
- "PROCESS_UPROBE": 12,
- "PROCESS_THROTTLE": 27,
- "TEST": 40000,
- "RATE_LIMIT_INFO": 40001,
+ "UNDEF": 0,
+ "PROCESS_EXEC": 1,
+ "PROCESS_EXIT": 5,
+ "PROCESS_KPROBE": 9,
+ "PROCESS_TRACEPOINT": 10,
+ "PROCESS_LOADER": 11,
+ "PROCESS_UPROBE": 12,
+ "PROCESS_THROTTLE": 27,
+ "PROCESS_RUNTIME_SECURITY": 28,
+ "TEST": 40000,
+ "RATE_LIMIT_INFO": 40001,
}
)
@@ -197,6 +200,101 @@ func (ThrottleType) EnumDescriptor() ([]byte, []int) {
return file_tetragon_events_proto_rawDescGZIP(), []int{2}
}
+type RuntimeSecurityRuleType int32
+
+const (
+ RuntimeSecurityRuleType_RUNTIME_SECURITY_TYPE_UNSPECIFIED RuntimeSecurityRuleType = 0
+ RuntimeSecurityRuleType_RUNTIME_SECURITY_TYPE_EXECUTION RuntimeSecurityRuleType = 1
+)
+
+// Enum value maps for RuntimeSecurityRuleType.
+var (
+ RuntimeSecurityRuleType_name = map[int32]string{
+ 0: "RUNTIME_SECURITY_TYPE_UNSPECIFIED",
+ 1: "RUNTIME_SECURITY_TYPE_EXECUTION",
+ }
+ RuntimeSecurityRuleType_value = map[string]int32{
+ "RUNTIME_SECURITY_TYPE_UNSPECIFIED": 0,
+ "RUNTIME_SECURITY_TYPE_EXECUTION": 1,
+ }
+)
+
+func (x RuntimeSecurityRuleType) Enum() *RuntimeSecurityRuleType {
+ p := new(RuntimeSecurityRuleType)
+ *p = x
+ return p
+}
+
+func (x RuntimeSecurityRuleType) String() string {
+ return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x))
+}
+
+func (RuntimeSecurityRuleType) Descriptor() protoreflect.EnumDescriptor {
+ return file_tetragon_events_proto_enumTypes[3].Descriptor()
+}
+
+func (RuntimeSecurityRuleType) Type() protoreflect.EnumType {
+ return &file_tetragon_events_proto_enumTypes[3]
+}
+
+func (x RuntimeSecurityRuleType) Number() protoreflect.EnumNumber {
+ return protoreflect.EnumNumber(x)
+}
+
+// Deprecated: Use RuntimeSecurityRuleType.Descriptor instead.
+func (RuntimeSecurityRuleType) EnumDescriptor() ([]byte, []int) {
+ return file_tetragon_events_proto_rawDescGZIP(), []int{3}
+}
+
+type RuntimeSecurityRuleAction int32
+
+const (
+ RuntimeSecurityRuleAction_RUNTIME_SECURITY_ACTION_UNSPECIFIED RuntimeSecurityRuleAction = 0
+ RuntimeSecurityRuleAction_RUNTIME_SECURITY_ACTION_AUDIT RuntimeSecurityRuleAction = 1
+ RuntimeSecurityRuleAction_RUNTIME_SECURITY_ACTION_BLOCK RuntimeSecurityRuleAction = 2
+)
+
+// Enum value maps for RuntimeSecurityRuleAction.
+var (
+ RuntimeSecurityRuleAction_name = map[int32]string{
+ 0: "RUNTIME_SECURITY_ACTION_UNSPECIFIED",
+ 1: "RUNTIME_SECURITY_ACTION_AUDIT",
+ 2: "RUNTIME_SECURITY_ACTION_BLOCK",
+ }
+ RuntimeSecurityRuleAction_value = map[string]int32{
+ "RUNTIME_SECURITY_ACTION_UNSPECIFIED": 0,
+ "RUNTIME_SECURITY_ACTION_AUDIT": 1,
+ "RUNTIME_SECURITY_ACTION_BLOCK": 2,
+ }
+)
+
+func (x RuntimeSecurityRuleAction) Enum() *RuntimeSecurityRuleAction {
+ p := new(RuntimeSecurityRuleAction)
+ *p = x
+ return p
+}
+
+func (x RuntimeSecurityRuleAction) String() string {
+ return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x))
+}
+
+func (RuntimeSecurityRuleAction) Descriptor() protoreflect.EnumDescriptor {
+ return file_tetragon_events_proto_enumTypes[4].Descriptor()
+}
+
+func (RuntimeSecurityRuleAction) Type() protoreflect.EnumType {
+ return &file_tetragon_events_proto_enumTypes[4]
+}
+
+func (x RuntimeSecurityRuleAction) Number() protoreflect.EnumNumber {
+ return protoreflect.EnumNumber(x)
+}
+
+// Deprecated: Use RuntimeSecurityRuleAction.Descriptor instead.
+func (RuntimeSecurityRuleAction) EnumDescriptor() ([]byte, []int) {
+ return file_tetragon_events_proto_rawDescGZIP(), []int{4}
+}
+
type Filter struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
@@ -927,6 +1025,253 @@ func (x *ProcessThrottle) GetCgroup() string {
return ""
}
+type RuntimeSecurityPolicy struct {
+ state protoimpl.MessageState
+ sizeCache protoimpl.SizeCache
+ unknownFields protoimpl.UnknownFields
+
+ // Name of the RuntimeSecurityPolicy associated with that event.
+ Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
+ // Namespace of the RuntimeSecurityPolicy associated with that event.
+ Namespace string `protobuf:"bytes,2,opt,name=namespace,proto3" json:"namespace,omitempty"`
+}
+
+func (x *RuntimeSecurityPolicy) Reset() {
+ *x = RuntimeSecurityPolicy{}
+ if protoimpl.UnsafeEnabled {
+ mi := &file_tetragon_events_proto_msgTypes[10]
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ ms.StoreMessageInfo(mi)
+ }
+}
+
+func (x *RuntimeSecurityPolicy) String() string {
+ return protoimpl.X.MessageStringOf(x)
+}
+
+func (*RuntimeSecurityPolicy) ProtoMessage() {}
+
+func (x *RuntimeSecurityPolicy) ProtoReflect() protoreflect.Message {
+ mi := &file_tetragon_events_proto_msgTypes[10]
+ if protoimpl.UnsafeEnabled && x != nil {
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ if ms.LoadMessageInfo() == nil {
+ ms.StoreMessageInfo(mi)
+ }
+ return ms
+ }
+ return mi.MessageOf(x)
+}
+
+// Deprecated: Use RuntimeSecurityPolicy.ProtoReflect.Descriptor instead.
+func (*RuntimeSecurityPolicy) Descriptor() ([]byte, []int) {
+ return file_tetragon_events_proto_rawDescGZIP(), []int{10}
+}
+
+func (x *RuntimeSecurityPolicy) GetName() string {
+ if x != nil {
+ return x.Name
+ }
+ return ""
+}
+
+func (x *RuntimeSecurityPolicy) GetNamespace() string {
+ if x != nil {
+ return x.Namespace
+ }
+ return ""
+}
+
+type RuntimeSecurityExecution struct {
+ state protoimpl.MessageState
+ sizeCache protoimpl.SizeCache
+ unknownFields protoimpl.UnknownFields
+
+ // Path of the binary that triggered the execution rule.
+ Path string `protobuf:"bytes,1,opt,name=path,proto3" json:"path,omitempty"`
+}
+
+func (x *RuntimeSecurityExecution) Reset() {
+ *x = RuntimeSecurityExecution{}
+ if protoimpl.UnsafeEnabled {
+ mi := &file_tetragon_events_proto_msgTypes[11]
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ ms.StoreMessageInfo(mi)
+ }
+}
+
+func (x *RuntimeSecurityExecution) String() string {
+ return protoimpl.X.MessageStringOf(x)
+}
+
+func (*RuntimeSecurityExecution) ProtoMessage() {}
+
+func (x *RuntimeSecurityExecution) ProtoReflect() protoreflect.Message {
+ mi := &file_tetragon_events_proto_msgTypes[11]
+ if protoimpl.UnsafeEnabled && x != nil {
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ if ms.LoadMessageInfo() == nil {
+ ms.StoreMessageInfo(mi)
+ }
+ return ms
+ }
+ return mi.MessageOf(x)
+}
+
+// Deprecated: Use RuntimeSecurityExecution.ProtoReflect.Descriptor instead.
+func (*RuntimeSecurityExecution) Descriptor() ([]byte, []int) {
+ return file_tetragon_events_proto_rawDescGZIP(), []int{11}
+}
+
+func (x *RuntimeSecurityExecution) GetPath() string {
+ if x != nil {
+ return x.Path
+ }
+ return ""
+}
+
+type RuntimeSecurityRule struct {
+ state protoimpl.MessageState
+ sizeCache protoimpl.SizeCache
+ unknownFields protoimpl.UnknownFields
+
+ // Type of the rule that triggered this event.
+ Type RuntimeSecurityRuleType `protobuf:"varint,1,opt,name=type,proto3,enum=tetragon.RuntimeSecurityRuleType" json:"type,omitempty"`
+ // Action of the rule that triggered this event.
+ Action RuntimeSecurityRuleAction `protobuf:"varint,2,opt,name=action,proto3,enum=tetragon.RuntimeSecurityRuleAction" json:"action,omitempty"`
+ // Execution is set if the rule type is Execution and provide details
+ // specific to execution.
+ Execution *RuntimeSecurityExecution `protobuf:"bytes,3,opt,name=execution,proto3" json:"execution,omitempty"`
+}
+
+func (x *RuntimeSecurityRule) Reset() {
+ *x = RuntimeSecurityRule{}
+ if protoimpl.UnsafeEnabled {
+ mi := &file_tetragon_events_proto_msgTypes[12]
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ ms.StoreMessageInfo(mi)
+ }
+}
+
+func (x *RuntimeSecurityRule) String() string {
+ return protoimpl.X.MessageStringOf(x)
+}
+
+func (*RuntimeSecurityRule) ProtoMessage() {}
+
+func (x *RuntimeSecurityRule) ProtoReflect() protoreflect.Message {
+ mi := &file_tetragon_events_proto_msgTypes[12]
+ if protoimpl.UnsafeEnabled && x != nil {
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ if ms.LoadMessageInfo() == nil {
+ ms.StoreMessageInfo(mi)
+ }
+ return ms
+ }
+ return mi.MessageOf(x)
+}
+
+// Deprecated: Use RuntimeSecurityRule.ProtoReflect.Descriptor instead.
+func (*RuntimeSecurityRule) Descriptor() ([]byte, []int) {
+ return file_tetragon_events_proto_rawDescGZIP(), []int{12}
+}
+
+func (x *RuntimeSecurityRule) GetType() RuntimeSecurityRuleType {
+ if x != nil {
+ return x.Type
+ }
+ return RuntimeSecurityRuleType_RUNTIME_SECURITY_TYPE_UNSPECIFIED
+}
+
+func (x *RuntimeSecurityRule) GetAction() RuntimeSecurityRuleAction {
+ if x != nil {
+ return x.Action
+ }
+ return RuntimeSecurityRuleAction_RUNTIME_SECURITY_ACTION_UNSPECIFIED
+}
+
+func (x *RuntimeSecurityRule) GetExecution() *RuntimeSecurityExecution {
+ if x != nil {
+ return x.Execution
+ }
+ return nil
+}
+
+type ProcessRuntimeSecurity struct {
+ state protoimpl.MessageState
+ sizeCache protoimpl.SizeCache
+ unknownFields protoimpl.UnknownFields
+
+ // Process that triggered the exec.
+ Process *Process `protobuf:"bytes,1,opt,name=process,proto3" json:"process,omitempty"`
+ // Immediate parent of the process.
+ Parent *Process `protobuf:"bytes,2,opt,name=parent,proto3" json:"parent,omitempty"`
+ // RuntimeSecurityPolicy associated with that event.
+ Policy *RuntimeSecurityPolicy `protobuf:"bytes,3,opt,name=policy,proto3" json:"policy,omitempty"`
+ // Rule is the rule that triggered that event from the RuntimeSecurityPolicy.
+ Rule *RuntimeSecurityRule `protobuf:"bytes,4,opt,name=rule,proto3" json:"rule,omitempty"`
+}
+
+func (x *ProcessRuntimeSecurity) Reset() {
+ *x = ProcessRuntimeSecurity{}
+ if protoimpl.UnsafeEnabled {
+ mi := &file_tetragon_events_proto_msgTypes[13]
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ ms.StoreMessageInfo(mi)
+ }
+}
+
+func (x *ProcessRuntimeSecurity) String() string {
+ return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ProcessRuntimeSecurity) ProtoMessage() {}
+
+func (x *ProcessRuntimeSecurity) ProtoReflect() protoreflect.Message {
+ mi := &file_tetragon_events_proto_msgTypes[13]
+ if protoimpl.UnsafeEnabled && x != nil {
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ if ms.LoadMessageInfo() == nil {
+ ms.StoreMessageInfo(mi)
+ }
+ return ms
+ }
+ return mi.MessageOf(x)
+}
+
+// Deprecated: Use ProcessRuntimeSecurity.ProtoReflect.Descriptor instead.
+func (*ProcessRuntimeSecurity) Descriptor() ([]byte, []int) {
+ return file_tetragon_events_proto_rawDescGZIP(), []int{13}
+}
+
+func (x *ProcessRuntimeSecurity) GetProcess() *Process {
+ if x != nil {
+ return x.Process
+ }
+ return nil
+}
+
+func (x *ProcessRuntimeSecurity) GetParent() *Process {
+ if x != nil {
+ return x.Parent
+ }
+ return nil
+}
+
+func (x *ProcessRuntimeSecurity) GetPolicy() *RuntimeSecurityPolicy {
+ if x != nil {
+ return x.Policy
+ }
+ return nil
+}
+
+func (x *ProcessRuntimeSecurity) GetRule() *RuntimeSecurityRule {
+ if x != nil {
+ return x.Rule
+ }
+ return nil
+}
+
type GetEventsResponse struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
@@ -945,6 +1290,7 @@ type GetEventsResponse struct {
// *GetEventsResponse_ProcessLoader
// *GetEventsResponse_ProcessUprobe
// *GetEventsResponse_ProcessThrottle
+ // *GetEventsResponse_ProcessRuntimeSecurity
// *GetEventsResponse_Test
// *GetEventsResponse_RateLimitInfo
Event isGetEventsResponse_Event `protobuf_oneof:"event"`
@@ -962,7 +1308,7 @@ type GetEventsResponse struct {
func (x *GetEventsResponse) Reset() {
*x = GetEventsResponse{}
if protoimpl.UnsafeEnabled {
- mi := &file_tetragon_events_proto_msgTypes[10]
+ mi := &file_tetragon_events_proto_msgTypes[14]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@@ -975,7 +1321,7 @@ func (x *GetEventsResponse) String() string {
func (*GetEventsResponse) ProtoMessage() {}
func (x *GetEventsResponse) ProtoReflect() protoreflect.Message {
- mi := &file_tetragon_events_proto_msgTypes[10]
+ mi := &file_tetragon_events_proto_msgTypes[14]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@@ -988,7 +1334,7 @@ func (x *GetEventsResponse) ProtoReflect() protoreflect.Message {
// Deprecated: Use GetEventsResponse.ProtoReflect.Descriptor instead.
func (*GetEventsResponse) Descriptor() ([]byte, []int) {
- return file_tetragon_events_proto_rawDescGZIP(), []int{10}
+ return file_tetragon_events_proto_rawDescGZIP(), []int{14}
}
func (m *GetEventsResponse) GetEvent() isGetEventsResponse_Event {
@@ -1047,6 +1393,13 @@ func (x *GetEventsResponse) GetProcessThrottle() *ProcessThrottle {
return nil
}
+func (x *GetEventsResponse) GetProcessRuntimeSecurity() *ProcessRuntimeSecurity {
+ if x, ok := x.GetEvent().(*GetEventsResponse_ProcessRuntimeSecurity); ok {
+ return x.ProcessRuntimeSecurity
+ }
+ return nil
+}
+
func (x *GetEventsResponse) GetTest() *Test {
if x, ok := x.GetEvent().(*GetEventsResponse_Test); ok {
return x.Test
@@ -1121,6 +1474,10 @@ type GetEventsResponse_ProcessThrottle struct {
ProcessThrottle *ProcessThrottle `protobuf:"bytes,27,opt,name=process_throttle,json=processThrottle,proto3,oneof"`
}
+type GetEventsResponse_ProcessRuntimeSecurity struct {
+ ProcessRuntimeSecurity *ProcessRuntimeSecurity `protobuf:"bytes,28,opt,name=process_runtime_security,json=processRuntimeSecurity,proto3,oneof"`
+}
+
type GetEventsResponse_Test struct {
Test *Test `protobuf:"bytes,40000,opt,name=test,proto3,oneof"`
}
@@ -1143,6 +1500,8 @@ func (*GetEventsResponse_ProcessUprobe) isGetEventsResponse_Event() {}
func (*GetEventsResponse_ProcessThrottle) isGetEventsResponse_Event() {}
+func (*GetEventsResponse_ProcessRuntimeSecurity) isGetEventsResponse_Event() {}
+
func (*GetEventsResponse_Test) isGetEventsResponse_Event() {}
func (*GetEventsResponse_RateLimitInfo) isGetEventsResponse_Event() {}
@@ -1274,75 +1633,133 @@ var file_tetragon_events_proto_rawDesc = []byte{
0x20, 0x01, 0x28, 0x0e, 0x32, 0x16, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e,
0x54, 0x68, 0x72, 0x6f, 0x74, 0x74, 0x6c, 0x65, 0x54, 0x79, 0x70, 0x65, 0x52, 0x04, 0x74, 0x79,
0x70, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x63, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x18, 0x02, 0x20, 0x01,
- 0x28, 0x09, 0x52, 0x06, 0x63, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x22, 0xf3, 0x05, 0x0a, 0x11, 0x47,
- 0x65, 0x74, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65,
- 0x12, 0x3a, 0x0a, 0x0c, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x65, 0x78, 0x65, 0x63,
- 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f,
- 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x45, 0x78, 0x65, 0x63, 0x48, 0x00, 0x52,
- 0x0b, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x45, 0x78, 0x65, 0x63, 0x12, 0x3a, 0x0a, 0x0c,
- 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x65, 0x78, 0x69, 0x74, 0x18, 0x05, 0x20, 0x01,
- 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x50, 0x72,
- 0x6f, 0x63, 0x65, 0x73, 0x73, 0x45, 0x78, 0x69, 0x74, 0x48, 0x00, 0x52, 0x0b, 0x70, 0x72, 0x6f,
- 0x63, 0x65, 0x73, 0x73, 0x45, 0x78, 0x69, 0x74, 0x12, 0x40, 0x0a, 0x0e, 0x70, 0x72, 0x6f, 0x63,
- 0x65, 0x73, 0x73, 0x5f, 0x6b, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x18, 0x09, 0x20, 0x01, 0x28, 0x0b,
- 0x32, 0x17, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63,
- 0x65, 0x73, 0x73, 0x4b, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x48, 0x00, 0x52, 0x0d, 0x70, 0x72, 0x6f,
- 0x63, 0x65, 0x73, 0x73, 0x4b, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x12, 0x4c, 0x0a, 0x12, 0x70, 0x72,
- 0x6f, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x74, 0x72, 0x61, 0x63, 0x65, 0x70, 0x6f, 0x69, 0x6e, 0x74,
- 0x18, 0x0a, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f,
- 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x54, 0x72, 0x61, 0x63, 0x65, 0x70, 0x6f,
- 0x69, 0x6e, 0x74, 0x48, 0x00, 0x52, 0x11, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x54, 0x72,
- 0x61, 0x63, 0x65, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x12, 0x40, 0x0a, 0x0e, 0x70, 0x72, 0x6f, 0x63,
- 0x65, 0x73, 0x73, 0x5f, 0x6c, 0x6f, 0x61, 0x64, 0x65, 0x72, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x0b,
- 0x32, 0x17, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63,
- 0x65, 0x73, 0x73, 0x4c, 0x6f, 0x61, 0x64, 0x65, 0x72, 0x48, 0x00, 0x52, 0x0d, 0x70, 0x72, 0x6f,
- 0x63, 0x65, 0x73, 0x73, 0x4c, 0x6f, 0x61, 0x64, 0x65, 0x72, 0x12, 0x40, 0x0a, 0x0e, 0x70, 0x72,
- 0x6f, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x75, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x18, 0x0c, 0x20, 0x01,
- 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x50, 0x72,
- 0x6f, 0x63, 0x65, 0x73, 0x73, 0x55, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x48, 0x00, 0x52, 0x0d, 0x70,
- 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x55, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x12, 0x46, 0x0a, 0x10,
- 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x74, 0x68, 0x72, 0x6f, 0x74, 0x74, 0x6c, 0x65,
- 0x18, 0x1b, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f,
- 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x54, 0x68, 0x72, 0x6f, 0x74, 0x74, 0x6c,
- 0x65, 0x48, 0x00, 0x52, 0x0f, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x54, 0x68, 0x72, 0x6f,
- 0x74, 0x74, 0x6c, 0x65, 0x12, 0x26, 0x0a, 0x04, 0x74, 0x65, 0x73, 0x74, 0x18, 0xc0, 0xb8, 0x02,
- 0x20, 0x01, 0x28, 0x0b, 0x32, 0x0e, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e,
- 0x54, 0x65, 0x73, 0x74, 0x48, 0x00, 0x52, 0x04, 0x74, 0x65, 0x73, 0x74, 0x12, 0x43, 0x0a, 0x0f,
- 0x72, 0x61, 0x74, 0x65, 0x5f, 0x6c, 0x69, 0x6d, 0x69, 0x74, 0x5f, 0x69, 0x6e, 0x66, 0x6f, 0x18,
- 0xc1, 0xb8, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67,
- 0x6f, 0x6e, 0x2e, 0x52, 0x61, 0x74, 0x65, 0x4c, 0x69, 0x6d, 0x69, 0x74, 0x49, 0x6e, 0x66, 0x6f,
- 0x48, 0x00, 0x52, 0x0d, 0x72, 0x61, 0x74, 0x65, 0x4c, 0x69, 0x6d, 0x69, 0x74, 0x49, 0x6e, 0x66,
- 0x6f, 0x12, 0x1c, 0x0a, 0x09, 0x6e, 0x6f, 0x64, 0x65, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0xe8,
- 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x6e, 0x6f, 0x64, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x12,
- 0x2f, 0x0a, 0x04, 0x74, 0x69, 0x6d, 0x65, 0x18, 0xe9, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a,
- 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66,
- 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x04, 0x74, 0x69, 0x6d, 0x65,
- 0x12, 0x45, 0x0a, 0x10, 0x61, 0x67, 0x67, 0x72, 0x65, 0x67, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f,
- 0x69, 0x6e, 0x66, 0x6f, 0x18, 0xea, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x74, 0x65,
- 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x41, 0x67, 0x67, 0x72, 0x65, 0x67, 0x61, 0x74, 0x69,
- 0x6f, 0x6e, 0x49, 0x6e, 0x66, 0x6f, 0x52, 0x0f, 0x61, 0x67, 0x67, 0x72, 0x65, 0x67, 0x61, 0x74,
- 0x69, 0x6f, 0x6e, 0x49, 0x6e, 0x66, 0x6f, 0x42, 0x07, 0x0a, 0x05, 0x65, 0x76, 0x65, 0x6e, 0x74,
- 0x2a, 0xc7, 0x01, 0x0a, 0x09, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70, 0x65, 0x12, 0x09,
- 0x0a, 0x05, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, 0x00, 0x12, 0x10, 0x0a, 0x0c, 0x50, 0x52, 0x4f,
- 0x43, 0x45, 0x53, 0x53, 0x5f, 0x45, 0x58, 0x45, 0x43, 0x10, 0x01, 0x12, 0x10, 0x0a, 0x0c, 0x50,
- 0x52, 0x4f, 0x43, 0x45, 0x53, 0x53, 0x5f, 0x45, 0x58, 0x49, 0x54, 0x10, 0x05, 0x12, 0x12, 0x0a,
- 0x0e, 0x50, 0x52, 0x4f, 0x43, 0x45, 0x53, 0x53, 0x5f, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x10,
- 0x09, 0x12, 0x16, 0x0a, 0x12, 0x50, 0x52, 0x4f, 0x43, 0x45, 0x53, 0x53, 0x5f, 0x54, 0x52, 0x41,
- 0x43, 0x45, 0x50, 0x4f, 0x49, 0x4e, 0x54, 0x10, 0x0a, 0x12, 0x12, 0x0a, 0x0e, 0x50, 0x52, 0x4f,
- 0x43, 0x45, 0x53, 0x53, 0x5f, 0x4c, 0x4f, 0x41, 0x44, 0x45, 0x52, 0x10, 0x0b, 0x12, 0x12, 0x0a,
- 0x0e, 0x50, 0x52, 0x4f, 0x43, 0x45, 0x53, 0x53, 0x5f, 0x55, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x10,
- 0x0c, 0x12, 0x14, 0x0a, 0x10, 0x50, 0x52, 0x4f, 0x43, 0x45, 0x53, 0x53, 0x5f, 0x54, 0x48, 0x52,
- 0x4f, 0x54, 0x54, 0x4c, 0x45, 0x10, 0x1b, 0x12, 0x0a, 0x0a, 0x04, 0x54, 0x45, 0x53, 0x54, 0x10,
- 0xc0, 0xb8, 0x02, 0x12, 0x15, 0x0a, 0x0f, 0x52, 0x41, 0x54, 0x45, 0x5f, 0x4c, 0x49, 0x4d, 0x49,
- 0x54, 0x5f, 0x49, 0x4e, 0x46, 0x4f, 0x10, 0xc1, 0xb8, 0x02, 0x2a, 0x2d, 0x0a, 0x11, 0x46, 0x69,
- 0x65, 0x6c, 0x64, 0x46, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12,
- 0x0b, 0x0a, 0x07, 0x49, 0x4e, 0x43, 0x4c, 0x55, 0x44, 0x45, 0x10, 0x00, 0x12, 0x0b, 0x0a, 0x07,
- 0x45, 0x58, 0x43, 0x4c, 0x55, 0x44, 0x45, 0x10, 0x01, 0x2a, 0x4b, 0x0a, 0x0c, 0x54, 0x68, 0x72,
- 0x6f, 0x74, 0x74, 0x6c, 0x65, 0x54, 0x79, 0x70, 0x65, 0x12, 0x14, 0x0a, 0x10, 0x54, 0x48, 0x52,
- 0x4f, 0x54, 0x54, 0x4c, 0x45, 0x5f, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12,
- 0x12, 0x0a, 0x0e, 0x54, 0x48, 0x52, 0x4f, 0x54, 0x54, 0x4c, 0x45, 0x5f, 0x53, 0x54, 0x41, 0x52,
- 0x54, 0x10, 0x01, 0x12, 0x11, 0x0a, 0x0d, 0x54, 0x48, 0x52, 0x4f, 0x54, 0x54, 0x4c, 0x45, 0x5f,
- 0x53, 0x54, 0x4f, 0x50, 0x10, 0x02, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+ 0x28, 0x09, 0x52, 0x06, 0x63, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x22, 0x49, 0x0a, 0x15, 0x52, 0x75,
+ 0x6e, 0x74, 0x69, 0x6d, 0x65, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x50, 0x6f, 0x6c,
+ 0x69, 0x63, 0x79, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28,
+ 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x1c, 0x0a, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73,
+ 0x70, 0x61, 0x63, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x6e, 0x61, 0x6d, 0x65,
+ 0x73, 0x70, 0x61, 0x63, 0x65, 0x22, 0x2e, 0x0a, 0x18, 0x52, 0x75, 0x6e, 0x74, 0x69, 0x6d, 0x65,
+ 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x45, 0x78, 0x65, 0x63, 0x75, 0x74, 0x69, 0x6f,
+ 0x6e, 0x12, 0x12, 0x0a, 0x04, 0x70, 0x61, 0x74, 0x68, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52,
+ 0x04, 0x70, 0x61, 0x74, 0x68, 0x22, 0xcb, 0x01, 0x0a, 0x13, 0x52, 0x75, 0x6e, 0x74, 0x69, 0x6d,
+ 0x65, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x52, 0x75, 0x6c, 0x65, 0x12, 0x35, 0x0a,
+ 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x21, 0x2e, 0x74, 0x65,
+ 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x52, 0x75, 0x6e, 0x74, 0x69, 0x6d, 0x65, 0x53, 0x65,
+ 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x52, 0x75, 0x6c, 0x65, 0x54, 0x79, 0x70, 0x65, 0x52, 0x04,
+ 0x74, 0x79, 0x70, 0x65, 0x12, 0x3b, 0x0a, 0x06, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02,
+ 0x20, 0x01, 0x28, 0x0e, 0x32, 0x23, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e,
+ 0x52, 0x75, 0x6e, 0x74, 0x69, 0x6d, 0x65, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x52,
+ 0x75, 0x6c, 0x65, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x06, 0x61, 0x63, 0x74, 0x69, 0x6f,
+ 0x6e, 0x12, 0x40, 0x0a, 0x09, 0x65, 0x78, 0x65, 0x63, 0x75, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x03,
+ 0x20, 0x01, 0x28, 0x0b, 0x32, 0x22, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e,
+ 0x52, 0x75, 0x6e, 0x74, 0x69, 0x6d, 0x65, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x45,
+ 0x78, 0x65, 0x63, 0x75, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x09, 0x65, 0x78, 0x65, 0x63, 0x75, 0x74,
+ 0x69, 0x6f, 0x6e, 0x22, 0xdc, 0x01, 0x0a, 0x16, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x52,
+ 0x75, 0x6e, 0x74, 0x69, 0x6d, 0x65, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x12, 0x2b,
+ 0x0a, 0x07, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32,
+ 0x11, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63, 0x65,
+ 0x73, 0x73, 0x52, 0x07, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x12, 0x29, 0x0a, 0x06, 0x70,
+ 0x61, 0x72, 0x65, 0x6e, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x74, 0x65,
+ 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x52, 0x06,
+ 0x70, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x12, 0x37, 0x0a, 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79,
+ 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1f, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f,
+ 0x6e, 0x2e, 0x52, 0x75, 0x6e, 0x74, 0x69, 0x6d, 0x65, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74,
+ 0x79, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12,
+ 0x31, 0x0a, 0x04, 0x72, 0x75, 0x6c, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1d, 0x2e,
+ 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x52, 0x75, 0x6e, 0x74, 0x69, 0x6d, 0x65,
+ 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x52, 0x75, 0x6c, 0x65, 0x52, 0x04, 0x72, 0x75,
+ 0x6c, 0x65, 0x22, 0xd1, 0x06, 0x0a, 0x11, 0x47, 0x65, 0x74, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x73,
+ 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x3a, 0x0a, 0x0c, 0x70, 0x72, 0x6f, 0x63,
+ 0x65, 0x73, 0x73, 0x5f, 0x65, 0x78, 0x65, 0x63, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x15,
+ 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73,
+ 0x73, 0x45, 0x78, 0x65, 0x63, 0x48, 0x00, 0x52, 0x0b, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73,
+ 0x45, 0x78, 0x65, 0x63, 0x12, 0x3a, 0x0a, 0x0c, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x5f,
+ 0x65, 0x78, 0x69, 0x74, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x74, 0x65, 0x74,
+ 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x45, 0x78, 0x69,
+ 0x74, 0x48, 0x00, 0x52, 0x0b, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x45, 0x78, 0x69, 0x74,
+ 0x12, 0x40, 0x0a, 0x0e, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x6b, 0x70, 0x72, 0x6f,
+ 0x62, 0x65, 0x18, 0x09, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61,
+ 0x67, 0x6f, 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x4b, 0x70, 0x72, 0x6f, 0x62,
+ 0x65, 0x48, 0x00, 0x52, 0x0d, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x4b, 0x70, 0x72, 0x6f,
+ 0x62, 0x65, 0x12, 0x4c, 0x0a, 0x12, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x74, 0x72,
+ 0x61, 0x63, 0x65, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1b,
+ 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73,
+ 0x73, 0x54, 0x72, 0x61, 0x63, 0x65, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x48, 0x00, 0x52, 0x11, 0x70,
+ 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x54, 0x72, 0x61, 0x63, 0x65, 0x70, 0x6f, 0x69, 0x6e, 0x74,
+ 0x12, 0x40, 0x0a, 0x0e, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x6c, 0x6f, 0x61, 0x64,
+ 0x65, 0x72, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61,
+ 0x67, 0x6f, 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x4c, 0x6f, 0x61, 0x64, 0x65,
+ 0x72, 0x48, 0x00, 0x52, 0x0d, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x4c, 0x6f, 0x61, 0x64,
+ 0x65, 0x72, 0x12, 0x40, 0x0a, 0x0e, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x75, 0x70,
+ 0x72, 0x6f, 0x62, 0x65, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x74, 0x65, 0x74,
+ 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x55, 0x70, 0x72,
+ 0x6f, 0x62, 0x65, 0x48, 0x00, 0x52, 0x0d, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x55, 0x70,
+ 0x72, 0x6f, 0x62, 0x65, 0x12, 0x46, 0x0a, 0x10, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x5f,
+ 0x74, 0x68, 0x72, 0x6f, 0x74, 0x74, 0x6c, 0x65, 0x18, 0x1b, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19,
+ 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73,
+ 0x73, 0x54, 0x68, 0x72, 0x6f, 0x74, 0x74, 0x6c, 0x65, 0x48, 0x00, 0x52, 0x0f, 0x70, 0x72, 0x6f,
+ 0x63, 0x65, 0x73, 0x73, 0x54, 0x68, 0x72, 0x6f, 0x74, 0x74, 0x6c, 0x65, 0x12, 0x5c, 0x0a, 0x18,
+ 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x72, 0x75, 0x6e, 0x74, 0x69, 0x6d, 0x65, 0x5f,
+ 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x18, 0x1c, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x20,
+ 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73,
+ 0x73, 0x52, 0x75, 0x6e, 0x74, 0x69, 0x6d, 0x65, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79,
+ 0x48, 0x00, 0x52, 0x16, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x52, 0x75, 0x6e, 0x74, 0x69,
+ 0x6d, 0x65, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x12, 0x26, 0x0a, 0x04, 0x74, 0x65,
+ 0x73, 0x74, 0x18, 0xc0, 0xb8, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x0e, 0x2e, 0x74, 0x65, 0x74,
+ 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x54, 0x65, 0x73, 0x74, 0x48, 0x00, 0x52, 0x04, 0x74, 0x65,
+ 0x73, 0x74, 0x12, 0x43, 0x0a, 0x0f, 0x72, 0x61, 0x74, 0x65, 0x5f, 0x6c, 0x69, 0x6d, 0x69, 0x74,
+ 0x5f, 0x69, 0x6e, 0x66, 0x6f, 0x18, 0xc1, 0xb8, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e,
+ 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x52, 0x61, 0x74, 0x65, 0x4c, 0x69, 0x6d,
+ 0x69, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x48, 0x00, 0x52, 0x0d, 0x72, 0x61, 0x74, 0x65, 0x4c, 0x69,
+ 0x6d, 0x69, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x12, 0x1c, 0x0a, 0x09, 0x6e, 0x6f, 0x64, 0x65, 0x5f,
+ 0x6e, 0x61, 0x6d, 0x65, 0x18, 0xe8, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x6e, 0x6f, 0x64,
+ 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x2f, 0x0a, 0x04, 0x74, 0x69, 0x6d, 0x65, 0x18, 0xe9, 0x07,
+ 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72,
+ 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70,
+ 0x52, 0x04, 0x74, 0x69, 0x6d, 0x65, 0x12, 0x45, 0x0a, 0x10, 0x61, 0x67, 0x67, 0x72, 0x65, 0x67,
+ 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x6e, 0x66, 0x6f, 0x18, 0xea, 0x07, 0x20, 0x01, 0x28,
+ 0x0b, 0x32, 0x19, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x41, 0x67, 0x67,
+ 0x72, 0x65, 0x67, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x6e, 0x66, 0x6f, 0x52, 0x0f, 0x61, 0x67,
+ 0x67, 0x72, 0x65, 0x67, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x6e, 0x66, 0x6f, 0x42, 0x07, 0x0a,
+ 0x05, 0x65, 0x76, 0x65, 0x6e, 0x74, 0x2a, 0xe5, 0x01, 0x0a, 0x09, 0x45, 0x76, 0x65, 0x6e, 0x74,
+ 0x54, 0x79, 0x70, 0x65, 0x12, 0x09, 0x0a, 0x05, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, 0x00, 0x12,
+ 0x10, 0x0a, 0x0c, 0x50, 0x52, 0x4f, 0x43, 0x45, 0x53, 0x53, 0x5f, 0x45, 0x58, 0x45, 0x43, 0x10,
+ 0x01, 0x12, 0x10, 0x0a, 0x0c, 0x50, 0x52, 0x4f, 0x43, 0x45, 0x53, 0x53, 0x5f, 0x45, 0x58, 0x49,
+ 0x54, 0x10, 0x05, 0x12, 0x12, 0x0a, 0x0e, 0x50, 0x52, 0x4f, 0x43, 0x45, 0x53, 0x53, 0x5f, 0x4b,
+ 0x50, 0x52, 0x4f, 0x42, 0x45, 0x10, 0x09, 0x12, 0x16, 0x0a, 0x12, 0x50, 0x52, 0x4f, 0x43, 0x45,
+ 0x53, 0x53, 0x5f, 0x54, 0x52, 0x41, 0x43, 0x45, 0x50, 0x4f, 0x49, 0x4e, 0x54, 0x10, 0x0a, 0x12,
+ 0x12, 0x0a, 0x0e, 0x50, 0x52, 0x4f, 0x43, 0x45, 0x53, 0x53, 0x5f, 0x4c, 0x4f, 0x41, 0x44, 0x45,
+ 0x52, 0x10, 0x0b, 0x12, 0x12, 0x0a, 0x0e, 0x50, 0x52, 0x4f, 0x43, 0x45, 0x53, 0x53, 0x5f, 0x55,
+ 0x50, 0x52, 0x4f, 0x42, 0x45, 0x10, 0x0c, 0x12, 0x14, 0x0a, 0x10, 0x50, 0x52, 0x4f, 0x43, 0x45,
+ 0x53, 0x53, 0x5f, 0x54, 0x48, 0x52, 0x4f, 0x54, 0x54, 0x4c, 0x45, 0x10, 0x1b, 0x12, 0x1c, 0x0a,
+ 0x18, 0x50, 0x52, 0x4f, 0x43, 0x45, 0x53, 0x53, 0x5f, 0x52, 0x55, 0x4e, 0x54, 0x49, 0x4d, 0x45,
+ 0x5f, 0x53, 0x45, 0x43, 0x55, 0x52, 0x49, 0x54, 0x59, 0x10, 0x1c, 0x12, 0x0a, 0x0a, 0x04, 0x54,
+ 0x45, 0x53, 0x54, 0x10, 0xc0, 0xb8, 0x02, 0x12, 0x15, 0x0a, 0x0f, 0x52, 0x41, 0x54, 0x45, 0x5f,
+ 0x4c, 0x49, 0x4d, 0x49, 0x54, 0x5f, 0x49, 0x4e, 0x46, 0x4f, 0x10, 0xc1, 0xb8, 0x02, 0x2a, 0x2d,
+ 0x0a, 0x11, 0x46, 0x69, 0x65, 0x6c, 0x64, 0x46, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x41, 0x63, 0x74,
+ 0x69, 0x6f, 0x6e, 0x12, 0x0b, 0x0a, 0x07, 0x49, 0x4e, 0x43, 0x4c, 0x55, 0x44, 0x45, 0x10, 0x00,
+ 0x12, 0x0b, 0x0a, 0x07, 0x45, 0x58, 0x43, 0x4c, 0x55, 0x44, 0x45, 0x10, 0x01, 0x2a, 0x4b, 0x0a,
+ 0x0c, 0x54, 0x68, 0x72, 0x6f, 0x74, 0x74, 0x6c, 0x65, 0x54, 0x79, 0x70, 0x65, 0x12, 0x14, 0x0a,
+ 0x10, 0x54, 0x48, 0x52, 0x4f, 0x54, 0x54, 0x4c, 0x45, 0x5f, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57,
+ 0x4e, 0x10, 0x00, 0x12, 0x12, 0x0a, 0x0e, 0x54, 0x48, 0x52, 0x4f, 0x54, 0x54, 0x4c, 0x45, 0x5f,
+ 0x53, 0x54, 0x41, 0x52, 0x54, 0x10, 0x01, 0x12, 0x11, 0x0a, 0x0d, 0x54, 0x48, 0x52, 0x4f, 0x54,
+ 0x54, 0x4c, 0x45, 0x5f, 0x53, 0x54, 0x4f, 0x50, 0x10, 0x02, 0x2a, 0x65, 0x0a, 0x17, 0x52, 0x75,
+ 0x6e, 0x74, 0x69, 0x6d, 0x65, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x52, 0x75, 0x6c,
+ 0x65, 0x54, 0x79, 0x70, 0x65, 0x12, 0x25, 0x0a, 0x21, 0x52, 0x55, 0x4e, 0x54, 0x49, 0x4d, 0x45,
+ 0x5f, 0x53, 0x45, 0x43, 0x55, 0x52, 0x49, 0x54, 0x59, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55,
+ 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x23, 0x0a, 0x1f,
+ 0x52, 0x55, 0x4e, 0x54, 0x49, 0x4d, 0x45, 0x5f, 0x53, 0x45, 0x43, 0x55, 0x52, 0x49, 0x54, 0x59,
+ 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x58, 0x45, 0x43, 0x55, 0x54, 0x49, 0x4f, 0x4e, 0x10,
+ 0x01, 0x2a, 0x8a, 0x01, 0x0a, 0x19, 0x52, 0x75, 0x6e, 0x74, 0x69, 0x6d, 0x65, 0x53, 0x65, 0x63,
+ 0x75, 0x72, 0x69, 0x74, 0x79, 0x52, 0x75, 0x6c, 0x65, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12,
+ 0x27, 0x0a, 0x23, 0x52, 0x55, 0x4e, 0x54, 0x49, 0x4d, 0x45, 0x5f, 0x53, 0x45, 0x43, 0x55, 0x52,
+ 0x49, 0x54, 0x59, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45,
+ 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x21, 0x0a, 0x1d, 0x52, 0x55, 0x4e, 0x54,
+ 0x49, 0x4d, 0x45, 0x5f, 0x53, 0x45, 0x43, 0x55, 0x52, 0x49, 0x54, 0x59, 0x5f, 0x41, 0x43, 0x54,
+ 0x49, 0x4f, 0x4e, 0x5f, 0x41, 0x55, 0x44, 0x49, 0x54, 0x10, 0x01, 0x12, 0x21, 0x0a, 0x1d, 0x52,
+ 0x55, 0x4e, 0x54, 0x49, 0x4d, 0x45, 0x5f, 0x53, 0x45, 0x43, 0x55, 0x52, 0x49, 0x54, 0x59, 0x5f,
+ 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x42, 0x4c, 0x4f, 0x43, 0x4b, 0x10, 0x02, 0x62, 0x06,
+ 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
}
var (
@@ -1357,74 +1774,89 @@ func file_tetragon_events_proto_rawDescGZIP() []byte {
return file_tetragon_events_proto_rawDescData
}
-var file_tetragon_events_proto_enumTypes = make([]protoimpl.EnumInfo, 3)
-var file_tetragon_events_proto_msgTypes = make([]protoimpl.MessageInfo, 11)
+var file_tetragon_events_proto_enumTypes = make([]protoimpl.EnumInfo, 5)
+var file_tetragon_events_proto_msgTypes = make([]protoimpl.MessageInfo, 15)
var file_tetragon_events_proto_goTypes = []interface{}{
- (EventType)(0), // 0: tetragon.EventType
- (FieldFilterAction)(0), // 1: tetragon.FieldFilterAction
- (ThrottleType)(0), // 2: tetragon.ThrottleType
- (*Filter)(nil), // 3: tetragon.Filter
- (*CapFilter)(nil), // 4: tetragon.CapFilter
- (*CapFilterSet)(nil), // 5: tetragon.CapFilterSet
- (*RedactionFilter)(nil), // 6: tetragon.RedactionFilter
- (*FieldFilter)(nil), // 7: tetragon.FieldFilter
- (*GetEventsRequest)(nil), // 8: tetragon.GetEventsRequest
- (*AggregationOptions)(nil), // 9: tetragon.AggregationOptions
- (*AggregationInfo)(nil), // 10: tetragon.AggregationInfo
- (*RateLimitInfo)(nil), // 11: tetragon.RateLimitInfo
- (*ProcessThrottle)(nil), // 12: tetragon.ProcessThrottle
- (*GetEventsResponse)(nil), // 13: tetragon.GetEventsResponse
- (*wrapperspb.BoolValue)(nil), // 14: google.protobuf.BoolValue
- (CapabilitiesType)(0), // 15: tetragon.CapabilitiesType
- (*fieldmaskpb.FieldMask)(nil), // 16: google.protobuf.FieldMask
- (*durationpb.Duration)(nil), // 17: google.protobuf.Duration
- (*ProcessExec)(nil), // 18: tetragon.ProcessExec
- (*ProcessExit)(nil), // 19: tetragon.ProcessExit
- (*ProcessKprobe)(nil), // 20: tetragon.ProcessKprobe
- (*ProcessTracepoint)(nil), // 21: tetragon.ProcessTracepoint
- (*ProcessLoader)(nil), // 22: tetragon.ProcessLoader
- (*ProcessUprobe)(nil), // 23: tetragon.ProcessUprobe
- (*Test)(nil), // 24: tetragon.Test
- (*timestamppb.Timestamp)(nil), // 25: google.protobuf.Timestamp
+ (EventType)(0), // 0: tetragon.EventType
+ (FieldFilterAction)(0), // 1: tetragon.FieldFilterAction
+ (ThrottleType)(0), // 2: tetragon.ThrottleType
+ (RuntimeSecurityRuleType)(0), // 3: tetragon.RuntimeSecurityRuleType
+ (RuntimeSecurityRuleAction)(0), // 4: tetragon.RuntimeSecurityRuleAction
+ (*Filter)(nil), // 5: tetragon.Filter
+ (*CapFilter)(nil), // 6: tetragon.CapFilter
+ (*CapFilterSet)(nil), // 7: tetragon.CapFilterSet
+ (*RedactionFilter)(nil), // 8: tetragon.RedactionFilter
+ (*FieldFilter)(nil), // 9: tetragon.FieldFilter
+ (*GetEventsRequest)(nil), // 10: tetragon.GetEventsRequest
+ (*AggregationOptions)(nil), // 11: tetragon.AggregationOptions
+ (*AggregationInfo)(nil), // 12: tetragon.AggregationInfo
+ (*RateLimitInfo)(nil), // 13: tetragon.RateLimitInfo
+ (*ProcessThrottle)(nil), // 14: tetragon.ProcessThrottle
+ (*RuntimeSecurityPolicy)(nil), // 15: tetragon.RuntimeSecurityPolicy
+ (*RuntimeSecurityExecution)(nil), // 16: tetragon.RuntimeSecurityExecution
+ (*RuntimeSecurityRule)(nil), // 17: tetragon.RuntimeSecurityRule
+ (*ProcessRuntimeSecurity)(nil), // 18: tetragon.ProcessRuntimeSecurity
+ (*GetEventsResponse)(nil), // 19: tetragon.GetEventsResponse
+ (*wrapperspb.BoolValue)(nil), // 20: google.protobuf.BoolValue
+ (CapabilitiesType)(0), // 21: tetragon.CapabilitiesType
+ (*fieldmaskpb.FieldMask)(nil), // 22: google.protobuf.FieldMask
+ (*durationpb.Duration)(nil), // 23: google.protobuf.Duration
+ (*Process)(nil), // 24: tetragon.Process
+ (*ProcessExec)(nil), // 25: tetragon.ProcessExec
+ (*ProcessExit)(nil), // 26: tetragon.ProcessExit
+ (*ProcessKprobe)(nil), // 27: tetragon.ProcessKprobe
+ (*ProcessTracepoint)(nil), // 28: tetragon.ProcessTracepoint
+ (*ProcessLoader)(nil), // 29: tetragon.ProcessLoader
+ (*ProcessUprobe)(nil), // 30: tetragon.ProcessUprobe
+ (*Test)(nil), // 31: tetragon.Test
+ (*timestamppb.Timestamp)(nil), // 32: google.protobuf.Timestamp
}
var file_tetragon_events_proto_depIdxs = []int32{
- 14, // 0: tetragon.Filter.health_check:type_name -> google.protobuf.BoolValue
+ 20, // 0: tetragon.Filter.health_check:type_name -> google.protobuf.BoolValue
0, // 1: tetragon.Filter.event_set:type_name -> tetragon.EventType
- 4, // 2: tetragon.Filter.capabilities:type_name -> tetragon.CapFilter
- 5, // 3: tetragon.CapFilter.permitted:type_name -> tetragon.CapFilterSet
- 5, // 4: tetragon.CapFilter.effective:type_name -> tetragon.CapFilterSet
- 5, // 5: tetragon.CapFilter.inheritable:type_name -> tetragon.CapFilterSet
- 15, // 6: tetragon.CapFilterSet.any:type_name -> tetragon.CapabilitiesType
- 15, // 7: tetragon.CapFilterSet.all:type_name -> tetragon.CapabilitiesType
- 15, // 8: tetragon.CapFilterSet.exactly:type_name -> tetragon.CapabilitiesType
- 15, // 9: tetragon.CapFilterSet.none:type_name -> tetragon.CapabilitiesType
- 3, // 10: tetragon.RedactionFilter.match:type_name -> tetragon.Filter
+ 6, // 2: tetragon.Filter.capabilities:type_name -> tetragon.CapFilter
+ 7, // 3: tetragon.CapFilter.permitted:type_name -> tetragon.CapFilterSet
+ 7, // 4: tetragon.CapFilter.effective:type_name -> tetragon.CapFilterSet
+ 7, // 5: tetragon.CapFilter.inheritable:type_name -> tetragon.CapFilterSet
+ 21, // 6: tetragon.CapFilterSet.any:type_name -> tetragon.CapabilitiesType
+ 21, // 7: tetragon.CapFilterSet.all:type_name -> tetragon.CapabilitiesType
+ 21, // 8: tetragon.CapFilterSet.exactly:type_name -> tetragon.CapabilitiesType
+ 21, // 9: tetragon.CapFilterSet.none:type_name -> tetragon.CapabilitiesType
+ 5, // 10: tetragon.RedactionFilter.match:type_name -> tetragon.Filter
0, // 11: tetragon.FieldFilter.event_set:type_name -> tetragon.EventType
- 16, // 12: tetragon.FieldFilter.fields:type_name -> google.protobuf.FieldMask
+ 22, // 12: tetragon.FieldFilter.fields:type_name -> google.protobuf.FieldMask
1, // 13: tetragon.FieldFilter.action:type_name -> tetragon.FieldFilterAction
- 14, // 14: tetragon.FieldFilter.invert_event_set:type_name -> google.protobuf.BoolValue
- 3, // 15: tetragon.GetEventsRequest.allow_list:type_name -> tetragon.Filter
- 3, // 16: tetragon.GetEventsRequest.deny_list:type_name -> tetragon.Filter
- 9, // 17: tetragon.GetEventsRequest.aggregation_options:type_name -> tetragon.AggregationOptions
- 7, // 18: tetragon.GetEventsRequest.field_filters:type_name -> tetragon.FieldFilter
- 17, // 19: tetragon.AggregationOptions.window_size:type_name -> google.protobuf.Duration
+ 20, // 14: tetragon.FieldFilter.invert_event_set:type_name -> google.protobuf.BoolValue
+ 5, // 15: tetragon.GetEventsRequest.allow_list:type_name -> tetragon.Filter
+ 5, // 16: tetragon.GetEventsRequest.deny_list:type_name -> tetragon.Filter
+ 11, // 17: tetragon.GetEventsRequest.aggregation_options:type_name -> tetragon.AggregationOptions
+ 9, // 18: tetragon.GetEventsRequest.field_filters:type_name -> tetragon.FieldFilter
+ 23, // 19: tetragon.AggregationOptions.window_size:type_name -> google.protobuf.Duration
2, // 20: tetragon.ProcessThrottle.type:type_name -> tetragon.ThrottleType
- 18, // 21: tetragon.GetEventsResponse.process_exec:type_name -> tetragon.ProcessExec
- 19, // 22: tetragon.GetEventsResponse.process_exit:type_name -> tetragon.ProcessExit
- 20, // 23: tetragon.GetEventsResponse.process_kprobe:type_name -> tetragon.ProcessKprobe
- 21, // 24: tetragon.GetEventsResponse.process_tracepoint:type_name -> tetragon.ProcessTracepoint
- 22, // 25: tetragon.GetEventsResponse.process_loader:type_name -> tetragon.ProcessLoader
- 23, // 26: tetragon.GetEventsResponse.process_uprobe:type_name -> tetragon.ProcessUprobe
- 12, // 27: tetragon.GetEventsResponse.process_throttle:type_name -> tetragon.ProcessThrottle
- 24, // 28: tetragon.GetEventsResponse.test:type_name -> tetragon.Test
- 11, // 29: tetragon.GetEventsResponse.rate_limit_info:type_name -> tetragon.RateLimitInfo
- 25, // 30: tetragon.GetEventsResponse.time:type_name -> google.protobuf.Timestamp
- 10, // 31: tetragon.GetEventsResponse.aggregation_info:type_name -> tetragon.AggregationInfo
- 32, // [32:32] is the sub-list for method output_type
- 32, // [32:32] is the sub-list for method input_type
- 32, // [32:32] is the sub-list for extension type_name
- 32, // [32:32] is the sub-list for extension extendee
- 0, // [0:32] is the sub-list for field type_name
+ 3, // 21: tetragon.RuntimeSecurityRule.type:type_name -> tetragon.RuntimeSecurityRuleType
+ 4, // 22: tetragon.RuntimeSecurityRule.action:type_name -> tetragon.RuntimeSecurityRuleAction
+ 16, // 23: tetragon.RuntimeSecurityRule.execution:type_name -> tetragon.RuntimeSecurityExecution
+ 24, // 24: tetragon.ProcessRuntimeSecurity.process:type_name -> tetragon.Process
+ 24, // 25: tetragon.ProcessRuntimeSecurity.parent:type_name -> tetragon.Process
+ 15, // 26: tetragon.ProcessRuntimeSecurity.policy:type_name -> tetragon.RuntimeSecurityPolicy
+ 17, // 27: tetragon.ProcessRuntimeSecurity.rule:type_name -> tetragon.RuntimeSecurityRule
+ 25, // 28: tetragon.GetEventsResponse.process_exec:type_name -> tetragon.ProcessExec
+ 26, // 29: tetragon.GetEventsResponse.process_exit:type_name -> tetragon.ProcessExit
+ 27, // 30: tetragon.GetEventsResponse.process_kprobe:type_name -> tetragon.ProcessKprobe
+ 28, // 31: tetragon.GetEventsResponse.process_tracepoint:type_name -> tetragon.ProcessTracepoint
+ 29, // 32: tetragon.GetEventsResponse.process_loader:type_name -> tetragon.ProcessLoader
+ 30, // 33: tetragon.GetEventsResponse.process_uprobe:type_name -> tetragon.ProcessUprobe
+ 14, // 34: tetragon.GetEventsResponse.process_throttle:type_name -> tetragon.ProcessThrottle
+ 18, // 35: tetragon.GetEventsResponse.process_runtime_security:type_name -> tetragon.ProcessRuntimeSecurity
+ 31, // 36: tetragon.GetEventsResponse.test:type_name -> tetragon.Test
+ 13, // 37: tetragon.GetEventsResponse.rate_limit_info:type_name -> tetragon.RateLimitInfo
+ 32, // 38: tetragon.GetEventsResponse.time:type_name -> google.protobuf.Timestamp
+ 12, // 39: tetragon.GetEventsResponse.aggregation_info:type_name -> tetragon.AggregationInfo
+ 40, // [40:40] is the sub-list for method output_type
+ 40, // [40:40] is the sub-list for method input_type
+ 40, // [40:40] is the sub-list for extension type_name
+ 40, // [40:40] is the sub-list for extension extendee
+ 0, // [0:40] is the sub-list for field type_name
}
func init() { file_tetragon_events_proto_init() }
@@ -1556,6 +1988,54 @@ func file_tetragon_events_proto_init() {
}
}
file_tetragon_events_proto_msgTypes[10].Exporter = func(v interface{}, i int) interface{} {
+ switch v := v.(*RuntimeSecurityPolicy); i {
+ case 0:
+ return &v.state
+ case 1:
+ return &v.sizeCache
+ case 2:
+ return &v.unknownFields
+ default:
+ return nil
+ }
+ }
+ file_tetragon_events_proto_msgTypes[11].Exporter = func(v interface{}, i int) interface{} {
+ switch v := v.(*RuntimeSecurityExecution); i {
+ case 0:
+ return &v.state
+ case 1:
+ return &v.sizeCache
+ case 2:
+ return &v.unknownFields
+ default:
+ return nil
+ }
+ }
+ file_tetragon_events_proto_msgTypes[12].Exporter = func(v interface{}, i int) interface{} {
+ switch v := v.(*RuntimeSecurityRule); i {
+ case 0:
+ return &v.state
+ case 1:
+ return &v.sizeCache
+ case 2:
+ return &v.unknownFields
+ default:
+ return nil
+ }
+ }
+ file_tetragon_events_proto_msgTypes[13].Exporter = func(v interface{}, i int) interface{} {
+ switch v := v.(*ProcessRuntimeSecurity); i {
+ case 0:
+ return &v.state
+ case 1:
+ return &v.sizeCache
+ case 2:
+ return &v.unknownFields
+ default:
+ return nil
+ }
+ }
+ file_tetragon_events_proto_msgTypes[14].Exporter = func(v interface{}, i int) interface{} {
switch v := v.(*GetEventsResponse); i {
case 0:
return &v.state
@@ -1568,7 +2048,7 @@ func file_tetragon_events_proto_init() {
}
}
}
- file_tetragon_events_proto_msgTypes[10].OneofWrappers = []interface{}{
+ file_tetragon_events_proto_msgTypes[14].OneofWrappers = []interface{}{
(*GetEventsResponse_ProcessExec)(nil),
(*GetEventsResponse_ProcessExit)(nil),
(*GetEventsResponse_ProcessKprobe)(nil),
@@ -1576,6 +2056,7 @@ func file_tetragon_events_proto_init() {
(*GetEventsResponse_ProcessLoader)(nil),
(*GetEventsResponse_ProcessUprobe)(nil),
(*GetEventsResponse_ProcessThrottle)(nil),
+ (*GetEventsResponse_ProcessRuntimeSecurity)(nil),
(*GetEventsResponse_Test)(nil),
(*GetEventsResponse_RateLimitInfo)(nil),
}
@@ -1584,8 +2065,8 @@ func file_tetragon_events_proto_init() {
File: protoimpl.DescBuilder{
GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
RawDescriptor: file_tetragon_events_proto_rawDesc,
- NumEnums: 3,
- NumMessages: 11,
+ NumEnums: 5,
+ NumMessages: 15,
NumExtensions: 0,
NumServices: 0,
},
diff --git a/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.pb.json.go b/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.pb.json.go
index 589d91748f7..4c71251dbf9 100644
--- a/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.pb.json.go
+++ b/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.pb.json.go
@@ -167,6 +167,70 @@ func (msg *ProcessThrottle) UnmarshalJSON(b []byte) error {
}.Unmarshal(b, msg)
}
+// MarshalJSON implements json.Marshaler
+func (msg *RuntimeSecurityPolicy) MarshalJSON() ([]byte, error) {
+ return protojson.MarshalOptions{
+ UseEnumNumbers: false,
+ EmitUnpopulated: false,
+ UseProtoNames: true,
+ }.Marshal(msg)
+}
+
+// UnmarshalJSON implements json.Unmarshaler
+func (msg *RuntimeSecurityPolicy) UnmarshalJSON(b []byte) error {
+ return protojson.UnmarshalOptions{
+ DiscardUnknown: false,
+ }.Unmarshal(b, msg)
+}
+
+// MarshalJSON implements json.Marshaler
+func (msg *RuntimeSecurityExecution) MarshalJSON() ([]byte, error) {
+ return protojson.MarshalOptions{
+ UseEnumNumbers: false,
+ EmitUnpopulated: false,
+ UseProtoNames: true,
+ }.Marshal(msg)
+}
+
+// UnmarshalJSON implements json.Unmarshaler
+func (msg *RuntimeSecurityExecution) UnmarshalJSON(b []byte) error {
+ return protojson.UnmarshalOptions{
+ DiscardUnknown: false,
+ }.Unmarshal(b, msg)
+}
+
+// MarshalJSON implements json.Marshaler
+func (msg *RuntimeSecurityRule) MarshalJSON() ([]byte, error) {
+ return protojson.MarshalOptions{
+ UseEnumNumbers: false,
+ EmitUnpopulated: false,
+ UseProtoNames: true,
+ }.Marshal(msg)
+}
+
+// UnmarshalJSON implements json.Unmarshaler
+func (msg *RuntimeSecurityRule) UnmarshalJSON(b []byte) error {
+ return protojson.UnmarshalOptions{
+ DiscardUnknown: false,
+ }.Unmarshal(b, msg)
+}
+
+// MarshalJSON implements json.Marshaler
+func (msg *ProcessRuntimeSecurity) MarshalJSON() ([]byte, error) {
+ return protojson.MarshalOptions{
+ UseEnumNumbers: false,
+ EmitUnpopulated: false,
+ UseProtoNames: true,
+ }.Marshal(msg)
+}
+
+// UnmarshalJSON implements json.Unmarshaler
+func (msg *ProcessRuntimeSecurity) UnmarshalJSON(b []byte) error {
+ return protojson.UnmarshalOptions{
+ DiscardUnknown: false,
+ }.Unmarshal(b, msg)
+}
+
// MarshalJSON implements json.Marshaler
func (msg *GetEventsResponse) MarshalJSON() ([]byte, error) {
return protojson.MarshalOptions{
diff --git a/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.proto b/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.proto
index f2bd554645f..3fc6685cea4 100644
--- a/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.proto
+++ b/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.proto
@@ -26,6 +26,7 @@ enum EventType {
PROCESS_LOADER = 11;
PROCESS_UPROBE = 12;
PROCESS_THROTTLE = 27;
+ PROCESS_RUNTIME_SECURITY = 28;
TEST = 40000;
RATE_LIMIT_INFO = 40001;
@@ -165,6 +166,50 @@ message ProcessThrottle {
string cgroup = 2;
}
+message RuntimeSecurityPolicy {
+ // Name of the RuntimeSecurityPolicy associated with that event.
+ string name = 1;
+ // Namespace of the RuntimeSecurityPolicy associated with that event.
+ string namespace = 2;
+}
+
+enum RuntimeSecurityRuleType {
+ RUNTIME_SECURITY_TYPE_UNSPECIFIED = 0;
+ RUNTIME_SECURITY_TYPE_EXECUTION = 1;
+}
+
+enum RuntimeSecurityRuleAction {
+ RUNTIME_SECURITY_ACTION_UNSPECIFIED = 0;
+ RUNTIME_SECURITY_ACTION_AUDIT = 1;
+ RUNTIME_SECURITY_ACTION_BLOCK = 2;
+}
+
+message RuntimeSecurityExecution {
+ // Path of the binary that triggered the execution rule.
+ string path = 1;
+}
+
+message RuntimeSecurityRule {
+ // Type of the rule that triggered this event.
+ RuntimeSecurityRuleType type = 1;
+ // Action of the rule that triggered this event.
+ RuntimeSecurityRuleAction action = 2;
+ // Execution is set if the rule type is Execution and provide details
+ // specific to execution.
+ RuntimeSecurityExecution execution = 3;
+}
+
+message ProcessRuntimeSecurity {
+ // Process that triggered the exec.
+ Process process = 1;
+ // Immediate parent of the process.
+ Process parent = 2;
+ // RuntimeSecurityPolicy associated with that event.
+ RuntimeSecurityPolicy policy = 3;
+ // Rule is the rule that triggered that event from the RuntimeSecurityPolicy.
+ RuntimeSecurityRule rule = 4;
+}
+
message GetEventsResponse {
// The type-specific fields of an event.
//
@@ -184,6 +229,7 @@ message GetEventsResponse {
ProcessLoader process_loader = 11;
ProcessUprobe process_uprobe = 12;
ProcessThrottle process_throttle = 27;
+ ProcessRuntimeSecurity process_runtime_security = 28;
Test test = 40000;
RateLimitInfo rate_limit_info = 40001;
diff --git a/vendor/github.com/cilium/tetragon/api/v1/tetragon/types.pb.go b/vendor/github.com/cilium/tetragon/api/v1/tetragon/types.pb.go
index f418b3eaca8..20495cc6a9e 100644
--- a/vendor/github.com/cilium/tetragon/api/v1/tetragon/types.pb.go
+++ b/vendor/github.com/cilium/tetragon/api/v1/tetragon/types.pb.go
@@ -167,6 +167,26 @@ func (event *ProcessThrottle) Encapsulate() IsGetEventsResponse_Event {
}
}
+// Encapsulate implements the Event interface.
+// Returns the event wrapped by its GetEventsResponse_* type.
+func (event *ProcessRuntimeSecurity) Encapsulate() IsGetEventsResponse_Event {
+ return &GetEventsResponse_ProcessRuntimeSecurity{
+ ProcessRuntimeSecurity: event,
+ }
+}
+
+// SetProcess implements the ProcessEvent interface.
+// Sets the Process field of an event.
+func (event *ProcessRuntimeSecurity) SetProcess(p *Process) {
+ event.Process = p
+}
+
+// SetParent implements the ParentEvent interface.
+// Sets the Parent field of an event.
+func (event *ProcessRuntimeSecurity) SetParent(p *Process) {
+ event.Parent = p
+}
+
// UnwrapGetEventsResponse gets the inner event type from a GetEventsResponse
func UnwrapGetEventsResponse(response *GetEventsResponse) interface{} {
event := response.GetEvent()
@@ -192,6 +212,8 @@ func UnwrapGetEventsResponse(response *GetEventsResponse) interface{} {
return ev.RateLimitInfo
case *GetEventsResponse_ProcessThrottle:
return ev.ProcessThrottle
+ case *GetEventsResponse_ProcessRuntimeSecurity:
+ return ev.ProcessRuntimeSecurity
}
return nil
}
diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_runtimesecuritypolicies.yaml b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_runtimesecuritypolicies.yaml
new file mode 100644
index 00000000000..7cdb59e0089
--- /dev/null
+++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_runtimesecuritypolicies.yaml
@@ -0,0 +1,174 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.14.0
+ creationTimestamp: null
+ name: runtimesecuritypolicies.cilium.io
+spec:
+ group: cilium.io
+ names:
+ kind: RuntimeSecurityPolicy
+ listKind: RuntimeSecurityPolicyList
+ plural: runtimesecuritypolicies
+ shortNames:
+ - rsp
+ singular: runtimesecuritypolicy
+ scope: Cluster
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Runtime security policy specification.
+ properties:
+ rules:
+ description: Runtime security policy rules to apply.
+ items:
+ oneOf:
+ - properties:
+ executionConfig: {}
+ required:
+ - executionConfig
+ properties:
+ executionConfig:
+ description: Configuration for a rule of type Execution.
+ properties:
+ action:
+ description: A rule execution config action is the set of
+ actions that can be used in an rule execution config.
+ enum:
+ - Audit
+ - Block
+ type: string
+ required:
+ - action
+ type: object
+ type:
+ description: Rule type.
+ enum:
+ - Execution
+ type: string
+ required:
+ - type
+ type: object
+ minItems: 1
+ type: array
+ selectors:
+ description: Selectors to select on which object applying the runtime
+ security policy.
+ properties:
+ executableSelector:
+ properties:
+ matchPaths:
+ items:
+ properties:
+ operator:
+ description: A match paths operator is the set of available
+ operator that can be used in a match paths selector.
+ enum:
+ - In
+ - NotIn
+ type: string
+ pattern:
+ description: A match paths pattern is the set of available
+ pattern that can be used in a match paths selector.
+ enum:
+ - Full
+ - Prefix
+ - Postfix
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ required:
+ - operator
+ - pattern
+ type: object
+ type: array
+ type: object
+ podSelector:
+ description: PodSelector selects pods that this policy applies
+ to
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector
+ requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a selector
+ that contains values, a key, and an operator that relates
+ the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are In, NotIn,
+ Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: values is an array of string values. If
+ the operator is In or NotIn, the values array must
+ be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced
+ during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the value from
+ the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: matchLabels is a map of {key,value} pairs. A
+ single {key,value} in the matchLabels map is equivalent
+ to an element of matchExpressions, whose key field is "key",
+ the operator is "In", and the values array contains only
+ "value". The requirements are ANDed.
+ type: object
+ type: object
+ type: object
+ required:
+ - rules
+ type: object
+ required:
+ - metadata
+ - spec
+ type: object
+ served: true
+ storage: true
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/register.go b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/register.go
index 6f846e2720b..4d27c19f07d 100644
--- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/register.go
+++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/register.go
@@ -35,9 +35,19 @@ var (
v1alpha1.PIName,
crdsv1Alpha1PodInfo)
+ //go:embed crds/v1alpha1/cilium.io_runtimesecuritypolicies.yaml
+ crdsv1Alpha1RuntimeSecurityPolicies []byte
+
+ RuntimeSecurityPolicyCRD = crdutils.NewCRDBytes(
+ v1alpha1.RuntimeSecurityPolicyCRDName,
+ v1alpha1.RuntimeSecurityPolicyName,
+ crdsv1Alpha1RuntimeSecurityPolicies,
+ )
+
AllCRDs = []crdutils.CRD{
TracingPolicyCRD,
TracingPolicyNamespacedCRD,
PodInfoCRD,
+ RuntimeSecurityPolicyCRD,
}
)
diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/register.go b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/register.go
index 07e8ce05575..4cb8a143565 100644
--- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/register.go
+++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/register.go
@@ -54,6 +54,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
&TracingPolicyNamespacedList{},
&PodInfo{},
&PodInfoList{},
+ &RuntimeSecurityPolicy{},
+ &RuntimeSecurityPolicyList{},
)
metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
return nil
diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/runtimesecuritypolicy_types.go b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/runtimesecuritypolicy_types.go
new file mode 100644
index 00000000000..48ec88a4d06
--- /dev/null
+++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/runtimesecuritypolicy_types.go
@@ -0,0 +1,127 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Tetragon
+
+package v1alpha1
+
+import (
+ slimv1 "github.com/cilium/cilium/pkg/k8s/slim/k8s/apis/meta/v1"
+ ciliumio "github.com/cilium/tetragon/pkg/k8s/apis/cilium.io"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+const (
+ // RuntimeSecurityPolicyPluralName is the plural name of the Runtime Security Policy
+ RuntimeSecurityPolicyPluralName = "runtimesecuritypolicies"
+
+ // RuntimeSecurityPolicyKindDefinition is the kind name of Runtime Security Policy
+ RuntimeSecurityPolicyKindDefinition = "RuntimeSecurityPolicy"
+
+ // RuntimeSecurityPolicyName is the full name of the Runtime Security Policy
+ RuntimeSecurityPolicyName = RuntimeSecurityPolicyPluralName + "." + ciliumio.GroupName
+
+ // RuntimeSecurityPolicyCRDName is the full name of the Runtime Security Policy CRD.
+ RuntimeSecurityPolicyCRDName = RuntimeSecurityPolicyKindDefinition + "/" + CRDVersion
+)
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type RuntimeSecurityPolicyList struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ListMeta `json:"metadata"`
+ Items []RuntimeSecurityPolicy `json:"items,omitempty"`
+}
+
+// +genclient
+// +genclient:noStatus
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:resource:singular="runtimesecuritypolicy",path="runtimesecuritypolicies",scope="Cluster",shortName={"rsp"}
+type RuntimeSecurityPolicy struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata"`
+ // Runtime security policy specification.
+ // +kubebuilder:validation:Required
+ Spec RuntimeSecurityPolicySpec `json:"spec"`
+}
+
+type RuntimeSecurityPolicySpec struct {
+ // +kubebuilder:validation:Optional
+ // Selectors to select on which object applying the runtime security policy.
+ Selectors *RuntimeSecurityPolicySelector `json:"selectors,omitempty"`
+ // +kubebuilder:validation:Required
+ // +kubebuilder:validation:MinItems=1
+ // Runtime security policy rules to apply.
+ Rules []RuntimeSecurityPolicyRule `json:"rules"`
+}
+
+type RuntimeSecurityPolicyRule struct {
+ // +kubebuilder:validation:Enum=Execution
+ // +kubebuilder:validation:Required
+ // Rule type.
+ Type RuntimeSecurityPolicyRuleType `json:"type"`
+ // +kubebuilder:validation:OneOf
+ // Configuration for a rule of type Execution.
+ ExecutionConfig *RuleExecutionConfig `json:"executionConfig,omitempty"`
+}
+
+// A runtime security policy rule type is the set of types that can be used in a runtime security policy rule.
+type RuntimeSecurityPolicyRuleType string
+
+const (
+ RuntimeSecurityPolicyRuleTypeExecution RuntimeSecurityPolicyRuleType = "Execution"
+)
+
+type RuleExecutionConfig struct {
+ // +kubebuilder:validation:Enum=Audit;Block
+ // +kubebuilder:validation:Required
+ Action RuleExecutionConfigAction `json:"action"`
+}
+
+// A rule execution config action is the set of actions that can be used in an rule execution config.
+type RuleExecutionConfigAction string
+
+const (
+ ExecutionConfigActionAudit RuleExecutionConfigAction = "Audit"
+ ExecutionConfigActionBlock RuleExecutionConfigAction = "Block"
+)
+
+type RuntimeSecurityPolicySelector struct {
+ // +kubebuilder:validation:Optional
+ // PodSelector selects pods that this policy applies to
+ PodSelector *slimv1.LabelSelector `json:"podSelector,omitempty"`
+
+ // +kubebuilder:validation:Optional
+ ExecutableSelector *ExecutableSelector `json:"executableSelector,omitempty"`
+}
+
+type ExecutableSelector struct {
+ // +kubebuilder:validation:Optional
+ MatchPaths []MatchPathsSelector `json:"matchPaths,omitempty"`
+}
+
+type MatchPathsSelector struct {
+ // +kubebuilder:validation:Required
+ // +kubebuilder:validation:Enum=Full;Prefix;Postfix
+ Pattern MatchPathsPattern `json:"pattern"`
+ // +kubebuilder:validation:Required
+ // +kubebuilder:validation:Enum=In;NotIn
+ Operator MatchPathsOperator `json:"operator"`
+ // +kubebuilder:validation:Optional
+ Values []string `json:"values,omitempty"`
+}
+
+// A match paths pattern is the set of available pattern that can be used in a match paths selector.
+type MatchPathsPattern string
+
+const (
+ MatchPathsPatternFull MatchPathsPattern = "Full"
+ MatchPathsPatternPrefix MatchPathsPattern = "Prefix"
+ MatchPathsPatternPostfix MatchPathsPattern = "Postfix"
+)
+
+// A match paths operator is the set of available operator that can be used in a match paths selector.
+type MatchPathsOperator string
+
+const (
+ MatchPathsOperatorEqual MatchPathsOperator = "In"
+ MatchPathsOperatorNotEqual MatchPathsOperator = "NotIn"
+)
diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go
index e491c37df3e..216f7a8c611 100644
--- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go
+++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go
@@ -68,7 +68,7 @@ type KProbeArg struct {
// +kubebuilder:validation:Minimum=0
// Specifies the position of the corresponding size argument for this argument.
// This field is used only for char_buf and char_iovec types.
- SizeArgIndex uint32 `json:"sizeArgIndex"`
+ SizeArgIndex uint32 `json:"sizeArgIndex,omitempty"`
// +kubebuilder:validation:Optional
// +kubebuilder:default=false
// This field is used only for char_buf and char_iovec types. It indicates
@@ -76,17 +76,17 @@ type KProbeArg struct {
// symbol is triggered) because it might not be populated when the kprobe
// is triggered at the entrance of the function. For example, a buffer
// supplied to read(2) won't have content until kretprobe is triggered.
- ReturnCopy bool `json:"returnCopy"`
+ ReturnCopy bool `json:"returnCopy,omitempty"`
// +kubebuilder:validation:Optional
// +kubebuilder:default=false
// Read maximum possible data (currently 327360). This field is only used
// for char_buff data. When this value is false (default), the bpf program
// will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
// supports fetching up to 327360 bytes if this flag is turned on
- MaxData bool `json:"maxData"`
+ MaxData bool `json:"maxData,omitempty"`
// +kubebuilder:validation:Optional
// Label to output in the JSON
- Label string `json:"label"`
+ Label string `json:"label,omitempty"`
}
type BinarySelector struct {
@@ -201,30 +201,30 @@ type ActionSelector struct {
Action string `json:"action"`
// +kubebuilder:validation:Optional
// An arg index for the fd for fdInstall action
- ArgFd uint32 `json:"argFd"`
+ ArgFd uint32 `json:"argFd,omitempty"`
// +kubebuilder:validation:Optional
// An arg index for the filename for fdInstall action
- ArgName uint32 `json:"argName"`
+ ArgName uint32 `json:"argName,omitempty"`
// +kubebuilder:validation:Optional
// A URL for the getUrl action
- ArgUrl string `json:"argUrl"`
+ ArgUrl string `json:"argUrl,omitempty"`
// +kubebuilder:validation:Optional
// A FQDN to lookup for the dnsLookup action
- ArgFqdn string `json:"argFqdn"`
+ ArgFqdn string `json:"argFqdn,omitempty"`
// +kubebuilder:validation:Optional
// error value for override action
- ArgError int32 `json:"argError"`
+ ArgError int32 `json:"argError,omitempty"`
// +kubebuilder:validation:Optional
// A signal number for signal action
- ArgSig uint32 `json:"argSig"`
+ ArgSig uint32 `json:"argSig,omitempty"`
// +kubebuilder:validation:Optional
// An arg index for the sock for trackSock and untrackSock actions
- ArgSock uint32 `json:"argSock"`
+ ArgSock uint32 `json:"argSock,omitempty"`
// +kubebuilder:validation:Optional
// A time period within which repeated messages will not be posted. Can be
// specified in seconds (default or with 's' suffix), minutes ('m' suffix)
// or hours ('h' suffix). Only valid with the post action.
- RateLimit string `json:"rateLimit"`
+ RateLimit string `json:"rateLimit,omitempty"`
// +kubebuilder:validation:Optional
// The scope of the provided rate limit argument. Can be "thread" (default),
// "process" (all threads for the same process), or "global". If "thread" is
@@ -232,13 +232,13 @@ type ActionSelector struct {
// then rate limiting applies per process; if "global" is selected then rate
// limiting applies regardless of which process or thread caused the action.
// Only valid with the post action and with a rateLimit specified.
- RateLimitScope string `json:"rateLimitScope"`
+ RateLimitScope string `json:"rateLimitScope,omitempty"`
// +kubebuilder:validation:Optional
// Enable kernel stack trace export. Only valid with the post action.
- KernelStackTrace bool `json:"kernelStackTrace"`
+ KernelStackTrace bool `json:"kernelStackTrace,omitempty"`
// +kubebuilder:validation:Optional
// Enable user stack trace export. Only valid with the post action.
- UserStackTrace bool `json:"userStackTrace"`
+ UserStackTrace bool `json:"userStackTrace,omitempty"`
}
type TracepointSpec struct {
diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go
index 2dc62a7bb93..314a30c2c50 100644
--- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go
+++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go
@@ -113,6 +113,29 @@ func (in *EnforcerSpec) DeepCopy() *EnforcerSpec {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExecutableSelector) DeepCopyInto(out *ExecutableSelector) {
+ *out = *in
+ if in.MatchPaths != nil {
+ in, out := &in.MatchPaths, &out.MatchPaths
+ *out = make([]MatchPathsSelector, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExecutableSelector.
+func (in *ExecutableSelector) DeepCopy() *ExecutableSelector {
+ if in == nil {
+ return nil
+ }
+ out := new(ExecutableSelector)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *KProbeArg) DeepCopyInto(out *KProbeArg) {
*out = *in
@@ -275,6 +298,27 @@ func (in *ListSpec) DeepCopy() *ListSpec {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *MatchPathsSelector) DeepCopyInto(out *MatchPathsSelector) {
+ *out = *in
+ if in.Values != nil {
+ in, out := &in.Values, &out.Values
+ *out = make([]string, len(*in))
+ copy(*out, *in)
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MatchPathsSelector.
+func (in *MatchPathsSelector) DeepCopy() *MatchPathsSelector {
+ if in == nil {
+ return nil
+ }
+ out := new(MatchPathsSelector)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *NamespaceChangesSelector) DeepCopyInto(out *NamespaceChangesSelector) {
*out = *in
@@ -470,6 +514,157 @@ func (in *PodInfoStatus) DeepCopy() *PodInfoStatus {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RuleExecutionConfig) DeepCopyInto(out *RuleExecutionConfig) {
+ *out = *in
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleExecutionConfig.
+func (in *RuleExecutionConfig) DeepCopy() *RuleExecutionConfig {
+ if in == nil {
+ return nil
+ }
+ out := new(RuleExecutionConfig)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RuntimeSecurityPolicy) DeepCopyInto(out *RuntimeSecurityPolicy) {
+ *out = *in
+ out.TypeMeta = in.TypeMeta
+ in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+ in.Spec.DeepCopyInto(&out.Spec)
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuntimeSecurityPolicy.
+func (in *RuntimeSecurityPolicy) DeepCopy() *RuntimeSecurityPolicy {
+ if in == nil {
+ return nil
+ }
+ out := new(RuntimeSecurityPolicy)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *RuntimeSecurityPolicy) DeepCopyObject() runtime.Object {
+ if c := in.DeepCopy(); c != nil {
+ return c
+ }
+ return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RuntimeSecurityPolicyList) DeepCopyInto(out *RuntimeSecurityPolicyList) {
+ *out = *in
+ out.TypeMeta = in.TypeMeta
+ in.ListMeta.DeepCopyInto(&out.ListMeta)
+ if in.Items != nil {
+ in, out := &in.Items, &out.Items
+ *out = make([]RuntimeSecurityPolicy, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuntimeSecurityPolicyList.
+func (in *RuntimeSecurityPolicyList) DeepCopy() *RuntimeSecurityPolicyList {
+ if in == nil {
+ return nil
+ }
+ out := new(RuntimeSecurityPolicyList)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *RuntimeSecurityPolicyList) DeepCopyObject() runtime.Object {
+ if c := in.DeepCopy(); c != nil {
+ return c
+ }
+ return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RuntimeSecurityPolicyRule) DeepCopyInto(out *RuntimeSecurityPolicyRule) {
+ *out = *in
+ if in.ExecutionConfig != nil {
+ in, out := &in.ExecutionConfig, &out.ExecutionConfig
+ *out = new(RuleExecutionConfig)
+ **out = **in
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuntimeSecurityPolicyRule.
+func (in *RuntimeSecurityPolicyRule) DeepCopy() *RuntimeSecurityPolicyRule {
+ if in == nil {
+ return nil
+ }
+ out := new(RuntimeSecurityPolicyRule)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RuntimeSecurityPolicySelector) DeepCopyInto(out *RuntimeSecurityPolicySelector) {
+ *out = *in
+ if in.PodSelector != nil {
+ in, out := &in.PodSelector, &out.PodSelector
+ *out = new(v1.LabelSelector)
+ (*in).DeepCopyInto(*out)
+ }
+ if in.ExecutableSelector != nil {
+ in, out := &in.ExecutableSelector, &out.ExecutableSelector
+ *out = new(ExecutableSelector)
+ (*in).DeepCopyInto(*out)
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuntimeSecurityPolicySelector.
+func (in *RuntimeSecurityPolicySelector) DeepCopy() *RuntimeSecurityPolicySelector {
+ if in == nil {
+ return nil
+ }
+ out := new(RuntimeSecurityPolicySelector)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RuntimeSecurityPolicySpec) DeepCopyInto(out *RuntimeSecurityPolicySpec) {
+ *out = *in
+ if in.Selectors != nil {
+ in, out := &in.Selectors, &out.Selectors
+ *out = new(RuntimeSecurityPolicySelector)
+ (*in).DeepCopyInto(*out)
+ }
+ if in.Rules != nil {
+ in, out := &in.Rules, &out.Rules
+ *out = make([]RuntimeSecurityPolicyRule, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuntimeSecurityPolicySpec.
+func (in *RuntimeSecurityPolicySpec) DeepCopy() *RuntimeSecurityPolicySpec {
+ if in == nil {
+ return nil
+ }
+ out := new(RuntimeSecurityPolicySpec)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TracepointSpec) DeepCopyInto(out *TracepointSpec) {
*out = *in
diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/client/clientset/versioned/typed/cilium.io/v1alpha1/cilium.io_client.go b/vendor/github.com/cilium/tetragon/pkg/k8s/client/clientset/versioned/typed/cilium.io/v1alpha1/cilium.io_client.go
index 8392d8b2b17..021c1063b3e 100644
--- a/vendor/github.com/cilium/tetragon/pkg/k8s/client/clientset/versioned/typed/cilium.io/v1alpha1/cilium.io_client.go
+++ b/vendor/github.com/cilium/tetragon/pkg/k8s/client/clientset/versioned/typed/cilium.io/v1alpha1/cilium.io_client.go
@@ -16,6 +16,7 @@ import (
type CiliumV1alpha1Interface interface {
RESTClient() rest.Interface
PodInfoGetter
+ RuntimeSecurityPoliciesGetter
TracingPoliciesGetter
TracingPoliciesNamespacedGetter
}
@@ -29,6 +30,10 @@ func (c *CiliumV1alpha1Client) PodInfo(namespace string) PodInfoInterface {
return newPodInfo(c, namespace)
}
+func (c *CiliumV1alpha1Client) RuntimeSecurityPolicies() RuntimeSecurityPolicyInterface {
+ return newRuntimeSecurityPolicies(c)
+}
+
func (c *CiliumV1alpha1Client) TracingPolicies() TracingPolicyInterface {
return newTracingPolicies(c)
}
diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/client/clientset/versioned/typed/cilium.io/v1alpha1/generated_expansion.go b/vendor/github.com/cilium/tetragon/pkg/k8s/client/clientset/versioned/typed/cilium.io/v1alpha1/generated_expansion.go
index 320ab473249..eb2224144f2 100644
--- a/vendor/github.com/cilium/tetragon/pkg/k8s/client/clientset/versioned/typed/cilium.io/v1alpha1/generated_expansion.go
+++ b/vendor/github.com/cilium/tetragon/pkg/k8s/client/clientset/versioned/typed/cilium.io/v1alpha1/generated_expansion.go
@@ -7,6 +7,8 @@ package v1alpha1
type PodInfoExpansion interface{}
+type RuntimeSecurityPolicyExpansion interface{}
+
type TracingPolicyExpansion interface{}
type TracingPolicyNamespacedExpansion interface{}
diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/client/clientset/versioned/typed/cilium.io/v1alpha1/runtimesecuritypolicy.go b/vendor/github.com/cilium/tetragon/pkg/k8s/client/clientset/versioned/typed/cilium.io/v1alpha1/runtimesecuritypolicy.go
new file mode 100644
index 00000000000..61f92e1eaf8
--- /dev/null
+++ b/vendor/github.com/cilium/tetragon/pkg/k8s/client/clientset/versioned/typed/cilium.io/v1alpha1/runtimesecuritypolicy.go
@@ -0,0 +1,155 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Tetragon
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+ "context"
+ "time"
+
+ v1alpha1 "github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1"
+ scheme "github.com/cilium/tetragon/pkg/k8s/client/clientset/versioned/scheme"
+ v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ types "k8s.io/apimachinery/pkg/types"
+ watch "k8s.io/apimachinery/pkg/watch"
+ rest "k8s.io/client-go/rest"
+)
+
+// RuntimeSecurityPoliciesGetter has a method to return a RuntimeSecurityPolicyInterface.
+// A group's client should implement this interface.
+type RuntimeSecurityPoliciesGetter interface {
+ RuntimeSecurityPolicies() RuntimeSecurityPolicyInterface
+}
+
+// RuntimeSecurityPolicyInterface has methods to work with RuntimeSecurityPolicy resources.
+type RuntimeSecurityPolicyInterface interface {
+ Create(ctx context.Context, runtimeSecurityPolicy *v1alpha1.RuntimeSecurityPolicy, opts v1.CreateOptions) (*v1alpha1.RuntimeSecurityPolicy, error)
+ Update(ctx context.Context, runtimeSecurityPolicy *v1alpha1.RuntimeSecurityPolicy, opts v1.UpdateOptions) (*v1alpha1.RuntimeSecurityPolicy, error)
+ Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
+ DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
+ Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.RuntimeSecurityPolicy, error)
+ List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.RuntimeSecurityPolicyList, error)
+ Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
+ Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.RuntimeSecurityPolicy, err error)
+ RuntimeSecurityPolicyExpansion
+}
+
+// runtimeSecurityPolicies implements RuntimeSecurityPolicyInterface
+type runtimeSecurityPolicies struct {
+ client rest.Interface
+}
+
+// newRuntimeSecurityPolicies returns a RuntimeSecurityPolicies
+func newRuntimeSecurityPolicies(c *CiliumV1alpha1Client) *runtimeSecurityPolicies {
+ return &runtimeSecurityPolicies{
+ client: c.RESTClient(),
+ }
+}
+
+// Get takes name of the runtimeSecurityPolicy, and returns the corresponding runtimeSecurityPolicy object, and an error if there is any.
+func (c *runtimeSecurityPolicies) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.RuntimeSecurityPolicy, err error) {
+ result = &v1alpha1.RuntimeSecurityPolicy{}
+ err = c.client.Get().
+ Resource("runtimesecuritypolicies").
+ Name(name).
+ VersionedParams(&options, scheme.ParameterCodec).
+ Do(ctx).
+ Into(result)
+ return
+}
+
+// List takes label and field selectors, and returns the list of RuntimeSecurityPolicies that match those selectors.
+func (c *runtimeSecurityPolicies) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.RuntimeSecurityPolicyList, err error) {
+ var timeout time.Duration
+ if opts.TimeoutSeconds != nil {
+ timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+ }
+ result = &v1alpha1.RuntimeSecurityPolicyList{}
+ err = c.client.Get().
+ Resource("runtimesecuritypolicies").
+ VersionedParams(&opts, scheme.ParameterCodec).
+ Timeout(timeout).
+ Do(ctx).
+ Into(result)
+ return
+}
+
+// Watch returns a watch.Interface that watches the requested runtimeSecurityPolicies.
+func (c *runtimeSecurityPolicies) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+ var timeout time.Duration
+ if opts.TimeoutSeconds != nil {
+ timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+ }
+ opts.Watch = true
+ return c.client.Get().
+ Resource("runtimesecuritypolicies").
+ VersionedParams(&opts, scheme.ParameterCodec).
+ Timeout(timeout).
+ Watch(ctx)
+}
+
+// Create takes the representation of a runtimeSecurityPolicy and creates it. Returns the server's representation of the runtimeSecurityPolicy, and an error, if there is any.
+func (c *runtimeSecurityPolicies) Create(ctx context.Context, runtimeSecurityPolicy *v1alpha1.RuntimeSecurityPolicy, opts v1.CreateOptions) (result *v1alpha1.RuntimeSecurityPolicy, err error) {
+ result = &v1alpha1.RuntimeSecurityPolicy{}
+ err = c.client.Post().
+ Resource("runtimesecuritypolicies").
+ VersionedParams(&opts, scheme.ParameterCodec).
+ Body(runtimeSecurityPolicy).
+ Do(ctx).
+ Into(result)
+ return
+}
+
+// Update takes the representation of a runtimeSecurityPolicy and updates it. Returns the server's representation of the runtimeSecurityPolicy, and an error, if there is any.
+func (c *runtimeSecurityPolicies) Update(ctx context.Context, runtimeSecurityPolicy *v1alpha1.RuntimeSecurityPolicy, opts v1.UpdateOptions) (result *v1alpha1.RuntimeSecurityPolicy, err error) {
+ result = &v1alpha1.RuntimeSecurityPolicy{}
+ err = c.client.Put().
+ Resource("runtimesecuritypolicies").
+ Name(runtimeSecurityPolicy.Name).
+ VersionedParams(&opts, scheme.ParameterCodec).
+ Body(runtimeSecurityPolicy).
+ Do(ctx).
+ Into(result)
+ return
+}
+
+// Delete takes name of the runtimeSecurityPolicy and deletes it. Returns an error if one occurs.
+func (c *runtimeSecurityPolicies) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+ return c.client.Delete().
+ Resource("runtimesecuritypolicies").
+ Name(name).
+ Body(&opts).
+ Do(ctx).
+ Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *runtimeSecurityPolicies) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+ var timeout time.Duration
+ if listOpts.TimeoutSeconds != nil {
+ timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
+ }
+ return c.client.Delete().
+ Resource("runtimesecuritypolicies").
+ VersionedParams(&listOpts, scheme.ParameterCodec).
+ Timeout(timeout).
+ Body(&opts).
+ Do(ctx).
+ Error()
+}
+
+// Patch applies the patch and returns the patched runtimeSecurityPolicy.
+func (c *runtimeSecurityPolicies) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.RuntimeSecurityPolicy, err error) {
+ result = &v1alpha1.RuntimeSecurityPolicy{}
+ err = c.client.Patch(pt).
+ Resource("runtimesecuritypolicies").
+ Name(name).
+ SubResource(subresources...).
+ VersionedParams(&opts, scheme.ParameterCodec).
+ Body(data).
+ Do(ctx).
+ Into(result)
+ return
+}
diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/client/informers/externalversions/cilium.io/v1alpha1/interface.go b/vendor/github.com/cilium/tetragon/pkg/k8s/client/informers/externalversions/cilium.io/v1alpha1/interface.go
index 7629d430363..529974d7f88 100644
--- a/vendor/github.com/cilium/tetragon/pkg/k8s/client/informers/externalversions/cilium.io/v1alpha1/interface.go
+++ b/vendor/github.com/cilium/tetragon/pkg/k8s/client/informers/externalversions/cilium.io/v1alpha1/interface.go
@@ -13,6 +13,8 @@ import (
type Interface interface {
// PodInfo returns a PodInfoInformer.
PodInfo() PodInfoInformer
+ // RuntimeSecurityPolicies returns a RuntimeSecurityPolicyInformer.
+ RuntimeSecurityPolicies() RuntimeSecurityPolicyInformer
// TracingPolicies returns a TracingPolicyInformer.
TracingPolicies() TracingPolicyInformer
// TracingPoliciesNamespaced returns a TracingPolicyNamespacedInformer.
@@ -35,6 +37,11 @@ func (v *version) PodInfo() PodInfoInformer {
return &podInfoInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
}
+// RuntimeSecurityPolicies returns a RuntimeSecurityPolicyInformer.
+func (v *version) RuntimeSecurityPolicies() RuntimeSecurityPolicyInformer {
+ return &runtimeSecurityPolicyInformer{factory: v.factory, tweakListOptions: v.tweakListOptions}
+}
+
// TracingPolicies returns a TracingPolicyInformer.
func (v *version) TracingPolicies() TracingPolicyInformer {
return &tracingPolicyInformer{factory: v.factory, tweakListOptions: v.tweakListOptions}
diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/client/informers/externalversions/cilium.io/v1alpha1/runtimesecuritypolicy.go b/vendor/github.com/cilium/tetragon/pkg/k8s/client/informers/externalversions/cilium.io/v1alpha1/runtimesecuritypolicy.go
new file mode 100644
index 00000000000..647a9316b07
--- /dev/null
+++ b/vendor/github.com/cilium/tetragon/pkg/k8s/client/informers/externalversions/cilium.io/v1alpha1/runtimesecuritypolicy.go
@@ -0,0 +1,76 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Tetragon
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+ "context"
+ time "time"
+
+ ciliumiov1alpha1 "github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1"
+ versioned "github.com/cilium/tetragon/pkg/k8s/client/clientset/versioned"
+ internalinterfaces "github.com/cilium/tetragon/pkg/k8s/client/informers/externalversions/internalinterfaces"
+ v1alpha1 "github.com/cilium/tetragon/pkg/k8s/client/listers/cilium.io/v1alpha1"
+ v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ runtime "k8s.io/apimachinery/pkg/runtime"
+ watch "k8s.io/apimachinery/pkg/watch"
+ cache "k8s.io/client-go/tools/cache"
+)
+
+// RuntimeSecurityPolicyInformer provides access to a shared informer and lister for
+// RuntimeSecurityPolicies.
+type RuntimeSecurityPolicyInformer interface {
+ Informer() cache.SharedIndexInformer
+ Lister() v1alpha1.RuntimeSecurityPolicyLister
+}
+
+type runtimeSecurityPolicyInformer struct {
+ factory internalinterfaces.SharedInformerFactory
+ tweakListOptions internalinterfaces.TweakListOptionsFunc
+}
+
+// NewRuntimeSecurityPolicyInformer constructs a new informer for RuntimeSecurityPolicy type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewRuntimeSecurityPolicyInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+ return NewFilteredRuntimeSecurityPolicyInformer(client, resyncPeriod, indexers, nil)
+}
+
+// NewFilteredRuntimeSecurityPolicyInformer constructs a new informer for RuntimeSecurityPolicy type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewFilteredRuntimeSecurityPolicyInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+ return cache.NewSharedIndexInformer(
+ &cache.ListWatch{
+ ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+ if tweakListOptions != nil {
+ tweakListOptions(&options)
+ }
+ return client.CiliumV1alpha1().RuntimeSecurityPolicies().List(context.TODO(), options)
+ },
+ WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
+ if tweakListOptions != nil {
+ tweakListOptions(&options)
+ }
+ return client.CiliumV1alpha1().RuntimeSecurityPolicies().Watch(context.TODO(), options)
+ },
+ },
+ &ciliumiov1alpha1.RuntimeSecurityPolicy{},
+ resyncPeriod,
+ indexers,
+ )
+}
+
+func (f *runtimeSecurityPolicyInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+ return NewFilteredRuntimeSecurityPolicyInformer(client, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+}
+
+func (f *runtimeSecurityPolicyInformer) Informer() cache.SharedIndexInformer {
+ return f.factory.InformerFor(&ciliumiov1alpha1.RuntimeSecurityPolicy{}, f.defaultInformer)
+}
+
+func (f *runtimeSecurityPolicyInformer) Lister() v1alpha1.RuntimeSecurityPolicyLister {
+ return v1alpha1.NewRuntimeSecurityPolicyLister(f.Informer().GetIndexer())
+}
diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/client/informers/externalversions/generic.go b/vendor/github.com/cilium/tetragon/pkg/k8s/client/informers/externalversions/generic.go
index 510dfec2e71..4c86005779f 100644
--- a/vendor/github.com/cilium/tetragon/pkg/k8s/client/informers/externalversions/generic.go
+++ b/vendor/github.com/cilium/tetragon/pkg/k8s/client/informers/externalversions/generic.go
@@ -42,6 +42,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
// Group=cilium.io, Version=v1alpha1
case v1alpha1.SchemeGroupVersion.WithResource("podinfo"):
return &genericInformer{resource: resource.GroupResource(), informer: f.Cilium().V1alpha1().PodInfo().Informer()}, nil
+ case v1alpha1.SchemeGroupVersion.WithResource("runtimesecuritypolicies"):
+ return &genericInformer{resource: resource.GroupResource(), informer: f.Cilium().V1alpha1().RuntimeSecurityPolicies().Informer()}, nil
case v1alpha1.SchemeGroupVersion.WithResource("tracingpolicies"):
return &genericInformer{resource: resource.GroupResource(), informer: f.Cilium().V1alpha1().TracingPolicies().Informer()}, nil
case v1alpha1.SchemeGroupVersion.WithResource("tracingpoliciesnamespaced"):
diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/client/listers/cilium.io/v1alpha1/expansion_generated.go b/vendor/github.com/cilium/tetragon/pkg/k8s/client/listers/cilium.io/v1alpha1/expansion_generated.go
index dc536f08a09..b8d1906f56a 100644
--- a/vendor/github.com/cilium/tetragon/pkg/k8s/client/listers/cilium.io/v1alpha1/expansion_generated.go
+++ b/vendor/github.com/cilium/tetragon/pkg/k8s/client/listers/cilium.io/v1alpha1/expansion_generated.go
@@ -13,6 +13,10 @@ type PodInfoListerExpansion interface{}
// PodInfoNamespaceLister.
type PodInfoNamespaceListerExpansion interface{}
+// RuntimeSecurityPolicyListerExpansion allows custom methods to be added to
+// RuntimeSecurityPolicyLister.
+type RuntimeSecurityPolicyListerExpansion interface{}
+
// TracingPolicyListerExpansion allows custom methods to be added to
// TracingPolicyLister.
type TracingPolicyListerExpansion interface{}
diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/client/listers/cilium.io/v1alpha1/runtimesecuritypolicy.go b/vendor/github.com/cilium/tetragon/pkg/k8s/client/listers/cilium.io/v1alpha1/runtimesecuritypolicy.go
new file mode 100644
index 00000000000..63aeb7e74f7
--- /dev/null
+++ b/vendor/github.com/cilium/tetragon/pkg/k8s/client/listers/cilium.io/v1alpha1/runtimesecuritypolicy.go
@@ -0,0 +1,55 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Tetragon
+
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+ v1alpha1 "github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1"
+ "k8s.io/apimachinery/pkg/api/errors"
+ "k8s.io/apimachinery/pkg/labels"
+ "k8s.io/client-go/tools/cache"
+)
+
+// RuntimeSecurityPolicyLister helps list RuntimeSecurityPolicies.
+// All objects returned here must be treated as read-only.
+type RuntimeSecurityPolicyLister interface {
+ // List lists all RuntimeSecurityPolicies in the indexer.
+ // Objects returned here must be treated as read-only.
+ List(selector labels.Selector) (ret []*v1alpha1.RuntimeSecurityPolicy, err error)
+ // Get retrieves the RuntimeSecurityPolicy from the index for a given name.
+ // Objects returned here must be treated as read-only.
+ Get(name string) (*v1alpha1.RuntimeSecurityPolicy, error)
+ RuntimeSecurityPolicyListerExpansion
+}
+
+// runtimeSecurityPolicyLister implements the RuntimeSecurityPolicyLister interface.
+type runtimeSecurityPolicyLister struct {
+ indexer cache.Indexer
+}
+
+// NewRuntimeSecurityPolicyLister returns a new RuntimeSecurityPolicyLister.
+func NewRuntimeSecurityPolicyLister(indexer cache.Indexer) RuntimeSecurityPolicyLister {
+ return &runtimeSecurityPolicyLister{indexer: indexer}
+}
+
+// List lists all RuntimeSecurityPolicies in the indexer.
+func (s *runtimeSecurityPolicyLister) List(selector labels.Selector) (ret []*v1alpha1.RuntimeSecurityPolicy, err error) {
+ err = cache.ListAll(s.indexer, selector, func(m interface{}) {
+ ret = append(ret, m.(*v1alpha1.RuntimeSecurityPolicy))
+ })
+ return ret, err
+}
+
+// Get retrieves the RuntimeSecurityPolicy from the index for a given name.
+func (s *runtimeSecurityPolicyLister) Get(name string) (*v1alpha1.RuntimeSecurityPolicy, error) {
+ obj, exists, err := s.indexer.GetByKey(name)
+ if err != nil {
+ return nil, err
+ }
+ if !exists {
+ return nil, errors.NewNotFound(v1alpha1.Resource("runtimesecuritypolicy"), name)
+ }
+ return obj.(*v1alpha1.RuntimeSecurityPolicy), nil
+}