chore(WorkloadFilter): Setup CWS and CPSM Filters (#44258)

### What does this PR do?

Initializes container runtime security and container compliance filters within the WorkloadFilter component

### Motivation

Centralize workload filtering definitions across the Agent

### Describe how you validated your changes

Unit Tests

### Additional Notes

N/A

Co-authored-by: gabe.dossantos <[email protected]>

Author: gabedos

comp/core/workloadfilter/baseimpl/base.go

@@ -95,6 +95,8 @@ func NewBaseFilterStore(cfg config.Component, logger logcomp.Component, telemetr
 	baseFilter.RegisterFactory(workloadfilter.ContainerLegacyACExclude, legacyACExcludePrgFactory)
 	baseFilter.RegisterFactory(workloadfilter.ContainerLegacyGlobal, legacyGlobalPrgFactory)
 	baseFilter.RegisterFactory(workloadfilter.ContainerLegacySBOM, catalog.LegacyContainerSBOMProgram)
+	baseFilter.RegisterFactory(workloadfilter.ContainerLegacyRuntimeSecurity, catalog.ContainerLegacyRuntimeSecurityProgram)
+	baseFilter.RegisterFactory(workloadfilter.ContainerLegacyCompliance, catalog.ContainerLegacyComplianceProgram)
 
 	baseFilter.RegisterFactory(workloadfilter.ContainerADAnnotations, genericADProgramFactory)
 	baseFilter.RegisterFactory(workloadfilter.ContainerADAnnotationsMetrics, genericADMetricsProgramFactory)
@@ -177,22 +179,32 @@ func (f *BaseFilterStore) GetEndpointAutodiscoveryFilters(filterScope workloadfi
 
 // GetContainerSharedMetricFilters returns the pre-computed container shared metric filters
 func (f *BaseFilterStore) GetContainerSharedMetricFilters() workloadfilter.FilterBundle {
-	return f.GetContainerFilters(f.selection.GetContainerSharedMetricFilters())
+	return f.GetContainerFilters(f.selection.containerSharedMetric)
 }
 
 // GetContainerPausedFilters returns the pre-computed container paused filters
 func (f *BaseFilterStore) GetContainerPausedFilters() workloadfilter.FilterBundle {
-	return f.GetContainerFilters(f.selection.GetContainerPausedFilters())
+	return f.GetContainerFilters(f.selection.containerPaused)
 }
 
 // GetPodSharedMetricFilters returns the pre-computed pod shared metric filters
 func (f *BaseFilterStore) GetPodSharedMetricFilters() workloadfilter.FilterBundle {
-	return f.GetPodFilters(f.selection.GetPodSharedMetricFilters())
+	return f.GetPodFilters(f.selection.podSharedMetric)
 }
 
 // GetContainerSBOMFilters returns the pre-computed container SBOM filters
 func (f *BaseFilterStore) GetContainerSBOMFilters() workloadfilter.FilterBundle {
-	return f.GetContainerFilters(f.selection.GetContainerSBOMFilters())
+	return f.GetContainerFilters(f.selection.containerSBOM)
+}
+
+// GetContainerRuntimeSecurityFilters returns the pre-computed container runtime security filters
+func (f *BaseFilterStore) GetContainerRuntimeSecurityFilters() workloadfilter.FilterBundle {
+	return f.GetContainerFilters(f.selection.containerRuntimeSecurity)
+}
+
+// GetContainerComplianceFilters returns the pre-computed container compliance filters
+func (f *BaseFilterStore) GetContainerComplianceFilters() workloadfilter.FilterBundle {
+	return f.GetContainerFilters(f.selection.containerCompliance)
 }
 
 // GetContainerFilters returns the filter bundle for the given container filters

comp/core/workloadfilter/baseimpl/filter_utils.go

@@ -9,6 +9,7 @@ package baseimpl
 import (
 	"github.com/DataDog/datadog-agent/comp/core/config"
 	workloadfilter "github.com/DataDog/datadog-agent/comp/core/workloadfilter/def"
+	pkgconfigsetup "github.com/DataDog/datadog-agent/pkg/config/setup" //nolint:pkgconfigusage
 )
 
 // filterSelection stores pre-computed filter lists to avoid recalculating them on every call
@@ -21,6 +22,8 @@ type filterSelection struct {
 	containerSharedMetric         [][]workloadfilter.ContainerFilter
 	containerPaused               [][]workloadfilter.ContainerFilter
 	containerSBOM                 [][]workloadfilter.ContainerFilter
+	containerCompliance           [][]workloadfilter.ContainerFilter
+	containerRuntimeSecurity      [][]workloadfilter.ContainerFilter
 
 	// Pod filters
 	podSharedMetric [][]workloadfilter.PodFilter
@@ -50,6 +53,9 @@ func (pf *filterSelection) initializeSelections(cfg config.Component) {
 	pf.containerAutodiscoveryLogs = pf.computeContainerAutodiscoveryFilters(cfg, workloadfilter.LogsFilter)
 	pf.containerSharedMetric = pf.computeContainerSharedMetricFilters(cfg)
 
+	pf.containerCompliance = pf.computeContainerComplianceFilters(cfg)
+	pf.containerRuntimeSecurity = pf.computeContainerRuntimeSecurityFilters(pkgconfigsetup.SystemProbe())
+
 	// Initialize container paused and SBOM filters
 	pf.containerPaused = pf.computeContainerPausedFilters(cfg)
 	pf.containerSBOM = pf.computeContainerSBOMFilters(cfg)
@@ -80,26 +86,6 @@ func (pf *filterSelection) GetContainerAutodiscoveryFilters(filterScope workload
 	}
 }
 
-// GetContainerSharedMetricFilters returns pre-computed container shared metric filters
-func (pf *filterSelection) GetContainerSharedMetricFilters() [][]workloadfilter.ContainerFilter {
-	return pf.containerSharedMetric
-}
-
-// GetContainerPausedFilters returns pre-computed container paused filters
-func (pf *filterSelection) GetContainerPausedFilters() [][]workloadfilter.ContainerFilter {
-	return pf.containerPaused
-}
-
-// GetContainerSBOMFilters returns pre-computed container SBOM filters
-func (pf *filterSelection) GetContainerSBOMFilters() [][]workloadfilter.ContainerFilter {
-	return pf.containerSBOM
-}
-
-// GetPodSharedMetricFilters returns pre-computed pod shared metric filters
-func (pf *filterSelection) GetPodSharedMetricFilters() [][]workloadfilter.PodFilter {
-	return pf.podSharedMetric
-}
-
 // GetServiceAutodiscoveryFilters returns pre-computed service autodiscovery filters
 func (pf *filterSelection) GetServiceAutodiscoveryFilters(filterScope workloadfilter.Scope) [][]workloadfilter.ServiceFilter {
 	switch filterScope {
@@ -246,3 +232,21 @@ func (pf *filterSelection) computeEndpointAutodiscoveryFilters(_ config.Componen
 
 	return flist
 }
+
+// computeContainerComplianceFilters computes container compliance filters
+func (pf *filterSelection) computeContainerComplianceFilters(cfg config.Component) [][]workloadfilter.ContainerFilter {
+	flist := []workloadfilter.ContainerFilter{workloadfilter.ContainerLegacyCompliance}
+	if cfg.GetBool("compliance_config.exclude_pause_containers") {
+		flist = append(flist, workloadfilter.ContainerPaused)
+	}
+	return [][]workloadfilter.ContainerFilter{flist}
+}
+
+// computeContainerRuntimeSecurityFilters computes container runtime security filters
+func (pf *filterSelection) computeContainerRuntimeSecurityFilters(cfg config.Component) [][]workloadfilter.ContainerFilter {
+	flist := []workloadfilter.ContainerFilter{workloadfilter.ContainerLegacyRuntimeSecurity}
+	if cfg.GetBool("runtime_security_config.exclude_pause_containers") {
+		flist = append(flist, workloadfilter.ContainerPaused)
+	}
+	return [][]workloadfilter.ContainerFilter{flist}
+}

comp/core/workloadfilter/catalog/container.go

@@ -41,3 +41,13 @@ func ContainerCELGlobalProgram(filterConfig *FilterConfig, logger log.Component)
 	rule := filterConfig.GetCELRulesForProduct(workloadfilter.ProductGlobal, workloadfilter.ContainerType)
 	return createCELExcludeProgram(string(workloadfilter.ContainerCELGlobal), rule, workloadfilter.ContainerType, logger)
 }
+
+// ContainerLegacyRuntimeSecurityProgram creates a program for filtering containers for runtime security
+func ContainerLegacyRuntimeSecurityProgram(filterConfig *FilterConfig, logger log.Component) program.FilterProgram {
+	return createLegacyContainerProgram(string(workloadfilter.ContainerLegacyRuntimeSecurity), filterConfig.ContainerRuntimeSecurityInclude, filterConfig.ContainerRuntimeSecurityExclude, logger)
+}
+
+// ContainerLegacyComplianceProgram creates a program for filtering containers for compliance
+func ContainerLegacyComplianceProgram(filterConfig *FilterConfig, logger log.Component) program.FilterProgram {
+	return createLegacyContainerProgram(string(workloadfilter.ContainerLegacyCompliance), filterConfig.ContainerComplianceInclude, filterConfig.ContainerComplianceExclude, logger)
+}

comp/core/workloadfilter/catalog/filter_config.go

@@ -18,6 +18,7 @@ import (
 	"github.com/DataDog/datadog-agent/comp/core/config"
 	workloadfilter "github.com/DataDog/datadog-agent/comp/core/workloadfilter/def"
 	"github.com/DataDog/datadog-agent/comp/core/workloadfilter/impl/parse"
+	pkgconfigsetup "github.com/DataDog/datadog-agent/pkg/config/setup" //nolint:pkgconfigusage
 	"github.com/DataDog/datadog-agent/pkg/config/structure"
 	"github.com/DataDog/datadog-agent/pkg/util/log"
 )
@@ -32,6 +33,11 @@ type FilterConfig struct {
 	ContainerIncludeLogs    []string `json:"container_include_logs"`
 	ContainerExcludeLogs    []string `json:"container_exclude_logs"`
 
+	ContainerRuntimeSecurityInclude []string
+	ContainerRuntimeSecurityExclude []string
+	ContainerComplianceInclude      []string
+	ContainerComplianceExclude      []string
+
 	// Legacy AC filters
 	ACInclude []string `json:"ac_include"`
 	ACExclude []string `json:"ac_exclude"`
@@ -68,6 +74,8 @@ func NewFilterConfig(cfg config.Component) (*FilterConfig, error) {
 		processBlacklistPatterns = cfg.GetStringSlice("process_config.blacklist_patterns")
 	}
 
+	systemProbeCfg := pkgconfigsetup.SystemProbe()
+
 	return &FilterConfig{
 		// Legacy container filters
 		ContainerInclude:        cfg.GetStringSlice("container_include"),
@@ -77,6 +85,12 @@ func NewFilterConfig(cfg config.Component) (*FilterConfig, error) {
 		ContainerIncludeLogs:    cfg.GetStringSlice("container_include_logs"),
 		ContainerExcludeLogs:    cfg.GetStringSlice("container_exclude_logs"),
 
+		ContainerComplianceInclude: cfg.GetStringSlice("compliance_config.container_include"),
+		ContainerComplianceExclude: cfg.GetStringSlice("compliance_config.container_exclude"),
+
+		ContainerRuntimeSecurityInclude: systemProbeCfg.GetStringSlice("runtime_security_config.container_include"),
+		ContainerRuntimeSecurityExclude: systemProbeCfg.GetStringSlice("runtime_security_config.container_exclude"),
+
 		// Legacy AC filters
 		ACInclude: cfg.GetStringSlice("ac_include"),
 		ACExclude: cfg.GetStringSlice("ac_exclude"),

comp/core/workloadfilter/def/component.go

@@ -32,15 +32,19 @@ type Component interface {
 	// GetEndpointAutodiscoveryFilters retrieves the endpoint AD FilterBundle
 	GetEndpointAutodiscoveryFilters(filterScope Scope) FilterBundle
 
-	// GetContainerSharedMetricFilters retrieves the container shared metric FilterBundle
-	GetContainerSharedMetricFilters() FilterBundle
 	// GetContainerPausedFilters retrieves the container paused FilterBundle
 	GetContainerPausedFilters() FilterBundle
+	// GetContainerSharedMetricFilters retrieves the container shared metric FilterBundle
+	GetContainerSharedMetricFilters() FilterBundle
 	// GetPodSharedMetricFilters retrieves the pod shared metric FilterBundle
 	GetPodSharedMetricFilters() FilterBundle
 
 	// GetContainerSBOMFilters retrieves the container SBOM FilterBundle
 	GetContainerSBOMFilters() FilterBundle
+	// GetContainerRuntimeSecurityFilters retrieves the container RuntimeSecurity FilterBundle
+	GetContainerRuntimeSecurityFilters() FilterBundle
+	// GetContainerComplianceFilters retrieves the container Compliance FilterBundle
+	GetContainerComplianceFilters() FilterBundle
 
 	// String returns a string representation of the workloadfilter configuration
 	// If useColor is true, the output will include ANSI color codes.

comp/core/workloadfilter/def/types.go

@@ -276,16 +276,18 @@ func (f ContainerFilter) GetFilterName() string {
 
 // Defined Container filter kinds
 const (
-	ContainerLegacyMetrics        ContainerFilter = "container-legacy-metrics"
-	ContainerLegacyLogs           ContainerFilter = "container-legacy-logs"
-	ContainerLegacyGlobal         ContainerFilter = "container-legacy-global"
-	ContainerLegacyACInclude      ContainerFilter = "container-legacy-ac-include"
-	ContainerLegacyACExclude      ContainerFilter = "container-legacy-ac-exclude"
-	ContainerLegacySBOM           ContainerFilter = "container-legacy-sbom"
-	ContainerADAnnotationsMetrics ContainerFilter = "container-ad-annotations-metrics"
-	ContainerADAnnotationsLogs    ContainerFilter = "container-ad-annotations-logs"
-	ContainerADAnnotations        ContainerFilter = "container-ad-annotations"
-	ContainerPaused               ContainerFilter = "container-paused"
+	ContainerLegacyMetrics         ContainerFilter = "container-legacy-metrics"
+	ContainerLegacyLogs            ContainerFilter = "container-legacy-logs"
+	ContainerLegacyGlobal          ContainerFilter = "container-legacy-global"
+	ContainerLegacyACInclude       ContainerFilter = "container-legacy-ac-include"
+	ContainerLegacyACExclude       ContainerFilter = "container-legacy-ac-exclude"
+	ContainerLegacySBOM            ContainerFilter = "container-legacy-sbom"
+	ContainerLegacyRuntimeSecurity ContainerFilter = "container-legacy-runtime-security"
+	ContainerLegacyCompliance      ContainerFilter = "container-legacy-compliance"
+	ContainerADAnnotationsMetrics  ContainerFilter = "container-ad-annotations-metrics"
+	ContainerADAnnotationsLogs     ContainerFilter = "container-ad-annotations-logs"
+	ContainerADAnnotations         ContainerFilter = "container-ad-annotations"
+	ContainerPaused                ContainerFilter = "container-paused"
 	// CEL-based filters
 	ContainerCELMetrics ContainerFilter = "container-cel-metrics"
 	ContainerCELLogs    ContainerFilter = "container-cel-logs"

comp/core/workloadfilter/impl/filter_test.go

@@ -1337,3 +1337,45 @@ cel_workload_exclude:
 		assert.Equal(t, workloadfilter.Excluded, filterBundle.GetResult(process))
 	})
 }
+
+func TestContainerRuntimeSecurityAndComplianceFilters(t *testing.T) {
+	mockConfig := configmock.New(t)
+	mockSystemProbe := configmock.NewSystemProbe(t)
+
+	// Setup Compliance Config
+	mockConfig.SetWithoutSource("compliance_config.container_include", []string{"image:compliance-agent"})
+	mockConfig.SetWithoutSource("compliance_config.container_exclude", []string{"image:malicious"})
+
+	// Setup Runtime Security Config
+	mockSystemProbe.SetWithoutSource("runtime_security_config.container_include", []string{"image:security-agent"})
+	mockSystemProbe.SetWithoutSource("runtime_security_config.container_exclude", []string{"image:suspicious"})
+
+	filterStore := newFilterStoreObject(t, mockConfig)
+
+	// Test Compliance Filter
+	t.Run("Compliance Filter", func(t *testing.T) {
+		includedContainer := workloadfilter.CreateContainerImage("compliance-agent")
+		excludedContainer := workloadfilter.CreateContainerImage("malicious")
+		unknownContainer := workloadfilter.CreateContainerImage("security-agent")
+
+		filterBundle := filterStore.GetContainerComplianceFilters()
+
+		assert.Equal(t, workloadfilter.Included, filterBundle.GetResult(includedContainer))
+		assert.Equal(t, workloadfilter.Excluded, filterBundle.GetResult(excludedContainer))
+		assert.Equal(t, workloadfilter.Unknown, filterBundle.GetResult(unknownContainer))
+	})
+
+	// Test Runtime Security Filter
+	t.Run("Runtime Security Filter", func(t *testing.T) {
+		includedContainer := workloadfilter.CreateContainerImage("security-agent")
+		excludedContainer := workloadfilter.CreateContainerImage("suspicious")
+		unknownContainer := workloadfilter.CreateContainerImage("malicious")
+
+		filterBundle := filterStore.GetContainerRuntimeSecurityFilters()
+
+		assert.Equal(t, workloadfilter.Included, filterBundle.GetResult(includedContainer))
+		assert.Equal(t, workloadfilter.Excluded, filterBundle.GetResult(excludedContainer))
+		assert.Equal(t, workloadfilter.Unknown, filterBundle.GetResult(unknownContainer))
+	})
+
+}