filters: add container=started filter with eBPF support #5011
+206
−30
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add filtering for containers by started state (post-entrypoint execution). - Add ContStartedFilter to Policy and eBPF config - Check CONTAINER_STARTED_FLAG in eBPF filtering - Parse 'container=started' scope filter - Update tests (removed container=init, now only container=started) Note: container!=started not supported due to race conditions with early container event recognition.
github-actions
bot
added
area/ebpf
area/testing
area/UX
area/filtering
area/flags
labels
There was a problem hiding this comment.
Pull Request Overview
This PR adds support for filtering containers by their started state using a new container=started filter. The feature enables filtering for containers that have completed their initialization phase and begun executing their main entrypoint.
- Add ContStartedFilter to Policy struct with corresponding eBPF configuration
- Implement parsing logic for
container=startedscope filter syntax - Add eBPF filtering logic that checks the CONTAINER_STARTED_FLAG
- Update tests to cover the new container state filtering functionality
Reviewed Changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| pkg/policy/policy.go | Adds ContStartedFilter field to Policy struct and updates related methods |
| pkg/policy/ebpf.go | Adds eBPF configuration fields for container started filter |
| pkg/filters/scope_test.go | Adds comprehensive tests for container=started filtering logic |
| pkg/filters/scope.go | Implements parsing and filtering logic for container=started syntax |
| pkg/ebpf/c/types.h | Adds eBPF data structure fields for container started filter |
| pkg/ebpf/c/common/filtering.h | Implements eBPF filtering logic using CONTAINER_STARTED_FLAG |
| pkg/cmd/flags/policy.go | Adds command-line parsing support for container=started flag |
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #5011 +/- ##
=======================================
Coverage ? 29.89%
=======================================
Files ? 234
Lines ? 26213
Branches ? 0
=======================================
Hits ? 7836
Misses ? 17839
Partials ? 538
🚀 New features to boost your workflow:
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add filtering for containers by started state (post-entrypoint execution).
Note: container!=started not supported due to race conditions with early container event recognition.