rancher-sandbox
diff --git a/‎charts/runtime-enforcer/questions.yaml‎
Lines changed: 3 additions & 17 deletions b/‎charts/runtime-enforcer/questions.yaml‎
Lines changed: 3 additions & 17 deletions
diff --git a/‎charts/runtime-enforcer/templates/agent/daemonset.yaml‎
Lines changed: 1 addition & 6 deletions b/‎charts/runtime-enforcer/templates/agent/daemonset.yaml‎
Lines changed: 1 addition & 6 deletions
diff --git a/‎charts/runtime-enforcer/tests/daemonset_test.yaml‎
Lines changed: 22 additions & 7 deletions b/‎charts/runtime-enforcer/tests/daemonset_test.yaml‎
Lines changed: 22 additions & 7 deletions
diff --git a/‎charts/runtime-enforcer/values.schema.json‎
Lines changed: 17 additions & 6 deletions b/‎charts/runtime-enforcer/values.schema.json‎
Lines changed: 17 additions & 6 deletions
diff --git a/‎charts/runtime-enforcer/values.yaml‎
Lines changed: 8 additions & 14 deletions b/‎charts/runtime-enforcer/values.yaml‎
Lines changed: 8 additions & 14 deletions
diff --git a/‎cmd/agent/main.go‎
Lines changed: 31 additions & 25 deletions b/‎cmd/agent/main.go‎
Lines changed: 31 additions & 25 deletions
diff --git a/‎docs/learning_mode_configuration.adoc‎
Lines changed: 7 additions & 8 deletions b/‎docs/learning_mode_configuration.adoc‎
Lines changed: 7 additions & 8 deletions
diff --git a/‎docs/phases.adoc‎
Lines changed: 1 addition & 1 deletion b/‎docs/phases.adoc‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎internal/eventhandler/learning_controller.go‎
Lines changed: 10 additions & 14 deletions b/‎internal/eventhandler/learning_controller.go‎
Lines changed: 10 additions & 14 deletions
@@ -43,23 +43,10 @@ questions:
   ###############################################################################
   # Learning
   ###############################################################################
-  - variable: learning.enabled
-    type: boolean
-    default: true
-    label: Enable Cluster-wide Learning Mode
-    description: |
-      Enable cluster-wide learning mode. If disabled, no process learning occurs.
-      Process enforcer remains unaffected.
-    group: Learning
 
-  - variable: learning.namespaceSelector
-    type: string
-    default: ""
-    label: Namespace Selector
-    description: |
-      Label selector for namespaces to include in learning (empty = all).
-    group: Learning
-    show_if: learning.enabled=true
+  # learning.namespaceSelector is a complex object (Kubernetes LabelSelector) that
+  # cannot be represented as a simple Rancher UI field. Configure it directly in
+  # values.yaml. Set it to {} to disable learning for all namespaces.
 
   ###############################################################################
   # Telemetry
@@ -106,4 +93,3 @@ questions:
       The secret should contain the keys `tls.crt` and `tls.key`.
     group: Telemetry
     show_if: telemetry.collectorStrategy=external
-
@@ -35,13 +35,8 @@ spec:
       {{- end }}
       containers:
       - args:
-        {{- if .Values.learning.enabled }}
-        - --enable-learning
-        {{- end }}
         {{- if .Values.learning.namespaceSelector }}
-        - --learning-namespace-selector={{ .Values.learning.namespaceSelector }}
-        {{- else if .Values.learning.namespaceSelectorObject }}
-        - --learning-namespace-selector={{ .Values.learning.namespaceSelectorObject | toJson }}
+        - --learning-namespace-selector={{ .Values.learning.namespaceSelector | toJson }}
         {{- end }}
         - --grpc-port={{ .Values.agent.grpcExporterPort }}
         - --grpc-mtls-cert-dir={{ include "runtime-enforcer.grpc.certDir" . }}
 
@@ -21,23 +21,38 @@ tests:
           path: "spec.template.spec.priorityClassName"
           value: "runtime-enforcer-priorityclass"
 
-  - it: "should include --enable-learning flag when learning is enabled"
+  - it: "should not include learning flag when there is no selector"
     set:
       learning:
-        enabled: true
+        # this `null` overwrites the default in our values.yaml while with {}
+        # we will have a merge
+        namespaceSelector: null
+    asserts:
+      - notContains:
+          path: "spec.template.spec.containers[0].args"
+          content: '--learning-namespace-selector={"matchExpressions":[{"key":"kubernetes.io/metadata.name","operator":"Exists"}]}'
+
+  - it: "should include default selector"
+    set:
+      learning:
+        # with {} we have a merge with the default in our values.yaml
+        namespaceSelector: {}
     asserts:
       - contains:
           path: "spec.template.spec.containers[0].args"
-          content: "--enable-learning"
+          content: '--learning-namespace-selector={"matchExpressions":[{"key":"kubernetes.io/metadata.name","operator":"Exists"}]}'
 
-  - it: "should not include --enable-learning flag when learning is disabled"
+  - it: "should render a custom learning namespace selector"
     set:
       learning:
-        enabled: false
+        namespaceSelector:
+          matchExpressions: null
+          matchLabels:
+            env: prod
     asserts:
-      - notContains:
+      - contains:
           path: "spec.template.spec.containers[0].args"
-          content: "--enable-learning"
+          content: '--learning-namespace-selector={"matchLabels":{"env":"prod"}}'
 
   - it: "should include grpc port argument"
     set:
 
@@ -412,14 +412,25 @@
         "learning": {
             "type": "object",
             "properties": {
-                "enabled": {
-                    "type": "boolean"
-                },
                 "namespaceSelector": {
-                    "type": "string"
-                },
-                "namespaceSelectorObject": {
                     "type": "object",
+                    "properties": {
+                        "matchExpressions": {
+                            "type": "array",
+                            "items": {
+                                "type": "object",
+                                "properties": {
+                                    "key": {
+                                        "type": "string"
+                                    },
+                                    "operator": {
+                                        "type": "string"
+                                    }
+                                },
+                                "additionalProperties": false
+                            }
+                        }
+                    },
                     "additionalProperties": true
                 }
             },
 
@@ -161,20 +161,14 @@ debugger:
 
 # Learning mode configuration
 learning:
-  # learning.enabled controls whether learning mode is enabled for the entire cluster.
-  # When disabled, no process learning occurs. Process enforcer remains unaffected.
-  enabled: true
-  # Label selector for namespaces to include in learning.
-  #   namespaceSelector: ""         # learn from all namespaces
-  #   namespaceSelector: "env=prod" # namespaces with label env=prod
-  namespaceSelector: ""
-  # Label selector for namespaces to include in learning.
-  #   namespaceSelectorObject: {}   # learn from all namespaces
-  #   namespaceSelectorObject:      # namespaces with label env=prod
-  #     matchLabels:
-  #       env: prod
-  # @schema additionalProperties:true
-  namespaceSelectorObject: {}
+  # The default value enables learning inside all namespaces of the cluster.
+  # Override namespaceSelector to limit the learning scope.
+  # Set namespaceSelector to {} to disable learning for all namespaces.
+  # @schema additionalProperties:true
+  namespaceSelector:
+    matchExpressions:
+      - key: kubernetes.io/metadata.name
+        operator: Exists
 
 telemetry:
   collectorStrategy: "default" # @schema enum: [none, default, external]
 
@@ -40,7 +40,6 @@ import (
 )
 
 type Config struct {
-	enableLearning            bool
 	learningNamespaceSelector string
 	nriSocketPath             string
 	nriPluginIdx              string
@@ -56,6 +55,10 @@ type Config struct {
 	violationLogger           otellog.Logger
 }
 
+func (c Config) learningEnabled() bool {
+	return strings.TrimSpace(c.learningNamespaceSelector) != ""
+}
+
 func newControllerManager(config Config) (manager.Manager, error) {
 	scheme := runtime.NewScheme()
 	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
@@ -165,31 +168,27 @@ func setupLearningReconciler(
 	config Config,
 	ctrlMgr manager.Manager,
 ) (func(eventscraper.KubeProcessInfo), error) {
-	if !config.enableLearning {
+	if !config.learningEnabled() {
 		logger.InfoContext(ctx, "learning mode is disabled")
 		return func(_ eventscraper.KubeProcessInfo) {
 			panic("enqueue function should be never called when learning is disabled")
 		}, nil
 	}
 
 	var nsSelector labels.Selector
-	// If the learning namespace selector is empty, the learning will apply to all namespaces.
-	// Otherwise, we parse the learning namespace selector.
-	if config.learningNamespaceSelector != "" {
-		selector, err := parseLearningNamespaceSelector(config.learningNamespaceSelector)
-		if err != nil {
-			return nil, fmt.Errorf("invalid learning-namespace-selector %q: %w", config.learningNamespaceSelector, err)
-		}
-		nsSelector = selector
+	selector, err := parseLearningNamespaceSelector(config.learningNamespaceSelector)
+	if err != nil {
+		return nil, fmt.Errorf("invalid learning-namespace-selector %q: %w", config.learningNamespaceSelector, err)
 	}
+	nsSelector = selector
 
 	// Wait until mutating admission webhook is ready.
-	if err := waitForMutatingAdmissionWebhook(ctx); err != nil {
+	if err = waitForMutatingAdmissionWebhook(ctx); err != nil {
 		return nil, err
 	}
 
 	learningReconciler := eventhandler.NewLearningReconciler(ctrlMgr.GetClient(), nsSelector)
-	if err := learningReconciler.SetupWithManager(ctrlMgr); err != nil {
+	if err = learningReconciler.SetupWithManager(ctrlMgr); err != nil {
 		return nil, fmt.Errorf("unable to create learning reconciler: %w", err)
 	}
 	logger.InfoContext(ctx, "learning mode is enabled", "namespaceSelector", config.learningNamespaceSelector)
@@ -210,7 +209,7 @@ func startAgent(ctx context.Context, logger *slog.Logger, config Config) error {
 	//////////////////////
 	// Create BPF manager
 	//////////////////////
-	bpfManager, err := bpf.NewManager(logger, config.enableLearning)
+	bpfManager, err := bpf.NewManager(logger, config.learningEnabled())
 	if err != nil {
 		return fmt.Errorf("cannot create BPF manager: %w", err)
 	}
@@ -320,29 +319,36 @@ func parseLogLevel(level string) slog.Level {
 	}
 }
 
-// parseLearningNamespaceSelector parses the learning namespace selector from either:
-// - A JSON object (e.g. {"matchLabels":{"env":"prod"}}.
-// - A string in Kubernetes label selector format (e.g. "env=prod").
+// parseLearningNamespaceSelector parses the learning namespace selector from a JSON object (e.g. {"matchLabels":{"env":"prod"}}).
 func parseLearningNamespaceSelector(s string) (labels.Selector, error) {
 	s = strings.TrimSpace(s)
-	if strings.HasPrefix(s, "{") {
-		var ls metav1.LabelSelector
-		if err := json.Unmarshal([]byte(s), &ls); err != nil {
-			return nil, fmt.Errorf("invalid JSON label selector %q: %w", s, err)
-		}
-		return metav1.LabelSelectorAsSelector(&ls)
+	if !strings.HasPrefix(s, "{") {
+		return nil, fmt.Errorf("invalid JSON label selector %q: must be a JSON object", s)
+	}
+
+	var ls metav1.LabelSelector
+	if err := json.Unmarshal([]byte(s), &ls); err != nil {
+		return nil, fmt.Errorf("invalid JSON label selector %q: %w", s, err)
+	}
+	selector, err := metav1.LabelSelectorAsSelector(&ls)
+	if err != nil {
+		return nil, err
+	}
+
+	if selector.Empty() {
+		return nil, fmt.Errorf("invalid JSON label selector %q: must not be empty if learning is enabled", s)
 	}
-	return labels.Parse(s)
+	return selector, nil
 }
 
 func parseFlags() Config {
 	var config Config
-	flag.BoolVar(&config.enableLearning, "enable-learning", false, "Enable learning mode")
+	// If we receive something different from "", it should be a valid json
 	flag.StringVar(
 		&config.learningNamespaceSelector,
 		"learning-namespace-selector",
 		"",
-		"Label selector for namespaces to include in learning (empty = all)",
+		"Namespace selector for learning. Accepts a JSON LabelSelector",
 	)
 	flag.StringVar(&config.nriSocketPath, "nri-socket-path", "/var/run/nri/nri.sock", "NRI socket path")
 	flag.StringVar(&config.nriPluginIdx, "nri-plugin-index", "00", "NRI plugin index")
 
@@ -9,8 +9,10 @@ By default, Runtime-Enforcer starts in *learning* mode for **all namespaces**:
 
 ```yaml
 learning:
-  enabled: true
-  namespaceSelector: ""
+  namespaceSelector:
+    matchExpressions:
+      - key: kubernetes.io/metadata.name
+        operator: Exists
 ```
 
 You can adjust this behaviour at install/upgrade time:
@@ -20,16 +22,13 @@ You can adjust this behaviour at install/upgrade time:
 ```bash
 helm upgrade --install runtime-enforcer runtime-enforcer/runtime-enforcer \
   --namespace runtime-enforcer \
-  --set learning.enabled=false
+  --set-json 'learning.namespaceSelector={}'
 ```
 
-- Restrict learning to specific namespaces using a label selector:
+- Restrict learning to specific namespaces using a namespaceSelector:
 +
 ```bash
 helm upgrade --install runtime-enforcer runtime-enforcer/runtime-enforcer \
   --namespace runtime-enforcer \
-  --set learning.namespaceSelector="env=prod"
+  --set-json 'learning.namespaceSelector={"matchLabels":{"env":"prod"}}'
 ```
-
-When `learning.enabled=true`, Runtime-Enforcer will create or update `WorkloadPolicyProposal`
-objects only for workloads in namespaces matching `learning.namespaceSelector`.
@@ -23,7 +23,7 @@ Operationally, if you want complete proposals, enable learning first and then *(
 === How to enter and leave the `Learn` phase
 
 * *Enter*
-** Ensure learning is enabled on inside of the helm chart values: `values.learning.enabled: true`
+** Ensure learning is enabled on some namespaces: `values.learning.namespaceSelector`
 ** No per-workload configuration is required to start generating proposals (proposals are created as exec events are observed).
 * *Leave*
 ** Mark the corresponding proposal as ready by setting the label: `security.rancher.io/policy-ready=true`
 
@@ -248,22 +248,18 @@ func (r *LearningReconciler) reconcile(
 		return ctrl.Result{}, nil
 	}
 
-	if r.namespaceSelector != nil {
-		var ns corev1.Namespace
-		if err = r.Client.Get(ctx, types.NamespacedName{Name: req.Namespace}, &ns); err != nil {
-			if apierrors.IsNotFound(err) {
-				logger.V(loglevel.VerbosityDebug).Info(
-					"Namespace not found while evaluating learning namespace selector",
-				)
-				return ctrl.Result{}, nil
-			}
-			return ctrl.Result{}, fmt.Errorf("failed to get namespace %s: %w", req.Namespace, err)
-		}
-		if !r.namespaceSelector.Matches(labels.Set(ns.GetLabels())) {
-			logger.V(loglevel.VerbosityDebug).
-				Info("Namespace does not match learning namespace selector; skipping event", "namespace", req.Namespace)
+	var ns corev1.Namespace
+	if err = r.Client.Get(ctx, types.NamespacedName{Name: req.Namespace}, &ns); err != nil {
+		if apierrors.IsNotFound(err) {
+			logger.V(loglevel.VerbosityDebug).Info(
+				"Namespace not found while evaluating learning namespace selector",
+			)
 			return ctrl.Result{}, nil
 		}
+		return ctrl.Result{}, fmt.Errorf("failed to get namespace %s: %w", req.Namespace, err)
+	}
+	if !r.namespaceSelector.Matches(labels.Set(ns.GetLabels())) {
+		return ctrl.Result{}, nil
 	}
 
 	proposalName, err = proposalutils.GetWorkloadPolicyProposalName(req.WorkloadKind, req.Workload)