Merge pull request #294 from kyledong-suse/learn-for-namespace

feat: implement learn configuration

Author: kyledong-suse

.gitignore

@@ -39,3 +39,6 @@ internal/bpf/bpf_*bpfeb.o
 internal/bpf/bpf_*bpfel.o
 internal/bpf/bpf_*bpfeb.go
 internal/bpf/bpf_*bpfel.go
+
+# Known API violations reports (generated by codegen)
+sample_apiserver_violation_exceptions.list

charts/runtime-enforcer/questions.yaml

@@ -52,6 +52,15 @@ questions:
       Process enforcer remains unaffected.
     group: Learning
 
+  - variable: learning.namespaceSelector
+    type: string
+    default: ""
+    label: Namespace Selector
+    description: |
+      Label selector for namespaces to include in learning (empty = all).
+    group: Learning
+    show_if: learning.enabled=true
+
   ###############################################################################
   # OpenTelemetry
   ###############################################################################

charts/runtime-enforcer/templates/agent/daemonset.yaml

@@ -35,6 +35,13 @@ spec:
         {{- if .Values.learning.enabled }}
         - --enable-learning
         {{- end }}
+        {{- if .Values.learning.namespaceSelector }}
+        {{- if kindIs "string" .Values.learning.namespaceSelector }}
+        - --learning-namespace-selector={{ .Values.learning.namespaceSelector }}
+        {{- else }}
+        - --learning-namespace-selector={{ .Values.learning.namespaceSelector | toJson }}
+        {{- end }}
+        {{- end }}
         - --grpc-port={{ .Values.agent.agent.grpcExporterPort }}
         - --grpc-mtls-cert-dir={{ include "runtime-enforcer.grpc.certDir" . }}
         - --log-level={{ .Values.agent.agent.logLevel }}

charts/runtime-enforcer/templates/agent/role.yaml

@@ -4,6 +4,14 @@ kind: ClusterRole
 metadata:
   name: {{ include "runtime-enforcer.fullname" . }}-agent
 rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - security.rancher.io
   resources:

charts/runtime-enforcer/values.yaml

@@ -100,6 +100,18 @@ learning:
   # learning.enabled controls whether learning mode is enabled for the entire cluster.
   # When disabled, no process learning occurs. Process enforcer remains unaffected.
   enabled: true
+  # Label selector for namespaces to include in learning (empty = all).
+  # You can set either a string or a YAML/JSON object.
+  #
+  # String format:
+  #   namespaceSelector: ""         # learn from all namespaces
+  #   namespaceSelector: "env=prod" # namespaces with label env=prod
+  #
+  # YAML/JSON object format:
+  #   namespaceSelector:
+  #     matchLabels:
+  #       env: prod
+  namespaceSelector: ""
 
 telemetry:
   # runtime-enforcer telemetry configuration allow one OpenTelemetry

cmd/agent/main.go

@@ -2,6 +2,7 @@ package main
 
 import (
 	"context"
+	"encoding/json"
 	"errors"
 	"flag"
 	"fmt"
@@ -16,6 +17,8 @@ import (
 	"github.com/rancher-sandbox/runtime-enforcer/internal/grpcexporter"
 	"github.com/rancher-sandbox/runtime-enforcer/internal/nri"
 	"github.com/rancher-sandbox/runtime-enforcer/internal/resolver"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
@@ -30,14 +33,15 @@ import (
 )
 
 type Config struct {
-	enableTracing     bool
-	enableOtelSidecar bool
-	enableLearning    bool
-	nriSocketPath     string
-	nriPluginIdx      string
-	probeAddr         string
-	grpcConf          grpcexporter.Config
-	logLevel          string
+	enableTracing             bool
+	enableOtelSidecar         bool
+	enableLearning            bool
+	learningNamespaceSelector string
+	nriSocketPath             string
+	nriPluginIdx              string
+	probeAddr                 string
+	grpcConf                  grpcexporter.Config
+	logLevel                  string
 }
 
 // +kubebuilder:rbac:groups=security.rancher.io,resources=workloadpolicies,verbs=get;list;watch
@@ -87,11 +91,22 @@ func setupLearningReconciler(
 		}, nil
 	}
 
-	learningReconciler := eventhandler.NewLearningReconciler(ctrlMgr.GetClient())
+	var nsSelector labels.Selector
+	// If the learning namespace selector is empty, the learning will apply to all namespaces.
+	// Otherwise, we parse the learning namespace selector.
+	if config.learningNamespaceSelector != "" {
+		selector, err := parseLearningNamespaceSelector(config.learningNamespaceSelector)
+		if err != nil {
+			return nil, fmt.Errorf("invalid learning-namespace-selector %q: %w", config.learningNamespaceSelector, err)
+		}
+		nsSelector = selector
+	}
+
+	learningReconciler := eventhandler.NewLearningReconciler(ctrlMgr.GetClient(), nsSelector)
 	if err := learningReconciler.SetupWithManager(ctrlMgr); err != nil {
 		return nil, fmt.Errorf("unable to create learning reconciler: %w", err)
 	}
-	logger.InfoContext(ctx, "learning mode is enabled")
+	logger.InfoContext(ctx, "learning mode is enabled", "namespaceSelector", config.learningNamespaceSelector)
 	return learningReconciler.EnqueueEvent, nil
 }
 
@@ -242,6 +257,21 @@ func parseLogLevel(level string) slog.Level {
 	}
 }
 
+// parseLearningNamespaceSelector parses the learning namespace selector from either:
+// - A JSON object (e.g. {"matchLabels":{"env":"prod"}}.
+// - A string in Kubernetes label selector format (e.g. "env=prod").
+func parseLearningNamespaceSelector(s string) (labels.Selector, error) {
+	s = strings.TrimSpace(s)
+	if strings.HasPrefix(s, "{") {
+		var ls metav1.LabelSelector
+		if err := json.Unmarshal([]byte(s), &ls); err != nil {
+			return nil, fmt.Errorf("invalid JSON label selector %q: %w", s, err)
+		}
+		return metav1.LabelSelectorAsSelector(&ls)
+	}
+	return labels.Parse(s)
+}
+
 func main() {
 	var err error
 	var config Config
@@ -253,6 +283,12 @@ func main() {
 	flag.BoolVar(&config.enableTracing, "enable-tracing", false, "Enable tracing collection")
 	flag.BoolVar(&config.enableOtelSidecar, "enable-otel-sidecar", false, "Enable OpenTelemetry sidecar")
 	flag.BoolVar(&config.enableLearning, "enable-learning", false, "Enable learning mode")
+	flag.StringVar(
+		&config.learningNamespaceSelector,
+		"learning-namespace-selector",
+		"",
+		"Label selector for namespaces to include in learning (empty = all)",
+	)
 	flag.StringVar(&config.nriSocketPath, "nri-socket-path", "/var/run/nri/nri.sock", "NRI socket path")
 	flag.StringVar(&config.nriPluginIdx, "nri-plugin-index", "00", "NRI plugin index")
 	flag.StringVar(&config.probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")

internal/eventhandler/learning_controller.go

@@ -10,8 +10,12 @@ import (
 	"go.opentelemetry.io/otel"
 	"go.opentelemetry.io/otel/attribute"
 	"go.opentelemetry.io/otel/trace"
+	corev1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/validation"
 	"k8s.io/client-go/util/workqueue"
 	ctrl "sigs.k8s.io/controller-runtime"
@@ -62,18 +66,28 @@ func GetWorkloadPolicyProposalName(kind string, resourceName string) (string, er
 type LearningReconciler struct {
 	client.Client
 
-	Scheme    *runtime.Scheme
-	eventChan chan event.TypedGenericEvent[eventscraper.KubeProcessInfo]
-	tracer    trace.Tracer
+	Scheme            *runtime.Scheme
+	eventChan         chan event.TypedGenericEvent[eventscraper.KubeProcessInfo]
+	tracer            trace.Tracer
+	namespaceSelector labels.Selector
 	// OwnerRefEnricher can be overridden during testing
 	OwnerRefEnricher func(wp *securityv1alpha1.WorkloadPolicyProposal, workloadKind string, workload string)
 }
 
-func NewLearningReconciler(client client.Client) *LearningReconciler {
+func NewLearningReconciler(
+	client client.Client,
+	selector labels.Selector,
+) *LearningReconciler {
 	return &LearningReconciler{
-		Client:    client,
-		eventChan: make(chan event.TypedGenericEvent[eventscraper.KubeProcessInfo], DefaultEventChannelBufferSize),
-		tracer:    otel.Tracer("runtime-enforcer-learner"),
+		Client: client,
+		eventChan: make(
+			chan event.TypedGenericEvent[eventscraper.KubeProcessInfo],
+			DefaultEventChannelBufferSize,
+		),
+		tracer: otel.Tracer(
+			"runtime-enforcer-learner",
+		),
+		namespaceSelector: selector,
 		OwnerRefEnricher: func(wp *securityv1alpha1.WorkloadPolicyProposal, workloadKind string, workload string) {
 			wp.OwnerReferences = []metav1.OwnerReference{
 				{
@@ -85,7 +99,8 @@ func NewLearningReconciler(client client.Client) *LearningReconciler {
 	}
 }
 
-// kubebuilder annotations for accessing policy proposals.
+// kubebuilder annotations for accessing policy proposals and namespaces.
+// +kubebuilder:rbac:groups="",resources=namespaces,verbs=get;list;watch
 // +kubebuilder:rbac:groups=security.rancher.io,resources=workloadpolicyproposals,verbs=create;get;list;watch;update;patch
 
 // Reconcile receives learning events and creates/updates WorkloadPolicyProposal resources accordingly.
@@ -113,6 +128,25 @@ func (r *LearningReconciler) Reconcile(
 		return ctrl.Result{}, nil
 	}
 
+	if r.namespaceSelector != nil {
+		var ns corev1.Namespace
+		if err = r.Client.Get(ctx, types.NamespacedName{Name: req.Namespace}, &ns); err != nil {
+			if apierrors.IsNotFound(err) {
+				log.V(3).Info( //nolint:mnd // 3 is the verbosity level for detailed debug info
+					"Namespace not found while evaluating learning namespace selector",
+					"namespace", req.Namespace,
+				)
+				return ctrl.Result{}, nil
+			}
+			return ctrl.Result{}, fmt.Errorf("failed to get namespace %s: %w", req.Namespace, err)
+		}
+		if !r.namespaceSelector.Matches(labels.Set(ns.GetLabels())) {
+			log.V(1).
+				Info("Namespace does not match learning namespace selector; skipping event", "namespace", req.Namespace)
+			return ctrl.Result{}, nil
+		}
+	}
+
 	proposalName, err = GetWorkloadPolicyProposalName(req.WorkloadKind, req.Workload)
 	if err != nil {
 		return ctrl.Result{}, fmt.Errorf("failed to get proposal name: %w", err)