fix workload enrichment for events

Signed-off-by: Matthias Bertschy <[email protected]>
kubescape · May 27, 2024 · 2cd2def · 2cd2def
1 parent d0c71f2
commit 2cd2def
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 7 deletions.
diff --git a/pkg/malwaremanager/v1/malware_manager.go b/pkg/malwaremanager/v1/malware_manager.go
@@ -30,7 +30,7 @@ const ScannedFilesMaxBufferLength = 10000
 type MalwareManager struct {
 	scannedFiles         maps.SafeMap[string, mapset.Set[string]]
 	containerIdToPid     maps.SafeMap[string, uint32]
-	podToWlid            maps.SafeMap[string, string]
+	podToWlid            maps.SafeMap[string, string] // key is namespace/podName
 	exporter             exporters.Exporter
 	metrics              metricsmanager.MetricsManager
 	k8sClient            k8sclient.K8sClientInterface
@@ -74,12 +74,13 @@ func (mm *MalwareManager) ContainerCallback(notif containercollection.PubSubEven
 	switch notif.Type {
 	case containercollection.EventTypeAddContainer:
 		mm.containerIdToPid.Set(notif.Container.Runtime.ContainerID, notif.Container.Pid)
-		if !mm.podToWlid.Has(notif.Container.K8s.PodName) {
+		podID := utils.CreateK8sPodID(notif.Container.K8s.Namespace, notif.Container.K8s.PodName)
+		if !mm.podToWlid.Has(podID) {
 			w, err := mm.getWorkloadIdentifier(notif.Container.K8s.Namespace, notif.Container.K8s.PodName)
 			if err != nil {
 				logger.L().Debug("MalwareManager - failed to get workload identifier", helpers.Error(err), helpers.String("k8s workload", notif.Container.K8s.PodName))
 			} else {
-				mm.podToWlid.Set(notif.Container.K8s.PodName, w)
+				mm.podToWlid.Set(podID, w)
 			}
 		}
 		shim, err := utils.GetProcessStat(int(notif.Container.Pid))
@@ -92,7 +93,7 @@ func (mm *MalwareManager) ContainerCallback(notif containercollection.PubSubEven
 		mm.containerIdToPid.Delete(notif.Container.Runtime.ContainerID)
 		t.Stop()
 		mm.scannedFiles.Delete(notif.Container.Runtime.ContainerID)
-		mm.podToWlid.Delete(notif.Container.K8s.PodName)
+		mm.podToWlid.Delete(utils.CreateK8sPodID(notif.Container.K8s.Namespace, notif.Container.K8s.PodName))
 		mm.containerIdToShimPid.Delete(notif.Container.Runtime.ContainerID)
 	}
 
@@ -136,7 +137,8 @@ func (mm *MalwareManager) getWorkloadIdentifier(podNamespace, podName string) (s
 func (mm *MalwareManager) ReportFileExec(_ string, event tracerexectype.Event) {
 	for _, scanner := range mm.malwareScanners {
 		if result := scanner.Scan(utils.ExecveEventType, &event, mm.containerIdToPid.Get(event.Runtime.ContainerID)); result != nil {
-			result.SetWorkloadDetails(mm.podToWlid.Get(event.GetPod()))
+			result = mm.enrichMalwareResult(result)
+			result.SetWorkloadDetails(mm.podToWlid.Get(utils.CreateK8sPodID(event.GetNamespace(), event.GetPod())))
 			mm.exporter.SendMalwareAlert(result)
 		}
 	}
@@ -179,8 +181,8 @@ func (mm *MalwareManager) ReportFileOpen(_ string, event traceropentype.Event) {
 
 	for _, scanner := range mm.malwareScanners {
 		if result := scanner.Scan(utils.OpenEventType, &event, mm.containerIdToPid.Get(event.Runtime.ContainerID)); result != nil {
-			result.SetWorkloadDetails(mm.podToWlid.Get(event.GetPod()))
 			result = mm.enrichMalwareResult(result)
+			result.SetWorkloadDetails(mm.podToWlid.Get(utils.CreateK8sPodID(event.GetNamespace(), event.GetPod())))
 			mm.exporter.SendMalwareAlert(result)
 			mm.metrics.ReportRuleAlert(result.GetBasicRuntimeAlert().AlertName)
 		}

diff --git a/pkg/rulemanager/v1/rule_manager.go b/pkg/rulemanager/v1/rule_manager.go
@@ -399,8 +399,8 @@ func (rm *RuleManager) processEvent(eventType utils.EventType, event interface{}
 
 		res := rule.ProcessEvent(eventType, event, rm.objectCache)
 		if res != nil {
-			res.SetWorkloadDetails(rm.podToWlid.Get(utils.CreateK8sPodID(res.GetRuntimeAlertK8sDetails().Namespace, res.GetRuntimeAlertK8sDetails().PodName)))
 			res = rm.enrichRuleFailure(res)
+			res.SetWorkloadDetails(rm.podToWlid.Get(utils.CreateK8sPodID(res.GetRuntimeAlertK8sDetails().Namespace, res.GetRuntimeAlertK8sDetails().PodName)))
 			rm.exporter.SendRuleAlert(res)
 			rm.metrics.ReportRuleAlert(rule.Name())
 		}