diff --git a/pkg/malwaremanager/v1/malware_manager.go b/pkg/malwaremanager/v1/malware_manager.go
index e15300b3..02096afb 100644
--- a/pkg/malwaremanager/v1/malware_manager.go
+++ b/pkg/malwaremanager/v1/malware_manager.go
@@ -30,7 +30,7 @@ const ScannedFilesMaxBufferLength = 10000
 type MalwareManager struct {
 	scannedFiles maps.SafeMap[string, mapset.Set[string]]
 	containerIdToPid maps.SafeMap[string, uint32]
-	podToWlid maps.SafeMap[string, string]
+	podToWlid maps.SafeMap[string, string] // key is namespace/podName
 	exporter exporters.Exporter
 	metrics metricsmanager.MetricsManager
 	k8sClient k8sclient.K8sClientInterface
@@ -74,12 +74,13 @@ func (mm *MalwareManager) ContainerCallback(notif containercollection.PubSubEven
 	switch notif.Type {
 	case containercollection.EventTypeAddContainer:
 		mm.containerIdToPid.Set(notif.Container.Runtime.ContainerID, notif.Container.Pid)
-		if !mm.podToWlid.Has(notif.Container.K8s.PodName) {
+		podID := utils.CreateK8sPodID(notif.Container.K8s.Namespace, notif.Container.K8s.PodName)
+		if !mm.podToWlid.Has(podID) {
 			w, err := mm.getWorkloadIdentifier(notif.Container.K8s.Namespace, notif.Container.K8s.PodName)
 			if err != nil {
 				logger.L().Debug("MalwareManager - failed to get workload identifier", helpers.Error(err), helpers.String("k8s workload", notif.Container.K8s.PodName))
 			} else {
-				mm.podToWlid.Set(notif.Container.K8s.PodName, w)
+				mm.podToWlid.Set(podID, w)
 			}
 		}
 		shim, err := utils.GetProcessStat(int(notif.Container.Pid))
@@ -92,7 +93,7 @@ func (mm *MalwareManager) ContainerCallback(notif containercollection.PubSubEven
 		mm.containerIdToPid.Delete(notif.Container.Runtime.ContainerID)
 		t.Stop()
 		mm.scannedFiles.Delete(notif.Container.Runtime.ContainerID)
-		mm.podToWlid.Delete(notif.Container.K8s.PodName)
+		mm.podToWlid.Delete(utils.CreateK8sPodID(notif.Container.K8s.Namespace, notif.Container.K8s.PodName))
 		mm.containerIdToShimPid.Delete(notif.Container.Runtime.ContainerID)
 	}
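Review bot: The debug log in the `err != nil` branch still identifies the workload by `notif.Container.K8s.PodName` alone, although the map key now carries the namespace, so a failed lookup for a pod name that exists in several namespaces cannot be told apart in the log. Add the namespace to the log fields, e.g. `helpers.String("namespace", notif.Container.K8s.Namespace)`, or log `podID` directly. Note also that when `getWorkloadIdentifier` fails nothing is cached, so later alerts for this pod presumably resolve to an empty identifier from `podToWlid.Get` until a subsequent add-container event succeeds; if that is the intended best-effort behaviour, a one-line comment on the `else` branch should say so. ContainerCallback starts and ends outside the hunk.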
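Review bot: The remove-container path still calls `mm.podToWlid.Delete(...)` for the whole pod when any single container of that pod goes away, so alerts raised for the pod's remaining containers would presumably read an empty workload identifier until the next add-container event re-populates the entry. This predates the commit, but now that the key is namespace-scoped it is the natural moment to either delete only when the pod's last known container is removed or document the behaviour with `// NOTE: a pod may hold several containers; the entry is re-created on the next add-container event`. The enclosing switch and ContainerCallback continue outside the hunk.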
@@ -136,7 +137,8 @@ func (mm *MalwareManager) getWorkloadIdentifier(podNamespace, podName string) (s
 func (mm *MalwareManager) ReportFileExec(_ string, event tracerexectype.Event) {
 	for _, scanner := range mm.malwareScanners {
 		if result := scanner.Scan(utils.ExecveEventType, &event, mm.containerIdToPid.Get(event.Runtime.ContainerID)); result != nil {
-			result.SetWorkloadDetails(mm.podToWlid.Get(event.GetPod()))
+			result = mm.enrichMalwareResult(result)
+			result.SetWorkloadDetails(mm.podToWlid.Get(utils.CreateK8sPodID(event.GetNamespace(), event.GetPod())))
 			mm.exporter.SendMalwareAlert(result)
 		}
 	}
@@ -179,8 +181,8 @@ func (mm *MalwareManager) ReportFileOpen(_ string, event traceropentype.Event) {
 	for _, scanner := range mm.malwareScanners {
 		if result := scanner.Scan(utils.OpenEventType, &event, mm.containerIdToPid.Get(event.Runtime.ContainerID)); result != nil {
-			result.SetWorkloadDetails(mm.podToWlid.Get(event.GetPod()))
 			result = mm.enrichMalwareResult(result)
+			result.SetWorkloadDetails(mm.podToWlid.Get(utils.CreateK8sPodID(event.GetNamespace(), event.GetPod())))
 			mm.exporter.SendMalwareAlert(result)
 			mm.metrics.ReportRuleAlert(result.GetBasicRuntimeAlert().AlertName)
 		}
diff --git a/pkg/rulemanager/v1/rule_manager.go b/pkg/rulemanager/v1/rule_manager.go
index 404cd399..2e840430 100644
--- a/pkg/rulemanager/v1/rule_manager.go
+++ b/pkg/rulemanager/v1/rule_manager.go
@@ -399,8 +399,8 @@ func (rm *RuleManager) processEvent(eventType utils.EventType, event interface{}
 		res := rule.ProcessEvent(eventType, event, rm.objectCache)
 		if res != nil {
-			res.SetWorkloadDetails(rm.podToWlid.Get(utils.CreateK8sPodID(res.GetRuntimeAlertK8sDetails().Namespace, res.GetRuntimeAlertK8sDetails().PodName)))
 			res = rm.enrichRuleFailure(res)
+			res.SetWorkloadDetails(rm.podToWlid.Get(utils.CreateK8sPodID(res.GetRuntimeAlertK8sDetails().Namespace, res.GetRuntimeAlertK8sDetails().PodName)))
 			rm.exporter.SendRuleAlert(res)
 			rm.metrics.ReportRuleAlert(rule.Name())
 		}
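Review bot: The reordering that runs `enrichMalwareResult` before `SetWorkloadDetails` in ReportFileExec is not explained, and the same swap appears in ReportFileOpen (the -179 hunk) and in RuleManager.processEvent (the -399 hunk), where the lookup key is read from `res.GetRuntimeAlertK8sDetails()` after enrichment and so the order is load-bearing. If the enrich step rebuilds or overwrites the alert's details, a comment on the enrich line should say so, e.g. `// enrich first: enrichment may reset the alert details, so the workload identifier is applied afterwards` (to be confirmed against enrichMalwareResult / enrichRuleFailure). Since `result` is reassigned from the enrich call, the following `SetWorkloadDetails` also relies on that function never returning nil; if it can, a nil check belongs between the two lines. ReportFileExec's signature is inside the hunk but the function closes outside it.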