Merge pull request #422 from kubescape/feature/cloud-services

Feature/cloud services

Author: amitschendel

go.mod

@@ -3,10 +3,10 @@ module github.com/kubescape/node-agent
 go 1.23.0
 
 require (
+	github.com/armosec/armoapi-go v0.0.484
 	github.com/DmitriyVTitov/size v1.5.0
 	github.com/anchore/syft v1.13.0
 	github.com/aquilax/truncate v1.0.0
-	github.com/armosec/armoapi-go v0.0.470
 	github.com/armosec/utils-k8s-go v0.0.30
 	github.com/cenkalti/backoff/v4 v4.3.0
 	github.com/cilium/ebpf v0.16.0

go.sum

@@ -150,8 +150,8 @@ github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj
 github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
-github.com/armosec/armoapi-go v0.0.470 h1:fT2J7SruNvOR1Q8RQXjiZ0JvNtJxjVUx68rl0X4leFU=
-github.com/armosec/armoapi-go v0.0.470/go.mod h1:TruqDSAPgfRBXCeM+Cgp6nN4UhJSbe7la+XDKV2pTsY=
+github.com/armosec/armoapi-go v0.0.484 h1:ALW+bND5ZAKeUa/000hcv2XDVVbawPo9hL4NEEliQVM=
+github.com/armosec/armoapi-go v0.0.484/go.mod h1:TruqDSAPgfRBXCeM+Cgp6nN4UhJSbe7la+XDKV2pTsY=
 github.com/armosec/gojay v1.2.17 h1:VSkLBQzD1c2V+FMtlGFKqWXNsdNvIKygTKJI9ysY8eM=
 github.com/armosec/gojay v1.2.17/go.mod h1:vuvX3DlY0nbVrJ0qCklSS733AWMoQboq3cFyuQW9ybc=
 github.com/armosec/utils-go v0.0.57 h1:0RaqexK+t7HeKWfldBv2C1JiLLGuUx9FP0DGWDNRJpg=

main.go

@@ -23,7 +23,7 @@ import (
 	"github.com/kubescape/node-agent/pkg/cloudmetadata"
 	"github.com/kubescape/node-agent/pkg/config"
 	"github.com/kubescape/node-agent/pkg/containerwatcher/v1"
-	"github.com/kubescape/node-agent/pkg/eventreporters/dnsmanager"
+	"github.com/kubescape/node-agent/pkg/dnsmanager"
 	"github.com/kubescape/node-agent/pkg/exporters"
 	"github.com/kubescape/node-agent/pkg/filehandler/v1"
 	"github.com/kubescape/node-agent/pkg/healthmanager"
@@ -247,7 +247,7 @@ func main() {
 		exporter := exporters.InitExporters(cfg.Exporters, clusterData.ClusterName, cfg.NodeName, cloudMetadata)
 
 		// create runtimeDetection managers
-		ruleManager, err = rulemanagerv1.CreateRuleManager(ctx, cfg, k8sClient, ruleBindingCache, objCache, exporter, prometheusExporter, cfg.NodeName, clusterData.ClusterName, processManager)
+		ruleManager, err = rulemanagerv1.CreateRuleManager(ctx, cfg, k8sClient, ruleBindingCache, objCache, exporter, prometheusExporter, cfg.NodeName, clusterData.ClusterName, processManager, dnsResolver)
 		if err != nil {
 			logger.L().Ctx(ctx).Fatal("error creating RuleManager", helpers.Error(err))
 		}

pkg/containerwatcher/v1/container_watcher.go

@@ -28,6 +28,7 @@ import (
 	"github.com/kubescape/node-agent/pkg/applicationprofilemanager"
 	"github.com/kubescape/node-agent/pkg/config"
 	"github.com/kubescape/node-agent/pkg/containerwatcher"
+	"github.com/kubescape/node-agent/pkg/dnsmanager"
 	tracerhardlink "github.com/kubescape/node-agent/pkg/ebpf/gadgets/hardlink/tracer"
 	tracerhardlinktype "github.com/kubescape/node-agent/pkg/ebpf/gadgets/hardlink/types"
 	tracerhttp "github.com/kubescape/node-agent/pkg/ebpf/gadgets/http/tracer"
@@ -40,7 +41,6 @@ import (
 	tracersshtype "github.com/kubescape/node-agent/pkg/ebpf/gadgets/ssh/types"
 	tracersymlink "github.com/kubescape/node-agent/pkg/ebpf/gadgets/symlink/tracer"
 	tracersymlinktype "github.com/kubescape/node-agent/pkg/ebpf/gadgets/symlink/types"
-	"github.com/kubescape/node-agent/pkg/eventreporters/dnsmanager"
 	"github.com/kubescape/node-agent/pkg/eventreporters/rulepolicy"
 	"github.com/kubescape/node-agent/pkg/malwaremanager"
 	"github.com/kubescape/node-agent/pkg/metricsmanager"

pkg/containerwatcher/v1/container_watcher_private.go

@@ -92,6 +92,7 @@ func (ch *IGContainerWatcher) startContainerCollection(ctx context.Context) erro
 		ch.ruleManager.ContainerCallback,
 		ch.sbomManager.ContainerCallback,
 		ch.processManager.ContainerCallback,
+		ch.dnsManager.ContainerCallback,
 	}
 
 	for receiver := range ch.thirdPartyContainerReceivers.Iter() {

pkg/dnsmanager/dns_manager.go

@@ -0,0 +1,160 @@
+package dnsmanager
+
+import (
+	"net"
+	"strings"
+	"time"
+
+	mapset "github.com/deckarep/golang-set/v2"
+	"github.com/goradd/maps"
+	containercollection "github.com/inspektor-gadget/inspektor-gadget/pkg/container-collection"
+	tracerdnstype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/dns/types"
+	"istio.io/pkg/cache"
+)
+
+// DNSManager is used to manage DNS events and save IP resolutions.
+type DNSManager struct {
+	addressToDomainMap       maps.SafeMap[string, string]
+	lookupCache              cache.ExpiringCache                      // Cache for DNS lookups
+	failureCache             cache.ExpiringCache                      // Cache for failed lookups
+	containerToCloudServices maps.SafeMap[string, mapset.Set[string]] // key: containerId, value: set of cloud services
+}
+
+type cacheEntry struct {
+	addresses []string
+}
+
+const (
+	defaultPositiveTTL  = 1 * time.Minute // Default TTL for successful lookups
+	defaultNegativeTTL  = 5 * time.Second // Default TTL for failed lookups
+	maxServiceCacheSize = 50              // Maximum number of cloud services to cache per container
+)
+
+var _ DNSManagerClient = (*DNSManager)(nil)
+var _ DNSResolver = (*DNSManager)(nil)
+
+func CreateDNSManager() *DNSManager {
+	return &DNSManager{
+		// Create TTL caches with their respective expiration times
+		lookupCache:  cache.NewTTL(defaultPositiveTTL, defaultPositiveTTL),
+		failureCache: cache.NewTTL(defaultNegativeTTL, defaultNegativeTTL),
+	}
+}
+
+func (dm *DNSManager) ContainerCallback(notif containercollection.PubSubEvent) {
+	switch notif.Type {
+	case containercollection.EventTypeAddContainer:
+		dm.containerToCloudServices.Set(notif.Container.Runtime.ContainerID, mapset.NewSet[string]())
+	case containercollection.EventTypeRemoveContainer:
+		dm.containerToCloudServices.Delete(notif.Container.Runtime.ContainerID)
+	}
+}
+
+func (dm *DNSManager) ReportEvent(dnsEvent tracerdnstype.Event) {
+	if isCloudService(dnsEvent.DNSName) {
+		if dm.containerToCloudServices.Has(dnsEvent.Runtime.ContainerID) {
+			// Guard against cache size getting too large by checking the cardinality per container
+			if dm.containerToCloudServices.Get(dnsEvent.Runtime.ContainerID).Cardinality() < maxServiceCacheSize {
+				dm.containerToCloudServices.Get(dnsEvent.Runtime.ContainerID).Add(dnsEvent.DNSName)
+			}
+		}
+	}
+
+	if len(dnsEvent.Addresses) > 0 {
+		for _, address := range dnsEvent.Addresses {
+			dm.addressToDomainMap.Set(address, dnsEvent.DNSName)
+		}
+
+		// Update the cache with these known good addresses
+		dm.lookupCache.Set(dnsEvent.DNSName, cacheEntry{
+			addresses: dnsEvent.Addresses,
+		})
+		return
+	}
+
+	// Check if we've recently failed to look up this domain
+	if _, found := dm.failureCache.Get(dnsEvent.DNSName); found {
+		return
+	}
+
+	// Check if we have a cached result
+	if cached, found := dm.lookupCache.Get(dnsEvent.DNSName); found {
+		entry := cached.(cacheEntry)
+		// Use cached addresses
+		for _, addr := range entry.addresses {
+			dm.addressToDomainMap.Set(addr, dnsEvent.DNSName)
+		}
+		return
+	}
+
+	// Only perform lookup if we don't have cached results
+	addresses, err := net.LookupIP(dnsEvent.DNSName)
+	if err != nil {
+		// Cache the failure - we just need to store something, using empty struct
+		dm.failureCache.Set(dnsEvent.DNSName, struct{}{})
+		return
+	}
+
+	// Convert addresses to strings and store them
+	addrStrings := make([]string, 0, len(addresses))
+	for _, addr := range addresses {
+		addrStr := addr.String()
+		addrStrings = append(addrStrings, addrStr)
+		dm.addressToDomainMap.Set(addrStr, dnsEvent.DNSName)
+	}
+
+	// Cache the successful lookup
+	dm.lookupCache.Set(dnsEvent.DNSName, cacheEntry{
+		addresses: addrStrings,
+	})
+}
+
+func (dm *DNSManager) ResolveIPAddress(ipAddr string) (string, bool) {
+	domain := dm.addressToDomainMap.Get(ipAddr)
+	return domain, domain != ""
+}
+
+func (dm *DNSManager) ResolveContainerToCloudServices(containerId string) mapset.Set[string] {
+	if services, found := dm.containerToCloudServices.Load(containerId); found {
+		return services
+	}
+	return nil
+}
+
+func isCloudService(domain string) bool {
+	domain = strings.ToLower(domain)
+	// Common cloud service domains
+	awsDomains := []string{
+		"amazonaws.com.",
+		"cloudfront.net.",
+		"aws.amazon.com.",
+		"elasticbeanstalk.com.",
+	}
+
+	azureDomains := []string{
+		"azure.com.",
+		"azurewebsites.net.",
+		"cloudapp.net.",
+		"azure-api.net.",
+	}
+
+	gcpDomains := []string{
+		"googleapis.com.",
+		"appspot.com.",
+		"cloudfunctions.net.",
+		"run.app.",
+	}
+
+	// Combine all cloud domains
+	allCloudDomains := append(awsDomains, azureDomains...)
+	allCloudDomains = append(allCloudDomains, gcpDomains...)
+
+	// Check if the input domain ends with any of the cloud domains
+	for _, cloudDomain := range allCloudDomains {
+		if strings.HasSuffix(domain, cloudDomain) {
+			return true
+		}
+	}
+
+	return false
+}

pkg/eventreporters/dnsmanager/dns_manager_interface.go renamed to pkg/dnsmanager/dns_manager_interface.go

@@ -1,13 +1,17 @@
 package dnsmanager
 
 import (
+	mapset "github.com/deckarep/golang-set/v2"
+	containercollection "github.com/inspektor-gadget/inspektor-gadget/pkg/container-collection"
 	tracerdnstype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/dns/types"
 )
 
 type DNSManagerClient interface {
 	ReportEvent(networkEvent tracerdnstype.Event)
+	ContainerCallback(notif containercollection.PubSubEvent)
 }
 
 type DNSResolver interface {
 	ResolveIPAddress(ipAddr string) (string, bool)
+	ResolveContainerToCloudServices(containerId string) mapset.Set[string]
 }

pkg/eventreporters/dnsmanager/dns_manager_mock.go renamed to pkg/dnsmanager/dns_manager_mock.go

@@ -1,6 +1,8 @@
 package dnsmanager
 
 import (
+	mapset "github.com/deckarep/golang-set/v2"
+	containercollection "github.com/inspektor-gadget/inspektor-gadget/pkg/container-collection"
 	tracerdnstype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/dns/types"
 )
 
@@ -17,6 +19,13 @@ func CreateDNSManagerMock() *DNSManagerMock {
 func (n *DNSManagerMock) ReportEvent(_ tracerdnstype.Event) {
 }
 
+func (n *DNSManagerMock) ContainerCallback(notif containercollection.PubSubEvent) {
+}
+
 func (n *DNSManagerMock) ResolveIPAddress(_ string) (string, bool) {
 	return "", false
 }
+
+func (n *DNSManagerMock) ResolveContainerToCloudServices(_ string) mapset.Set[string] {
+	return nil
+}

pkg/eventreporters/dnsmanager/dns_manager_test.go renamed to pkg/dnsmanager/dns_manager_test.go

@@ -2,6 +2,7 @@ package dnsmanager
 
 import (
 	"net"
+	"strings"
 	"sync"
 	"testing"
 
@@ -233,3 +234,72 @@ func TestConcurrentAccess(t *testing.T) {
 		}
 	}
 }
+
+func TestIsCloudService(t *testing.T) {
+	tests := []struct {
+		name     string
+		domain   string
+		expected bool
+	}{
+		// AWS tests
+		{"AWS EC2", "ec2.amazonaws.com.", true},
+		{"AWS S3", "mybucket.s3.amazonaws.com.", true},
+		{"AWS CloudFront", "d1234.cloudfront.net.", true},
+		{"AWS Console", "console.aws.amazon.com.", true},
+		{"AWS Elastic Beanstalk", "myapp.elasticbeanstalk.com.", true},
+
+		// Azure tests
+		{"Azure Web App", "myapp.azurewebsites.net.", true},
+		{"Azure Cloud App", "myservice.cloudapp.net.", true},
+		{"Azure API", "api.azure-api.net.", true},
+		{"Azure Portal", "portal.azure.com.", true},
+
+		// GCP tests
+		{"Google APIs", "storage.googleapis.com.", true},
+		{"App Engine", "myapp.appspot.com.", true},
+		{"Cloud Functions", "function.cloudfunctions.net.", true},
+		{"Cloud Run", "myservice.run.app.", true},
+
+		// Negative tests
+		{"Regular Domain", "example.com.", false},
+		{"Subdomain", "sub.example.com.", false},
+		{"Empty String", "", false},
+		{"Single Dot", ".", false},
+		{"Similar But Not Cloud", "notamazonsaws.com.", false},
+		// {"Non Cloud With Azure In Name", "fake-azure.com.", false}, // Because of cpu usage we keep the check "simple".
+
+		// Edge cases
+		{"Domain Without Final Dot", "example.amazonaws.com", false},
+		{"Multiple Dots", "my.app.amazonaws.com.", true},
+		{"Uppercase Domain", "MYAPP.AMAZONAWS.COM.", true},
+		{"Mixed Case Domain", "MyApp.AmAzOnAwS.cOm.", true},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := isCloudService(strings.ToLower(tt.domain)) // Convert input to lowercase
+			if result != tt.expected {
+				t.Errorf("isCloudService(%q) = %v; want %v",
+					tt.domain, result, tt.expected)
+			}
+		})
+	}
+}
+
+// Benchmark function remains the same
+func BenchmarkIsCloudService(b *testing.B) {
+	testDomains := []string{
+		"ec2.amazonaws.com.",
+		"example.com.",
+		"myapp.azurewebsites.net.",
+		"storage.googleapis.com.",
+		"notacloud.com.",
+	}
+
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		for _, domain := range testDomains {
+			isCloudService(domain)
+		}
+	}
+}