NETOBSERV-1704 Add kTLS tracker

[jpinsonneau]

Description

Based on #222 PoC:

Dependencies

n/a

Checklist

If you are not familiar with our processes or don't know what to answer in the list below, let us know in a comment: the maintainers will take care of that.

• Will this change affect NetObserv / Network Observability operator? If not, you can ignore the rest of this checklist.
• Is this PR backed with a JIRA ticket? If so, make sure it is written as a title prefix (in general, PRs affecting the NetObserv/Network Observability product should be backed with a JIRA ticket - especially if they bring user facing changes).
• Does this PR require product documentation?
  • If so, make sure the JIRA epic is labelled with "documentation" and provides a description relevant for doc writers, such as use cases or scenarios. Any required step to activate or configure the feature should be documented there, such as new CRD knobs.
• Does this PR require a product release notes entry?
  • If so, fill in "Release Note Text" in the JIRA.
• Is there anything else the QE team should know before testing? E.g: configuration changes, environment setup, etc.
  • If so, make sure it is described in the JIRA ticket.
• QE requirements (check 1 from the list):
  • Standard QE validation, with pre-merge tests unless stated otherwise.
  • Regression tests only (e.g. refactoring with no user-facing change).
  • No QE (e.g. trivial change with high reviewer's confidence, or per agreement with the QE team).

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign oliviercazade for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[jotak]

Oh, I didn't know/remember @msherif1234 had done a PoC
I've also done something on my side :-) jotak@ca2e463
It's a different approach, not using a new hook but instead reusing the TC hook. It gives as an output, the version of TLS used.

In your PoC, what's does mean the "verdict" output that you get ?

[jpinsonneau]

Oh, I didn't know/remember @msherif1234 had done a PoC I've also done something on my side :-) jotak@ca2e463 It's a different approach, not using a new hook but instead reusing the TC hook. It gives as an output, the version of TLS used.

Thanks for sharing, I'll take a look 👀

In your PoC, what's does mean the "verdict" output that you get ?

The verdict is just a status telling if the message PASS or DROP. https://docs.ebpf.io/linux/program-type/BPF_PROG_TYPE_SK_MSG/
That's not the final output as we need to read and append the message data then. I'm just checking if that load and it's not the case on kind

time="2025-10-14T08:56:08Z" level=fatal msg="can't instantiate NetObserv eBPF Agent" error="failed to attach cgroup: can't open cgroup: open : no such file or directory"

I'm going to give a try on a real cluster 😸

[github-actions]

New images:
quay.io/netobserv/ebpf-bytecode:51dc3ce
quay.io/netobserv/netobserv-ebpf-agent:51dc3ce

These will expire after two weeks.

To deploy this build, run from the operator repo, assuming the operator is running:

USER=netobserv VERSION=51dc3ce make set-agent-image

[codecov]

Codecov Report

❌ Patch coverage is 0% with 53 lines in your changes missing coverage. Please review.
✅ Project coverage is 29.45%. Comparing base (0549bb5) to head (78ca593).

Files with missing lines	Patch %	Lines
pkg/tracer/tracer.go	0.00%	49 Missing ⚠️
pkg/ebpf/bpf_x86_bpfel.go	0.00%	3 Missing ⚠️
pkg/agent/agent.go	0.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #814      +/-   ##
==========================================
- Coverage   29.74%   29.45%   -0.30%     
==========================================
  Files          49       49              
  Lines        5355     5408      +53     
==========================================
  Hits         1593     1593              
- Misses       3645     3698      +53     
  Partials      117      117              

Flag	Coverage Δ
unittests	29.45% <0.00%> (-0.30%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
pkg/config/config.go	8.33% <ø> (ø)
pkg/agent/agent.go	33.87% <0.00%> (-0.11%)	⬇️
pkg/ebpf/bpf_x86_bpfel.go	0.00% <0.00%> (ø)
pkg/tracer/tracer.go	0.00% <0.00%> (ø)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[jpinsonneau]

@msherif1234 was the goal of your initial PoC to get the content of msg->data here ?

I'm trying to see how we could read some parts of the packet payload, especially when the traffic is encrypted 👼

[msherif1234]

The idea behind this PoC was triggered by this talk in KubeCon https://youtu.be/-2FykHaqvlg?si=ArqarppDqd33YH15
this approach avoid using userspace probes

https://elixir.bootlin.com/linux/v6.17.1/source/include/uapi/linux/bpf.h#L6553 sk_msg_md has the same layout like tc or tcp hook look like u can collect all L2/L3/L4 headers info from there

[msherif1234]

the key thing here is this whole approach relies on using kTLS and more advanced openssl libraries if that is a GO I would like to help with project if there is interest, pls lmk

[msherif1234]

if we are looking for user-space approach for SSL/TLS we can do something like https://github.com/gojue/ecapture/tree/master which I can help PoC it in separate PR if there is interest

[jpinsonneau]

Thanks for your feedback @msherif1234

Let's discuss this on the upstream slack 😸