This is an automated email from the ASF dual-hosted git repository.
wusheng pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/skywalking-rover.git
The following commit(s) were added to refs/heads/main by this push:
new f800504 Support ztunnel security policy detect (#147)
f800504 is described below
commit f8005045bfb885c381f6a5ed124b4bfe170a1b2f
Author: mrproliu <[email protected]>
AuthorDate: Fri Sep 27 16:13:33 2024 +0800
Support ztunnel security policy detect (#147)
---
bpf/accesslog/ambient/ztunnel.c | 2 +-
bpf/accesslog/ambient/ztunnel.h | 3 +++
go.mod | 2 +-
go.sum | 4 ++--
pkg/accesslog/collector/ztunnel.go | 28 +++++++++++++++++++++++-----
pkg/accesslog/events/ztunnel.go | 13 ++++++++-----
6 files changed, 38 insertions(+), 14 deletions(-)
diff --git a/bpf/accesslog/ambient/ztunnel.c b/bpf/accesslog/ambient/ztunnel.c
index 5d5ffae..e1fc44a 100644
--- a/bpf/accesslog/ambient/ztunnel.c
+++ b/bpf/accesslog/ambient/ztunnel.c
@@ -43,7 +43,7 @@ int connection_manager_track_outbound(struct pt_regs* ctx) {
bool success = true;
success = get_socket_addr_ip_in_ztunnel(success, (void
*)PT_REGS_PARM3(ctx), &event->orginal_src_ip, &event->src_port);
success = get_socket_addr_ip_in_ztunnel(success, (void
*)PT_REGS_PARM4(ctx), &event->original_dst_ip, &event->dst_port);
- success = get_socket_addr_ip_in_ztunnel(success, (void
*)PT_REGS_PARM5(ctx), &event->lb_dst_ip, NULL);
+ success = get_socket_addr_ip_in_ztunnel(success, (void
*)PT_REGS_PARM5(ctx), &event->lb_dst_ip, &event->lb_dst_port);
if (!success) {
return 0;
}
diff --git a/bpf/accesslog/ambient/ztunnel.h b/bpf/accesslog/ambient/ztunnel.h
index 95fc1a0..7bb96b6 100644
--- a/bpf/accesslog/ambient/ztunnel.h
+++ b/bpf/accesslog/ambient/ztunnel.h
@@ -21,6 +21,9 @@ struct ztunnel_socket_mapping_t {
__u16 src_port; // origin local port
__u16 dst_port; // origin remote port
__u32 lb_dst_ip; // load balanced remote ip(should be real pod
ip)
+ __u16 lb_dst_port; // load balanced remote port
+ __u16 pad0;
+ __u32 pad1;
};
struct {
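Review bot: The new `pad0`/`pad1` members only make sense together with the `Pad0`/`Pad1` fields added to ZTunnelSocketMappingEvent in pkg/accesslog/events/ztunnel.go in the same commit, but neither side says so, so a later change to one struct would silently desynchronise the other. A one-line comment on each would pin the dependency, e.g. `__u16 pad0; // explicit padding; layout must match events.ZTunnelSocketMappingEvent` here and the mirror comment on the Go side. The same point applies to the events/ztunnel.go hunk. The enclosing struct ztunnel_socket_mapping_t definition begins before this hunk.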
diff --git a/go.mod b/go.mod
index e0240a5..2cfc536 100644
--- a/go.mod
+++ b/go.mod
@@ -26,7 +26,7 @@ require (
k8s.io/apimachinery v0.23.5
k8s.io/client-go v0.23.5
k8s.io/utils v0.0.0-20211116205334-6203023598ed
- skywalking.apache.org/repo/goapi v0.0.0-20240914024804-703f701836e6
+ skywalking.apache.org/repo/goapi v0.0.0-20240920052516-d4a23d9da0e0
)
require (
diff --git a/go.sum b/go.sum
index 80560da..aadfb36 100644
--- a/go.sum
+++ b/go.sum
@@ -1065,5 +1065,5 @@ sigs.k8s.io/structured-merge-diff/v4 v4.2.1
h1:bKCqE9GvQ5tiVHn5rfn1r+yao3aLQEaLz
sigs.k8s.io/structured-merge-diff/v4 v4.2.1/go.mod
h1:j/nl6xW8vLS49O8YvXW1ocPhZawJtm+Yrr7PPRQ0Vg4=
sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q=
sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=
-skywalking.apache.org/repo/goapi v0.0.0-20240914024804-703f701836e6
h1:ZGcxRsuAF+Q/IHzNzunHTeYPSCbXcLIjonEFkDlAfPc=
-skywalking.apache.org/repo/goapi v0.0.0-20240914024804-703f701836e6/go.mod
h1:+n8BMuS8eRdzdnGh15ElRGBXPi0eYZSs2TKySBDmRTE=
+skywalking.apache.org/repo/goapi v0.0.0-20240920052516-d4a23d9da0e0
h1:7IW+T+mciD/GJXvgglZho414N30KSWgUTzBmEP867eI=
+skywalking.apache.org/repo/goapi v0.0.0-20240920052516-d4a23d9da0e0/go.mod
h1:+n8BMuS8eRdzdnGh15ElRGBXPi0eYZSs2TKySBDmRTE=
diff --git a/pkg/accesslog/collector/ztunnel.go
b/pkg/accesslog/collector/ztunnel.go
index 35465a2..6b7eeeb 100644
--- a/pkg/accesslog/collector/ztunnel.go
+++ b/pkg/accesslog/collector/ztunnel.go
@@ -84,7 +84,10 @@ func (z *ZTunnelCollector) Start(mgr *module.Manager, ctx
*common.AccessLogConte
log.Debugf("received ztunnel lb socket mapping event: %s:%d ->
%s:%d, lb: %s", localIP, localPort, remoteIP, remotePort, lbIP)
key := z.buildIPMappingCacheKey(localIP, int(localPort),
remoteIP, int(remotePort))
- z.ipMappingCache.Set(key, lbIP, z.ipMappingExpireDuration)
+ z.ipMappingCache.Set(key, &ZTunnelLoadBalanceAddress{
+ IP: lbIP,
+ Port: event.LoadBalancedDestPort,
+ }, z.ipMappingExpireDuration)
}, func() interface{} {
return &events.ZTunnelSocketMappingEvent{}
})
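Review bot: The debug message on the hunk's first context line still prints only the IP (`lb: %s`, `lbIP`) although the cached value now also carries `event.LoadBalancedDestPort`, which is the field the later 15008 decision in ReadyToFlushConnection depends on; logging it too keeps that decision traceable, e.g. `lb: %s:%d", localIP, localPort, remoteIP, remotePort, lbIP, event.LoadBalancedDestPort)`. If localPort/remotePort are obtained from the event with a byte-order conversion earlier in Start (outside this hunk), the same conversion is presumably needed for LoadBalancedDestPort before it is compared with a host-order constant — I cannot see from here whether that is the case. The enclosing Start function begins and ends outside the hunk.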
@@ -118,14 +121,20 @@ func (z *ZTunnelCollector)
ReadyToFlushConnection(connection *common.ConnectionI
connection.ConnectionID, connection.RandomID)
return
}
- lbIP := lbIPObj.(string)
- log.Debugf("found the ztunnel load balanced IP for the connection: %s,
connectionID: %d, randomID: %d", lbIP,
- connection.ConnectionID, connection.RandomID)
+ address := lbIPObj.(*ZTunnelLoadBalanceAddress)
+ log.Debugf("found the ztunnel load balanced IP for the connection: %s,
connectionID: %d, randomID: %d",
+ address.String(), connection.ConnectionID, connection.RandomID)
+ securityPolicy := v3.ZTunnelAttachmentSecurityPolicy_NONE
+ // if the target port is 15008, this mean ztunnel have use mTLS
+ if address.Port == 15008 {
+ securityPolicy = v3.ZTunnelAttachmentSecurityPolicy_MTLS
+ }
connection.RPCConnection.Attachment = &v3.ConnectionAttachment{
Environment: &v3.ConnectionAttachment_ZTunnel{
ZTunnel: &v3.ZTunnelAttachmentEnvironment{
- RealDestinationIp: lbIP,
+ RealDestinationIp: address.IP,
By:
v3.ZTunnelAttachmentEnvironmentDetectBy_ZTUNNEL_OUTBOUND_FUNC,
+ SecurityPolicy: securityPolicy,
},
},
}
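Review bot: The unchecked type assertion `address := lbIPObj.(*ZTunnelLoadBalanceAddress)` panics the collector if the cache ever holds a value of another type; since the surrounding code already returns early when the lookup misses, the two-value form fits naturally: `address, ok := lbIPObj.(*ZTunnelLoadBalanceAddress)` followed by `if !ok { return }` with a debug line like the one above it. The literal 15008 should be a named constant with a comment making clear that the policy is inferred from the destination port, not verified from the handshake, and that everything else is reported as `ZTunnelAttachmentSecurityPolicy_NONE` rather than "unknown", e.g. `const zTunnelHBONEPort = 15008 // ztunnel's HBONE (mTLS tunnel) listener; a match is an inference, not a TLS check`. The `found the ztunnel load balanced IP` message now prints `address.String()`, i.e. ip:port, so "IP" in the text is slightly misleading. ReadyToFlushConnection begins outside the hunk.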
@@ -198,3 +207,12 @@ func (z *ZTunnelCollector) collectZTunnelProcess(p
*process.Process) error {
uprobeFile.AddLink(trackBoundSymbol[0].Name,
z.alc.BPF.ConnectionManagerTrackOutbound, nil)
return nil
}
+
+type ZTunnelLoadBalanceAddress struct {
+ IP string
+ Port uint16
+}
+
+func (z *ZTunnelLoadBalanceAddress) String() string {
+ return fmt.Sprintf("%s:%d", z.IP, z.Port)
+}
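Review bot: `ZTunnelLoadBalanceAddress` and its `String` method are exported but carry no doc comments. Suggested: `// ZTunnelLoadBalanceAddress is the real (load balanced) destination that ztunnel chose for an outbound connection, as stored in ipMappingCache.` on the type and `// String renders the address as "ip:port".` on the method. The BPF side carries lb_dst_ip as a __u32, so only IPv4 reaches this formatter today; if IPv6 is ever added, `net.JoinHostPort(z.IP, strconv.Itoa(int(z.Port)))` would bracket the host correctly where `%s:%d` would not.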
diff --git a/pkg/accesslog/events/ztunnel.go b/pkg/accesslog/events/ztunnel.go
index 33c6d35..ffdf793 100644
--- a/pkg/accesslog/events/ztunnel.go
+++ b/pkg/accesslog/events/ztunnel.go
@@ -18,9 +18,12 @@
package events
type ZTunnelSocketMappingEvent struct {
- OriginalSrcIP uint32
- OriginalDestIP uint32
- OriginalSrcPort uint16
- OriginalDestPort uint16
- LoadBalancedDestIP uint32
+ OriginalSrcIP uint32
+ OriginalDestIP uint32
+ OriginalSrcPort uint16
+ OriginalDestPort uint16
+ LoadBalancedDestIP uint32
+ LoadBalancedDestPort uint16
+ Pad0 uint16
+ Pad1 uint32
}