Merge to upstream

.github/.markdownlint.json

@@ -1,6 +1,7 @@
 {
     "MD013": false,
     "MD010": false,
+    "MD033": false,
     "MD024": {
         "siblings_only": true
     }

.github/workflows/release-charts.yaml

@@ -27,7 +27,7 @@ jobs:
         id: install
 
       - name: Install Cosign
-        uses: sigstore/cosign-installer@v3.6.0
+        uses: sigstore/cosign-installer@v3.7.0
 
       - name: Log in to registry (Helm for pushing chart, Docker for signing and push signature)
         run: |

.github/workflows/release-images.yaml

@@ -32,7 +32,7 @@ jobs:
       - run: go version
 
       - name: Install Cosign
-        uses: sigstore/cosign-installer@v3.6.0
+        uses: sigstore/cosign-installer@v3.7.0
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
@@ -78,7 +78,7 @@ jobs:
       - run: go version
 
       - name: Install Cosign
-        uses: sigstore/cosign-installer@v3.6.0
+        uses: sigstore/cosign-installer@v3.7.0
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
@@ -124,7 +124,7 @@ jobs:
       - run: go version
 
       - name: Install Cosign
-        uses: sigstore/cosign-installer@v3.6.0
+        uses: sigstore/cosign-installer@v3.7.0
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
@@ -167,7 +167,7 @@ jobs:
         uses: docker/setup-qemu-action@v3
 
       - name: Install Cosign
-        uses: sigstore/cosign-installer@v3.6.0
+        uses: sigstore/cosign-installer@v3.7.0
 
       - name: Log in to registry
         run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u $ --password-stdin

.github/workflows/trivy.yaml

@@ -30,7 +30,7 @@ jobs:
           echo "TAG=$(make version)" >> $GITHUB_ENV
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8
+        uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2
         with:
           image-ref: "ghcr.io/${{ github.repository }}/${{ matrix.image }}:${{ env.TAG }}"
           format: "template"

.gitignore

@@ -8,6 +8,9 @@
 *.so
 *.dylib
 
+# Avoid checking in keys
+*.pem
+
 # Test binary, built with `go test -c`
 *.test
 

Makefile

@@ -513,7 +513,7 @@ clean-certs:
 .PHONY: docs
 docs: 
 	echo $(PWD)
-	docker run -it -p 3000:3000 -v $(PWD):/retina -w /retina/ node:20-alpine ./site/start-dev.sh
+	docker run -it -p 3000:3000 -v $(PWD):/retina -w /retina/ node:20-alpine sh ./site/start-dev.sh
 
 .PHONY: docs-pod
 docs-prod:

README.md

@@ -1,4 +1,9 @@
-# Retina
+<h1 align="center">
+  <picture>
+    <source media="(prefers-color-scheme: light)" srcset="site/static/img/Retina-logo-horizontal-white.png">
+    <img src="site/static/img/Retina-logo-horizontal-white.png" alt="Retina Logo" width="30%">
+  </picture>
+</h1>
 
 [![Open in GitHub Codespaces](https://github.com/codespaces/badge.svg)](https://github.com/codespaces/new?hide_repo_select=true&ref=main&repo=746962176)
 

cli/cmd/capture/capture.go

@@ -11,15 +11,16 @@ import (
 
 var name string
 
+const defaultName = "retina-capture"
+
 var capture = &cobra.Command{
 	Use:   "capture",
-	Short: "capture network traffic",
+	Short: "Capture network traffic",
 }
 
 func init() {
 	cmd.Retina.AddCommand(capture)
 	configFlags = genericclioptions.NewConfigFlags(true)
 	configFlags.AddFlags(capture.PersistentFlags())
-	capture.PersistentFlags().StringVar(&name, "name", "", "The name of the Retina Capture")
-	_ = capture.MarkPersistentFlagRequired("name")
+	capture.PersistentFlags().StringVar(&name, "name", defaultName, "The name of the Retina Capture")
 }

cli/cmd/capture/create.go

@@ -32,32 +32,45 @@ import (
 var (
 	configFlags *genericclioptions.ConfigFlags
 
+	blobUpload         string
+	debug              bool
 	duration           time.Duration
+	excludeFilter      string
+	hostPath           string
+	includeFilter      string
+	includeMetadata    bool
+	jobNumLimit        int
 	maxSize            int
-	packetSize         int
-	nodeSelectors      string
-	podSelectors       string
+	namespace          string
 	namespaceSelectors string
 	nodeNames          string
-	hostPath           string
+	nodeSelectors      string
+	nowait             bool
+	packetSize         int
+	podSelectors       string
 	pvc                string
-	blobUpload         string
-	s3Region           string
-	s3Endpoint         string
+	s3AccessKeyID      string
 	s3Bucket           string
+	s3Endpoint         string
 	s3Path             string
-	s3AccessKeyID      string
+	s3Region           string
 	s3SecretAccessKey  string
 	tcpdumpFilter      string
-	excludeFilter      string
-	includeFilter      string
-	includeMetadata    bool
-	namespace          string
-	jobNumLimit        int
-
-	nowait bool
+)
 
-	debug bool
+const (
+	DefaultDebug           bool          = false
+	DefaultDuration        time.Duration = 1 * time.Minute
+	DefaultHostPath        string        = "/mnt/retina/captures"
+	DefaultIncludeMetadata bool          = true
+	DefaultJobNumLimit     int           = 0
+	DefaultMaxSize         int           = 100
+	DefaultNodeSelectors   string        = "kubernetes.io/os=linux"
+	DefaultNowait          bool          = true
+	DefaultPacketSize      int           = 0
+	DefaultS3Path          string        = "retina/captures"
+	DefaultWaitPeriod      time.Duration = 1 * time.Minute
+	DefaultWaitTimeout     time.Duration = 5 * time.Minute
 )
 
 var createExample = templates.Examples(i18n.T(`
@@ -91,14 +104,9 @@ var createExample = templates.Examples(i18n.T(`
 			--s3-secret-access-key "your-secret-access-key"
 		`))
 
-const (
-	defaultWaitTimeout time.Duration = 5 * time.Minute
-	defaultWaitPeriod  time.Duration = 1 * time.Minute
-)
-
 var createCapture = &cobra.Command{
 	Use:     "create",
-	Short:   "create a Retina Capture",
+	Short:   "Create a Retina Capture",
 	Example: createExample,
 	RunE: func(*cobra.Command, []string) error {
 		kubeConfig, err := configFlags.ToRESTConfig()
@@ -244,6 +252,14 @@ func createCaptureF(kubeClient kubernetes.Interface) (*retinav1alpha1.Capture, e
 		capture.Spec.CaptureConfiguration.CaptureOption.Duration = &metav1.Duration{Duration: duration}
 	}
 
+	if namespaceSelectors != "" || podSelectors != "" {
+		// if node selector is using the default value (aka hasn't been set by user), set it to nil to prevent clash with namespace and pod selector
+		if nodeSelectors == DefaultNodeSelectors {
+			retinacmd.Logger.Info("Overriding default node selectors value and setting it to nil. Using namespace and pod selectors. To use node selector, please remove namespace and pod selectors.")
+			nodeSelectors = ""
+		}
+	}
+
 	nodeSelectorLabelsMap, err := labels.ConvertSelectorToLabelsMap(nodeSelectors)
 	if err != nil {
 		return nil, err
@@ -375,12 +391,12 @@ func waitUntilJobsComplete(kubeClient kubernetes.Interface, jobs []batchv1.Job)
 	allJobsCompleted := false
 
 	// TODO: let's make the timeout and period to wait for all job to finish configurable.
-	var deadline time.Duration = defaultWaitTimeout
+	var deadline time.Duration = DefaultWaitTimeout
 	if duration != 0 {
 		deadline = duration * 2
 	}
 
-	var period time.Duration = defaultWaitPeriod
+	var period time.Duration = DefaultWaitPeriod
 	// To print less noisy messages, we rely on duration to decide the wait period.
 	if period < duration/10 {
 		period = duration / 10
@@ -443,32 +459,32 @@ func deleteJobs(kubeClient kubernetes.Interface, jobs []batchv1.Job) []string {
 
 func init() {
 	capture.AddCommand(createCapture)
-	createCapture.Flags().DurationVar(&duration, "duration", time.Minute, "Duration of capturing packets")
-	createCapture.Flags().IntVar(&maxSize, "max-size", 100, "Limit the capture file to MB in size which works only for Linux") //nolint:gomnd // default
-	createCapture.Flags().IntVar(&packetSize, "packet-size", 0, "Limits the each packet to bytes in size which works only for Linux")
+	createCapture.Flags().DurationVar(&duration, "duration", DefaultDuration, "Duration of capturing packets")
+	createCapture.Flags().IntVar(&maxSize, "max-size", DefaultMaxSize, "Limit the capture file to MB in size which works only for Linux") //nolint:gomnd // default
+	createCapture.Flags().IntVar(&packetSize, "packet-size", DefaultPacketSize, "Limits the each packet to bytes in size which works only for Linux")
 	createCapture.Flags().StringVar(&nodeNames, "node-names", "", "A comma-separated list of node names to select nodes on which the network capture will be performed")
-	createCapture.Flags().StringVar(&nodeSelectors, "node-selectors", "", "A comma-separated list of node labels to select nodes on which the network capture will be performed")
+	createCapture.Flags().StringVar(&nodeSelectors, "node-selectors", DefaultNodeSelectors, "A comma-separated list of node labels to select nodes on which the network capture will be performed")
 	createCapture.Flags().StringVar(&podSelectors, "pod-selectors", "",
 		"A comma-separated list of pod labels to select pods on which the network capture will be performed")
 	createCapture.Flags().StringVar(&namespaceSelectors, "namespace-selectors", "",
 		"A comma-separated list of namespace labels in which to apply the pod-selectors. By default, the pod namespace is specified by the flag namespace")
-	createCapture.Flags().StringVar(&hostPath, "host-path", "", "HostPath of the node to store the capture files")
+	createCapture.Flags().StringVar(&hostPath, "host-path", DefaultHostPath, "HostPath of the node to store the capture files")
 	createCapture.Flags().StringVar(&pvc, "pvc", "", "PersistentVolumeClaim under the specified or default namespace to store capture files")
 	createCapture.Flags().StringVar(&blobUpload, "blob-upload", "", "Blob SAS URL with write permission to upload capture files")
 	createCapture.Flags().StringVar(&s3Region, "s3-region", "", "Region where the S3 compatible bucket is located")
 	createCapture.Flags().StringVar(&s3Endpoint, "s3-endpoint", "",
 		"Endpoint for an S3 compatible storage service. Use this if you are using a custom or private S3 service that requires a specific endpoint")
 	createCapture.Flags().StringVar(&s3Bucket, "s3-bucket", "", "Bucket in which to store capture files")
-	createCapture.Flags().StringVar(&s3Path, "s3-path", "retina/captures", "Prefix path within the S3 bucket where captures will be stored")
+	createCapture.Flags().StringVar(&s3Path, "s3-path", DefaultS3Path, "Prefix path within the S3 bucket where captures will be stored")
 	createCapture.Flags().StringVar(&s3AccessKeyID, "s3-access-key-id", "", "S3 access key id to upload capture files")
 	createCapture.Flags().StringVar(&s3SecretAccessKey, "s3-secret-access-key", "", "S3 access secret key to upload capture files")
 	createCapture.Flags().StringVar(&tcpdumpFilter, "tcpdump-filter", "", "Raw tcpdump flags which works only for Linux")
 	createCapture.Flags().StringVar(&excludeFilter, "exclude-filter", "", "A comma-separated list of IP:Port pairs that are "+
 		"excluded from capturing network packets. Supported formats are IP:Port, IP, Port, *:Port, IP:*")
 	createCapture.Flags().StringVar(&includeFilter, "include-filter", "", "A comma-separated list of IP:Port pairs that are "+
 		"used to filter capture network packets. Supported formats are IP:Port, IP, Port, *:Port, IP:*")
-	createCapture.Flags().BoolVar(&includeMetadata, "include-metadata", true, "If true, collect static network metadata into capture file")
-	createCapture.Flags().IntVar(&jobNumLimit, "job-num-limit", 0, "The maximum number of jobs can be created for each capture. 0 means no limit")
-	createCapture.Flags().BoolVar(&nowait, "no-wait", true, "Do not wait for the long-running capture job to finish")
-	createCapture.Flags().BoolVar(&debug, "debug", false, "When debug is true, a customized retina-agent image, determined by the environment variable RETINA_AGENT_IMAGE, is set")
+	createCapture.Flags().BoolVar(&includeMetadata, "include-metadata", DefaultIncludeMetadata, "If true, collect static network metadata into capture file")
+	createCapture.Flags().IntVar(&jobNumLimit, "job-num-limit", DefaultJobNumLimit, "The maximum number of jobs can be created for each capture. 0 means no limit")
+	createCapture.Flags().BoolVar(&nowait, "no-wait", DefaultNowait, "Do not wait for the long-running capture job to finish")
+	createCapture.Flags().BoolVar(&debug, "debug", DefaultDebug, "When debug is true, a customized retina-agent image, determined by the environment variable RETINA_AGENT_IMAGE, is set")
 }

cli/cmd/trace.go

@@ -9,7 +9,7 @@ import (
 
 var trace = &cobra.Command{
 	Use:   "trace",
-	Short: "retrieve status or results from Retina",
+	Short: "Retrieve status or results from Retina",
 }
 
 var getTrace = &cobra.Command{

cmd/legacy/daemon.go

@@ -25,7 +25,6 @@ import (
 	crmgr "sigs.k8s.io/controller-runtime/pkg/manager"
 	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
 
-	"github.com/cilium/ebpf/rlimit"
 	"github.com/go-logr/zapr"
 	retinav1alpha1 "github.com/microsoft/retina/crd/api/v1alpha1"
 	"github.com/microsoft/retina/internal/buildinfo"
@@ -134,7 +133,9 @@ func (d *Daemon) Start() error {
 	mainLogger := zl.Named("main").Sugar()
 
 	// Allow the current process to lock memory for eBPF resources.
-	if err = rlimit.RemoveMemlock(); err != nil {
+	// OS specific implementation.
+	// This is a no-op on Windows.
+	if err = d.RemoveMemlock(); err != nil {
 		mainLogger.Fatal("failed to remove memlock", zap.Error(err))
 	}
 

cmd/legacy/daemon_linux.go

@@ -0,0 +1,7 @@
+package legacy
+
+import "github.com/cilium/ebpf/rlimit"
+
+func (d *Daemon) RemoveMemlock() error {
+	return rlimit.RemoveMemlock()
+}

cmd/legacy/daemon_windows.go

@@ -0,0 +1,6 @@
+package legacy
+
+func (d *Daemon) RemoveMemlock() error {
+	// This function is a no-op on Windows.
+	return nil
+}

deploy/hubble/manifests/controller/helm/retina/templates/hubble/tls-cronjob/clusterrolebinding.yaml → deploy/hubble/manifests/controller/helm/retina/templates/hubble/tls-cronjob/rolebinding.yaml

@@ -1,8 +1,9 @@
 {{- if and .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "cronJob") .Values.serviceAccounts.hubblecertgen.create }}
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
   name: hubble-generate-certs
+  namespace: {{ .Release.Namespace }}
   {{- with .Values.hubble.annotations }}
   annotations:
     {{- toYaml . | nindent 4 }}

deploy/hubble/manifests/controller/helm/retina/templates/operator/clusterrole.yaml

@@ -5,12 +5,20 @@ metadata:
   creationTimestamp: null
   name: retina-operator-role
 rules:
-  - apiGroups: 
+  - apiGroups:
       - "apiextensions.k8s.io"
-    resources: 
+    resources:
       - "customresourcedefinitions"
-    verbs: 
+    verbs:
       - "create"
+  - apiGroups:
+      - "apiextensions.k8s.io"
+    resources:
+      - "customresourcedefinitions"
+    resourceNames:
+      - ciliumidentities.cilium.io
+      - ciliumendpoints.cilium.io
+    verbs:
       - "get"
       - "update"
       - "delete"