Release v0.3.54

Summary by CodeRabbit

• Bug Fixes

  • Improved event handling to ensure consistent and reliable data retrieval across different event types, preventing potential inconsistencies.

• Chores

  • Enhanced logging capabilities for improved system observability and troubleshooting.

Release v0.3.53

Truncate HTTP body to Content-Length in ParseHttpRequest and ParseHttpResponse to avoid BPF buffer garbage in parsed bodies.

Note: this only fixes the case where Content-Length is present. The proper fix is adding a buf_len field to the HTTP BPF gadget (syscall return value) so we can truncate at the source.

Summary by CodeRabbit

• Bug Fixes

  • Request and response bodies now honor Content-Length and properly decode chunked Transfer-Encoding, trimming excess buffer data so payloads no longer include stray bytes.

• Tests

  • Added comprehensive parsing tests that simulate fixed-size buffer garbage and cover requests/responses across Content-Length scenarios (zero, absent, truncated, oversized) and chunked decoding.

Release v0.3.48

Summary by CodeRabbit

• New Features

  • Added support for extracting Elastic Container Service (ECS) metadata from events.

• Bug Fixes

  • Improved stability by gracefully handling missing event fields; system now returns safe defaults instead of crashing.

• Refactor

  • Streamlined event field access logic for improved consistency and maintainability across event types.

Release v0.3.47

Summary by CodeRabbit

• Chores
  • Updated project dependencies to latest stable versions for improved compatibility and long-term maintenance.

Release v0.3.42

Summary by CodeRabbit

Release Notes

• New Features

  • Added tracer management system with coordinated initialization, staggered sequencing, and improved error handling during startup.

• Chores

  • Host sensor is now disabled by default.

Release v0.3.38

Summary by CodeRabbit

Release Notes

• Bug Fixes
  • Improved rule evaluation error handling. When a rule fails to compile, evaluation now stops immediately instead of continuing to process remaining expressions, reducing unnecessary computation and preventing inconsistent results.

Release v0.3.36

Summary by CodeRabbit

• Updates

  • Gadget toolset renamed and bumped to v0.48.1; images moved to a new registry path.

• Performance

  • Event data flow simplified to use direct deep-copies, removing pooling and clarifying ownership.

• Features

  • ECS runtime alert support and ECS metadata accessors added to events.

• Tests

  • Tests enhanced to detect unexpected/extra fields in data sources.

• Chores

  • Broad dependency version updates across modules.

Release v0.3.33

Summary by CodeRabbit

• Bug Fixes
  • Improved robustness of expression evaluation by caching failed compilations to avoid repeated work and noisy errors.
  • Added safeguards so failed or missing expressions are skipped safely and return empty results instead of causing failures.
  • Improved logging for compilation/evaluation issues to aid diagnosis without affecting runtime behavior.

Release v0.3.32

Summary

Implement ClusterUID enrichment for runtime alerts by fetching the kube-system namespace UID and populating it in all RuntimeAlert structures.

Changes

Dependencies

• Updated armoapi-go to v0.0.672 (includes new ClusterUID field)

New Files

• pkg/utils/clusteruid.go - Utility function to fetch kube-system namespace UID

Modified Files

• cmd/main.go - Fetch ClusterUID at startup and pass to exporters
• pkg/exporters/exporters_bus.go - Update InitExporters to accept clusterUID parameter
• pkg/exporters/http_exporter.go - Store and populate ClusterUID in alerts

Implementation Details

1. Startup Phase: After creating the Kubernetes client, the agent fetches the UID of the kube-system namespace using the new GetClusterUID utility function.

2. Error Handling: If the namespace cannot be accessed (e.g., due to RBAC restrictions), a warning is logged and an empty string is returned. The agent continues operating normally with an empty ClusterUID field.

3. Alert Enrichment: The ClusterUID is passed through the exporter chain and populated in:

   • RuntimeAlertK8sDetails.ClusterUID for all K8s alerts
   • HttpRuleAlert.SourcePodInfo.ClusterUID for HTTP rule alerts

4. Backward Compatibility: The field uses omitempty and existing functionality is not affected if ClusterUID is empty.

Testing

• ✅ Code compiles successfully
• ✅ Unit tests pass
• Manual testing needed: Deploy to test cluster and verify ClusterUID is populated

Related PRs

• armosec/armoapi-go#602 - Add ClusterUID field to RuntimeAlertK8sDetails

Next Steps

After this PR is merged and a new version is released:

1. Update private-node-agent with new dependencies
2. Update Helm charts with RBAC permissions (namespaces get/list)

RBAC Requirements

Note: For ClusterUID to be populated, the agent's ServiceAccount needs permissions to read namespaces:

- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list"]

This will be added to Helm charts in a separate PR.

Summary by CodeRabbit

• New Features

  • Alerts (runtime and malware) now include a stable cluster UID so cluster context is preserved across emitted alerts.
  • Agent obtains the cluster UID at startup and attaches it to exporter payloads before initialization.

• Tests

  • Unit tests updated to validate the cluster UID is populated in exporter instances.

• Chores

  • Dependency version bumped.

Release v0.3.31

Merge pull request #706 from kubescape/bump

bump: update cel-go dependency to v0.26.1