Add support for matchWorkloads selector

bpf/process/pfilter.h

@@ -2,6 +2,7 @@
 #define __PFILTER_H__
 
 #include "bpf_process_event.h"
+#include "policy_filter.h"
 
 /**
  * Process filters (see generic_process_filter)
@@ -427,7 +428,10 @@ selector_process_filter(__u32 *f, __u32 index, struct execve_map_value *enter,
 	__u32 len;
 	__u64 i;
 
-	/* Do binary and parent filter first for selector index */
+	/* Do workload filter first for selector index */
+	if (!match_workloads(index))
+		return 0;
+
 	if (!match_binaries(index, enter, &enter->bin))
 		return 0;
 

bpf/process/policy_filter.h

@@ -93,4 +93,22 @@ FUNC_INLINE bool policy_filter_check(u32 policy_id)
 	return !map_lookup_elem(policy_map, &cgroupid);
 }
 
+struct {
+	__uint(type, BPF_MAP_TYPE_HASH);
+	__uint(max_entries, MAX_SELECTORS);
+	__type(key, __u32); /* selector id */
+	__type(value, __u32); /* policy_id */
+} workloads_map SEC(".maps");
+
+FUNC_INLINE int match_workloads(__u32 selector_id)
+{
+	__u32 *pol_id = 0;
+
+	pol_id = map_lookup_elem(&workloads_map, &selector_id);
+	if (!pol_id)
+		return 1; // no matchWorkload in this selector so match
+
+	return policy_filter_check(*pol_id);
+}
+
 #endif /* POLICY_FILTER_MAPS_H__ */

docs/content/en/docs/concepts/tracing-policy/selectors.md

@@ -21,6 +21,7 @@ Each selector comprises a set of filters:
 - [`matchCapabilities`](#capabilities-filter): filter on Linux capabilities.
 - [`matchNamespaceChanges`](#namespace-changes-filter): filter on Linux namespaces changes.
 - [`matchCapabilityChanges`](#capability-changes-filter): filter on Linux capabilities changes.
+- [`matchWorkloads`](#workloads-filter): filter on Kubernetes workloads.
 
 And a set of actions that will be performed if the specified filters match:
 - [`matchActions`](#actions-filter): apply an action on selector matching.
@@ -716,6 +717,32 @@ matchCapabilityChanges:
 See a [demonstration example](https://github.com/cilium/tetragon/blob/main/examples/tracingpolicy/fd_install_cap_changes.yaml)
 of this feature.
 
+## Workloads filter
+
+Workloads filter can be specified under the `matchWorkloads` field and provides
+filtering based on Kubernetes workloads. Inside `matchWorkloads` the user can
+define a `hostSelector`, a `podSelector`, and a `containerSelector`.
+
+This works in a similar way to global workload selectors such as `spec.hostSelector`,
+`spec.podSelector`, and `spec.containerSelector`. More details on these
+can be found in [Filtering semantics]({{< ref "/docs/concepts/tracing-policy/k8s-filtering/#filtering-semantics" >}}).
+
+Loading a tracing policy with `matchWorkloads` outside of Kubernetes will fail
+in a similar way to global workload selectors.
+
+The following match host workloads and pods inside `kube-system` namespace:
+
+```yaml
+matchWorkloads:
+- hostSelector: {}
+  podSelector:
+    matchExpressions:
+    - key: "k8s:io.kubernetes.pod.namespace"
+      operator: In
+      values:
+      - "kube-system"
+```
+
 ## Actions filter
 
 Actions filters are a list of actions that execute when an appropriate selector