profile-compaction: CollapseConfig CRD + projection overlay + user-ma…

[entlein]

here things got confusing during the rebase, this is the sister PR to storage and need the signature PR (from matthyx)

Summary by CodeRabbit

• New Features

  • Added tamper detection for signed user-defined overlays with R1016 tamper alerts
  • Added overlay identity tracking for intelligent cache invalidation
  • Added NetworkNeighborhood resource support via pod labels
  • Added execution arguments tracking for enhanced wildcard pattern matching

• Bug Fixes

  • Fixed cache notification blocking when subscribers are slow or unresponsive
  • Improved context propagation for Kubernetes list operations

• Tests

  • Added tamper detection and alert deduplication tests
  • Added user overlay projection end-to-end tests
  • Added non-blocking notification fan-out tests

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR extends container profile caching with tamper detection for user-supplied overlays, refactors projection to classify dynamic/wildcard patterns and support exec-arguments matching, adds overlay-identity stamping into cache checksums, and refactors rule-binding cache to dispatch notifications without holding locks.

Changes

Container Profile Cache: Tamper Detection, Overlay Identity, and Projection

Layer / File(s)	Summary
Tamper detection state and verification entry points pkg/objectcache/containerprofilecache/containerprofilecache.go	Adds tamperAlertExporter and tamperEmitted dedup map to ContainerProfileCacheImpl; imports exporter package; wires calls to verifyUserApplicationProfile and verifyUserNetworkNeighborhood after fetching overlays.
Verification methods and tamper-alert logic pkg/objectcache/containerprofilecache/tamper_alert.go	Implements signature re-verification for ApplicationProfile and NetworkNeighborhood with per-tamper-key deduplication; emits R1016 alerts only on ErrSignatureMismatch; clears dedup state on successful re-verification; wires optional exporter via SetTamperAlertExporter.
Overlay identity stamping into SyncChecksum pkg/objectcache/containerprofilecache/projection.go	Updates projectUserProfiles to stamp overlay namespace/name/resourceVersion into SyncChecksumMetadataKey; preserves baseline checksum prefix and ensures idempotent suffixes via stampOverlayIdentity helper.
Projection refactoring for dynamic/wildcard classification pkg/objectcache/containerprofilecache/projection_apply.go	Refactors projectField to accept isDynamic callback; introduces isNetworkIPWildcard and isNetworkDNSWildcard for network pattern classification; adds extractExecsByPath for path→argv mapping; updates address extraction to use plural IPAddresses fields.
Data model extensions for ExecsByPath and UserDefinedNetwork pkg/objectcache/projection_types.go, pkg/objectcache/shared_container_data.go	Adds ExecsByPath map[string][]string to ProjectedContainerProfile for exec-args matching; introduces UserDefinedNetworkMetadataKey constant and field to WatchedContainerData; extends SetContainerInfo to read and persist network label.
Tamper verification and alert dedup tests pkg/objectcache/containerprofilecache/tamper_alert_test.go	Tests tamper-key deduplication, distinguishes tamper from operational errors, validates ErrSignatureMismatch sentinel, exercises end-to-end verification with exporter wiring and R1016 alert emission.
End-to-end projection and SyncChecksum contract tests pkg/objectcache/containerprofilecache/test32_projection_test.go	Validates user overlay execs reach projected values; asserts idempotent overlay-identity stamping; tests multi-stage SyncChecksum reflection across overlay add/update/remove scenarios; includes baseline preservation check.
Mock implementation updates for new projection logic pkg/objectcache/v1/mock.go	Updates mock projection to classify exec paths (dynamic vs literal) and populate ExecsByPath; refactors network projection to split wildcard/pattern vs exact-value entries; introduces helpers for lazy Values allocation and wildcard classification.

Rule Binding Cache: Non-Blocking Notification Dispatch

Layer / File(s)	Summary
Non-blocking notifier dispatch and context propagation pkg/rulebindingmanager/cache/cache.go	Refactors handlers to compute notifications under lock, snapshot notifiers, unlock, then dispatch non-blockingly; updates RefreshRuleBindingsRules for single coalesced refresh; changes Kubernetes List calls to use provided context instead of Background; adds snapshotNotifiersLocked, dispatchNonBlocking, and indexOfNotifier helpers.
Non-blocking dispatch and context contract tests pkg/rulebindingmanager/cache/cache_test.go	Validates dispatchNonBlocking drops notifications on full channel; asserts RefreshRuleBindingsRules remains non-blocking when subscriber saturated; enforces via reflection that helper methods accept context.Context as first parameter; adjusts existing tests to pass explicit context.

Safety Fixes

Layer / File(s)	Summary
Function cache ObjectCache nil check pkg/rulemanager/cel/libraries/cache/function_cache.go	Adds explicit oc == nil guard in HashForContainerProfile early-return condition to prevent use of nil ObjectCache.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• kubescape/node-agent#799: Overlapping projection refactoring work on container profile model with dynamic/pattern handling introduced in that PR.
• kubescape/node-agent#788: Both PRs extend pkg/objectcache/containerprofilecache CP-cache codepath; main PR builds on the CP-cache replacement foundation.

Suggested labels

release

Suggested reviewers

• matthyx
• slashben

Poem

🐰 A rabbit hops through overlay code,
Stamping checksums down the road,
Tampering checked, projections clean,
Patterns sorted, cache pristine—
Non-blocking notes now pass and flow! 🚀

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 78.95% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Title check	❓ Inconclusive	The title is truncated/incomplete ('...') and too vague to clearly convey the main change; it mentions multiple unrelated concepts (CollapseConfig, projection overlay, user-ma) without clarity.	Complete the title and clarify the primary change; consider 'Add tamper detection for user-defined overlay profiles' or similar once the full intent is clear.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/objectcache/containerprofilecache/containerprofilecache.go`:
- Around line 412-414: The verification calls to
c.verifyUserApplicationProfile(userAP, sharedData.Wlid) currently ignore its
boolean result; update both call sites (the one using userAP at lines ~412 and
the similar one around ~428-430) to check the returned bool and, when it is
false and the cache is running in strict verification mode (e.g., the instance
flag controlling strict verification such as c.strictVerify or equivalent),
avoid projecting/merging the overlay (skip the merge/projectOverlay path), log
the verification failure with context (Wlid and which overlay), and return or
surface an error instead of continuing; if not in strict mode, continue but log
a warning. Ensure you reference and use c.verifyUserApplicationProfile(...) and
the strict-mode flag when implementing the conditional.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: acff329b-9e89-4538-a272-7877e0ad1e70

📥 Commits

Reviewing files that changed from the base of the PR and between cc59fa0 and 16a52f4.

📒 Files selected for processing (12)

• pkg/objectcache/containerprofilecache/containerprofilecache.go
• pkg/objectcache/containerprofilecache/projection.go
• pkg/objectcache/containerprofilecache/projection_apply.go
• pkg/objectcache/containerprofilecache/tamper_alert.go
• pkg/objectcache/containerprofilecache/tamper_alert_test.go
• pkg/objectcache/containerprofilecache/test32_projection_test.go
• pkg/objectcache/projection_types.go
• pkg/objectcache/shared_container_data.go
• pkg/objectcache/v1/mock.go
• pkg/rulebindingmanager/cache/cache.go
• pkg/rulebindingmanager/cache/cache_test.go
• pkg/rulemanager/cel/libraries/cache/function_cache.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Honor verification result before merging user overlays.

Line 413 and Line 429 call verification but ignore the boolean outcome. In strict mode, failed verification should prevent projecting that overlay; otherwise tampered/failed overlays are still merged.

Suggested fix

 		if userAP != nil {
-			c.verifyUserApplicationProfile(userAP, sharedData.Wlid)
+			if !c.verifyUserApplicationProfile(userAP, sharedData.Wlid) {
+				userAP = nil
+			}
 		}
@@
 		if userNN != nil {
-			c.verifyUserNetworkNeighborhood(userNN, sharedData.Wlid)
+			if !c.verifyUserNetworkNeighborhood(userNN, sharedData.Wlid) {
+				userNN = nil
+			}
 		}

Also applies to: 428-430

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/objectcache/containerprofilecache/containerprofilecache.go` around lines
412 - 414, The verification calls to c.verifyUserApplicationProfile(userAP,
sharedData.Wlid) currently ignore its boolean result; update both call sites
(the one using userAP at lines ~412 and the similar one around ~428-430) to
check the returned bool and, when it is false and the cache is running in strict
verification mode (e.g., the instance flag controlling strict verification such
as c.strictVerify or equivalent), avoid projecting/merging the overlay (skip the
merge/projectOverlay path), log the verification failure with context (Wlid and
which overlay), and return or surface an error instead of continuing; if not in
strict mode, continue but log a warning. Ensure you reference and use
c.verifyUserApplicationProfile(...) and the strict-mode flag when implementing
the conditional.