@Ishaanj18
Contributor

@Ishaanj18 Ishaanj18 commented Oct 22, 2025

  • Add EventData map<string,string> field to Alert and Log protobuf messages
  • Implement parseDataString() utility for converting Data string to structured format
  • Update feeder logic to populate EventData for both gRPC and JSON outputs
  • Maintain backward compatibility with existing Data field

This provides clients with structured key-value access while preserving the original string format for backward compatibility.

Purpose of PR?:

Fixes #2173

Does this PR introduce a breaking change?

If the changes in this PR are manually verified, list down the scenarios covered::

Additional information for reviewer? :
Mention if this PR is part of any design or a continuation of previous PRs

Checklist:

  • Bug fix. Fixes #
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update
  • PR Title follows the convention of <type>(<scope>): <subject>
  • Commit has unit tests
  • Commit has integration tests

@Ishaanj18
Contributor Author

@rksharma95

  1. The JSON logging functionality is working correctly! After rebuilding KubeArmor with our changes, the /tmp/kubearmor.log file now shows both fields:
ishaanj18@ishaanj18:~/kube-armor/KubeArmor/KubeArmor$ cat /tmp/kubearmor.log | head -n 20 | jq .
{
  "timestamp": 1761163957,
  "updatedTime": "2025-10-22T20:12:37.032012Z",
  "hostName": "ishaanj18",
  "hostPPid": 1441,
  "hostPid": 1702,
  "ppid": 0,
  "pid": 1702,
  "uid": 1000,
  "execEvent": {
    "ExecID": "0",
    "ExecutableName": "node"
  },
  "parentProcessName": "/home/ishaanj18/.cursor-server/bin/b9e5948c1ad20443a5cecba6b84a3c9b99d62580/node",
  "processName": "/home/ishaanj18/.cursor-server/bin/b9e5948c1ad20443a5cecba6b84a3c9b99d62580/node",
  "atags": null,
  "type": "HostLog",
  "source": "/home/ishaanj18/.cursor-server/bin/b9e5948c1ad20443a5cecba6b84a3c9b99d62580/node",
  "operation": "File",
  "resource": "/home/ishaanj18/.cursor-server/data/User/workspaceStorage/c459f2c271a1a7304d7a5ab8b4981e16/vscode.lock",
  "cwd": "/home/ishaanj18/",
  "oid": 1000,
  "data": "syscall=SYS_OPENAT fd=-100 flags=O_RDONLY|O_CLOEXEC",
  "structuredData": {
    "fd": "-100",
    "flags": "O_RDONLY|O_CLOEXEC",
    "syscall": "SYS_OPENAT"
  },
  "result": "Passed"
}
{
  "timestamp": 1761163957,
  "updatedTime": "2025-10-22T20:12:37.339263Z",
  "hostName": "ishaanj18",
  "hostPPid": 1702,
  "hostPid": 53903,
  "ppid": 0,
  "pid": 53903,
  "uid": 1000,
  "execEvent": {
    "ExecID": "0",
    "ExecutableName": "node"
  },
  "parentProcessName": "/home/ishaanj18/.cursor-server/bin/b9e5948c1ad20443a5cecba6b84a3c9b99d62580/node",
  "processName": "/usr/bin/bash",
  "atags": null,
  "type": "HostLog",
  "source": "/usr/bin/bash",
  "operation": "File",
  "resource": "/dev/null",
  "cwd": "/home/ishaanj18/",
  "oid": 0,
  "data": "syscall=SYS_OPENAT fd=-100 flags=O_RDONLY",
  "structuredData": {
    "fd": "-100",
    "flags": "O_RDONLY",
    "syscall": "SYS_OPENAT"
  },
  "result": "Passed"
}
{
  "timestamp": 1761163957,
  "updatedTime": "2025-10-22T20:12:37.339819Z",
  "hostName": "ishaanj18",
  "hostPPid": 1702,
  "hostPid": 53903,
  "ppid": 0,
  "pi=ed"
}

  2. For the gRPC streaming output to display the new StructuredData field, I think the karmor client must be updated accordingly, as it currently isn’t aware of this newly added field. Will test it out and update accordingly.

@rksharma95
Collaborator

@Ishaanj18 thanks for the PR. Can you provide the JSON output for process and network events as well? Also, please sign off the commits before pushing. Thanks 🙌

@Ishaanj18
Contributor Author

ishaanj18@ishaanj18:/tmp$ cat kubearmor.log | jq -c '.' | grep '"operation":"Network"' | head -2 | jq '.'
{
  "timestamp": 1761382280,
  "updatedTime": "2025-10-25T08:51:20.968265Z",
  "hostName": "ishaanj18",
  "hostPPid": 1,
  "hostPid": 1315,
  "ppid": 0,
  "pid": 1315,
  "uid": 0,
  "execEvent": {
    "ExecID": "0",
    "ExecutableName": "k3s-server"
  },
  "parentProcessName": "/usr/lib/systemd/systemd",
  "processName": "/var/lib/rancher/k3s/data/2d4ca2a3c814dfba0168e2818dfbd81859974b1381420eccd4d9e7ed39c11be3/bin/k3s",
  "atags": null,
  "type": "HostLog",
  "source": "/var/lib/rancher/k3s/data/2d4ca2a3c814dfba0168e2818dfbd81859974b1381420eccd4d9e7ed39c11be3/bin/k3s",
  "operation": "Network",
  "resource": "domain=AF_INET type=SOCK_STREAM|SOCK_NONBLOCK|SOCK_CLOEXEC protocol=HOPOPT",
  "cwd": "/var/lib/rancher/k3s/server/",
  "oid": 0,
  "data": "syscall=SYS_SOCKET",
  "structuredData": {
    "syscall": "SYS_SOCKET"
  },
  "result": "Passed"
}
{
  "timestamp": 1761382280,
  "updatedTime": "2025-10-25T08:51:20.970156Z",
  "hostName": "ishaanj18",
  "hostPPid": 1,
  "hostPid": 1315,
  "ppid": 0,
  "pid": 1315,
  "uid": 0,
  "execEvent": {
    "ExecID": "0",
    "ExecutableName": "k3s-server"
  },
  "parentProcessName": "/usr/lib/systemd/systemd",
  "processName": "/var/lib/rancher/k3s/data/2d4ca2a3c814dfba0168e2818dfbd81859974b1381420eccd4d9e7ed39c11be3/bin/k3s",
  "atags": null,
  "type": "HostLog",
  "source": "/var/lib/rancher/k3s/data/2d4ca2a3c814dfba0168e2818dfbd81859974b1381420eccd4d9e7ed39c11be3/bin/k3s",
  "operation": "Network",
  "resource": "remoteip=10.42.0.6 port=10250 protocol=TCP",
  "cwd": "/var/lib/rancher/k3s/server/",
  "oid": 0,
  "data": "kprobe=tcp_connect domain=AF_INET",
  "structuredData": {
    "domain": "AF_INET",
    "kprobe": "tcp_connect"
  },
  "result": "Passed"
}

@Ishaanj18
Contributor Author

ishaanj18@ishaanj18:/tmp$ cat kubearmor.log | jq -c '.' | grep '"operation":"Process"' | head -2 | jq '.'
{
  "timestamp": 1761382280,
  "updatedTime": "2025-10-25T08:51:20.971764Z",
  "hostName": "ishaanj18",
  "hostPPid": 1360,
  "hostPid": 4338,
  "ppid": 0,
  "pid": 4338,
  "uid": 0,
  "execEvent": {
    "ExecID": "0",
    "ExecutableName": "ip6tables"
  },
  "parentProcessName": "/var/lib/rancher/k3s/data/2d4ca2a3c814dfba0168e2818dfbd81859974b1381420eccd4d9e7ed39c11be3/bin/k3s",
  "processName": "/usr/sbin/xtables-nft-multi",
  "atags": null,
  "type": "HostLog",
  "source": "/var/lib/rancher/k3s/data/2d4ca2a3c814dfba0168e2818dfbd81859974b1381420eccd4d9e7ed39c11be3/bin/k3s",
  "operation": "Process",
  "resource": "/usr/sbin/ip6tables -w 5 -W 100000 -S KUBE-PROXY-CANARY -t mangle",
  "cwd": "/var/lib/rancher/k3s/server/",
  "oid": 0,
  "data": "syscall=SYS_EXECVE",
  "structuredData": {
    "syscall": "SYS_EXECVE"
  },
  "result": "Passed"
}
{
  "timestamp": 1761382280,
  "updatedTime": "2025-10-25T08:51:20.975531Z",
  "hostName": "ishaanj18",
  "hostPPid": 2208,
  "hostPid": 4339,
  "ppid": 0,
  "pid": 4339,
  "uid": 0,
  "execEvent": {
    "ExecID": "0",
    "ExecutableName": "iptables"
  },
  "parentProcessName": "/var/lib/rancher/k3s/data/2d4ca2a3c814dfba0168e2818dfbd81859974b1381420eccd4d9e7ed39c11be3/bin/k3s",
  "processName": "/usr/sbin/xtables-nft-multi",
  "atags": null,
  "type": "HostLog",
  "source": "/var/lib/rancher/k3s/data/2d4ca2a3c814dfba0168e2818dfbd81859974b1381420eccd4d9e7ed39c11be3/bin/k3s",
  "operation": "Process",
  "resource": "/usr/sbin/iptables -w 5 -W 100000 -S KUBE-PROXY-CANARY -t mangle",
  "cwd": "/var/lib/rancher/k3s/server/",
  "oid": 0,
  "data": "syscall=SYS_EXECVE",
  "structuredData": {
    "syscall": "SYS_EXECVE"
  },
  "result": "Passed"
}

@rksharma95
Collaborator

@Ishaanj18 for network events the resource field data would also need to be structured, so can we do that as well?

@soorya-knox soorya-knox moved this to In Progress in Release v1.6 Oct 31, 2025
@Ishaanj18
Contributor Author

ishaanj18@ishaanj18:/tmp$ cat kubearmor.log | jq -c '.' | grep '"operation":"Network"' | head -5 | jq '.'
{
  "timestamp": 1761892942,
  "updatedTime": "2025-10-31T06:42:22.638216Z",
  "hostName": "ishaanj18",
  "hostPPid": 1,
  "hostPid": 634,
  "ppid": 0,
  "pid": 634,
  "uid": 992,
  "execEvent": {
    "ExecID": "0",
    "ExecutableName": "systemd-resolve"
  },
  "parentProcessName": "/usr/lib/systemd/systemd",
  "processName": "/usr/lib/systemd/systemd-resolved",
  "atags": null,
  "type": "HostLog",
  "source": "/usr/lib/systemd/systemd-resolved",
  "operation": "Network",
  "resource": "domain=AF_UNIX type=SOCK_DGRAM|SOCK_CLOEXEC protocol=HOPOPT",
  "cwd": "/",
  "oid": 0,
  "data": "syscall=SYS_SOCKET",
  "structuredData": {
    "syscall": "SYS_SOCKET"
  },
  "structuredResource": {
    "domain": "AF_UNIX",
    "protocol": "HOPOPT",
    "type": "SOCK_DGRAM|SOCK_CLOEXEC"
  },
  "result": "Passed"
}
{
  "timestamp": 1761892943,
  "updatedTime": "2025-10-31T06:42:23.061965Z",
  "hostName": "ishaanj18",
  "hostPPid": 3796,
  "hostPid": 3797,
  "ppid": 0,
  "pid": 3797,
  "uid": 0,
  "execEvent": {
    "ExecID": "0",
    "ExecutableName": "kubearmor"
  },
  "parentProcessName": "/usr/bin/sudo",
  "processName": "/home/ishaanj18/kube-armor/KubeArmor/KubeArmor/kubearmor",
  "atags": null,
  "type": "HostLog",
  "source": "/home/ishaanj18/kube-armor/KubeArmor/KubeArmor/kubearmor",
  "operation": "Network",
  "resource": "domain=AF_INET type=SOCK_STREAM|SOCK_NONBLOCK|SOCK_CLOEXEC protocol=HOPOPT",
  "cwd": "/home/ishaanj18/kube-armor/KubeArmor/KubeArmor/",
  "tty": "pts3",
  "oid": 0,
  "data": "syscall=SYS_SOCKET",
  "structuredData": {
    "syscall": "SYS_SOCKET"
  },
  "structuredResource": {
    "domain": "AF_INET",
    "protocol": "HOPOPT",
    "type": "SOCK_STREAM|SOCK_NONBLOCK|SOCK_CLOEXEC"
  },
  "result": "Passed"
}
{
  "timestamp": 1761892943,
  "updatedTime": "2025-10-31T06:42:23.062234Z",
  "hostName": "ishaanj18",
  "hostPPid": 3796,
  "hostPid": 3797,
  "ppid": 0,
  "pid": 3797,
  "uid": 0,
  "execEvent": {
    "ExecID": "0",
    "ExecutableName": "kubearmor"
  },
  "parentProcessName": "/usr/bin/sudo",
  "processName": "/home/ishaanj18/kube-armor/KubeArmor/KubeArmor/kubearmor",
  "atags": null,
  "type": "HostLog",
  "source": "/home/ishaanj18/kube-armor/KubeArmor/KubeArmor/kubearmor",
  "operation": "Network",
  "resource": "remoteip=127.0.0.1 port=6443 protocol=TCP",
  "cwd": "/home/ishaanj18/kube-armor/KubeArmor/KubeArmor/",
  "tty": "pts3",
  "oid": 0,
  "data": "kprobe=tcp_connect domain=AF_INET",
  "structuredData": {
    "domain": "AF_INET",
    "kprobe": "tcp_connect"
  },
  "structuredResource": {
    "port": "6443",
    "protocol": "TCP",
    "remoteip": "127.0.0.1"
  },
  "result": "Passed"
}
{
  "timestamp": 1761892944,
  "updatedTime": "2025-10-31T06:42:24.504048Z",
  "hostName": "ishaanj18",
  "hostPPid": 3796,
  "hostPid": 3797,
  "ppid": 0,
  "pid": 3797,
  "uid": 0,
  "execEvent": {
    "ExecID": "0",
    "ExecutableName": "kubearmor"
  },
  "parentProcessName": "/usr/bin/sudo",
  "processName": "/home/ishaanj18/kube-armor/KubeArmor/KubeArmor/kubearmor",
  "atags": null,
  "type": "HostLog",
  "source": "/home/ishaanj18/kube-armor/KubeArmor/KubeArmor/kubearmor",
  "operation": "Network",
  "resource": "sa_family=AF_UNIX sun_path=/var/run/nri/nri.sock",
  "cwd": "/home/ishaanj18/kube-armor/KubeArmor/KubeArmor/",
  "tty": "pts3",
  "oid": 0,
  "data": "syscall=SYS_CONNECT fd=339",
  "structuredData": {
    "fd": "339",
    "syscall": "SYS_CONNECT"
  },
  "structuredResource": {
    "sa_family": "AF_UNIX",
    "sun_path": "/var/run/nri/nri.sock"
  },
  "result": "Connection refused"
}
{
  "timestamp": 1761892944,
  "updatedTime": "2025-10-31T06:42:24.504019Z",
  "hostName": "ishaanj18",
  "hostPPid": 3796,
  "hostPid": 3797,
  "ppid": 0,
  "pid": 3797,
  "uid": 0,
  "execEvent": {
    "ExecID": "0",
    "ExecutableName": "kubearmor"
  },
  "parentProcessName": "/usr/bin/sudo",
  "processName": "/home/ishaanj18/kube-armor/KubeArmor/KubeArmor/kubearmor",
  "atags": null,
  "type": "HostLog",
  "source": "/home/ishaanj18/kube-armor/KubeArmor/KubeArmor/kubearmor",
  "operation": "Network",
  "resource": "domain=AF_UNIX type=SOCK_STREAM|SOCK_NONBLOCK|SOCK_CLOEXEC protocol=HOPOPT",
  "cwd": "/home/ishaanj18/kube-armor/KubeArmor/KubeArmor/",
  "tty": "pts3",
  "oid": 0,
  "data": "syscall=SYS_SOCKET",
  "structuredData": {
    "syscall": "SYS_SOCKET"
  },
  "structuredResource": {
    "domain": "AF_UNIX",
    "protocol": "HOPOPT",
    "type": "SOCK_STREAM|SOCK_NONBLOCK|SOCK_CLOEXEC"
  },
  "result": "Passed"
}
ishaanj18@ishaanj18:/tmp$

@rksharma95
Collaborator

@Ishaanj18 wdyt if we just combine the structured data for both the data and resource fields in one field only, structuredData? Also, what if we rename it to something more meaningful, i.e. eventData or eventDetails?

@Ishaanj18 Ishaanj18 force-pushed the feat/structured-data-field branch from c57216d to 12783bf Compare October 31, 2025 08:10
@Ishaanj18 Ishaanj18 marked this pull request as ready for review October 31, 2025 08:11
@Ishaanj18
Contributor Author

Ishaanj18 commented Oct 31, 2025

I think naming it correctly can itself make the objective clearer, even if we keep 2 separate fields.

@Ishaanj18
Contributor Author

Using grpc:

ishaanj18@ishaanj18:~/kube-armor/kubearmor-client$ ./karmor logs --gRPC=:32767 --logFilter all --json | jq 'select(.Operation == "Network")' | jq .
Created a gRPC client (:32767)
Checked the liveness of the gRPC server
Started to watch alerts
Started to watch logs
{
  "Timestamp": 1761925257,
  "UpdatedTime": "2025-10-31T15:40:57.735738Z",
  "ClusterName": "default",
  "HostName": "ishaanj18",
  "ParentProcessName": "/usr/bin/dash",
  "ProcessName": "/usr/bin/ps",
  "HostPPID": 151270,
  "HostPID": 151271,
  "PPID": 0,
  "PID": 151271,
  "UID": 1000,
  "Type": "HostLog",
  "Source": "/usr/bin/ps -F -A -l",
  "Operation": "Network",
  "Resource": "domain=AF_UNIX type=SOCK_STREAM|SOCK_NONBLOCK|SOCK_CLOEXEC protocol=HOPOPT",
  "Data": "syscall=SYS_SOCKET",
  "EventData": {
    "domain": "AF_UNIX",
    "protocol": "HOPOPT",
    "syscall": "SYS_SOCKET",
    "type": "SOCK_STREAM|SOCK_NONBLOCK|SOCK_CLOEXEC"
  },
  "Result": "Passed",
  "Cwd": "/home/ishaanj18/",
  "ExecEvent": {
    "ExecID": "0",
    "ExecutableName": "ps"
  }
}
{
  "Timestamp": 1761925257,
  "UpdatedTime": "2025-10-31T15:40:57.735771Z",
  "ClusterName": "default",
  "HostName": "ishaanj18",
  "ParentProcessName": "/usr/bin/dash",
  "ProcessName": "/usr/bin/ps",
  "HostPPID": 151270,
  "HostPID": 151271,
  "PPID": 0,
  "PID": 151271,
  "UID": 1000,
  "Type": "HostLog",
  "Source": "/usr/bin/ps -F -A -l",
  "Operation": "Network",
  "Resource": "domain=AF_UNIX type=SOCK_STREAM|SOCK_NONBLOCK|SOCK_CLOEXEC protocol=HOPOPT",
  "Data": "syscall=SYS_SOCKET",
  "EventData": {
    "domain": "AF_UNIX",
    "protocol": "HOPOPT",
    "syscall": "SYS_SOCKET",
    "type": "SOCK_STREAM|SOCK_NONBLOCK|SOCK_CLOEXEC"
  },
  "Result": "Passed",
  "Cwd": "/home/ishaanj18/",
  "ExecEvent": {
    "ExecID": "0",
    "ExecutableName": "ps"
  }
}
{
  "Timestamp": 1761925257,
  "UpdatedTime": "2025-10-31T15:40:57.742066Z",
  "ClusterName": "default",
  "HostName": "ishaanj18",
  "ParentProcessName": "/usr/bin/dash",
  "ProcessName": "/usr/bin/ps",
  "HostPPID": 151270,
  "HostPID": 151271,
  "PPID": 0,
  "PID": 151271,
  "UID": 1000,
  "Type": "HostLog",
  "Source": "/usr/bin/ps -F -A -l",
  "Operation": "Network",
  "Resource": "domain=AF_UNIX type=SOCK_STREAM|SOCK_NONBLOCK|SOCK_CLOEXEC protocol=HOPOPT",
  "Data": "syscall=SYS_SOCKET",
  "EventData": {
    "domain": "AF_UNIX",
    "protocol": "HOPOPT",
    "syscall": "SYS_SOCKET",
    "type": "SOCK_STREAM|SOCK_NONBLOCK|SOCK_CLOEXEC"
  },
  "Result": "Passed",
  "Cwd": "/home/ishaanj18/",
  "ExecEvent": {
    "ExecID": "0",
    "ExecutableName": "ps"
  }
}

@Ishaanj18 Ishaanj18 changed the title feat: add StructuredData field to KubeArmor telemetry feat: add EventData field to KubeArmor telemetry Oct 31, 2025
AryanBakliwal
AryanBakliwal previously approved these changes Nov 3, 2025
Member

@AryanBakliwal AryanBakliwal left a comment

LGTM, please rebase and squash the commits @Ishaanj18

@Ishaanj18 Ishaanj18 force-pushed the feat/structured-data-field branch 2 times, most recently from 8cad69b to 276a999 Compare November 3, 2025 10:15
@AryanBakliwal AryanBakliwal force-pushed the feat/structured-data-field branch from 276a999 to 88ba27e Compare November 3, 2025 10:19
AryanBakliwal
AryanBakliwal previously approved these changes Nov 3, 2025
@rksharma95
Collaborator

"EventData": {
    "domain": "AF_UNIX",
    "protocol": "HOPOPT",
    "syscall": "SYS_SOCKET",
    "type": "SOCK_STREAM|SOCK_NONBLOCK|SOCK_CLOEXEC"
  },

@Ishaanj18 let's use consistent formatting:

"EventData": {
    "Domain": "AF_UNIX",
    "Protocol": "HOPOPT",
    "Syscall": "SYS_SOCKET",
    "Type": "SOCK_STREAM|SOCK_NONBLOCK|SOCK_CLOEXEC"
  },
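
An added illustration of the parsing discussed in this thread: the PR description's parseDataString() utility that turns the `key=value` Data string into a map, the later suggestion to fold Data and Resource into one EventData map, and the request above for capitalised keys. This is example Go code written for this page, not the PR's or KubeArmor's own implementation; `parseKeyValues`, `capitalizeKey`, `buildEventData` and the `telemetry` struct are hypothetical names, and the sample strings are constructed from the shapes of the records quoted in the thread.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"unicode"
)

// telemetry holds the three fields this example reads from a KubeArmor log
// record. Constructed for this illustration; the real message has many more.
type telemetry struct {
	Operation, Data, Resource string
}

// capitalizeKey uppercases the first rune ("remoteip" -> "Remoteip"), the key
// style requested in review. Hypothetical helper, not KubeArmor code.
func capitalizeKey(k string) string {
	r := []rune(k)
	r[0] = unicode.ToUpper(r[0])
	return string(r)
}

// parseKeyValues parses a whitespace-separated "k=v k2=v2" string into dst and
// returns dst. Only the first '=' of a token separates key from value, so values
// such as "O_RDONLY|O_CLOEXEC" or "/var/run/nri/nri.sock" are kept verbatim.
// Tokens without '=' or with an empty key are skipped; on a repeated key the
// later token wins.
func parseKeyValues(s string, dst map[string]string) map[string]string {
	for _, tok := range strings.Fields(s) {
		k, v, ok := strings.Cut(tok, "=")
		if !ok || k == "" {
			continue
		}
		dst[capitalizeKey(k)] = v
	}
	return dst
}

// buildEventData produces a single map from Data and, for Network events only,
// Resource, mirroring the merged EventData shown in this thread. Resource is
// key=value formatted only for Network events; for File and Process events it
// is a path or a command line, and splitting those on '=' would invent keys
// (a path like "/tmp/a=b" would become {"/tmp/a": "b"}).
func buildEventData(t telemetry) map[string]string {
	ev := parseKeyValues(t.Data, map[string]string{})
	if t.Operation == "Network" {
		parseKeyValues(t.Resource, ev)
	}
	return ev
}

func main() {
	// Constructed samples shaped like the records quoted in this thread.
	samples := []telemetry{
		{"File", "syscall=SYS_OPENAT fd=-100 flags=O_RDONLY|O_CLOEXEC", "/tmp/a=b"},
		{"Network", "kprobe=tcp_connect domain=AF_INET", "remoteip=10.42.0.22 port=8181 protocol=TCP"},
		{"Network", "syscall=SYS_CONNECT fd=339", "sa_family=AF_UNIX sun_path=/var/run/nri/nri.sock"},
		{"Process", "syscall=SYS_EXECVE", "/usr/sbin/iptables -w 5 -W 100000 -S KUBE-PROXY-CANARY -t mangle"},
	}
	for _, s := range samples {
		b, err := json.MarshalIndent(buildEventData(s), "", "  ")
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: %s\n", s.Operation, b)
	}
}
```

Run it with `go run`. The File sample is there to show why Resource is merged only for Network events: a path or command line that happens to contain `=` would otherwise surface as a bogus key in the structured output, and a consumer filtering on those keys would be fed attacker-influenced names. The merge also makes the collision rule explicit (a key present in both strings keeps the Resource value), which is worth documenting for anyone writing alerts on EventData.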

@Ishaanj18
Contributor Author

ishaanj18@ishaanj18:~/kube-armor/kubearmor-client$ ./karmor logs --gRPC=:32767 --logFilter all --json | jq 'select(.Operation == "Network")' | jq .
Created a gRPC client (:32767)
Checked the liveness of the gRPC server
Started to watch alerts
Started to watch logs
{
  "Timestamp": 1762315537,
  "UpdatedTime": "2025-11-05T04:05:37.676486Z",
  "ClusterName": "default",
  "HostName": "ishaanj18",
  "ParentProcessName": "/usr/lib/systemd/systemd",
  "ProcessName": "/var/lib/rancher/k3s/data/2d4ca2a3c814dfba0168e2818dfbd81859974b1381420eccd4d9e7ed39c11be3/bin/k3s",
  "HostPPID": 1,
  "HostPID": 1281,
  "PPID": 0,
  "PID": 1281,
  "UID": 0,
  "Type": "HostLog",
  "Source": "/var/lib/rancher/k3s/data/2d4ca2a3c814dfba0168e2818dfbd81859974b1381420eccd4d9e7ed39c11be3/bin/k3s",
  "Operation": "Network",
  "Resource": "domain=AF_INET type=SOCK_STREAM|SOCK_NONBLOCK|SOCK_CLOEXEC protocol=HOPOPT",
  "Data": "syscall=SYS_SOCKET",
  "EventData": {
    "Domain": "AF_INET",
    "Protocol": "HOPOPT",
    "Syscall": "SYS_SOCKET",
    "Type": "SOCK_STREAM|SOCK_NONBLOCK|SOCK_CLOEXEC"
  },
  "Result": "Passed",
  "Cwd": "/var/lib/rancher/k3s/server/",
  "ExecEvent": {
    "ExecID": "0",
    "ExecutableName": "k3s-server"
  },
  "NodeID": "a357c062dffe578e493c933575a58d021e95a4fcf832debf554d43d8b69ec7b1"
}
{
  "Timestamp": 1762315537,
  "UpdatedTime": "2025-11-05T04:05:37.676782Z",
  "ClusterName": "default",
  "HostName": "ishaanj18",
  "ParentProcessName": "/usr/lib/systemd/systemd",
  "ProcessName": "/var/lib/rancher/k3s/data/2d4ca2a3c814dfba0168e2818dfbd81859974b1381420eccd4d9e7ed39c11be3/bin/k3s",
  "HostPPID": 1,
  "HostPID": 1281,
  "PPID": 0,
  "PID": 1281,
  "UID": 0,
  "Type": "HostLog",
  "Source": "/var/lib/rancher/k3s/data/2d4ca2a3c814dfba0168e2818dfbd81859974b1381420eccd4d9e7ed39c11be3/bin/k3s",
  "Operation": "Network",
  "Resource": "remoteip=10.42.0.22 port=8181 protocol=TCP",
  "Data": "kprobe=tcp_connect domain=AF_INET",
  "EventData": {
    "Domain": "AF_INET",
    "Kprobe": "tcp_connect",
    "Port": "8181",
    "Protocol": "TCP",
    "Remoteip": "10.42.0.22"
  },
  "Result": "Passed",
  "Cwd": "/var/lib/rancher/k3s/server/",
  "ExecEvent": {
    "ExecID": "0",
    "ExecutableName": "k3s-server"
  },
  "NodeID": "a357c062dffe578e493c933575a58d021e95a4fcf832debf554d43d8b69ec7b1"
}
{
  "Timestamp": 1762315537,
  "UpdatedTime": "2025-11-05T04:05:37.691867Z",
  "ClusterName": "default",
  "HostName": "ishaanj18",
  "ParentProcessName": "/usr/lib/systemd/systemd",
  "ProcessName": "/var/lib/rancher/k3s/data/2d4ca2a3c814dfba0168e2818dfbd81859974b1381420eccd4d9e7ed39c11be3/bin/k3s",
  "HostPPID": 1,
  "HostPID": 1281,
  "PPID": 0,
  "PID": 1281,
  "UID": 0,
  "Type": "HostLog",
  "Source": "/var/lib/rancher/k3s/data/2d4ca2a3c814dfba0168e2818dfbd81859974b1381420eccd4d9e7ed39c11be3/bin/k3s",
  "Operation": "Network",
  "Resource": "domain=AF_INET type=SOCK_STREAM|SOCK_NONBLOCK|SOCK_CLOEXEC protocol=HOPOPT",
  "Data": "syscall=SYS_SOCKET",
  "EventData": {
    "Domain": "AF_INET",
    "Protocol": "HOPOPT",
    "Syscall": "SYS_SOCKET",
    "Type": "SOCK_STREAM|SOCK_NONBLOCK|SOCK_CLOEXEC"
  },
  "Result": "Passed",
  "Cwd": "/var/lib/rancher/k3s/server/",
  "ExecEvent": {
    "ExecID": "0",
    "ExecutableName": "k3s-server"
  },
  "NodeID": "a357c062dffe578e493c933575a58d021e95a4fcf832debf554d43d8b69ec7b1"
}
{
  "Timestamp": 1762315537,
  "UpdatedTime": "2025-11-05T04:05:37.691980Z",
  "ClusterName": "default",
  "HostName": "ishaanj18",
  "ParentProcessName": "/usr/lib/systemd/systemd",
  "ProcessName": "/var/lib/rancher/k3s/data/2d4ca2a3c814dfba0168e2818dfbd81859974b1381420eccd4d9e7ed39c11be3/bin/k3s",
  "HostPPID": 1,
  "HostPID": 1281,
  "PPID": 0,
  "PID": 1281,
  "UID": 0,
  "Type": "HostLog",
  "Source": "/var/lib/rancher/k3s/data/2d4ca2a3c814dfba0168e2818dfbd81859974b1381420eccd4d9e7ed39c11be3/bin/k3s",
  "Operation": "Network",
  "Resource": "remoteip=10.42.0.23 port=10250 protocol=TCP",
  "Data": "kprobe=tcp_connect domain=AF_INET",
  "EventData": {
    "Domain": "AF_INET",
    "Kprobe": "tcp_connect",
    "Port": "10250",
    "Protocol": "TCP",
    "Remoteip": "10.42.0.23"
  },
  "Result": "Passed",
  "Cwd": "/var/lib/rancher/k3s/server/",
  "ExecEvent": {
    "ExecID": "0",
    "ExecutableName": "k3s-server"
  },
  "NodeID": "a357c062dffe578e493c933575a58d021e95a4fcf832debf554d43d8b69ec7b1"
}

@Ishaanj18
Contributor Author

Updated formatting @rksharma95

@rksharma95 rksharma95 merged commit 40e616a into kubearmor:main Nov 5, 2025
21 of 23 checks passed
@github-project-automation github-project-automation bot moved this from In Progress to Done in Release v1.6 Nov 5, 2025