Support ztunnel security policy detect (#147)

apache · Sep 27, 2024 · f800504 · f800504
1 parent 782bcd5
commit f800504
Show file tree

Hide file tree

Showing 6 changed files with 38 additions and 14 deletions.
diff --git a/bpf/accesslog/ambient/ztunnel.c b/bpf/accesslog/ambient/ztunnel.c
@@ -43,7 +43,7 @@ int connection_manager_track_outbound(struct pt_regs* ctx) {
     bool success = true;
     success = get_socket_addr_ip_in_ztunnel(success, (void *)PT_REGS_PARM3(ctx), &event->orginal_src_ip, &event->src_port);
     success = get_socket_addr_ip_in_ztunnel(success, (void *)PT_REGS_PARM4(ctx), &event->original_dst_ip, &event->dst_port);
-    success = get_socket_addr_ip_in_ztunnel(success, (void *)PT_REGS_PARM5(ctx), &event->lb_dst_ip, NULL);
+    success = get_socket_addr_ip_in_ztunnel(success, (void *)PT_REGS_PARM5(ctx), &event->lb_dst_ip, &event->lb_dst_port);
     if (!success) {
         return 0;
     }

diff --git a/bpf/accesslog/ambient/ztunnel.h b/bpf/accesslog/ambient/ztunnel.h
@@ -21,6 +21,9 @@ struct ztunnel_socket_mapping_t {
     __u16 src_port;             // origin local port
     __u16 dst_port;             // origin remote port
     __u32 lb_dst_ip;            // load balanced remote ip(should be real pod ip)
+    __u16 lb_dst_port;          // load balanced remote port
+    __u16 pad0;
+    __u32 pad1;
 };
 
 struct {

diff --git a/go.mod b/go.mod
@@ -26,7 +26,7 @@ require (
 	k8s.io/apimachinery v0.23.5
 	k8s.io/client-go v0.23.5
 	k8s.io/utils v0.0.0-20211116205334-6203023598ed
-	skywalking.apache.org/repo/goapi v0.0.0-20240914024804-703f701836e6
+	skywalking.apache.org/repo/goapi v0.0.0-20240920052516-d4a23d9da0e0
 )
 
 require (

diff --git a/go.sum b/go.sum
@@ -1065,5 +1065,5 @@ sigs.k8s.io/structured-merge-diff/v4 v4.2.1 h1:bKCqE9GvQ5tiVHn5rfn1r+yao3aLQEaLz
 sigs.k8s.io/structured-merge-diff/v4 v4.2.1/go.mod h1:j/nl6xW8vLS49O8YvXW1ocPhZawJtm+Yrr7PPRQ0Vg4=
 sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q=
 sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=
-skywalking.apache.org/repo/goapi v0.0.0-20240914024804-703f701836e6 h1:ZGcxRsuAF+Q/IHzNzunHTeYPSCbXcLIjonEFkDlAfPc=
-skywalking.apache.org/repo/goapi v0.0.0-20240914024804-703f701836e6/go.mod h1:+n8BMuS8eRdzdnGh15ElRGBXPi0eYZSs2TKySBDmRTE=
+skywalking.apache.org/repo/goapi v0.0.0-20240920052516-d4a23d9da0e0 h1:7IW+T+mciD/GJXvgglZho414N30KSWgUTzBmEP867eI=
+skywalking.apache.org/repo/goapi v0.0.0-20240920052516-d4a23d9da0e0/go.mod h1:+n8BMuS8eRdzdnGh15ElRGBXPi0eYZSs2TKySBDmRTE=
diff --git a/pkg/accesslog/collector/ztunnel.go b/pkg/accesslog/collector/ztunnel.go
@@ -84,7 +84,10 @@ func (z *ZTunnelCollector) Start(mgr *module.Manager, ctx *common.AccessLogConte
 		log.Debugf("received ztunnel lb socket mapping event: %s:%d -> %s:%d, lb: %s", localIP, localPort, remoteIP, remotePort, lbIP)
 
 		key := z.buildIPMappingCacheKey(localIP, int(localPort), remoteIP, int(remotePort))
-		z.ipMappingCache.Set(key, lbIP, z.ipMappingExpireDuration)
+		z.ipMappingCache.Set(key, &ZTunnelLoadBalanceAddress{
+			IP:   lbIP,
+			Port: event.LoadBalancedDestPort,
+		}, z.ipMappingExpireDuration)
 	}, func() interface{} {
 		return &events.ZTunnelSocketMappingEvent{}
 	})
@@ -118,14 +121,20 @@ func (z *ZTunnelCollector) ReadyToFlushConnection(connection *common.ConnectionI
 			connection.ConnectionID, connection.RandomID)
 		return
 	}
-	lbIP := lbIPObj.(string)
-	log.Debugf("found the ztunnel load balanced IP for the connection: %s, connectionID: %d, randomID: %d", lbIP,
-		connection.ConnectionID, connection.RandomID)
+	address := lbIPObj.(*ZTunnelLoadBalanceAddress)
+	log.Debugf("found the ztunnel load balanced IP for the connection: %s, connectionID: %d, randomID: %d",
+		address.String(), connection.ConnectionID, connection.RandomID)
+	securityPolicy := v3.ZTunnelAttachmentSecurityPolicy_NONE
+	// if the target port is 15008, this mean ztunnel have use mTLS
+	if address.Port == 15008 {
+		securityPolicy = v3.ZTunnelAttachmentSecurityPolicy_MTLS
+	}
 	connection.RPCConnection.Attachment = &v3.ConnectionAttachment{
 		Environment: &v3.ConnectionAttachment_ZTunnel{
 			ZTunnel: &v3.ZTunnelAttachmentEnvironment{
-				RealDestinationIp: lbIP,
+				RealDestinationIp: address.IP,
 				By:                v3.ZTunnelAttachmentEnvironmentDetectBy_ZTUNNEL_OUTBOUND_FUNC,
+				SecurityPolicy:    securityPolicy,
 			},
 		},
 	}
@@ -198,3 +207,12 @@ func (z *ZTunnelCollector) collectZTunnelProcess(p *process.Process) error {
 	uprobeFile.AddLink(trackBoundSymbol[0].Name, z.alc.BPF.ConnectionManagerTrackOutbound, nil)
 	return nil
 }
+
+type ZTunnelLoadBalanceAddress struct {
+	IP   string
+	Port uint16
+}
+
+func (z *ZTunnelLoadBalanceAddress) String() string {
+	return fmt.Sprintf("%s:%d", z.IP, z.Port)
+}
diff --git a/pkg/accesslog/events/ztunnel.go b/pkg/accesslog/events/ztunnel.go
@@ -18,9 +18,12 @@
 package events
 
 type ZTunnelSocketMappingEvent struct {
-	OriginalSrcIP      uint32
-	OriginalDestIP     uint32
-	OriginalSrcPort    uint16
-	OriginalDestPort   uint16
-	LoadBalancedDestIP uint32
+	OriginalSrcIP        uint32
+	OriginalDestIP       uint32
+	OriginalSrcPort      uint16
+	OriginalDestPort     uint16
+	LoadBalancedDestIP   uint32
+	LoadBalancedDestPort uint16
+	Pad0                 uint16
+	Pad1                 uint32
 }