Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for namespace suffixes #2291

Merged
merged 4 commits into from
Jul 1, 2024
Merged

Add support for namespace suffixes #2291

merged 4 commits into from
Jul 1, 2024

Conversation

kubasobon
Copy link
Member

@kubasobon kubasobon commented Jun 25, 2024
edited
Loading

Summary of your changes

This pull request allows Cloudbeat to publish events to non-default namespaces. For example, findings are sent to the logs-cloud_security_posture.findings-{namespace} Data Stream. Until now, the {namespace} always defaulted to default, regardless of Agent Policy. After merging this change, Cloudbeat will respect the Agent Policy and set publish events to the appropriate stream.

Screenshot/Data

CSPM using non-default namespace Screenshot 2024-06-25 at 13 26 35 Screenshot 2024-06-25 at 13 25 40
Non-default Data Streams present when running modified cloudbeat Screenshot 2024-06-25 at 13 07 23
Findings published to the new Data Stream successfully Screenshot 2024-06-25 at 13 08 39

EDIT:

Vulnerabilities published to the new Data Stream successfully Screenshot 2024-06-25 at 16 57 24

Related Issues

Closes #2289

Checklist

  • I have added tests that prove my fix is effective or that my feature works
  • I have added the necessary README/documentation (if appropriate)

@mergify Mergify
Copy link

mergify bot commented Jun 25, 2024

This pull request does not have a backport label. Could you fix it @kubasobon? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-v./d./d./d is the label to automatically backport to the 8./d branch. /d is the digit
    NOTE: backport-skip has been added to this pull request.

@github-actions GitHub Actions
Copy link

github-actions bot commented Jun 25, 2024
edited
Loading

📊 Allure Report - 💚 No failures were reported.

Result Count
🟥 Failed 0
🟩 Passed 359
⬜ Skipped 33

@kubasobon kubasobon marked this pull request as ready for review June 27, 2024 08:00
@kubasobon kubasobon requested a review from a team as a code owner June 27, 2024 08:00
@kubasobon kubasobon requested a review from kfirpeled June 27, 2024 08:00
kubasobon
kubasobon commented Jun 27, 2024
View reviewed changes
internal/config/config.go
@@ -55,6 +56,7 @@ type Config struct {
BundlePath string `config:"bundle_path"`
PackagePolicyId string `config:"package_policy_id"`
PackagePolicyRevision int `config:"revision"`
Index string `config:"index"`
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Our integration has the correct ECS data_stream fields defined, and we could use those to build the index, like so {data_stream.type}-{data_stream.dataset}-{data_stream.namespace}.
However, the namespace field is empty for current release of the integration. The Policy/Config also comes with the index field, which contains a ready-to-use index name in the correct format.

@kfirpeled Do you know where does index field come from and is it reliable enough for us to use?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How I understand is that a integration has the permissions to to publish to a specific index. See the policy template once you install it. So essentially the integration already knows where you can publish to. The index template is decided by the integration

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, that I know :) I wanted to know if there is anything preventing us from relying on the index field.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not familiar with index in the agent config. I'm only familiar with agent's policy.

Here's a snippet:

inputs:
  - id: logfile-system-1c2284c7-c5ae-481d-a7bc-d9e3ce61545a
    name: system-3
    revision: 1
    type: logfile
    use_output: default
    meta:
      package:
        name: system
        version: 1.58.1
    data_stream:
      namespace: default
    package_policy_id: 1c2284c7-c5ae-481d-a7bc-d9e3ce61545a
    streams:
      - id: logfile-system.auth-1c2284c7-c5ae-481d-a7bc-d9e3ce61545a
        data_stream:
          dataset: system.auth
          type: logs

So I can only guess from here how it is being done on the beats side

romulets
romulets approved these changes Jun 27, 2024
View reviewed changes
internal/config/config.go
DefaultNamespace = "default"
VulnerabilityType = "vuln_mgmt"
AssetInventoryType = "asset_inventory"
defaultFindingsIndexPrefix = "logs-cloud_security_posture.findings"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is this called default it doesn't mention any namespace?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is why it's a prefix. The whole index is constructed as {prefix}-{namespace}. The prefix can vary - see the prefix for Vulnerability events.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here's an example what is being sent for CNVM

  - id: cloudbeat/vuln_mgmt_aws-vuln_mgmt-6921c0f7-ae37-4a1b-910b-f158a7c1af64
    name: cnvm
    revision: 1
    type: cloudbeat/vuln_mgmt_aws
    use_output: default
    meta:
      package:
        name: cloud_security_posture
        version: 1.9.0
    data_stream:
      namespace: default
    package_policy_id: 6921c0f7-ae37-4a1b-910b-f158a7c1af64
    streams:
      - id: >-
          cloudbeat/vuln_mgmt_aws-cloud_security_posture.vulnerabilities-6921c0f7-ae37-4a1b-910b-f158a7c1af64
        data_stream:
          dataset: cloud_security_posture.vulnerabilities
          type: logs
        period: 24h

So the datastream is built by <type>-<dataset>-<namespace>

internal/config/config.go
@@ -55,6 +56,7 @@ type Config struct {
BundlePath string `config:"bundle_path"`
PackagePolicyId string `config:"package_policy_id"`
PackagePolicyRevision int `config:"revision"`
Index string `config:"index"`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How I understand is that a integration has the permissions to to publish to a specific index. See the policy template once you install it. So essentially the integration already knows where you can publish to. The index template is decided by the integration

@kfirpeled
Copy link
Contributor

It would be best to approach #fleet or find some documentation regardless beats and how send events to datastreams and reading the agent policy. I'm not familiar with the best practices

@kubasobon kubasobon enabled auto-merge (squash) July 1, 2024 15:42
@kubasobon kubasobon merged commit 20eb7f2 into elastic:main Jul 1, 2024
23 checks passed
@kubasobon kubasobon deleted the namespaces branch July 1, 2024 16:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@romulets romulets romulets approved these changes

@kfirpeled kfirpeled Awaiting requested review from kfirpeled

Assignees

@kubasobon kubasobon

Labels
backport-skip
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Supporting integration namespaces suffix
3 participants
@kubasobon @kfirpeled @romulets