Add orchestrator (resource.parent.type and resource.ip) and container (image.hash.all) fields #1889
Conversation
There was a problem hiding this comment.
Changes look good, @daniel-almeida. I just had a few thoughts about the naming.
Thanks for adding the changelog.next entry!
| Note: this field should contain an array of values. | ||
|
|
There was a problem hiding this comment.
should be put a caveat comment for Pods. E.g. "In the case of Kubernetes Pods, there will be one IP address in this array"
There was a problem hiding this comment.
This note was auto-generated. I updated the long description to cover that as well.
|
|
||
|
|
||
| example: `DaemonSet` | ||
|
|
There was a problem hiding this comment.
ideally we would enumerate the values we currently expect along with whether they are case-sensitive etc. This will help sensor writers. Perhaps we could reference a Kube docs page for the list of 'nouns' and standard spelling & capitalization.
| - name: image.hash.sha256 | ||
| level: extended |
There was a problem hiding this comment.
by having a separate field for each hash type (sha256, ....) we will need to update ECS for every new hash alg in use (e.g. "blake3" becomes popular next year). There may be an expectation that all of them are populated (ie we compute them vs just scooping the one from the Kube API).
Pardon the last minute observation on this but this approach seems very maintenance heavy (us) vs just having "<hashalg>:<b64 of hash>" as the value's structure for image.hash field. This approach keeps it to one field to look in and automatically supports new hash algs, and parsing isn't that hard - most folks will be looking for an equality match, I suspect so they could type "sha256:ab1234ace..." for their search.
There was a problem hiding this comment.
I understand that perspective, and I'm fine if we decide on image.hash.
My thinking around container.image.hash.sha256:
- Follow the naming convention used by the
hash.*field set and its reuses, likefile.hash.sha256. - If the
related.*fields are being populated,related.hashhelps simplify searching across the different hash fields. - Avoid establishing
image.hashas a leaf field
There was a problem hiding this comment.
interesting. related.hash as an array of all the hash values doesn't seem to help as there would only be 1 entry in the array and it wouldn't be self-describing (could be sha256, sha512, ?).
I agree we should not overload "hash" to be a the existing field set or this new primitive valued one :head-explode:.
How does this sound: Add a field to the "hash" field set, something like hash.all that holds an array of self-describing hash values like <hash-alg>:<b64-hash-bytes>. Sort of related.hash but co-located with hash field set and self-describing. This would accommodate the current case of 1 hash value read from the kube API, as well as possible future use cases where we populate the different hash algs values too. Allowed values for the hash-alg part would be the existing field names in the hash fieldset? Thankfully they seem to align with Kubernetes use of "sha256" (same as ECS field name).
There was a problem hiding this comment.
Mike, just to clarify: you're suggesting both fields (hash.sha256 and hash.all) should be set by producers, right?
There was a problem hiding this comment.
Just hash.all to start. Rationale: keep our events DRY (no duplicated information in an event) to save on bandwidth and storage.
There was a problem hiding this comment.
I think we meant to say container.image... instead of orchestrator.image.... Just pushed that change; let me know if it's good to go.
There was a problem hiding this comment.
@ebeahan , I noticed that hash values in the TLS field set you referenced are capitalized for consistency. Should we do the same here?
There was a problem hiding this comment.
@daniel-almeida, ECS field names are always lowercase. Is that what you mean?
There was a problem hiding this comment.
No, I meant the [hash] values. If you look at https://www.elastic.co/guide/en/ecs/current/ecs-tls.html#field-tls-client-hash-sha256, you will notice that the example value is capitalized and that there's a note about it.
generated/beats/fields.ecs.yml
Outdated
| type: keyword | ||
| ignore_above: 1024 | ||
| description: 'An array of digests of the image the container was built on. Each | ||
| digest consists of the hash algorithm and value in this format: `algorithm:value`.' |
There was a problem hiding this comment.
I would just add "Algorithm names in this value should align with the field names in the ECS hash field set" if that makes sense.
daniel-almeida
changed the title
daniel-almeida
changed the title
… (image.hash.all) fields (elastic#1889) * Add orchestrator.resource parent_type and ip fields and container.image.hash field. * Add generated artifacts. * Update CHANGELOG. * Update definition of container.image.hash * Address PR comments. * Address PR comments. * Add container.image.hash.all * address PR comment * Update CHANGELOG.next (cherry picked from commit 3846878) # Conflicts: # experimental/generated/csv/fields.csv # generated/csv/fields.csv
💚 All backports created successfully
Questions ?Please refer to the Backport tool documentation |
… (image.hash.all) fields (#1889) (#1896) * Add orchestrator.resource parent_type and ip fields and container.image.hash field. * Add generated artifacts. * Update CHANGELOG. * Update definition of container.image.hash * Address PR comments. * Address PR comments. * Add container.image.hash.all * address PR comment * Update CHANGELOG.next (cherry picked from commit 3846878) Co-authored-by: Daniel Araujo Almeida <[email protected]>
make test? N/Amakeand committed those changes?yes