The setup script now accepts an optional image tag as the first argument.
If provided, it will use that image instead of building a new one.
This allows CI to build the image once and reuse it in setup.sh.
- Create GitHub Actions workflow for KinD integration tests
- Fix path normalization for relative paths with .. components
- Fix cgroup selection to skip snoop container itself
- Add unique namespaces per test with async cleanup
- Allow IMAGE_TAG environment variable override in test script
Both alpine-basic and busybox-controlled tests now pass with proper
file capture and path normalization.
Signed-off-by: Jason Hall <jason@chainguard.dev>
Create comprehensive Kubernetes deployment resources:
- deployment.yaml: Example deployment with snoop sidecar
- rbac.yaml: ServiceAccount and ClusterRole for required permissions
- example-app.yaml: Complete nginx example showing sidecar integration
- README.md: Extensive documentation with quick start, configuration,
troubleshooting, and best practices
Manifests include:
- Security context with minimal required capabilities
- Init container for cgroup discovery
- Health probes and metrics endpoints
- Resource limits and requests
- Prometheus annotations for scraping
Completes first deliverable of Milestone 4 (Kubernetes Integration).
Signed-off-by: Jason Hall <jason@chainguard.dev>
- Create comprehensive RESOURCE_LIMITS.md with memory, CPU, and disk guidance
- Provide three configuration profiles (conservative, moderate, unbounded)
- Include complete Kubernetes deployment examples with resource limits
- Add Prometheus monitoring queries and recommended alerts
- Document tuning guidelines and troubleshooting procedures
- Update README.md to reference new documentation
- Mark Milestone 3 as complete in plan.md
Milestone 3 (Production Hardening) is now complete. Next: Milestone 4 (Kubernetes Integration)
Signed-off-by: Jason Hall <jason@chainguard.dev>
Implements /healthz endpoint on port 9090 alongside /metrics.
The health checker monitors:
- eBPF program load status
- Event reception (with 5min grace period)
- Report writes (with 2min grace period)
Returns 200 OK when healthy, 503 when unhealthy, with JSON
response containing detailed status including uptime, timestamps,
and diagnostic messages.
Part of Milestone 3: Production Hardening.
Signed-off-by: Jason Hall <jason@chainguard.dev>
Implements configurable memory limits for the file deduplication cache
to prevent unbounded memory growth in long-running production deployments.
- Add LRU cache implementation with configurable max size
- Add -max-unique-files flag (default: 0 = unbounded)
- Add snoop_events_evicted_total metric for monitoring
- Track and log cache evictions with delta warnings
- Add comprehensive tests for bounded and unbounded behavior
When max-unique-files is set, the cache evicts least-recently-used
entries to stay within the limit. Evicted files may be re-recorded
if accessed again, making this suitable for workloads with temporal
locality in file access patterns.
Closes milestone 3 task: Memory-bounded deduplication
Signed-off-by: Jason Hall <jason@chainguard.dev>
Implement comprehensive ring buffer overflow handling:
- Add dropped_events BPF map to track overflow in kernel space
- Create submit_event() helper that checks bpf_ringbuf_output() return
value and atomically increments drop counter on failure
- Add Drops() method to read drop counter from eBPF map
- Add snoop_events_dropped_total Prometheus metric
- Track drop deltas and log warnings when overflow occurs
- Include drop count in JSON reports
Ring buffer overflows can occur under high load when events are
generated faster than userspace can consume them. This implementation
provides full observability into overflow events without data loss
of the drop count itself.
Signed-off-by: Jason Hall <jason@chainguard.dev>
Implement context-aware structured logging throughout the codebase using
chainguard-dev/clog. This provides better observability with configurable
log levels and structured output.
- Add -log-level flag to control verbosity (debug, info, warn, error)
- Replace all log.Println/Printf calls with structured clog logging
- Thread context through NewProbe, NewProcessor, and NewFileReporter
- Add detailed debug logging for eBPF tracepoint attachment
- Add debug logging for file operations in reporter
- Change "new file" messages to debug level to reduce noise
- Update all tests to pass context.Background()
Default log level is "info" which provides operational visibility without
excessive verbosity. Debug level shows detailed event processing.
Signed-off-by: Jason Hall <jason@chainguard.dev>
- Add pkg/metrics package with snoop-specific metrics:
- Event counters (received, processed, excluded, duplicate)
- Unique files gauge
- Report write counters
- Expose /metrics endpoint on port 9090 (configurable via -metrics-addr flag)
- Include process and Go runtime metrics via default collectors
- Add unit tests for metrics package
Signed-off-by: Jason Hall <jason@chainguard.dev>