doctor enhancements, setup, enhancements, ui functionality and design consolidation and , test projects fixes , product advisory attestation/rekor and delta verfications enhancements

2026-01-19 09:02:59 +02:00
parent 8c4bf54aed
commit 17419ba7c4
809 changed files with 170738 additions and 12244 deletions
--- a/devops/manifests/tetragon/stella-ops-tracing-policy.yaml
+++ b/devops/manifests/tetragon/stella-ops-tracing-policy.yaml
@@ -0,0 +1,125 @@
+# Tetragon TracingPolicy for Stella Ops Runtime Instrumentation
+# Sprint: SPRINT_20260118_019_Infra_tetragon_integration
+# Task: TASK-019-001 - Define Tetragon TracingPolicy for stack capture
+#
+# This policy captures process execution, syscalls, and stack traces for
+# runtime reachability validation. Integrates with existing Signals infrastructure.
+
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+  name: stella-ops-runtime-capture
+  namespace: stella-ops
+  labels:
+    app.kubernetes.io/name: stella-ops
+    app.kubernetes.io/component: runtime-instrumentation
+spec:
+  # Process execution events
+  kprobes:
+    - call: "sys_execve"
+      syscall: true
+      return: false
+      args:
+        - index: 0
+          type: "string"  # filename
+        - index: 1
+          type: "string"  # argv[0]
+      selectors:
+        - matchNamespaces:
+            - namespace: stella-ops-workloads
+              operator: In
+          matchLabels:
+            - key: "stella-ops.io/instrumented"
+              operator: Exists
+      returnArgAction: Post
+
+    # Security-relevant syscalls for reachability validation
+    - call: "sys_openat"
+      syscall: true
+      args:
+        - index: 0
+          type: "int"     # dirfd
+        - index: 1
+          type: "string"  # pathname
+        - index: 2
+          type: "int"     # flags
+      selectors:
+        - matchNamespaces:
+            - namespace: stella-ops-workloads
+              operator: In
+        - matchArgs:
+            - index: 1
+              operator: "Prefix"
+              values:
+                - "/etc/"
+                - "/proc/"
+                - "/sys/"
+      returnArg:
+        index: 0
+        type: "int"
+
+    - call: "sys_connect"
+      syscall: true
+      args:
+        - index: 0
+          type: "int"     # sockfd
+        - index: 1
+          type: "sock"    # addr struct
+      selectors:
+        - matchNamespaces:
+            - namespace: stella-ops-workloads
+              operator: In
+      returnArg:
+        index: 0
+        type: "int"
+
+  # Tracepoints for additional coverage
+  tracepoints:
+    - subsystem: "sched"
+      event: "sched_process_exec"
+      args:
+        - index: 0
+          type: "string"  # filename
+      selectors:
+        - matchNamespaces:
+            - namespace: stella-ops-workloads
+              operator: In
+
+  # Stack trace configuration
+  options:
+    # Enable kernel + userspace stack traces
+    stackTraces: true
+    # Capture both kernel and user stacks
+    stackTraceSize: 16
+    # Symbol resolution for userspace
+    symbols: true
+
+---
+# Companion TracingPolicy for library loading
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+  name: stella-ops-library-capture
+  namespace: stella-ops
+spec:
+  # Capture dynamic library loading
+  uprobes:
+    - path: "/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2"
+      symbols:
+        - "_dl_map_object"
+      args:
+        - index: 0
+          type: "string"  # library name
+      selectors:
+        - matchNamespaces:
+            - namespace: stella-ops-workloads
+              operator: In
+
+  # Alternative for musl-based containers
+  - path: "/lib/ld-musl-x86_64.so.1"
+    symbols:
+      - "__dls3"
+    selectors:
+      - matchNamespaces:
+          - namespace: stella-ops-workloads
+            operator: In