profile-compaction: CollapseConfig CRD + projection overlay + user-maged lifecycle

artifacts/collapseconfiguration-default-sample.yaml

@@ -0,0 +1,29 @@
+# Sample CollapseConfiguration. Apply to a cluster running storage to
+# replace the compiled-in defaults at deflate time.
+#
+# The resource is cluster-scoped; the singleton "default" is the only
+# name the deflate path consults.
+#
+#   kubectl apply -f artifacts/collapseconfiguration-default-sample.yaml
+#
+apiVersion: spdx.softwarecomposition.kubescape.io/v1beta1
+kind: CollapseConfiguration
+metadata:
+  name: default
+spec:
+  # Fallback threshold for AnalyzeOpens when no per-prefix entry matches.
+  openDynamicThreshold: 50
+  # Fallback threshold for AnalyzeEndpoints.
+  endpointDynamicThreshold: 100
+  # Per-prefix overrides, evaluated longest-prefix-wins.
+  collapseConfigs:
+    - prefix: /etc
+      threshold: 100
+    - prefix: /etc/apache2
+      threshold: 50
+    - prefix: /opt
+      threshold: 50
+    - prefix: /var/run
+      threshold: 50
+    - prefix: /app
+      threshold: 50

pkg/apis/softwarecomposition/collapse_types.go

@@ -0,0 +1,73 @@
+/*
+Copyright 2024 The Kubescape Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package softwarecomposition
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// CollapseConfiguration is a cluster-scoped resource carrying per-prefix
+// thresholds for the dynamic-path-detector's open/endpoint collapse step.
+//
+// At runtime the storage server's deflate path reads the singleton
+// CollapseConfiguration (name "default") and feeds its entries into
+// NewPathAnalyzerWithConfigs(...). When the resource is absent the deflate
+// path falls back to the package-level defaultCollapseConfigs slice.
+//
+// Tooling (e.g. bobctl autotune) can write the singleton to push tuned
+// thresholds back into a running cluster without restarting the storage
+// server.
+type CollapseConfiguration struct {
+	metav1.TypeMeta
+	metav1.ObjectMeta
+
+	Spec CollapseConfigurationSpec
+}
+
+// CollapseConfigurationSpec carries the cluster-wide collapse thresholds.
+type CollapseConfigurationSpec struct {
+	// OpenDynamicThreshold is the fallback threshold for AnalyzeOpens when
+	// no per-prefix entry matches the walked path.
+	OpenDynamicThreshold int32
+	// EndpointDynamicThreshold is the counterpart for AnalyzeEndpoints.
+	EndpointDynamicThreshold int32
+	// CollapseConfigs is the per-prefix threshold override list, evaluated
+	// longest-prefix-wins.
+	CollapseConfigs []CollapseConfigEntry
+}
+
+// CollapseConfigEntry is one per-prefix threshold override.
+type CollapseConfigEntry struct {
+	// Prefix is the path prefix to match (e.g. "/etc", "/opt").
+	Prefix string
+	// Threshold is the maximum number of unique children allowed at any
+	// trie node under Prefix before that node collapses to a single
+	// dynamic identifier.
+	Threshold int32
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// CollapseConfigurationList is a list of CollapseConfiguration objects.
+type CollapseConfigurationList struct {
+	metav1.TypeMeta
+	metav1.ListMeta
+
+	Items []CollapseConfiguration
+}

pkg/apis/softwarecomposition/network_types.go

@@ -65,7 +65,11 @@ type NetworkNeighbor struct {
 	Ports             []NetworkPort
 	PodSelector       *metav1.LabelSelector
 	NamespaceSelector *metav1.LabelSelector
-	IPAddress         string
+	IPAddress         string // DEPRECATED - use IPAddresses instead.
+	// IPAddresses is the v0.0.2 list-form replacement for IPAddress.
+	// Each entry MAY be a literal IP, a CIDR (a.b.c.d/n), or the "*" sentinel.
+	// See pkg/registry/file/networkmatch for matcher semantics.
+	IPAddresses []string
 }
 
 type NetworkPort struct {

pkg/apis/softwarecomposition/register.go

@@ -83,6 +83,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 		&SBOMSyftFilteredList{},
 		&SeccompProfile{},
 		&SeccompProfileList{},
+		&CollapseConfiguration{},
+		&CollapseConfigurationList{},
 	)
 	return nil
 }

pkg/apis/softwarecomposition/v1beta1/collapse_types.go

@@ -0,0 +1,69 @@
+/*
+Copyright 2024 The Kubescape Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// CollapseConfiguration is a cluster-scoped resource carrying per-prefix
+// thresholds for the dynamic-path-detector's open/endpoint collapse step.
+// The storage server's deflate path reads the singleton (name "default")
+// and feeds its entries into NewPathAnalyzerWithConfigs at runtime.
+type CollapseConfiguration struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	Spec CollapseConfigurationSpec `json:"spec" protobuf:"bytes,2,req,name=spec"`
+}
+
+// CollapseConfigurationSpec carries the cluster-wide collapse thresholds.
+type CollapseConfigurationSpec struct {
+	// OpenDynamicThreshold is the fallback threshold for AnalyzeOpens when
+	// no per-prefix entry matches the walked path.
+	OpenDynamicThreshold int32 `json:"openDynamicThreshold" protobuf:"varint,1,req,name=openDynamicThreshold"`
+	// EndpointDynamicThreshold is the counterpart for AnalyzeEndpoints.
+	EndpointDynamicThreshold int32 `json:"endpointDynamicThreshold" protobuf:"varint,2,req,name=endpointDynamicThreshold"`
+	// CollapseConfigs is the per-prefix threshold override list, evaluated
+	// longest-prefix-wins. Each entry is keyed by Prefix so server-side
+	// apply patches one entry at a time instead of replacing the slice.
+	// +listType=map
+	// +listMapKey=prefix
+	CollapseConfigs []CollapseConfigEntry `json:"collapseConfigs,omitempty" protobuf:"bytes,3,rep,name=collapseConfigs"`
+}
+
+// CollapseConfigEntry is one per-prefix threshold override.
+type CollapseConfigEntry struct {
+	// Prefix is the path prefix to match (e.g. "/etc", "/opt").
+	Prefix string `json:"prefix" protobuf:"bytes,1,req,name=prefix"`
+	// Threshold is the maximum number of unique children allowed at any
+	// trie node under Prefix before that node collapses to a single
+	// dynamic identifier.
+	Threshold int32 `json:"threshold" protobuf:"varint,2,req,name=threshold"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// CollapseConfigurationList is a list of CollapseConfiguration objects.
+type CollapseConfigurationList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	Items []CollapseConfiguration `json:"items" protobuf:"bytes,2,rep,name=items"`
+}