Implement ClusterUID enrichment for runtime alerts

[slashben]

Summary

Implement ClusterUID enrichment for runtime alerts by fetching the kube-system namespace UID and populating it in all RuntimeAlert structures.

Changes

Dependencies

• Updated armoapi-go to v0.0.672 (includes new ClusterUID field)

New Files

• pkg/utils/clusteruid.go - Utility function to fetch kube-system namespace UID

Modified Files

• cmd/main.go - Fetch ClusterUID at startup and pass to exporters
• pkg/exporters/exporters_bus.go - Update InitExporters to accept clusterUID parameter
• pkg/exporters/http_exporter.go - Store and populate ClusterUID in alerts

Implementation Details

1. Startup Phase: After creating the Kubernetes client, the agent fetches the UID of the kube-system namespace using the new GetClusterUID utility function.

2. Error Handling: If the namespace cannot be accessed (e.g., due to RBAC restrictions), a warning is logged and an empty string is returned. The agent continues operating normally with an empty ClusterUID field.

3. Alert Enrichment: The ClusterUID is passed through the exporter chain and populated in:

   • RuntimeAlertK8sDetails.ClusterUID for all K8s alerts
   • HttpRuleAlert.SourcePodInfo.ClusterUID for HTTP rule alerts

4. Backward Compatibility: The field uses omitempty and existing functionality is not affected if ClusterUID is empty.

Testing

• ✅ Code compiles successfully
• ✅ Unit tests pass
• Manual testing needed: Deploy to test cluster and verify ClusterUID is populated

Related PRs

• Add ClusterUID field to RuntimeAlertK8sDetails armosec/armoapi-go#602 - Add ClusterUID field to RuntimeAlertK8sDetails

Next Steps

After this PR is merged and a new version is released:

1. Update private-node-agent with new dependencies
2. Update Helm charts with RBAC permissions (namespaces get/list)

RBAC Requirements

Note: For ClusterUID to be populated, the agent's ServiceAccount needs permissions to read namespaces:

- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list"]

This will be added to Helm charts in a separate PR.

Summary by CodeRabbit

• New Features

  • Alerts (runtime and malware) now include a stable cluster UID so cluster context is preserved across emitted alerts.
  • Agent obtains the cluster UID at startup and attaches it to exporter payloads before initialization.

• Tests

  • Unit tests updated to validate the cluster UID is populated in exporter instances.

• Chores

  • Dependency version bumped.

[coderabbitai]

📝 Walkthrough

Walkthrough

Retrieves a stable cluster UID from the Kubernetes kube-system namespace and threads that UID into exporter initialization and HTTP exporter alert payloads so emitted alerts include cluster identity.

Changes

Cohort / File(s)	Summary
CLI / bootstrap cmd/main.go	Fetch clusterUID via new util before initializing exporters; pass clusterUID into InitExporters.
ClusterUID util pkg/utils/clusteruid.go	New GetClusterUID(k8sClient kubernetes.Interface) string — reads kube-system namespace UID with a 5s timeout; logs and returns empty string on error.
Exporters bus API pkg/exporters/exporters_bus.go	InitExporters signature extended to accept clusterUID and forwards it to exporter constructors (notably HTTP exporter).
HTTP exporter pkg/exporters/http_exporter.go, pkg/exporters/http_exporter_test.go	HTTPExporter gains clusterUID field; NewHTTPExporter(..., clusterUID) added; alert builders set k8sDetails.ClusterUID and httpDetails.SourcePodInfo.ClusterUID; tests updated for new param/field.
Dependencies go.mod	Bump github.com/armosec/armoapi-go from v0.0.671 → v0.0.672.

Sequence Diagram(s)

sequenceDiagram
    participant Main as Main
    participant K8s as Kubernetes API
    participant Utils as ClusterUID Utils
    participant Exporters as Exporters Bus
    participant HTTPExp as HTTP Exporter
    participant Alerts as Alert Payloads

    Main->>Utils: GetClusterUID(k8sClient)
    Utils->>K8s: GET namespace/kube-system
    K8s-->>Utils: namespace UID
    Utils-->>Main: clusterUID
    Main->>Exporters: InitExporters(..., clusterUID)
    Exporters->>HTTPExp: NewHTTPExporter(..., clusterUID)
    HTTPExp->>HTTPExp: store clusterUID

    rect rgba(200,150,100,0.5)
    Note over HTTPExp,Alerts: When building alerts
    HTTPExp->>Alerts: set k8sDetails.ClusterUID = clusterUID
    HTTPExp->>Alerts: set httpDetails.SourcePodInfo.ClusterUID = clusterUID
    end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 I hopped to kube-system, quiet and spry,
I plucked the UID beneath the sky,
Brought it back through exporters' gate,
So every alert can find its state,
Little UID, snug and wry. 🥕

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 37.50% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Implement ClusterUID enrichment for runtime alerts' accurately summarizes the main change - adding ClusterUID to runtime alerts.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feature/implement-cluster-uid-enrichment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In `@go.mod`:
- Line 10: The dependency was bumped to github.com/armosec/armoapi-go v0.0.672
without published release notes—before merging, run a vulnerability scan and
review the upstream changes: execute `govulncheck ./...` in the repo to detect
transitive vulnerabilities and inspect the upstream diff between tags
v0.0.671..v0.0.672 in the armosec/armoapi-go repository to confirm there are no
breaking or insecure changes; if issues are found, either revert the go.mod line
for github.com/armosec/armoapi-go to v0.0.671 or open a follow-up PR that pins a
safe version and documents the risk.

In `@pkg/utils/clusteruid.go`:
- Around line 15-23: The namespace lookup uses a background context with no
timeout; wrap the request in a cancellable context with a small timeout (e.g.,
3–5s) so k8sClient.CoreV1().Namespaces().Get uses that timed context and cannot
block startup indefinitely — create ctx, cancel :=
context.WithTimeout(context.Background(), timeout), defer cancel() and pass ctx
into Get; ensure the necessary time import is added and keep the existing error
handling and logging (helpers.Error, helpers.String) unchanged.

🧹 Nitpick comments (1)

pkg/exporters/http_exporter.go (1)

316-325: ClusterUID propagation on rule alerts looks good.

Optional: consider also setting ClusterUID on the “Alert limit reached” alert so all runtime alert types carry it consistently.

[matthyx]

let's add the timeout

[matthyx]

I'll merge once the CI/CD is fixed by @bvolovat