filters: implement container_id filter

Implement a container_id filter, primarily to support its use in docker-based unit
testing.

Signed-off-by: William Findlay <[email protected]>

api/v1/tetragon/events.proto

@@ -66,6 +66,9 @@ message Filter {
     // Filter by process.parent.arguments field using RE2 regular expression syntax:
     // https://github.com/google/re2/wiki/Syntax
     repeated string parent_arguments_regex = 14;
+    // Filter by the container ID in the process.docker field. Matches a string
+    // prefix to emulate the behaviour of docker CLI.
+    repeated string container_id = 15;
 }
 
 // Filter over a set of Linux process capabilities. See `message Capabilities`

pkg/filters/docker.go

@@ -0,0 +1,42 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Cilium
+
+package filters
+
+import (
+	"context"
+	"strings"
+
+	v1 "github.com/cilium/cilium/pkg/hubble/api/v1"
+	hubbleFilters "github.com/cilium/cilium/pkg/hubble/filters"
+	"github.com/cilium/tetragon/api/v1/tetragon"
+)
+
+func filterByContainerID(ids []string) (hubbleFilters.FilterFunc, error) {
+	return func(ev *v1.Event) bool {
+		process := GetProcess(ev)
+		if process == nil {
+			return false
+		}
+		for _, id := range ids {
+			if strings.HasPrefix(process.Docker, id) {
+				return true
+			}
+		}
+		return false
+	}, nil
+}
+
+type ContainerIDFilter struct{}
+
+func (f *ContainerIDFilter) OnBuildFilter(_ context.Context, ff *tetragon.Filter) ([]hubbleFilters.FilterFunc, error) {
+	var fs []hubbleFilters.FilterFunc
+	if ff.ContainerId != nil {
+		filters, err := filterByContainerID(ff.ContainerId)
+		if err != nil {
+			return nil, err
+		}
+		fs = append(fs, filters)
+	}
+	return fs, nil
+}

pkg/filters/filters.go

@@ -96,6 +96,7 @@ var Filters = []OnBuildFilter{
 	&PodRegexFilter{},
 	&PolicyNamesFilter{},
 	&CapsFilter{},
+	&ContainerIDFilter{},
 }
 
 func GetProcess(event *v1.Event) *tetragon.Process {