Proto commits in castai/kvisor

These 67 commits are when the Protocol Buffers files have changed:

2026-04-02

feat: Add GPU metrics pipeline to kvisor (#663) * feat: Add GPU metrics pipeline to kvisor * Remove Chart.lock and dependency chart * fix: Run dcgm-exporter on GKE * Address CR feedback and add more tests * fix: Disable GPU pipeline in kvisor if gpu-metrics-exporters is installed * Fix bad conflict resolution * Remove infinite loop in dcgm-exporter pod

The documentation is generated from this commit.

2026-03-10

feat: k8s reverse tunnel proxy for remote API access (#654) Enables CAST AI backend to query the Kubernetes API of connected clusters without requiring direct network access. The kvisor controller establishes an outbound gRPC connection to CAST AI and forwards incoming HTTP requests to the local k8s API using a dedicated restricted ServiceAccount, streaming responses back through the tunnel. Key points: Read-only access enforced (GET only, blocked exec/attach/portforward/proxy subresources) Dedicated gRPC connection with keepalive, separate from the main castai client Short-lived SA tokens via TokenRequest API instead of mounted credentials Proxy RBAC resources provisioned automatically via Helm when enabled Enabled by setting cluster-proxy-enabled: "true" in controller.extraArgs

2026-03-04

1

2026-02-25

add static CIDR to zone/region mapping via ConfigMap (#646)

2026-02-16

feat: add CloudVolumeID to block device metrics The block device metrics have been extended by the volume ID of the underlying hyperscaler disk it belongs to. It currently supports mapping for AWS (Xen, Nitro) and GCP. AWS Xen and GCP do rely on the controller having `cloud-provider-storage-sync-enabled` set to true, as both need information from the CSP to fully identify cloud volume IDs from local identifiers.

2026-02-03

Collect ephemeral storage usage per pod

2026-01-28

Periodically refresh cluster network ranges (#622)

2026-01-27

Collect cloud volume metrics from AWS (#620)

2026-01-21

Collect cloud volume metrics from AWS

2026-01-20

Collect cloud volume metrics from AWS

Gather Kubernetes data about pod volumes and add K8s context to filesystem metrics (#613) * Gather Kubernetes data about pod volumes and add K8s context to filesystem metrics * Take into account block volumes as well * Filter pod volume metrics to only include PVC-backed volumes and exclude kube-system * Add RBAC permissions for PVCs and PVs in controller ClusterRole * Deduplicate filesystem metrics * Simplify FilesystemMetric and add in-tree volume source support * Add k8s_pod_volume_metrics to E2E test

2026-01-19

Improve netflow zone/region discovery (#614)

2026-01-16

Integrate VPC metadata enrichment for netflow IP addresses (#611) - Added VPCIndex in-memory index for IP metadata lookups across VPCs, subnets, peered networks, and service ranges - Periodic refresh from cloud provider with configurable interval - gRPC endpoint GetIPsInfo enriches IPs with VPC metadata (region, zone, cloud service detection via domain) - Improved zone/region detection with kube nodes info

2025-12-09

add node configs scrapper

add node ID

2025-11-10

Add support for collecting node storage metrics from nodes/proxy endpoint (#592) * Add support for collecting Kubernetes node storage metrics Implement collection of kubelet storage stats (ImageFs, ContainerFs) via stats/summary API. - Add GetNodeStatsSummary gRPC method to KubeAPI - Implement controller endpoint to proxy kubelet stats/summary - Add agent collection pipeline for node storage metrics - Write metrics to storage_node_metrics collection - Add tests and mocks for node stats functionality - Update helm chart configuration

2025-10-24

Keep historical ips index records (#591)

2025-10-01

Send index manifest and digest in image metadata (#556)

2025-09-18

REP-1617: Add storage metrics collection (#580) - Introducing storage monitoring capabilities, enabling collection of disk performance and filesystem utilization metrics for nodes. - Storage metrics collection is enabled via the `agent.extraArgs.storage-stats-enabled` chart flag. - New GetNode RPC endpoint in KubeAPI service in controller for retrieving node information and labels.

2025-09-03

Add image digest to runtime events (#581)

2025-08-28

feat: Add sustainability metrics pipeline

2025-08-22

Revert "Add image digest to runtime events (#573)" (#577) This reverts commit 508bccb67e73017b2b61a5595335af76817ae6f4.

2025-08-13

Add image digest to runtime events (#573)

2025-07-16

Send file access (#568)

2025-07-14

Add netflow pid start time (#567)

2025-07-09

Unify data ingestion (#561)

2025-06-12

Add security file open even tracing (#549)

2025-04-07

Add ingress nightmare exploit detection signature There is a new signature capable of detecting attempts to exploit the ingress nightmare vulnerability (CVE-2025-1974). It works by hooking the `security_inode_follow_link` hook and validates is a `nginx` process is trying to resolve any `FD`s in `/proc/<pid>/fd/`. The signature is far from perfect, as it is pretty specific to the ingress nightmare case, but it works reliable, as the ingress process should not resolve `FD` symlinks.

2025-03-10

Calculate sha256 hash for MAGIC_WRITE events In order to have a more robust identicator for matching dropped files, files in the MAGIC_WRITE event are now enriched with the file hash.

2025-03-06

Implement basic git clone detection signature Git clones are a surprisingly good indicator of some sort of mischievous behavior (besides in CI infrastructure of course). There is now a dedicated signature for detecting `git clone` commands. It works by consuming `SchedProcessExec` event, figuring out if the executed command was `git` and try to parse the passed arguments to detect a potential clone + the used repository.

2025-02-17

Events batching (#479)

2025-02-12

Try single goroutine for events batching

Debug invalid data

2025-02-11

Aggregate eBPF events

Aggregate eBPF events

2025-01-27

Add dual-stack support to netflows (#452)

2025-01-17

Container stats collections (#448)

2024-12-10

Send labels and annotations (#421) * collect selected labels and annotations from CRI API and send them with runtime events --------- Co-authored-by: Patrick Pichler <patrick@cast.ai>

2024-10-28

Add process_pid and process_start_time to ebpf events (#381) * Add process_pid and process_start_time to ebpf events These two fields are needed to correlate data between events and process_tree_events tables. We can uniquely identify events in process_tree_events by using (container_id, process_pid, process_start_time) tuple.

2024-10-08

Drop netflow ports info (#355)

2024-09-11

Add network details to DNS and SSH events Since we anyway get the source an destination addresses and ports from the underlying network packet, they are now also forwarded to the backend as part of the events.

2024-08-28

Add basic SSH detection The SSH protocol does not give a lot to detect it by. A new kernel check has been added to detect the initial SSH hello messages.

2024-08-20

Kernel stdio via sock (#329)

2024-07-31

Expose simple eBPF metrics through prometheus There are now a set of simple metrics from eBPF, exposed via a prometheus metrics. eBPF communicates those counters through a newly added `metrics` map, that is a simple array of `u64`. We then take those and expose them to the world through prometheus metrics. This allows to detect potential issues, such as scratch buffer misses.

2024-07-22

Disable signature engine by default (#317)

2024-07-19

Add initial process tree support The process tree gives you context about running processes at a given time. They are used by the cast backend to provide more context to the user.

2024-07-10

Remove deprecation of ImageMetadata architecture protobuf field

2024-06-17

Send deltas in batches (#290)

2024-06-08

Detect exec from overlayfs upper layer (#287)

2024-06-04

Take image architecture from the manifest instead of kvisor config

2024-05-30

Fix event workload uid mapping (#282)

2024-05-27

Fill missing netflow source zone (#280)

2024-05-23

Redact sensitive values in process exec args (#272)

2024-05-22

Send netflows (#271)

2024-05-15

Report agent enabled/disabled state in controller config (#270) Co-authored-by: Mantas Norvaisa <mantas.norvaisa@cast.ai>

Initial netflow events export (#269)

2024-05-07

Netflows ebpf tracing (#267)

2024-04-23

Add workload uid (#258)

Add SOCKS5 proxy detection There exists now a new signature that detects the use of SOCKS5 proxy servers/clients and reports it.

2024-04-19

Add flow direction to DNS events In order to distinguish between incoming and outgoing DNS events, we now also record the flow direction. Additionally, the mock server now pretty prints the protobuf using the protojson library, instead of just the golang fmt library.

2024-04-17

Send ctrl and agent configs (#254)

2024-04-15

Fix socket state tracepoint task context (#252)

2024-04-09

Extend signature event types with more data In order to better understand what is happening, the signature events reported to the backend now hold more info, such as fd of the tty opened, or the ip used for the stdio over socket detection.

2024-03-29

Add logic to detect TTYs in containers Opening TTYs is in most cases something that one might want to investigate. There is now new logic in place, that hooks the `tty_open` function of the `tty` device drivers and reports an event to userspace, that is handled by a newly added signature called `tty_detected`. As of right now we always alert on any `tty_open` events, but this might change in the future.

2024-03-20

Add sha256 sum of executed binaries Exec events now feature a sha256 hash field, of the executed binary. File access is done via the `/proc` filesystem. In order to also catch short living processes, kvisor also tries accessing the file via other processes in the same mount namespace. For this to work in virtualised environments, such as kind, kvisor now also translates PIDs from the origin PID namespace, to the namespace it is running in.

2024-03-11

Deltas fixes (#222)

2024-03-06

Add runtime (#213)