use ring buffers, UprobeMulti, remove perf_event_open dependency.

.github/workflows/main.yml

@@ -57,8 +57,8 @@ jobs:
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v2
-      - uses: actions/setup-go@v2
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
         with:
           go-version: '^1.16.1' # The Go version to download (if necessary) and use.
       - name: install required packages
@@ -70,15 +70,15 @@ jobs:
 
       - name: Configure AWS credentials
         if: ${{ github.event.inputs.Environment == 'prod' }}
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@v6
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           aws-region: us-east-1
       - name: Login to Amazon ECR
         if: ${{ github.event.inputs.Environment == 'prod'}}
         id: login-ecr
-        uses: aws-actions/amazon-ecr-login@v1
+        uses: aws-actions/amazon-ecr-login@v2
         with:
           mask-password: 'true'
           registry-type: public
@@ -104,7 +104,7 @@ jobs:
           fi
           echo "Building and Pushing image to ECR with platform: $PLATFORM"
           docker buildx build --platform $PLATFORM -t $ECR_REGISTRY/$REGISTRY_ALIAS/mirror-api-logging:$IMAGE_TAG . --push
-          echo "::set-output name=image::$ECR_REGISTRY/$REGISTRY_ALIAS/mirror-api-logging:$IMAGE_TAG"
+          echo "image=$ECR_REGISTRY/$REGISTRY_ALIAS/mirror-api-logging:$IMAGE_TAG" >> $GITHUB_OUTPUT
 
       - name: Build, tag, and push the image to Amazon ECR -ebpf
         if: ${{ github.event.inputs.Environment == 'prod' && github.event.inputs.Module == 'ebpf'}}
@@ -127,7 +127,7 @@ jobs:
           fi
           echo "Building and Pushing image to ECR with platform: $PLATFORM"
           docker buildx build --platform $PLATFORM -t $ECR_REGISTRY/$REGISTRY_ALIAS/mirror-api-logging:$IMAGE_TAG -f Dockerfile.eBPF . --push
-          echo "::set-output name=image::$ECR_REGISTRY/$REGISTRY_ALIAS/mirror-api-logging:$IMAGE_TAG"
+          echo "image=$ECR_REGISTRY/$REGISTRY_ALIAS/mirror-api-logging:$IMAGE_TAG" >> $GITHUB_OUTPUT
 
   build-docker:
     # The type of runner that the job will run on
@@ -136,8 +136,8 @@ jobs:
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v2
-      - uses: actions/setup-go@v2
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
         with:
           go-version: '^1.16.1' # The Go version to download (if necessary) and use.
       - name: install required packages
@@ -174,8 +174,8 @@ jobs:
           fi
           echo "Building and Pushing image to DockerHub with platform: $PLATFORM"
           docker buildx build --platform $PLATFORM -t $ECR_REGISTRY/mirror-api-logging:$IMAGE_TAG . --push
-          echo "::set-output name=image::$ECR_REGISTRY/mirror-api-logging:$IMAGE_TAG"
-       
+          echo "image=$ECR_REGISTRY/mirror-api-logging:$IMAGE_TAG" >> $GITHUB_OUTPUT
+
       - name: Build, tag, and push the image to DockerHub - ebpf
         if: ${{ github.event.inputs.Environment == 'prod' && github.event.inputs.Module == 'ebpf' }}
         id: build-image-dockerhub-ebpf
@@ -195,4 +195,4 @@ jobs:
           fi
           echo "Building and Pushing image to DockerHub with platform: $PLATFORM"
           docker buildx build --platform $PLATFORM -t $ECR_REGISTRY/mirror-api-logging:$IMAGE_TAG -f Dockerfile.eBPF . --push
-          echo "::set-output name=image::$ECR_REGISTRY/mirror-api-logging:$IMAGE_TAG"
+          echo "image=$ECR_REGISTRY/mirror-api-logging:$IMAGE_TAG" >> $GITHUB_OUTPUT

Dockerfile.eBPF

@@ -17,7 +17,7 @@ RUN apk add --no-cache \
 # Using --platform=$BUILDPLATFORM lets Docker run this stage natively
 # (no QEMU emulation). Go's built-in cross-compilation produces the binary
 # for the TARGET arch via GOARCH / GOOS env vars.
-FROM --platform=$BUILDPLATFORM golang:1.24-alpine AS builder
+FROM --platform=$BUILDPLATFORM golang:1.25-alpine AS builder
 
 ARG TARGETARCH
 ARG TARGETOS=linux

daemonset-ebpf.yml

@@ -1,8 +1,7 @@
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
-  name: akto-ebpf-connector
-  namespace: bookinfo
+  name: akto-k8s-ebpf
   labels:
     app: akto-collector
 spec:
@@ -14,15 +13,11 @@ spec:
       labels:
         app: akto-collector
     spec:
-    # optional
-      nodeSelector: 
-        mirror: "true"
       hostNetwork: true
       dnsPolicy: ClusterFirstWithHostNet
-      hostPID: true
       containers:
-      - name: akto-ebpf
-        image: coastaldemigod/ebpf:v84
+      - name: mirror-api-logging
+        image: public.ecr.aws/aktosecurity/mirror-api-logging:k8s_ebpf_core
         imagePullPolicy: Always
         resources:
           limits:
@@ -31,71 +26,50 @@ spec:
           requests:
             cpu: 50m
             memory: 50Mi
-        env: 
-          # - name: AKTO_MODULE_DISCOVERY_CONFIG
-            # value: '[{"key":{"eq":"x-forwarded-client-cert","ifAbsent":"reject"},"value":{"regex":".*bookinfo.*"}}]'
+        env:
           - name: AKTO_TRAFFIC_BATCH_TIME_SECS
             value: "10"
           - name: AKTO_TRAFFIC_BATCH_SIZE
             value: "100"
           - name: AKTO_KAFKA_BROKER_MAL
-            value: "172.20.80.9:9092"
-          # - name: LOG_LEVEL
-            # value: "0"
-          - name: AKTO_MONGO_CONN
-            value: "mongodb://10.0.134.212:27017/admini"
-          - name: TRAFFIC_INACTIVITY_THRESHOLD
-            value: "30"
-          - name: INGEST_LOGS
-            value: "true"
-          # - name: TRAFFIC_COMPLETE_THRESHOLD
-          #   value: "0"
-          # - name: TRAFFIC_MAX_ACTIVE_CONN
-          #   value: "8192"
-          - name: PRINT_BPF_LOGS
-            value: "true"
-          # - name: TRAFFIC_MAX_BUFFER_PER_TRACKER
-          #   value: "20"
-          # - name: KAFKA_POLL_INTERVAL
-          #   value: "1"
-          - name: AKTO_MEM_THRESH_RESTART
-            value: "900"
-          # - name: TRAFFIC_SAMPLE_BUFFER_PER_MINUTE
-            # value: "100"
-          - name: DEBUG_MODE
-            value: "true"
-          # - name: AKTO_DISABLE_ON_DB
-            # value: "true"
-          # - name: SAMPLE_LIMIT_PER_MIN
-            # value:
-          - name: CAPTURE_SSL
-            value: "true"
+            value: "akto-mini-runtime-mini-runtime.default.svc.cluster.local:9092"
+          - name: AKTO_LOG_LEVEL
+            value: "DEBUG"
+          - name: UPROBE_POLL_INTERVAL
+            value: "5"
+          - name: NODE_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: spec.nodeName
+          - name: POD_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.name
+          - name: HOST_PROC
+            value: "/host/proc"
         securityContext:
+          allowPrivilegeEscalation: false
+          privileged: false
           capabilities:
+            drop:
+              - ALL
             add:
-            - SYS_PTRACE
-            - SYS_ADMIN
-          privileged: true
+              - BPF
+              - PERFMON
+              - SYS_PTRACE
         volumeMounts:
-          # needed to load kernel headers
-          - name: lib-modules
-            mountPath: /lib/modules
+          - name: sys-kernel-btf
+            mountPath: /sys/kernel/btf
             readOnly: true
-          # needed to trace kernel events
-          - name: sys-kernel
-            mountPath: /sys/kernel
-            readOnly: true
-          - name: host
-            mountPath: /host
+          - name: host-proc
+            mountPath: /host/proc
             readOnly: true
       volumes:
-        - name: sys-kernel
-          hostPath:
-            path: /sys/kernel
-        - name: lib-modules
+        - name: sys-kernel-btf
           hostPath:
-            path: /lib/modules
-        - name: host
+            path: /sys/kernel/btf
+            type: Directory
+        - name: host-proc
           hostPath:
-            path : /
-
+            path: /proc
+            type: Directory

ebpf/bpfwrapper/eventCallbacks.go

@@ -22,7 +22,7 @@ func SocketOpenEventCallback(inputChan chan []byte, connectionFactory *connectio
 		}
 
 		if !connectionFactory.CanBeFilled() {
-			metaUtils.LogIngest("Connections filled")
+			slog.Warn("Connections filled")
 			continue
 		}
 
@@ -114,7 +114,7 @@ func SocketDataEventCallback(inputChan chan []byte, connectionFactory *connectio
 		}
 
 		if !(connectionFactory.CanBeFilled() && connections.BufferCheck()) {
-			metaUtils.LogIngest("Connections filled")
+			slog.Warn("Connections filled")
 			continue
 		}
 
@@ -158,9 +158,6 @@ func SocketDataEventCallback(inputChan chan []byte, connectionFactory *connectio
 			continue
 		}
 
-		event.Attr.ReadEventsCount = event.Attr.ReadEventsCount
-		event.Attr.WriteEventsCount = event.Attr.WriteEventsCount
-
 		connectionFactory.CreateIfNotExists(connId)
 
 		dataStr := string(event.Msg[:min(32, utils.Abs(bytesSent))])

ebpf/bpfwrapper/kprobes.go

@@ -4,15 +4,10 @@ import (
 	"log/slog"
 	"runtime"
 
-	"github.com/akto-api-security/mirroring-api-logging/trafficUtil/utils"
 	"github.com/cilium/ebpf"
 	"github.com/cilium/ebpf/link"
 )
 
-const (
-	maxActiveConnections = 1024
-)
-
 // ProbeType represents whether the probe is an entry or a return.
 type ProbeType int
 
@@ -93,7 +88,7 @@ func AttachKprobes(coll *ebpf.Collection, kprobeList []Kprobe) ([]link.Link, err
 
 		switch probe.Type {
 		case EntryType:
-			utils.PrintLog("Attaching kprobe", "hook", probe.HookName, "function", functionToHook)
+			slog.Debug("Attaching kprobe", "hook", probe.HookName, "function", functionToHook)
 			l, err := link.Kprobe(functionToHook, prog, nil)
 			if err != nil {
 				slog.Error("failed to attach kprobe", "hook", probe.HookName, "function", functionToHook, "error", err)
@@ -102,7 +97,7 @@ func AttachKprobes(coll *ebpf.Collection, kprobeList []Kprobe) ([]link.Link, err
 			links = append(links, l)
 
 		case ReturnType:
-			utils.PrintLog("Attaching kretprobe", "hook", probe.HookName, "function", functionToHook)
+			slog.Debug("Attaching kretprobe", "hook", probe.HookName, "function", functionToHook)
 			l, err := link.Kretprobe(functionToHook, prog, nil)
 			if err != nil {
 				slog.Error("failed to attach kretprobe", "hook", probe.HookName, "function", functionToHook, "error", err)