Skip to content

feat(enforcer): Add tld & subdomain enforcement#2618

Merged
Aryan-sharma11 merged 4 commits into
mainfrom
dns-fix
Jun 15, 2026
Merged

feat(enforcer): Add tld & subdomain enforcement#2618
Aryan-sharma11 merged 4 commits into
mainfrom
dns-fix

Conversation

@achrefbensaad

@achrefbensaad achrefbensaad commented May 21, 2026

Copy link
Copy Markdown
Member

Purpose of PR?:

Fixes #

Does this PR introduce a breaking change?

If the changes in this PR are manually verified, list down the scenarios covered::

Additional information for reviewer? :
Mention if this PR is part of any design or a continuation of previous PRs

Checklist:

  • Bug fix. Fixes #
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update
  • PR Title follows the convention of <type>(<scope>): <subject>
  • Commit has unit tests
  • Commit has integration tests

@achrefbensaad achrefbensaad changed the title Dns fix feat(enforcer): Add tld & subdomain enforcement May 21, 2026
@achrefbensaad achrefbensaad force-pushed the dns-fix branch 2 times, most recently from ede79d6 to 5d5e46d Compare May 21, 2026 13:14
@achrefbensaad achrefbensaad added bug Something isn't working improvement Updates in existing features labels May 21, 2026

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR extends DNS query enforcement to support matching subdomains and higher-level suffixes (e.g., allowing a policy for google.com to match www.google.com, and enabling TLD-style matching), primarily for the BPFLSM enforcer path, and adds an e2e test case covering subdomain blocking.

Changes:

  • Add suffix-based DNS domain matching in the Go-side policy matcher to treat subdomains/TLDs as matches.
  • Update the BPF enforcer’s DNS rule matching to search for matching parent-domain suffixes using a scratch buffer.
  • Add a new Kubernetes policy YAML + network test to validate blocking DNS queries for subdomains.

Reviewed changes

Copilot reviewed 6 out of 22 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
tests/k8s_env/networktests/res/ksp-ubuntu-1-block-dns-subdomain.yaml Adds a KubeArmorPolicy used to validate subdomain DNS blocking behavior.
tests/k8s_env/networktests/network_test.go Adds an e2e test asserting DNS blocking for www.google.com when the policy targets google.com.
KubeArmor/feeder/policyMatcher.go Extends DNS matching logic to consider suffixes (subdomains/TLD-like matches) when correlating logs to policies.
KubeArmor/enforcer/bpflsm/rulesHandling.go Normalizes DNS domains by trimming leading/trailing dots before mapping rules.
KubeArmor/BPF/shared.h Adds MAX_NESTED_DNS_LABELS and increases bufk capacity for new scratch usage.
KubeArmor/BPF/enforcer.bpf.c Implements iterative parent-domain matching for DNS lookups and introduces a scratch pad buffer.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread tests/k8s_env/networktests/network_test.go
Comment thread KubeArmor/feeder/policyMatcher.go
Comment thread KubeArmor/enforcer/bpflsm/rulesHandling.go
Comment thread tests/k8s_env/networktests/network_test.go Outdated
achrefbensaad and others added 4 commits June 10, 2026 12:47
@Aryan-sharma11 Aryan-sharma11 merged commit eec5c63 into main Jun 15, 2026
22 checks passed
@Aryan-sharma11 Aryan-sharma11 mentioned this pull request Jun 18, 2026
Aryan-sharma11 added a commit to Aryan-sharma11/KubeArmor that referenced this pull request Jun 18, 2026
Signed-off-by: Aryan-sharma11 <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug Something isn't working improvement Updates in existing features

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants