ROX-33361: Per-namespace persistence for process indicators by erthalion · Pull Request #19957 · stackrox/stackrox

erthalion · 2026-04-13T12:56:21Z

Description

NOTE: It's been split from #19455, for the purposes of simplifying the review. The PR contains only the first commit, introducing the actual machinery. The implementation is exactly the same as in the original PR.

Allow to configure per-namespace persistence for process indicators, so that Central wouldn't need to store information, which never will be used.

It could be configured via DynamicConfig of the cluster configuration in the form:

message ProcessIndicators {
  string namespace_filter = 1;
  bool exclude_openshift_ns = 2;
  bool persistence = 3;
}

Where namespace_filter allows to specify a custom regex to filter out processes by matching namespace, exclude_openshift_ns instructs Central to exclude anything from openshift-* namespaces, and persistence can be used to disable storing process indicators at all.

User-facing documentation

CHANGELOG.md is updated OR update is not needed
documentation PR is created and is linked above OR is not needed

Testing and quality

the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
CI results are inspected

Automated testing

How I validated my change

Manual validation (creating an operator-managed cluster and modifying the configuration), as well as E2E tests. Split from #19455 to simplify the review.

github-actions · 2026-04-13T13:14:21Z

🚀 Build Images Ready

Images are ready for commit 405c8cf. To use with deploy scripts:

export MAIN_IMAGE_TAG=4.11.x-688-g405c8cf703

codecov · 2026-04-13T13:32:36Z

Codecov Report

❌ Patch coverage is 48.06202% with 67 lines in your changes missing coverage. Please review.
✅ Project coverage is 49.69%. Comparing base (7b58df2) to head (7f1e4bd).
⚠️ Report is 2 commits behind head on master.

Files with missing lines	Patch %	Lines
central/graphql/resolvers/generated.go	13.04%	40 Missing ⚠️
central/cluster/datastore/datastore_impl.go	51.16%	19 Missing and 2 partials ⚠️
central/detection/lifecycle/manager_impl.go	75.00%	2 Missing and 1 partial ⚠️
pkg/cluster/filtering.go	88.88%	2 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #19957      +/-   ##
==========================================
+ Coverage   49.67%   49.69%   +0.01%     
==========================================
  Files        2765     2766       +1     
  Lines      209049   209175     +126     
==========================================
+ Hits       103847   103950     +103     
- Misses      97523    97538      +15     
- Partials     7679     7687       +8

Flag	Coverage Δ
go-unit-tests	`49.69% <48.06%> (+0.01%)`	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

erthalion · 2026-04-14T08:46:47Z

/test ocp-4-21-qa-e2e-tests

erthalion · 2026-04-14T14:25:47Z

The only failing tests are flake #19959

erthalion · 2026-04-16T08:38:07Z

/retest

openshift-ci · 2026-04-16T11:45:46Z

@erthalion: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/ocp-4-21-qa-e2e-tests	`f03bc24`	link	false	`/test ocp-4-21-qa-e2e-tests`
ci/prow/ocp-4-12-qa-e2e-tests	`f03bc24`	link	false	`/test ocp-4-12-qa-e2e-tests`

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Allow to configure per-namespace persistence for process indicators, so that Central wouldn't need to store information, which never will be used. It could be configured via DynamicConfig of the cluster configuration in the form: ``` message ProcessIndicators { bool no_persistence = 1; string exclude_namespace_filter = 2; bool exclude_openshift_ns = 3; } ``` Where `exclude_namespace_filter` allows to specify a custom regex to filter out processes by matching namespace, `exclude_openshift_ns` instructs Central to exclude anything from openshift-* namespaces, and `no_persistence` can be used to disable storing process indicators at all.

Commit 405c8cf ("ROX-33361: Per-namespace persistence for process indicators (#19957)") has introduced a possibility to configure per-namespace persistence for process indicators, but did not wire it up anywhere. Allow to provide new dynamic config fields via SecuredCluster CR, in the form: spec: processIndicators: persistence: true excludeNamespaceFilter: namespace-without-persistence excludeOpenshiftNs: false It works in exactly the same way as above mentioned dynamic config counterpart, except the reversed "persistence" field. Contrary to a protobuf dynamic config, SecuredCluster CR allows to distinguish not set values, thus we choose more natural to read version. It will be converted into the "noPersistence" during translation.

erthalion requested a review from a team as a code owner April 13, 2026 12:56

github-actions Bot added the area/central label Apr 13, 2026

erthalion requested review from dashrews78, ovalenti, porridge and vladbologa April 13, 2026 12:58

erthalion force-pushed the feature/per-namespace-persistence branch from 680576b to e2ec42b Compare April 13, 2026 14:00

porridge reviewed Apr 14, 2026

View reviewed changes

Comment thread proto/storage/cluster.proto Outdated

Comment thread proto/storage/cluster.proto Outdated

erthalion force-pushed the feature/per-namespace-persistence branch 2 times, most recently from 57f2aa8 to cad5788 Compare April 14, 2026 10:22

erthalion requested a review from porridge April 14, 2026 12:59