diff --git a/pkg/security/resolvers/cgroup/model/model.go b/pkg/security/resolvers/cgroup/model/model.go index c916e45477876..1bde78216970f 100644 --- a/pkg/security/resolvers/cgroup/model/model.go +++ b/pkg/security/resolvers/cgroup/model/model.go @@ -15,7 +15,6 @@ import ( "github.com/DataDog/datadog-agent/pkg/security/secl/containerutils" "github.com/DataDog/datadog-agent/pkg/security/secl/model" - "github.com/DataDog/datadog-agent/pkg/security/utils" ) // CacheEntry cgroup resolver cache entry @@ -23,9 +22,8 @@ type CacheEntry struct { model.CGroupContext model.ContainerContext sync.RWMutex - Deleted *atomic.Bool - WorkloadSelector WorkloadSelector - PIDs map[uint32]bool + Deleted *atomic.Bool + PIDs map[uint32]bool } // NewCacheEntry returns a new instance of a CacheEntry @@ -78,27 +76,3 @@ func (cgce *CacheEntry) AddPID(pid uint32) { cgce.PIDs[pid] = true } - -// SetTags sets the tags for the provided workload -func (cgce *CacheEntry) SetTags(tags []string) { - cgce.Lock() - defer cgce.Unlock() - - cgce.Tags = tags - cgce.WorkloadSelector.Image = utils.GetTagValue("image_name", tags) - cgce.WorkloadSelector.Tag = utils.GetTagValue("image_tag", tags) - if len(cgce.WorkloadSelector.Image) != 0 && len(cgce.WorkloadSelector.Tag) == 0 { - cgce.WorkloadSelector.Tag = "latest" - } -} - -// GetWorkloadSelectorCopy returns a copy of the workload selector of this cgroup -func (cgce *CacheEntry) GetWorkloadSelectorCopy() *WorkloadSelector { - cgce.Lock() - defer cgce.Unlock() - - return &WorkloadSelector{ - Image: cgce.WorkloadSelector.Image, - Tag: cgce.WorkloadSelector.Tag, - } -} diff --git a/pkg/security/resolvers/cgroup/model/types.go b/pkg/security/resolvers/cgroup/model/types.go index d07f94be04121..09a9a66473aa6 100644 --- a/pkg/security/resolvers/cgroup/model/types.go +++ b/pkg/security/resolvers/cgroup/model/types.go @@ -61,3 +61,8 @@ func (ws WorkloadSelector) ToTags() []string { "image_tag:" + ws.Tag, } } + +// Copy returns a copy of the selector +func (ws WorkloadSelector) Copy() *WorkloadSelector { + return &ws +} diff --git a/pkg/security/resolvers/sbom/resolver.go b/pkg/security/resolvers/sbom/resolver.go index d0a290975d6df..e282dbd6f23d9 100644 --- a/pkg/security/resolvers/sbom/resolver.go +++ b/pkg/security/resolvers/sbom/resolver.go @@ -33,6 +33,7 @@ import ( "github.com/DataDog/datadog-agent/pkg/security/config" "github.com/DataDog/datadog-agent/pkg/security/metrics" cgroupModel "github.com/DataDog/datadog-agent/pkg/security/resolvers/cgroup/model" + "github.com/DataDog/datadog-agent/pkg/security/resolvers/tags" "github.com/DataDog/datadog-agent/pkg/security/secl/containerutils" "github.com/DataDog/datadog-agent/pkg/security/secl/model" "github.com/DataDog/datadog-agent/pkg/security/seclog" @@ -486,15 +487,15 @@ func (r *Resolver) triggerScan(sbom *SBOM) { } // OnWorkloadSelectorResolvedEvent is used to handle the creation of a new cgroup with its resolved tags -func (r *Resolver) OnWorkloadSelectorResolvedEvent(cgroup *cgroupModel.CacheEntry) { +func (r *Resolver) OnWorkloadSelectorResolvedEvent(workload *tags.Workload) { r.sbomsLock.Lock() defer r.sbomsLock.Unlock() - if cgroup == nil { + if workload == nil { return } - id := cgroup.ContainerID + id := workload.ContainerID // We don't scan hosts for now if len(id) == 0 { return @@ -502,8 +503,8 @@ func (r *Resolver) OnWorkloadSelectorResolvedEvent(cgroup *cgroupModel.CacheEntr _, ok := r.sboms[id] if !ok { - workloadKey := getWorkloadKey(cgroup.GetWorkloadSelectorCopy()) - sbom, err := r.newWorkloadEntry(id, cgroup, workloadKey) + workloadKey := getWorkloadKey(workload.Selector.Copy()) + sbom, err := r.newWorkloadEntry(id, workload.CacheEntry, workloadKey) if err != nil { seclog.Errorf("couldn't create new SBOM entry for sbom '%s': %v", id, err) } diff --git a/pkg/security/resolvers/sbom/resolver_unsupported.go b/pkg/security/resolvers/sbom/resolver_unsupported.go index 9e073e03e552c..614682af506fa 100644 --- a/pkg/security/resolvers/sbom/resolver_unsupported.go +++ b/pkg/security/resolvers/sbom/resolver_unsupported.go @@ -15,6 +15,7 @@ import ( "github.com/DataDog/datadog-agent/pkg/security/config" cgroupModel "github.com/DataDog/datadog-agent/pkg/security/resolvers/cgroup/model" + "github.com/DataDog/datadog-agent/pkg/security/resolvers/tags" "github.com/DataDog/datadog-agent/pkg/security/secl/containerutils" "github.com/DataDog/datadog-agent/pkg/security/secl/model" ) @@ -33,7 +34,7 @@ func (r *Resolver) OnCGroupDeletedEvent(_ *cgroupModel.CacheEntry) { } // OnWorkloadSelectorResolvedEvent is used to handle the creation of a new cgroup with its resolved tags -func (r *Resolver) OnWorkloadSelectorResolvedEvent(_ *cgroupModel.CacheEntry) { +func (r *Resolver) OnWorkloadSelectorResolvedEvent(_ *tags.Workload) { } // ResolvePackage returns the Package that owns the provided file diff --git a/pkg/security/resolvers/tags/resolver.go b/pkg/security/resolvers/tags/resolver.go index 051122e4436ec..a5f0a4b956775 100644 --- a/pkg/security/resolvers/tags/resolver.go +++ b/pkg/security/resolvers/tags/resolver.go @@ -21,6 +21,8 @@ type Event int const ( // WorkloadSelectorResolved is used to notify that a new cgroup with a resolved workload selector is ready WorkloadSelectorResolved Event = iota + // WorkloadSelectorDeleted is used to notify that a cgroup with a resolved workload selector is deleted + WorkloadSelectorDeleted ) // Tagger defines a Tagger for the Tags Resolver diff --git a/pkg/security/resolvers/tags/resolver_linux.go b/pkg/security/resolvers/tags/resolver_linux.go index e11b2001dba4a..e029f003696b6 100644 --- a/pkg/security/resolvers/tags/resolver_linux.go +++ b/pkg/security/resolvers/tags/resolver_linux.go @@ -13,21 +13,26 @@ import ( "github.com/DataDog/datadog-agent/pkg/security/resolvers/cgroup" cgroupModel "github.com/DataDog/datadog-agent/pkg/security/resolvers/cgroup/model" + "github.com/DataDog/datadog-agent/pkg/security/secl/containerutils" "github.com/DataDog/datadog-agent/pkg/security/seclog" "github.com/DataDog/datadog-agent/pkg/security/utils" ) -type pendingWorkload struct { +// Workload represents a workload along with its tags +type Workload struct { *cgroupModel.CacheEntry - retries int + Tags []string + Selector cgroupModel.WorkloadSelector + retries int } // LinuxResolver represents a default resolver based directly on the underlying tagger type LinuxResolver struct { *DefaultResolver - *utils.Notifier[Event, *cgroupModel.CacheEntry] - workloadsWithoutTags chan *pendingWorkload + *utils.Notifier[Event, *Workload] + workloadsWithoutTags chan *Workload cgroupResolver *cgroup.Resolver + workloads map[containerutils.CGroupID]*Workload } // Start the resolver @@ -37,12 +42,19 @@ func (t *LinuxResolver) Start(ctx context.Context) error { } if err := t.cgroupResolver.RegisterListener(cgroup.CGroupCreated, func(cgce *cgroupModel.CacheEntry) { - workload := &pendingWorkload{CacheEntry: cgce, retries: 3} + workload := &Workload{CacheEntry: cgce, retries: 3} + t.workloads[cgce.CGroupID] = workload t.checkTags(workload) }); err != nil { return err } + if err := t.cgroupResolver.RegisterListener(cgroup.CGroupDeleted, func(cgce *cgroupModel.CacheEntry) { + delete(t.workloads, cgce.CGroupID) + }); err != nil { + return err + } + go func() { ctx, cancel := context.WithCancel(ctx) defer cancel() @@ -73,17 +85,18 @@ func (t *LinuxResolver) Start(ctx context.Context) error { return nil } -func needsTagsResolution(cgce *cgroupModel.CacheEntry) bool { - return len(cgce.ContainerID) != 0 && !cgce.WorkloadSelector.IsReady() +func needsTagsResolution(workload *Workload) bool { + return len(workload.ContainerID) != 0 && !workload.Selector.IsReady() } // checkTags checks if the tags of a workload were properly set -func (t *LinuxResolver) checkTags(pendingWorkload *pendingWorkload) { - workload := pendingWorkload.CacheEntry +func (t *LinuxResolver) checkTags(pendingWorkload *Workload) { + workload := pendingWorkload // check if the workload tags were found or if it was deleted if !workload.Deleted.Load() && needsTagsResolution(workload) { // this is an alive cgroup, try to resolve its tags now - if err := t.fetchTags(workload); err != nil || needsTagsResolution(workload) { + err := t.fetchTags(workload) + if err != nil || needsTagsResolution(workload) { if pendingWorkload.retries--; pendingWorkload.retries >= 0 { // push to the workloadsWithoutTags chan so that its tags can be resolved later select { @@ -102,22 +115,29 @@ func (t *LinuxResolver) checkTags(pendingWorkload *pendingWorkload) { } // fetchTags fetches tags for the provided workload -func (t *LinuxResolver) fetchTags(container *cgroupModel.CacheEntry) error { - newTags, err := t.ResolveWithErr(container.ContainerID) +func (t *LinuxResolver) fetchTags(workload *Workload) error { + newTags, err := t.ResolveWithErr(workload.ContainerID) if err != nil { - return fmt.Errorf("failed to resolve %s: %w", container.ContainerID, err) + return fmt.Errorf("failed to resolve %s: %w", workload.ContainerID, err) } - container.SetTags(newTags) + + workload.Selector.Image = utils.GetTagValue("image_name", newTags) + workload.Selector.Tag = utils.GetTagValue("image_tag", newTags) + if len(workload.Selector.Image) != 0 && len(workload.Selector.Tag) == 0 { + workload.Selector.Tag = "latest" + } + return nil } // NewResolver returns a new tags resolver func NewResolver(tagger Tagger, cgroupsResolver *cgroup.Resolver) *LinuxResolver { resolver := &LinuxResolver{ - Notifier: utils.NewNotifier[Event, *cgroupModel.CacheEntry](), + Notifier: utils.NewNotifier[Event, *Workload](), DefaultResolver: NewDefaultResolver(tagger), - workloadsWithoutTags: make(chan *pendingWorkload, 100), + workloadsWithoutTags: make(chan *Workload, 100), cgroupResolver: cgroupsResolver, + workloads: make(map[containerutils.CGroupID]*Workload), } return resolver } diff --git a/pkg/security/security_profile/dump/manager.go b/pkg/security/security_profile/dump/manager.go index a0b8c490b965e..b37a2c7264f1a 100644 --- a/pkg/security/security_profile/dump/manager.go +++ b/pkg/security/security_profile/dump/manager.go @@ -34,6 +34,7 @@ import ( "github.com/DataDog/datadog-agent/pkg/security/proto/api" "github.com/DataDog/datadog-agent/pkg/security/resolvers" cgroupModel "github.com/DataDog/datadog-agent/pkg/security/resolvers/cgroup/model" + "github.com/DataDog/datadog-agent/pkg/security/resolvers/tags" "github.com/DataDog/datadog-agent/pkg/security/secl/model" "github.com/DataDog/datadog-agent/pkg/security/seclog" activity_tree "github.com/DataDog/datadog-agent/pkg/security/security_profile/activity_tree" @@ -47,7 +48,7 @@ type ActivityDumpHandler interface { // SecurityProfileManager is a generic interface used to communicate with the Security Profile manager type SecurityProfileManager interface { - FetchSilentWorkloads() map[cgroupModel.WorkloadSelector][]*cgroupModel.CacheEntry + FetchSilentWorkloads() map[cgroupModel.WorkloadSelector][]*tags.Workload OnLocalStorageCleanup(files []string) } diff --git a/pkg/security/security_profile/profile/manager.go b/pkg/security/security_profile/profile/manager.go index aadd9b94cd88b..38fd111fbfe5a 100644 --- a/pkg/security/security_profile/profile/manager.go +++ b/pkg/security/security_profile/profile/manager.go @@ -29,7 +29,6 @@ import ( "github.com/DataDog/datadog-agent/pkg/security/metrics" "github.com/DataDog/datadog-agent/pkg/security/proto/api" "github.com/DataDog/datadog-agent/pkg/security/resolvers" - "github.com/DataDog/datadog-agent/pkg/security/resolvers/cgroup" cgroupModel "github.com/DataDog/datadog-agent/pkg/security/resolvers/cgroup/model" "github.com/DataDog/datadog-agent/pkg/security/resolvers/tags" "github.com/DataDog/datadog-agent/pkg/security/secl/containerutils" @@ -228,7 +227,7 @@ func (m *SecurityProfileManager) Start(ctx context.Context) { // register the manager to the CGroup resolver _ = m.resolvers.TagsResolver.RegisterListener(tags.WorkloadSelectorResolved, m.OnWorkloadSelectorResolvedEvent) - _ = m.resolvers.CGroupResolver.RegisterListener(cgroup.CGroupDeleted, m.OnCGroupDeletedEvent) + _ = m.resolvers.TagsResolver.RegisterListener(tags.WorkloadSelectorDeleted, m.OnWorkloadDeletedEvent) seclog.Infof("security profile manager started") @@ -250,7 +249,7 @@ func (m *SecurityProfileManager) propagateWorkloadSelectorsToProviders() { } // OnWorkloadSelectorResolvedEvent is used to handle the creation of a new cgroup with its resolved tags -func (m *SecurityProfileManager) OnWorkloadSelectorResolvedEvent(workload *cgroupModel.CacheEntry) { +func (m *SecurityProfileManager) OnWorkloadSelectorResolvedEvent(workload *tags.Workload) { m.profilesLock.Lock() defer m.profilesLock.Unlock() workload.Lock() @@ -261,7 +260,7 @@ func (m *SecurityProfileManager) OnWorkloadSelectorResolvedEvent(workload *cgrou return } - selector := workload.WorkloadSelector + selector := workload.Selector selector.Tag = "*" // check if the workload of this selector already exists @@ -307,7 +306,7 @@ func (m *SecurityProfileManager) OnWorkloadSelectorResolvedEvent(workload *cgrou } // LinkProfile applies a profile to the provided workload -func (m *SecurityProfileManager) LinkProfile(profile *SecurityProfile, workload *cgroupModel.CacheEntry) { +func (m *SecurityProfileManager) LinkProfile(profile *SecurityProfile, workload *tags.Workload) { profile.Lock() defer profile.Unlock() @@ -329,7 +328,7 @@ func (m *SecurityProfileManager) LinkProfile(profile *SecurityProfile, workload } // UnlinkProfile removes the link between a workload and a profile -func (m *SecurityProfileManager) UnlinkProfile(profile *SecurityProfile, workload *cgroupModel.CacheEntry) { +func (m *SecurityProfileManager) UnlinkProfile(profile *SecurityProfile, workload *tags.Workload) { profile.Lock() defer profile.Unlock() @@ -394,11 +393,11 @@ func FillProfileContextFromProfile(ctx *model.SecurityProfileContext, profile *S } } -// OnCGroupDeletedEvent is used to handle a CGroupDeleted event -func (m *SecurityProfileManager) OnCGroupDeletedEvent(workload *cgroupModel.CacheEntry) { +// OnWorkloadDeletedEvent is used to handle a WorkloadDeleted event +func (m *SecurityProfileManager) OnWorkloadDeletedEvent(workload *tags.Workload) { // lookup the profile selector := cgroupModel.WorkloadSelector{ - Image: workload.WorkloadSelector.Image, + Image: workload.Selector.Image, Tag: "*", } profile := m.GetProfile(selector) @@ -640,24 +639,24 @@ func (m *SecurityProfileManager) unloadProfile(profile *SecurityProfile) { } // linkProfile (thread unsafe) updates the kernel space mapping between a workload and its profile -func (m *SecurityProfileManager) linkProfile(profile *SecurityProfile, workload *cgroupModel.CacheEntry) { +func (m *SecurityProfileManager) linkProfile(profile *SecurityProfile, workload *tags.Workload) { if err := m.securityProfileMap.Put([]byte(workload.ContainerID), profile.profileCookie); err != nil { - seclog.Errorf("couldn't link workload %s (selector: %s) with profile %s (check map size limit ?): %v", workload.ContainerID, workload.WorkloadSelector.String(), profile.Metadata.Name, err) + seclog.Errorf("couldn't link workload %s (selector: %s) with profile %s (check map size limit ?): %v", workload.ContainerID, workload.Selector.String(), profile.Metadata.Name, err) return } - seclog.Infof("workload %s (selector: %s) successfully linked to profile %s", workload.ContainerID, workload.WorkloadSelector.String(), profile.Metadata.Name) + seclog.Infof("workload %s (selector: %s) successfully linked to profile %s", workload.ContainerID, workload.Selector.String(), profile.Metadata.Name) } // unlinkProfile (thread unsafe) updates the kernel space mapping between a workload and its profile -func (m *SecurityProfileManager) unlinkProfile(profile *SecurityProfile, workload *cgroupModel.CacheEntry) { +func (m *SecurityProfileManager) unlinkProfile(profile *SecurityProfile, workload *tags.Workload) { if !profile.loadedInKernel { return } if err := m.securityProfileMap.Delete([]byte(workload.ContainerID)); err != nil { - seclog.Errorf("couldn't unlink workload %s (selector: %s) with profile %s: %v", workload.ContainerID, workload.WorkloadSelector.String(), profile.Metadata.Name, err) + seclog.Errorf("couldn't unlink workload %s (selector: %s) with profile %s: %v", workload.ContainerID, workload.Selector.String(), profile.Metadata.Name, err) } - seclog.Infof("workload %s (selector: %s) successfully unlinked from profile %s", workload.ContainerID, workload.WorkloadSelector.String(), profile.Metadata.Name) + seclog.Infof("workload %s (selector: %s) successfully unlinked from profile %s", workload.ContainerID, workload.Selector.String(), profile.Metadata.Name) } func (m *SecurityProfileManager) canGenerateAnomaliesFor(e *model.Event) bool { @@ -960,11 +959,11 @@ func (m *SecurityProfileManager) SaveSecurityProfile(params *api.SecurityProfile } // FetchSilentWorkloads returns the list of workloads for which we haven't received any profile -func (m *SecurityProfileManager) FetchSilentWorkloads() map[cgroupModel.WorkloadSelector][]*cgroupModel.CacheEntry { +func (m *SecurityProfileManager) FetchSilentWorkloads() map[cgroupModel.WorkloadSelector][]*tags.Workload { m.profilesLock.Lock() defer m.profilesLock.Unlock() - out := make(map[cgroupModel.WorkloadSelector][]*cgroupModel.CacheEntry) + out := make(map[cgroupModel.WorkloadSelector][]*tags.Workload) for selector, profile := range m.profiles { profile.Lock() diff --git a/pkg/security/security_profile/profile/manager_test.go b/pkg/security/security_profile/profile/manager_test.go index dc41ce396c286..b25390fbad9d0 100644 --- a/pkg/security/security_profile/profile/manager_test.go +++ b/pkg/security/security_profile/profile/manager_test.go @@ -21,6 +21,7 @@ import ( "github.com/DataDog/datadog-agent/pkg/security/config" cgroupModel "github.com/DataDog/datadog-agent/pkg/security/resolvers/cgroup/model" + "github.com/DataDog/datadog-agent/pkg/security/resolvers/tags" "github.com/DataDog/datadog-agent/pkg/security/secl/containerutils" "github.com/DataDog/datadog-agent/pkg/security/secl/model" activity_tree "github.com/DataDog/datadog-agent/pkg/security/security_profile/activity_tree" @@ -841,14 +842,15 @@ func TestSecurityProfileManager_tryAutolearn(t *testing.T) { if ti.newProfile || profile == nil { profile = NewSecurityProfile(cgroupModel.WorkloadSelector{Image: "image", Tag: "tag"}, []model.EventType{model.ExecEventType, model.DNSEventType}, nil) profile.ActivityTree = activity_tree.NewActivityTree(profile, nil, "security_profile") - profile.Instances = append(profile.Instances, &cgroupModel.CacheEntry{ - ContainerContext: model.ContainerContext{ + profile.Instances = append(profile.Instances, &tags.Workload{ + CacheEntry: &cgroupModel.CacheEntry{ContainerContext: model.ContainerContext{ ContainerID: containerutils.ContainerID(defaultContainerID), }, - CGroupContext: model.CGroupContext{ - CGroupID: containerutils.CGroupID(defaultContainerID), + CGroupContext: model.CGroupContext{ + CGroupID: containerutils.CGroupID(defaultContainerID), + }, }, - WorkloadSelector: cgroupModel.WorkloadSelector{Image: "image", Tag: "tag"}, + Selector: cgroupModel.WorkloadSelector{Image: "image", Tag: "tag"}, }) profile.loadedNano = uint64(t0.UnixNano()) } diff --git a/pkg/security/security_profile/profile/profile.go b/pkg/security/security_profile/profile/profile.go index c70c28f9712b2..b7118732d1a9d 100644 --- a/pkg/security/security_profile/profile/profile.go +++ b/pkg/security/security_profile/profile/profile.go @@ -22,6 +22,7 @@ import ( "github.com/DataDog/datadog-agent/pkg/security/proto/api" cgroupModel "github.com/DataDog/datadog-agent/pkg/security/resolvers/cgroup/model" + "github.com/DataDog/datadog-agent/pkg/security/resolvers/tags" "github.com/DataDog/datadog-agent/pkg/security/secl/model" activity_tree "github.com/DataDog/datadog-agent/pkg/security/security_profile/activity_tree" mtdt "github.com/DataDog/datadog-agent/pkg/security/security_profile/activity_tree/metadata" @@ -69,7 +70,7 @@ type SecurityProfile struct { pathsReducer *activity_tree.PathsReducer // Instances is the list of workload instances to witch the profile should apply - Instances []*cgroupModel.CacheEntry + Instances []*tags.Workload // Metadata contains metadata for the current profile Metadata mtdt.Metadata diff --git a/pkg/security/security_profile/tests/activity_tree_test.go b/pkg/security/security_profile/tests/activity_tree_test.go index 5f9afbb1c9e9a..a814932f385fd 100644 --- a/pkg/security/security_profile/tests/activity_tree_test.go +++ b/pkg/security/security_profile/tests/activity_tree_test.go @@ -20,6 +20,7 @@ import ( "github.com/stretchr/testify/assert" cgroupModel "github.com/DataDog/datadog-agent/pkg/security/resolvers/cgroup/model" + "github.com/DataDog/datadog-agent/pkg/security/resolvers/tags" "github.com/DataDog/datadog-agent/pkg/security/secl/containerutils" "github.com/DataDog/datadog-agent/pkg/security/secl/model" activity_tree "github.com/DataDog/datadog-agent/pkg/security/security_profile/activity_tree" @@ -692,12 +693,14 @@ func TestActivityTree_CreateProcessNode(t *testing.T) { profile := profile.NewSecurityProfile(cgroupModel.WorkloadSelector{Image: "image", Tag: "tag"}, []model.EventType{model.ExecEventType, model.DNSEventType}, nil) at = activity_tree.NewActivityTree(profile, nil, "profile") profile.ActivityTree = at - profile.Instances = append(profile.Instances, &cgroupModel.CacheEntry{ - ContainerContext: model.ContainerContext{ - ContainerID: containerutils.ContainerID(contID), + profile.Instances = append(profile.Instances, &tags.Workload{ + CacheEntry: &cgroupModel.CacheEntry{ + ContainerContext: model.ContainerContext{ + ContainerID: containerutils.ContainerID(contID), + }, + CGroupContext: model.CGroupContext{CGroupID: containerutils.CGroupID(contID)}, }, - CGroupContext: model.CGroupContext{CGroupID: containerutils.CGroupID(contID)}, - WorkloadSelector: cgroupModel.WorkloadSelector{Image: "image", Tag: "tag"}, + Selector: cgroupModel.WorkloadSelector{Image: "image", Tag: "tag"}, }) } } else { // retrieve last saved tree state