stackrox · JoukoVirtanen · Sep 11, 2025 · Sep 8, 2025 · Sep 4, 2025 · Sep 4, 2025
diff --git a/central/detection/lifecycle/manager.go b/central/detection/lifecycle/manager.go
@@ -4,6 +4,7 @@ import (
 	"time"
 
 	"github.com/stackrox/rox/central/activecomponent/updater/aggregator"
+	clusterDatastore "github.com/stackrox/rox/central/cluster/datastore"
 	"github.com/stackrox/rox/central/deployment/cache"
 	deploymentDatastore "github.com/stackrox/rox/central/deployment/datastore"
 	"github.com/stackrox/rox/central/deployment/queue"
@@ -48,14 +49,16 @@ type Manager interface {
 
 // newManager returns a new manager with the injected dependencies.
 func newManager(buildTimeDetector buildtime.Detector, deployTimeDetector deploytime.Detector, runtimeDetector runtime.Detector,
-	deploymentDatastore deploymentDatastore.DataStore, processesDataStore processDatastore.DataStore, baselines baselineDataStore.DataStore,
-	alertManager alertmanager.AlertManager, reprocessor reprocessor.Loop, deletedDeploymentsCache cache.DeletedDeployments, filter filter.Filter,
-	processAggregator aggregator.ProcessAggregator, connectionManager connection.Manager) *managerImpl {
+	clusterDatastore clusterDatastore.DataStore, deploymentDatastore deploymentDatastore.DataStore, processesDataStore processDatastore.DataStore,
+	baselines baselineDataStore.DataStore, alertManager alertmanager.AlertManager, reprocessor reprocessor.Loop,
+	deletedDeploymentsCache cache.DeletedDeployments, filter filter.Filter, processAggregator aggregator.ProcessAggregator,
+	connectionManager connection.Manager) *managerImpl {
 	m := &managerImpl{
 		buildTimeDetector:       buildTimeDetector,
 		deployTimeDetector:      deployTimeDetector,
 		runtimeDetector:         runtimeDetector,
 		alertManager:            alertManager,
+		clusterDataStore:        clusterDatastore,
 		deploymentDataStore:     deploymentDatastore,
 		processesDataStore:      processesDataStore,
 		baselines:               baselines,

diff --git a/central/detection/lifecycle/manager_impl.go b/central/detection/lifecycle/manager_impl.go
@@ -7,6 +7,7 @@ import (
 
 	"github.com/pkg/errors"
 	"github.com/stackrox/rox/central/activecomponent/updater/aggregator"
+	clusterDatastore "github.com/stackrox/rox/central/cluster/datastore"
 	"github.com/stackrox/rox/central/deployment/cache"
 	deploymentDatastore "github.com/stackrox/rox/central/deployment/datastore"
 	"github.com/stackrox/rox/central/deployment/queue"
@@ -43,7 +44,7 @@ import (
 var (
 	lifecycleMgrCtx = sac.WithGlobalAccessScopeChecker(context.Background(),
 		sac.AllowFixedScopes(sac.AccessModeScopeKeys(storage.Access_READ_ACCESS, storage.Access_READ_WRITE_ACCESS),
-			sac.ResourceScopeKeys(resources.Alert, resources.Deployment, resources.Image,
+			sac.ResourceScopeKeys(resources.Alert, resources.Deployment, resources.Image, resources.Cluster,
 				resources.DeploymentExtension, resources.WorkflowAdministration, resources.Namespace)))
 
 	genDuration = env.BaselineGenerationDuration.DurationSetting()
@@ -65,6 +66,7 @@ type managerImpl struct {
 
 	alertManager alertmanager.AlertManager
 
+	clusterDataStore        clusterDatastore.DataStore
 	deploymentDataStore     deploymentDatastore.DataStore
 	processesDataStore      processIndicatorDatastore.DataStore
 	baselines               baselineDataStore.DataStore
@@ -169,32 +171,68 @@ func (m *managerImpl) flushBaselineQueue() {
 		// Grab the first deployment to baseline.
 		// NOTE:  This is the only place from which Pull is called.
 		deployment := m.deploymentObservationQueue.Pull()
+		deploymentId := deployment.DeploymentID
 
-		baselines := m.addBaseline(deployment.DeploymentID)
+		baselines := m.addBaseline(deploymentId)
 
-		if !features.AutoLockProcessBaselines.Enabled() {
+		fullDeployment, found, err := m.deploymentDataStore.GetDeployment(lifecycleMgrCtx, deploymentId)
+
+		if !found {
+			log.Errorf("Error: Cluster not found for deployment %s", deploymentId)
 			continue
 		}
 
-		for _, baseline := range baselines {
-			if baseline == nil || baseline.GetUserLockedTimestamp() != nil {
-				continue
-			}
+		if err != nil {
+			log.Errorf("Error getting cluster for deployment %s: %+v", deploymentId, err)
+			continue
+		}
 
-			baseline.UserLockedTimestamp = protocompat.TimestampNow()
-			_, err := m.baselines.UserLockProcessBaseline(lifecycleMgrCtx, baseline.GetKey(), true)
-			if err != nil {
-				log.Errorf("Error setting user lock for %+v: %v", baseline.GetKey(), err)
-				continue
-			}
-			err = m.SendBaselineToSensor(baseline)
-			if err != nil {
-				log.Errorf("Error sending process baseline %+v: %v", baseline, err)
-			}
+		if m.isAutoLockEnabledForCluster(fullDeployment.GetClusterId()) {
+			m.autoLockProcessBaselines(baselines)
+		}
+	}
+}
+
+func (m *managerImpl) autoLockProcessBaselines(baselines []*storage.ProcessBaseline) {
+	for _, baseline := range baselines {
+		if baseline == nil || baseline.GetUserLockedTimestamp() != nil {
+			continue
+		}
+
+		baseline.UserLockedTimestamp = protocompat.TimestampNow()
+		_, err := m.baselines.UserLockProcessBaseline(lifecycleMgrCtx, baseline.GetKey(), true)
+		if err != nil {
+			log.Errorf("Error setting user lock for %+v: %v", baseline.GetKey(), err)
+			continue
+		}
+		err = m.SendBaselineToSensor(baseline)
+		if err != nil {
+			log.Errorf("Error sending process baseline %+v: %v", baseline, err)
 		}
 	}
 }
 
+// Perhaps the cluster config should be kept in memory and calling the database should not be needed
+func (m *managerImpl) isAutoLockEnabledForCluster(clusterId string) bool {
+	if !features.AutoLockProcessBaselines.Enabled() {
+		return false
+	}
+
+	cluster, found, err := m.clusterDataStore.GetCluster(lifecycleMgrCtx, clusterId)
+
+	if err != nil {
+		log.Errorf("Error getting cluster config %s: %v", clusterId, err)
+		return false
+	}
+
+	if !found {
+		log.Errorf("Error: Unable to find cluster %s", clusterId)
+		return false
+	}
+
+	return cluster.GetDynamicConfig().GetAutoLockProcessBaselinesConfig().GetEnabled()
+}
+
 func (m *managerImpl) flushIndicatorQueue() {
 	// This is a potentially long-running operation, and we don't want to have a pile of goroutines queueing up on
 	// this lock.

diff --git a/central/detection/lifecycle/manager_impl_test.go b/central/detection/lifecycle/manager_impl_test.go
@@ -6,14 +6,17 @@ import (
 	"time"
 
 	"github.com/pkg/errors"
+	clusterDataStoreMocks "github.com/stackrox/rox/central/cluster/datastore/mocks"
 	queueMocks "github.com/stackrox/rox/central/deployment/queue/mocks"
 	alertManagerMocks "github.com/stackrox/rox/central/detection/alertmanager/mocks"
 	processBaselineDataStoreMocks "github.com/stackrox/rox/central/processbaseline/datastore/mocks"
 	reprocessorMocks "github.com/stackrox/rox/central/reprocessor/mocks"
 	connectionMocks "github.com/stackrox/rox/central/sensor/service/connection/mocks"
 	"github.com/stackrox/rox/generated/storage"
 	"github.com/stackrox/rox/pkg/env"
+	"github.com/stackrox/rox/pkg/features"
 	"github.com/stackrox/rox/pkg/fixtures"
+	"github.com/stackrox/rox/pkg/fixtures/fixtureconsts"
 	"github.com/stackrox/rox/pkg/protoassert"
 	"github.com/stackrox/rox/pkg/protocompat"
 	"github.com/stackrox/rox/pkg/set"
@@ -22,6 +25,26 @@ import (
 	"go.uber.org/mock/gomock"
 )
 
+var (
+	clusterAutolockEnabled = &storage.Cluster{
+		ManagedBy: storage.ManagerType_MANAGER_TYPE_MANUAL,
+		DynamicConfig: &storage.DynamicClusterConfig{
+			AutoLockProcessBaselinesConfig: &storage.AutoLockProcessBaselinesConfig{
+				Enabled: true,
+			},
+		},
+	}
+
+	clusterAutolockDisabled = &storage.Cluster{
+		ManagedBy: storage.ManagerType_MANAGER_TYPE_MANUAL,
+		DynamicConfig: &storage.DynamicClusterConfig{
+			AutoLockProcessBaselinesConfig: &storage.AutoLockProcessBaselinesConfig{
+				Enabled: false,
+			},
+		},
+	}
+)
+
 func TestManager(t *testing.T) {
 	suite.Run(t, new(ManagerTestSuite))
 }
@@ -36,6 +59,7 @@ type ManagerTestSuite struct {
 	manager                    *managerImpl
 	mockCtrl                   *gomock.Controller
 	connectionManager          *connectionMocks.MockManager
+	cluster                    *clusterDataStoreMocks.MockDataStore
 }
 
 func (suite *ManagerTestSuite) SetupTest() {
@@ -46,13 +70,15 @@ func (suite *ManagerTestSuite) SetupTest() {
 	suite.alertManager = alertManagerMocks.NewMockAlertManager(suite.mockCtrl)
 	suite.deploymentObservationQueue = queueMocks.NewMockDeploymentObservationQueue(suite.mockCtrl)
 	suite.connectionManager = connectionMocks.NewMockManager(suite.mockCtrl)
+	suite.cluster = clusterDataStoreMocks.NewMockDataStore(suite.mockCtrl)
 
 	suite.manager = &managerImpl{
 		baselines:                  suite.baselines,
 		reprocessor:                suite.reprocessor,
 		alertManager:               suite.alertManager,
 		deploymentObservationQueue: suite.deploymentObservationQueue,
 		connectionManager:          suite.connectionManager,
+		clusterDataStore:           suite.cluster,
 	}
 }
 
@@ -216,3 +242,38 @@ func TestFilterOutDisabledPolicies(t *testing.T) {
 		protoassert.SlicesEqual(t, c.expectedAlerts, testAlerts)
 	}
 }
+
+func (suite *ManagerTestSuite) TestAutoLockProcessBaselines() {
+	clusterId := fixtureconsts.Cluster1
+
+	suite.T().Setenv(features.AutoLockProcessBaselines.EnvVar(), "true")
+	suite.cluster.EXPECT().GetCluster(gomock.Any(), clusterId).Return(clusterAutolockEnabled, true, nil)
+	enabled := suite.manager.isAutoLockEnabledForCluster(clusterId)
+	suite.True(enabled)
+}
+
+func (suite *ManagerTestSuite) TestAutoLockProcessBaselinesFeatureFlagDisabled() {
+	clusterId := fixtureconsts.Cluster1
+
+	suite.T().Setenv(features.AutoLockProcessBaselines.EnvVar(), "false")
+	enabled := suite.manager.isAutoLockEnabledForCluster(clusterId)
+	suite.False(enabled)
+}
+
+func (suite *ManagerTestSuite) TestAutoLockProcessBaselinesDisabled() {
+	clusterId := fixtureconsts.Cluster1
+
+	suite.T().Setenv(features.AutoLockProcessBaselines.EnvVar(), "true")
+	suite.cluster.EXPECT().GetCluster(gomock.Any(), clusterId).Return(clusterAutolockDisabled, true, nil)
+	enabled := suite.manager.isAutoLockEnabledForCluster(clusterId)
+	suite.False(enabled)
+}
+
+func (suite *ManagerTestSuite) TestAutoLockProcessBaselinesNoCluster() {
+	clusterId := fixtureconsts.Cluster1
+
+	suite.T().Setenv(features.AutoLockProcessBaselines.EnvVar(), "true")
+	suite.cluster.EXPECT().GetCluster(gomock.Any(), clusterId).Return(nil, false, nil)
+	enabled := suite.manager.isAutoLockEnabledForCluster(clusterId)
+	suite.False(enabled)
+}
diff --git a/central/detection/lifecycle/singleton.go b/central/detection/lifecycle/singleton.go
@@ -3,6 +3,7 @@ package lifecycle
 import (
 	"github.com/pkg/errors"
 	"github.com/stackrox/rox/central/activecomponent/updater/aggregator"
+	clusterDatastore "github.com/stackrox/rox/central/cluster/datastore"
 	"github.com/stackrox/rox/central/deployment/cache"
 	deploymentDatastore "github.com/stackrox/rox/central/deployment/datastore"
 	"github.com/stackrox/rox/central/detection/alertmanager"
@@ -29,6 +30,7 @@ func initialize() {
 		buildtime.SingletonDetector(),
 		deploytime.SingletonDetector(),
 		runtime.SingletonDetector(),
+		clusterDatastore.Singleton(),
 		deploymentDatastore.Singleton(),
 		processDatastore.Singleton(),
 		baselineDataStore.Singleton(),

diff --git a/central/graphql/resolvers/generated.go b/central/graphql/resolvers/generated.go
diff --git a/generated/api/v1/cluster_service.swagger.json b/generated/api/v1/cluster_service.swagger.json