Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Incompatibility WorkloadAttestation k8s and Kubeedge k8s #3183

Closed
goergch opened this issue Jun 23, 2022 · 2 comments · Fixed by #3242
Closed

Incompatibility WorkloadAttestation k8s and Kubeedge k8s #3183

goergch opened this issue Jun 23, 2022 · 2 comments · Fixed by #3242
Labels
help wanted Issues with this label are ready to start work but are in need of someone to do it priority/backlog Issue is approved and in the backlog
Milestone
1.4.0

Comments

@goergch
Copy link
Contributor

goergch commented Jun 23, 2022

We have a kubernetes cluster, which includes nodes, that are connected via kubeedge (https://kubeedge.io/) and run cri-o. In this system we are using spire and also the kubeedge nodes run spire agents.

Sadly the workloadattestor k8s was incompatible with our system, but we managed to patch it temporarily with spire v1.0.0.
The problem is that /proc/{PID}/cgroup looks different on our system, than on a "normal" k8s node.

"Normal" k8s node:

12:hugetlb:/kubepods.slice/kubepods-besteffort.slice/kubepods-besteffort-pod169fbc47_41d0_4df5_be62_6b231010b6c4.slice/docker-bbf76635888294204963d9e32e4fae57dcbf8eddb7adeecbd55672cd5fbc2249.scope
11:freezer:/kubepods.slice/kubepods-besteffort.slice/kubepods-besteffort-pod169fbc47_41d0_4df5_be62_6b231010b6c4.slice/docker-bbf76635888294204963d9e32e4fae57dcbf8eddb7adeecbd55672cd5fbc2249.scope
10:net_cls,net_prio:/kubepods.slice/kubepods-besteffort.slice/kubepods-besteffort-pod169fbc47_41d0_4df5_be62_6b231010b6c4.slice/docker-bbf76635888294204963d9e32e4fae57dcbf8eddb7adeecbd55672cd5fbc2249.scope
9:perf_event:/kubepods.slice/kubepods-besteffort.slice/kubepods-besteffort-pod169fbc47_41d0_4df5_be62_6b231010b6c4.slice/docker-bbf76635888294204963d9e32e4fae57dcbf8eddb7adeecbd55672cd5fbc2249.scope
8:memory:/kubepods.slice/kubepods-besteffort.slice/kubepods-besteffort-pod169fbc47_41d0_4df5_be62_6b231010b6c4.slice/docker-bbf76635888294204963d9e32e4fae57dcbf8eddb7adeecbd55672cd5fbc2249.scope
7:blkio:/kubepods.slice/kubepods-besteffort.slice/kubepods-besteffort-pod169fbc47_41d0_4df5_be62_6b231010b6c4.slice/docker-bbf76635888294204963d9e32e4fae57dcbf8eddb7adeecbd55672cd5fbc2249.scope
6:pids:/kubepods.slice/kubepods-besteffort.slice/kubepods-besteffort-pod169fbc47_41d0_4df5_be62_6b231010b6c4.slice/docker-bbf76635888294204963d9e32e4fae57dcbf8eddb7adeecbd55672cd5fbc2249.scope
5:cpu,cpuacct:/kubepods.slice/kubepods-besteffort.slice/kubepods-besteffort-pod169fbc47_41d0_4df5_be62_6b231010b6c4.slice/docker-bbf76635888294204963d9e32e4fae57dcbf8eddb7adeecbd55672cd5fbc2249.scope
4:rdma:/
3:cpuset:/kubepods.slice/kubepods-besteffort.slice/kubepods-besteffort-pod169fbc47_41d0_4df5_be62_6b231010b6c4.slice/docker-bbf76635888294204963d9e32e4fae57dcbf8eddb7adeecbd55672cd5fbc2249.scope
2:devices:/kubepods.slice/kubepods-besteffort.slice/kubepods-besteffort-pod169fbc47_41d0_4df5_be62_6b231010b6c4.slice/docker-bbf76635888294204963d9e32e4fae57dcbf8eddb7adeecbd55672cd5fbc2249.scope
1:name=systemd:/kubepods.slice/kubepods-besteffort.slice/kubepods-besteffort-pod169fbc47_41d0_4df5_be62_6b231010b6c4.slice/docker-bbf76635888294204963d9e32e4fae57dcbf8eddb7adeecbd55672cd5fbc2249.scope
0::/

our edge node:

0::/../crio-45490e76e0878aaa4d9808f7d2eefba37f093c3efbba9838b6d8ab804d9bd814.scope

As said, patching the workloadattestor in spire 1.0.0 was possible by adapting the regex extracting the container id.
But since #2600 v1.1.1, the algorithm also checks for PodUID. As this information is not available in the cgroup of our system, patching is no more possible.

A solution inside spire is highly appreciated. But hints on how to configure our edge node could also help.

  • Version: v1.2.3
  • Platform: Linux 1bdf700d-f0dd-4eb4-89eb-47eb8acfd704 5.18.4-1-default CLI authentication #1 SMP PREEMPT_DYNAMIC Wed Jun 15 06:00:33 UTC 2022 (ed6345d) x86_64 x86_64 x86_64 GNU/Linux, MicroOS Opensuse, cri-o, kubeedge
  • Subsystem: workloadattestor k8s
@MarcosDY MarcosDY added this to the 1.4.0 milestone Jun 23, 2022
@MarcosDY MarcosDY added help wanted Issues with this label are ready to start work but are in need of someone to do it priority/backlog Issue is approved and in the backlog labels Jun 23, 2022
@azdagron
Copy link
Member

Hmm, that's interesting. I don't know much experience with either crio or kubeedge. If there were a way to influence cgroup structure that would be ideal.

However, that being said, the extraction of the pod uid is currently to short-circuit searching through unrelated pods for the container running the workload process. I think we could probably support this kind of setup by doing the following:

  1. Allowing the configured regex to only select the container id by choosing whether the regex had one or two match groups. If two, assume that match group 1 is the pod id and match group 2 is the container id (today's behavior). If only a single match group, assume it is the container id.
  2. If the pod id is not extracted, then search all pods in the listing for the target container. If more than one pod is identified as having that container (which would be an exceptional circumstance and likely a bug) then return error from workload attestation.

goergch added a commit to goergch/spire that referenced this issue Jul 11, 2022
@goergch
closes spiffe#3183
97172db 
adding cgroup regex for crio
adding check, that containerId is not duplicated
goergch added a commit to goergch/spire that referenced this issue Jul 13, 2022
@goergch
closes spiffe#3183
a4a56f2 
Signed-off-by: Christian Görg <christian.goerg@trumpf.com>
goergch added a commit to goergch/spire that referenced this issue Jul 13, 2022
@goergch
closes spiffe#3183
62601da 
Signed-off-by: Christian Görg <christian.goerg@trumpf.com>
@goergch goergch mentioned this issue Jul 13, 2022
Merged
3 tasks
goergch added a commit to goergch/spire that referenced this issue Jul 26, 2022
@goergch
closes spiffe#3183
65aba2c 
Signed-off-by: Christian Görg <christian.goerg@trumpf.com>
@goergch
Copy link
Contributor Author

goergch commented Aug 1, 2022

Issue is fixed by #3242
The issue is rather kubeedge than cri-o,

@goergch goergch closed this as completed Aug 1, 2022
MarcosDY pushed a commit that referenced this issue Aug 1, 2022
@goergch
Add crio compatibility to WorkloadAttestor k8s - fixes #3183 (#3242)
1d447fb 
- Adding cgroups regex to also match cgroup entries, that don't include a pod UI. That is explicitly currently crio, as no other container runtimes are known at the moment, that have the same behavior. The new regex therefore also explicitly checks for the "crio" string. It wasn't possible for me to combine the regex with the existing.
- search through all pods and check, that the containerId found in cgroups, is is only present in one pod
Signed-off-by: Christian Görg <christian.goerg@trumpf.com>

Signed-off-by: Christian Görg <christian.goerg@trumpf.com>
stevend-uber pushed a commit to stevend-uber/spire that referenced this issue Oct 16, 2023
@goergch @stevend-uber
Add crio compatibility to WorkloadAttestor k8s - fixes spiffe#3183 (s…
14ddabd 
…piffe#3242)

- Adding cgroups regex to also match cgroup entries, that don't include a pod UI. That is explicitly currently crio, as no other container runtimes are known at the moment, that have the same behavior. The new regex therefore also explicitly checks for the "crio" string. It wasn't possible for me to combine the regex with the existing.
- search through all pods and check, that the containerId found in cgroups, is is only present in one pod
Signed-off-by: Christian Görg <christian.goerg@trumpf.com>

Signed-off-by: Christian Görg <christian.goerg@trumpf.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
help wanted Issues with this label are ready to start work but are in need of someone to do it priority/backlog Issue is approved and in the backlog
Projects
None yet
Milestone
1.4.0
Development

Successfully merging a pull request may close this issue.

Add crio compatibility to WorkloadAttestor k8s - fixes #3183 goergch/spire
3 participants
@MarcosDY @azdagron @goergch