Fix workload attestation for K8s 1.21+ #2600

Merged
merged 4 commits into from
Nov 1, 2021


azdagron
Member

Kubernetes 1.21 seems to use cgroups namespaces differently than 1.20. This breaks assumptions in the K8s workload attestor about how the paths of the cgroups are shaped which prevents the attestor from locating the pod/container of the process under attestation.

This change relaxes the regular expression to not expect the cgroup paths we use to identify the pod/container to be expressly under a kubepods prefix.

Fixes: #2578
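
As an added illustration of the cgroup-path matching described above (not SPIRE's code and not part of the original thread), this Go example compares a pattern that requires a kubepods prefix with one that anchors only on the pod/container tail. Both patterns, the `identify` helper, the fail-closed conflict check and the sample paths (including the `/../../` shape used for the newer layout) are assumptions constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

var (
	// strictRE (illustrative, not SPIRE's own) insists on a "kubepods" prefix.
	strictRE = regexp.MustCompile(`^/kubepods(?:/[^/]+)*/pod([0-9a-f-]{36})/([0-9a-f]{64})$`)
	// relaxedRE anchors only on the "/pod<uid>/<container id>" tail of the path.
	relaxedRE   = regexp.MustCompile(`/pod([0-9a-f-]{36})/([0-9a-f]{64})$`)
	errConflict = errors.New("cgroup lines disagree on pod/container")
	// Constructed sample data: one pod UID, one container ID, two path shapes.
	uid  = "2c48913c-b29f-11e7-9350-020968147796"
	cid  = strings.Repeat("ab12", 16)
	oldK = "11:hugetlb:/kubepods/burstable/pod" + uid + "/" + cid
	newK = "11:hugetlb:/../../pod" + uid + "/" + cid
)

// identify scans /proc/<pid>/cgroup content ("id:controllers:path" per line) and
// returns the pod UID and container ID, failing closed if two lines disagree.
func identify(re *regexp.Regexp, procCgroup string) (pod, ctr string, err error) {
	for _, line := range strings.Split(procCgroup, "\n") {
		f := strings.SplitN(line, ":", 3)
		m := re.FindStringSubmatch(f[len(f)-1])
		if len(f) != 3 || m == nil {
			continue
		}
		if pod != "" && (m[1] != pod || m[2] != ctr) {
			return "", "", errConflict
		}
		pod, ctr = m[1], m[2]
	}
	if pod == "" {
		return "", "", errors.New("no pod/container found in cgroup paths")
	}
	return pod, ctr, nil
}

func main() {
	for _, in := range []string{oldK, newK} {
		_, _, strictErr := identify(strictRE, in)
		pod, ctr, err := identify(relaxedRE, in)
		fmt.Printf("strict err=%v | relaxed pod=%s ctr=%s err=%v\n", strictErr, pod, ctr, err)
	}
}
```

The relaxed pattern still pins the match to a well-formed pod UID and a full-length container ID at the end of the path, so dropping the prefix requirement does not turn it into a match on arbitrary cgroup names.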

Kubernetes 1.21 seems to use cgroups namespaces differently than 1.20.
This breaks assumptions in the K8s workload attestor about how the paths
of the cgroups are shaped which prevents the attestor from locating the
pod/container of the process under attestation.

This change relaxes the regular expression to not expect the cgroup
paths we use to identify the pod/container to be expressly under a
kubepods prefix.

Fixes: spiffe#2578

Signed-off-by: Andrew Harding <aharding@vmware.com>
@evan2645 evan2645 added this to the 1.1.1 milestone Oct 25, 2021
@wwentland

Thank you for looking into this, @azdagron !

I just tested a local build of this with the quickstart instructions (which required a few fixes to the server configuration) and can confirm that this change does indeed fix #2578

Signed-off-by: Andrew Harding <aharding@vmware.com>
Member

@evan2645 evan2645 left a comment

thank you @azdagron it's nice to see that the pod uid optimization ended up being so targeted

@azdagron azdagron merged commit 9fab47f into spiffe:main Nov 1, 2021
@azdagron azdagron deleted the fix-k8s-workload-attestation branch November 1, 2021 22:51
Successfully merging this pull request may close these issues.

K8S Workload Attestation not working on Fedora 33