update crio regex for intra-pod workload attestation

[critterjohnson]

Pull Request check list

• Commit conforms to CONTRIBUTING.md?
• Proper tests/regressions included?
• Documentation updated?

Affected functionality

This PR updates the cgroup regex for workloads in the same pod as the agent. It affects the k8s WorkloadAttestor.

Description of change

This PR updates the cgroup regex for workloads in the same pod as the agent. Without this, any containers in the the agent's pod cannot verify with the agent.

Which issue this PR fixes

fixes #4917

[evan2645]

Thank you very much for sending this @critterjohnson - we assigned @azdagron who is doing some related work right now. He should touch back here in the next week or two with an update. Thanks for your patience

[critterjohnson]

@azdagron any updates here? I saw y'all moved the milestone for the cgroups issue to 1.9.3. Of course this is part of that larger issue, but this is a good band-aid for this use case.

[azdagron]

Thanks, @critterjohnson. This looks good and I'm glad it solves your edge case.

The work to more fully support cgroups v2 will almost completely replace our algorithm used to determine the container ID. When I have a PR ready, I'd love for you to give it a go in your environment.

[azdagron]

Hmm, looks like this breaks existing unit tests.

2024/04/03 15:20:10 More than one regex matches for cgroup /kubepods-besteffort-pod72f7f152_440c_66ac_9084_e0fc1d8a910c.slice:cri-containerd:b2a102854b4969b2ce98dc329c86b4fb2b06e4ad2cc8da9d8a7578c9cd2004a2

There is a check that a given cgroup only matches one regex. Matching more than one regex isn't actually problematic unless the match would yield a different set of results, but the code isn't that smart (yet).

Since both this PR and the cgroups v2 support work that is under way are both slated for 1.9.3, one option is to just wait to see if that cgroups v2 work covers this case sufficiently. Otherwise, we'll need to change the code to relax a little like i described above.

[critterjohnson]

Or we could tighten the regex a little. I'll take a look this weekend; I had this passing unit tests locally originally but they're failing now.

[azdagron]

Thanks again for putting this fix together @critterjohnson. I was finally able to get #5076 opened to more robustly handle cgroups v2 support. This fix should no longer be necessary. So I'll go ahead and close out the PR.

Do you think you'd have time to test #5076 against your crio setup? You'd need to check it out and build an agent image. Then, to enable it, you have to turn on the new support in the agent configuration for the "k8s" WorkloadAttestor plugin.

WorkloadAttestor "k8s" {
     .... other config values ....
     use_new_container_locator = true
}

If enabled, you should see a line like the following on startup:

INFO[0000] Plugin loaded                                 external=false plugin_name=unix plugin_type=WorkloadAttestor subsystem_name=catalog
INFO[0000] Using the new container locator               external=false plugin_name=k8s plugin_type=WorkloadAttestor subsystem_name=catalog

[critterjohnson]

@azdagron Would love to try this on our env - I'll do it next week. Thanks!

[azdagron]

@critterjohnson awesome! For what it's worth, the nightly image has been built with the change, so it should be a little easier to test with.