From 7e0b326d555074fadab76d0a87c22c79cf47bdb2 Mon Sep 17 00:00:00 2001
From: Christopher Johnson
Date: Tue, 27 Feb 2024 14:32:40 -0500
Subject: [PATCH 1/2] add regex for local pods
Signed-off-by: Christopher Johnson
---
pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go
index 7b64f4c3b9..996dbabe9e 100644
--- a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go
+++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go
@@ -138,6 +138,17 @@ var cgroupREs = []*regexp.Regexp{
 `(?:[[:^punct:]]*/*)*crio[[:punct:]]` +
 // non-punctuation end of string, i.e., the container ID
 `(?P[[:xdigit:]]{64})$`),
+
+ // Within the same pod, the PodUID will not be present in the cgroup.
+ regexp.MustCompile(`` +
+ // intentionally empty poduid group
+ `(?P)` +
+ // mustnotmatch group: cgroup path must not include a poduid
+ `(?Ppod[[:xdigit:]]{8}[[:punct:]]?[[:xdigit:]]{4}[[:punct:]]?[[:xdigit:]]{4}[[:punct:]]?[[:xdigit:]]{4}[[:punct:]]?[[:xdigit:]]{12}[[:punct:]])?` +
+ // zero or more punctuation separated "segments" (e.g. "docker-")
+ `(?:[[:^punct:]]+[[:punct:]])*` +
+ // non-punctuation end of string, i.e., the container ID
+ `(?P[[:xdigit:]]{64})$`),
 }
 
 func reSubMatchMap(r *regexp.Regexp, str string) map[string]string {
From 7b49e5135fb22204ad5bea6a4da0d2ee18e4f2ad Mon Sep 17 00:00:00 2001
From: Christopher Johnson
Date: Tue, 5 Mar 2024 20:26:20 -0500
Subject: [PATCH 2/2] patch
Signed-off-by: Christopher Johnson
---
.../plugin/workloadattestor/k8s/k8s_posix.go | 16 +++-------------
1 file changed, 3 insertions(+), 13 deletions(-)
diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go
index 996dbabe9e..27a2a7562f 100644
--- a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go
+++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go
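Review bot: The entry appended to cgroupREs matches any cgroup path that ends in 64 hex digits, because the "segments" group `(?:[[:^punct:]]+[[:punct:]])*` requires no runtime prefix such as `crio-`; the attestor would then treat every such process as a pod container even when no pod UID is present. Since the pattern is only `$`-anchored and the `mustnotmatch` group is optional, the segments group can also step over a pod UID whose separators are punctuation, so the guard only takes effect if an earlier entry in cgroupREs matches first, which depends on caller logic outside the hunk. PATCH 2/2 in this series deletes this entry again in favour of widening the existing cri-o pattern, so the two commits are better squashed than landed with this intermediate state.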
@@ -128,25 +128,15 @@ var cgroupREs = []*regexp.Regexp{
 
 // This regex applies for container runtimes, that won't put the PodUID into
 // the cgroup name.
- // Currently only cri-o in combination with kubeedge is known for this abnormally.
+ // cri-o in combination with kubeedge or processes in the same pod as
+ // spire will cause this.
 regexp.MustCompile(`` +
 // intentionally empty poduid group
 `(?P)` +
 // mustnotmatch group: cgroup path must not include a poduid
 `(?Ppod[[:xdigit:]]{8}[[:punct:]]?[[:xdigit:]]{4}[[:punct:]]?[[:xdigit:]]{4}[[:punct:]]?[[:xdigit:]]{4}[[:punct:]]?[[:xdigit:]]{12}[[:punct:]])?` +
 // /crio-
- `(?:[[:^punct:]]*/*)*crio[[:punct:]]` +
- // non-punctuation end of string, i.e., the container ID
- `(?P[[:xdigit:]]{64})$`),
-
- // Within the same pod, the PodUID will not be present in the cgroup.
- regexp.MustCompile(`` +
- // intentionally empty poduid group
- `(?P)` +
- // mustnotmatch group: cgroup path must not include a poduid
- `(?Ppod[[:xdigit:]]{8}[[:punct:]]?[[:xdigit:]]{4}[[:punct:]]?[[:xdigit:]]{4}[[:punct:]]?[[:xdigit:]]{4}[[:punct:]]?[[:xdigit:]]{12}[[:punct:]])?` +
- // zero or more punctuation separated "segments" (e.g. "docker-")
- `(?:[[:^punct:]]+[[:punct:]])*` +
+ `(?:[[:^punct:]]*/*)*cri(o)*(-containerd)*[[:punct:]]` +
 // non-punctuation end of string, i.e., the container ID
 `(?P[[:xdigit:]]{64})$`),
 }
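Review bot: The new prefix `cri(o)*(-containerd)*[[:punct:]]` is looser than the two runtimes it is meant to cover: `*` means zero or more, so it also accepts `cri-`, `crioo-` and `crio-containerd-containerd-`, and the two unnamed capturing groups add anonymous submatches that reSubMatchMap (whose body is outside the hunk) will presumably surface under an empty key. This entry decides which cgroup paths without a pod UID are treated as a workload container, so the alternation should be exact and non-capturing, `(?:[[:^punct:]]*/*)*cri(?:o|-containerd)[[:punct:]]` +. The context comment `// /crio-` directly above the changed line is now stale and should read `// /crio- or /cri-containerd-`. A table test with a `cri-containerd-<id>` path and a bare `cri-<id>` path would pin the intended behaviour.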