From 569faa44228091e2a4ca998af4b1bf455f98fa73 Mon Sep 17 00:00:00 2001
From: Cesar Alaniz
Date: Thu, 6 Jun 2019 13:53:20 -0700
Subject: [PATCH 1/2] Strip additional prefix/suffix data from container id
Signed-off-by: Cesar Alaniz
---
 pkg/agent/plugin/workloadattestor/k8s/k8s.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s.go b/pkg/agent/plugin/workloadattestor/k8s/k8s.go
index b292a74340..ea5b655174 100644
--- a/pkg/agent/plugin/workloadattestor/k8s/k8s.go
+++ b/pkg/agent/plugin/workloadattestor/k8s/k8s.go
@@ -335,7 +335,9 @@ func (p *K8SPlugin) getContainerIDFromCGroups(pid int32) (string, error) {
 log.Printf("Kube pod entry found, but without container id: %v", substring)
 continue
 }
- return parts[4], nil
+ id := strings.TrimSuffix(parts[4], ".scope")
+ id = strings.TrimPrefix(id, "docker-")
+ return id, nil
 }
 }
From 4a12c5228a1373549aedf60d8bd7ee2cdc4511d9 Mon Sep 17 00:00:00 2001
From: Cesar Alaniz
Date: Thu, 6 Jun 2019 22:07:10 -0700
Subject: [PATCH 2/2] Make prefix striping apply to any container runtime
Signed-off-by: Cesar Alaniz
---
 pkg/agent/plugin/workloadattestor/k8s/k8s.go | 6 +++++-
 pkg/agent/plugin/workloadattestor/k8s/k8s_test.go | 14 ++++++++++++++
 .../k8s/testdata/systemd_cgroups_pid_in_pod.txt | 11 +++++++++++
 3 files changed, 30 insertions(+), 1 deletion(-)
 create mode 100644 pkg/agent/plugin/workloadattestor/k8s/testdata/systemd_cgroups_pid_in_pod.txt
diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s.go b/pkg/agent/plugin/workloadattestor/k8s/k8s.go
index ea5b655174..7aef2e8332 100644
--- a/pkg/agent/plugin/workloadattestor/k8s/k8s.go
+++ b/pkg/agent/plugin/workloadattestor/k8s/k8s.go
@@ -336,7 +336,11 @@ func (p *K8SPlugin) getContainerIDFromCGroups(pid int32) (string, error) {
 continue
 }
 id := strings.TrimSuffix(parts[4], ".scope")
- id = strings.TrimPrefix(id, "docker-")
+ // Trim the id of any container runtime prefixes. Ex "docker-" or "crio-"
+ dash := strings.Index(id, "-")
+ if dash > -1 {
+ id = id[dash+1:]
+ }
 return id, nil
 }
 }
diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go
index c2982d727e..0c2b7262ec 100644
--- a/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go
+++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_test.go
@@ -37,6 +37,7 @@ const (
 cgPidInPodFilePath = "testdata/cgroups_pid_in_pod.txt"
 cgInitPidInPodFilePath = "testdata/cgroups_init_pid_in_pod.txt"
 cgPidNotInPodFilePath = "testdata/cgroups_pid_not_in_pod.txt"
+ cgSystemdPidInPodFilePath = "testdata/systemd_cgroups_pid_in_pod.txt"
 certPath = "cert.pem"
 keyPath = "key.pem"
@@ -139,6 +140,13 @@ func (s *K8sAttestorSuite) TestAttestWithPidInPod() {
 s.requireAttestSuccessWithPod()
 }
+func (s *K8sAttestorSuite) TestAttestWithPidInPodSystemdCgroups() {
+ s.startInsecureKubelet()
+ s.configureInsecure()
+
+ s.requireAttestSuccessWithPodSystemdCgroups()
+}
+
 func (s *K8sAttestorSuite) TestAttestWithInitPidInPod() {
 s.startInsecureKubelet()
 s.configureInsecure()
@@ -750,6 +758,12 @@ func (s *K8sAttestorSuite) requireAttestSuccessWithPod() {
 s.requireAttestSuccess(testPodSelectors)
 }
+func (s *K8sAttestorSuite) requireAttestSuccessWithPodSystemdCgroups() {
+ s.addPodListResponse(podListFilePath)
+ s.addCgroupsResponse(cgSystemdPidInPodFilePath)
+ s.requireAttestSuccess(testPodSelectors)
+}
+
 func (s *K8sAttestorSuite) requireAttestSuccessWithInitPod() {
 s.addPodListResponse(podListFilePath)
 s.addCgroupsResponse(cgInitPidInPodFilePath)
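Review bot: `strings.Index(id, "-")` cuts at the first dash, so a runtime prefix that itself contains a dash is only partly removed — containerd's systemd cgroup driver, as I recall, names scopes `cri-containerd-<id>.scope`, which this would reduce to `containerd-<id>` rather than the bare id. The container ids in the new fixture are 64 hex characters with no dash, so `dash := strings.LastIndex(id, "-")` would handle both the single-dash prefixes the comment cites and multi-dash ones. A segment that ends in a dash also yields an empty `id` from `id[dash+1:]`, which is then returned with a nil error and sidesteps the `without container id` guard that logs and continues earlier in this loop; an `if id == "" { continue }` before `return id, nil` keeps the two paths consistent. Since this id is presumably what the attestor uses to match the calling workload to a pod, a mis-parsed value is an identity-correctness problem rather than a cosmetic one. `dash >= 0` is the usual spelling of the index check; getContainerIDFromCGroups starts and ends outside the hunk.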
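Review bot: The only fixture added for the new prefix-stripping logic uses the `docker-` prefix, so the behaviour this patch advertises (any runtime prefix) is not exercised and a regression back to docker-only trimming would still pass. A second cgroups fixture whose scope carries a different prefix — the `crio-` one the code comment cites — with a matching test, or turning `requireAttestSuccessWithPodSystemdCgroups` into a helper that takes the fixture path, would cover the generic branch; a scope segment with no prefix at all is worth a case as well. The suite helpers these tests call are defined outside the hunk.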
diff --git a/pkg/agent/plugin/workloadattestor/k8s/testdata/systemd_cgroups_pid_in_pod.txt b/pkg/agent/plugin/workloadattestor/k8s/testdata/systemd_cgroups_pid_in_pod.txt
new file mode 100644
index 0000000000..bdbee38f0f
--- /dev/null
+++ b/pkg/agent/plugin/workloadattestor/k8s/testdata/systemd_cgroups_pid_in_pod.txt
@@ -0,0 +1,11 @@
+11:hugetlb:/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod2c48913c-b29f-11e7-9350-020968147796.slice/docker-9bca8d63d5fa610783847915bcff0ecac1273e5b4bed3f6fa1b07350e0135961.scope
+10:devices:/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod2c48913c-b29f-11e7-9350-020968147796.slice/docker-9bca8d63d5fa610783847915bcff0ecac1273e5b4bed3f6fa1b07350e0135961.scope
+9:pids:/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod2c48913c-b29f-11e7-9350-020968147796.slice/docker-9bca8d63d5fa610783847915bcff0ecac1273e5b4bed3f6fa1b07350e0135961.scope
+8:perf_event:/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod2c48913c-b29f-11e7-9350-020968147796.slice/docker-9bca8d63d5fa610783847915bcff0ecac1273e5b4bed3f6fa1b07350e0135961.scope
+7:net_cls,net_prio:/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod2c48913c-b29f-11e7-9350-020968147796.slice/docker-9bca8d63d5fa610783847915bcff0ecac1273e5b4bed3f6fa1b07350e0135961.scope
+6:cpuset:/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod2c48913c-b29f-11e7-9350-020968147796.slice/docker-9bca8d63d5fa610783847915bcff0ecac1273e5b4bed3f6fa1b07350e0135961.scope
+5:memory:/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod2c48913c-b29f-11e7-9350-020968147796.slice/docker-9bca8d63d5fa610783847915bcff0ecac1273e5b4bed3f6fa1b07350e0135961.scope
+4:cpu,cpuacct:/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod2c48913c-b29f-11e7-9350-020968147796.slice/docker-9bca8d63d5fa610783847915bcff0ecac1273e5b4bed3f6fa1b07350e0135961.scope
+3:freezer:/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod2c48913c-b29f-11e7-9350-020968147796.slice/docker-9bca8d63d5fa610783847915bcff0ecac1273e5b4bed3f6fa1b07350e0135961.scope
+2:blkio:/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod2c48913c-b29f-11e7-9350-020968147796.slice/docker-9bca8d63d5fa610783847915bcff0ecac1273e5b4bed3f6fa1b07350e0135961.scope
+1:name=systemd:/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod2c48913c-b29f-11e7-9350-020968147796.slice/docker-9bca8d63d5fa610783847915bcff0ecac1273e5b4bed3f6fa1b07350e0135961.scope