tetragon-oci-hook: container name from annotations

We cannot use arg.Watcher.FindContainer() because it uses k8s API where the container is still not available. Therefore, we extract the name of the container from request annotations based on the container runtime. Fixes: #1879 Signed-off-by: Oleh Neichev <[email protected]>
cilium · Mar 23, 2024 · 17d66b7 · 17d66b7
1 parent 9b7ce77
commit 17d66b7
Showing 1 changed file with 16 additions and 6 deletions.
diff --git a/pkg/policyfilter/rthooks/rthooks.go b/pkg/policyfilter/rthooks/rthooks.go
@@ -5,6 +5,7 @@ package rthooks
 
 import (
 	"context"
+	"fmt"
 	"path/filepath"
 	"time"
 
@@ -92,15 +93,24 @@ func createContainerHook(_ context.Context, arg *rthooks.CreateContainerArg) err
 		return err
 	}
 
-	var containerFound bool
-	var container *corev1.ContainerStatus
 	namespace := pod.ObjectMeta.Namespace
-	pod, container, containerFound = arg.Watcher.FindContainer(containerID)
-	if !containerFound {
-		log.WithError(err).Warnf("failed to find container information %s, aborting hook.", containerID)
+
+	// we cannot use arg.Watcher.FindContainer() because it uses k8s API
+	// where the container is still not available
+	containerName := ""
+	// containerd
+	if val, ok := arg.Req.Annotations["io.kubernetes.cri.container-name"]; ok {
+		containerName = val
+	} else if val, ok := arg.Req.Annotations["io.kubernetes.container.name"]; ok {
+		// crio
+		containerName = val
 	}
 
-	containerName := container.Name
+	if containerName == "" {
+		err := fmt.Errorf("failed to find container information %s, aborting hook", containerID)
+		log.Warn(err)
+		return err
+	}
 
 	log.WithFields(logrus.Fields{
 		"pod-id":         podID,