Skip to content

Commit

Permalink
Merge pull request spiffe#1649 from azdagron/improve-k8s-cgroup-parsing
Browse files Browse the repository at this point in the history
Improve K8S workload attestor container ID parsing
  • Loading branch information
azdagron authored Jun 12, 2020
2 parents 159cfe2 + 947c552 commit 6ea1530
Show file tree
Hide file tree
Showing 2 changed files with 25 additions and 13 deletions.
32 changes: 19 additions & 13 deletions pkg/agent/plugin/workloadattestor/k8s/k8s.go
Original file line number Diff line number Diff line change
Expand Up @@ -553,25 +553,31 @@ func getContainerIDFromCGroups(cgroups []cgroups.Cgroup) (string, error) {
}

// containerIDRe is the regex used to parse out the container ID from a cgroup
// name. This is the breakdown:
// /kubepods(?:\.slice)?/
// The /kubepods path segment, not necessarily at the start of the path,
// optionally followed by the systemd slice suffix (e.g., ".slice") and
// ending with a trailing slash.
// (?:[^/]*/){1,}
// One or more path segments with a trailing slash, e.g., the QOS setting,
// pod UID, etc.
// (?:[^-]+-)?((?U)[^/]+)(?:\.scope)?$`)
// Base name with the container ID. Optionally starts with a container
// runtime prefix (e.g., "docker-") and optionally ends in the systemd
// scope suffix (e.g., ".scope").
var containerIDRe = regexp.MustCompile(`/kubepods(?:\.slice)?/(?:[^/]+/){1,}(?:[^-]+-)?((?U)[^/]+)(?:\.scope)?$`)
// name. It assumes that any ".scope" suffix has been trimmed off beforehand.
var containerIDRe = regexp.MustCompile(`` +
// "kubepods" surrounded by punctuation
`[[:punct:]]kubepods[[:punct:]]` +
// zero or more punctuation separated "segments" (e.g. "burstable-")
`(?:[[:^punct:]]+[[:punct:]])*` +
// "pod"-prefixed Pod UUID (with punctuation separated groups) followed by punctuation
`pod[[:xdigit:]]{8}[[:punct:]][[:xdigit:]]{4}[[:punct:]][[:xdigit:]]{4}[[:punct:]][[:xdigit:]]{4}[[:punct:]][[:xdigit:]]{12}[[:punct:]]` +
// zero or more punctuation separated "segments" (e.g. "docker-")
`(?:[[:^punct:]]+[[:punct:]])*` +
// non-punctuation end of string, i.e., the container ID
`([[:^punct:]]+)$`)

func getContainerIDFromCGroupPath(cgroupPath string) (string, bool) {
// We are only interested in kube pods entries, for example:
// - /kubepods/burstable/pod2c48913c-b29f-11e7-9350-020968147796/9bca8d63d5fa610783847915bcff0ecac1273e5b4bed3f6fa1b07350e0135961
// - /docker/8d461fa5765781bcf5f7eb192f101bc3103d4b932e26236f43feecfa20664f96/kubepods/besteffort/poddaa5c7ee-3484-4533-af39-3591564fd03e/aff34703e5e1f89443e9a1bffcc80f43f74d4808a2dd22c8f88c08547b323934
// - /kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod2c48913c-b29f-11e7-9350-020968147796.slice/docker-9bca8d63d5fa610783847915bcff0ecac1273e5b4bed3f6fa1b07350e0135961.scope
// - /kubepods-besteffort-pod72f7f152_440c_66ac_9084_e0fc1d8a910c.slice:cri-containerd:b2a102854b4969b2ce98dc329c86b4fb2b06e4ad2cc8da9d8a7578c9cd2004a2"

// First trim off any .scope suffix. This allows for a cleaner regex since
// we don't have to muck with greediness. TrimSuffix is no-copy so this
// is cheap.
cgroupPath = strings.TrimSuffix(cgroupPath, ".scope")

matches := containerIDRe.FindStringSubmatch(cgroupPath)
if matches != nil {
return matches[1], true
Expand Down
6 changes: 6 additions & 0 deletions pkg/agent/plugin/workloadattestor/k8s/k8s_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -983,9 +983,15 @@ func TestGetContainerIDFromCGroupPath(t *testing.T) {
name: "no pod uid segment",
cgroupPath: "/kubepods/09bc3d7ade839efec32b6bec4ec79d099027a668ddba043083ec21d3c3b8f1e6",
},
{
name: "cri-containerd",
cgroupPath: "/kubepods-besteffort-pod72f7f152_440c_66ac_9084_e0fc1d8a910c.slice:cri-containerd:b2a102854b4969b2ce98dc329c86b4fb2b06e4ad2cc8da9d8a7578c9cd2004a2",
containerID: "b2a102854b4969b2ce98dc329c86b4fb2b06e4ad2cc8da9d8a7578c9cd2004a2",
},
} {
tt := tt
t.Run(tt.name, func(t *testing.T) {
t.Logf("cgroup path=%s", tt.cgroupPath)
containerID, ok := getContainerIDFromCGroupPath(tt.cgroupPath)
if tt.containerID == "" {
assert.False(t, ok)
Expand Down

0 comments on commit 6ea1530

Please sign in to comment.