I ran into an issue when running SPIRE on a Kubernetes cluster using the containerd CRI where the k8s workload attestor in spire-agent is unable to parse container cgroups.
The logs from spire-agent (containing the cgroup names) look like:
2020/05/21 18:12:43 Kube pod entry found, but without container id:
/kubepods-besteffort-pod72f7f152_440c_66ac_9084_e0fc1d8a910c.slice:
cri-containerd:b2a102854b4969b2ce98dc329c86b4fb2b06e4ad2cc8da9d8a7578c9cd2004a2
Here, : is used as the delimiter in the cgroup name, confounding the current regexp. @azdagron gave me a quick patch to replace the containerIDRe regexp as a workaround.
Based on the number of similar issues in the past, perhaps a more flexible configuration method for the cgroup expression might be nice to have - this is likely to come around for any container implementation that names cgroups in a different way than SPIRE expects.
azdagron changed the title from "Docker workload attestor can't parse cgroups for containerd k8s CRI" to "K8s workload attestor can't parse cgroups for containerd k8s CRI" on May 29, 2020
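The parsing problem described in the issue, as an added example that is not SPIRE's code and not the patch mentioned above: one way to pull the pod UID and container ID out of a cgroup name whether the runtime separates components with "/" or ":". The names parseKubeCgroup, podUIDRe and ctrIDRe are hypothetical, and every sample path other than the one taken from the log is constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Hypothetical patterns for this example; neither is SPIRE's containerIDRe.
// podUIDRe accepts cgroupfs ("pod<uid>") and systemd ("-pod<uid>.slice")
// naming, where systemd writes the UID with "_" in place of "-".
var podUIDRe = regexp.MustCompile(`pod([0-9a-f]{8}(?:[-_][0-9a-f]{4}){3}[-_][0-9a-f]{12})`)

// ctrIDRe anchors on the end of the path: the last token must be a 64-char
// hex ID introduced by "/", ":" or a "<runtime>-" prefix, optionally ".scope".
var ctrIDRe = regexp.MustCompile(`(?:^|[/:-])([0-9a-f]{64})(?:\.scope)?$`)

// containerdCgroup is the cgroup name from the log in the issue, assembled
// from its three logged pieces.
const containerdCgroup = "/kubepods-besteffort-pod72f7f152_440c_66ac_9084_e0fc1d8a910c.slice:" +
	"cri-containerd:" +
	"b2a102854b4969b2ce98dc329c86b4fb2b06e4ad2cc8da9d8a7578c9cd2004a2"

// parseKubeCgroup returns the pod UID and container ID, or an error when
// either is missing, so an unrecognised layout is rejected rather than guessed.
func parseKubeCgroup(path string) (podUID, containerID string, err error) {
	pod := podUIDRe.FindStringSubmatch(path)
	if pod == nil {
		return "", "", fmt.Errorf("not a kube pod cgroup: %q", path)
	}
	ctr := ctrIDRe.FindStringSubmatch(path)
	if ctr == nil {
		return "", "", fmt.Errorf("pod entry without container id: %q", path)
	}
	return strings.ReplaceAll(pod[1], "_", "-"), ctr[1], nil
}

func main() {
	id := strings.Repeat("ab", 32) // constructed 64-character container ID
	for _, p := range []string{
		containerdCgroup,
		"/kubepods/besteffort/pod72f7f152-440c-66ac-9084-e0fc1d8a910c/" + id,              // constructed, cgroupfs style
		"/kubepods-pod72f7f152_440c_66ac_9084_e0fc1d8a910c.slice/docker-" + id + ".scope", // constructed, systemd style
		"/kubepods/besteffort/pod72f7f152-440c-66ac-9084-e0fc1d8a910c",                    // constructed, pod-level only
	} {
		uid, cid, err := parseKubeCgroup(p)
		fmt.Println(uid, cid, err)
	}
}
```

Anchoring the container ID on the end of the path keeps the match independent of the delimiter, and a path that carries a pod UID but no trailing 64-character ID returns an error instead of a partial match.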