@IanRobertson-wpe

What type of PR is this?

/kind bug

Any specific area of the project related to this PR?

/area plugins

What this PR does / why we need it:

This addresses an issue with the "container" plugin.

The container name is not correctly pulled in when fetching from a containerd source. It uses the shortened container ID instead. This change pulls in the container name from the K8s annotation if it exists and is not empty, otherwise defaulting back to the shortened container ID.

Which issue(s) this PR fixes:

Special notes for your reviewer:

This needs testing.

I identified this issue in a GKE environment which has a CRI-O socket at /run/containerd/containerd.sock. I had the plugin configured to use CRI-O pointing to /run/crio/crio.sock, and containerd for /run/containerd/containerd.sock. The plugin used the containerd logic for pulling in the data, and this is where I found it was lacking the proper container name, and thus this code contribution. I was able to resolve this issue on my end by disabling containerd and pointing the crio socket to /run/containerd/containerd.sock, but I believe this issue still needs to be addressed for containerd, and I don't have a good way of testing it myself.

@poiana
Contributor

poiana commented Oct 1, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: IanRobertson-wpe
Once this PR has been reviewed and has the lgtm label, please assign jasondellaluce for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@poiana
Contributor

poiana commented Oct 1, 2025

Welcome @IanRobertson-wpe! It looks like this is your first PR to falcosecurity/plugins 🎉

@poiana poiana added the size/S label Oct 1, 2025
@leogr
Member

leogr commented Oct 6, 2025

Hi @IanRobertson-wpe

AFAIK, this issue is the same as falcosecurity/falco#3631 and can be solved at the configuration level, see 👇

https://github.com/falcosecurity/charts/pull/892/files#diff-ef3f1a0c0800c919d45ffa98656d27cee2803963e4e13622ac22a08ce6548f0cR418-R424

The rationale is that containerd has no concept of a name for containers. Also, it usually exposes two sockets: one using the containerd protocol and another using the CRI protocol. Since CRI supports having a name for containers, the solution is to use CRI to consume /run/containerd/containerd.sock.

Please let us know if this works for you as well, or if your case is different.

Thanks!
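
The configuration-level fix described in the comment above, sketched as an added example that is not part of the original thread or of the linked chart change. The key layout is assumed to follow the container plugin's `init_config.engines` schema in `falco.yaml`; only the socket paths come from this conversation.

```yaml
# Added example. Key names assume the container plugin's init_config.engines
# layout; verify them against the plugin version you deploy.
plugins:
  - name: container
    library_path: libcontainer.so
    init_config:
      engines:
        # Before: the native containerd engine owned the containerd socket,
        # so the container name was reported as the shortened container ID.
        # containerd:
        #   enabled: true
        #   sockets: ['/run/containerd/containerd.sock']
        # cri:
        #   enabled: true
        #   sockets: ['/run/crio/crio.sock']

        # After: the native containerd engine is off and the CRI engine
        # consumes the same socket, which carries the container name.
        containerd:
          enabled: false
        cri:
          enabled: true
          sockets:
            - /run/containerd/containerd.sock
            - /run/crio/crio.sock
```

Rules and alert routing that match on `container.name` see the shortened ID rather than the name until the CRI engine is the one reading the socket.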

@github-actions

github-actions bot commented Oct 6, 2025

Rules files suggestions
