Closed rafaeldtinoco closed 9 months ago
And I'm able to enrich the container events correctly because I'm telling that the "snap" containerd socket should be placed at the "default containerd.sock" location, so tracee knows how to find it.
So shouldn't the container and kubernetes keys be populated?
"value":"docker.io/library/fedora:38"
"value":"registry.k8s.io/pause:3.7"
THe container image and container name worked. Those came from the runtime. I believe the ones you're seeing empty come from k8s and would have come only if the expected labels were done (and only with docker):
SO containerd enrichment does not support (yet) picking Pod metadata (or it does not even contain the metadata). That is the part where the k8s API would take place (the k8s info would come from the k8s API and not from labels).
What did not work, in this case, was recognizing the runtime from the cgroup hierarchy pattern (there are some regex that checks uuids within cgroup directories, and things alike).
Could you provide the cgroup_path
from cgroup_mkdir
so I can update this table for microk8s?
EDIT: I get it from https://github.com/aquasecurity/tracee/issues/3003#issuecomment-1788232984 👍🏼
@rafaeldtinoco As you correctly pointed out, the runtime is picked from the path pattern. But that enrichment worked because of the fallback mechanism for unknown
runtimes, where the "main" enricher goes through all sub-enrichers. So it also went through the containerd enricher which was working because of the mount you set up for tracee's container (see pkg/containers/service.go
):
The pattern is probably the same one described in #3003 (pod<uid>/<container_id>
).
@geyslan @rafaeldtinoco About the kubernetes field being empty, this is because the kubernetes data of the container created are in the arguments for container events, not in the event fields. If we had for example a write
event inside the newly created pod, the enrichment data would go there. But since these are lifecycle events the data is in the argument. This is useful for example if we have a container created in a container, you'd have the creating container's data in container
and kubernetes
fields of the event, and the actual container created described in the arguments.
The 2nd event from the issue:
...{"name":"pod_name","type":"const char*","value":"fedora"},{"name":"pod_namespace","type":"const char*","value":"default"},{"name":"pod_uid","type":"const char*","value":"c7f0e802-84e5-411b-82e9-6bd6bb659e66"},{"name":"pod_sandbox","type":"bool","value":true}]}
(The sandbox container created)
The 3rd:
...{"name":"pod_name","type":"const char*","value":"fedora"},{"name":"pod_namespace","type":"const char*","value":"default"},{"name":"pod_uid","type":"const char*","value":"c7f0e802-84e5-411b-82e9-6bd6bb659e66"},{"name":"pod_sandbox","type":"bool","value":false}]}
(The actual workload)
So kubernetes enrichment did work here, the only problem is the runtime.
Considering @NDStrahilevitz comment above, this seems to be a duplicated of https://github.com/aquasecurity/tracee/issues/3003? So I'm closing it in favor of the other issue that @NDStrahilevitz is already investigating. Feel free to reopen if I misunderstood.
Description
When running tracee in a microk8s environment (that uses containerd), I use the following config:
and the following daemonset deployment settings:
And I'm able to enrich the container events correctly because I'm telling that the "snap" containerd socket should be placed at the "default containerd.sock" location, so tracee knows how to find it.
Problem is that, despite being able to talk to the socket and enriching the event correctly:
The
runtime
appears asunknown
. Same happens forcontainer_create
andcontainer_remove
.I believe we're picking the container runtime name from the cgroup filesystem hierarchy. We could also pick from the default socket place, like this case, we do know its coming from "containerd".