cgidmap depends on cri for pod association
https://github.com/cilium/tetragon/pull/2776 introduced pod association via cgroup ids.
Currently, there are two ways that the cgidmap can be updated.
By contacting the CRI: https://github.com/cilium/tetragon/blob/0bf690aed79a6e0cf4ff9199454eb25d3063fd96/pkg/cgidmap/cri.go#L105
Or, in the runtime hooks: https://github.com/cilium/tetragon/blob/0bf690aed79a6e0cf4ff9199454eb25d3063fd96/pkg/cgidmap/rthooks.go#L70
This means that without --enable-cri being set, tetragon will not be able to do pod association for existing pods (even if runtime hooks are used).
This is reflected in the following warning:
level=warning msg="cgidmap is enabled but cri is not. This means that pod association will not work for existing pods. You can enable cri using --enable-cri"
One of the benefits of talking to the CRI is that it provides authoritative answers.
If --enable-cri is not set, we could scan the cgroup filesystem as we do in the policyfilter code: https://github.com/cilium/tetragon/blob/0bf690aed79a6e0cf4ff9199454eb25d3063fd96/pkg/policyfilter/cgroupid.go#L24-L36
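A sketch of the cgroup filesystem scan proposed above, as an added example that is not Tetragon's code. The function name `scanCgroupIDs`, the 64-hex container ID naming of cgroup directories, and the use of the directory inode as the cgroup id (cgroup v2, 64-bit host) are assumptions; unlike the CRI, this scan is best effort rather than authoritative.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"regexp"
	"syscall"
)

// Assumption: container cgroup directories embed the 64-hex container ID,
// e.g. "cri-containerd-<id>.scope" (systemd driver) or "<id>" (cgroupfs driver).
var containerIDRe = regexp.MustCompile(`[0-9a-f]{64}`)

// scanCgroupIDs walks root and returns container ID -> cgroup id.
// Assumption: cgroup v2 on a 64-bit host, where the cgroup id is the inode
// number of the cgroup directory.
func scanCgroupIDs(root string) (map[string]uint64, error) {
	ids := make(map[string]uint64)
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			if os.IsNotExist(err) {
				return nil // cgroup removed while we were scanning
			}
			return err
		}
		id := containerIDRe.FindString(d.Name())
		if !d.IsDir() || id == "" {
			return nil
		}
		info, err := d.Info()
		if err != nil {
			return nil // raced with container exit: skip this entry
		}
		st, ok := info.Sys().(*syscall.Stat_t)
		if !ok {
			return fmt.Errorf("no stat data for %s", path)
		}
		ids[id] = uint64(st.Ino)
		return filepath.SkipDir // nothing of interest below a container cgroup
	})
	return ids, err
}

func main() {
	ids, err := scanCgroupIDs("/sys/fs/cgroup")
	fmt.Println(ids, err)
}
```

The resulting container ID to cgroup id pairs could seed the map for pods that already exist at startup; entries for containers that exit during the scan are skipped rather than treated as errors.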