Stricter container ID matching in K8s Workload Attestor (#4468)

The current regex groups are too loose in what they will accept as a container ID. Tighten the regex's to only accept 64 hex digits as a container ID. Fixes #4088 Signed-off-by: Andrew Harding <azdagron@gmail.com>
spiffe · Aug 31, 2023 · f4d259e · f4d259e
1 parent ea2da7a
commit f4d259e
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 8 deletions.
diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go
@@ -125,7 +125,7 @@ var cgroupREs = []*regexp.Regexp{
 		// zero or more punctuation separated "segments" (e.g. "docker-")
 		`(?:[[:^punct:]]+[[:punct:]])*` +
 		// non-punctuation end of string, i.e., the container ID
-		`(?P<containerid>[[:^punct:]]+)$`),
+		`(?P<containerid>[[:xdigit:]]{64})$`),
 
 	// This regex applies for container runtimes, that won't put the PodUID into
 	// the cgroup name.
@@ -138,7 +138,7 @@ var cgroupREs = []*regexp.Regexp{
 		// /crio-
 		`(?:[[:^punct:]]*/*)*crio[[:punct:]]` +
 		// non-punctuation end of string, i.e., the container ID
-		`(?P<containerid>[[:^punct:]]+)$`),
+		`(?P<containerid>[[:xdigit:]]{64})$`),
 }
 
 func reSubMatchMap(r *regexp.Regexp, str string) map[string]string {

diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix_test.go
@@ -32,12 +32,13 @@ const (
 	crioPodListFilePath                     = "testdata/crio_pod_list.json"
 	crioPodListDuplicateContainerIDFilePath = "testdata/crio_pod_list_duplicate_containerId.json"
 
-	cgPidInPodFilePath        = "testdata/cgroups_pid_in_pod.txt"
-	cgPidInKindPodFilePath    = "testdata/cgroups_pid_in_kind_pod.txt"
-	cgPidInCrioPodFilePath    = "testdata/cgroups_pid_in_crio_pod.txt"
-	cgInitPidInPodFilePath    = "testdata/cgroups_init_pid_in_pod.txt"
-	cgPidNotInPodFilePath     = "testdata/cgroups_pid_not_in_pod.txt"
-	cgSystemdPidInPodFilePath = "testdata/systemd_cgroups_pid_in_pod.txt"
+	cgPidInPodFilePath            = "testdata/cgroups_pid_in_pod.txt"
+	cgPidInKindPodFilePath        = "testdata/cgroups_pid_in_kind_pod.txt"
+	cgPidInCrioPodFilePath        = "testdata/cgroups_pid_in_crio_pod.txt"
+	cgInitPidInPodFilePath        = "testdata/cgroups_init_pid_in_pod.txt"
+	cgPidNotInPodFilePath         = "testdata/cgroups_pid_not_in_pod.txt"
+	cgSystemdPidInPodFilePath     = "testdata/systemd_cgroups_pid_in_pod.txt"
+	cgSystemdCrioPidInPodFilePath = "testdata/systemd_crio_cgroups_pid_in_pod.txt"
 )
 
 var (
@@ -195,6 +196,13 @@ func (s *Suite) TestAttestWithPidInPodSystemdCgroups() {
 	s.requireAttestSuccessWithPodSystemdCgroups(p)
 }
 
+func (s *Suite) TestAttestWithPidInPodSystemdCrioCgroups() {
+	s.startInsecureKubelet()
+	p := s.loadInsecurePlugin()
+
+	s.requireAttestSuccessWithPodSystemdCrioCgroups(p)
+}
+
 func (s *Suite) TestAttestAgainstNodeOverride() {
 	s.startInsecureKubelet()
 	p := s.loadInsecurePlugin()
@@ -428,6 +436,12 @@ func (s *Suite) requireAttestSuccessWithPodSystemdCgroups(p workloadattestor.Wor
 	s.requireAttestSuccess(p, testPodAndContainerSelectors)
 }
 
+func (s *Suite) requireAttestSuccessWithPodSystemdCrioCgroups(p workloadattestor.WorkloadAttestor) {
+	s.addPodListResponse(crioPodListFilePath)
+	s.addCgroupsResponse(cgSystemdCrioPidInPodFilePath)
+	s.requireAttestSuccess(p, testCrioPodSelectors)
+}
+
 func TestGetContainerIDFromCGroups(t *testing.T) {
 	makeCGroups := func(groupPaths []string) []cgroups.Cgroup {
 		var out []cgroups.Cgroup

diff --git a/pkg/agent/plugin/workloadattestor/k8s/testdata/systemd_crio_cgroups_pid_in_pod.txt b/pkg/agent/plugin/workloadattestor/k8s/testdata/systemd_crio_cgroups_pid_in_pod.txt
@@ -0,0 +1,13 @@
+12:hugetlb:/kubepods.slice/kubepods-besteffort.slice/kubepods-besteffort-poda2830d0d_b0f0_4ff0_81b5_0ee4e299cf80.slice/crio-09bc3d7ade839efec32b6bec4ec79d099027a668ddba043083ec21d3c3b8f1e6.scope
+11:netcls,net_prio:/kubepods.slice/kubepods-besteffort.slice/kubepods-besteffort-poda2830d0d_b0f0_4ff0_81b5_0ee4e299cf80.slice/crio-09bc3d7ade839efec32b6bec4ec79d099027a668ddba043083ec21d3c3b8f1e6.scope
+10:pids:/kubepods.slice/kubepods-besteffort.slice/kubepods-besteffort-poda2830d0d_b0f0_4ff0_81b5_0ee4e299cf80.slice/crio-09bc3d7ade839efec32b6bec4ec79d099027a668ddba043083ec21d3c3b8f1e6.scope
+9:cpuset:/kubepods.slice/kubepods-besteffort.slice/kubepods-besteffort-poda2830d0d_b0f0_4ff0_81b5_0ee4e299cf80.slice/crio-09bc3d7ade839efec32b6bec4ec79d099027a668ddba043083ec21d3c3b8f1e6.scope
+8:devices:/kubepods.slice/kubepods-besteffort.slice/kubepods-besteffort-poda2830d0d_b0f0_4ff0_81b5_0ee4e299cf80.slice/crio-09bc3d7ade839efec32b6bec4ec79d099027a668ddba043083ec21d3c3b8f1e6.scope
+7:memory:/kubepods.slice/kubepods-besteffort.slice/kubepods-besteffort-poda2830d0d_b0f0_4ff0_81b5_0ee4e299cf80.slice/crio-09bc3d7ade839efec32b6bec4ec79d099027a668ddba043083ec21d3c3b8f1e6.scope
+6:perf_event:/kubepods.slice/kubepods-besteffort.slice/kubepods-besteffort-poda2830d0d_b0f0_4ff0_81b5_0ee4e299cf80.slice/crio-09bc3d7ade839efec32b6bec4ec79d099027a668ddba043083ec21d3c3b8f1e6.scope
+5:blkio:/kubepods.slice/kubepods-besteffort.slice/kubepods-besteffort-poda2830d0d_b0f0_4ff0_81b5_0ee4e299cf80.slice/crio-09bc3d7ade839efec32b6bec4ec79d099027a668ddba043083ec21d3c3b8f1e6.scope
+4:cpu,cpuacct:/kubepods.slice/kubepods-besteffort.slice/kubepods-besteffort-poda2830d0d_b0f0_4ff0_81b5_0ee4e299cf80.slice/crio-09bc3d7ade839efec32b6bec4ec79d099027a668ddba043083ec21d3c3b8f1e6.scope
+3:rdma:/
+2:freezer:/kubepods.slice/kubepods-besteffort.slice/kubepods-besteffort-poda2830d0d_b0f0_4ff0_81b5_0ee4e299cf80.slice/crio-09bc3d7ade839efec32b6bec4ec79d099027a668ddba043083ec21d3c3b8f1e6.scope
+1:systemd:/kubepods.slice/kubepods-besteffort.slice/kubepods-besteffort-poda2830d0d_b0f0_4ff0_81b5_0ee4e299cf80.slice/crio-09bc3d7ade839efec32b6bec4ec79d099027a668ddba043083ec21d3c3b8f1e6.scope
+0::/system.slice/crio.service