tetragon-oci-hook: container name from annotations

We cannot use arg.Watcher.FindContainer() because it uses k8s API where the container is still not available. Instead, we extract the name of the container from arg.Req.ContainerName. If the name is not found, we do not abort the hook because we can do other types of filtering, e.g. by pod labels. Fixes: #1879 Signed-off-by: Oleh Neichev <[email protected]> fix: don't fail when container name is not found Signed-off-by: Oleh Neichev <[email protected]>
cilium · Apr 2, 2024 · 2a2f64d · 2a2f64d
1 parent b597146
commit 2a2f64d
Showing 1 changed file with 4 additions and 7 deletions.
diff --git a/pkg/policyfilter/rthooks/rthooks.go b/pkg/policyfilter/rthooks/rthooks.go
@@ -92,15 +92,12 @@ func createContainerHook(_ context.Context, arg *rthooks.CreateContainerArg) err
 		return err
 	}
 
-	var containerFound bool
-	var container *corev1.ContainerStatus
 	namespace := pod.ObjectMeta.Namespace
-	pod, container, containerFound = arg.Watcher.FindContainer(containerID)
-	if !containerFound {
-		log.WithError(err).Warnf("failed to find container information %s, aborting hook.", containerID)
-	}
 
-	containerName := container.Name
+	containerName := arg.Req.ContainerName
+	if containerName == "" {
+		log.Warnf("failed to find container information for %s, but will continue", containerID)
+	}
 
 	log.WithFields(logrus.Fields{
 		"pod-id":         podID,