tetragon-oci-hook: container name from annotations

We cannot use arg.Watcher.FindContainer() because it uses k8s API where the container is still not available. Instead, we extract the name of the container from arg.Req.ContainerName. If the name is not found, we do not abort the hook because we can do other types of filtering, e.g. by pod labels. Fixes: #1879 Signed-off-by: Oleh Neichev <[email protected]>
cilium · Apr 3, 2024 · e7f44b0 · e7f44b0
1 parent b597146
commit e7f44b0
Showing 1 changed file with 4 additions and 7 deletions.
diff --git a/pkg/policyfilter/rthooks/rthooks.go b/pkg/policyfilter/rthooks/rthooks.go
@@ -92,15 +92,12 @@ func createContainerHook(_ context.Context, arg *rthooks.CreateContainerArg) err
 		return err
 	}
 
-	var containerFound bool
-	var container *corev1.ContainerStatus
 	namespace := pod.ObjectMeta.Namespace
-	pod, container, containerFound = arg.Watcher.FindContainer(containerID)
-	if !containerFound {
-		log.WithError(err).Warnf("failed to find container information %s, aborting hook.", containerID)
-	}
 
-	containerName := container.Name
+	containerName := arg.Req.ContainerName
+	if containerName == "" {
+		log.Warnf("failed to find container information for %s, but will continue", containerID)
+	}
 
 	log.WithFields(logrus.Fields{
 		"pod-id":         podID,