tetragon-oci-hook: fix issue for containerd

contrib/rthooks/tetragon-oci-hook/cel.go

@@ -31,22 +31,26 @@ func celUserExpr(expr string) (*celProg, error) {
 	return &celProg{
 		p: p,
 		values: map[string]interface{}{
-			"annotations_namespace_key": *annotationsNamespaceKey,
+			"annotations_namespace_keys": *annotationsNamespaceKeys,
 		},
 	}, nil
 }
 
 func celAllowNamespaces(vals []string) (*celProg, error) {
 	env, err := cel.NewEnv(
 		cel.Variable("annotations", cel.MapType(cel.StringType, cel.StringType)),
-		cel.Variable("annotations_namespace_key", cel.StringType),
+		cel.Variable("annotations_namespace_keys", cel.ListType(cel.StringType)),
 		cel.Variable("allow_labels", cel.ListType(cel.StringType)),
 	)
+	if err != nil {
+		return nil, err
+	}
 
-	expr := `!(annotations_namespace_key in annotations && annotations[annotations_namespace_key] in allow_labels)`
+	//expr := `!(annotations_namespace_key in annotations && annotations[annotations_namespace_key] in allow_labels)`
+	expr := `annotations_namespace_keys.all(key, !(key in annotations && annotations[key] in allow_labels))`
 	ast, issues := env.Compile(expr)
 	if issues != nil && issues.Err() != nil {
-		return nil, fmt.Errorf("failed to compile `%s`: %w", expr, err)
+		return nil, fmt.Errorf("failed to compile `%s`: %w", expr, issues.Err())
 	}
 
 	p, err := env.Program(ast)
@@ -57,8 +61,8 @@ func celAllowNamespaces(vals []string) (*celProg, error) {
 	return &celProg{
 		p: p,
 		values: map[string]interface{}{
-			"allow_labels":              vals,
-			"annotations_namespace_key": *annotationsNamespaceKey,
+			"allow_labels":               vals,
+			"annotations_namespace_keys": *annotationsNamespaceKeys,
 		},
 	}, nil
 }

contrib/rthooks/tetragon-oci-hook/cel_test.go

@@ -6,10 +6,6 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
-const (
-	CelAllowKubeSystem = `!("io.kubernetes.pod.namespace" in annotations) || annotations["io.kubernetes.pod.namespace"] != "kube-system"`
-)
-
 func celUserExprNoError(t *testing.T, expr string) *celProg {
 	ret, err := celUserExpr(expr)
 	require.NoError(t, err)
@@ -40,6 +36,10 @@ func TestCel(t *testing.T) {
 		{prog: celAllowNamespacesNoError(t, []string{"root", "kube-system"}), expectedVal: false, annotations: map[string]string{
 			"io.kubernetes.pod.namespace": "kube-system",
 		}},
+		// expected value false: program will not fail because namespace is kube-system
+		{prog: celAllowNamespacesNoError(t, []string{"root", "kube-system"}), expectedVal: false, annotations: map[string]string{
+			"io.kubernetes.cri.sandbox-namespace": "kube-system",
+		}},
 	}
 
 	for _, tc := range testCases {

contrib/rthooks/tetragon-oci-hook/main.go

@@ -29,14 +29,15 @@ import (
 )
 
 var (
-	logFname                       = flag.String("log-fname", "/var/log/tetragon-oci-hook.log", "log output filename")
-	agentAddress                   = flag.String("grpc-address", "unix:///var/run/cilium/tetragon/tetragon.sock", "gRPC address for connecting to the tetragon agent")
-	grpcTimeout                    = flag.Duration("grpc-timeout", 10*time.Second, "timeout for connecting to agent via gRPC")
-	disableGrpc                    = flag.Bool("disable-grpc", false, "do not connect to gRPC address. Instead, write a message to log")
-	annotationsNamespaceDefaultKey = "io.kubernetes.pod.namespace"
-	annotationsNamespaceKey        = flag.String(
+	logFname                        = flag.String("log-fname", "/var/log/tetragon-oci-hook.log", "log output filename")
+	logLevel                        = flag.String("log-level", "info", "log level")
+	agentAddress                    = flag.String("grpc-address", "unix:///var/run/cilium/tetragon/tetragon.sock", "gRPC address for connecting to the tetragon agent")
+	grpcTimeout                     = flag.Duration("grpc-timeout", 10*time.Second, "timeout for connecting to agent via gRPC")
+	disableGrpc                     = flag.Bool("disable-grpc", false, "do not connect to gRPC address. Instead, write a message to log")
+	annotationsNamespaceDefaultKeys = []string{"io.kubernetes.pod.namespace", "io.kubernetes.cri.sandbox-namespace"}
+	annotationsNamespaceKeys        = flag.StringSlice(
 		"annotations-namespace-key",
-		annotationsNamespaceDefaultKey,
+		annotationsNamespaceDefaultKeys,
 		"Runtime annotations  key for kubernetes namespace")
 	failCelUser = flag.String(
 		"fail-cel-expr",
@@ -215,6 +216,7 @@ func checkFail(log *logrus.Entry, annotations map[string]string) {
 		log.WithError(err).Fatal("failCheck failed")
 	}
 
+	log.Debugf("running fail check with annotations: %v", annotations)
 	fail, err := prog.RunFailCheck(annotations)
 	if err != nil {
 		log.WithError(err).Fatal("failCheck failed")
@@ -238,6 +240,12 @@ func main() {
 		MaxAge:     7, //days
 	})
 
+	if lvl, err := logrus.ParseLevel(*logLevel); err == nil {
+		log.SetLevel(lvl)
+	} else {
+		log.WithField("log-level", *logLevel).Warn("unknonwn log level, ignoring")
+	}
+
 	args := flag.Args()
 	if len(args) < 1 {
 		log.Warn("hook called without event, bailing out")