cgidmap depends on cri for pod association

[kkourt]

#2776 Introduced pod association via cgroup ids.

Currently, there are two ways that the cgidmap can be updated.

By contacting the CRI:

tetragon/pkg/cgidmap/cri.go

Line 105 in 0bf690a

m.Add(id.podID, id.contID, cgID)

Or, in the runtime hooks:

tetragon/pkg/cgidmap/rthooks.go

Line 70 in 0bf690a

m.Add(podID, containerID, cgID)

This means that without --enable-cri being set, tetragon will not be able to do pod association for existing pods (even if runtime hooks are used).

This is reflected in the following warning:

level=warning msg="cgidmap is enabled but cri is not. This means that pod association will not work for existing pods. You can enable cri using --enable-cri"

One of the benefits of talking to the CRI is that it provides authoritative answers.

If --enable-cri is not set, we could scan the cgroup filesystem as we do in the policyfilter code:

tetragon/pkg/policyfilter/cgroupid.go

Lines 24 to 36 in 0bf690a

	func (s *cgfsFinder) findCgroupID(podID PodID, containerID string) (CgroupID, error) {
	path, err := s.FindContainerPath(uuid.UUID(podID), containerID)
	if errors.Is(err, fsscan.ErrContainerPathWithoutMatchingPodID) {
	s.log.WithFields(logrus.Fields{
	"pod-id": podID,
	"container-id": containerID,
	}).Info("FindCgroupID: found path without matching pod id, continuing.")
	} else if err != nil {
	return CgroupID(0), err
	}
	cgid, err := cgroups.GetCgroupIDFromSubCgroup(path)
	return CgroupID(cgid), err
	}