[v16] Workload ID: Podman Workload Attestation (#52980)

Backport #52192 to v16

Author: boxofrad

api/gen/proto/go/teleport/workloadidentity/v1/attrs.pb.go

@@ -49,6 +49,34 @@ message WorkloadAttrsUnix {
   uint32 uid = 4;
 }
 
+// Attributes sourced from the Podman workload attestor.
+message WorkloadAttrsPodman {
+  // Whether the workload passed Podman attestation.
+  bool attested = 1;
+  // Attributes of the container.
+  WorkloadAttrsPodmanContainer container = 2;
+  // Attributes of the pod, if the container is in one.
+  optional WorkloadAttrsPodmanPod pod = 3;
+}
+
+// Attributes of the container sourced from the Podman workload attestation.
+message WorkloadAttrsPodmanContainer {
+  // The name of the container.
+  string name = 1;
+  // The image the container is running.
+  string image = 2;
+  // The labels attached to the container.
+  map<string, string> labels = 3;
+}
+
+// Attributes of the pod sourced from the Podman workload attestation.
+message WorkloadAttrsPodmanPod {
+  // The name of the pod.
+  string name = 1;
+  // The labels attached to the pod.
+  map<string, string> labels = 2;
+}
+
 // The attributes provided by `tbot` regarding the workload's attestation.
 // This will be mostly unset if the workload has not requested credentials via
 // the SPIFFE Workload API.
@@ -57,6 +85,8 @@ message WorkloadAttrs {
   WorkloadAttrsUnix unix = 1;
   // The Kubernetes-specific attributes.
   WorkloadAttrsKubernetes kubernetes = 2;
+  // The Podman-specific attributes.
+  WorkloadAttrsPodman podman = 3;
 }
 
 // Attributes related to the user/bot making the request for a workload

api/proto/teleport/workloadidentity/v1/attrs.proto

@@ -42,6 +42,8 @@ services:
     attestors:
       kubernetes:
         enabled: false
+      podman:
+        enabled: false
   - type: example
     message: llama
   - type: ssh-multiplexer
@@ -66,6 +68,8 @@ services:
     attestors:
       kubernetes:
         enabled: false
+      podman:
+        enabled: false
     selector:
       name: my-workload-identity
   - type: workload-identity-jwt

lib/tbot/config/testdata/TestBotConfig_YAML/standard_config.golden

@@ -30,4 +30,6 @@ attestors:
       ca_path: /path/to/ca.pem
       skip_verify: true
       anonymous: true
+  podman:
+    enabled: false
 jwt_svid_ttl: 5m0s

lib/tbot/config/testdata/TestSPIFFEWorkloadAPIService_YAML/full.golden

@@ -5,3 +5,5 @@ svids:
 attestors:
   kubernetes:
     enabled: false
+  podman:
+    enabled: false

lib/tbot/config/testdata/TestSPIFFEWorkloadAPIService_YAML/minimal.golden

@@ -9,5 +9,7 @@ attestors:
       ca_path: /path/to/ca.pem
       skip_verify: true
       anonymous: true
+  podman:
+    enabled: false
 selector:
   name: my-workload-identity

lib/tbot/config/testdata/TestWorkloadIdentityAPIService_YAML/full.golden

@@ -3,5 +3,7 @@ listen: tcp://0.0.0.0:4040
 attestors:
   kubernetes:
     enabled: false
+  podman:
+    enabled: false
 selector:
   name: my-workload-identity

lib/tbot/config/testdata/TestWorkloadIdentityAPIService_YAML/minimal.golden

@@ -36,16 +36,24 @@ type attestor[T any] interface {
 type Attestor struct {
 	log        *slog.Logger
 	kubernetes attestor[*workloadidentityv1pb.WorkloadAttrsKubernetes]
+	podman     attestor[*workloadidentityv1pb.WorkloadAttrsPodman]
 	unix       attestor[*workloadidentityv1pb.WorkloadAttrsUnix]
 }
 
 // Config is the configuration for Attestor
 type Config struct {
 	Kubernetes KubernetesAttestorConfig `yaml:"kubernetes"`
+	Podman     PodmanAttestorConfig     `yaml:"podman"`
 }
 
 func (c *Config) CheckAndSetDefaults() error {
-	return trace.Wrap(c.Kubernetes.CheckAndSetDefaults(), "validating kubernetes")
+	if err := c.Kubernetes.CheckAndSetDefaults(); err != nil {
+		return trace.Wrap(err, "validating kubernetes")
+	}
+	if err := c.Podman.CheckAndSetDefaults(); err != nil {
+		return trace.Wrap(err, "validating podman")
+	}
+	return nil
 }
 
 // NewAttestor returns an Attestor from the given config.
@@ -57,6 +65,9 @@ func NewAttestor(log *slog.Logger, cfg Config) (*Attestor, error) {
 	if cfg.Kubernetes.Enabled {
 		att.kubernetes = NewKubernetesAttestor(cfg.Kubernetes, log)
 	}
+	if cfg.Podman.Enabled {
+		att.podman = NewPodmanAttestor(cfg.Podman, log)
+	}
 	return att, nil
 }
 
@@ -81,6 +92,12 @@ func (a *Attestor) Attest(ctx context.Context, pid int) (*workloadidentityv1pb.W
 			a.log.WarnContext(ctx, "Failed to perform Kubernetes workload attestation", "error", err)
 		}
 	}
+	if a.podman != nil {
+		attrs.Podman, err = a.podman.Attest(ctx, pid)
+		if err != nil {
+			a.log.WarnContext(ctx, "Failed to perform Podman workload attestation", "error", err)
+		}
+	}
 
 	return attrs, nil
 }

lib/tbot/workloadidentity/workloadattest/attest.go

@@ -0,0 +1,99 @@
+/*
+ * Teleport
+ * Copyright (C) 2025  Gravitational, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+package container
+
+import (
+	"path"
+	"strconv"
+
+	"github.com/gravitational/trace"
+	"k8s.io/utils/mount"
+)
+
+// Rootfulness describes whether a container was started by an unprivileged user
+// as in "rootless" Podman or by root. It's a best guess based on information
+// gleaned from procfs, not authoratative.
+type Rootfulness int
+
+const (
+	// RootfulnessUnknown means we were unable to infer whether the container is
+	// rootless or not.
+	RootfulnessUnknown Rootfulness = iota
+
+	// Rootful means the container was probably started by root.
+	Rootful
+
+	// Rootless means the container was probably started by an unprivileged user.
+	Rootless
+)
+
+// Info holds the information discovered about the container.
+type Info struct {
+	// ID is the container's  ID.
+	ID string
+
+	// PodID identifies to which "pod" the container belongs, in engines that
+	// support pods such as Kubernetes and Podman.
+	PodID string
+
+	// Rootfulness describes whether a container was started by an unprivileged
+	// user as in "rootless" Podman or by root. It's a best guess based on
+	// information gleaned from procfs, not authoratative.
+	Rootfulness Rootfulness
+}
+
+// Parser parses the cgroup mount path to extract the container and pod IDs.
+//
+// This information is encoded differently by the container runtimes.
+type Parser func(mountPath string) (*Info, error)
+
+// LookupPID discovers information about the container in which the process with
+// the given PID is running, by interrogating procfs.
+//
+// rootPath allows you to optionally override the system root path in tests,
+// pass an empty string to use the real root.
+func LookupPID(rootPath string, pid int, parser Parser) (*Info, error) {
+	info, err := mount.ParseMountInfo(
+		path.Join(rootPath, "/proc", strconv.Itoa(pid), "mountinfo"),
+	)
+	if err != nil {
+		return nil, trace.Wrap(err, "parsing mountinfo")
+	}
+
+	// Find the cgroup or cgroupv2 mount.
+	//
+	// For cgroup v2, we expect a single mount. But for cgroup v1, there will
+	// be one mount per subsystem, but regardless, they will all contain the
+	// same container ID/pod ID.
+	var cgroupMount mount.MountInfo
+	for _, m := range info {
+		if m.FsType == "cgroup" || m.FsType == "cgroup2" {
+			cgroupMount = m
+			break
+		}
+	}
+
+	ids, err := parser(cgroupMount.Root)
+	if err != nil {
+		return nil, trace.Wrap(
+			err, "parsing cgroup mount (root: %q)", cgroupMount.Root,
+		)
+	}
+	return ids, nil
+}

lib/tbot/workloadidentity/workloadattest/container/container.go

@@ -0,0 +1,135 @@
+/*
+ * Teleport
+ * Copyright (C) 2025  Gravitational, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+package container_test
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/gravitational/teleport/lib/tbot/workloadidentity/workloadattest/container"
+	"github.com/gravitational/teleport/lib/utils"
+)
+
+func TestLookupPID(t *testing.T) {
+	tests := map[string]struct {
+		parser   container.Parser
+		expected *container.Info
+		error    string
+	}{
+		"k8s-real-docker-desktop": {
+			parser: container.KubernetesParser,
+			expected: &container.Info{
+				PodID:       "941f292f-a62d-48ab-b9a8-eec84d87b928",
+				ID:          "3f79e718744418736d0f6b9958e08d44e969c6577068c33de1cc400d35aacec8",
+				Rootfulness: container.RootfulnessUnknown,
+			},
+		},
+		"k8s-real-orbstack": {
+			parser: container.KubernetesParser,
+			expected: &container.Info{
+				PodID:       "36827f77-691f-45aa-a470-0989cf3749c4",
+				ID:          "64dd9bf5199ff782835247cb072e4842dc3d0135ef02f6498cb6bb6f37a320d2",
+				Rootfulness: container.RootfulnessUnknown,
+			},
+		},
+		"k8s-real-k3s-ubuntu-v1.28.6+k3s2": {
+			parser: container.KubernetesParser,
+			expected: &container.Info{
+				PodID:       "fecd2321-17b5-49b9-9f75-8c5be777fbfb",
+				ID:          "397529d07efebd566f15dbc7e8af9f3ef586033f5e753adfa96b2bf730102c64",
+				Rootfulness: container.RootfulnessUnknown,
+			},
+		},
+		"k8s-real-gcp-v1.29.5-gke.1091002": {
+			parser: container.KubernetesParser,
+			expected: &container.Info{
+				PodID:       "61c266b0-6f75-4490-8d92-3c9ae4d02787",
+				ID:          "9da25af0b548c8c60aa60f77f299ba727bf72d58248bd7528eb5390ffcce555a",
+				Rootfulness: container.RootfulnessUnknown,
+			},
+		},
+		"podman-real-4.3.1-rootful-systemd-pod": {
+			parser: container.PodmanParser,
+			expected: &container.Info{
+				PodID:       "88c57f699ea2c137d7f19b7a6aaa5828072cf12207b56d7155f02d4ecade4510",
+				ID:          "4f6f96595778a052ebbd8e783156e347143cd79f81348d0995a0ffd5718c3393",
+				Rootfulness: container.Rootful,
+			},
+		},
+		"podman-real-4.3.1-rootful-systemd-container": {
+			parser: container.PodmanParser,
+			expected: &container.Info{
+				PodID:       "",
+				ID:          "12519ca1a57b8f58bc2a44f4e33e37eaf07c55a8d468ffb3db33f29d8d869186",
+				Rootfulness: container.Rootful,
+			},
+		},
+		"podman-real-4.3.1-rootless-systemd-pod": {
+			parser: container.PodmanParser,
+			expected: &container.Info{
+				PodID:       "5ffc3df0af9a6dd0f92668fc949734aad2ad41a5670b7218196d377d55ca32c5",
+				ID:          "d54768c18894b931db6f6876f6be2178d8a8b34fc3485659fda78fe86af3e08b",
+				Rootfulness: container.Rootless,
+			},
+		},
+		"podman-real-4.3.1-rootless-systemd-container": {
+			parser: container.PodmanParser,
+			expected: &container.Info{
+				PodID:       "",
+				ID:          "f89494c4c00e68029e176eb60c5be675f9b076b9ca63190678b27a2ef0d09d13",
+				Rootfulness: container.Rootless,
+			},
+		},
+		"podman-real-4.3.1-rootful-cgroupfs-container": {
+			parser: container.PodmanParser,
+			expected: &container.Info{
+				PodID:       "",
+				ID:          "1861a57278895fe0165c953c04e6c1082bcd73428776f5209616061d0022e881",
+				Rootfulness: container.Rootful,
+			},
+		},
+		"podman-real-4.3.1-rootless-cgroupfs-systemd-enabled-container": {
+			parser: container.PodmanParser,
+			error:  "--cgroup-manager cgroupfs",
+		},
+	}
+	for name, tc := range tests {
+		t.Run(name, func(t *testing.T) {
+			tempDir := t.TempDir()
+			require.NoError(t, os.MkdirAll(filepath.Join(tempDir, "proc", "1234"), 0755))
+			require.NoError(t, utils.CopyFile(
+				filepath.Join("testdata", "mountfile", name),
+				filepath.Join(tempDir, "proc", "1234", "mountinfo"),
+				0755),
+			)
+
+			info, err := container.LookupPID(tempDir, 1234, tc.parser)
+			if tc.error != "" {
+				require.ErrorContains(t, err, tc.error)
+			} else {
+				require.NoError(t, err)
+				assert.Equal(t, tc.expected, info)
+			}
+		})
+	}
+}