From 7d4bf8313ecf6656504645a1f5af74c84d492f60 Mon Sep 17 00:00:00 2001
From: daemon1024
Date: Wed, 20 Sep 2023 22:55:39 +0530
Subject: [PATCH 1/2] fix(core): verify cri from both node info and cri socket

It is possible that runtime itself uses an arbitrary runtime names. Example robin platform uses robin as Container Runtime Version, in which case we depend on the CRISocket passed to KubeArmor for determining the CRI Version

Signed-off-by: daemon1024
---
 KubeArmor/core/kubeArmor.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/KubeArmor/core/kubeArmor.go b/KubeArmor/core/kubeArmor.go
index b377e5e79a..5e1bc2dd43 100644
--- a/KubeArmor/core/kubeArmor.go
+++ b/KubeArmor/core/kubeArmor.go
@@ -512,15 +512,15 @@ func KubeArmor() {
 	}
 	// monitor containers
-	if strings.Contains(dm.Node.ContainerRuntimeVersion, "docker") {
+	if strings.Contains(dm.Node.ContainerRuntimeVersion, "docker") || strings.Contains(cfg.GlobalCfg.CRISocket, "docker") {
 		// update already deployed containers
 		dm.GetAlreadyDeployedDockerContainers()
 		// monitor docker events
 		go dm.MonitorDockerEvents()
-	} else if strings.Contains(dm.Node.ContainerRuntimeVersion, "containerd") {
+	} else if strings.Contains(dm.Node.ContainerRuntimeVersion, "containerd") || strings.Contains(cfg.GlobalCfg.CRISocket, "containerd") {
 		// monitor containerd events
 		go dm.MonitorContainerdEvents()
-	} else if strings.Contains(dm.Node.ContainerRuntimeVersion, "cri-o") {
+	} else if strings.Contains(dm.Node.ContainerRuntimeVersion, "cri-o") || strings.Contains(cfg.GlobalCfg.CRISocket, "cri-o") {
 		// monitor crio events
 		go dm.MonitorCrioEvents()
 	} else {
From f49f40570da3fc33935f47d0b0392606cb5e77bf Mon Sep 17 00:00:00 2001
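Review bot: The docker branch now also matches on a substring of the full `cfg.GlobalCfg.CRISocket` path, and because it is tested first, a containerd socket whose path merely contains "docker" (Docker's bundled containerd is commonly served from a socket under /var/run/docker/) would start the Docker monitor instead of the containerd one; the same ordering applies to the two `else if` lines below it. Matching on the socket's basename, e.g. `sock := filepath.Base(cfg.GlobalCfg.CRISocket)` followed by `strings.Contains(sock, "docker")`, avoids the false match (path/filepath would need to be imported if it is not already). The socket check is ORed with the node-info check rather than used as a fallback, so when the two signals disagree the first matching branch wins silently; logging which signal selected the runtime would make a misconfigured socket visible, and the `// monitor containers` comment should say that node info is consulted first and the socket path is the secondary hint. The enclosing function KubeArmor continues outside the hunk on both sides.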
From: daemon1024
Date: Thu, 21 Sep 2023 02:30:02 +0530
Subject: [PATCH 2/2] fix(core): handle container ids in CRI agnostic way

there are CRI providers out there which use different CRI name such as robin instead of docker,containerd or crio this commit refactors the code to make it CRI agnostic

Signed-off-by: daemon1024
---
 KubeArmor/core/kubeUpdate.go | 13 +++----------
 1 file changed, 3 insertions(+), 10 deletions(-)

diff --git a/KubeArmor/core/kubeUpdate.go b/KubeArmor/core/kubeUpdate.go
index 957e50fe8d..32a3c542ad 100644
--- a/KubeArmor/core/kubeUpdate.go
+++ b/KubeArmor/core/kubeUpdate.go
@@ -583,16 +583,9 @@ func (dm *KubeArmorDaemon) WatchK8sPods() {
 			pod.ContainerImages = map[string]string{}
 			for _, container := range event.Object.Status.ContainerStatuses {
 				if len(container.ContainerID) > 0 {
-					if strings.HasPrefix(container.ContainerID, "docker://") {
-						containerID := strings.TrimPrefix(container.ContainerID, "docker://")
-						pod.Containers[containerID] = container.Name
-						pod.ContainerImages[containerID] = container.Image + kl.GetSHA256ofImage(container.ImageID)
-					} else if strings.HasPrefix(container.ContainerID, "containerd://") {
-						containerID := strings.TrimPrefix(container.ContainerID, "containerd://")
-						pod.Containers[containerID] = container.Name
-						pod.ContainerImages[containerID] = container.Image + kl.GetSHA256ofImage(container.ImageID)
-					} else if strings.HasPrefix(container.ContainerID, "cri-o://") {
-						containerID := strings.TrimPrefix(container.ContainerID, "cri-o://")
+					cid := strings.Split(container.ContainerID, "://")
+					if len(cid) == 2 { // always true because k8s spec defines format as '://'
+						containerID := cid[1]
 						pod.Containers[containerID] = container.Name
 						pod.ContainerImages[containerID] = container.Image + kl.GetSHA256ofImage(container.ImageID)
 					}
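Review bot: `strings.Split(container.ContainerID, "://")` guarded by `len(cid) == 2` silently drops any status whose ID does not split into exactly two parts, and the comment claiming this is "always true" hides that such a container would simply be absent from `pod.Containers` and `pod.ContainerImages` with nothing logged. The single-split form `_, containerID, ok := strings.Cut(container.ContainerID, "://")` (Go 1.18+) tolerates a `://` inside the ID part, and the `!ok` case should log the unparsed ID rather than be ignored, so a runtime emitting an unexpected format is noticed. The removed branches accepted only the three known prefixes while the new code accepts any; that is the intent of the commit but it deserves a comment such as `// ContainerID is "<runtime>://<id>"; the runtime prefix is deliberately ignored so unknown CRIs are handled too`. An ID consisting of the prefix alone still yields an empty-string key, as it did before the change. WatchK8sPods continues outside the hunk on both sides.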