
feat(operator): Improve CRI socket detection#2487

Open

AryanBakliwal wants to merge 1 commit into kubearmor:main from AryanBakliwal:improve-cri-sock-detection

Conversation

@AryanBakliwal (Member) commented Mar 3, 2026

Purpose of PR?:

Fixes #2360

Does this PR introduce a breaking change?
No

If the changes in this PR are manually verified, list down the scenarios covered:

Additional information for reviewer?:
Mention if this PR is part of any design or a continuation of previous PRs

Checklist:

  • Bug fix.
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update
  • PR Title follows the convention of <type>(<scope>): <subject>
  • Commit has unit tests
  • Commit has integration tests

@AryanBakliwal force-pushed the improve-cri-sock-detection branch 2 times, most recently from 70ca32a to 7d42466 on March 5, 2026 05:07
@AryanBakliwal marked this pull request as ready for review March 5, 2026 05:18
@rksharma95 requested a review from achrefbensaad March 5, 2026 05:21
@AryanBakliwal force-pushed the improve-cri-sock-detection branch 4 times, most recently from 05805c1 to 5b4445c on March 6, 2026 03:58
@AryanBakliwal requested a review from rksharma95 March 6, 2026 04:08
@AryanBakliwal force-pushed the improve-cri-sock-detection branch from 5b4445c to 82c2dd4 on March 6, 2026 09:26
@AryanBakliwal force-pushed the improve-cri-sock-detection branch 6 times, most recently from 43b9d2e to 9663cd3 on March 9, 2026 08:20
Signed-off-by: Aryan Bakliwal <aryanbakliwal12345@gmail.com>
@AryanBakliwal force-pushed the improve-cri-sock-detection branch from 9663cd3 to fc4006c on March 11, 2026 07:18
@rksharma95 (Collaborator) left a comment

We'll need to handle it with kubearmor (k8s mode) as well. As snitch generates the daemonset with nodeselector labels containing both runtime and socket, we can make use of it. Or we can have another flag in addition to criSocket and use that.

```go
if cfg.GlobalCfg.UseOCIHooks &&
	(strings.Contains(dm.Node.ContainerRuntimeVersion, "cri-o") ||
		(strings.Contains(dm.Node.ContainerRuntimeVersion, "containerd") && dm.checkNRIAvailability() == nil)) {
	go dm.ListenToK8sHook()
} else if dm.checkNRIAvailability() == nil {
	// monitor NRI events
	go dm.MonitorNRIEvents()
} else if cfg.GlobalCfg.CRISocket != "" { // check if the CRI socket set while executing kubearmor exists
	trimmedSocket := strings.TrimPrefix(cfg.GlobalCfg.CRISocket, "unix://")
	if _, err := os.Stat(trimmedSocket); err != nil {
		dm.Logger.Warnf("Error while looking for CRI socket file: %s", err.Error())
		// destroy the daemon
		dm.DestroyKubeArmorDaemon()
		return
	}
	// monitor containers
	if strings.Contains(dm.Node.ContainerRuntimeVersion, "docker") || strings.Contains(cfg.GlobalCfg.CRISocket, "docker") {
		// update already deployed containers
		dm.GetAlreadyDeployedDockerContainers()
		// monitor docker events
		go dm.MonitorDockerEvents()
	} else if strings.Contains(dm.Node.ContainerRuntimeVersion, "containerd") || strings.Contains(cfg.GlobalCfg.CRISocket, "containerd") {
		// monitor containerd events
		go dm.MonitorContainerdEvents()
	} else if strings.Contains(dm.Node.ContainerRuntimeVersion, "cri-o") || strings.Contains(cfg.GlobalCfg.CRISocket, "cri-o") {
		// monitor crio events
		go dm.MonitorCrioEvents()
	} else {
		dm.Logger.Errf("Failed to monitor containers: %s is not a supported CRI socket.", cfg.GlobalCfg.CRISocket)
		// destroy the daemon
		dm.DestroyKubeArmorDaemon()
		return
	}
	dm.Logger.Printf("Using %s for monitoring containers", cfg.GlobalCfg.CRISocket)
} else { // CRI socket not set, we'll have to auto detect
	dm.Logger.Print("CRI socket not set. Trying to detect.")
	if strings.HasPrefix(dm.Node.ContainerRuntimeVersion, "docker") {
		socketFile := kl.GetCRISocket("docker")
		if socketFile != "" {
			cfg.GlobalCfg.CRISocket = "unix://" + socketFile
			// update already deployed containers
			dm.GetAlreadyDeployedDockerContainers()
			// monitor docker events
			go dm.MonitorDockerEvents()
		} else {
			// we might have to use containerd's socket as docker's socket is not
			// available
			socketFile := kl.GetCRISocket("containerd")
			if socketFile != "" {
				cfg.GlobalCfg.CRISocket = "unix://" + socketFile
				// monitor containerd events
				go dm.MonitorContainerdEvents()
			} else {
				dm.Logger.Err("Failed to monitor containers (Docker socket file is not accessible)")
				// destroy the daemon
				dm.DestroyKubeArmorDaemon()
				return
			}
		}
	} else if strings.HasPrefix(dm.Node.ContainerRuntimeVersion, "containerd") { // containerd
		socketFile := kl.GetCRISocket("containerd")
		if socketFile != "" {
			cfg.GlobalCfg.CRISocket = "unix://" + socketFile
			// monitor containerd events
			go dm.MonitorContainerdEvents()
		} else {
			dm.Logger.Err("Failed to monitor containers (Containerd socket file is not accessible)")
			// destroy the daemon
			dm.DestroyKubeArmorDaemon()
			return
		}
	} else if strings.HasPrefix(dm.Node.ContainerRuntimeVersion, "cri-o") { // cri-o
		socketFile := kl.GetCRISocket("cri-o")
		if socketFile != "" {
			cfg.GlobalCfg.CRISocket = "unix://" + socketFile
			// monitor cri-o events
			go dm.MonitorCrioEvents()
		} else {
			dm.Logger.Err("Failed to monitor containers (CRI-O socket file is not accessible)")
			// destroy the daemon
			dm.DestroyKubeArmorDaemon()
			return
```

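A self-contained model of the detection precedence in the snippet quoted above, added here as an illustration and not KubeArmor's own code: the explicit-socket path is validated and matched first, otherwise the runtime is inferred from the ContainerRuntimeVersion prefix with the docker-to-containerd fallback. The default socket paths and the `existsFn` hook standing in for `os.Stat` are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Assumed default socket path per runtime (not KubeArmor's own probe list).
var defaultSocket = map[string]string{
	"docker":     "/var/run/docker.sock",
	"containerd": "/run/containerd/containerd.sock",
	"cri-o":      "/var/run/crio/crio.sock",
}
var runtimes = []string{"docker", "containerd", "cri-o"} // fixed order, deterministic matching

// existsFn stands in for os.Stat so the detection logic can be exercised offline.
type existsFn func(path string) bool

// resolveCRISocket follows the quoted daemon code's precedence: an explicit
// socket must exist and name a known runtime; otherwise the runtime comes from
// the ContainerRuntimeVersion prefix, keeping the docker -> containerd fallback.
func resolveCRISocket(runtimeVersion, criSocket string, exists existsFn) (string, string, error) {
	if criSocket != "" {
		path := strings.TrimPrefix(criSocket, "unix://")
		if !exists(path) {
			return "", "", fmt.Errorf("configured CRI socket %q does not exist", path)
		}
		for _, rt := range runtimes {
			if strings.Contains(runtimeVersion, rt) || strings.Contains(criSocket, rt) {
				return rt, "unix://" + path, nil
			}
		}
		return "", "", fmt.Errorf("%s is not a supported CRI socket", criSocket)
	}
	for _, rt := range runtimes {
		if !strings.HasPrefix(runtimeVersion, rt) {
			continue
		}
		if exists(defaultSocket[rt]) {
			return rt, "unix://" + defaultSocket[rt], nil
		}
		// Docker nodes are often backed by containerd; try its socket before giving up.
		if rt == "docker" && exists(defaultSocket["containerd"]) {
			return "containerd", "unix://" + defaultSocket["containerd"], nil
		}
		return "", "", fmt.Errorf("%s socket file is not accessible", rt)
	}
	return "", "", fmt.Errorf("unknown container runtime %q", runtimeVersion)
}
```

Note that the explicit-socket branch in the snippet matches the literal "cri-o" against the socket path, which the conventional /var/run/crio/crio.sock does not contain, so that branch effectively relies on ContainerRuntimeVersion for CRI-O.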

Development

Successfully merging this pull request may close these issues.

improve CRI socket detection using operator

3 participants