fix(plugins/container): guard against nil RuntimeSpec in CNI fallback

raajheshkannaa · poiana · commit fbfa300467af · 2026-05-19T16:05:05.000+02:00
containerd v2.3.0 (CRI API v0.36) does not populate the runtimeSpec field in sandbox info JSON. This field is cri-o specific. When CNIResult is also absent, the fallback branch dereferences a nil pointer in cniSandboxInfo.RuntimeSpec.Annotations and the plugin panics. All Falco DaemonSet pods on a containerd v2.3.0 node go into CrashLoopBackOff. Wrap the annotation lookup in a nil check, matching the existing pattern used for info.RuntimeSpec at cri.go:92 and :126. Closes #1353 Signed-off-by: Raajhesh Kannaa Chidambaram <495042+raajheshkannaa@users.noreply.github.com>
diff --git a/plugins/container/go-worker/pkg/container/cri.go b/plugins/container/go-worker/pkg/container/cri.go
@@ -240,8 +240,10 @@ func (c *criEngine) ctrToInfo(ctx context.Context, ctr *v1.ContainerStatus, podS
 				if err != nil {
 					cniJson = string(bytes)
 				}
-			} else if val, ok := cniInfo.RuntimeSpec.Annotations["io.kubernetes.cri-o.CNIResult"]; ok {
-				cniJson = val
+			} else if cniInfo.RuntimeSpec != nil {
+				if val, ok := cniInfo.RuntimeSpec.Annotations["io.kubernetes.cri-o.CNIResult"]; ok {
+					cniJson = val
+				}
 			}
 
 			if len(cniJson) > maxCNILen {

Original file line number	Diff line number	Diff line change
`@@ -240,8 +240,10 @@ func (c criEngine) ctrToInfo(ctx context.Context, ctr v1.ContainerStatus, podS`
`240`	`240`	`if err != nil {`
`241`	`241`	`cniJson = string(bytes)`
`242`	`242`	`}`
`243`		`- } else if val, ok := cniInfo.RuntimeSpec.Annotations["io.kubernetes.cri-o.CNIResult"]; ok {`
`244`		`- cniJson = val`
	`243`	`+ } else if cniInfo.RuntimeSpec != nil {`
	`244`	`+ if val, ok := cniInfo.RuntimeSpec.Annotations["io.kubernetes.cri-o.CNIResult"]; ok {`
	`245`	`+ cniJson = val`
	`246`	`+ }`
`245`	`247`	`}`
`246`	`248`
`247`	`249`	`if len(cniJson) > maxCNILen {`