Skip to content

inconsistent splitting of container image information #825

New issue
New issue
Open
Open
inconsistent splitting of container image information#825
Labels
kind/bugSomething isn't working
@crinjes

Description

@crinjes
crinjes
opened on Jun 4, 2025

Describe the bug

After updating to 0.41.0 using the 5.0.1 helm chart, some image repo/tag aren't parsed correctly, and now sometimes missing entirely.

image: internal.example.com:5000/foo/bar:1.2.3 becomes

  • container_image_repository=internal.example.com
  • container_image_tag=5000/foo/bar

image: registry.k8s.io/ingress-nginx/controller:v1.12.2@sha256:03497ee984628e95eca9b2279e3f3a3c1685dd48635479e627d219f00c8eefa9 becomes

  • container_image_repository=registry.k8s.io/ingress-nginx/controller@sha256
  • container_image_tag=03497ee984628e95eca9b2279e3f3a3c1685dd48635479e627d219f00c8eefa9

previously the repository was registry.k8s.io/ingress-nginx/controller

How to reproduce it

Expected behaviour

Screenshots

Environment

  • Falco version: 0.41.0
  • System info:
  • Cloud provider or hardware configuration:
  • OS:
  • Kernel:
  • Installation method: kubernetes

Additional context

2025-06-04T14:25:59+0000: Loading plugin 'container' from file /usr/share/falco/plugins/libcontainer.so
2025-06-04T14:25:59+0000: [libs]: container: Enabled 'docker' container engine.
2025-06-04T14:25:59+0000: [libs]: container: * enabled container runtime socket at '/host/var/run/docker.sock'
2025-06-04T14:25:59+0000: [libs]: container: Enabled 'cri' container engine.
2025-06-04T14:25:59+0000: [libs]: container: * enabled container runtime socket at '/host/run/crio/crio.sock'
2025-06-04T14:25:59+0000: [libs]: container: Enabled 'containerd' container engine.
2025-06-04T14:25:59+0000: [libs]: container: * enabled container runtime socket at '/host/run/containerd/containerd.sock'

Some of the generated config inside the pod:

container_engines:
  bpm:
    enabled: false
  cri:
    disable_async: false
    enabled: false
    sockets:
    - /run/containerd/containerd.sock
    - /run/crio/crio.sock
    - /run/k3s/containerd/containerd.sock
  docker:
    enabled: false
  libvirt_lxc:
    enabled: false
  lxc:
    enabled: false
  podman:
    enabled: false
load_plugins:
- container
plugins:
- init_config: null
  library_path: libk8saudit.so
  name: k8saudit
  open_params: http://:9765/k8s-audit
- library_path: libcloudtrail.so
  name: cloudtrail
- init_config: ""
  library_path: libjson.so
  name: json
- init_config:
    engines:
      bpm:
        enabled: false
      containerd:
        enabled: true
        sockets:
        - /run/containerd/containerd.sock
      cri:
        enabled: true
        sockets:
        - /run/crio/crio.sock
      docker:
        enabled: true
        sockets:
        - /var/run/docker.sock
      libvirt_lxc:
        enabled: false
      lxc:
        enabled: false
      podman:
        enabled: false
        sockets:
        - /run/podman/podman.sock
    hooks:
    - create
    label_max_len: 100
    with_size: false
  library_path: libcontainer.so
  name: container

Metadata

Metadata

Assignees

No one assigned

    Labels

    kind/bugSomething isn't working

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions