Saulparedes/genpolicy sync [DO NOT MERGE] #170
Closed
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add metadata containing the Policy annotation if the user didn't provide any metadata in the input yaml file. For a simple sanity test using a Kata CI YAML file: genpolicy -u -y job.yaml kubectl apply -f job.yaml kubectl get pods | grep job job-pi-test-64dxs 0/1 Completed 0 14s Fixes: kata-containers#8891 Signed-off-by: Dan Mihai <[email protected]>
Validating the node name is currently outside the scope of the CoCo policy. This change unblocks testing using Kata CI's test-pod-file-volume.yaml and pv-pod.yaml. Fixes: kata-containers#8888 Signed-off-by: Dan Mihai <[email protected]>
Allow Kata CI's pod-nested-configmap-secret.yaml to work with
genpolicy and current cbl-mariner images:
1. Ignore the optional type field of Secret input YAML files.
It's possible that CoCo will need a more sophisticated Policy
for Secrets, but this change at least unblocks CI testing for
already-existing genpolicy features.
2. Adapt the value of the settings field below to fit current CI
images for testing on cbl-mariner Hosts:
"kata_config": {
"confidential_guest": false
},
Switching this value from true to false instructs genpolicy to
expect ConfigMap volume mounts similar to:
"configMap": {
"mount_type": "bind",
"mount_source": "$(sfprefix)",
"mount_point": "^$(cpath)/watchable/$(bundle-id)-[a-z0-9]{16}-",
"driver": "watchable-bind",
"fstype": "bind",
"options": [
"rbind",
"rprivate",
"ro"
]
},
instead of:
"confidential_configMap": {
"mount_type": "bind",
"mount_source": "$(sfprefix)",
"mount_point": "$(sfprefix)",
"driver": "local",
"fstype": "bind",
"options": [
"rbind",
"rprivate",
"ro"
]
}
},
This settings change unblocks CI testing for ConfigMaps.
Simple sanity testing for these changes:
genpolicy -u -y pod-nested-configmap-secret.yaml
kubectl apply -f pod-nested-configmap-secret.yaml
kubectl get pods | grep config
nested-configmap-secret-pod 1/1 Running 0 26s
Fixes: kata-containers#8892
Signed-off-by: Dan Mihai <[email protected]>
The auto-generated Policy already allows these volumes to be mounted, regardless if they are: - Present, or - Missing and optional Fixes: kata-containers#8893 Signed-off-by: Dan Mihai <[email protected]>
Using custom input paths with -i is counter-intuitive. Simplify path handling with explicit flags for rules.rego and genpolicy-settings.json. Fixes: kata-containers#8568 Signed-Off-By: Malte Poll <[email protected]>
Allow users to specify in genpolicy-settings.json a default cluster namespace other than "default". For example, Kata CI uses as default namespace: "kata-containers-k8s-tests". Fixes: kata-containers#8976 Signed-off-by: Dan Mihai <[email protected]>
Kata CI's pod-sandbox-vcpus-allocation.yaml ends with "---", so the empty YAML document following that line should be ignored. To test this fix: genpolicy -u -y pod-sandbox-vcpus-allocation.yaml Fixes: kata-containers#8895 Signed-off-by: Dan Mihai <[email protected]>
The emergent Kata CI tests for Policy use confidential_guest = false
in genpolicy-settings.json. That value is inconsistent with the
following mount settings:
"emptyDir": {
"mount_type": "local",
"mount_source": "^$(cpath)/$(sandbox-id)/local/",
"mount_point": "^$(cpath)/$(sandbox-id)/local/",
"driver": "local",
"source": "local",
"fstype": "local",
"options": [
"mode=0777"
]
},
We need to keep those settings for confidential_guest = true, and
change confidential_guest = false to use:
"emptyDir": {
"mount_type": "local",
"mount_source": "^$(cpath)/$(sandbox-id)/rootfs/local/",
"mount_point": "^$(cpath)/$(sandbox-id)/local/",
"driver": "local",
"source": "local",
"fstype": "local",
"options": [
"mode=0777"
]
},
The value of the mount_source field is different.
This change unblocks testing using Kata CI's pod-empty-dir.yaml:
genpolicy -u -y pod-empty-dir.yaml
kubectl apply -f pod-empty-dir.yaml
k get pod sharevol-kata
NAME READY STATUS RESTARTS AGE
sharevol-kata 1/1 Running 0 53s
Fixes: kata-containers#8887
Signed-off-by: Dan Mihai <[email protected]>
1. Remove PullImageRequest because that is not used in the main branch. It was used in the CCv0 branch. 2. Add default false values for the remaining Kata Agent ttrpc requests. These changes don't change the functionality of the auto generated Policy, but they help with easier understanding the Policy text and the logging from the Rego rules. Fixes: kata-containers#9049 Signed-off-by: Dan Mihai <[email protected]>
For example, Kata CI's k8s-copy-file.bats transfers files between the Host and the Guest using "kubectl exec", and that results in CloseStdinRequest being called from the Host. Signed-off-by: Dan Mihai <[email protected]>
Additional logging from the ExecProcessRequest rules, for easier debugging. Signed-off-by: Dan Mihai <[email protected]>
Improve logging, for easier debugging. Fixes: kata-containers#9072 Signed-off-by: Dan Mihai <[email protected]>
Based on kata-containers/runtime#2812 Fixes: kata-containers#9145 Signed-off-by: Saul Paredes <[email protected]>
This adds support for sidecar container introduced in Kubernetes 1.28 Fixes: kata-containers#9220 Signed-off-by: Leonard Cohnen <[email protected]>
Kata CI has full debug output enabled for the cbl-mariner k8s tests, and the test AKS node is relatively slow. So debug prints from policy are expensive during CI. Fixes: kata-containers#9296 Signed-off-by: Dan Mihai <[email protected]>
|
Do not merge until changes in https://github.com/kata-containers/kata-containers/pull/9185/commits are incorporated |
danmihai1
requested changes
Apr 8, 2024
| # Use a custom path to `genpolicy` input files | ||
|
|
||
| By default, the `genpolicy` input files [`rules.rego`](rules.rego) and [`genpolicy-settings.json`](genpolicy-settings.json) must be present in the current directory - otherwise `genpolicy` returns an error. Users can specify a different path to these two files, using the `-i` command line parameter - e.g., | ||
| By default, the `genpolicy` input files [`rules.rego`](rules.rego) and [`genpolicy-settings.json`](genpolicy-settings.json) must be present in the current directory - otherwise `genpolicy` returns an error. Users can specify different paths to these two files, using the `-p` and `-j` command line parameters - e.g., |
There was a problem hiding this comment.
This breaking change requires a corresponding change in az confcom. Seth didn't mind making this change several weeks ago, but we need to sync up with him again.
|
|
||
| ```bash | ||
| $ genpolicy -i /tmp -y test.yaml | ||
| $ genpolicy -p /tmp/rules.rego -j /tmp/genpolicy-settings.json -y test.yaml |
There was a problem hiding this comment.
Do we need to update MSFT tests for this?
| "volumes": { | ||
| "emptyDir": { | ||
| "mount_type": "local", | ||
| "mount_source": "^$(cpath)/$(sandbox-id)/rootfs/local/", |
There was a problem hiding this comment.
These paths might need to change when using confidential=true at MSFT. They are probably specific to main code on Mariner, without confidential enabled.
| }, | ||
| "kata_config": { | ||
| "confidential_guest": true | ||
| "confidential_guest": false |
There was a problem hiding this comment.
I believe MSFT needs this to be true.
| panic!("Unsupported"); | ||
| } | ||
|
|
||
| fn get_namespace(&self) -> String { |
There was a problem hiding this comment.
Removing this code seems suspect at a quick look.
|
Closing for #171 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Merge Checklist
upstream-missinglabel (orupstream-not-needed) has been set on the PR.Summary
Associated issues
Links to CVEs
Test Methodology