From 9b04994a9dcc91e5dac4560cd6e15f0e50568111 Mon Sep 17 00:00:00 2001 From: Dan Mihai Date: Thu, 25 Jan 2024 15:12:07 +0000 Subject: [PATCH 01/15] genpolicy: optional PodTemplateSpec metadata field Add metadata containing the Policy annotation if the user didn't provide any metadata in the input yaml file. For a simple sanity test using a Kata CI YAML file: genpolicy -u -y job.yaml kubectl apply -f job.yaml kubectl get pods | grep job job-pi-test-64dxs 0/1 Completed 0 14s Fixes: #8891 Signed-off-by: Dan Mihai --- src/tools/genpolicy/src/daemon_set.rs | 7 +++++-- src/tools/genpolicy/src/deployment.rs | 7 +++++-- src/tools/genpolicy/src/job.rs | 7 +++++-- src/tools/genpolicy/src/pod.rs | 2 +- src/tools/genpolicy/src/pod_template.rs | 4 +++- src/tools/genpolicy/src/replica_set.rs | 7 +++++-- .../genpolicy/src/replication_controller.rs | 7 +++++-- src/tools/genpolicy/src/stateful_set.rs | 7 +++++-- src/tools/genpolicy/src/yaml.rs | 19 ++++++++++++++++--- 9 files changed, 50 insertions(+), 17 deletions(-) diff --git a/src/tools/genpolicy/src/daemon_set.rs b/src/tools/genpolicy/src/daemon_set.rs index 52a08ae70ec3..28c431678600 100644 --- a/src/tools/genpolicy/src/daemon_set.rs +++ b/src/tools/genpolicy/src/daemon_set.rs @@ -111,7 +111,7 @@ impl yaml::K8sResource for DaemonSet { } fn serialize(&mut self, policy: &str) -> String { - yaml::add_policy_annotation(&mut self.doc_mapping, "spec.template.metadata", policy); + yaml::add_policy_annotation(&mut self.doc_mapping, "spec.template", policy); serde_yaml::to_string(&self.doc_mapping).unwrap() } @@ -120,7 +120,10 @@ impl yaml::K8sResource for DaemonSet { } fn get_annotations(&self) -> &Option> { - &self.spec.template.metadata.annotations + if let Some(metadata) = &self.spec.template.metadata { + return &metadata.annotations; + } + &None } fn use_host_network(&self) -> bool { diff --git a/src/tools/genpolicy/src/deployment.rs b/src/tools/genpolicy/src/deployment.rs index a007164dd6d7..dc7bc4444c77 100644 
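Review bot: The new `get_annotations` body in daemon_set.rs spells a one-expression Option projection as an `if let` with an early `return` and a trailing `&None`, and the same six lines are repeated in deployment.rs, job.rs, replica_set.rs, replication_controller.rs and stateful_set.rs. A single expression reads as the accessor it is: `self.spec.template.metadata.as_ref().map_or(&None, |m| &m.annotations)` (the `&None` is a constant expression, so it promotes to a `'static` borrow exactly as in the current code). Better still, put that expression once on `PodTemplateSpec` as a small accessor so the six implementations call it and cannot drift apart. The `serialize` change to the `"spec.template"` path is the same in all six files and needs nothing further.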
--- a/src/tools/genpolicy/src/deployment.rs +++ b/src/tools/genpolicy/src/deployment.rs @@ -109,7 +109,7 @@ impl yaml::K8sResource for Deployment { } fn serialize(&mut self, policy: &str) -> String { - yaml::add_policy_annotation(&mut self.doc_mapping, "spec.template.metadata", policy); + yaml::add_policy_annotation(&mut self.doc_mapping, "spec.template", policy); serde_yaml::to_string(&self.doc_mapping).unwrap() } @@ -118,7 +118,10 @@ impl yaml::K8sResource for Deployment { } fn get_annotations(&self) -> &Option> { - &self.spec.template.metadata.annotations + if let Some(metadata) = &self.spec.template.metadata { + return &metadata.annotations; + } + &None } fn use_host_network(&self) -> bool { diff --git a/src/tools/genpolicy/src/job.rs b/src/tools/genpolicy/src/job.rs index d7ef7c7cd4b6..9145a0d24bbb 100644 --- a/src/tools/genpolicy/src/job.rs +++ b/src/tools/genpolicy/src/job.rs @@ -83,7 +83,7 @@ impl yaml::K8sResource for Job { } fn serialize(&mut self, policy: &str) -> String { - yaml::add_policy_annotation(&mut self.doc_mapping, "spec.template.metadata", policy); + yaml::add_policy_annotation(&mut self.doc_mapping, "spec.template", policy); serde_yaml::to_string(&self.doc_mapping).unwrap() } @@ -92,7 +92,10 @@ impl yaml::K8sResource for Job { } fn get_annotations(&self) -> &Option> { - &self.spec.template.metadata.annotations + if let Some(metadata) = &self.spec.template.metadata { + return &metadata.annotations; + } + &None } fn use_host_network(&self) -> bool { diff --git a/src/tools/genpolicy/src/pod.rs b/src/tools/genpolicy/src/pod.rs index 639daad999da..c10dcc84321a 100644 --- a/src/tools/genpolicy/src/pod.rs +++ b/src/tools/genpolicy/src/pod.rs @@ -842,7 +842,7 @@ impl yaml::K8sResource for Pod { } fn serialize(&mut self, policy: &str) -> String { - yaml::add_policy_annotation(&mut self.doc_mapping, "metadata", policy); + yaml::add_policy_annotation(&mut self.doc_mapping, "", policy); serde_yaml::to_string(&self.doc_mapping).unwrap() } 
diff --git a/src/tools/genpolicy/src/pod_template.rs b/src/tools/genpolicy/src/pod_template.rs index f4b7c6c2eb64..37933c2d38b4 100644 --- a/src/tools/genpolicy/src/pod_template.rs +++ b/src/tools/genpolicy/src/pod_template.rs @@ -23,6 +23,8 @@ pub struct PodTemplate { /// Reference / Kubernetes API / Workload / Resources / PodTemplate. #[derive(Clone, Debug, Serialize, Deserialize)] pub struct PodTemplateSpec { - pub metadata: obj_meta::ObjectMeta, + #[serde(skip_serializing_if = "Option::is_none")] + pub metadata: Option, + pub spec: pod::PodSpec, } diff --git a/src/tools/genpolicy/src/replica_set.rs b/src/tools/genpolicy/src/replica_set.rs index 78374f9b33e2..db665d36fa7a 100644 --- a/src/tools/genpolicy/src/replica_set.rs +++ b/src/tools/genpolicy/src/replica_set.rs @@ -81,7 +81,7 @@ impl yaml::K8sResource for ReplicaSet { } fn serialize(&mut self, policy: &str) -> String { - yaml::add_policy_annotation(&mut self.doc_mapping, "spec.template.metadata", policy); + yaml::add_policy_annotation(&mut self.doc_mapping, "spec.template", policy); serde_yaml::to_string(&self.doc_mapping).unwrap() } @@ -90,7 +90,10 @@ impl yaml::K8sResource for ReplicaSet { } fn get_annotations(&self) -> &Option> { - &self.spec.template.metadata.annotations + if let Some(metadata) = &self.spec.template.metadata { + return &metadata.annotations; + } + &None } fn use_host_network(&self) -> bool { diff --git a/src/tools/genpolicy/src/replication_controller.rs b/src/tools/genpolicy/src/replication_controller.rs index 3db54ac3d303..8079f0cc846d 100644 --- a/src/tools/genpolicy/src/replication_controller.rs +++ b/src/tools/genpolicy/src/replication_controller.rs 
@@ -83,7 +83,7 @@ impl yaml::K8sResource for ReplicationController { } fn serialize(&mut self, policy: &str) -> String { - yaml::add_policy_annotation(&mut self.doc_mapping, "spec.template.metadata", policy); + yaml::add_policy_annotation(&mut self.doc_mapping, "spec.template", policy); serde_yaml::to_string(&self.doc_mapping).unwrap() } @@ -92,7 +92,10 @@ impl yaml::K8sResource for ReplicationController { } fn get_annotations(&self) -> &Option> { - &self.spec.template.metadata.annotations + if let Some(metadata) = &self.spec.template.metadata { + return &metadata.annotations; + } + &None } fn use_host_network(&self) -> bool { diff --git a/src/tools/genpolicy/src/stateful_set.rs b/src/tools/genpolicy/src/stateful_set.rs index a58c554f1fcb..43cd1896a998 100644 --- a/src/tools/genpolicy/src/stateful_set.rs +++ b/src/tools/genpolicy/src/stateful_set.rs @@ -156,7 +156,7 @@ impl yaml::K8sResource for StatefulSet { } fn serialize(&mut self, policy: &str) -> String { - yaml::add_policy_annotation(&mut self.doc_mapping, "spec.template.metadata", policy); + yaml::add_policy_annotation(&mut self.doc_mapping, "spec.template", policy); serde_yaml::to_string(&self.doc_mapping).unwrap() } @@ -165,7 +165,10 @@ impl yaml::K8sResource for StatefulSet { } fn get_annotations(&self) -> &Option> { - &self.spec.template.metadata.annotations + if let Some(metadata) = &self.spec.template.metadata { + return &metadata.annotations; + } + &None } fn use_host_network(&self) -> bool { diff --git a/src/tools/genpolicy/src/yaml.rs b/src/tools/genpolicy/src/yaml.rs index d445c968932d..964560aea7ef 100644 --- a/src/tools/genpolicy/src/yaml.rs +++ b/src/tools/genpolicy/src/yaml.rs 
@@ -271,10 +271,23 @@ pub fn add_policy_annotation( let policy_key = serde_yaml::Value::String("io.katacontainers.config.agent.policy".to_string()); let policy_value = serde_yaml::Value::String(policy.to_string()); - let path_components = metadata_path.split('.'); - for name in path_components { - ancestor = ancestor.get_mut(name).unwrap(); + if !metadata_path.is_empty() { + let path_components = metadata_path.split('.'); + for name in path_components { + ancestor = ancestor.get_mut(name).unwrap(); + } + } + + // Add metadata to the output if the input YAML didn't include it. + let metadata = "metadata"; + if ancestor.get(metadata).is_none() { + let new_mapping = serde_yaml::Value::Mapping(serde_yaml::Mapping::new()); + ancestor + .as_mapping_mut() + .unwrap() + .insert(serde_yaml::Value::String(metadata.to_string()), new_mapping); } + ancestor = ancestor.get_mut(metadata).unwrap(); if let Some(annotations) = ancestor.get_mut(&annotations_key) { if let Some(annotation) = annotations.get_mut(&policy_key) { From 7868fdbb1630ff87b9aded6b50f36a7ea101af61 Mon Sep 17 00:00:00 2001 From: Dan Mihai Date: Fri, 26 Jan 2024 16:30:55 +0000 Subject: [PATCH 02/15] genpolicy: ignore the nodeName field Validating the node name is currently outside the scope of the CoCo policy. This change unblocks testing using Kata CI's test-pod-file-volume.yaml and pv-pod.yaml. Fixes: #8888 Signed-off-by: Dan Mihai --- src/tools/genpolicy/src/pod.rs | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/tools/genpolicy/src/pod.rs b/src/tools/genpolicy/src/pod.rs index c10dcc84321a..08ebb9b63e79 100644 --- a/src/tools/genpolicy/src/pod.rs +++ b/src/tools/genpolicy/src/pod.rs @@ -59,6 +59,9 @@ pub struct PodSpec { #[serde(skip_serializing_if = "Option::is_none")] pub volumes: Option>, + #[serde(skip_serializing_if = "Option::is_none")] + nodeName: Option, + #[serde(skip_serializing_if = "Option::is_none")] serviceAccountName: Option, 
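Review bot: The `ancestor.get(metadata).is_none()` check only covers a missing `metadata` key; a template that writes `metadata:` with no value deserializes to `Value::Null`, so no mapping is inserted and the annotation lookup that follows on the new `ancestor` operates on a null, which presumably ends in the `as_mapping_mut().unwrap()` path outside this hunk. Testing for a mapping handles both cases: `if !ancestor.get(metadata).map_or(false, serde_yaml::Value::is_mapping) {` (a null `metadata` is replaced by an empty mapping, which is what the input meant). The `unwrap()` on `ancestor.get_mut(name)` and on `as_mapping_mut()` also fail on user-supplied YAML with no indication of which path component was missing; an `expect` naming the component, or a `panic!` that prints `metadata_path`, matches the tool's existing error style. `add_policy_annotation` begins and continues outside the hunk, so the annotation-insertion branch I refer to is inferred from the lines shown.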
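Review bot: `nodeName` is accepted but deliberately not enforced, and nothing at the field says so; the next reader will wonder whether its absence from the Policy is an oversight. A comment on the field records the decision the commit message states: `// Accepted but not validated by the Policy: node placement is out of scope for now (#8888).`. The field is private and has no other use in the hunk, so the comment is the only place the intent survives.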
From 3cc0745d6c10bd8afb48d14673af5fcfc4d9905d Mon Sep 17 00:00:00 2001 From: Dan Mihai Date: Fri, 26 Jan 2024 01:20:00 +0000 Subject: [PATCH 03/15] genpolicy: fix ConfigMap volume mount paths Allow Kata CI's pod-nested-configmap-secret.yaml to work with genpolicy and current cbl-mariner images: 1. Ignore the optional type field of Secret input YAML files. It's possible that CoCo will need a more sophisticated Policy for Secrets, but this change at least unblocks CI testing for already-existing genpolicy features. 2. Adapt the value of the settings field below to fit current CI images for testing on cbl-mariner Hosts: "kata_config": { "confidential_guest": false }, Switching this value from true to false instructs genpolicy to expect ConfigMap volume mounts similar to: "configMap": { "mount_type": "bind", "mount_source": "$(sfprefix)", "mount_point": "^$(cpath)/watchable/$(bundle-id)-[a-z0-9]{16}-", "driver": "watchable-bind", "fstype": "bind", "options": [ "rbind", "rprivate", "ro" ] }, instead of: "confidential_configMap": { "mount_type": "bind", "mount_source": "$(sfprefix)", "mount_point": "$(sfprefix)", "driver": "local", "fstype": "bind", "options": [ "rbind", "rprivate", "ro" ] } }, This settings change unblocks CI testing for ConfigMaps. Simple sanity testing for these changes: genpolicy -u -y pod-nested-configmap-secret.yaml kubectl apply -f pod-nested-configmap-secret.yaml kubectl get pods | grep config nested-configmap-secret-pod 1/1 Running 0 26s Fixes: #8892 Signed-off-by: Dan Mihai --- src/tools/genpolicy/genpolicy-settings.json | 2 +- src/tools/genpolicy/src/secret.rs | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json index 7a732b106955..55ad3bf7b8fd 100644 --- a/src/tools/genpolicy/genpolicy-settings.json +++ b/src/tools/genpolicy/genpolicy-settings.json 
@@ -277,7 +277,7 @@ ] }, "kata_config": { - "confidential_guest": true + "confidential_guest": false }, "request_defaults": { "CreateContainerRequest": { diff --git a/src/tools/genpolicy/src/secret.rs b/src/tools/genpolicy/src/secret.rs index 191ed6426ce0..00031b2b28c4 100644 --- a/src/tools/genpolicy/src/secret.rs +++ b/src/tools/genpolicy/src/secret.rs @@ -33,6 +33,9 @@ pub struct Secret { #[serde(skip_serializing_if = "Option::is_none")] immutable: Option, + + #[serde(skip_serializing_if = "Option::is_none")] + r#type: Option, // TODO: additional fields. } From 9fca5234ea4b84fcd2be817b18ba5afd532d03f1 Mon Sep 17 00:00:00 2001 From: Dan Mihai Date: Tue, 30 Jan 2024 02:21:11 +0000 Subject: [PATCH 04/15] genpolicy: ignore volume configMap optional field The auto-generated Policy already allows these volumes to be mounted, regardless if they are: - Present, or - Missing and optional Fixes: #8893 Signed-off-by: Dan Mihai --- src/tools/genpolicy/src/volume.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/src/tools/genpolicy/src/volume.rs b/src/tools/genpolicy/src/volume.rs index b4336a85a9bd..0bb908a81c2f 100644 --- a/src/tools/genpolicy/src/volume.rs +++ b/src/tools/genpolicy/src/volume.rs @@ -71,6 +71,7 @@ pub struct PersistentVolumeClaimVolumeSource { pub struct ConfigMapVolumeSource { pub name: String, pub items: Option>, + optional: Option, // TODO: additional fields. } From 98c5af6147c42c8e8c3292dbac5af413eba279f0 Mon Sep 17 00:00:00 2001 
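Review bot: Flipping the shipped `confidential_guest` default from `true` to `false` changes the mount expectations baked into every generated Policy, not only the CI runs the commit message targets; per that same message, a ConfigMap volume is now expected as a `watchable-bind` mount rather than the `confidential_configMap` form. A user generating a Policy for a confidential guest from the unmodified file will presumably get a Policy that does not match their runtime, and the JSON carries no hint that this knob was tuned for CI. Since JSON has no comments, the safer shape is to keep the distributed file at `true` and have CI pass its own settings file via `-j`, or at least to call the new default out in genpolicy-advanced-command-line-parameters.md next to the `-j` description.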
From: Malte Poll <1780588+malt3@users.noreply.github.com> Date: Mon, 29 Jan 2024 09:49:07 +0100 Subject: [PATCH 05/15] genpolicy: allow separate paths for rules and settings files Using custom input paths with -i is counter-intuitive. Simplify path handling with explicit flags for rules.rego and genpolicy-settings.json. Fixes: #8568 Signed-Off-By: Malte Poll <1780588+malt3@users.noreply.github.com> --- ...policy-advanced-command-line-parameters.md | 4 +-- src/tools/genpolicy/src/policy.rs | 8 ++--- src/tools/genpolicy/src/settings.rs | 8 ++--- src/tools/genpolicy/src/utils.rs | 31 +++++++------------ 4 files changed, 22 insertions(+), 29 deletions(-) diff --git a/src/tools/genpolicy/genpolicy-advanced-command-line-parameters.md b/src/tools/genpolicy/genpolicy-advanced-command-line-parameters.md index a0fe3a9f2087..ec18a258ea3a 100644 --- a/src/tools/genpolicy/genpolicy-advanced-command-line-parameters.md +++ b/src/tools/genpolicy/genpolicy-advanced-command-line-parameters.md @@ -83,10 +83,10 @@ $ genpolicy -j my-settings.json -y test.yaml # Use a custom path to `genpolicy` input files -By default, the `genpolicy` input files [`rules.rego`](rules.rego) and [`genpolicy-settings.json`](genpolicy-settings.json) must be present in the current directory - otherwise `genpolicy` returns an error. Users can specify a different path to these two files, using the `-i` command line parameter - e.g., +By default, the `genpolicy` input files [`rules.rego`](rules.rego) and [`genpolicy-settings.json`](genpolicy-settings.json) must be present in the current directory - otherwise `genpolicy` returns an error. Users can specify different paths to these two files, using the `-p` and `-j` command line parameters - e.g., ```bash -$ genpolicy -i /tmp -y test.yaml +$ genpolicy -p /tmp/rules.rego -j /tmp/genpolicy-settings.json -y test.yaml ``` # Silently ignore unsupported input `YAML` fields 
diff --git a/src/tools/genpolicy/src/policy.rs b/src/tools/genpolicy/src/policy.rs index 379a9e95ccc1..8af7457d3ad7 100644 --- a/src/tools/genpolicy/src/policy.rs +++ b/src/tools/genpolicy/src/policy.rs @@ -405,7 +405,7 @@ impl AgentPolicy { resources.push(resource); } - let settings = settings::Settings::new(&config.settings_file); + let settings = settings::Settings::new(&config.json_settings_path); if let Some(config_map_files) = &config.config_map_files { for file in config_map_files { @@ -413,7 +413,7 @@ impl AgentPolicy { } } - if let Ok(rules) = read_to_string(&config.rules_file) { + if let Ok(rules) = read_to_string(&config.rego_rules_path) { Ok(AgentPolicy { resources, rules, @@ -423,8 +423,8 @@ impl AgentPolicy { config: config.clone(), }) } else { - panic!("Cannot open file {}. Please copy it to the current directory or specify the path to it using the -i parameter.", - &config.rules_file); + panic!("Cannot open file {}. Please copy it to the current directory or specify the path to it using the -p parameter.", + &config.rego_rules_path); } } diff --git a/src/tools/genpolicy/src/settings.rs b/src/tools/genpolicy/src/settings.rs index fc3acc97fb2f..13d10fd06553 100644 --- a/src/tools/genpolicy/src/settings.rs +++ b/src/tools/genpolicy/src/settings.rs @@ -66,15 +66,15 @@ pub struct KataConfig { } impl Settings { - pub fn new(settings_file: &str) -> Self { + pub fn new(json_settings_path: &str) -> Self { debug!("Loading settings file..."); - if let Ok(file) = File::open(settings_file) { + if let Ok(file) = File::open(json_settings_path) { let settings: Self = serde_json::from_reader(file).unwrap(); debug!("settings = {:?}", &settings); settings } else { - panic!("Cannot open file {}. Please copy it to the current directory or specify the path to it using the -i parameter.", - settings_file); + panic!("Cannot open file {}. Please copy it to the current directory or specify the path to it using the -p parameter.", + json_settings_path); } } 
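Review bot: The new panic text in `Settings::new` tells the user to pass the settings file with `-p`, but this commit assigns `-p` to the rego rules path and `-j` to `json_settings_path` (utils.rs, `short = 'j'`); the message should read `panic!("Cannot open file {}. Please copy it to the current directory or specify the path to it using the -j parameter.", json_settings_path);`. The parallel message in policy.rs for the rules file correctly names `-p`. A user following the message as written would presumably point `-p` at the JSON file and then hit the rules-file error instead of fixing the settings path.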
diff --git a/src/tools/genpolicy/src/utils.rs b/src/tools/genpolicy/src/utils.rs index 0bb6ce723050..34b2e53cc523 100644 --- a/src/tools/genpolicy/src/utils.rs +++ b/src/tools/genpolicy/src/utils.rs @@ -4,7 +4,6 @@ // use clap::Parser; -use log::debug; #[derive(Debug, Parser)] struct CommandLineOptions { @@ -23,20 +22,20 @@ struct CommandLineOptions { config_map_file: Option, #[clap( - short = 'j', + short = 'p', long, - default_value_t = String::from("genpolicy-settings.json"), - help = "genpolicy settings file name" + default_value_t = String::from("rules.rego"), + help = "Path to rego rules file" )] - settings_file_name: String, + rego_rules_path: String, #[clap( - short, + short = 'j', long, - default_value_t = String::from("."), - help = "Path to the rules.rego and settings input files" + default_value_t = String::from("genpolicy-settings.json"), + help = "Path to genpolicy settings file" )] - input_files_path: String, + json_settings_path: String, #[clap( short, @@ -73,8 +72,8 @@ pub struct Config { pub use_cache: bool, pub yaml_file: Option, - pub rules_file: String, - pub settings_file: String, + pub rego_rules_path: String, + pub json_settings_path: String, pub config_map_files: Option>, pub silent_unsupported_fields: bool, @@ -97,17 +96,11 @@ impl Config { None }; - let rules_file = format!("{}/rules.rego", &args.input_files_path); - debug!("Rules file: {rules_file}"); - - let settings_file = format!("{}/{}", &args.input_files_path, &args.settings_file_name); - debug!("Settings file: {settings_file}"); - Self { use_cache: args.use_cached_files, yaml_file: args.yaml_file, - rules_file, - settings_file, + rego_rules_path: args.rego_rules_path, + json_settings_path: args.json_settings_path, config_map_files: cm_files, silent_unsupported_fields: args.silent_unsupported_fields, raw_out: args.raw_out, From b03927aaa65537460541c564bf126b3d0f34de0f Mon Sep 17 00:00:00 2001 
From: Dan Mihai Date: Wed, 31 Jan 2024 15:47:01 +0000 Subject: [PATCH 06/15] genpolicy: support non-default namespace name Allow users to specify in genpolicy-settings.json a default cluster namespace other than "default". For example, Kata CI uses as default namespace: "kata-containers-k8s-tests". Fixes: #8976 Signed-off-by: Dan Mihai --- src/tools/genpolicy/genpolicy-settings.json | 3 +++ src/tools/genpolicy/src/config_map.rs | 4 ---- src/tools/genpolicy/src/daemon_set.rs | 2 +- src/tools/genpolicy/src/deployment.rs | 2 +- src/tools/genpolicy/src/job.rs | 2 +- src/tools/genpolicy/src/list.rs | 4 ---- src/tools/genpolicy/src/no_policy.rs | 4 ---- src/tools/genpolicy/src/obj_meta.rs | 10 +++------- src/tools/genpolicy/src/pod.rs | 2 +- src/tools/genpolicy/src/policy.rs | 12 +++++++++++- src/tools/genpolicy/src/replica_set.rs | 2 +- src/tools/genpolicy/src/replication_controller.rs | 2 +- src/tools/genpolicy/src/secret.rs | 4 ---- src/tools/genpolicy/src/settings.rs | 1 + src/tools/genpolicy/src/stateful_set.rs | 2 +- src/tools/genpolicy/src/yaml.rs | 4 +++- 16 files changed, 28 insertions(+), 32 deletions(-) diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json index 55ad3bf7b8fd..bc3079c3c2cb 100644 --- a/src/tools/genpolicy/genpolicy-settings.json +++ b/src/tools/genpolicy/genpolicy-settings.json @@ -279,6 +279,9 @@ "kata_config": { "confidential_guest": false }, + "cluster_config": { + "default_namespace": "default" + }, "request_defaults": { "CreateContainerRequest": { "allow_env_regex": [ diff --git a/src/tools/genpolicy/src/config_map.rs b/src/tools/genpolicy/src/config_map.rs index 09e96481acf3..a27ec8b08d0e 100644 --- a/src/tools/genpolicy/src/config_map.rs +++ b/src/tools/genpolicy/src/config_map.rs 
@@ -116,10 +116,6 @@ impl yaml::K8sResource for ConfigMap { panic!("Unsupported"); } - fn get_namespace(&self) -> String { - panic!("Unsupported"); - } - fn get_container_mounts_and_storages( &self, _policy_mounts: &mut Vec, diff --git a/src/tools/genpolicy/src/daemon_set.rs b/src/tools/genpolicy/src/daemon_set.rs index 28c431678600..a4a25bd0a947 100644 --- a/src/tools/genpolicy/src/daemon_set.rs +++ b/src/tools/genpolicy/src/daemon_set.rs @@ -84,7 +84,7 @@ impl yaml::K8sResource for DaemonSet { None } - fn get_namespace(&self) -> String { + fn get_namespace(&self) -> Option { self.metadata.get_namespace() } diff --git a/src/tools/genpolicy/src/deployment.rs b/src/tools/genpolicy/src/deployment.rs index dc7bc4444c77..0c59af276839 100644 --- a/src/tools/genpolicy/src/deployment.rs +++ b/src/tools/genpolicy/src/deployment.rs @@ -82,7 +82,7 @@ impl yaml::K8sResource for Deployment { None } - fn get_namespace(&self) -> String { + fn get_namespace(&self) -> Option { self.metadata.get_namespace() } diff --git a/src/tools/genpolicy/src/job.rs b/src/tools/genpolicy/src/job.rs index 9145a0d24bbb..b2972f9bfd05 100644 --- a/src/tools/genpolicy/src/job.rs +++ b/src/tools/genpolicy/src/job.rs @@ -56,7 +56,7 @@ impl yaml::K8sResource for Job { None } - fn get_namespace(&self) -> String { + fn get_namespace(&self) -> Option { self.metadata.get_namespace() } diff --git a/src/tools/genpolicy/src/list.rs b/src/tools/genpolicy/src/list.rs index 26f13818297b..7e4131ae91dc 100644 --- a/src/tools/genpolicy/src/list.rs +++ b/src/tools/genpolicy/src/list.rs @@ -53,10 +53,6 @@ impl yaml::K8sResource for List { panic!("Unsupported"); } - fn get_namespace(&self) -> String { - panic!("Unsupported"); - } - fn get_container_mounts_and_storages( &self, _policy_mounts: &mut Vec, diff --git a/src/tools/genpolicy/src/no_policy.rs b/src/tools/genpolicy/src/no_policy.rs index ae8443934579..c56e154b534a 100644 --- a/src/tools/genpolicy/src/no_policy.rs +++ b/src/tools/genpolicy/src/no_policy.rs 
@@ -34,10 +34,6 @@ impl yaml::K8sResource for NoPolicyResource { panic!("Unsupported"); } - fn get_namespace(&self) -> String { - panic!("Unsupported"); - } - fn get_container_mounts_and_storages( &self, _policy_mounts: &mut Vec, diff --git a/src/tools/genpolicy/src/obj_meta.rs b/src/tools/genpolicy/src/obj_meta.rs index e8c55452f103..3da75fc0ff67 100644 --- a/src/tools/genpolicy/src/obj_meta.rs +++ b/src/tools/genpolicy/src/obj_meta.rs @@ -33,17 +33,13 @@ impl ObjectMeta { if let Some(name) = &self.name { name.clone() } else if self.generateName.is_some() { - return "$(generated-name)".to_string(); + "$(generated-name)".to_string() } else { String::new() } } - pub fn get_namespace(&self) -> String { - if let Some(namespace) = &self.namespace { - namespace.clone() - } else { - "default".to_string() - } + pub fn get_namespace(&self) -> Option { + self.namespace.as_ref().cloned() } } diff --git a/src/tools/genpolicy/src/pod.rs b/src/tools/genpolicy/src/pod.rs index 08ebb9b63e79..ae3fb2ed0a38 100644 --- a/src/tools/genpolicy/src/pod.rs +++ b/src/tools/genpolicy/src/pod.rs @@ -818,7 +818,7 @@ impl yaml::K8sResource for Pod { panic!("No pod name."); } - fn get_namespace(&self) -> String { + fn get_namespace(&self) -> Option { self.metadata.get_namespace() } diff --git a/src/tools/genpolicy/src/policy.rs b/src/tools/genpolicy/src/policy.rs index 8af7457d3ad7..70ec3a2a9005 100644 --- a/src/tools/genpolicy/src/policy.rs +++ b/src/tools/genpolicy/src/policy.rs @@ -372,6 +372,11 @@ pub struct SandboxData { pub storages: Vec, } +#[derive(Clone, Debug, Serialize, Deserialize)] +pub struct ClusterConfig { + default_namespace: String, +} + impl AgentPolicy { pub async fn from_files(config: &utils::Config) -> Result { let mut config_maps = Vec::new(); 
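Review bot: `self.namespace.as_ref().cloned()` in the new `get_namespace` is the long way to write `self.namespace.clone()`; the two are identical for an `Option<String>` field and clippy has a lint for the former. The `"default"` fallback that used to live here now depends on `cluster_config.default_namespace` in policy.rs, so a one-line doc on the method would help the next reader: `/// Namespace from the input YAML only; the cluster default is applied by the policy generator.`.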
@@ -486,7 +491,12 @@ impl AgentPolicy { let mut root = c_settings.Root.clone(); root.Readonly = yaml_container.read_only_root_filesystem(); - let namespace = resource.get_namespace(); + let namespace = if let Some(ns) = resource.get_namespace() { + ns + } else { + self.settings.cluster_config.default_namespace.clone() + }; + let use_host_network = resource.use_host_network(); let annotations = get_container_annotations( resource, diff --git a/src/tools/genpolicy/src/replica_set.rs b/src/tools/genpolicy/src/replica_set.rs index db665d36fa7a..1830f8909883 100644 --- a/src/tools/genpolicy/src/replica_set.rs +++ b/src/tools/genpolicy/src/replica_set.rs @@ -54,7 +54,7 @@ impl yaml::K8sResource for ReplicaSet { None } - fn get_namespace(&self) -> String { + fn get_namespace(&self) -> Option { self.metadata.get_namespace() } diff --git a/src/tools/genpolicy/src/replication_controller.rs b/src/tools/genpolicy/src/replication_controller.rs index 8079f0cc846d..1f5866e147ee 100644 --- a/src/tools/genpolicy/src/replication_controller.rs +++ b/src/tools/genpolicy/src/replication_controller.rs @@ -56,7 +56,7 @@ impl yaml::K8sResource for ReplicationController { None } - fn get_namespace(&self) -> String { + fn get_namespace(&self) -> Option { self.metadata.get_namespace() } diff --git a/src/tools/genpolicy/src/secret.rs b/src/tools/genpolicy/src/secret.rs index 00031b2b28c4..fb4864b87321 100644 --- a/src/tools/genpolicy/src/secret.rs +++ b/src/tools/genpolicy/src/secret.rs @@ -108,10 +108,6 @@ impl yaml::K8sResource for Secret { panic!("Unsupported"); } - fn get_namespace(&self) -> String { - panic!("Unsupported"); - } - fn get_container_mounts_and_storages( &self, _policy_mounts: &mut Vec, diff --git a/src/tools/genpolicy/src/settings.rs b/src/tools/genpolicy/src/settings.rs index 13d10fd06553..3d86971914ad 100644 --- a/src/tools/genpolicy/src/settings.rs +++ b/src/tools/genpolicy/src/settings.rs 
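Review bot: The `if let Some(ns) ... else` block choosing `namespace` is `Option::unwrap_or_else` written out; `let namespace = resource.get_namespace().unwrap_or_else(|| self.settings.cluster_config.default_namespace.clone());` keeps the clone lazy and the intent visible. Worth a comment at the same spot noting that the fallback is a generation-time assumption: a resource whose YAML omits `metadata.namespace` is presumably tied by the generated Policy to `default_namespace`, so applying the output into a different namespace will not match. The enclosing function begins and ends outside the hunk.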
@@ -20,6 +20,7 @@ pub struct Settings { pub other_container: policy::KataSpec, pub volumes: Volumes, pub kata_config: KataConfig, + pub cluster_config: policy::ClusterConfig, pub request_defaults: policy::RequestDefaults, pub common: policy::CommonData, pub mount_destinations: Vec, diff --git a/src/tools/genpolicy/src/stateful_set.rs b/src/tools/genpolicy/src/stateful_set.rs index 43cd1896a998..7b3749bbe81a 100644 --- a/src/tools/genpolicy/src/stateful_set.rs +++ b/src/tools/genpolicy/src/stateful_set.rs @@ -104,7 +104,7 @@ impl yaml::K8sResource for StatefulSet { None } - fn get_namespace(&self) -> String { + fn get_namespace(&self) -> Option { self.metadata.get_namespace() } diff --git a/src/tools/genpolicy/src/yaml.rs b/src/tools/genpolicy/src/yaml.rs index 964560aea7ef..241bdc08b6a5 100644 --- a/src/tools/genpolicy/src/yaml.rs +++ b/src/tools/genpolicy/src/yaml.rs @@ -52,7 +52,9 @@ pub trait K8sResource { fn serialize(&mut self, policy: &str) -> String; fn get_sandbox_name(&self) -> Option; - fn get_namespace(&self) -> String; + fn get_namespace(&self) -> Option { + panic!("Unsupported"); + } fn get_container_mounts_and_storages( &self, From 6c947704a1b60c8c5d2227ee428e680c7784eae4 Mon Sep 17 00:00:00 2001 From: Dan Mihai Date: Tue, 30 Jan 2024 17:24:05 +0000 Subject: [PATCH 07/15] genpolicy: ignore empty YAML as input Kata CI's pod-sandbox-vcpus-allocation.yaml ends with "---", so the empty YAML document following that line should be ignored. To test this fix: genpolicy -u -y pod-sandbox-vcpus-allocation.yaml Fixes: #8895 Signed-off-by: Dan Mihai --- src/tools/genpolicy/src/policy.rs | 43 ++++++++++++++++--------------- 1 file changed, 22 insertions(+), 21 deletions(-) diff --git a/src/tools/genpolicy/src/policy.rs b/src/tools/genpolicy/src/policy.rs index 70ec3a2a9005..2e9978606d2a 100644 --- a/src/tools/genpolicy/src/policy.rs +++ b/src/tools/genpolicy/src/policy.rs 
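Review bot: Turning `get_namespace` into a provided method whose body is `panic!("Unsupported")` moves a compile-time obligation to a runtime one: a future `K8sResource` implementation for a namespaced kind that forgets to override it now compiles and panics on first use, where the old required method would have failed to build. If the default is kept for the resources that have no namespace (ConfigMap, Secret, List, NoPolicyResource), the trait should say so: `/// Namespace from the resource's metadata; the default is for kinds that have none and must be overridden by every Pod-bearing resource.`. The alternative that keeps the compiler's help is to leave the method required and return `None` from the four resources whose explicit `panic!` bodies this commit deletes, if silently yielding no namespace is acceptable for them.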
@@ -386,28 +386,29 @@ impl AgentPolicy { for document in serde_yaml::Deserializer::from_str(&yaml_contents) { let doc_mapping = Value::deserialize(document)?; - let yaml_string = serde_yaml::to_string(&doc_mapping)?; - - let silent = config.silent_unsupported_fields; - let (mut resource, kind) = yaml::new_k8s_resource(&yaml_string, silent)?; - resource.init(config.use_cache, &doc_mapping, silent).await; - - // ConfigMap and Secret documents contain additional input for policy generation. - if kind.eq("ConfigMap") { - let config_map: config_map::ConfigMap = serde_yaml::from_str(&yaml_string)?; - debug!("{:#?}", &config_map); - config_maps.push(config_map); - } else if kind.eq("Secret") { - let secret: secret::Secret = serde_yaml::from_str(&yaml_string)?; - debug!("{:#?}", &secret); - secrets.push(secret); - } + if doc_mapping != Value::Null { + let yaml_string = serde_yaml::to_string(&doc_mapping)?; + let silent = config.silent_unsupported_fields; + let (mut resource, kind) = yaml::new_k8s_resource(&yaml_string, silent)?; + resource.init(config.use_cache, &doc_mapping, silent).await; + + // ConfigMap and Secret documents contain additional input for policy generation. + if kind.eq("ConfigMap") { + let config_map: config_map::ConfigMap = serde_yaml::from_str(&yaml_string)?; + debug!("{:#?}", &config_map); + config_maps.push(config_map); + } else if kind.eq("Secret") { + let secret: secret::Secret = serde_yaml::from_str(&yaml_string)?; + debug!("{:#?}", &secret); + secrets.push(secret); + } - // Although copies of ConfigMap and Secret resources get created above, - // those resources still have to be present in the resources vector, because - // the elements of this vector will eventually be used to create the output - // YAML file. 
- resources.push(resource); + // Although copies of ConfigMap and Secret resources get created above, + // those resources still have to be present in the resources vector, because + // the elements of this vector will eventually be used to create the output + // YAML file. + resources.push(resource); + } } let settings = settings::Settings::new(&config.json_settings_path); From 57aca5b782ee5647392f722120bcca385c00f257 Mon Sep 17 00:00:00 2001 From: Dan Mihai Date: Tue, 6 Feb 2024 00:46:19 +0000 Subject: [PATCH 08/15] genpolicy: mount source for non-confidential guest The emergent Kata CI tests for Policy use confidential_guest = false in genpolicy-settings.json. That value is inconsistent with the following mount settings: "emptyDir": { "mount_type": "local", "mount_source": "^$(cpath)/$(sandbox-id)/local/", "mount_point": "^$(cpath)/$(sandbox-id)/local/", "driver": "local", "source": "local", "fstype": "local", "options": [ "mode=0777" ] }, We need to keep those settings for confidential_guest = true, and change confidential_guest = false to use: "emptyDir": { "mount_type": "local", "mount_source": "^$(cpath)/$(sandbox-id)/rootfs/local/", "mount_point": "^$(cpath)/$(sandbox-id)/local/", "driver": "local", "source": "local", "fstype": "local", "options": [ "mode=0777" ] }, The value of the mount_source field is different. This change unblocks testing using Kata CI's pod-empty-dir.yaml: genpolicy -u -y pod-empty-dir.yaml kubectl apply -f pod-empty-dir.yaml k get pod sharevol-kata NAME READY STATUS RESTARTS AGE sharevol-kata 1/1 Running 0 53s Fixes: #8887 Signed-off-by: Dan Mihai --- src/tools/genpolicy/genpolicy-settings.json | 11 +++++++ src/tools/genpolicy/src/mount_and_storage.rs | 34 ++++++++++++-------- src/tools/genpolicy/src/settings.rs | 1 + 3 files changed, 32 insertions(+), 14 deletions(-) diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json index bc3079c3c2cb..5502db492f8f 100644 
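Review bot: Wrapping the whole loop body in `if doc_mapping != Value::Null { … }` re-indents twenty lines to skip one case; a guard reads better and keeps the diff to the lines that matter: `if doc_mapping == Value::Null { continue; }` right after the `Value::deserialize(document)?` line, with the original body left in place. The comparison itself is fine: the empty document after a trailing `---` is what the commit message targets, and that is what serde_yaml yields as `Value::Null`. A one-line comment on the guard, `// A trailing "---" yields an empty document; there is nothing to generate a policy for.`, would save the next reader the trip to the commit message.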
--- a/src/tools/genpolicy/genpolicy-settings.json +++ b/src/tools/genpolicy/genpolicy-settings.json @@ -136,6 +136,17 @@ }, "volumes": { "emptyDir": { + "mount_type": "local", + "mount_source": "^$(cpath)/$(sandbox-id)/rootfs/local/", + "mount_point": "^$(cpath)/$(sandbox-id)/local/", + "driver": "local", + "source": "local", + "fstype": "local", + "options": [ + "mode=0777" + ] + }, + "confidential_emptyDir": { "mount_type": "local", "mount_source": "^$(cpath)/$(sandbox-id)/local/", "mount_point": "^$(cpath)/$(sandbox-id)/local/", diff --git a/src/tools/genpolicy/src/mount_and_storage.rs b/src/tools/genpolicy/src/mount_and_storage.rs index eda384883383..30717d787f16 100644 --- a/src/tools/genpolicy/src/mount_and_storage.rs +++ b/src/tools/genpolicy/src/mount_and_storage.rs @@ -99,12 +99,24 @@ pub fn get_mount_and_storage( yaml_mount: &pod::VolumeMount, ) { if let Some(emptyDir) = &yaml_volume.emptyDir { - let memory_medium = if let Some(medium) = &emptyDir.medium { - medium == "Memory" - } else { - false - }; - get_empty_dir_mount_and_storage(settings, p_mounts, storages, yaml_mount, memory_medium); + let settings_volumes = &settings.volumes; + let mut volume: Option<&settings::EmptyDirVolume> = None; + + if let Some(medium) = &emptyDir.medium { + if medium == "Memory" { + volume = Some(&settings_volumes.emptyDir_memory); + } + } + + if volume.is_none() { + volume = if settings.kata_config.confidential_guest { + Some(&settings_volumes.confidential_emptyDir) + } else { + Some(&settings_volumes.emptyDir) + } + } + + get_empty_dir_mount_and_storage(settings, p_mounts, storages, yaml_mount, volume.unwrap()); } else if yaml_volume.persistentVolumeClaim.is_some() || yaml_volume.azureFile.is_some() { get_shared_bind_mount(yaml_mount, p_mounts, "rprivate", "rw"); } else if yaml_volume.hostPath.is_some() { 
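Review bot: The `volume` selection in `get_mount_and_storage` builds an `Option` only to `unwrap()` it three statements later; every branch assigns `Some`, so the `Option` and the `is_none()` re-check add a panic path that cannot fire and hide the three-way choice. An `if`/`else if`/`else` expression assigns the reference directly and makes the precedence (Memory medium first, then the confidential/non-confidential split) explicit. The rewrite below assumes `medium` is an `Option<String>`, as the `medium == "Memory"` comparison suggests.
```rust
    if let Some(emptyDir) = &yaml_volume.emptyDir {
        let settings_volumes = &settings.volumes;
        let volume = if emptyDir.medium.as_deref() == Some("Memory") {
            &settings_volumes.emptyDir_memory
        } else if settings.kata_config.confidential_guest {
            &settings_volumes.confidential_emptyDir
        } else {
            &settings_volumes.emptyDir
        };

        get_empty_dir_mount_and_storage(settings, p_mounts, storages, yaml_mount, volume);
    // … unchanged: persistentVolumeClaim / azureFile / hostPath branches …
```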
@@ -125,14 +137,8 @@ fn get_empty_dir_mount_and_storage( p_mounts: &mut Vec, storages: &mut Vec, yaml_mount: &pod::VolumeMount, - memory_medium: bool, + settings_empty_dir: &settings::EmptyDirVolume, ) { - let settings_volumes = &settings.volumes; - let settings_empty_dir = if memory_medium { - &settings_volumes.emptyDir_memory - } else { - &settings_volumes.emptyDir - }; debug!("Settings emptyDir: {:?}", settings_empty_dir); if yaml_mount.subPathExpr.is_none() { @@ -150,7 +156,7 @@ fn get_empty_dir_mount_and_storage( let source = if yaml_mount.subPathExpr.is_some() { let file_name = Path::new(&yaml_mount.mountPath).file_name().unwrap(); let name = OsString::from(file_name).into_string().unwrap(); - format!("{}{name}$", &settings_volumes.configMap.mount_source) + format!("{}{name}$", &settings.volumes.configMap.mount_source) } else { format!("{}{}$", &settings_empty_dir.mount_source, &yaml_mount.name) }; diff --git a/src/tools/genpolicy/src/settings.rs b/src/tools/genpolicy/src/settings.rs index 3d86971914ad..a33eea4927e8 100644 --- a/src/tools/genpolicy/src/settings.rs +++ b/src/tools/genpolicy/src/settings.rs @@ -31,6 +31,7 @@ pub struct Settings { #[derive(Clone, Debug, Serialize, Deserialize)] pub struct Volumes { pub emptyDir: EmptyDirVolume, + pub confidential_emptyDir: EmptyDirVolume, pub emptyDir_memory: EmptyDirVolume, pub configMap: ConfigMapVolume, pub confidential_configMap: ConfigMapVolume, From c7c7a93267359e18db10d605262512fde6e44c7d Mon Sep 17 00:00:00 2001 From: Dan Mihai Date: Wed, 7 Feb 2024 21:50:17 +0000 Subject: [PATCH 09/15] genpolicy: update default values 1. Remove PullImageRequest because that is not used in the main branch. It was used in the CCv0 branch. 2. Add default false values for the remaining Kata Agent ttrpc requests. These changes don't change the functionality of the auto generated Policy, but they help with easier understanding the Policy text and the logging from the Rego rules. Fixes: #9049 
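Review bot: The new `confidential_emptyDir` field in `Volumes` has no doc comment, and because the settings file is JSON the commit message is the only place that records why it exists: the entry differs from `emptyDir` only in `mount_source` (`.../rootfs/local/` for a non-confidential guest versus `.../local/` for a confidential one), and `kata_config.confidential_guest` decides which one applies. Suggest a doc comment on the field such as `/// emptyDir settings used when kata_config.confidential_guest is true; `emptyDir` is used otherwise. The two differ only in mount_source.`, with a matching one-liner on `emptyDir`. The `Volumes` struct continues past the end of the hunk.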
Signed-off-by: Dan Mihai --- src/tools/genpolicy/rules.rego | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego index 450e36f395b9..4bb3ed39c86d 100644 --- a/src/tools/genpolicy/rules.rego +++ b/src/tools/genpolicy/rules.rego @@ -10,6 +10,9 @@ import future.keywords.every import input # Default values, returned by OPA when rules cannot be evaluated to true. +default AddARPNeighborsRequest := false +default AddSwapRequest := false +default CloseStdinRequest := false default CopyFileRequest := false default CreateContainerRequest := false default CreateSandboxRequest := false @@ -17,15 +20,25 @@ default DestroySandboxRequest := true default ExecProcessRequest := false default GetOOMEventRequest := true default GuestDetailsRequest := true +default ListInterfacesRequest := false +default ListRoutesRequest := false +default MemHotplugByProbeRequest := false default OnlineCPUMemRequest := true -default PullImageRequest := true +default PauseContainerRequest := false default ReadStreamRequest := false default RemoveContainerRequest := true default RemoveStaleVirtiofsShareMountsRequest := true +default ReseedRandomDevRequest := false +default ResumeContainerRequest := false +default SetGuestDateTimeRequest := false +default SetPolicyRequest := false default SignalProcessRequest := true default StartContainerRequest := true +default StartTracingRequest := false default StatsContainerRequest := true +default StopTracingRequest := false default TtyWinResizeRequest := true +default UpdateContainerRequest := false default UpdateEphemeralMountsRequest := false default UpdateInterfaceRequest := true default UpdateRoutesRequest := true From 3bea00f9e245764859df6019ed5f92f8c628bd7a Mon Sep 17 00:00:00 2001 
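Review bot: The `default ... := false` lines added to rules.rego carry no comment saying what the value means for a request that reaches the Policy, which is the readability the commit message is after. Suggest extending the existing header comment to `# A "false" default denies the request unless a rule below evaluates to true; a "true" default allows it unconditionally.` Dropping `default PullImageRequest := true` also changes what OPA returns for that query from true to undefined; that looks intentional, but stating it in the comment would stop someone re-adding the permissive default later. The same note covers both hunks of this file in the patch.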
From: Dan Mihai Date: Wed, 7 Feb 2024 21:58:13 +0000 Subject: [PATCH 10/15] genpolicy: add easy way to allow CloseStdinRequest For example, Kata CI's k8s-copy-file.bats transfers files between the Host and the Guest using "kubectl exec", and that results in CloseStdinRequest being called from the Host. Signed-off-by: Dan Mihai --- src/tools/genpolicy/genpolicy-settings.json | 3 ++- src/tools/genpolicy/rules.rego | 4 ++++ src/tools/genpolicy/src/policy.rs | 3 +++ 3 files changed, 9 insertions(+), 1 deletion(-) diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json index 5502db492f8f..02609e80f2c1 100644 --- a/src/tools/genpolicy/genpolicy-settings.json +++ b/src/tools/genpolicy/genpolicy-settings.json @@ -320,6 +320,7 @@ }, "ReadStreamRequest": true, "UpdateEphemeralMountsRequest": false, + "CloseStdinRequest": false, "WriteStreamRequest": false } -} \ No newline at end of file +} diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego index 4bb3ed39c86d..97b210bda138 100644 --- a/src/tools/genpolicy/rules.rego +++ b/src/tools/genpolicy/rules.rego @@ -1200,6 +1200,10 @@ ExecProcessRequest { print("ExecProcessRequest 3: true") } +CloseStdinRequest { + policy_data.request_defaults.CloseStdinRequest == true +} + ReadStreamRequest { policy_data.request_defaults.ReadStreamRequest == true } diff --git a/src/tools/genpolicy/src/policy.rs b/src/tools/genpolicy/src/policy.rs index 2e9978606d2a..912101a96b31 100644 --- a/src/tools/genpolicy/src/policy.rs +++ b/src/tools/genpolicy/src/policy.rs @@ -327,6 +327,9 @@ pub struct RequestDefaults { /// Commands allowed to be executed by the Host in all Guest containers. pub ExecProcessRequest: ExecProcessRequestDefaults, + /// Allow the Host to close stdin for a container. Typically used with WriteStreamRequest. + pub CloseStdinRequest: bool, + /// Allow Host reading from Guest containers stdout and stderr. pub ReadStreamRequest: bool, 
From 8c523b162eeb241a4c76d89a50fef5d2d2f70261 Mon Sep 17 00:00:00 2001 From: Dan Mihai Date: Wed, 7 Feb 2024 22:03:06 +0000 Subject: [PATCH 11/15] genpolicy: improve logging from ExecProcessRequest Additional logging from the ExecProcessRequest rules, for easier debugging. Signed-off-by: Dan Mihai --- src/tools/genpolicy/rules.rego | 1 + 1 file changed, 1 insertion(+) diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego index 97b210bda138..e11a033ee632 100644 --- a/src/tools/genpolicy/rules.rego +++ b/src/tools/genpolicy/rules.rego @@ -1166,6 +1166,7 @@ ExecProcessRequest { print("ExecProcessRequest 3: i_command =", i_command) some p_command in policy_data.request_defaults.ExecProcessRequest.commands + print("ExecProcessRequest 1: p_command =", p_command) p_command == i_command print("ExecProcessRequest 1: true") From be8b0fffd5c04883c4aa00981f488e8cdde81553 Mon Sep 17 00:00:00 2001 From: Dan Mihai Date: Sat, 10 Feb 2024 00:00:38 +0000 Subject: [PATCH 12/15] genpolicy: fix typo in policy logging Improve logging, for easier debugging. Fixes: #9072 Signed-off-by: Dan Mihai --- src/tools/genpolicy/rules.rego | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego index e11a033ee632..f01d8a782a77 100644 --- a/src/tools/genpolicy/rules.rego +++ b/src/tools/genpolicy/rules.rego @@ -1163,7 +1163,7 @@ ExecProcessRequest { print("ExecProcessRequest 1: input =", input) i_command = concat(" ", input.process.Args) - print("ExecProcessRequest 3: i_command =", i_command) + print("ExecProcessRequest 1: i_command =", i_command) some p_command in policy_data.request_defaults.ExecProcessRequest.commands print("ExecProcessRequest 1: p_command =", p_command) From f6fb0e23f64fddd6d860da3741b62a95e867d9d8 Mon Sep 17 00:00:00 2001 
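Review bot: The `print("ExecProcessRequest 1: p_command =", p_command)` added inside `some p_command in policy_data.request_defaults.ExecProcessRequest.commands` emits one line per allowed command for every exec request, because `print` runs for each binding before `p_command == i_command` can fail. `i_command` is already printed once above; printing `p_command` only after the comparison succeeds gives the same diagnostic for the matching case at a fraction of the output, which matters once agent debug logging is enabled in CI. The enclosing rule continues outside the hunk.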
From: Saul Paredes Date: Thu, 22 Feb 2024 17:53:33 -0800 Subject: [PATCH 13/15] genpolicy: panic when we see a volume mount subpath Based on https://github.com/kata-containers/runtime/issues/2812 Fixes: #9145 Signed-off-by: Saul Paredes --- src/tools/genpolicy/src/mount_and_storage.rs | 8 ++++++++ src/tools/genpolicy/src/pod.rs | 3 +++ 2 files changed, 11 insertions(+) diff --git a/src/tools/genpolicy/src/mount_and_storage.rs b/src/tools/genpolicy/src/mount_and_storage.rs index 30717d787f16..48d27a72f15d 100644 --- a/src/tools/genpolicy/src/mount_and_storage.rs +++ b/src/tools/genpolicy/src/mount_and_storage.rs @@ -23,6 +23,14 @@ pub fn get_policy_mounts( yaml_container: &pod::Container, is_pause_container: bool, ) { + if let Some(volumeMounts) = &yaml_container.volumeMounts { + for volumeMount in volumeMounts { + if volumeMount.subPath.is_some() { + panic!("Kata Containers doesn't support volumeMounts.subPath - see https://github.com/kata-containers/runtime/issues/2812"); + } + } + } + let c_settings = settings.get_container_settings(is_pause_container); let settings_mounts = &c_settings.Mounts; let rootfs_access = if yaml_container.read_only_root_filesystem() { diff --git a/src/tools/genpolicy/src/pod.rs b/src/tools/genpolicy/src/pod.rs index ae3fb2ed0a38..e2accc085d2e 100644 --- a/src/tools/genpolicy/src/pod.rs +++ b/src/tools/genpolicy/src/pod.rs @@ -476,6 +476,9 @@ pub struct VolumeMount { #[serde(skip_serializing_if = "Option::is_none")] pub readOnly: Option, + + #[serde(skip_serializing_if = "Option::is_none")] + pub subPath: Option, // TODO: additional fields. } From d59cc4f089681e7453a7b02b0ad615136566437e Mon Sep 17 00:00:00 2001 From: Leonard Cohnen Date: Tue, 5 Mar 2024 18:33:42 +0100 Subject: [PATCH 14/15] genpolicy: add restartPolicy to container struct This adds support for sidecar container introduced in Kubernetes 1.28 Fixes: #9220 Signed-off-by: Leonard Cohnen --- src/tools/genpolicy/src/pod.rs | 3 +++ 1 file changed, 3 insertions(+) 
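Review bot: The new `subPath` check in `get_policy_mounts` panics with a message that does not identify which mount triggered it, so on a Pod with several mounts the user has to search the YAML by hand. Including the mount name costs nothing: `panic!("Kata Containers doesn't support volumeMounts.subPath (volumeMount {:?}) - see https://github.com/kata-containers/runtime/issues/2812", volumeMount.name)`. Failing hard is the right outcome here, since a policy generated while silently ignoring `subPath` would describe a mount the runtime does not set up the same way. The companion `pod.rs` hunk adds the `subPath` field; its type is not visible in this view, and `get_policy_mounts` continues past the end of the hunk.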
diff --git a/src/tools/genpolicy/src/pod.rs b/src/tools/genpolicy/src/pod.rs index e2accc085d2e..e6e8844479b0 100644 --- a/src/tools/genpolicy/src/pod.rs +++ b/src/tools/genpolicy/src/pod.rs @@ -148,6 +148,9 @@ pub struct Container { #[serde(skip_serializing_if = "Option::is_none")] startupProbe: Option, + #[serde(skip_serializing_if = "Option::is_none")] + restartPolicy: Option, + #[serde(skip_serializing_if = "Option::is_none")] pub serviceAccountName: Option, From 33a652efc5954f2c346370b034efae79f9e088e1 Mon Sep 17 00:00:00 2001 From: Dan Mihai Date: Tue, 26 Mar 2024 02:21:26 +0000 Subject: [PATCH 15/15] genpolicy: reduce policy debug prints Kata CI has full debug output enabled for the cbl-mariner k8s tests, and the test AKS node is relatively slow. So debug prints from policy are expensive during CI. Fixes: #9296 Signed-off-by: Dan Mihai --- src/tools/genpolicy/rules.rego | 67 ++++------------------------------ 1 file changed, 7 insertions(+), 60 deletions(-) diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego index f01d8a782a77..a9210efc12cc 100644 --- a/src/tools/genpolicy/rules.rego +++ b/src/tools/genpolicy/rules.rego @@ -553,6 +553,7 @@ allow_env(p_process, i_process, s_name) { print("allow_env: i env =", i_process.Env) every i_var in i_process.Env { + print("allow_env: i_var =", i_var) allow_var(p_process, i_process, i_var, s_name) } 
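Review bot: `restartPolicy` is added to `Container` without a doc comment and is not read anywhere in the hunk, so the reason for parsing it (presumably so the Kubernetes 1.28 sidecar field round-trips through serde instead of being rejected or dropped, as the commit message implies) is not visible in the code. Suggest `/// Kubernetes 1.28+ sidecar restart policy; parsed so the input YAML round-trips, not evaluated by the policy.` on the field. Whether a sidecar with `restartPolicy: Always` needs different treatment from a plain init container when the policy is generated is worth confirming; nothing in the hunk suggests it is handled. The field's type is not visible here, and `Container` continues past the end of the hunk.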
@@ -561,22 +562,17 @@ allow_env(p_process, i_process, s_name) { # Allow input env variables that are present in the policy data too. allow_var(p_process, i_process, i_var, s_name) { - print("allow_var 1: i_var =", i_var) - some p_var in p_process.Env p_var == i_var - print("allow_var 1: true") } # Match input with one of the policy variables, after substituting $(sandbox-name). allow_var(p_process, i_process, i_var, s_name) { - print("allow_var 2: i_var =", i_var) - some p_var in p_process.Env p_var2 := replace(p_var, "$(sandbox-name)", s_name) - print("allow_var 2: p_var2 =", p_var2) + print("allow_var 2: p_var2 =", p_var2) p_var2 == i_var print("allow_var 2: true") @@ -584,24 +580,13 @@ allow_var(p_process, i_process, i_var, s_name) { # Allow input env variables that match with a request_defaults regex. allow_var(p_process, i_process, i_var, s_name) { - print("allow_var 3: start") - some p_regex1 in policy_data.request_defaults.CreateContainerRequest.allow_env_regex - print("allow_var 3: p_regex1 =", p_regex1) - p_regex2 := replace(p_regex1, "$(ipv4_a)", policy_data.common.ipv4_a) - print("allow_var 3: p_regex2 =", p_regex2) - p_regex3 := replace(p_regex2, "$(ip_p)", policy_data.common.ip_p) - print("allow_var 3: p_regex3 =", p_regex3) - p_regex4 := replace(p_regex3, "$(svc_name)", policy_data.common.svc_name) - print("allow_var 3: p_regex4 =", p_regex4) - p_regex5 := replace(p_regex4, "$(dns_label)", policy_data.common.dns_label) - print("allow_var 3: p_regex5 =", p_regex5) - print("allow_var 3: i_var =", i_var) + print("allow_var 3: p_regex5 =", p_regex5) regex.match(p_regex5, i_var) print("allow_var 3: true") @@ -609,8 +594,6 @@ allow_var(p_process, i_process, i_var, s_name) { # Allow fieldRef "fieldPath: status.podIP" values. allow_var(p_process, i_process, i_var, s_name) { - print("allow_var 4: i_var =", i_var) - name_value := split(i_var, "=") count(name_value) == 2 is_ip(name_value[1]) 
@@ -623,8 +606,6 @@ allow_var(p_process, i_process, i_var, s_name) { # Allow common fieldRef variables. allow_var(p_process, i_process, i_var, s_name) { - print("allow_var 5: i_var =", i_var) - name_value := split(i_var, "=") count(name_value) == 2 @@ -644,8 +625,6 @@ allow_var(p_process, i_process, i_var, s_name) { # Allow fieldRef "fieldPath: status.hostIP" values. allow_var(p_process, i_process, i_var, s_name) { - print("allow_var 6: i_var =", i_var) - name_value := split(i_var, "=") count(name_value) == 2 is_ip(name_value[1]) @@ -658,8 +637,6 @@ allow_var(p_process, i_process, i_var, s_name) { # Allow resourceFieldRef values (e.g., "limits.cpu"). allow_var(p_process, i_process, i_var, s_name) { - print("allow_var 7: i_var =", i_var) - name_value := split(i_var, "=") count(name_value) == 2 @@ -740,9 +717,10 @@ allow_root_path(p_oci, i_oci, bundle_id) { # device mounts allow_mount(p_oci, i_mount, bundle_id, sandbox_id) { - print("allow_mount: start") + print("allow_mount: i_mount =", i_mount) some p_mount in p_oci.Mounts + print("allow_mount: p_mount =", p_mount) check_mount(p_mount, i_mount, bundle_id, sandbox_id) # TODO: are there any other required policy checks for mounts - e.g., @@ -752,22 +730,12 @@ allow_mount(p_oci, i_mount, bundle_id, sandbox_id) { } check_mount(p_mount, i_mount, bundle_id, sandbox_id) { - print("check_mount 1: p_mount =", p_mount) - print("check_mount 1: i_mount =", i_mount) - p_mount == i_mount - print("check_mount 1: true") } check_mount(p_mount, i_mount, bundle_id, sandbox_id) { - print("check_mount 2: i destination =", i_mount.destination, "p destination =", p_mount.destination) p_mount.destination == i_mount.destination - - print("check_mount 2: i type =", i_mount.type_, "p type =", p_mount.type_) p_mount.type_ == i_mount.type_ - - print("check_mount 2: i options =", i_mount.options) - print("check_mount 2: p options =", p_mount.options) p_mount.options == i_mount.options mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) 
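Review bot: In the `allow_mount` hunk, `print("allow_mount: p_mount =", p_mount)` sits after `some p_mount in p_oci.Mounts`, so it fires once per policy mount for every input mount checked, which is the per-binding print volume the rest of this commit removes. Printing `i_mount` once (the line above already does) and leaving the per-candidate detail out keeps the rejection diagnosable without the multiplicative output; if the extra line is deliberate, a short comment saying so would stop the next cleanup from removing it. The `check_mount` hunk that follows removes the per-comparison prints that previously supplied this detail. `allow_mount` continues past the end of the hunk.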
@@ -776,39 +744,23 @@ check_mount(p_mount, i_mount, bundle_id, sandbox_id) { } mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) { - print("mount_source_allows 1: i_mount.source =", i_mount.source) - regex1 := p_mount.source - print("mount_source_allows 1: regex1 =", regex1) - regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix) - print("mount_source_allows 1: regex2 =", regex2) - regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath) - print("mount_source_allows 1: regex3 =", regex3) - regex4 := replace(regex3, "$(bundle-id)", bundle_id) - print("mount_source_allows 1: regex4 =", regex4) + print("mount_source_allows 1: regex4 =", regex4) regex.match(regex4, i_mount.source) print("mount_source_allows 1: true") } mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) { - print("mount_source_allows 2: i_mount.source=", i_mount.source) - regex1 := p_mount.source - print("mount_source_allows 2: regex1 =", regex1) - regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix) - print("mount_source_allows 2: regex2 =", regex2) - regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath) - print("mount_source_allows 2: regex3 =", regex3) - regex4 := replace(regex3, "$(sandbox-id)", sandbox_id) - print("mount_source_allows 2: regex4 =", regex4) + print("mount_source_allows 2: regex4 =", regex4) regex.match(regex4, i_mount.source) print("mount_source_allows 2: true") @@ -955,7 +907,6 @@ allow_overlay_layer(policy_id, policy_hash, i_option) { } allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { - print("allow_mount_point 1: i_storage.mount_point =", i_storage.mount_point) p_storage.fstype == "tar" startswith(p_storage.mount_point, "$(layer") 
@@ -977,7 +928,6 @@ allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { print("allow_mount_point 1: true") } allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { - print("allow_mount_point 2: i_storage.mount_point =", i_storage.mount_point) p_storage.fstype == "fuse3.kata-overlay" mount1 := replace(p_storage.mount_point, "$(cpath)", policy_data.common.cpath) @@ -989,7 +939,6 @@ allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { print("allow_mount_point 2: true") } allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { - print("allow_mount_point 3: i_storage.mount_point =", i_storage.mount_point) p_storage.fstype == "local" mount1 := p_storage.mount_point @@ -1006,7 +955,6 @@ allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { print("allow_mount_point 3: true") } allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { - print("allow_mount_point 4: i_storage.mount_point =", i_storage.mount_point) p_storage.fstype == "bind" mount1 := p_storage.mount_point @@ -1023,7 +971,6 @@ allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { print("allow_mount_point 4: true") } allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { - print("allow_mount_point 5: i_storage.mount_point =", i_storage.mount_point) p_storage.fstype == "tmpfs" mount1 := p_storage.mount_point