Conversation

@Redent0r Redent0r commented Apr 9, 2024

Merge Checklist
  • Followed patch format from upstream recommendation: https://github.com/kata-containers/community/blob/main/CONTRIBUTING.md#patch-format
    • Included a single commit in a given PR - at least unless there are related commits and each makes sense as a change on its own.
  • Aware about the PR to be merged using "create a merge commit" rather than "squash and merge" (or similar)
  • genPolicy only: Ensured the tool still builds on Windows
  • genPolicy only: Updated sample YAMLs' policy annotations, if applicable
  • The upstream-missing label (or upstream-not-needed) has been set on the PR.
Summary

genpolicy sync with upstream [1/3]

Test Methodology

https://dev.azure.com/mariner-org/mariner/_build/results?buildId=547078&view=ms.vss-test-web.build-test-results-tab [pass]

Add metadata containing the Policy annotation if the user didn't
provide any metadata in the input yaml file.

For a simple sanity test using a Kata CI YAML file:

genpolicy -u -y job.yaml

kubectl apply -f job.yaml

kubectl get pods | grep job
job-pi-test-64dxs 0/1     Completed   0          14s

Fixes: kata-containers#8891

Signed-off-by: Dan Mihai <[email protected]>
Validating the node name is currently outside the scope of the CoCo
policy.

This change unblocks testing using Kata CI's test-pod-file-volume.yaml
and pv-pod.yaml.

Fixes: kata-containers#8888

Signed-off-by: Dan Mihai <[email protected]>
},
"kata_config": {
"confidential_guest": false
"confidential_guest": true
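Review bot: the flip of `"confidential_guest"` from `false` to `true` comes with no explanation in the commit message of why this fork's default differs from upstream, and an undocumented divergence in the default settings is exactly what gets lost on the next sync. Record the reason in the commit message, and since the comment below proposes removing the second part of 3cc0745 instead of adding this commit, state which of the two approaches was taken so the next sync can tell whether the fork-only override is still needed.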

Given that 3cc0745 breaks the functionality of the MSFT fork, I would remove the second part of 3cc0745 (including its second commit comment) instead of adding d2df449.

But, it's OK with me in case you prefer to keep this additional commit.

@Redent0r Redent0r force-pushed the saulparedes/genpolicy_sync_1 branch from d2df449 to 152db54 April 9, 2024 16:28
Allow Kata CI's pod-nested-configmap-secret.yaml to work with
genpolicy and current cbl-mariner images:

1. Ignore the optional type field of Secret input YAML files.

   It's possible that CoCo will need a more sophisticated Policy
   for Secrets, but this change at least unblocks CI testing for
   already-existing genpolicy features.

Simple sanity testing for these changes:

genpolicy -u -y pod-nested-configmap-secret.yaml

kubectl apply -f pod-nested-configmap-secret.yaml

kubectl get pods | grep config
nested-configmap-secret-pod 1/1     Running   0          26s

Fixes: kata-containers#8892

Signed-off-by: Dan Mihai <[email protected]>
The auto-generated Policy already allows these volumes to be mounted,
regardless of whether they are:
- Present, or
- Missing and optional

Fixes: kata-containers#8893

Signed-off-by: Dan Mihai <[email protected]>
@Redent0r Redent0r force-pushed the saulparedes/genpolicy_sync_1 branch from 152db54 to a3d481f April 9, 2024 16:41
@Redent0r Redent0r added the upstream/not-needed PRs that will not be upstreamed (e.g. internal) label Apr 9, 2024
@Redent0r Redent0r changed the title Saulparedes/genpolicy sync [1/3] genpolicy sync with upstream [1/3] Apr 9, 2024
@Redent0r Redent0r marked this pull request as ready for review April 9, 2024 17:07
@Redent0r Redent0r requested review from a team as code owners April 9, 2024 17:07
Redent0r commented Apr 9, 2024

Good for merge once required checks pass

@Redent0r Redent0r merged commit 04bdb2f into msft-main Apr 9, 2024
@Redent0r Redent0r deleted the saulparedes/genpolicy_sync_1 branch April 9, 2024 19:26