35 changes: 29 additions & 6 deletions src/agent/src/policy.rs
@@ -152,11 +152,7 @@ impl AgentPolicy {
}

self.engine.add_policy_from_file(default_policy_file)?;
self.engine.set_input_json("{}")?;
self.allow_failures = match self.allow_request("AllowRequestsFailingPolicy", "{}").await {
Ok((allowed, _prints)) => allowed,
Err(_) => false,
};
self.update_allow_failures_flag().await?;
Ok(())
}

@@ -168,8 +164,18 @@ impl AgentPolicy {
let query = format!("data.agent_policy.{ep}");
self.engine.set_input_json(ep_input)?;

let mut allow = self.engine.eval_bool_query(query, false)?;
let mut allow = match self.engine.eval_bool_query(query, false) {
Ok(a) => a,
Err(e) => {
if !self.allow_failures {
return Err(e);
}
false
}
};

if !allow && self.allow_failures {
warn!(sl!(), "policy: ignoring error for {ep}");
allow = true;
}

@@ -187,6 +193,7 @@ impl AgentPolicy {
self.engine = Self::new_engine();
self.engine
.add_policy("agent_policy".to_string(), policy.to_string())?;
self.update_allow_failures_flag().await?;
Ok(())
}

@@ -213,6 +220,22 @@ impl AgentPolicy {
}
}
}

async fn update_allow_failures_flag(&mut self) -> Result<()> {
self.allow_failures = match self.allow_request("AllowRequestsFailingPolicy", "{}").await {
Ok((allowed, _prints)) => {
if allowed {
warn!(
sl!(),
"policy: AllowRequestsFailingPolicy is enabled - will ignore errors"
);
}
allowed
}
Err(_) => false,
};
Ok(())
}
}

pub fn check_policy_hash(policy: &str) -> Result<()> {
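Review bot: `update_allow_failures_flag` evaluates `AllowRequestsFailingPolicy` through `allow_request` while `self.allow_failures` still holds the value left by the previous policy, so the flag looks sticky: with it already true, a `false` or failed evaluation is turned into `allow = true` by the fail-open branch in `allow_request`, and the flag is set to true again. On the `set_policy` path this would mean that replacing a debugging policy with a strict one leaves the agent ignoring policy failures. Resetting the flag first, `self.allow_failures = false;` as the first statement of `update_allow_failures_flag`, makes the result depend only on the policy just loaded. This assumes `allow_request` returns the `allow` value computed in the hunk; its body starts and ends outside the visible lines.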
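--- a/tests/integration/kubernetes/k8s-exec-rejected.bats
+++ b/tests/integration/kubernetes/k8s-exec-rejected.bats
@@ -31,6 +31,28 @@ setup() {
 kubectl exec "$pod_name" -- date 2>&1 | grep "ExecProcessRequest is blocked by policy"
 }
 
+@test "AllowRequestsFailingPolicy := true" {
+# Add to the YAML file a policy using just AllowRequestsFailingPolicy := true. Evaluating the rules
+# for any Kata Agent request will return false, but AllowRequestsFailingPolicy := true will allow
+# those request to be executed.
+#
+# Warning: this is an insecure policy that shouldn't be used when protecting the confidentiality
+# of a pod is important. However, this policy could be useful while debugging a pod.
+policy_text=$(printf "package agent_policy\ndefault AllowRequestsFailingPolicy := true")
+policy_base64=$(echo "${policy_text}" | base64 -w 0 -)
+
+yq -i \
+".metadata.annotations.\"io.katacontainers.config.agent.policy\" = \"${policy_base64}\"" \
+"${pod_yaml}"
+
+# Create the pod
+kubectl create -f "${pod_yaml}"
+
+# Wait for pod to start
+echo "timeout=${timeout}"
+kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name"
+}
+
 teardown() {
 # Debugging information
 kubectl describe "pod/$pod_name"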
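Review bot: The new `AllowRequestsFailingPolicy := true` test stops once the pod is Ready and never issues a request after startup, so it does not show that the `ExecProcessRequest` the preceding test sees blocked is let through under this policy. Adding `kubectl exec "$pod_name" -- date` after the `kubectl wait` line would pin that behaviour. `--timeout=$timeout` is also unquoted, unlike `"${pod_yaml}"` a few lines above; `--timeout="${timeout}"` would match.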