microsoft · Redent0r · Mar 18, 2025 · Mar 10, 2025 · Mar 17, 2025 · Mar 17, 2025
@@ -21,6 +21,7 @@ clap = { version = "4.1.8", features = ["derive"] }
 # YAML file serialization/deserialization.
 base64 = "0.21.0"
 serde = { version = "1.0.159", features = ["derive"] }
+regex = "1.10.5"
 
 # Newer serde_yaml versions are using unsafe-libyaml instead of yaml-rust,
 # and incorrectly change on serialization:
@@ -51,8 +52,6 @@ tokio = {version = "1.33.0", features = ["rt-multi-thread"]}
 # OCI container specs.
 oci = { path = "../../libs/oci" }
 
-# Kata Agent protocol.
-protocols = { path = "../../libs/protocols", features = ["with-serde"] }
 
 # dm-verity root hash support
 generic-array = "0.14.6"
@@ -70,3 +69,5 @@ containerd-client = "0.4.0"
 [dev-dependencies]
 kata-agent-policy = { path = "../../agent/policy" }
 slog = "2.5.2"
+# Kata Agent protocol.
+protocols = { path = "../../libs/protocols", features = ["with-serde"] }
@@ -462,19 +462,10 @@ allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, s_name, s_namespace)
 }
 
 allow_sandbox_name(p_s_name, i_s_name) {
-    print("allow_sandbox_name 1: start")
+    print("allow_sandbox_name: start")
+    regex.match(p_s_name, i_s_name)
 
-    p_s_name == i_s_name
-
-    print("allow_sandbox_name 1: true")
-}
-allow_sandbox_name(p_s_name, i_s_name) {
-    print("allow_sandbox_name 2: start")
-
-    # TODO: should generated names be handled differently?
-    contains(p_s_name, "$(generated-name)")
-
-    print("allow_sandbox_name 2: true")
+    print("allow_sandbox_name: true")
 }
 
 # Check that the "io.kubernetes.cri.container-type" and
@@ -889,10 +880,18 @@ allow_var(p_process, i_process, i_var, s_name, s_namespace) {
 # Match input with one of the policy variables, after substituting $(sandbox-name).
 allow_var(p_process, i_process, i_var, s_name, s_namespace) {
     some p_var in p_process.Env
-    p_var2 := replace(p_var, "$(sandbox-name)", s_name)
+    print("allow_var 2: p_var =", p_var)
 
-    print("allow_var 2: p_var2 =", p_var2)
-    p_var2 == i_var
+    p_var_split := split(p_var, "=")
+    count(p_var_split) == 2
+
+    p_var_split[1] == "$(sandbox-name)"
+
+    i_var_split := split(i_var, "=")
+    count(i_var_split) == 2
+
+    i_var_split[0] == p_var_split[0]
+    regex.match(s_name, i_var_split[1])
 
     print("allow_var 2: true")
 }

@@ -34,9 +34,10 @@ pub struct ObjectMeta {
 impl ObjectMeta {
     pub fn get_name(&self) -> String {
         if let Some(name) = &self.name {
-            name.clone()
-        } else if self.generateName.is_some() {
-            "$(generated-name)".to_string()
+            format!("^{}$", regex::escape(name))
+        } else if let Some(generateName) = &self.generateName {
+            // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#dns-subdomain-names
+            format!("^{}[a-z0-9.-]*[a-z0-9]$", regex::escape(generateName))
         } else {
             String::new()
         }

@@ -166,4 +166,9 @@ mod tests {
     async fn test_basic_create_container() {
         runtests::<PolicyCreateContainerRequest>("createContainer/basic").await;
     }
+
+    #[tokio::test]
+    async fn test_create_container_generate_name() {
+        runtests::<PolicyCreateContainerRequest>("createcontainer/generate_name").await;
+    }
 }
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  generateName: dummy
+spec:
+  runtimeClassName: kata-cc
+  containers:
+    - name: dummy
+      image: "registry.k8s.io/pause:3.6@sha256:3d380ca8864549e74af4b29c10f9cb0956236dfb01c40ca076fb6c37253234db"