genpolicy: Refactor tests to add different request types in testcases json #335
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
samples: introduce incomplete_init category
Cherry-pick upstream PR kata-containers#9825: osbuilder: allow rootfs builds w/o git or version file deps
- Support for Mariner 3 builds using OS_VERSION variable - Improvements to IGVM build process and flow as described in README - Adoption of using only cloud-hypervisor-cvm on CBL-Mariner Signed-off-by: Manuel Huber <[email protected]>
tools: Improve igvm-builder and node-builder/azure-linux scripting
At the moment, we have circular dependencies between tardev-snapshotter.service and containerd.service. Specifically, containerd.service needs tardev-snapshotter.service to run any CC pods, while tardev-snapshotter.service needs containerd.service to download image layers. This dependency will be eliminated once we switch to using remote-snapshotter. Currently, tardev-snapshotter.service's binding to containerd.service gets delayed, and we won't be able to run any CC pods until the boot process is completed. It doesn't matter which service starts first. Based on the current logic, it makes more sense to use WantedBy=kubelet.service in tardev-snapshotter.service, as we won't be able to start any CC pods without kubelet. In the future, once tardev-snapshotter becomes a remote snapshotter again, it will make more sense to use WantedBy=containerd.service. Signed-off-by: Mitch Zhu <[email protected]>
tardev: update tardev-snapshotter.service
Use container image sources from ACR/MCR. Signed-off-by: Manuel Huber <[email protected]>
samples: reduce dependencies to docker hub
1. Use the new value of AllowRequestsFailingPolicy after setting up a new Policy. Before this change, the only way to enable AllowRequestsFailingPolicy was to change the default Policy file, built into the Guest rootfs image. 2. Ignore errors returned by regorus while evaluating Policy rules, if AllowRequestsFailingPolicy was enabled. For example, trying to evaluate the UpdateInterfaceRequest rules using a policy that didn't define any UpdateInterfaceRequest rules results in a "not found" error from regorus. Allow AllowRequestsFailingPolicy := true to bypass that error. 3. Add simple CI test for AllowRequestsFailingPolicy. These changes are restoring functionality that was broken recently by commmit 11f78ae. Signed-off-by: Dan Mihai <[email protected]>
agent: fix the AllowRequestsFailingPolicy functionality
This adds a public guide on how to install and test the new storage CSI drivers for AKS confidential pods. Signed-off-by: Aurélien Bombo <[email protected]>
docs: add guide to install new CSI drivers
Add support for cron jobs Signed-off-by: Saul Paredes <[email protected]>
Use up-to-date AzL references Signed-off-by: Manuel Huber <[email protected]>
samples: update image references
genpolicy: add support for cron jobs
Reject CreateContainerRequest field values that are not tested by
Kata CI and that might impact the confidentiality of CoCo Guests.
This change uses a "better safe than sorry" approach to untested
fields. It is very possible that in the future we'll encounter
reasonable use cases that will either:
- Show that some of these fields are benign and don't have to be
verified by Policy, or
- Show that Policy should verify legitimate values of these fields
These are the new CreateContainerRequest Policy rules:
count(input.shared_mounts) == 0
is_null(input.string_user)
i_oci := input.OCI
is_null(i_oci.Hooks)
is_null(i_oci.Linux.Seccomp)
is_null(i_oci.Solaris)
is_null(i_oci.Windows)
i_linux := i_oci.Linux
count(i_linux.GIDMappings) == 0
count(i_linux.MountLabel) == 0
count(i_linux.Resources.Devices) == 0
count(i_linux.RootfsPropagation) == 0
count(i_linux.UIDMappings) == 0
is_null(i_linux.IntelRdt)
is_null(i_linux.Resources.BlockIO)
is_null(i_linux.Resources.Network)
is_null(i_linux.Resources.Pids)
is_null(i_linux.Seccomp)
i_linux.Sysctl == {}
i_process := i_oci.Process
count(i_process.SelinuxLabel) == 0
count(i_process.User.Username) == 0
Signed-off-by: Dan Mihai <[email protected]>
Update annotations after reject untested CreateContainer field values Signed-off-by: Saul Paredes <[email protected]>
genpolicy: reject untested CreateContainer field values
This is a more stable tag. Previous tag got updated yesterday and requires to update the annotation. Signed-off-by: Saul Paredes <[email protected]>
samples: update ubuntu sample to use 18.04
Bump release version to 3.2.0-azl1.genpolicy1 Signed-off-by: Saul Paredes <[email protected]>
chore: bump release version
- Add script to install kata-containers(-cc)-tools bits - Minor improvements in README.md - Minor fix in package_install - Remove echo outputs in package_build Signed-off-by: Manuel Huber <[email protected]>
tools: Add package-tools-install functionality
- Allow setting SVN parameter for IGVM build scripting Signed-off-by: Manuel Huber <[email protected]>
tools: Enable setting IGVM SVN
This lets developers build and deploy Kata in debug mode without having to make manual edits to the build scripts. With BUILD_TYPE=debug (default is release): * The agent is built in debug mode. * The agent is built with a permissive policy (using allow-all.rego). * The shim debug config file is used, ie. we create the symlink configuration-clh-snp-debug.toml <- configuration-clh-snp.toml. For example, building and deploying Kata-CC in debug mode is now as simple as: make BUILD_TYPE=debug all-confpods deploy-confpods Also do note that make still lets you override the other variables even after setting BUILD_TYPE. For example, you can use the production shim config with BUILD_TYPE=debug: make BUILD_TYPE=debug SHIM_USE_DEBUG_CONFIG=no all-confpods deploy-confpods Signed-off-by: Aurélien Bombo <[email protected]>
node-builder: introduce BUILD_TYPE variable
Update samples that use image: "mcr.microsoft.com/azurelinux/base/nginx:1.25". Looks like this image tag was updated in mcr on 8/27/2024. Signed-off-by: Saul Paredes <[email protected]>
Sumynwa
force-pushed
the
sumsharma/genpolicy_tests
branch
from
790e195 to
5ce3cdf
Compare
Redent0r
approved these changes
Mar 20, 2025
Camelron
reviewed
Mar 21, 2025
Camelron
approved these changes
Mar 21, 2025
manuelh-dev
suggested changes
Mar 21, 2025
Camelron
reviewed
Mar 21, 2025
We can upstream it. I'd say there's 2 parts:
I'd say let's try to upstream this first, at @Sumynwa 's convenience |
Sounds good, in the meantime, assumption is that Sumynwa can use this commit to facilitate testing of his implementation work w/o too much pain? |
|
Thanks. |
Use "cargo build --release" when BUILD_TYPE was not specified, or when BUILD_TYPE=release. The default "cargo build" behavior is to build in debug mode. Signed-off-by: Dan Mihai <[email protected]>
genpolicy: add support for BUILD_TYPE=debug
|
Merged upstream kata-containers#11074 ! @Sumynwa if it makes sense to you, I would adapt this PR to just cherry pick the refactoring changes, and keep the added test cases in your hardening feature branch for now |
Redent0r
added
upstream/merged
4 tasks
Sumynwa
force-pushed
the
sumsharma/genpolicy_tests
branch
from
5ce3cdf to
61afc56
Compare
|
Modified PR changes to cherry pick only the up-streamed changes. @Redent0r |
Sumynwa
changed the title
Sumynwa
force-pushed
the
sumsharma/genpolicy_tests
branch
2 times, most recently
from
131c2b8 to
82ab894
Compare
… json Cherry-pick upstream changes in PR kata-containers#11074 to add test data for multiple request type in a single testcases.json file. This allows for stateful testing, for ex: enable testing ExecProcessRequest using policy state set after testing a CreateContainerRequest. Signed-off-by: Sumedh Sharma <[email protected]>
Sumynwa
force-pushed
the
sumsharma/genpolicy_tests
branch
from
82ab894 to
a42f0ab
Compare
|
I vote for holding on with merging this PR into our fork and instead prioritizing upstreaming policy: improve args and env variables validation by Redent0r · Pull Request #308 · microsoft/kata-containers and along with this, adding the changes of this downstream PR. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Merge Checklist
upstream/missinglabel (orupstream/not-needed) has been set on the PR.Summary
This commit introduces changes to add different request types in a single testcases.json file. This allows for testing request types, ex: ExecProcessRequest which depends on state from evaluation of CreateContainerRequest.
The changes include:
Test Methodology
Local tests using
cargo test