kata: support large ConfigMaps

edgelesssys · Dec 13, 2024 · 0ccbff1 · 0ccbff1
1 parent 8b6d35c
commit 0ccbff1
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 0 deletions.
diff --git a/packages/by-name/kata/kata-runtime/0019-genpolicy-allow-non-watchable-ConfigMaps.patch b/packages/by-name/kata/kata-runtime/0019-genpolicy-allow-non-watchable-ConfigMaps.patch
@@ -0,0 +1,35 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Markus Rudy <[email protected]>
+Date: Thu, 21 Nov 2024 19:54:09 +0100
+Subject: [PATCH] genpolicy: allow non-watchable ConfigMaps
+
+If a ConfigMap has more than 8 files it will not be mounted watchable
+[1]. However, genpolicy assumes that ConfigMaps are always mounted at a
+watchable path, so containers with large ConfigMap mounts fail
+verification.
+
+This commit allows mounting ConfigMaps from watchable and non-watchable
+directories. ConfigMap mounts can't be meaningfully verified anyway, so
+the exact location of the data does not matter, except that we stay in
+the sandbox data dirs.
+
+[1]: https://github.com/kata-containers/kata-containers/blob/0ce3f5fc6fd86c53d8b5e197d12887b712ce57d4/docs/design/inotify.md?plain=1#L11-L21
+
+Signed-off-by: Markus Rudy <[email protected]>
+---
+ src/tools/genpolicy/genpolicy-settings.json | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json
+index ef20413eacc029d4fcb0b1d2f538a13314a25670..a218a4d9c4717e4dd2abdc3fd4b0d1a6d8171661 100644
+--- a/src/tools/genpolicy/genpolicy-settings.json
++++ b/src/tools/genpolicy/genpolicy-settings.json
+@@ -179,7 +179,7 @@
+         "configMap": {
+             "mount_type": "bind",
+             "mount_source": "$(sfprefix)",
+-            "mount_point": "^$(cpath)/watchable/$(bundle-id)-[a-z0-9]{16}-",
++            "mount_point": "^$(cpath)/(watchable/)?$(bundle-id)-[a-z0-9]{16}-",
+             "driver": "watchable-bind",
+             "fstype": "bind",
+             "options": [
diff --git a/packages/by-name/kata/kata-runtime/package.nix b/packages/by-name/kata/kata-runtime/package.nix
@@ -107,6 +107,13 @@ buildGoModule rec {
       # This avoids printing the entire annotation on log level debug, which resulted in errors of the logtranslator.go
       # TODO(jmxnzo): remove when upstream patch is merged: https://github.com/kata-containers/kata-containers/pull/10647
       ./0018-genpolicy-do-not-log-policy-annotation-in-debug.patch
+
+      # Fixes a bug with ConfigMaps exceeding 8 entries, see description.
+      # The situation upstream is complicated, because the paths relevant for genpolicy differ
+      # between different CI systems and TEE configurations. This makes it hard to reproduce in a
+      # vanilla Kata setting.
+      # Relevant discussion: https://github.com/kata-containers/kata-containers/pull/10614.
+      ./0019-genpolicy-allow-non-watchable-ConfigMaps.patch
     ];
   };