From 49f53d3dc9a104d643dbf84df9dc4f11b901bb82 Mon Sep 17 00:00:00 2001 From: miampf Date: Thu, 14 Nov 2024 12:55:18 +0100 Subject: [PATCH] add genpolicy patch --- ...dd-rules-and-types-for-volumeDevices.patch | 19 +- ...ility-to-filter-for-runtimeClassName.patch | 23 +- ...cy-allow-specifying-layer-cache-file.patch | 13 +- ...check-contrast-specific-layer-src-pr.patch | 9 +- ...opagate-mount_options-for-empty-dirs.patch | 9 +- ...rt-HostToContainer-mount-propagation.patch | 9 +- ...t-for-VOLUME-definition-in-container.patch | 641 ++++++++++++++++++ .../by-name/microsoft/genpolicy/package.nix | 4 + 8 files changed, 677 insertions(+), 50 deletions(-) create mode 100644 packages/by-name/microsoft/genpolicy/0007-genpolicy-support-for-VOLUME-definition-in-container.patch diff --git a/packages/by-name/microsoft/genpolicy/0001-genpolicy-add-rules-and-types-for-volumeDevices.patch b/packages/by-name/microsoft/genpolicy/0001-genpolicy-add-rules-and-types-for-volumeDevices.patch index a4e909b7b0..9cafb0e877 100644 --- a/packages/by-name/microsoft/genpolicy/0001-genpolicy-add-rules-and-types-for-volumeDevices.patch +++ b/packages/by-name/microsoft/genpolicy/0001-genpolicy-add-rules-and-types-for-volumeDevices.patch @@ -1,7 +1,7 @@ -From 41f26a5803fa50abf3bd0d6cfebc8106ae9dcbc8 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Markus Rudy Date: Thu, 23 May 2024 09:20:20 +0200 -Subject: [PATCH 1/6] genpolicy: add rules and types for volumeDevices +Subject: [PATCH] genpolicy: add rules and types for volumeDevices Signed-off-by: Markus Rudy --- @@ -14,7 +14,7 @@ Signed-off-by: Markus Rudy 6 files changed, 85 insertions(+) diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego -index c3eb33461..25c16bada 100644 +index c3eb334612fc0ff05c49031e7b305fd10297896a..25c16badaddea436539c9ec8b8bd210461cda615 100644 --- a/src/tools/genpolicy/rules.rego +++ b/src/tools/genpolicy/rules.rego 
@@ -54,6 +54,7 @@ default AllowRequestsFailingPolicy := false @@ -75,7 +75,7 @@ index c3eb33461..25c16bada 100644 # and io.kubernetes.cri.sandbox-id" values with other fields. allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) { diff --git a/src/tools/genpolicy/src/agent.rs b/src/tools/genpolicy/src/agent.rs -index 19a934d81..f3f398b0e 100644 +index 19a934d81995ece42a148e733b41e96474921b3a..f3f398b0ee052ba02a3b5ecae884fed646b38cc3 100644 --- a/src/tools/genpolicy/src/agent.rs +++ b/src/tools/genpolicy/src/agent.rs @@ -16,3 +16,12 @@ pub struct SerializedFsGroup { @@ -92,7 +92,7 @@ index 19a934d81..f3f398b0e 100644 + pub options: Vec, +} diff --git a/src/tools/genpolicy/src/containerd.rs b/src/tools/genpolicy/src/containerd.rs -index 2b826a51a..075fced5b 100644 +index 2b826a51a4f587e2ca45f0b304b0eed29046b104..075fced5bfec11b27e529f0b1d2dba5e6271ba82 100644 --- a/src/tools/genpolicy/src/containerd.rs +++ b/src/tools/genpolicy/src/containerd.rs @@ -152,12 +152,14 @@ pub fn get_linux(privileged_container: bool) -> policy::KataLinux { @@ -111,7 +111,7 @@ index 2b826a51a..075fced5b 100644 } } diff --git a/src/tools/genpolicy/src/pod.rs b/src/tools/genpolicy/src/pod.rs -index 2ea8fdb9b..da2a47ee2 100644 +index 2ea8fdb9be848c8c00f634ec813475ebaf3d55bb..da2a47ee2d6affc43dc9246670675e3367d73bfe 100644 --- a/src/tools/genpolicy/src/pod.rs +++ b/src/tools/genpolicy/src/pod.rs @@ -120,6 +120,9 @@ pub struct Container { @@ -139,7 +139,7 @@ index 2ea8fdb9b..da2a47ee2 100644 #[derive(Clone, Debug, Serialize, Deserialize)] struct ResourceRequirements { diff --git a/src/tools/genpolicy/src/policy.rs b/src/tools/genpolicy/src/policy.rs -index baa382b76..7c1479d57 100644 +index baa382b7646a11cd1fa18274801616eb36f04db6..7c1479d571dc163e4fe0bacef15cf60e8dd85920 100644 --- a/src/tools/genpolicy/src/policy.rs +++ b/src/tools/genpolicy/src/policy.rs @@ -198,6 +198,10 @@ pub struct KataLinux { @@ -217,7 +217,7 @@ index baa382b76..7c1479d57 100644 exec_commands, } 
diff --git a/src/tools/genpolicy/src/pvc.rs b/src/tools/genpolicy/src/pvc.rs -index 0a768ed8e..61d0ce3f0 100644 +index 0a768ed8e0e16965270be44f94b8d60d0eb4381c..61d0ce3f08686843ce1095e7e108636e5bd34ad9 100644 --- a/src/tools/genpolicy/src/pvc.rs +++ b/src/tools/genpolicy/src/pvc.rs @@ -34,6 +34,9 @@ pub struct PersistentVolumeClaimSpec { @@ -230,6 +230,3 @@ index 0a768ed8e..61d0ce3f0 100644 // TODO: additional fields. } --- -2.34.1 - diff --git a/packages/by-name/microsoft/genpolicy/0002-genpolicy-add-ability-to-filter-for-runtimeClassName.patch b/packages/by-name/microsoft/genpolicy/0002-genpolicy-add-ability-to-filter-for-runtimeClassName.patch index 72956c23bc..18b6c3b0ae 100644 --- a/packages/by-name/microsoft/genpolicy/0002-genpolicy-add-ability-to-filter-for-runtimeClassName.patch +++ b/packages/by-name/microsoft/genpolicy/0002-genpolicy-add-ability-to-filter-for-runtimeClassName.patch @@ -1,7 +1,7 @@ -From c890911981a072a14c69d92f82ece28e5d55d7fa Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Paul Meyer <49727155+katexochen@users.noreply.github.com> Date: Tue, 9 Jul 2024 16:07:09 +0200 -Subject: [PATCH 2/6] genpolicy: add ability to filter for runtimeClassName +Subject: [PATCH] genpolicy: add ability to filter for runtimeClassName Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> --- @@ -15,7 +15,7 @@ Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> 7 files changed, 59 insertions(+), 1 deletion(-) diff --git a/src/tools/genpolicy/src/daemon_set.rs b/src/tools/genpolicy/src/daemon_set.rs -index 5b18d96d9..90ea48597 100644 +index 5b18d96d9415a99556226b50bf67b1106b393d70..90ea48597605f056250424ff0d8758017d20220f 100644 --- a/src/tools/genpolicy/src/daemon_set.rs +++ b/src/tools/genpolicy/src/daemon_set.rs @@ -143,4 +143,13 @@ impl yaml::K8sResource for DaemonSet { @@ -33,7 +33,7 @@ index 5b18d96d9..90ea48597 100644 + } } 
diff --git a/src/tools/genpolicy/src/deployment.rs b/src/tools/genpolicy/src/deployment.rs -index f1b8e8d80..890579cdf 100644 +index f1b8e8d80f497d275a571125374fd77fa5490f24..890579cdfbd67cd7f5949c817dbd9391043b1cf0 100644 --- a/src/tools/genpolicy/src/deployment.rs +++ b/src/tools/genpolicy/src/deployment.rs @@ -141,4 +141,13 @@ impl yaml::K8sResource for Deployment { @@ -51,7 +51,7 @@ index f1b8e8d80..890579cdf 100644 + } } diff --git a/src/tools/genpolicy/src/pod.rs b/src/tools/genpolicy/src/pod.rs -index da2a47ee2..4a40c9570 100644 +index da2a47ee2d6affc43dc9246670675e3367d73bfe..4a40c957042e73ba584b66bc681469458a7f18f4 100644 --- a/src/tools/genpolicy/src/pod.rs +++ b/src/tools/genpolicy/src/pod.rs @@ -47,7 +47,7 @@ pub struct PodSpec { @@ -78,7 +78,7 @@ index da2a47ee2..4a40c9570 100644 if let Some(context) = &self.spec.securityContext { if let Some(uid) = context.runAsUser { diff --git a/src/tools/genpolicy/src/policy.rs b/src/tools/genpolicy/src/policy.rs -index 7c1479d57..a1affda77 100644 +index 7c1479d571dc163e4fe0bacef15cf60e8dd85920..a1affda77ef87fb7fd09d875ec8779324b47e3fb 100644 --- a/src/tools/genpolicy/src/policy.rs +++ b/src/tools/genpolicy/src/policy.rs @@ -10,6 +10,7 @@ use crate::agent; @@ -108,10 +108,10 @@ index 7c1479d57..a1affda77 100644 // ConfigMap and Secret documents contain additional input for policy generation. diff --git a/src/tools/genpolicy/src/stateful_set.rs b/src/tools/genpolicy/src/stateful_set.rs -index 096cafbeb..73f0b0a30 100644 +index 4c55f59ec3e88b324c25c5065d5b4c898a0db804..d25398358f526116f5b766ffba6db2e287e0f8e9 100644 --- a/src/tools/genpolicy/src/stateful_set.rs +++ b/src/tools/genpolicy/src/stateful_set.rs -@@ -187,6 +187,15 @@ impl yaml::K8sResource for StatefulSet { +@@ -194,6 +194,15 @@ impl yaml::K8sResource for StatefulSet { } false } @@ -128,7 +128,7 @@ index 096cafbeb..73f0b0a30 100644 impl StatefulSet { 
diff --git a/src/tools/genpolicy/src/utils.rs b/src/tools/genpolicy/src/utils.rs -index e45b188d4..2402c2ed2 100644 +index e45b188d40a82a32547290ccdfd4a263e193e1c2..2402c2ed213e45b89c47b2b6a94d54f8d200edb1 100644 --- a/src/tools/genpolicy/src/utils.rs +++ b/src/tools/genpolicy/src/utils.rs @@ -72,6 +72,12 @@ struct CommandLineOptions { @@ -161,7 +161,7 @@ index e45b188d4..2402c2ed2 100644 rego_rules_path: args.rego_rules_path, json_settings_path: args.json_settings_path, diff --git a/src/tools/genpolicy/src/yaml.rs b/src/tools/genpolicy/src/yaml.rs -index 8f06d291e..c898240af 100644 +index 8f06d291e97b6955f2970b05c5987678362602eb..c898240af337f3cb7cfc34fa1398cb5a6bd828a5 100644 --- a/src/tools/genpolicy/src/yaml.rs +++ b/src/tools/genpolicy/src/yaml.rs @@ -75,6 +75,10 @@ pub trait K8sResource { @@ -175,6 +175,3 @@ index 8f06d291e..c898240af 100644 } /// See Reference / Kubernetes API / Common Definitions / LabelSelector. --- -2.34.1 - diff --git a/packages/by-name/microsoft/genpolicy/0003-genpolicy-allow-specifying-layer-cache-file.patch b/packages/by-name/microsoft/genpolicy/0003-genpolicy-allow-specifying-layer-cache-file.patch index b25c9fc8e8..35accfdf71 100644 --- a/packages/by-name/microsoft/genpolicy/0003-genpolicy-allow-specifying-layer-cache-file.patch +++ b/packages/by-name/microsoft/genpolicy/0003-genpolicy-allow-specifying-layer-cache-file.patch @@ -1,7 +1,7 @@ -From cf495b76fe64e56b3c18a7175cb4e01d27d02dc7 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Paul Meyer <49727155+katexochen@users.noreply.github.com> Date: Tue, 9 Jul 2024 16:14:46 +0200 -Subject: [PATCH 3/6] genpolicy: allow specifying layer cache file +Subject: [PATCH] genpolicy: allow specifying layer cache file Add --layers-cache-file-path flag to allow the user to specify where the cache file for the container layers @@ -23,7 +23,7 @@ 
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> 3 files changed, 52 insertions(+), 26 deletions(-) diff --git a/src/tools/genpolicy/src/registry.rs b/src/tools/genpolicy/src/registry.rs -index 97e35ee60..b212eeb8b 100644 +index 97e35ee601beed99929e36661dadfd6ed15dfc5f..b212eeb8bca209d9916249fe8e01351f5943823c 100644 --- a/src/tools/genpolicy/src/registry.rs +++ b/src/tools/genpolicy/src/registry.rs @@ -66,7 +66,7 @@ pub struct ImageLayer { @@ -130,7 +130,7 @@ index 97e35ee60..b212eeb8b 100644 #[cfg(target_os = "windows")] diff --git a/src/tools/genpolicy/src/registry_containerd.rs b/src/tools/genpolicy/src/registry_containerd.rs -index fcc51ad78..333a4dd33 100644 +index fcc51ad783afb392e706e92a63efed0fe3f416a1..333a4dd33032c4842e70d5e618b4660fa2ffb6c5 100644 --- a/src/tools/genpolicy/src/registry_containerd.rs +++ b/src/tools/genpolicy/src/registry_containerd.rs @@ -28,7 +28,7 @@ use tower::service_fn; @@ -219,7 +219,7 @@ index fcc51ad78..333a4dd33 100644 warn!("{error_message}"); } diff --git a/src/tools/genpolicy/src/utils.rs b/src/tools/genpolicy/src/utils.rs -index 2402c2ed2..7579d74bf 100644 +index 2402c2ed213e45b89c47b2b6a94d54f8d200edb1..7579d74bf5a488bf6f577949862e6f976fa14ac5 100644 --- a/src/tools/genpolicy/src/utils.rs +++ b/src/tools/genpolicy/src/utils.rs @@ -78,6 +78,14 @@ struct CommandLineOptions { @@ -266,6 +266,3 @@ index 2402c2ed2..7579d74bf 100644 version: args.version, } } --- -2.34.1 - diff --git a/packages/by-name/microsoft/genpolicy/0004-genpolicy-regex-check-contrast-specific-layer-src-pr.patch b/packages/by-name/microsoft/genpolicy/0004-genpolicy-regex-check-contrast-specific-layer-src-pr.patch index 01441a2358..a696338291 100644 --- a/packages/by-name/microsoft/genpolicy/0004-genpolicy-regex-check-contrast-specific-layer-src-pr.patch +++ b/packages/by-name/microsoft/genpolicy/0004-genpolicy-regex-check-contrast-specific-layer-src-pr.patch 
@@ -1,7 +1,7 @@ -From 3b444c242de3bc130f0cf73d1a89ab540690c9f0 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Paul Meyer <49727155+katexochen@users.noreply.github.com> Date: Thu, 11 Jul 2024 12:05:00 +0200 -Subject: [PATCH 4/6] genpolicy: regex check contrast specific layer-src-prefix +Subject: [PATCH] genpolicy: regex check contrast specific layer-src-prefix Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> --- @@ -9,7 +9,7 @@ Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego -index 25c16bada..d933b928d 100644 +index 25c16badaddea436539c9ec8b8bd210461cda615..d933b928d21b549ef7c315a9e0c5cbb4bbbe88b3 100644 --- a/src/tools/genpolicy/rules.rego +++ b/src/tools/genpolicy/rules.rego @@ -887,7 +887,7 @@ allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) { @@ -21,6 +21,3 @@ index 25c16bada..d933b928d 100644 print("allow_storage_options 2: i_storage.options[i_count - 2] =", i_storage.options[i_count - 2]) i_storage.options[i_count - 2] == "io.katacontainers.fs-opt.overlay-rw" --- -2.34.1 - diff --git a/packages/by-name/microsoft/genpolicy/0005-genpolicy-propagate-mount_options-for-empty-dirs.patch b/packages/by-name/microsoft/genpolicy/0005-genpolicy-propagate-mount_options-for-empty-dirs.patch index eb90b5c8c1..b8c24803f3 100644 --- a/packages/by-name/microsoft/genpolicy/0005-genpolicy-propagate-mount_options-for-empty-dirs.patch +++ b/packages/by-name/microsoft/genpolicy/0005-genpolicy-propagate-mount_options-for-empty-dirs.patch @@ -1,7 +1,7 @@ -From e60354b386c9b50ee5f3a0804be66152fe0849d7 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 
From: Leonard Cohnen Date: Thu, 29 Aug 2024 03:45:24 +0200 -Subject: [PATCH 5/6] genpolicy: propagate mount_options for empty dirs +Subject: [PATCH] genpolicy: propagate mount_options for empty dirs In order to mount empty dirs e.g., with mount propagation "Bidirectional", we need the yaml value to the policy --- @@ -9,7 +9,7 @@ In order to mount empty dirs e.g., with mount propagation "Bidirectional", we ne 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/src/tools/genpolicy/src/mount_and_storage.rs b/src/tools/genpolicy/src/mount_and_storage.rs -index 520d3a8cb..05a4521f0 100644 +index ecb8bf5776ffb946bdab3b594a1f5bcb43799e84..327dd6990f8e7a275cf7561e20d2ce5cc0eeab2e 100644 --- a/src/tools/genpolicy/src/mount_and_storage.rs +++ b/src/tools/genpolicy/src/mount_and_storage.rs @@ -127,7 +127,14 @@ pub fn get_mount_and_storage( @@ -55,6 +55,3 @@ index 520d3a8cb..05a4521f0 100644 ], }); } --- -2.34.1 - diff --git a/packages/by-name/microsoft/genpolicy/0006-genpolicy-support-HostToContainer-mount-propagation.patch b/packages/by-name/microsoft/genpolicy/0006-genpolicy-support-HostToContainer-mount-propagation.patch index 57a71ce381..6bc7b9b22d 100644 --- a/packages/by-name/microsoft/genpolicy/0006-genpolicy-support-HostToContainer-mount-propagation.patch +++ b/packages/by-name/microsoft/genpolicy/0006-genpolicy-support-HostToContainer-mount-propagation.patch @@ -1,14 +1,14 @@ -From 8255b303a8d1c21ed22f2d9f7166101de151a9f4 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Leonard Cohnen Date: Fri, 30 Aug 2024 00:30:57 +0200 -Subject: [PATCH 6/6] genpolicy: support HostToContainer mount propagation +Subject: [PATCH] genpolicy: support HostToContainer mount propagation --- src/tools/genpolicy/src/mount_and_storage.rs | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
diff --git a/src/tools/genpolicy/src/mount_and_storage.rs b/src/tools/genpolicy/src/mount_and_storage.rs -index 05a4521f0..c81dc0c52 100644 +index 327dd6990f8e7a275cf7561e20d2ce5cc0eeab2e..09bc89fdf7e6eb239428adbb093c9cb5962da8a7 100644 --- a/src/tools/genpolicy/src/mount_and_storage.rs +++ b/src/tools/genpolicy/src/mount_and_storage.rs @@ -108,8 +108,9 @@ pub fn get_mount_and_storage( @@ -23,6 +23,3 @@ index 05a4521f0..c81dc0c52 100644 _ => "rprivate", }; --- -2.34.1 - diff --git a/packages/by-name/microsoft/genpolicy/0007-genpolicy-support-for-VOLUME-definition-in-container.patch b/packages/by-name/microsoft/genpolicy/0007-genpolicy-support-for-VOLUME-definition-in-container.patch new file mode 100644 index 0000000000..5013f0a13a --- /dev/null +++ b/packages/by-name/microsoft/genpolicy/0007-genpolicy-support-for-VOLUME-definition-in-container.patch 
@@ -0,0 +1,641 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: miampf +Date: Thu, 14 Nov 2024 12:34:56 +0100 +Subject: [PATCH] genpolicy: support for VOLUME definition in container image + +--- + src/tools/genpolicy/genpolicy-settings.json | 14 ++++- + src/tools/genpolicy/src/daemon_set.rs | 18 +++--- + src/tools/genpolicy/src/deployment.rs | 18 +++--- + src/tools/genpolicy/src/job.rs | 18 +++--- + src/tools/genpolicy/src/mount_and_storage.rs | 58 +++++++++++++++++++ + src/tools/genpolicy/src/pod.rs | 18 +++--- + src/tools/genpolicy/src/registry.rs | 21 ++++++- + .../genpolicy/src/registry_containerd.rs | 4 +- + src/tools/genpolicy/src/replica_set.rs | 18 +++--- + .../genpolicy/src/replication_controller.rs | 18 +++--- + src/tools/genpolicy/src/settings.rs | 12 ++++ + src/tools/genpolicy/src/stateful_set.rs | 20 +++---- + src/tools/genpolicy/src/yaml.rs | 43 +++++++++----- + .../kubernetes/k8s-policy-deployments.bats | 47 +++++++++++++++ + .../kubernetes/run_kubernetes_tests.sh | 1 + + .../k8s-policy-deployment.yaml | 36 ++++++++++++ + 16 files changed, 275 insertions(+), 89 deletions(-) + create mode 100644 tests/integration/kubernetes/k8s-policy-deployments.bats + create mode 100644 tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-deployment.yaml + +diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json +index 7d35862afa73e9f4c9004189d3ec50ebd3e8855d..fd998a41be8978b85928d12101c7ff4fdc38e4eb 100644 +--- a/src/tools/genpolicy/genpolicy-settings.json ++++ b/src/tools/genpolicy/genpolicy-settings.json +@@ -178,6 +178,18 @@ + "rprivate", + "ro" + ] ++ }, ++ "image_volume": { ++ "mount_type": "bind", ++ "mount_source": "$(sfprefix)", ++ "driver": "local", ++ "source": "local", ++ "fstype": "bind", ++ "options": [ ++ "rbind", ++ "rprivate", ++ "rw" ++ ] + } + }, + "mount_destinations": [ +@@ -322,4 +334,4 @@ + "UpdateEphemeralMountsRequest": false, + "WriteStreamRequest": 
false + } +-} +\ No newline at end of file ++} +diff --git a/src/tools/genpolicy/src/daemon_set.rs b/src/tools/genpolicy/src/daemon_set.rs +index 90ea48597605f056250424ff0d8758017d20220f..d5a159c318f65339a9044a85a08bfae91f839e01 100644 +--- a/src/tools/genpolicy/src/daemon_set.rs ++++ b/src/tools/genpolicy/src/daemon_set.rs +@@ -98,16 +98,14 @@ impl yaml::K8sResource for DaemonSet { + container: &pod::Container, + settings: &settings::Settings, + ) { +- if let Some(volumes) = &self.spec.template.spec.volumes { +- yaml::get_container_mounts_and_storages( +- policy_mounts, +- storages, +- persistent_volume_claims, +- container, +- settings, +- volumes, +- ) +- } ++ yaml::get_container_mounts_and_storages( ++ policy_mounts, ++ storages, ++ persistent_volume_claims, ++ container, ++ settings, ++ &self.spec.template.spec.volumes, ++ ); + } + + fn generate_policy(&self, agent_policy: &policy::AgentPolicy) -> String { +diff --git a/src/tools/genpolicy/src/deployment.rs b/src/tools/genpolicy/src/deployment.rs +index 890579cdfbd67cd7f5949c817dbd9391043b1cf0..65db6937e874ce13d655498b441e5c71913fca97 100644 +--- a/src/tools/genpolicy/src/deployment.rs ++++ b/src/tools/genpolicy/src/deployment.rs +@@ -96,16 +96,14 @@ impl yaml::K8sResource for Deployment { + container: &pod::Container, + settings: &settings::Settings, + ) { +- if let Some(volumes) = &self.spec.template.spec.volumes { +- yaml::get_container_mounts_and_storages( +- policy_mounts, +- storages, +- persistent_volume_claims, +- container, +- settings, +- volumes, +- ); +- } ++ yaml::get_container_mounts_and_storages( ++ policy_mounts, ++ storages, ++ persistent_volume_claims, ++ container, ++ settings, ++ &self.spec.template.spec.volumes, ++ ); + } + + fn generate_policy(&self, agent_policy: &policy::AgentPolicy) -> String { +diff --git a/src/tools/genpolicy/src/job.rs b/src/tools/genpolicy/src/job.rs +index bca1463017bb7359fb59d1ebbf1ae801c0f17190..32c1048f6b979b38e598169892c75adbb725a983 100644 +--- 
a/src/tools/genpolicy/src/job.rs ++++ b/src/tools/genpolicy/src/job.rs +@@ -70,16 +70,14 @@ impl yaml::K8sResource for Job { + container: &pod::Container, + settings: &settings::Settings, + ) { +- if let Some(volumes) = &self.spec.template.spec.volumes { +- yaml::get_container_mounts_and_storages( +- policy_mounts, +- storages, +- persistent_volume_claims, +- container, +- settings, +- volumes, +- ); +- } ++ yaml::get_container_mounts_and_storages( ++ policy_mounts, ++ storages, ++ persistent_volume_claims, ++ container, ++ settings, ++ &self.spec.template.spec.volumes, ++ ); + } + + fn generate_policy(&self, agent_policy: &policy::AgentPolicy) -> String { +diff --git a/src/tools/genpolicy/src/mount_and_storage.rs b/src/tools/genpolicy/src/mount_and_storage.rs +index 09bc89fdf7e6eb239428adbb093c9cb5962da8a7..0c2b5e58a45317d4d614ac51b7e0b5f035c8f11f 100644 +--- a/src/tools/genpolicy/src/mount_and_storage.rs ++++ b/src/tools/genpolicy/src/mount_and_storage.rs +@@ -108,6 +108,10 @@ pub fn get_mount_and_storage( + yaml_volume: &volume::Volume, + yaml_mount: &pod::VolumeMount, + ) { ++ debug!( ++ "get_mount_and_storage: adding mount and storage for: {:?}", ++ &yaml_volume ++ ); + let propagation = match yaml_mount.mountPropagation.as_deref() { + Some("Bidirectional") => "rshared", + Some("HostToContainer") => "rslave", +@@ -422,6 +426,60 @@ fn get_downward_api_mount(yaml_mount: &pod::VolumeMount, p_mounts: &mut Vec, ++ storages: &mut Vec, ++ destination: &str, ++) { ++ // https://github.com/kubernetes/examples/blob/master/cassandra/image/Dockerfile ++ // has a volume mount starting with two '/' characters: ++ // ++ // CASSANDRA_DATA=/cassandra_data ++ // VOLUME ["/$CASSANDRA_DATA"] ++ let mut destination_string = destination.to_string(); ++ while destination_string.contains("//") { ++ destination_string = destination_string.replace("//", "/"); ++ } ++ debug!("get_image_mount_and_storage: image dest = {destination}, dest = {destination_string}"); ++ ++ for mount in &mut 
*p_mounts { ++ if mount.destination == destination_string { ++ debug!( ++ "get_image_mount_and_storage: mount {destination_string} already defined by YAML" ++ ); ++ return; ++ } ++ } ++ ++ let settings_image = &settings.volumes.image_volume; ++ debug!( ++ "get_image_mount_and_storage: settings for container image volumes: {:?}", ++ settings_image ++ ); ++ ++ storages.push(agent::Storage { ++ driver: settings_image.driver.clone(), ++ driver_options: Vec::new(), ++ source: settings_image.source.clone(), ++ fstype: settings_image.fstype.clone(), ++ options: settings_image.options.clone(), ++ mount_point: destination_string.clone(), ++ fs_group: None, ++ }); ++ ++ let file_name = Path::new(&destination_string).file_name().unwrap(); ++ let name = OsString::from(file_name).into_string().unwrap(); ++ let source = format!("{}{name}$", &settings_image.mount_source); ++ ++ p_mounts.push(policy::KataMount { ++ destination: destination_string, ++ type_: settings_image.fstype.clone(), ++ source, ++ options: settings_image.options.clone(), ++ }); ++} ++ + fn get_ephemeral_mount( + settings: &settings::Settings, + yaml_mount: &pod::VolumeMount, +diff --git a/src/tools/genpolicy/src/pod.rs b/src/tools/genpolicy/src/pod.rs +index 4a40c957042e73ba584b66bc681469458a7f18f4..f5bf61bec420ed7ee642818e10ecdca80f710ad8 100644 +--- a/src/tools/genpolicy/src/pod.rs ++++ b/src/tools/genpolicy/src/pod.rs +@@ -846,16 +846,14 @@ impl yaml::K8sResource for Pod { + container: &Container, + settings: &settings::Settings, + ) { +- if let Some(volumes) = &self.spec.volumes { +- yaml::get_container_mounts_and_storages( +- policy_mounts, +- storages, +- persistent_volume_claims, +- container, +- settings, +- volumes, +- ); +- } ++ yaml::get_container_mounts_and_storages( ++ policy_mounts, ++ storages, ++ persistent_volume_claims, ++ container, ++ settings, ++ &self.spec.volumes, ++ ); + } + + fn generate_policy(&self, agent_policy: &policy::AgentPolicy) -> String { +diff --git 
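Review bot: `Path::new(&destination_string).file_name().unwrap()` panics when the VOLUME path has no final component (`/`, or anything the slash collapsing reduces to it), and `destination` comes from the pulled image's config layer rather than from the operator's YAML, so a malformed image aborts policy generation with a bare unwrap instead of a message; `let Some(name) = Path::new(&destination_string).file_name().and_then(|f| f.to_str()) else { panic!("image VOLUME {destination} has no usable file name") };` also removes the `OsString` round trip on the following line. The `source` value is built as `{mount_source}{name}$`, and the trailing `$` suggests it is consumed as a pattern rather than as a literal; if that is the case, `name` should be escaped before interpolation, because a volume name containing pattern metacharacters would change what the policy accepts — confirm against the rules that compare mount sources. `type_` is filled from `settings_image.fstype` while the new `mount_type` setting (added in genpolicy-settings.json and `settings::ImageVolume`) is never read; `type_: settings_image.mount_type.clone(),` would use the setting that was evidently introduced for it. `get_ephemeral_mount`, which follows the new helper, continues outside the hunk.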
a/src/tools/genpolicy/src/registry.rs b/src/tools/genpolicy/src/registry.rs +index b212eeb8bca209d9916249fe8e01351f5943823c..bdce2d40e3a7c3ec34137ceb3685fcc94aedcb39 100644 +--- a/src/tools/genpolicy/src/registry.rs ++++ b/src/tools/genpolicy/src/registry.rs +@@ -23,11 +23,13 @@ use sha2::{digest::typenum::Unsigned, digest::OutputSizeUser, Sha256}; + use std::fs::OpenOptions; + use std::io::BufWriter; + use std::{io, io::Seek, io::Write, path::Path}; ++use std::collections::BTreeMap; + use tokio::io::AsyncWriteExt; + + /// Container image properties obtained from an OCI repository. + #[derive(Clone, Debug, Default)] + pub struct Container { ++ pub image: String, + pub config_layer: DockerConfigLayer, + pub image_layers: Vec, + } +@@ -36,19 +38,20 @@ pub struct Container { + #[derive(Clone, Debug, Default, Deserialize, Serialize)] + pub struct DockerConfigLayer { + architecture: String, +- config: DockerImageConfig, ++ pub config: DockerImageConfig, + pub rootfs: DockerRootfs, + } + +-/// Image config properties. ++/// See: https://docs.docker.com/reference/dockerfile/. + #[derive(Clone, Debug, Default, Deserialize, Serialize)] +-struct DockerImageConfig { ++pub struct DockerImageConfig { + User: Option, + Tty: Option, + Env: Option>, + Cmd: Option>, + WorkingDir: Option, + Entrypoint: Option>, ++ pub Volumes: Option> + } + + /// Container rootfs information. +@@ -65,10 +68,20 @@ pub struct ImageLayer { + pub verity_hash: String, + } + ++/// See https://docs.docker.com/reference/dockerfile/#volume. ++#[derive(Clone, Debug, Serialize, Deserialize)] ++pub struct DockerVolumeHostDirectory { ++ // This struct is empty because, according to the documentation: ++ // "The VOLUME instruction does not support specifying a host-dir ++ // parameter. You must specify the mountpoint when you create or ++ // run the container." 
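Review bot: `use std::collections::BTreeMap;` is appended after the `std::{io, io::Seek, io::Write, path::Path}` line, which breaks the sorted order rustfmt keeps within the `std` group; it belongs before `use std::fs::OpenOptions;`. In the next hunk, the new `pub Volumes` field at the end of `DockerImageConfig` is the only field without a trailing comma, and the struct's replacement doc comment `/// See: https://docs.docker.com/reference/dockerfile/.` could keep a one-line description of what the struct holds (the image config's `config` object) ahead of the link, as the removed `/// Image config properties.` did.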
++} ++ + impl Container { + pub async fn new(layers_cache_file_path: Option, image: &str) -> Result { + info!("============================================"); + info!("Pulling manifest and config for {:?}", image); ++ let image_string = image.to_string(); + let reference: Reference = image.to_string().parse().unwrap(); + let auth = build_auth(&reference); + +@@ -94,6 +107,7 @@ impl Container { + + let config_layer: DockerConfigLayer = + serde_json::from_str(&config_layer_str).unwrap(); ++ debug!("config_layer: {:?}", &config_layer); + let image_layers = get_image_layers( + layers_cache_file_path, + &mut client, +@@ -105,6 +119,7 @@ impl Container { + .unwrap(); + + Ok(Container { ++ image: image_string, + config_layer, + image_layers, + }) +diff --git a/src/tools/genpolicy/src/registry_containerd.rs b/src/tools/genpolicy/src/registry_containerd.rs +index 333a4dd33032c4842e70d5e618b4660fa2ffb6c5..793137224b88d4a562ea214bbc8d93316563f863 100644 +--- a/src/tools/genpolicy/src/registry_containerd.rs ++++ b/src/tools/genpolicy/src/registry_containerd.rs +@@ -46,7 +46,8 @@ impl Container { + let ctrd_client = containerd_client::Client::from(containerd_channel.clone()); + let k8_cri_image_client = ImageServiceClient::new(containerd_channel); + +- let image_ref: Reference = image.to_string().parse().unwrap(); ++ let image_str = image.to_string(); ++ let image_ref: Reference = image_str.parse().unwrap(); + + info!("Pulling image: {:?}", image_ref); + +@@ -67,6 +68,7 @@ impl Container { + .await?; + + Ok(Container { ++ image: image_str, + config_layer, + image_layers, + }) +diff --git a/src/tools/genpolicy/src/replica_set.rs b/src/tools/genpolicy/src/replica_set.rs +index 094daf1da4cf2f202cfc41e76a0f693bdf84e46a..205937f0a9f1e17b5e2b1a6ab9e3d67d5263daa5 100644 +--- a/src/tools/genpolicy/src/replica_set.rs ++++ b/src/tools/genpolicy/src/replica_set.rs +@@ -68,16 +68,14 @@ impl yaml::K8sResource for ReplicaSet { + container: &pod::Container, + settings: &settings::Settings, + 
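Review bot: `debug!("config_layer: {:?}", &config_layer)` prints the entire decoded config layer, and `DockerImageConfig` carries `Env`, `Cmd` and `Entrypoint`, so any credentials baked into an image's environment land in genpolicy's debug output and in whatever CI log captures it; logging only what this patch consumes, `debug!("config_layer volumes: {:?}", &config_layer.config.Volumes);`, keeps the diagnostic without the spill. A smaller point: `image_string` is created here but the next line still calls `image.to_string().parse()`, whereas the containerd variant in this same patch parses its `image_str` local; `image_string.parse().unwrap()` would make the two constructors agree. `Container::new` continues outside the hunk.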
) { +- if let Some(volumes) = &self.spec.template.spec.volumes { +- yaml::get_container_mounts_and_storages( +- policy_mounts, +- storages, +- persistent_volume_claims, +- container, +- settings, +- volumes, +- ); +- } ++ yaml::get_container_mounts_and_storages( ++ policy_mounts, ++ storages, ++ persistent_volume_claims, ++ container, ++ settings, ++ &self.spec.template.spec.volumes, ++ ); + } + + fn generate_policy(&self, agent_policy: &policy::AgentPolicy) -> String { +diff --git a/src/tools/genpolicy/src/replication_controller.rs b/src/tools/genpolicy/src/replication_controller.rs +index 55788a45c2e0ede93b5fb27349b9096d6dc706ef..049e6a1394ba4c1151f44dc56abe1392102f5582 100644 +--- a/src/tools/genpolicy/src/replication_controller.rs ++++ b/src/tools/genpolicy/src/replication_controller.rs +@@ -70,16 +70,14 @@ impl yaml::K8sResource for ReplicationController { + container: &pod::Container, + settings: &settings::Settings, + ) { +- if let Some(volumes) = &self.spec.template.spec.volumes { +- yaml::get_container_mounts_and_storages( +- policy_mounts, +- storages, +- persistent_volume_claims, +- container, +- settings, +- volumes, +- ); +- } ++ yaml::get_container_mounts_and_storages( ++ policy_mounts, ++ storages, ++ persistent_volume_claims, ++ container, ++ settings, ++ &self.spec.template.spec.volumes, ++ ); + } + + fn generate_policy(&self, agent_policy: &policy::AgentPolicy) -> String { +diff --git a/src/tools/genpolicy/src/settings.rs b/src/tools/genpolicy/src/settings.rs +index 3d86971914ad4a659cab4bba0737ca53a183c2ba..a388f074e5168abb14c40c324c8aeef74062cdc0 100644 +--- a/src/tools/genpolicy/src/settings.rs ++++ b/src/tools/genpolicy/src/settings.rs +@@ -34,6 +34,7 @@ pub struct Volumes { + pub emptyDir_memory: EmptyDirVolume, + pub configMap: ConfigMapVolume, + pub confidential_configMap: ConfigMapVolume, ++ pub image_volume: ImageVolume + } + + /// EmptyDir volume settings loaded from genpolicy-settings.json. 
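Review bot: `pub image_volume: ImageVolume` is the only field in `Volumes` without a trailing comma; rustfmt would write `pub image_volume: ImageVolume,`. Because the field is neither `Option` nor `#[serde(default)]`, a genpolicy-settings.json that predates this patch now fails to deserialize with a missing-field error; if that is intended (the bundled settings file is updated in the same patch), a sentence on the `ImageVolume` doc comment stating that the block is required would spare users a puzzling failure. The `Volumes` struct's opening lines are above the hunk.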
+@@ -59,6 +60,17 @@ pub struct ConfigMapVolume { + pub options: Vec, + } + ++/// Container image volume settings loaded from genpolicy-settings.json. ++#[derive(Clone, Debug, Serialize, Deserialize)] ++pub struct ImageVolume { ++ pub mount_type: String, ++ pub mount_source: String, ++ pub driver: String, ++ pub source: String, ++ pub fstype: String, ++ pub options: Vec, ++} ++ + /// Data corresponding to the kata runtime config file data, loaded from + /// genpolicy-settings.json. + #[derive(Clone, Debug, Serialize, Deserialize)] +diff --git a/src/tools/genpolicy/src/stateful_set.rs b/src/tools/genpolicy/src/stateful_set.rs +index d25398358f526116f5b766ffba6db2e287e0f8e9..aa25bf5a78443dce6493fe5a2a2c3a3b6bd8c00c 100644 +--- a/src/tools/genpolicy/src/stateful_set.rs ++++ b/src/tools/genpolicy/src/stateful_set.rs +@@ -118,17 +118,6 @@ impl yaml::K8sResource for StatefulSet { + container: &pod::Container, + settings: &settings::Settings, + ) { +- if let Some(volumes) = &self.spec.template.spec.volumes { +- yaml::get_container_mounts_and_storages( +- policy_mounts, +- storages, +- persistent_volume_claims, +- container, +- settings, +- volumes, +- ); +- } +- + // Example: + // + // containers: +@@ -159,6 +148,15 @@ impl yaml::K8sResource for StatefulSet { + ); + } + } ++ ++ yaml::get_container_mounts_and_storages( ++ policy_mounts, ++ storages, ++ persistent_volume_claims, ++ container, ++ settings, ++ &self.spec.template.spec.volumes, ++ ); + } + + fn generate_policy(&self, agent_policy: &policy::AgentPolicy) -> String { +diff --git a/src/tools/genpolicy/src/yaml.rs b/src/tools/genpolicy/src/yaml.rs +index c898240af337f3cb7cfc34fa1398cb5a6bd828a5..07ebb32aea0ae8265c8deb8c32fb02242d1a7d84 100644 +--- a/src/tools/genpolicy/src/yaml.rs ++++ b/src/tools/genpolicy/src/yaml.rs +@@ -251,24 +251,41 @@ pub fn get_container_mounts_and_storages( + persistent_volume_claims: &[pvc::PersistentVolumeClaim], + container: &pod::Container, + settings: &settings::Settings, +- volumes: 
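Review bot: Moving the `get_container_mounts_and_storages` call below the volumeClaimTemplates loop changes the order in which mounts are pushed into `policy_mounts`, and nothing in either hunk says why; presumably it is so that the image-VOLUME handling, which skips a destination already present in `policy_mounts`, sees the template-derived mounts first, and that only holds if they are pushed before the call. A comment above the call, `// Must run after volumeClaimTemplates: image VOLUME mounts are skipped only for destinations already in policy_mounts.`, would pin that dependency so a later reorder does not silently reintroduce duplicates. The method's signature is in the first hunk and the volumeClaimTemplates loop between the two hunks is outside both.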
&Vec, ++ volumes_option: &Option>, + ) { +- if let Some(volume_mounts) = &container.volumeMounts { +- for volume in volumes { +- for volume_mount in volume_mounts { +- if volume_mount.name.eq(&volume.name) { +- mount_and_storage::get_mount_and_storage( +- settings, +- policy_mounts, +- storages, +- persistent_volume_claims, +- volume, +- volume_mount, +- ); ++ if let Some(volumes) = volumes_option { ++ if let Some(volume_mounts) = &container.volumeMounts { ++ for volume in volumes { ++ for volume_mount in volume_mounts { ++ if volume_mount.name.eq(&volume.name) { ++ mount_and_storage::get_mount_and_storage( ++ settings, ++ policy_mounts, ++ storages, ++ persistent_volume_claims, ++ volume, ++ volume_mount, ++ ); ++ } + } + } + } + } ++ ++ // Add storage and mount for each volume defined in the docker container image ++ // configuration layer. ++ if let Some(volumes) = &container.registry.config_layer.config.Volumes { ++ for volume in volumes { ++ debug!("get_container_mounts_and_storages: {:?}", &volume); ++ ++ mount_and_storage::get_image_mount_and_storage( ++ settings, ++ policy_mounts, ++ storages, ++ volume.0, ++ ); ++ } ++ } + } + + /// Add the "io.katacontainers.config.agent.policy" annotation into +diff --git a/tests/integration/kubernetes/k8s-policy-deployments.bats b/tests/integration/kubernetes/k8s-policy-deployments.bats +new file mode 100644 +index 0000000000000000000000000000000000000000..8919c7dae1536ba62a84a8ab27370498f2a76704 +--- /dev/null ++++ b/tests/integration/kubernetes/k8s-policy-deployments.bats +@@ -0,0 +1,47 @@ ++#!/usr/bin/env bats ++# ++# Copyright (c) 2024 Microsoft. ++# ++# SPDX-License-Identifier: Apache-2.0 ++# ++ ++load "${BATS_TEST_DIRNAME}/../../common.bash" ++load "${BATS_TEST_DIRNAME}/tests_common.sh" ++ ++setup() { ++ auto_generate_policy_enabled || skip "Auto-generated policy tests are disabled." 
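Review bot: `volumes_option: &Option<Vec<volume::Volume>>` is the shape clippy's `ref_option` lint flags; `volumes: Option<&[volume::Volume]>` with callers passing `self.spec.template.spec.volumes.as_deref()` (`self.spec.volumes.as_deref()` in pod.rs) expresses the same thing without the double indirection, and the two nested `if let`s then collapse to `if let (Some(volumes), Some(volume_mounts)) = (volumes, &container.volumeMounts)`. In the image-volume loop, `for (destination, _) in volumes` reads better than `volume.0`, and `volume_mount.name.eq(&volume.name)` is just `==`. The duplicate check inside `get_image_mount_and_storage` is a plain string compare against what is already in `policy_mounts`, so this function relies on every YAML-derived mount being pushed before the image loop runs — true in the code as written, but worth a one-line comment above the image loop, since the StatefulSet caller appears to have been reordered for exactly that reason.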
++
++ get_pod_config_dir
++
++ deployment_name="policy-redis-deployment"
++ deployment_yaml="${pod_config_dir}/k8s-policy-deployment.yaml"
++
++ # Add an appropriate policy to the correct YAML file.
++ policy_settings_dir="$(create_tmp_policy_settings_dir "${pod_config_dir}")"
++ add_requests_to_policy_settings "${policy_settings_dir}" "ReadStreamRequest"
++ auto_generate_policy "${policy_settings_dir}" "${deployment_yaml}"
++}
++
++@test "Successful deployment with auto-generated policy and container image volumes" {
++ # Initiate deployment
++ kubectl apply -f "${deployment_yaml}"
++
++ # Wait for the deployment to be created
++ cmd="kubectl rollout status --timeout=1s deployment/${deployment_name} | grep 'successfully rolled out'"
++ info "Waiting for: ${cmd}"
++ waitForProcess "${wait_time}" "${sleep_time}" "${cmd}"
++}
++
++teardown() {
++ auto_generate_policy_enabled || skip "Auto-generated policy tests are disabled."
++
++ # Debugging information
++ info "Deployment ${deployment_name}:"
++ kubectl describe deployment "${deployment_name}"
++ kubectl rollout status deployment/${deployment_name}
++
++ # Clean-up
++ kubectl delete deployment "${deployment_name}"
++
++ delete_tmp_policy_settings_dir "${policy_settings_dir}"
++}
+diff --git a/tests/integration/kubernetes/run_kubernetes_tests.sh b/tests/integration/kubernetes/run_kubernetes_tests.sh
+index b16c22ae64fa23f3a42fd4915d9c1f0eee6812eb..203128f51e357b17c4a8c0e832619c08c1b35746 100644
+--- a/tests/integration/kubernetes/run_kubernetes_tests.sh
++++ b/tests/integration/kubernetes/run_kubernetes_tests.sh
+@@ -45,6 +45,7 @@ else
+ "k8s-optional-empty-secret.bats" \
+ "k8s-pid-ns.bats" \
+ "k8s-pod-quota.bats" \
++ "k8s-policy-deployments.bats" \
+ "k8s-port-forward.bats" \
+ "k8s-projected-volume.bats" \
+ "k8s-qos-pods.bats" \
+diff --git a/tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-deployment.yaml b/tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-deployment.yaml
+new file
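Review bot: The `@test` body only waits for `kubectl rollout status` to report success, so it would pass identically against an image that declares no VOLUME at all; nothing in the test shows that the image-volume path of the patch was exercised. After `auto_generate_policy` in `setup()` the generated policy is available, so asserting that it contains the redis image's VOLUME destination (the project presumably has a helper for inspecting the policy annotation; I cannot see one here) would tie the test to the behaviour its name claims. At minimum a comment in `setup()` such as `# The redis image is used because its config layer declares a VOLUME; the policy must include it.` records why this image was chosen. Minor style point: `kubectl rollout status deployment/${deployment_name}` in `teardown()` is unquoted while every other use of the variable is quoted.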
mode 100644
+index 0000000000000000000000000000000000000000..407b99729061dc7e651296afcc10ce6138e481af
+--- /dev/null
++++ b/tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-deployment.yaml
+@@ -0,0 +1,36 @@
++#
++# Copyright (c) 2024 Microsoft
++#
++# SPDX-License-Identifier: Apache-2.0
++#
++apiVersion: apps/v1
++kind: Deployment
++metadata:
++ name: policy-redis-deployment
++ labels:
++ app: policyredis
++spec:
++ selector:
++ matchLabels:
++ app: policyredis
++ role: master
++ tier: backend
++ replicas: 1
++ template:
++ metadata:
++ labels:
++ app: policyredis
++ role: master
++ tier: backend
++ spec:
++ terminationGracePeriodSeconds: 0
++ runtimeClassName: kata
++ containers:
++ - name: master
++ image: quay.io/opstree/redis
++ resources:
++ requests:
++ cpu: 100m
++ memory: 100Mi
++ ports:
++ - containerPort: 6379
diff --git a/packages/by-name/microsoft/genpolicy/package.nix b/packages/by-name/microsoft/genpolicy/package.nix
index 4286550cd2..928e62b8e4 100644
--- a/packages/by-name/microsoft/genpolicy/package.nix
+++ b/packages/by-name/microsoft/genpolicy/package.nix
@@ -55,6 +55,10 @@ rustPlatform.buildRustPackage rec {
 # We can revisit this if microsoft upstreamed
 # https://github.com/microsoft/kata-containers/pull/174
 ./0006-genpolicy-support-HostToContainer-mount-propagation.patch
+ # This patch is a port of https://github.com/kata-containers/kata-containers/pull/10136/files
+ # to microsofts genpolicy.
+ # remove when picked up by Microsoft/kata-containers fork.
+ ./0007-genpolicy-support-for-VOLUME-definition-in-container.patch
 ];
 };
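Review bot: `image: quay.io/opstree/redis` carries neither a tag nor a digest, so the test pulls whatever the registry's default tag resolves to at run time. Because the patch under test derives policy mounts from that image's config layer, the generated policy, and therefore the test outcome, changes silently whenever the image is republished with a different VOLUME set. Pin it, e.g. `image: quay.io/opstree/redis@sha256:<digest-placeholder>` (or at least a fixed tag), and add a comment above the `image:` line noting that this image was chosen because it declares a VOLUME, which is the behaviour the accompanying bats test relies on.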