From 54e3bfd24488ca703a88cf0dea25bcba312f371c Mon Sep 17 00:00:00 2001
From: Markus Rudy
Date: Thu, 15 Feb 2024 15:22:45 +0100
Subject: [PATCH] ci: embed prod policy settings on release

This commit blesses the Microsoft fork of the Kata Containers policy and settings.

Why not ours?

* Any divergence from upstream configs risks security relevant divergence and would need continuous justification.
* We can contribute missing policy features upstream, if needed.

Why not kata-containers/kata-containers?

* We assume that the Microsoft fork is customized to the AKS environment that we're targeting, and we want to stay compatible with that.
* The genpolicy tool and its config are not compatible across minor versions (e.g., a policy generated from Kata head today is not accepted by the Kata Agent available in the AKS preview today).
---
 packages/default.nix | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/packages/default.nix b/packages/default.nix
index 1528364121..c5062c115b 100644
--- a/packages/default.nix
+++ b/packages/default.nix
@@ -78,6 +78,12 @@ rec {
 inherit (nunki) cli;
 cli-release = (nunki.override (prevArgs: {
+ prePatch = ''
+ install -D ${lib.getExe genpolicy} cli/assets/genpolicy
+ install -D ${genpolicy.settings}/genpolicy-settings.json cli/assets/genpolicy-settings.json
+ install -D ${genpolicy.rules}/genpolicy-rules.rego cli/assets/genpolicy-rules.rego
+ '';
+
 ldflags = prevArgs.ldflags ++ [
 "-X main.DefaultCoordinatorPolicyHash=${builtins.readFile ../cli/assets/coordinator-policy-hash}"
 ];