kata-msft: support images with VOLUME directives (#996)
Showing
13 changed files
with
562 additions
and
95 deletions.
@@ -1,7 +1,7 @@ | ||
From 41f26a5803fa50abf3bd0d6cfebc8106ae9dcbc8 Mon Sep 17 00:00:00 2001 | ||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 | ||
From: Markus Rudy <[email protected]> | ||
Date: Thu, 23 May 2024 09:20:20 +0200 | ||
Subject: [PATCH 1/6] genpolicy: add rules and types for volumeDevices | ||
Subject: [PATCH] genpolicy: add rules and types for volumeDevices | ||
|
||
Signed-off-by: Markus Rudy <[email protected]> | ||
--- | ||
|
@@ -14,7 +14,7 @@ Signed-off-by: Markus Rudy <[email protected]> | |
6 files changed, 85 insertions(+) | ||
|
||
diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego | ||
index c3eb33461..25c16bada 100644 | ||
index c3eb334612fc0ff05c49031e7b305fd10297896a..25c16badaddea436539c9ec8b8bd210461cda615 100644 | ||
--- a/src/tools/genpolicy/rules.rego | ||
+++ b/src/tools/genpolicy/rules.rego | ||
@@ -54,6 +54,7 @@ default AllowRequestsFailingPolicy := false | ||
|
@@ -75,7 +75,7 @@ index c3eb33461..25c16bada 100644 | |
# and io.kubernetes.cri.sandbox-id" values with other fields. | ||
allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) { | ||
diff --git a/src/tools/genpolicy/src/agent.rs b/src/tools/genpolicy/src/agent.rs | ||
index 19a934d81..f3f398b0e 100644 | ||
index 19a934d81995ece42a148e733b41e96474921b3a..f3f398b0ee052ba02a3b5ecae884fed646b38cc3 100644 | ||
--- a/src/tools/genpolicy/src/agent.rs | ||
+++ b/src/tools/genpolicy/src/agent.rs | ||
@@ -16,3 +16,12 @@ pub struct SerializedFsGroup { | ||
|
@@ -92,7 +92,7 @@ index 19a934d81..f3f398b0e 100644 | |
+ pub options: Vec<String>, | ||
+} | ||
diff --git a/src/tools/genpolicy/src/containerd.rs b/src/tools/genpolicy/src/containerd.rs | ||
index 2b826a51a..075fced5b 100644 | ||
index 2b826a51a4f587e2ca45f0b304b0eed29046b104..075fced5bfec11b27e529f0b1d2dba5e6271ba82 100644 | ||
--- a/src/tools/genpolicy/src/containerd.rs | ||
+++ b/src/tools/genpolicy/src/containerd.rs | ||
@@ -152,12 +152,14 @@ pub fn get_linux(privileged_container: bool) -> policy::KataLinux { | ||
|
@@ -111,7 +111,7 @@ index 2b826a51a..075fced5b 100644 | |
} | ||
} | ||
diff --git a/src/tools/genpolicy/src/pod.rs b/src/tools/genpolicy/src/pod.rs | ||
index 2ea8fdb9b..da2a47ee2 100644 | ||
index 2ea8fdb9be848c8c00f634ec813475ebaf3d55bb..da2a47ee2d6affc43dc9246670675e3367d73bfe 100644 | ||
--- a/src/tools/genpolicy/src/pod.rs | ||
+++ b/src/tools/genpolicy/src/pod.rs | ||
@@ -120,6 +120,9 @@ pub struct Container { | ||
|
@@ -139,7 +139,7 @@ index 2ea8fdb9b..da2a47ee2 100644 | |
#[derive(Clone, Debug, Serialize, Deserialize)] | ||
struct ResourceRequirements { | ||
diff --git a/src/tools/genpolicy/src/policy.rs b/src/tools/genpolicy/src/policy.rs | ||
index baa382b76..7c1479d57 100644 | ||
index baa382b7646a11cd1fa18274801616eb36f04db6..7c1479d571dc163e4fe0bacef15cf60e8dd85920 100644 | ||
--- a/src/tools/genpolicy/src/policy.rs | ||
+++ b/src/tools/genpolicy/src/policy.rs | ||
@@ -198,6 +198,10 @@ pub struct KataLinux { | ||
|
@@ -217,7 +217,7 @@ index baa382b76..7c1479d57 100644 | |
exec_commands, | ||
} | ||
diff --git a/src/tools/genpolicy/src/pvc.rs b/src/tools/genpolicy/src/pvc.rs | ||
index 0a768ed8e..61d0ce3f0 100644 | ||
index 0a768ed8e0e16965270be44f94b8d60d0eb4381c..61d0ce3f08686843ce1095e7e108636e5bd34ad9 100644 | ||
--- a/src/tools/genpolicy/src/pvc.rs | ||
+++ b/src/tools/genpolicy/src/pvc.rs | ||
@@ -34,6 +34,9 @@ pub struct PersistentVolumeClaimSpec { | ||
|
@@ -230,6 +230,3 @@ index 0a768ed8e..61d0ce3f0 100644 | |
// TODO: additional fields. | ||
} | ||
|
||
-- | ||
2.34.1 | ||
|
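Review bot: The regenerated header on L27 replaces the upstream commit id with `From 0000000000000000000000000000000000000000`, so this .patch no longer records which kata-containers commit it was cut from and cannot be re-audited against upstream without out-of-band knowledge. Moving the `index` lines to full 40-character blob ids (L43, L53, …) is good because it lets `git apply --3way` locate the exact blobs, but it does not identify the base revision; regenerate with `git format-patch --base=<kata-rev>` so a `base-commit:` trailer lands in the file, or pin the base revision in the tooling that applies this series. GitHub also flags this file as containing bidirectional Unicode text; if that is not a rendering artifact, check the patch for U+202A–U+202E / U+2066–U+2069 controls before applying it.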
@@ -1,7 +1,7 @@ | ||
From c890911981a072a14c69d92f82ece28e5d55d7fa Mon Sep 17 00:00:00 2001 | ||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 | ||
From: Paul Meyer <[email protected]> | ||
Date: Tue, 9 Jul 2024 16:07:09 +0200 | ||
Subject: [PATCH 2/6] genpolicy: add ability to filter for runtimeClassName | ||
Subject: [PATCH] genpolicy: add ability to filter for runtimeClassName | ||
|
||
Signed-off-by: Paul Meyer <[email protected]> | ||
--- | ||
|
@@ -15,7 +15,7 @@ Signed-off-by: Paul Meyer <[email protected]> | |
7 files changed, 59 insertions(+), 1 deletion(-) | ||
|
||
diff --git a/src/tools/genpolicy/src/daemon_set.rs b/src/tools/genpolicy/src/daemon_set.rs | ||
index 5b18d96d9..90ea48597 100644 | ||
index 5b18d96d9415a99556226b50bf67b1106b393d70..90ea48597605f056250424ff0d8758017d20220f 100644 | ||
--- a/src/tools/genpolicy/src/daemon_set.rs | ||
+++ b/src/tools/genpolicy/src/daemon_set.rs | ||
@@ -143,4 +143,13 @@ impl yaml::K8sResource for DaemonSet { | ||
|
@@ -33,7 +33,7 @@ index 5b18d96d9..90ea48597 100644 | |
+ } | ||
} | ||
diff --git a/src/tools/genpolicy/src/deployment.rs b/src/tools/genpolicy/src/deployment.rs | ||
index f1b8e8d80..890579cdf 100644 | ||
index f1b8e8d80f497d275a571125374fd77fa5490f24..890579cdfbd67cd7f5949c817dbd9391043b1cf0 100644 | ||
--- a/src/tools/genpolicy/src/deployment.rs | ||
+++ b/src/tools/genpolicy/src/deployment.rs | ||
@@ -141,4 +141,13 @@ impl yaml::K8sResource for Deployment { | ||
|
@@ -51,7 +51,7 @@ index f1b8e8d80..890579cdf 100644 | |
+ } | ||
} | ||
diff --git a/src/tools/genpolicy/src/pod.rs b/src/tools/genpolicy/src/pod.rs | ||
index da2a47ee2..4a40c9570 100644 | ||
index da2a47ee2d6affc43dc9246670675e3367d73bfe..4a40c957042e73ba584b66bc681469458a7f18f4 100644 | ||
--- a/src/tools/genpolicy/src/pod.rs | ||
+++ b/src/tools/genpolicy/src/pod.rs | ||
@@ -47,7 +47,7 @@ pub struct PodSpec { | ||
|
@@ -78,7 +78,7 @@ index da2a47ee2..4a40c9570 100644 | |
if let Some(context) = &self.spec.securityContext { | ||
if let Some(uid) = context.runAsUser { | ||
diff --git a/src/tools/genpolicy/src/policy.rs b/src/tools/genpolicy/src/policy.rs | ||
index 7c1479d57..a1affda77 100644 | ||
index 7c1479d571dc163e4fe0bacef15cf60e8dd85920..a1affda77ef87fb7fd09d875ec8779324b47e3fb 100644 | ||
--- a/src/tools/genpolicy/src/policy.rs | ||
+++ b/src/tools/genpolicy/src/policy.rs | ||
@@ -10,6 +10,7 @@ use crate::agent; | ||
|
@@ -108,10 +108,10 @@ index 7c1479d57..a1affda77 100644 | |
|
||
// ConfigMap and Secret documents contain additional input for policy generation. | ||
diff --git a/src/tools/genpolicy/src/stateful_set.rs b/src/tools/genpolicy/src/stateful_set.rs | ||
index 096cafbeb..73f0b0a30 100644 | ||
index 4c55f59ec3e88b324c25c5065d5b4c898a0db804..d25398358f526116f5b766ffba6db2e287e0f8e9 100644 | ||
--- a/src/tools/genpolicy/src/stateful_set.rs | ||
+++ b/src/tools/genpolicy/src/stateful_set.rs | ||
@@ -187,6 +187,15 @@ impl yaml::K8sResource for StatefulSet { | ||
@@ -194,6 +194,15 @@ impl yaml::K8sResource for StatefulSet { | ||
} | ||
false | ||
} | ||
|
@@ -128,7 +128,7 @@ index 096cafbeb..73f0b0a30 100644 | |
|
||
impl StatefulSet { | ||
diff --git a/src/tools/genpolicy/src/utils.rs b/src/tools/genpolicy/src/utils.rs | ||
index e45b188d4..2402c2ed2 100644 | ||
index e45b188d40a82a32547290ccdfd4a263e193e1c2..2402c2ed213e45b89c47b2b6a94d54f8d200edb1 100644 | ||
--- a/src/tools/genpolicy/src/utils.rs | ||
+++ b/src/tools/genpolicy/src/utils.rs | ||
@@ -72,6 +72,12 @@ struct CommandLineOptions { | ||
|
@@ -161,7 +161,7 @@ index e45b188d4..2402c2ed2 100644 | |
rego_rules_path: args.rego_rules_path, | ||
json_settings_path: args.json_settings_path, | ||
diff --git a/src/tools/genpolicy/src/yaml.rs b/src/tools/genpolicy/src/yaml.rs | ||
index 8f06d291e..c898240af 100644 | ||
index 8f06d291e97b6955f2970b05c5987678362602eb..c898240af337f3cb7cfc34fa1398cb5a6bd828a5 100644 | ||
--- a/src/tools/genpolicy/src/yaml.rs | ||
+++ b/src/tools/genpolicy/src/yaml.rs | ||
@@ -75,6 +75,10 @@ pub trait K8sResource { | ||
|
@@ -175,6 +175,3 @@ index 8f06d291e..c898240af 100644 | |
} | ||
|
||
/// See Reference / Kubernetes API / Common Definitions / LabelSelector. | ||
-- | ||
2.34.1 | ||
|
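Review bot: The stateful_set.rs hunk is regenerated against a different base blob (`index 4c55f59ec…d25398358` on L169, with the hunk moved from `@@ -187` to `@@ -194` on L173) while the daemon_set.rs, deployment.rs, pod.rs, policy.rs, utils.rs and yaml.rs hunks in the same patch keep their previous bases, so the patch now encodes a mixed upstream state. As the subject says, this patch adds the runtimeClassName filter that decides which resources genpolicy handles, so a context mismatch that is only noticed at apply time would be easy to miss; regenerate the whole series from one pinned kata-containers revision and have CI run `git apply --check` over every file in the series. The filter logic itself is not in view here, only the hunk headers.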
@@ -1,7 +1,7 @@ | ||
From cf495b76fe64e56b3c18a7175cb4e01d27d02dc7 Mon Sep 17 00:00:00 2001 | ||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 | ||
From: Paul Meyer <[email protected]> | ||
Date: Tue, 9 Jul 2024 16:14:46 +0200 | ||
Subject: [PATCH 3/6] genpolicy: allow specifying layer cache file | ||
Subject: [PATCH] genpolicy: allow specifying layer cache file | ||
|
||
Add --layers-cache-file-path flag to allow the user to | ||
specify where the cache file for the container layers | ||
|
@@ -23,7 +23,7 @@ Signed-off-by: Paul Meyer <[email protected]> | |
3 files changed, 52 insertions(+), 26 deletions(-) | ||
|
||
diff --git a/src/tools/genpolicy/src/registry.rs b/src/tools/genpolicy/src/registry.rs | ||
index 97e35ee60..b212eeb8b 100644 | ||
index 97e35ee601beed99929e36661dadfd6ed15dfc5f..b212eeb8bca209d9916249fe8e01351f5943823c 100644 | ||
--- a/src/tools/genpolicy/src/registry.rs | ||
+++ b/src/tools/genpolicy/src/registry.rs | ||
@@ -66,7 +66,7 @@ pub struct ImageLayer { | ||
|
@@ -130,7 +130,7 @@ index 97e35ee60..b212eeb8b 100644 | |
|
||
#[cfg(target_os = "windows")] | ||
diff --git a/src/tools/genpolicy/src/registry_containerd.rs b/src/tools/genpolicy/src/registry_containerd.rs | ||
index fcc51ad78..333a4dd33 100644 | ||
index fcc51ad783afb392e706e92a63efed0fe3f416a1..333a4dd33032c4842e70d5e618b4660fa2ffb6c5 100644 | ||
--- a/src/tools/genpolicy/src/registry_containerd.rs | ||
+++ b/src/tools/genpolicy/src/registry_containerd.rs | ||
@@ -28,7 +28,7 @@ use tower::service_fn; | ||
|
@@ -219,7 +219,7 @@ index fcc51ad78..333a4dd33 100644 | |
warn!("{error_message}"); | ||
} | ||
diff --git a/src/tools/genpolicy/src/utils.rs b/src/tools/genpolicy/src/utils.rs | ||
index 2402c2ed2..7579d74bf 100644 | ||
index 2402c2ed213e45b89c47b2b6a94d54f8d200edb1..7579d74bf5a488bf6f577949862e6f976fa14ac5 100644 | ||
--- a/src/tools/genpolicy/src/utils.rs | ||
+++ b/src/tools/genpolicy/src/utils.rs | ||
@@ -78,6 +78,14 @@ struct CommandLineOptions { | ||
|
@@ -266,6 +266,3 @@ index 2402c2ed2..7579d74bf 100644 | |
version: args.version, | ||
} | ||
} | ||
-- | ||
2.34.1 | ||
|
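Review bot: The new `--layers-cache-file-path` flag described on L220–L221 lets the caller point genpolicy at an arbitrary cache file, and nothing in the visible hunks says whether cached entries are validated before they are used. If, as the name suggests, the cache holds per-layer data that ends up in the generated policy (for example root hashes), a writable or shared cache path becomes an input to the policy's trust anchor; the patch description should state the integrity assumption, and cached entries should be tied to the image/layer digest they were computed from rather than trusted by file position. The registry.rs and registry_containerd.rs bodies that implement this are outside the hunks shown.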
@@ -1,15 +1,15 @@ | ||
From 3b444c242de3bc130f0cf73d1a89ab540690c9f0 Mon Sep 17 00:00:00 2001 | ||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 | ||
From: Paul Meyer <[email protected]> | ||
Date: Thu, 11 Jul 2024 12:05:00 +0200 | ||
Subject: [PATCH 4/6] genpolicy: regex check contrast specific layer-src-prefix | ||
Subject: [PATCH] genpolicy: regex check contrast specific layer-src-prefix | ||
|
||
Signed-off-by: Paul Meyer <[email protected]> | ||
--- | ||
src/tools/genpolicy/rules.rego | 2 +- | ||
1 file changed, 1 insertion(+), 1 deletion(-) | ||
|
||
diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego | ||
index 25c16bada..d933b928d 100644 | ||
index 25c16badaddea436539c9ec8b8bd210461cda615..d933b928d21b549ef7c315a9e0c5cbb4bbbe88b3 100644 | ||
--- a/src/tools/genpolicy/rules.rego | ||
+++ b/src/tools/genpolicy/rules.rego | ||
@@ -887,7 +887,7 @@ allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) { | ||
|
@@ -21,6 +21,3 @@ index 25c16bada..d933b928d 100644 | |
|
||
print("allow_storage_options 2: i_storage.options[i_count - 2] =", i_storage.options[i_count - 2]) | ||
i_storage.options[i_count - 2] == "io.katacontainers.fs-opt.overlay-rw" | ||
-- | ||
2.34.1 | ||
|
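Review bot: The regex added to `allow_storage_options` in rules.rego is not visible in this hunk (only the debug `print` on L291 and the `overlay-rw` equality check on L292 are), so it cannot be reviewed for anchoring. Rego's `regex.match(pattern, value)` succeeds on a match anywhere in the value, so a prefix check must carry explicit anchors (`^...$`) or it accepts any option that merely contains the expected prefix somewhere; please confirm the pattern is anchored and covered by a negative test case. The enclosing rule body starts before this hunk.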
@@ -1,15 +1,15 @@ | ||
From e60354b386c9b50ee5f3a0804be66152fe0849d7 Mon Sep 17 00:00:00 2001 | ||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 | ||
From: Leonard Cohnen <[email protected]> | ||
Date: Thu, 29 Aug 2024 03:45:24 +0200 | ||
Subject: [PATCH 5/6] genpolicy: propagate mount_options for empty dirs | ||
Subject: [PATCH] genpolicy: propagate mount_options for empty dirs | ||
|
||
In order to mount empty dirs e.g., with mount propagation "Bidirectional", we need the yaml value to the policy | ||
--- | ||
src/tools/genpolicy/src/mount_and_storage.rs | 16 +++++++++++++--- | ||
1 file changed, 13 insertions(+), 3 deletions(-) | ||
|
||
diff --git a/src/tools/genpolicy/src/mount_and_storage.rs b/src/tools/genpolicy/src/mount_and_storage.rs | ||
index 520d3a8cb..05a4521f0 100644 | ||
index ecb8bf5776ffb946bdab3b594a1f5bcb43799e84..327dd6990f8e7a275cf7561e20d2ce5cc0eeab2e 100644 | ||
--- a/src/tools/genpolicy/src/mount_and_storage.rs | ||
+++ b/src/tools/genpolicy/src/mount_and_storage.rs | ||
@@ -127,7 +127,14 @@ pub fn get_mount_and_storage( | ||
|
@@ -55,6 +55,3 @@ index 520d3a8cb..05a4521f0 100644 | |
], | ||
}); | ||
} | ||
-- | ||
2.34.1 | ||
|
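Review bot: The patch header on L309–L310 goes straight from the description to `---` with no `Signed-off-by:` trailer, unlike patches 1–4 in this series; kata-containers requires a DCO sign-off, so add `Signed-off-by: Leonard Cohnen <...>` before this can be upstreamed. The description says the emptyDir mount_options are propagated into the policy so that `Bidirectional` propagation can be expressed; since bidirectional propagation lets mounts created inside the container surface outside it, the generated policy should pin the exact propagation value taken from the YAML rather than accept it as free-form. The implementing lines in mount_and_storage.rs are outside the hunk, so this cannot be verified here.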
@@ -1,14 +1,14 @@ | ||
From 8255b303a8d1c21ed22f2d9f7166101de151a9f4 Mon Sep 17 00:00:00 2001 | ||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 | ||
From: Leonard Cohnen <[email protected]> | ||
Date: Fri, 30 Aug 2024 00:30:57 +0200 | ||
Subject: [PATCH 6/6] genpolicy: support HostToContainer mount propagation | ||
Subject: [PATCH] genpolicy: support HostToContainer mount propagation | ||
|
||
--- | ||
src/tools/genpolicy/src/mount_and_storage.rs | 5 +++-- | ||
1 file changed, 3 insertions(+), 2 deletions(-) | ||
|
||
diff --git a/src/tools/genpolicy/src/mount_and_storage.rs b/src/tools/genpolicy/src/mount_and_storage.rs | ||
index 05a4521f0..c81dc0c52 100644 | ||
index 327dd6990f8e7a275cf7561e20d2ce5cc0eeab2e..09bc89fdf7e6eb239428adbb093c9cb5962da8a7 100644 | ||
--- a/src/tools/genpolicy/src/mount_and_storage.rs | ||
+++ b/src/tools/genpolicy/src/mount_and_storage.rs | ||
@@ -108,8 +108,9 @@ pub fn get_mount_and_storage( | ||
|
@@ -23,6 +23,3 @@ index 05a4521f0..c81dc0c52 100644 | |
_ => "rprivate", | ||
}; | ||
|
||
-- | ||
2.34.1 | ||
|
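Review bot: The patch on L339–L342 has no commit body and no `Signed-off-by:` trailer; a short rationale (which Kubernetes mountPropagation values map to which OCI propagation flags, and why `HostToContainer` is needed) plus a DCO sign-off should be added before this is upstreamed. Only the `_ => "rprivate"` fallback on L355 is visible; the arm this patch adds for `HostToContainer` (presumably `rslave`) lies outside the shown lines, so the mapping itself cannot be checked here.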