kata-msft: support images with VOLUME directives (#996)
miampf authored Nov 28, 2024
1 parent c375309 commit f5a372c
Showing 13 changed files with 562 additions and 95 deletions.
13 changes: 0 additions & 13 deletions e2e/regression/testdata/mongodb.yml
Expand Up @@ -18,11 +18,6 @@ spec:
securityContext:
runAsUser: 101
image: quay.io/mongodb/mongodb-community-server@sha256:8b73733842da21b6bbb6df4d7b2449229bb3135d2ec8c6880314d88205772a11
volumeMounts:
- mountPath: /data/db
name: db
- mountPath: /data/configdb
name: configdb
ports:
- containerPort: 27017
# The memory limit is chosen to allow guest pull of the image (1.2G).
Expand All @@ -31,12 +26,4 @@ spec:
memory: 1500Mi
requests:
memory: 1500Mi
# TODO(miampf): Remove this after https://github.com/kata-containers/kata-containers/pull/10136/files is merged
volumes:
- name: db
emptyDir:
sizeLimit: 350Mi
- name: configdb
emptyDir:
sizeLimit: 10Mi
runtimeClassName: contrast-cc
8 changes: 0 additions & 8 deletions e2e/regression/testdata/prometheus.yml
Expand Up @@ -16,16 +16,8 @@ spec:
containers:
- name: prometheus
image: quay.io/prometheus/prometheus@sha256:f20d3127bf2876f4a1df76246fca576b41ddf1125ed1c546fbd8b16ea55117e6
volumeMounts:
- mountPath: /prometheus
name: prometheus
ports:
- containerPort: 9090
securityContext:
runAsUser: 65534
# TODO(miampf): Remove this after https://github.com/kata-containers/kata-containers/pull/10136/files is merged
volumes:
- name: prometheus
emptyDir:
sizeLimit: 10Mi
runtimeClassName: contrast-cc
8 changes: 0 additions & 8 deletions e2e/regression/testdata/redis.yml
Expand Up @@ -16,14 +16,6 @@ spec:
containers:
- name: redis
image: ghcr.io/edgelesssys/redis@sha256:ecb0a964c259a166a1eb62f0eb19621d42bd1cce0bc9bb0c71c828911d4ba93d
volumeMounts:
- mountPath: /data
name: data
ports:
- containerPort: 6379
# TODO(miampf): Remove this after https://github.com/kata-containers/kata-containers/pull/10136/files is merged
volumes:
- name: data
emptyDir:
sizeLimit: 10Mi
runtimeClassName: contrast-cc
@@ -1,7 +1,7 @@
From 41f26a5803fa50abf3bd0d6cfebc8106ae9dcbc8 Mon Sep 17 00:00:00 2001
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Markus Rudy <[email protected]>
Date: Thu, 23 May 2024 09:20:20 +0200
Subject: [PATCH 1/6] genpolicy: add rules and types for volumeDevices
Subject: [PATCH] genpolicy: add rules and types for volumeDevices

Signed-off-by: Markus Rudy <[email protected]>
---
Expand All @@ -14,7 +14,7 @@ Signed-off-by: Markus Rudy <[email protected]>
6 files changed, 85 insertions(+)

diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
index c3eb33461..25c16bada 100644
index c3eb334612fc0ff05c49031e7b305fd10297896a..25c16badaddea436539c9ec8b8bd210461cda615 100644
--- a/src/tools/genpolicy/rules.rego
+++ b/src/tools/genpolicy/rules.rego
@@ -54,6 +54,7 @@ default AllowRequestsFailingPolicy := false
Expand Down Expand Up @@ -75,7 +75,7 @@ index c3eb33461..25c16bada 100644
# and io.kubernetes.cri.sandbox-id" values with other fields.
allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) {
diff --git a/src/tools/genpolicy/src/agent.rs b/src/tools/genpolicy/src/agent.rs
index 19a934d81..f3f398b0e 100644
index 19a934d81995ece42a148e733b41e96474921b3a..f3f398b0ee052ba02a3b5ecae884fed646b38cc3 100644
--- a/src/tools/genpolicy/src/agent.rs
+++ b/src/tools/genpolicy/src/agent.rs
@@ -16,3 +16,12 @@ pub struct SerializedFsGroup {
Expand All @@ -92,7 +92,7 @@ index 19a934d81..f3f398b0e 100644
+ pub options: Vec<String>,
+}
diff --git a/src/tools/genpolicy/src/containerd.rs b/src/tools/genpolicy/src/containerd.rs
index 2b826a51a..075fced5b 100644
index 2b826a51a4f587e2ca45f0b304b0eed29046b104..075fced5bfec11b27e529f0b1d2dba5e6271ba82 100644
--- a/src/tools/genpolicy/src/containerd.rs
+++ b/src/tools/genpolicy/src/containerd.rs
@@ -152,12 +152,14 @@ pub fn get_linux(privileged_container: bool) -> policy::KataLinux {
Expand All @@ -111,7 +111,7 @@ index 2b826a51a..075fced5b 100644
}
}
diff --git a/src/tools/genpolicy/src/pod.rs b/src/tools/genpolicy/src/pod.rs
index 2ea8fdb9b..da2a47ee2 100644
index 2ea8fdb9be848c8c00f634ec813475ebaf3d55bb..da2a47ee2d6affc43dc9246670675e3367d73bfe 100644
--- a/src/tools/genpolicy/src/pod.rs
+++ b/src/tools/genpolicy/src/pod.rs
@@ -120,6 +120,9 @@ pub struct Container {
Expand Down Expand Up @@ -139,7 +139,7 @@ index 2ea8fdb9b..da2a47ee2 100644
#[derive(Clone, Debug, Serialize, Deserialize)]
struct ResourceRequirements {
diff --git a/src/tools/genpolicy/src/policy.rs b/src/tools/genpolicy/src/policy.rs
index baa382b76..7c1479d57 100644
index baa382b7646a11cd1fa18274801616eb36f04db6..7c1479d571dc163e4fe0bacef15cf60e8dd85920 100644
--- a/src/tools/genpolicy/src/policy.rs
+++ b/src/tools/genpolicy/src/policy.rs
@@ -198,6 +198,10 @@ pub struct KataLinux {
Expand Down Expand Up @@ -217,7 +217,7 @@ index baa382b76..7c1479d57 100644
exec_commands,
}
diff --git a/src/tools/genpolicy/src/pvc.rs b/src/tools/genpolicy/src/pvc.rs
index 0a768ed8e..61d0ce3f0 100644
index 0a768ed8e0e16965270be44f94b8d60d0eb4381c..61d0ce3f08686843ce1095e7e108636e5bd34ad9 100644
--- a/src/tools/genpolicy/src/pvc.rs
+++ b/src/tools/genpolicy/src/pvc.rs
@@ -34,6 +34,9 @@ pub struct PersistentVolumeClaimSpec {
Expand All @@ -230,6 +230,3 @@ index 0a768ed8e..61d0ce3f0 100644
// TODO: additional fields.
}

--
2.34.1

@@ -1,7 +1,7 @@
From c890911981a072a14c69d92f82ece28e5d55d7fa Mon Sep 17 00:00:00 2001
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Paul Meyer <[email protected]>
Date: Tue, 9 Jul 2024 16:07:09 +0200
Subject: [PATCH 2/6] genpolicy: add ability to filter for runtimeClassName
Subject: [PATCH] genpolicy: add ability to filter for runtimeClassName

Signed-off-by: Paul Meyer <[email protected]>
---
Expand All @@ -15,7 +15,7 @@ Signed-off-by: Paul Meyer <[email protected]>
7 files changed, 59 insertions(+), 1 deletion(-)

diff --git a/src/tools/genpolicy/src/daemon_set.rs b/src/tools/genpolicy/src/daemon_set.rs
index 5b18d96d9..90ea48597 100644
index 5b18d96d9415a99556226b50bf67b1106b393d70..90ea48597605f056250424ff0d8758017d20220f 100644
--- a/src/tools/genpolicy/src/daemon_set.rs
+++ b/src/tools/genpolicy/src/daemon_set.rs
@@ -143,4 +143,13 @@ impl yaml::K8sResource for DaemonSet {
Expand All @@ -33,7 +33,7 @@ index 5b18d96d9..90ea48597 100644
+ }
}
diff --git a/src/tools/genpolicy/src/deployment.rs b/src/tools/genpolicy/src/deployment.rs
index f1b8e8d80..890579cdf 100644
index f1b8e8d80f497d275a571125374fd77fa5490f24..890579cdfbd67cd7f5949c817dbd9391043b1cf0 100644
--- a/src/tools/genpolicy/src/deployment.rs
+++ b/src/tools/genpolicy/src/deployment.rs
@@ -141,4 +141,13 @@ impl yaml::K8sResource for Deployment {
Expand All @@ -51,7 +51,7 @@ index f1b8e8d80..890579cdf 100644
+ }
}
diff --git a/src/tools/genpolicy/src/pod.rs b/src/tools/genpolicy/src/pod.rs
index da2a47ee2..4a40c9570 100644
index da2a47ee2d6affc43dc9246670675e3367d73bfe..4a40c957042e73ba584b66bc681469458a7f18f4 100644
--- a/src/tools/genpolicy/src/pod.rs
+++ b/src/tools/genpolicy/src/pod.rs
@@ -47,7 +47,7 @@ pub struct PodSpec {
Expand All @@ -78,7 +78,7 @@ index da2a47ee2..4a40c9570 100644
if let Some(context) = &self.spec.securityContext {
if let Some(uid) = context.runAsUser {
diff --git a/src/tools/genpolicy/src/policy.rs b/src/tools/genpolicy/src/policy.rs
index 7c1479d57..a1affda77 100644
index 7c1479d571dc163e4fe0bacef15cf60e8dd85920..a1affda77ef87fb7fd09d875ec8779324b47e3fb 100644
--- a/src/tools/genpolicy/src/policy.rs
+++ b/src/tools/genpolicy/src/policy.rs
@@ -10,6 +10,7 @@ use crate::agent;
Expand Down Expand Up @@ -108,10 +108,10 @@ index 7c1479d57..a1affda77 100644

// ConfigMap and Secret documents contain additional input for policy generation.
diff --git a/src/tools/genpolicy/src/stateful_set.rs b/src/tools/genpolicy/src/stateful_set.rs
index 096cafbeb..73f0b0a30 100644
index 4c55f59ec3e88b324c25c5065d5b4c898a0db804..d25398358f526116f5b766ffba6db2e287e0f8e9 100644
--- a/src/tools/genpolicy/src/stateful_set.rs
+++ b/src/tools/genpolicy/src/stateful_set.rs
@@ -187,6 +187,15 @@ impl yaml::K8sResource for StatefulSet {
@@ -194,6 +194,15 @@ impl yaml::K8sResource for StatefulSet {
}
false
}
Expand All @@ -128,7 +128,7 @@ index 096cafbeb..73f0b0a30 100644

impl StatefulSet {
diff --git a/src/tools/genpolicy/src/utils.rs b/src/tools/genpolicy/src/utils.rs
index e45b188d4..2402c2ed2 100644
index e45b188d40a82a32547290ccdfd4a263e193e1c2..2402c2ed213e45b89c47b2b6a94d54f8d200edb1 100644
--- a/src/tools/genpolicy/src/utils.rs
+++ b/src/tools/genpolicy/src/utils.rs
@@ -72,6 +72,12 @@ struct CommandLineOptions {
Expand Down Expand Up @@ -161,7 +161,7 @@ index e45b188d4..2402c2ed2 100644
rego_rules_path: args.rego_rules_path,
json_settings_path: args.json_settings_path,
diff --git a/src/tools/genpolicy/src/yaml.rs b/src/tools/genpolicy/src/yaml.rs
index 8f06d291e..c898240af 100644
index 8f06d291e97b6955f2970b05c5987678362602eb..c898240af337f3cb7cfc34fa1398cb5a6bd828a5 100644
--- a/src/tools/genpolicy/src/yaml.rs
+++ b/src/tools/genpolicy/src/yaml.rs
@@ -75,6 +75,10 @@ pub trait K8sResource {
Expand All @@ -175,6 +175,3 @@ index 8f06d291e..c898240af 100644
}

/// See Reference / Kubernetes API / Common Definitions / LabelSelector.
--
2.34.1

@@ -1,7 +1,7 @@
From cf495b76fe64e56b3c18a7175cb4e01d27d02dc7 Mon Sep 17 00:00:00 2001
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Paul Meyer <[email protected]>
Date: Tue, 9 Jul 2024 16:14:46 +0200
Subject: [PATCH 3/6] genpolicy: allow specifying layer cache file
Subject: [PATCH] genpolicy: allow specifying layer cache file

Add --layers-cache-file-path flag to allow the user to
specify where the cache file for the container layers
Expand All @@ -23,7 +23,7 @@ Signed-off-by: Paul Meyer <[email protected]>
3 files changed, 52 insertions(+), 26 deletions(-)

diff --git a/src/tools/genpolicy/src/registry.rs b/src/tools/genpolicy/src/registry.rs
index 97e35ee60..b212eeb8b 100644
index 97e35ee601beed99929e36661dadfd6ed15dfc5f..b212eeb8bca209d9916249fe8e01351f5943823c 100644
--- a/src/tools/genpolicy/src/registry.rs
+++ b/src/tools/genpolicy/src/registry.rs
@@ -66,7 +66,7 @@ pub struct ImageLayer {
Expand Down Expand Up @@ -130,7 +130,7 @@ index 97e35ee60..b212eeb8b 100644

#[cfg(target_os = "windows")]
diff --git a/src/tools/genpolicy/src/registry_containerd.rs b/src/tools/genpolicy/src/registry_containerd.rs
index fcc51ad78..333a4dd33 100644
index fcc51ad783afb392e706e92a63efed0fe3f416a1..333a4dd33032c4842e70d5e618b4660fa2ffb6c5 100644
--- a/src/tools/genpolicy/src/registry_containerd.rs
+++ b/src/tools/genpolicy/src/registry_containerd.rs
@@ -28,7 +28,7 @@ use tower::service_fn;
Expand Down Expand Up @@ -219,7 +219,7 @@ index fcc51ad78..333a4dd33 100644
warn!("{error_message}");
}
diff --git a/src/tools/genpolicy/src/utils.rs b/src/tools/genpolicy/src/utils.rs
index 2402c2ed2..7579d74bf 100644
index 2402c2ed213e45b89c47b2b6a94d54f8d200edb1..7579d74bf5a488bf6f577949862e6f976fa14ac5 100644
--- a/src/tools/genpolicy/src/utils.rs
+++ b/src/tools/genpolicy/src/utils.rs
@@ -78,6 +78,14 @@ struct CommandLineOptions {
Expand Down Expand Up @@ -266,6 +266,3 @@ index 2402c2ed2..7579d74bf 100644
version: args.version,
}
}
--
2.34.1

@@ -1,15 +1,15 @@
From 3b444c242de3bc130f0cf73d1a89ab540690c9f0 Mon Sep 17 00:00:00 2001
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Paul Meyer <[email protected]>
Date: Thu, 11 Jul 2024 12:05:00 +0200
Subject: [PATCH 4/6] genpolicy: regex check contrast specific layer-src-prefix
Subject: [PATCH] genpolicy: regex check contrast specific layer-src-prefix

Signed-off-by: Paul Meyer <[email protected]>
---
src/tools/genpolicy/rules.rego | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
index 25c16bada..d933b928d 100644
index 25c16badaddea436539c9ec8b8bd210461cda615..d933b928d21b549ef7c315a9e0c5cbb4bbbe88b3 100644
--- a/src/tools/genpolicy/rules.rego
+++ b/src/tools/genpolicy/rules.rego
@@ -887,7 +887,7 @@ allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) {
Expand All @@ -21,6 +21,3 @@ index 25c16bada..d933b928d 100644

print("allow_storage_options 2: i_storage.options[i_count - 2] =", i_storage.options[i_count - 2])
i_storage.options[i_count - 2] == "io.katacontainers.fs-opt.overlay-rw"
--
2.34.1

@@ -1,15 +1,15 @@
From e60354b386c9b50ee5f3a0804be66152fe0849d7 Mon Sep 17 00:00:00 2001
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Leonard Cohnen <[email protected]>
Date: Thu, 29 Aug 2024 03:45:24 +0200
Subject: [PATCH 5/6] genpolicy: propagate mount_options for empty dirs
Subject: [PATCH] genpolicy: propagate mount_options for empty dirs

In order to mount empty dirs e.g., with mount propagation "Bidirectional", we need the yaml value to the policy
---
src/tools/genpolicy/src/mount_and_storage.rs | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/src/tools/genpolicy/src/mount_and_storage.rs b/src/tools/genpolicy/src/mount_and_storage.rs
index 520d3a8cb..05a4521f0 100644
index ecb8bf5776ffb946bdab3b594a1f5bcb43799e84..327dd6990f8e7a275cf7561e20d2ce5cc0eeab2e 100644
--- a/src/tools/genpolicy/src/mount_and_storage.rs
+++ b/src/tools/genpolicy/src/mount_and_storage.rs
@@ -127,7 +127,14 @@ pub fn get_mount_and_storage(
Expand Down Expand Up @@ -55,6 +55,3 @@ index 520d3a8cb..05a4521f0 100644
],
});
}
--
2.34.1

@@ -1,14 +1,14 @@
From 8255b303a8d1c21ed22f2d9f7166101de151a9f4 Mon Sep 17 00:00:00 2001
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Leonard Cohnen <[email protected]>
Date: Fri, 30 Aug 2024 00:30:57 +0200
Subject: [PATCH 6/6] genpolicy: support HostToContainer mount propagation
Subject: [PATCH] genpolicy: support HostToContainer mount propagation

---
src/tools/genpolicy/src/mount_and_storage.rs | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/tools/genpolicy/src/mount_and_storage.rs b/src/tools/genpolicy/src/mount_and_storage.rs
index 05a4521f0..c81dc0c52 100644
index 327dd6990f8e7a275cf7561e20d2ce5cc0eeab2e..09bc89fdf7e6eb239428adbb093c9cb5962da8a7 100644
--- a/src/tools/genpolicy/src/mount_and_storage.rs
+++ b/src/tools/genpolicy/src/mount_and_storage.rs
@@ -108,8 +108,9 @@ pub fn get_mount_and_storage(
Expand All @@ -23,6 +23,3 @@ index 05a4521f0..c81dc0c52 100644
_ => "rprivate",
};

--
2.34.1

