From f5a372c64784e289547f298b4553e4a644ee99b7 Mon Sep 17 00:00:00 2001 From: miampf Date: Thu, 28 Nov 2024 12:02:08 +0100 Subject: [PATCH] kata-msft: support images with VOLUME directives (#996) --- e2e/regression/testdata/mongodb.yml | 13 - e2e/regression/testdata/prometheus.yml | 8 - e2e/regression/testdata/redis.yml | 8 - ...dd-rules-and-types-for-volumeDevices.patch | 19 +- ...ility-to-filter-for-runtimeClassName.patch | 23 +- ...cy-allow-specifying-layer-cache-file.patch | 13 +- ...check-contrast-specific-layer-src-pr.patch | 9 +- ...opagate-mount_options-for-empty-dirs.patch | 9 +- ...rt-HostToContainer-mount-propagation.patch | 9 +- ...t-for-VOLUME-definition-in-container.patch | 519 ++++++++++++++++++ .../genpolicy_msft_settings_coordinator.patch | 11 +- .../genpolicy_msft_settings_dev.patch | 12 +- .../by-name/microsoft/genpolicy/package.nix | 4 + 13 files changed, 562 insertions(+), 95 deletions(-) create mode 100644 packages/by-name/microsoft/genpolicy/0007-genpolicy-support-for-VOLUME-definition-in-container.patch diff --git a/e2e/regression/testdata/mongodb.yml b/e2e/regression/testdata/mongodb.yml index a5c9a470ad..338caae255 100644 --- a/e2e/regression/testdata/mongodb.yml +++ b/e2e/regression/testdata/mongodb.yml @@ -18,11 +18,6 @@ spec: securityContext: runAsUser: 101 image: quay.io/mongodb/mongodb-community-server@sha256:8b73733842da21b6bbb6df4d7b2449229bb3135d2ec8c6880314d88205772a11 - volumeMounts: - - mountPath: /data/db - name: db - - mountPath: /data/configdb - name: configdb ports: - containerPort: 27017 # The memory limit is chosen to allow guest pull of the image (1.2G). @@ -31,12 +26,4 @@ spec: memory: 1500Mi requests: memory: 1500Mi - # TODO(miampf): Remove this after https://github.com/kata-containers/kata-containers/pull/10136/files is merged - volumes: - - name: db - emptyDir: - sizeLimit: 350Mi - - name: configdb - emptyDir: - sizeLimit: 10Mi runtimeClassName: contrast-cc 
diff --git a/e2e/regression/testdata/prometheus.yml b/e2e/regression/testdata/prometheus.yml index 91d9ae4ffc..b9a2cc15a9 100644 --- a/e2e/regression/testdata/prometheus.yml +++ b/e2e/regression/testdata/prometheus.yml @@ -16,16 +16,8 @@ spec: containers: - name: prometheus image: quay.io/prometheus/prometheus@sha256:f20d3127bf2876f4a1df76246fca576b41ddf1125ed1c546fbd8b16ea55117e6 - volumeMounts: - - mountPath: /prometheus - name: prometheus ports: - containerPort: 9090 securityContext: runAsUser: 65534 - # TODO(miampf): Remove this after https://github.com/kata-containers/kata-containers/pull/10136/files is merged - volumes: - - name: prometheus - emptyDir: - sizeLimit: 10Mi runtimeClassName: contrast-cc diff --git a/e2e/regression/testdata/redis.yml b/e2e/regression/testdata/redis.yml index 403ba6d649..c6e7de2f49 100644 --- a/e2e/regression/testdata/redis.yml +++ b/e2e/regression/testdata/redis.yml @@ -16,14 +16,6 @@ spec: containers: - name: redis image: ghcr.io/edgelesssys/redis@sha256:ecb0a964c259a166a1eb62f0eb19621d42bd1cce0bc9bb0c71c828911d4ba93d - volumeMounts: - - mountPath: /data - name: data ports: - containerPort: 6379 - # TODO(miampf): Remove this after https://github.com/kata-containers/kata-containers/pull/10136/files is merged - volumes: - - name: data - emptyDir: - sizeLimit: 10Mi runtimeClassName: contrast-cc diff --git a/packages/by-name/microsoft/genpolicy/0001-genpolicy-add-rules-and-types-for-volumeDevices.patch b/packages/by-name/microsoft/genpolicy/0001-genpolicy-add-rules-and-types-for-volumeDevices.patch index a4e909b7b0..9cafb0e877 100644 --- a/packages/by-name/microsoft/genpolicy/0001-genpolicy-add-rules-and-types-for-volumeDevices.patch +++ b/packages/by-name/microsoft/genpolicy/0001-genpolicy-add-rules-and-types-for-volumeDevices.patch @@ -1,7 +1,7 @@ -From 41f26a5803fa50abf3bd0d6cfebc8106ae9dcbc8 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 
From: Markus Rudy Date: Thu, 23 May 2024 09:20:20 +0200 -Subject: [PATCH 1/6] genpolicy: add rules and types for volumeDevices +Subject: [PATCH] genpolicy: add rules and types for volumeDevices Signed-off-by: Markus Rudy --- @@ -14,7 +14,7 @@ Signed-off-by: Markus Rudy 6 files changed, 85 insertions(+) diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego -index c3eb33461..25c16bada 100644 +index c3eb334612fc0ff05c49031e7b305fd10297896a..25c16badaddea436539c9ec8b8bd210461cda615 100644 --- a/src/tools/genpolicy/rules.rego +++ b/src/tools/genpolicy/rules.rego @@ -54,6 +54,7 @@ default AllowRequestsFailingPolicy := false @@ -75,7 +75,7 @@ index c3eb33461..25c16bada 100644 # and io.kubernetes.cri.sandbox-id" values with other fields. allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) { diff --git a/src/tools/genpolicy/src/agent.rs b/src/tools/genpolicy/src/agent.rs -index 19a934d81..f3f398b0e 100644 +index 19a934d81995ece42a148e733b41e96474921b3a..f3f398b0ee052ba02a3b5ecae884fed646b38cc3 100644 --- a/src/tools/genpolicy/src/agent.rs +++ b/src/tools/genpolicy/src/agent.rs @@ -16,3 +16,12 @@ pub struct SerializedFsGroup { @@ -92,7 +92,7 @@ index 19a934d81..f3f398b0e 100644 + pub options: Vec, +} diff --git a/src/tools/genpolicy/src/containerd.rs b/src/tools/genpolicy/src/containerd.rs -index 2b826a51a..075fced5b 100644 +index 2b826a51a4f587e2ca45f0b304b0eed29046b104..075fced5bfec11b27e529f0b1d2dba5e6271ba82 100644 --- a/src/tools/genpolicy/src/containerd.rs +++ b/src/tools/genpolicy/src/containerd.rs @@ -152,12 +152,14 @@ pub fn get_linux(privileged_container: bool) -> policy::KataLinux { @@ -111,7 +111,7 @@ index 2b826a51a..075fced5b 100644 } } diff --git a/src/tools/genpolicy/src/pod.rs b/src/tools/genpolicy/src/pod.rs -index 2ea8fdb9b..da2a47ee2 100644 +index 2ea8fdb9be848c8c00f634ec813475ebaf3d55bb..da2a47ee2d6affc43dc9246670675e3367d73bfe 100644 --- a/src/tools/genpolicy/src/pod.rs +++ b/src/tools/genpolicy/src/pod.rs 
@@ -120,6 +120,9 @@ pub struct Container { @@ -139,7 +139,7 @@ index 2ea8fdb9b..da2a47ee2 100644 #[derive(Clone, Debug, Serialize, Deserialize)] struct ResourceRequirements { diff --git a/src/tools/genpolicy/src/policy.rs b/src/tools/genpolicy/src/policy.rs -index baa382b76..7c1479d57 100644 +index baa382b7646a11cd1fa18274801616eb36f04db6..7c1479d571dc163e4fe0bacef15cf60e8dd85920 100644 --- a/src/tools/genpolicy/src/policy.rs +++ b/src/tools/genpolicy/src/policy.rs @@ -198,6 +198,10 @@ pub struct KataLinux { @@ -217,7 +217,7 @@ index baa382b76..7c1479d57 100644 exec_commands, } diff --git a/src/tools/genpolicy/src/pvc.rs b/src/tools/genpolicy/src/pvc.rs -index 0a768ed8e..61d0ce3f0 100644 +index 0a768ed8e0e16965270be44f94b8d60d0eb4381c..61d0ce3f08686843ce1095e7e108636e5bd34ad9 100644 --- a/src/tools/genpolicy/src/pvc.rs +++ b/src/tools/genpolicy/src/pvc.rs @@ -34,6 +34,9 @@ pub struct PersistentVolumeClaimSpec { @@ -230,6 +230,3 @@ index 0a768ed8e..61d0ce3f0 100644 // TODO: additional fields. } --- -2.34.1 - diff --git a/packages/by-name/microsoft/genpolicy/0002-genpolicy-add-ability-to-filter-for-runtimeClassName.patch b/packages/by-name/microsoft/genpolicy/0002-genpolicy-add-ability-to-filter-for-runtimeClassName.patch index 72956c23bc..18b6c3b0ae 100644 --- a/packages/by-name/microsoft/genpolicy/0002-genpolicy-add-ability-to-filter-for-runtimeClassName.patch +++ b/packages/by-name/microsoft/genpolicy/0002-genpolicy-add-ability-to-filter-for-runtimeClassName.patch @@ -1,7 +1,7 @@ -From c890911981a072a14c69d92f82ece28e5d55d7fa Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Paul Meyer <49727155+katexochen@users.noreply.github.com> Date: Tue, 9 Jul 2024 16:07:09 +0200 -Subject: [PATCH 2/6] genpolicy: add ability to filter for runtimeClassName +Subject: [PATCH] genpolicy: add ability to filter for runtimeClassName Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> --- @@ -15,7 +15,7 @@ 
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> 7 files changed, 59 insertions(+), 1 deletion(-) diff --git a/src/tools/genpolicy/src/daemon_set.rs b/src/tools/genpolicy/src/daemon_set.rs -index 5b18d96d9..90ea48597 100644 +index 5b18d96d9415a99556226b50bf67b1106b393d70..90ea48597605f056250424ff0d8758017d20220f 100644 --- a/src/tools/genpolicy/src/daemon_set.rs +++ b/src/tools/genpolicy/src/daemon_set.rs @@ -143,4 +143,13 @@ impl yaml::K8sResource for DaemonSet { @@ -33,7 +33,7 @@ index 5b18d96d9..90ea48597 100644 + } } diff --git a/src/tools/genpolicy/src/deployment.rs b/src/tools/genpolicy/src/deployment.rs -index f1b8e8d80..890579cdf 100644 +index f1b8e8d80f497d275a571125374fd77fa5490f24..890579cdfbd67cd7f5949c817dbd9391043b1cf0 100644 --- a/src/tools/genpolicy/src/deployment.rs +++ b/src/tools/genpolicy/src/deployment.rs @@ -141,4 +141,13 @@ impl yaml::K8sResource for Deployment { @@ -51,7 +51,7 @@ index f1b8e8d80..890579cdf 100644 + } } diff --git a/src/tools/genpolicy/src/pod.rs b/src/tools/genpolicy/src/pod.rs -index da2a47ee2..4a40c9570 100644 +index da2a47ee2d6affc43dc9246670675e3367d73bfe..4a40c957042e73ba584b66bc681469458a7f18f4 100644 --- a/src/tools/genpolicy/src/pod.rs +++ b/src/tools/genpolicy/src/pod.rs @@ -47,7 +47,7 @@ pub struct PodSpec { @@ -78,7 +78,7 @@ index da2a47ee2..4a40c9570 100644 if let Some(context) = &self.spec.securityContext { if let Some(uid) = context.runAsUser { diff --git a/src/tools/genpolicy/src/policy.rs b/src/tools/genpolicy/src/policy.rs -index 7c1479d57..a1affda77 100644 +index 7c1479d571dc163e4fe0bacef15cf60e8dd85920..a1affda77ef87fb7fd09d875ec8779324b47e3fb 100644 --- a/src/tools/genpolicy/src/policy.rs +++ b/src/tools/genpolicy/src/policy.rs @@ -10,6 +10,7 @@ use crate::agent; @@ -108,10 +108,10 @@ index 7c1479d57..a1affda77 100644 // ConfigMap and Secret documents contain additional input for policy generation. 
diff --git a/src/tools/genpolicy/src/stateful_set.rs b/src/tools/genpolicy/src/stateful_set.rs -index 096cafbeb..73f0b0a30 100644 +index 4c55f59ec3e88b324c25c5065d5b4c898a0db804..d25398358f526116f5b766ffba6db2e287e0f8e9 100644 --- a/src/tools/genpolicy/src/stateful_set.rs +++ b/src/tools/genpolicy/src/stateful_set.rs -@@ -187,6 +187,15 @@ impl yaml::K8sResource for StatefulSet { +@@ -194,6 +194,15 @@ impl yaml::K8sResource for StatefulSet { } false } @@ -128,7 +128,7 @@ index 096cafbeb..73f0b0a30 100644 impl StatefulSet { diff --git a/src/tools/genpolicy/src/utils.rs b/src/tools/genpolicy/src/utils.rs -index e45b188d4..2402c2ed2 100644 +index e45b188d40a82a32547290ccdfd4a263e193e1c2..2402c2ed213e45b89c47b2b6a94d54f8d200edb1 100644 --- a/src/tools/genpolicy/src/utils.rs +++ b/src/tools/genpolicy/src/utils.rs @@ -72,6 +72,12 @@ struct CommandLineOptions { @@ -161,7 +161,7 @@ index e45b188d4..2402c2ed2 100644 rego_rules_path: args.rego_rules_path, json_settings_path: args.json_settings_path, diff --git a/src/tools/genpolicy/src/yaml.rs b/src/tools/genpolicy/src/yaml.rs -index 8f06d291e..c898240af 100644 +index 8f06d291e97b6955f2970b05c5987678362602eb..c898240af337f3cb7cfc34fa1398cb5a6bd828a5 100644 --- a/src/tools/genpolicy/src/yaml.rs +++ b/src/tools/genpolicy/src/yaml.rs @@ -75,6 +75,10 @@ pub trait K8sResource { @@ -175,6 +175,3 @@ index 8f06d291e..c898240af 100644 } /// See Reference / Kubernetes API / Common Definitions / LabelSelector. --- -2.34.1 - diff --git a/packages/by-name/microsoft/genpolicy/0003-genpolicy-allow-specifying-layer-cache-file.patch b/packages/by-name/microsoft/genpolicy/0003-genpolicy-allow-specifying-layer-cache-file.patch index b25c9fc8e8..35accfdf71 100644 --- a/packages/by-name/microsoft/genpolicy/0003-genpolicy-allow-specifying-layer-cache-file.patch +++ b/packages/by-name/microsoft/genpolicy/0003-genpolicy-allow-specifying-layer-cache-file.patch 
@@ -1,7 +1,7 @@ -From cf495b76fe64e56b3c18a7175cb4e01d27d02dc7 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Paul Meyer <49727155+katexochen@users.noreply.github.com> Date: Tue, 9 Jul 2024 16:14:46 +0200 -Subject: [PATCH 3/6] genpolicy: allow specifying layer cache file +Subject: [PATCH] genpolicy: allow specifying layer cache file Add --layers-cache-file-path flag to allow the user to specify where the cache file for the container layers @@ -23,7 +23,7 @@ Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> 3 files changed, 52 insertions(+), 26 deletions(-) diff --git a/src/tools/genpolicy/src/registry.rs b/src/tools/genpolicy/src/registry.rs -index 97e35ee60..b212eeb8b 100644 +index 97e35ee601beed99929e36661dadfd6ed15dfc5f..b212eeb8bca209d9916249fe8e01351f5943823c 100644 --- a/src/tools/genpolicy/src/registry.rs +++ b/src/tools/genpolicy/src/registry.rs @@ -66,7 +66,7 @@ pub struct ImageLayer { @@ -130,7 +130,7 @@ index 97e35ee60..b212eeb8b 100644 #[cfg(target_os = "windows")] diff --git a/src/tools/genpolicy/src/registry_containerd.rs b/src/tools/genpolicy/src/registry_containerd.rs -index fcc51ad78..333a4dd33 100644 +index fcc51ad783afb392e706e92a63efed0fe3f416a1..333a4dd33032c4842e70d5e618b4660fa2ffb6c5 100644 --- a/src/tools/genpolicy/src/registry_containerd.rs +++ b/src/tools/genpolicy/src/registry_containerd.rs @@ -28,7 +28,7 @@ use tower::service_fn; @@ -219,7 +219,7 @@ index fcc51ad78..333a4dd33 100644 warn!("{error_message}"); } diff --git a/src/tools/genpolicy/src/utils.rs b/src/tools/genpolicy/src/utils.rs -index 2402c2ed2..7579d74bf 100644 +index 2402c2ed213e45b89c47b2b6a94d54f8d200edb1..7579d74bf5a488bf6f577949862e6f976fa14ac5 100644 --- a/src/tools/genpolicy/src/utils.rs +++ b/src/tools/genpolicy/src/utils.rs @@ -78,6 +78,14 @@ struct CommandLineOptions { @@ -266,6 +266,3 @@ index 2402c2ed2..7579d74bf 100644 version: args.version, } } --- -2.34.1 - 
diff --git a/packages/by-name/microsoft/genpolicy/0004-genpolicy-regex-check-contrast-specific-layer-src-pr.patch b/packages/by-name/microsoft/genpolicy/0004-genpolicy-regex-check-contrast-specific-layer-src-pr.patch index 01441a2358..a696338291 100644 --- a/packages/by-name/microsoft/genpolicy/0004-genpolicy-regex-check-contrast-specific-layer-src-pr.patch +++ b/packages/by-name/microsoft/genpolicy/0004-genpolicy-regex-check-contrast-specific-layer-src-pr.patch @@ -1,7 +1,7 @@ -From 3b444c242de3bc130f0cf73d1a89ab540690c9f0 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Paul Meyer <49727155+katexochen@users.noreply.github.com> Date: Thu, 11 Jul 2024 12:05:00 +0200 -Subject: [PATCH 4/6] genpolicy: regex check contrast specific layer-src-prefix +Subject: [PATCH] genpolicy: regex check contrast specific layer-src-prefix Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> --- @@ -9,7 +9,7 @@ Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego -index 25c16bada..d933b928d 100644 +index 25c16badaddea436539c9ec8b8bd210461cda615..d933b928d21b549ef7c315a9e0c5cbb4bbbe88b3 100644 --- a/src/tools/genpolicy/rules.rego +++ b/src/tools/genpolicy/rules.rego @@ -887,7 +887,7 @@ allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) { @@ -21,6 +21,3 @@ index 25c16bada..d933b928d 100644 print("allow_storage_options 2: i_storage.options[i_count - 2] =", i_storage.options[i_count - 2]) i_storage.options[i_count - 2] == "io.katacontainers.fs-opt.overlay-rw" --- -2.34.1 - diff --git a/packages/by-name/microsoft/genpolicy/0005-genpolicy-propagate-mount_options-for-empty-dirs.patch b/packages/by-name/microsoft/genpolicy/0005-genpolicy-propagate-mount_options-for-empty-dirs.patch index eb90b5c8c1..b8c24803f3 100644 
--- a/packages/by-name/microsoft/genpolicy/0005-genpolicy-propagate-mount_options-for-empty-dirs.patch +++ b/packages/by-name/microsoft/genpolicy/0005-genpolicy-propagate-mount_options-for-empty-dirs.patch @@ -1,7 +1,7 @@ -From e60354b386c9b50ee5f3a0804be66152fe0849d7 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Leonard Cohnen Date: Thu, 29 Aug 2024 03:45:24 +0200 -Subject: [PATCH 5/6] genpolicy: propagate mount_options for empty dirs +Subject: [PATCH] genpolicy: propagate mount_options for empty dirs In order to mount empty dirs e.g., with mount propagation "Bidirectional", we need the yaml value to the policy --- @@ -9,7 +9,7 @@ In order to mount empty dirs e.g., with mount propagation "Bidirectional", we ne 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/src/tools/genpolicy/src/mount_and_storage.rs b/src/tools/genpolicy/src/mount_and_storage.rs -index 520d3a8cb..05a4521f0 100644 +index ecb8bf5776ffb946bdab3b594a1f5bcb43799e84..327dd6990f8e7a275cf7561e20d2ce5cc0eeab2e 100644 --- a/src/tools/genpolicy/src/mount_and_storage.rs +++ b/src/tools/genpolicy/src/mount_and_storage.rs @@ -127,7 +127,14 @@ pub fn get_mount_and_storage( @@ -55,6 +55,3 @@ index 520d3a8cb..05a4521f0 100644 ], }); } --- -2.34.1 - diff --git a/packages/by-name/microsoft/genpolicy/0006-genpolicy-support-HostToContainer-mount-propagation.patch b/packages/by-name/microsoft/genpolicy/0006-genpolicy-support-HostToContainer-mount-propagation.patch index 57a71ce381..6bc7b9b22d 100644 --- a/packages/by-name/microsoft/genpolicy/0006-genpolicy-support-HostToContainer-mount-propagation.patch +++ b/packages/by-name/microsoft/genpolicy/0006-genpolicy-support-HostToContainer-mount-propagation.patch @@ -1,14 +1,14 @@ -From 8255b303a8d1c21ed22f2d9f7166101de151a9f4 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 
From: Leonard Cohnen Date: Fri, 30 Aug 2024 00:30:57 +0200 -Subject: [PATCH 6/6] genpolicy: support HostToContainer mount propagation +Subject: [PATCH] genpolicy: support HostToContainer mount propagation --- src/tools/genpolicy/src/mount_and_storage.rs | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/tools/genpolicy/src/mount_and_storage.rs b/src/tools/genpolicy/src/mount_and_storage.rs -index 05a4521f0..c81dc0c52 100644 +index 327dd6990f8e7a275cf7561e20d2ce5cc0eeab2e..09bc89fdf7e6eb239428adbb093c9cb5962da8a7 100644 --- a/src/tools/genpolicy/src/mount_and_storage.rs +++ b/src/tools/genpolicy/src/mount_and_storage.rs @@ -108,8 +108,9 @@ pub fn get_mount_and_storage( @@ -23,6 +23,3 @@ index 05a4521f0..c81dc0c52 100644 _ => "rprivate", }; --- -2.34.1 - diff --git a/packages/by-name/microsoft/genpolicy/0007-genpolicy-support-for-VOLUME-definition-in-container.patch b/packages/by-name/microsoft/genpolicy/0007-genpolicy-support-for-VOLUME-definition-in-container.patch new file mode 100644 index 0000000000..a066ef4271 --- /dev/null +++ b/packages/by-name/microsoft/genpolicy/0007-genpolicy-support-for-VOLUME-definition-in-container.patch 
@@ -0,0 +1,519 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: miampf +Date: Tue, 26 Nov 2024 11:29:14 +0100 +Subject: [PATCH] genpolicy: support for VOLUME definition in container image + +--- + src/tools/genpolicy/genpolicy-settings.json | 14 +++++- + src/tools/genpolicy/src/daemon_set.rs | 18 ++++--- + src/tools/genpolicy/src/deployment.rs | 18 ++++--- + src/tools/genpolicy/src/job.rs | 18 ++++--- + src/tools/genpolicy/src/mount_and_storage.rs | 48 +++++++++++++++++++ + src/tools/genpolicy/src/pod.rs | 18 ++++--- + src/tools/genpolicy/src/registry.rs | 21 ++++++-- + .../genpolicy/src/registry_containerd.rs | 4 +- + src/tools/genpolicy/src/replica_set.rs | 18 ++++--- + .../genpolicy/src/replication_controller.rs | 18 ++++--- + src/tools/genpolicy/src/settings.rs | 12 +++++ + src/tools/genpolicy/src/stateful_set.rs | 20 ++++---- + src/tools/genpolicy/src/yaml.rs | 43 ++++++++++++----- + 13 files changed, 181 insertions(+), 89 deletions(-) + +diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json +index 7d35862afa73e9f4c9004189d3ec50ebd3e8855d..fd998a41be8978b85928d12101c7ff4fdc38e4eb 100644 +--- a/src/tools/genpolicy/genpolicy-settings.json ++++ b/src/tools/genpolicy/genpolicy-settings.json +@@ -178,6 +178,18 @@ + "rprivate", + "ro" + ] ++ }, ++ "image_volume": { ++ "mount_type": "bind", ++ "mount_source": "$(sfprefix)", ++ "driver": "local", ++ "source": "local", ++ "fstype": "bind", ++ "options": [ ++ "rbind", ++ "rprivate", ++ "rw" ++ ] + } + }, + "mount_destinations": [ +@@ -322,4 +334,4 @@ + "UpdateEphemeralMountsRequest": false, + "WriteStreamRequest": false + } +-} +\ No newline at end of file ++} +diff --git a/src/tools/genpolicy/src/daemon_set.rs b/src/tools/genpolicy/src/daemon_set.rs +index 90ea48597605f056250424ff0d8758017d20220f..d5a159c318f65339a9044a85a08bfae91f839e01 100644 +--- a/src/tools/genpolicy/src/daemon_set.rs ++++ b/src/tools/genpolicy/src/daemon_set.rs +@@ 
-98,16 +98,14 @@ impl yaml::K8sResource for DaemonSet { + container: &pod::Container, + settings: &settings::Settings, + ) { +- if let Some(volumes) = &self.spec.template.spec.volumes { +- yaml::get_container_mounts_and_storages( +- policy_mounts, +- storages, +- persistent_volume_claims, +- container, +- settings, +- volumes, +- ) +- } ++ yaml::get_container_mounts_and_storages( ++ policy_mounts, ++ storages, ++ persistent_volume_claims, ++ container, ++ settings, ++ &self.spec.template.spec.volumes, ++ ); + } + + fn generate_policy(&self, agent_policy: &policy::AgentPolicy) -> String { +diff --git a/src/tools/genpolicy/src/deployment.rs b/src/tools/genpolicy/src/deployment.rs +index 890579cdfbd67cd7f5949c817dbd9391043b1cf0..65db6937e874ce13d655498b441e5c71913fca97 100644 +--- a/src/tools/genpolicy/src/deployment.rs ++++ b/src/tools/genpolicy/src/deployment.rs +@@ -96,16 +96,14 @@ impl yaml::K8sResource for Deployment { + container: &pod::Container, + settings: &settings::Settings, + ) { +- if let Some(volumes) = &self.spec.template.spec.volumes { +- yaml::get_container_mounts_and_storages( +- policy_mounts, +- storages, +- persistent_volume_claims, +- container, +- settings, +- volumes, +- ); +- } ++ yaml::get_container_mounts_and_storages( ++ policy_mounts, ++ storages, ++ persistent_volume_claims, ++ container, ++ settings, ++ &self.spec.template.spec.volumes, ++ ); + } + + fn generate_policy(&self, agent_policy: &policy::AgentPolicy) -> String { +diff --git a/src/tools/genpolicy/src/job.rs b/src/tools/genpolicy/src/job.rs +index bca1463017bb7359fb59d1ebbf1ae801c0f17190..32c1048f6b979b38e598169892c75adbb725a983 100644 +--- a/src/tools/genpolicy/src/job.rs ++++ b/src/tools/genpolicy/src/job.rs +@@ -70,16 +70,14 @@ impl yaml::K8sResource for Job { + container: &pod::Container, + settings: &settings::Settings, + ) { +- if let Some(volumes) = &self.spec.template.spec.volumes { +- yaml::get_container_mounts_and_storages( +- policy_mounts, +- storages, +- 
persistent_volume_claims, +- container, +- settings, +- volumes, +- ); +- } ++ yaml::get_container_mounts_and_storages( ++ policy_mounts, ++ storages, ++ persistent_volume_claims, ++ container, ++ settings, ++ &self.spec.template.spec.volumes, ++ ); + } + + fn generate_policy(&self, agent_policy: &policy::AgentPolicy) -> String { +diff --git a/src/tools/genpolicy/src/mount_and_storage.rs b/src/tools/genpolicy/src/mount_and_storage.rs +index 09bc89fdf7e6eb239428adbb093c9cb5962da8a7..070824f1fabce743e69f6822e70dc1aed0811cda 100644 +--- a/src/tools/genpolicy/src/mount_and_storage.rs ++++ b/src/tools/genpolicy/src/mount_and_storage.rs +@@ -108,6 +108,10 @@ pub fn get_mount_and_storage( + yaml_volume: &volume::Volume, + yaml_mount: &pod::VolumeMount, + ) { ++ debug!( ++ "get_mount_and_storage: adding mount and storage for: {:?}", ++ &yaml_volume ++ ); + let propagation = match yaml_mount.mountPropagation.as_deref() { + Some("Bidirectional") => "rshared", + Some("HostToContainer") => "rslave", +@@ -422,6 +426,50 @@ fn get_downward_api_mount(yaml_mount: &pod::VolumeMount, p_mounts: &mut Vec, ++ storages: &mut Vec, ++ destination: &str, ++) { ++ // https://github.com/kubernetes/examples/blob/master/cassandra/image/Dockerfile ++ // has a volume mount starting with two '/' characters: ++ // ++ // CASSANDRA_DATA=/cassandra_data ++ // VOLUME ["/$CASSANDRA_DATA"] ++ let mut destination_string = destination.to_string(); ++ while destination_string.contains("//") { ++ destination_string = destination_string.replace("//", "/"); ++ } ++ debug!("get_image_mount_and_storage: image dest = {destination}, dest = {destination_string}"); ++ ++ for mount in &mut *p_mounts { ++ if mount.destination == destination_string { ++ debug!( ++ "get_image_mount_and_storage: mount {destination_string} already defined by YAML" ++ ); ++ return; ++ } ++ } ++ ++ let settings_image = &settings.volumes.image_volume; ++ debug!( ++ "get_image_mount_and_storage: settings for container image volumes: {:?}", ++ 
settings_image ++ ); ++ ++ let file_name = Path::new(&destination_string).file_name().unwrap(); ++ let name = OsString::from(file_name).into_string().unwrap(); ++ let source = format!("{}{name}$", &settings_image.mount_source); ++ ++ p_mounts.push(policy::KataMount { ++ destination: destination_string, ++ type_: settings_image.fstype.clone(), ++ source, ++ options: settings_image.options.clone(), ++ }); ++} ++ + fn get_ephemeral_mount( + settings: &settings::Settings, + yaml_mount: &pod::VolumeMount, +diff --git a/src/tools/genpolicy/src/pod.rs b/src/tools/genpolicy/src/pod.rs +index 4a40c957042e73ba584b66bc681469458a7f18f4..f5bf61bec420ed7ee642818e10ecdca80f710ad8 100644 +--- a/src/tools/genpolicy/src/pod.rs ++++ b/src/tools/genpolicy/src/pod.rs +@@ -846,16 +846,14 @@ impl yaml::K8sResource for Pod { + container: &Container, + settings: &settings::Settings, + ) { +- if let Some(volumes) = &self.spec.volumes { +- yaml::get_container_mounts_and_storages( +- policy_mounts, +- storages, +- persistent_volume_claims, +- container, +- settings, +- volumes, +- ); +- } ++ yaml::get_container_mounts_and_storages( ++ policy_mounts, ++ storages, ++ persistent_volume_claims, ++ container, ++ settings, ++ &self.spec.volumes, ++ ); + } + + fn generate_policy(&self, agent_policy: &policy::AgentPolicy) -> String { +diff --git a/src/tools/genpolicy/src/registry.rs b/src/tools/genpolicy/src/registry.rs +index b212eeb8bca209d9916249fe8e01351f5943823c..bdce2d40e3a7c3ec34137ceb3685fcc94aedcb39 100644 +--- a/src/tools/genpolicy/src/registry.rs ++++ b/src/tools/genpolicy/src/registry.rs +@@ -23,11 +23,13 @@ use sha2::{digest::typenum::Unsigned, digest::OutputSizeUser, Sha256}; + use std::fs::OpenOptions; + use std::io::BufWriter; + use std::{io, io::Seek, io::Write, path::Path}; ++use std::collections::BTreeMap; + use tokio::io::AsyncWriteExt; + + /// Container image properties obtained from an OCI repository. 
+ #[derive(Clone, Debug, Default)] + pub struct Container { ++ pub image: String, + pub config_layer: DockerConfigLayer, + pub image_layers: Vec, + } +@@ -36,19 +38,20 @@ pub struct Container { + #[derive(Clone, Debug, Default, Deserialize, Serialize)] + pub struct DockerConfigLayer { + architecture: String, +- config: DockerImageConfig, ++ pub config: DockerImageConfig, + pub rootfs: DockerRootfs, + } + +-/// Image config properties. ++/// See: https://docs.docker.com/reference/dockerfile/. + #[derive(Clone, Debug, Default, Deserialize, Serialize)] +-struct DockerImageConfig { ++pub struct DockerImageConfig { + User: Option, + Tty: Option, + Env: Option>, + Cmd: Option>, + WorkingDir: Option, + Entrypoint: Option>, ++ pub Volumes: Option> + } + + /// Container rootfs information. +@@ -65,10 +68,20 @@ pub struct ImageLayer { + pub verity_hash: String, + } + ++/// See https://docs.docker.com/reference/dockerfile/#volume. ++#[derive(Clone, Debug, Serialize, Deserialize)] ++pub struct DockerVolumeHostDirectory { ++ // This struct is empty because, according to the documentation: ++ // "The VOLUME instruction does not support specifying a host-dir ++ // parameter. You must specify the mountpoint when you create or ++ // run the container." 
++} ++ + impl Container { + pub async fn new(layers_cache_file_path: Option, image: &str) -> Result { + info!("============================================"); + info!("Pulling manifest and config for {:?}", image); ++ let image_string = image.to_string(); + let reference: Reference = image.to_string().parse().unwrap(); + let auth = build_auth(&reference); + +@@ -94,6 +107,7 @@ impl Container { + + let config_layer: DockerConfigLayer = + serde_json::from_str(&config_layer_str).unwrap(); ++ debug!("config_layer: {:?}", &config_layer); + let image_layers = get_image_layers( + layers_cache_file_path, + &mut client, +@@ -105,6 +119,7 @@ impl Container { + .unwrap(); + + Ok(Container { ++ image: image_string, + config_layer, + image_layers, + }) +diff --git a/src/tools/genpolicy/src/registry_containerd.rs b/src/tools/genpolicy/src/registry_containerd.rs +index 333a4dd33032c4842e70d5e618b4660fa2ffb6c5..793137224b88d4a562ea214bbc8d93316563f863 100644 +--- a/src/tools/genpolicy/src/registry_containerd.rs ++++ b/src/tools/genpolicy/src/registry_containerd.rs +@@ -46,7 +46,8 @@ impl Container { + let ctrd_client = containerd_client::Client::from(containerd_channel.clone()); + let k8_cri_image_client = ImageServiceClient::new(containerd_channel); + +- let image_ref: Reference = image.to_string().parse().unwrap(); ++ let image_str = image.to_string(); ++ let image_ref: Reference = image_str.parse().unwrap(); + + info!("Pulling image: {:?}", image_ref); + +@@ -67,6 +68,7 @@ impl Container { + .await?; + + Ok(Container { ++ image: image_str, + config_layer, + image_layers, + }) +diff --git a/src/tools/genpolicy/src/replica_set.rs b/src/tools/genpolicy/src/replica_set.rs +index 094daf1da4cf2f202cfc41e76a0f693bdf84e46a..205937f0a9f1e17b5e2b1a6ab9e3d67d5263daa5 100644 +--- a/src/tools/genpolicy/src/replica_set.rs ++++ b/src/tools/genpolicy/src/replica_set.rs +@@ -68,16 +68,14 @@ impl yaml::K8sResource for ReplicaSet { + container: &pod::Container, + settings: &settings::Settings, + 
) { +- if let Some(volumes) = &self.spec.template.spec.volumes { +- yaml::get_container_mounts_and_storages( +- policy_mounts, +- storages, +- persistent_volume_claims, +- container, +- settings, +- volumes, +- ); +- } ++ yaml::get_container_mounts_and_storages( ++ policy_mounts, ++ storages, ++ persistent_volume_claims, ++ container, ++ settings, ++ &self.spec.template.spec.volumes, ++ ); + } + + fn generate_policy(&self, agent_policy: &policy::AgentPolicy) -> String { +diff --git a/src/tools/genpolicy/src/replication_controller.rs b/src/tools/genpolicy/src/replication_controller.rs +index 55788a45c2e0ede93b5fb27349b9096d6dc706ef..049e6a1394ba4c1151f44dc56abe1392102f5582 100644 +--- a/src/tools/genpolicy/src/replication_controller.rs ++++ b/src/tools/genpolicy/src/replication_controller.rs +@@ -70,16 +70,14 @@ impl yaml::K8sResource for ReplicationController { + container: &pod::Container, + settings: &settings::Settings, + ) { +- if let Some(volumes) = &self.spec.template.spec.volumes { +- yaml::get_container_mounts_and_storages( +- policy_mounts, +- storages, +- persistent_volume_claims, +- container, +- settings, +- volumes, +- ); +- } ++ yaml::get_container_mounts_and_storages( ++ policy_mounts, ++ storages, ++ persistent_volume_claims, ++ container, ++ settings, ++ &self.spec.template.spec.volumes, ++ ); + } + + fn generate_policy(&self, agent_policy: &policy::AgentPolicy) -> String { +diff --git a/src/tools/genpolicy/src/settings.rs b/src/tools/genpolicy/src/settings.rs +index 3d86971914ad4a659cab4bba0737ca53a183c2ba..a388f074e5168abb14c40c324c8aeef74062cdc0 100644 +--- a/src/tools/genpolicy/src/settings.rs ++++ b/src/tools/genpolicy/src/settings.rs +@@ -34,6 +34,7 @@ pub struct Volumes { + pub emptyDir_memory: EmptyDirVolume, + pub configMap: ConfigMapVolume, + pub confidential_configMap: ConfigMapVolume, ++ pub image_volume: ImageVolume + } + + /// EmptyDir volume settings loaded from genpolicy-settings.json. 
+@@ -59,6 +60,17 @@ pub struct ConfigMapVolume { + pub options: Vec, + } + ++/// Container image volume settings loaded from genpolicy-settings.json. ++#[derive(Clone, Debug, Serialize, Deserialize)] ++pub struct ImageVolume { ++ pub mount_type: String, ++ pub mount_source: String, ++ pub driver: String, ++ pub source: String, ++ pub fstype: String, ++ pub options: Vec, ++} ++ + /// Data corresponding to the kata runtime config file data, loaded from + /// genpolicy-settings.json. + #[derive(Clone, Debug, Serialize, Deserialize)] +diff --git a/src/tools/genpolicy/src/stateful_set.rs b/src/tools/genpolicy/src/stateful_set.rs +index d25398358f526116f5b766ffba6db2e287e0f8e9..aa25bf5a78443dce6493fe5a2a2c3a3b6bd8c00c 100644 +--- a/src/tools/genpolicy/src/stateful_set.rs ++++ b/src/tools/genpolicy/src/stateful_set.rs +@@ -118,17 +118,6 @@ impl yaml::K8sResource for StatefulSet { + container: &pod::Container, + settings: &settings::Settings, + ) { +- if let Some(volumes) = &self.spec.template.spec.volumes { +- yaml::get_container_mounts_and_storages( +- policy_mounts, +- storages, +- persistent_volume_claims, +- container, +- settings, +- volumes, +- ); +- } +- + // Example: + // + // containers: +@@ -159,6 +148,15 @@ impl yaml::K8sResource for StatefulSet { + ); + } + } ++ ++ yaml::get_container_mounts_and_storages( ++ policy_mounts, ++ storages, ++ persistent_volume_claims, ++ container, ++ settings, ++ &self.spec.template.spec.volumes, ++ ); + } + + fn generate_policy(&self, agent_policy: &policy::AgentPolicy) -> String { +diff --git a/src/tools/genpolicy/src/yaml.rs b/src/tools/genpolicy/src/yaml.rs +index c898240af337f3cb7cfc34fa1398cb5a6bd828a5..07ebb32aea0ae8265c8deb8c32fb02242d1a7d84 100644 +--- a/src/tools/genpolicy/src/yaml.rs ++++ b/src/tools/genpolicy/src/yaml.rs +@@ -251,24 +251,41 @@ pub fn get_container_mounts_and_storages( + persistent_volume_claims: &[pvc::PersistentVolumeClaim], + container: &pod::Container, + settings: &settings::Settings, +- volumes: 
&Vec,
++ volumes_option: &Option>,
+ ) {
+- if let Some(volume_mounts) = &container.volumeMounts {
+- for volume in volumes {
+- for volume_mount in volume_mounts {
+- if volume_mount.name.eq(&volume.name) {
+- mount_and_storage::get_mount_and_storage(
+- settings,
+- policy_mounts,
+- storages,
+- persistent_volume_claims,
+- volume,
+- volume_mount,
+- );
++ if let Some(volumes) = volumes_option {
++ if let Some(volume_mounts) = &container.volumeMounts {
++ for volume in volumes {
++ for volume_mount in volume_mounts {
++ if volume_mount.name.eq(&volume.name) {
++ mount_and_storage::get_mount_and_storage(
++ settings,
++ policy_mounts,
++ storages,
++ persistent_volume_claims,
++ volume,
++ volume_mount,
++ );
++ }
+ }
+ }
+ }
+ }
++
++ // Add storage and mount for each volume defined in the docker container image
++ // configuration layer.
++ if let Some(volumes) = &container.registry.config_layer.config.Volumes {
++ for volume in volumes {
++ debug!("get_container_mounts_and_storages: {:?}", &volume);
++
++ mount_and_storage::get_image_mount_and_storage(
++ settings,
++ policy_mounts,
++ storages,
++ volume.0,
++ );
++ }
++ }
+ }
+
+ /// Add the "io.katacontainers.config.agent.policy" annotation into
diff --git a/packages/by-name/microsoft/genpolicy/genpolicy_msft_settings_coordinator.patch b/packages/by-name/microsoft/genpolicy/genpolicy_msft_settings_coordinator.patch
index 6f55c99e85..4df0e73cca 100644
--- a/packages/by-name/microsoft/genpolicy/genpolicy_msft_settings_coordinator.patch
+++ b/packages/by-name/microsoft/genpolicy/genpolicy_msft_settings_coordinator.patch
@@ -1,8 +1,8 @@
 diff --git a/genpolicy-settings.json b/genpolicy-settings.json
-index 7d35862a..4eacc7cd 100644
+index fd998a41b..ba362a77d 100755
 --- a/genpolicy-settings.json
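Review bot: The image-VOLUME loop added at the end of `get_container_mounts_and_storages` runs after the YAML volumeMounts loop but, as far as this hunk shows, never checks whether `policy_mounts` already holds a mount for the same destination, so a pod that explicitly mounts a volume at a path the image also declares with VOLUME (what the removed e2e testdata did) would contribute two policy mounts for one path unless `get_image_mount_and_storage` deduplicates internally, which is outside this hunk. The runtime generally lets the explicit mount win for such paths, so a duplicate entry would make the generated policy diverge from the CreateContainerRequest the agent actually sees; a guard before the call, `if policy_mounts.iter().any(|m| m.destination == volume.0) { continue; }`, keeps the YAML mount authoritative (assuming the policy mount type names its target `destination`, as elsewhere in genpolicy). The `debug!` line would be more useful if it said where the volume comes from, e.g. `debug!("get_container_mounts_and_storages: image VOLUME {:?}", &volume);`. `volume.0` passes only the map key, so a short comment that the Volumes map value is deliberately ignored would save the next reader a lookup.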
+++ b/genpolicy-settings.json -@@ -307,7 +307,8 @@ +@@ -319,7 +319,8 @@ "^AZURE_CLIENT_ID=[A-Fa-f0-9-]*$", "^AZURE_TENANT_ID=[A-Fa-f0-9-]*$", "^AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/azure/tokens/azure-identity-token$", @@ -12,10 +12,3 @@ index 7d35862a..4eacc7cd 100644 ] }, "CopyFileRequest": [ -@@ -322,4 +323,4 @@ - "UpdateEphemeralMountsRequest": false, - "WriteStreamRequest": false - } --} -\ No newline at end of file -+} diff --git a/packages/by-name/microsoft/genpolicy/genpolicy_msft_settings_dev.patch b/packages/by-name/microsoft/genpolicy/genpolicy_msft_settings_dev.patch index 86e2b69c19..5022be6e99 100644 --- a/packages/by-name/microsoft/genpolicy/genpolicy_msft_settings_dev.patch +++ b/packages/by-name/microsoft/genpolicy/genpolicy_msft_settings_dev.patch @@ -1,8 +1,8 @@ diff --git a/genpolicy-settings.json b/genpolicy-settings.json -index 7d35862a..f469b201 100644 +index fd998a41b..17d562c8a 100755 --- a/genpolicy-settings.json +++ b/genpolicy-settings.json -@@ -307,7 +307,8 @@ +@@ -319,7 +319,8 @@ "^AZURE_CLIENT_ID=[A-Fa-f0-9-]*$", "^AZURE_TENANT_ID=[A-Fa-f0-9-]*$", "^AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/azure/tokens/azure-identity-token$", @@ -12,13 +12,13 @@ index 7d35862a..f469b201 100644 ] }, "CopyFileRequest": [ -@@ -315,11 +316,13 @@ +@@ -327,11 +328,13 @@ ], "ExecProcessRequest": { "commands": [], - "regex": [] + "regex": [ -+ ".*" ++ ".*" + ] }, "CloseStdinRequest": false, @@ -27,6 +27,4 @@ index 7d35862a..f469b201 100644 - "WriteStreamRequest": false + "WriteStreamRequest": true } --} -\ No newline at end of file -+} + } diff --git a/packages/by-name/microsoft/genpolicy/package.nix b/packages/by-name/microsoft/genpolicy/package.nix index 4286550cd2..b05178fe69 100644 --- a/packages/by-name/microsoft/genpolicy/package.nix +++ b/packages/by-name/microsoft/genpolicy/package.nix 
@@ -55,6 +55,10 @@ rustPlatform.buildRustPackage rec {
 # We can revisit this if microsoft upstreamed
 # https://github.com/microsoft/kata-containers/pull/174
 ./0006-genpolicy-support-HostToContainer-mount-propagation.patch
+ # This patch is a port of https://github.com/kata-containers/kata-containers/pull/10136/files
+ # to Microsofts genpolicy.
+ # TODO(miampf): remove when picked up by microsoft/kata-containers fork.
+ ./0007-genpolicy-support-for-VOLUME-definition-in-container.patch
 ];
 };