ci: embed prod policy settings on release #164

burgerdev · 2024-02-15T14:34:59Z

This commit blesses the Microsoft fork of the Kata Containers policy and settings.

Why not ours?

Any divergence from upstream configs risks security relevant divergence and would need continuous justification.
We can contribute missing policy features upstream, if needed.

Why not kata-containers/kata-containers?

We assume that the Microsoft fork is customized to the AKS environment that we're targeting, and we want to stay compatible with that.
The genpolicy tool and its config are not compatible across minor versions (e.g., a policy generated from Kata head today is not accepted by the Kata Agent available in the AKS preview today).

malt3 · 2024-02-15T15:03:30Z

I think that's a good idea.
Just a conceptual question: shouldn't we also use this policy during our e2e tests? Otherwise we might build features that are not compatible with the msft policies (and not notice until we release a new version).

burgerdev · 2024-02-15T15:12:46Z

I think that's a good idea. Just a conceptual question: shouldn't we also use this policy during our e2e tests? Otherwise we might build features that are not compatible with the msft policies (and not notice until we release a new version).

Excellent suggestion, let me add that to the proposal.

justfile

This commit blesses the Microsoft fork of the Kata Containers policy and settings. Why not ours? * Any divergence from upstream configs risks security relevant divergence and would need continuous justification. * We can contribute missing policy features upstream, if needed. Why not kata-containers/kata-containers? * We assume that the Microsoft fork is customized to the AKS environment that we're targeting, and we want to stay compatible with that. * The genpolicy tool and its config are not compatible across minor versions (e.g., a policy generated from Kata head today is not accepted by the Kata Agent available in the AKS preview today).

Introduces a new parameter for some just targets that allows overriding the nix rule used to build the cli. The dev variant stays the default, while the release variant is used for e2e testing.

Base automatically changed from burgerdev/policy to main February 19, 2024 13:20

burgerdev force-pushed the burgerdev/release-policy branch from c75eda4 to 54e3bfd Compare February 20, 2024 11:28

burgerdev marked this pull request as ready for review February 20, 2024 13:49

burgerdev requested a review from katexochen as a code owner February 20, 2024 13:49

burgerdev requested a review from malt3 February 20, 2024 13:51

katexochen reviewed Feb 20, 2024

View reviewed changes

justfile Outdated Show resolved Hide resolved

malt3 approved these changes Feb 21, 2024

View reviewed changes

burgerdev force-pushed the burgerdev/release-policy branch 3 times, most recently from d995ef8 to 2771f54 Compare February 21, 2024 15:25

burgerdev added 3 commits February 21, 2024 18:27

nix: recover lost cli-release rule

99a0c23

just: make cli variant configurable

49dc9af

Introduces a new parameter for some just targets that allows overriding the nix rule used to build the cli. The dev variant stays the default, while the release variant is used for e2e testing.

burgerdev force-pushed the burgerdev/release-policy branch from 2771f54 to 49dc9af Compare February 21, 2024 17:27

burgerdev merged commit c620ebd into main Feb 22, 2024
5 checks passed

burgerdev deleted the burgerdev/release-policy branch February 22, 2024 07:46

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ci: embed prod policy settings on release #164

ci: embed prod policy settings on release #164

burgerdev commented Feb 15, 2024

malt3 commented Feb 15, 2024

burgerdev commented Feb 15, 2024

ci: embed prod policy settings on release #164

ci: embed prod policy settings on release #164

Conversation

burgerdev commented Feb 15, 2024

malt3 commented Feb 15, 2024

burgerdev commented Feb 15, 2024