From 41999f6a7ea45a5e579af02f1a72a2cf2b0cff0c Mon Sep 17 00:00:00 2001
From: Markus Rudy
Date: Fri, 9 Feb 2024 11:27:05 +0100
Subject: [PATCH 1/2] genpolicy-msft: add namespace-flexible rule variant

We would like to have a coordinator policy that is portable across namespaces. This is not possible with the upstream rules.rego, because the namespace annotation on the OCI spec is checked against the original namespace in the resource definition, or a default. It turns out that this check is not necessary for our coordinator, though:
1. The namespace check guarantees a specific pattern of the log path. As there's only one container in the VM, we don't care about potential conflicts and only need to ensure that we're not writing into a totally unrelated directory.
2. The namespace check guarantees that the Kubernetes downward API is resolved correctly. We're not using that, so we don't need the check.
A minimally invasive change that still addresses (1) is to relax the check so that it only guarantees namespace validity [1].
[1]: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/#namespaces-and-dns
---
 packages/genpolicy_msft.nix | 5 +++++
 packages/genpolicy_msft_rules_coordinator.patch | 15 +++++++++++++++
 2 files changed, 20 insertions(+)
 create mode 100644 packages/genpolicy_msft_rules_coordinator.patch

diff --git a/packages/genpolicy_msft.nix b/packages/genpolicy_msft.nix
index 25713848a..f0d239e87 100644
--- a/packages/genpolicy_msft.nix
+++ b/packages/genpolicy_msft.nix
@@ -62,6 +62,11 @@ rustPlatform.buildRustPackage rec {
 recursiveHash = true;
 postFetch = "install -D $downloadedFile $out/genpolicy-rules.rego";
 };
+
+ rules-coordinator = applyPatches {
+ src = rules;
+ patches = [ ./genpolicy_msft_rules_coordinator.patch ];
+ };
 };
 meta = {
diff --git a/packages/genpolicy_msft_rules_coordinator.patch b/packages/genpolicy_msft_rules_coordinator.patch
new file mode 100644
index 000000000..7ae9baf0e
--- /dev/null
+++ b/packages/genpolicy_msft_rules_coordinator.patch
@@ -0,0 +1,15 @@
+diff --git a/genpolicy-rules.rego b/genpolicy-rules.rego
+index e1954e9..fb508bc 100644
+--- a/genpolicy-rules.rego
++++ b/genpolicy-rules.rego
+@@ -137,9 +137,9 @@ allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, s_name) {
+ p_namespace := p_oci.Annotations[s_namespace]
+ i_namespace := i_oci.Annotations[s_namespace]
+ print("allow_by_sandbox_name: p_namespace =", p_namespace, "i_namespace =", i_namespace)
+- p_namespace == i_namespace
++ regex.match("^[a-z0-9-]{1,63}$", i_namespace)
+
+- allow_by_container_types(p_oci, i_oci, s_name, p_namespace)
++ allow_by_container_types(p_oci, i_oci, s_name, i_namespace)
+ allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages)
+ allow_process(p_oci, i_oci, s_name)

From 58040322e3d88154aafbec66f36172c14d809cf5 Mon Sep 17 00:00:00 2001
From: Markus Rudy
Date: Fri, 9 Feb 2024 13:09:49 +0100
Subject: [PATCH 2/2] nix: add rule to render a coordinator deployment

In order to embed a coordinator policy hash on release, we first need to establish what the default coordinator policy should be. This commit adds a nix rule that generates the canonical coordinator k8s resources, which can then be used to obtain a policy hash for inclusion in the CLI. Since the generated resources are then guaranteed to be compatible with the released CLI, we can include the resource definitions in the release and encourage users to take the coordinator from there.
---
 packages/default.nix | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/packages/default.nix b/packages/default.nix
index 6c7f4d199..a31f0e914 100644
--- a/packages/default.nix
+++ b/packages/default.nix
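Review bot: The relaxed check `regex.match("^[a-z0-9-]{1,63}$", i_namespace)` is looser than the namespace validity the commit message cites: Kubernetes namespaces are RFC 1123 DNS labels, which must begin and end with an alphanumeric character, so this pattern also accepts `-`, `-foo` and `foo-`. The pattern that matches the Kubernetes validation is `regex.match("^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$", i_namespace)`. It is worth a comment next to the check that `i_namespace` comes from the host-supplied OCI annotation and, after this change, is no longer bound to the namespace in the resource definition — it only constrains the character set that flows into `allow_by_container_types` and the log path derived from it, which is the trade-off the commit message describes. `p_namespace` now only feeds the `print`, so a one-line note on why it is kept (or removing it) would help the next reader; the rule's closing brace is outside the hunk.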
@@ -269,4 +269,32 @@ rec {
 exit 1
 '';
 };
+
+ # write-coordinator-yaml prints a Nunki Coordinator deployment including the default policy.
+ # It's intended for two purposes: (1) releasing a portable coordinator.yaml and (2) updating the embedded policy hash.
+ write-coordinator-yaml = writeShellApplication {
+ name = "print-coordinator-policy";
+ runtimeInputs = [
+ yq-go
+ genpolicy
+ ];
+ text = ''
+ imageRef=$1:v${version}
+
+ tmpdir=$(mktemp -d)
+ trap 'rm -rf $tmpdir' EXIT
+
+ # TODO(burgerdev): consider a dedicated coordinator template instead of the simple one
+ yq < deployments/simple/coordinator.yml > "$tmpdir/coordinator.yml" \
+ "del(.metadata.namespace) | (select(.kind == \"Deployment\") | .spec.template.spec.containers[0].image) = \"$imageRef\""
+
+ pushd "$tmpdir" >/dev/null
+ # TODO(burgerdev): this should not be dev, but there are unknown env vars
+ cp ${genpolicy.settings-dev}/genpolicy-settings.json .
+ cp ${genpolicy.rules-coordinator}/genpolicy-rules.rego rules.rego
+ genpolicy < "$tmpdir/coordinator.yml"
+ popd >/dev/null
+ '';
+ };
+
 }
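Review bot: `$imageRef`, taken from the first CLI argument, is spliced into the yq program text (`= \"$imageRef\"`), so an argument containing a `"` or yq operators alters the expression rather than the value; passing it through the environment keeps it a plain string: `IMAGE_REF="$imageRef" yq 'del(.metadata.namespace) | (select(.kind == "Deployment") | .spec.template.spec.containers[0].image) = strenv(IMAGE_REF)' < deployments/simple/coordinator.yml > "$tmpdir/coordinator.yml"` (yq-go v4 provides `strenv`; worth confirming against the pinned version). The script also reads `deployments/simple/coordinator.yml` relative to the working directory, so it only works from the repository root; a comment such as `# must be run from the repository root` next to the `yq` line, or an absolute path, would document that. The attribute is named `write-coordinator-yaml` while the installed binary is `name = "print-coordinator-policy"`, which is confusing for a tool that produces a release artifact — picking one name for both would help.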