Merge pull request #10098 from microsoft/danmihai1/allow-failing

agent: fix the AllowRequestsFailingPolicy functionality
2025-04-28 03:42:09 +00:00 · 2024-08-02 08:42:47 -07:00 · 2024-08-02 08:42:47 -07:00 · 2628b34435
commit 2628b34435
parent 8da5f7a72f c2a55552b2
2 changed files with 51 additions and 6 deletions
--- a/src/agent/src/policy.rs
+++ b/src/agent/src/policy.rs
@ -100,11 +100,7 @@ impl AgentPolicy {
        }

        self.engine.add_policy_from_file(default_policy_file)?;
-        self.engine.set_input_json("{}")?;
-        self.allow_failures = match self.allow_request("AllowRequestsFailingPolicy", "{}").await {
-            Ok((allowed, _prints)) => allowed,
-            Err(_) => false,
-        };
+        self.update_allow_failures_flag().await?;
        Ok(())
    }

@ -116,8 +112,18 @@ impl AgentPolicy {
        let query = format!("data.agent_policy.{ep}");
        self.engine.set_input_json(ep_input)?;

-        let mut allow = self.engine.eval_bool_query(query, false)?;
+        let mut allow = match self.engine.eval_bool_query(query, false) {
+            Ok(a) => a,
+            Err(e) => {
+                if !self.allow_failures {
+                    return Err(e);
+                }
+                false
+            }
+        };
+
        if !allow && self.allow_failures {
+            warn!(sl!(), "policy: ignoring error for {ep}");
            allow = true;
        }

@ -134,6 +140,7 @@ impl AgentPolicy {
        self.engine = Self::new_engine();
        self.engine
            .add_policy("agent_policy".to_string(), policy.to_string())?;
+        self.update_allow_failures_flag().await?;
        Ok(())
    }

@ -160,4 +167,20 @@ impl AgentPolicy {
            }
        }
    }
+
+    async fn update_allow_failures_flag(&mut self) -> Result<()> {
+        self.allow_failures = match self.allow_request("AllowRequestsFailingPolicy", "{}").await {
+            Ok((allowed, _prints)) => {
+                if allowed {
+                    warn!(
+                        sl!(),
+                        "policy: AllowRequestsFailingPolicy is enabled - will ignore errors"
+                    );
+                }
+                allowed
+            }
+            Err(_) => false,
+        };
+        Ok(())
+    }
 }
--- a/tests/integration/kubernetes/k8s-policy-hard-coded.bats
+++ b/tests/integration/kubernetes/k8s-policy-hard-coded.bats
@ -37,6 +37,28 @@ setup() {
 	echo "$exec_output" | grep "ExecProcessRequest is blocked by policy"
 }

+@test "AllowRequestsFailingPolicy := true" {
+	# Add to the YAML file a policy using just AllowRequestsFailingPolicy := true. Evaluating the rules
+	# for any Kata Agent request will return false, but AllowRequestsFailingPolicy := true will allow
+	# those request to be executed.
+	#
+	# Warning: this is an insecure policy that shouldn't be used when protecting the confidentiality
+	#          of a pod is important. However, this policy could be useful while debugging a pod.
+	policy_text=$(printf "package agent_policy\ndefault AllowRequestsFailingPolicy := true")
+	policy_base64=$(echo "${policy_text}" | base64 -w 0 -)
+
+	yq -i \
+		".metadata.annotations.\"io.katacontainers.config.agent.policy\" = \"${policy_base64}\"" \
+		"${pod_yaml}"
+
+	# Create the pod
+	kubectl create -f "${pod_yaml}"
+
+	# Wait for pod to start
+	echo "timeout=${timeout}"
+	kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name"
+}
+
 teardown() {
 	hard_coded_policy_tests_enabled || skip "Policy tests are disabled."