From 30bfa2dfccec01aa84dcb8e07f8f77c72f91b126 Mon Sep 17 00:00:00 2001 From: Dan Mihai Date: Thu, 10 Jul 2025 15:59:38 +0000 Subject: [PATCH] genpolicy: use CoCo settings by default - "confidential_emptyDir" becomes "emptyDir" in the settings file. - "confidential_configMap" becomes "configMap" in settings. - "mount_source_cpath" becomes "cpath". - The new "root_path" gets used instead of the old "cpath" to point to the container root path. - "confidential_guest" is no longer used. By default it gets replaced by "enable_configmap_secret_storages"=false, because CoCo is using CopyFileRequest instead of the Storage data structures for ConfigMap and/or Secret volume mounts during CreateContainerRequest. - The value of "guest_pull" becomes true by default. - "image_layer_verification" is no longer used - just CoCo's guest pull is supported. - The Request input files from unit tests are changing to reflect the new default settings values described above. - tests/integration/kubernetes/tests_common.sh adjusts the settings for platforms that are not set up for CoCo during CI (i.e., platforms other than SNP, TDX, and CoCo Dev). 
Signed-off-by: Dan Mihai --- src/tools/genpolicy/genpolicy-settings.json | 35 ++------ src/tools/genpolicy/rules.rego | 15 ++-- src/tools/genpolicy/src/mount_and_storage.rs | 14 +-- src/tools/genpolicy/src/policy.rs | 4 +- src/tools/genpolicy/src/settings.rs | 4 +- .../generate_name/testcases.json | 4 +- .../createcontainer/gid/testcases.json | 15 ++-- .../network_namespace/testcases.json | 8 +- .../security_context/runas/testcases.json | 8 +- .../supplemental_groups/testcases.json | 4 +- .../createcontainer/sysctls/testcases.json | 8 +- .../volumes/config_map/testcases.json | 18 +--- .../volumes/container_image/testcases.json | 6 +- .../volumes/emptydir/testcases.json | 18 ++-- .../state/createcontainer/testcases.json | 4 +- .../testdata/state/execprocess/testcases.json | 55 ++++++------ tests/integration/kubernetes/tests_common.sh | 85 ++++++++----------- 17 files changed, 119 insertions(+), 186 deletions(-) diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json index 1b9321d49c..75a4463cc1 100644 --- a/src/tools/genpolicy/genpolicy-settings.json +++ b/src/tools/genpolicy/genpolicy-settings.json @@ -1,7 +1,7 @@ { "pause_container": { "Root": { - "Path": "$(cpath)/$(bundle-id)/rootfs", + "Path": "$(root_path)", "Readonly": true }, "Mounts": [ @@ -73,7 +73,7 @@ }, "other_container": { "Root": { - "Path": "$(cpath)/$(bundle-id)/rootfs" + "Path": "$(root_path)" }, "Mounts": [ { @@ -163,17 +163,6 @@ "mode=0777" ] }, - "confidential_emptyDir": { - "mount_type": "local", - "mount_source": "^$(cpath)/$(sandbox-id)/rootfs/local/", - "mount_point": "^$(cpath)/$(sandbox-id)/rootfs/local/", - "driver": "local", - "source": "local", - "fstype": "local", - "options": [ - "mode=0777" - ] - }, "emptyDir_memory": { "mount_type": "bind", "mount_source": "^/run/kata-containers/sandbox/ephemeral/", 
@@ -184,18 +173,6 @@ "options": [] }, "configMap": { - "mount_type": "bind", - "mount_source": "$(sfprefix)", - "mount_point": "^$(cpath)/watchable/$(bundle-id)-[a-z0-9]{16}-", - "driver": "watchable-bind", - "fstype": "bind", - "options": [ - "rbind", - "rprivate", - "ro" - ] - }, - "confidential_configMap": { "mount_type": "bind", "mount_source": "$(sfprefix)", "mount_point": "$(sfprefix)", @@ -251,7 +228,7 @@ }, "common": { "cpath": "/run/kata-containers/shared/containers", - "mount_source_cpath": "/run/kata-containers/shared/containers", + "root_path": "/run/kata-containers/$(bundle-id)/rootfs", "sfprefix": "^$(cpath)/$(bundle-id)-[a-z0-9]{16}-", "ip_p": "[0-9]{1,5}", "ipv4_a": "(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])", @@ -319,12 +296,12 @@ "image_layer_verification" : "none" }, "kata_config": { - "confidential_guest": false, - "oci_version": "1.1.0" + "oci_version": "1.1.0", + "enable_configmap_secret_storages": false }, "cluster_config": { "pause_container_image": "mcr.microsoft.com/oss/kubernetes/pause:3.6", - "guest_pull": false + "guest_pull": true }, "request_defaults": { "CreateContainerRequest": { diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego index 44b1bc0aae..b402b1c5ec 100644 --- a/src/tools/genpolicy/rules.rego +++ b/src/tools/genpolicy/rules.rego @@ -669,6 +669,7 @@ allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) if { # Reject possible attempts to match multiple input mounts with a single Policy mount. p_matches := { p_index | some i_index; p_index = allow_mount(p_oci, input.OCI.Mounts[i_index], bundle_id, sandbox_id) } + print("allow_by_bundle_or_sandbox_id: p_matches =", p_matches) count(p_matches) == count(input.OCI.Mounts) allow_storages(p_storages, i_storages, bundle_id, sandbox_id) 
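Review bot: `"image_layer_verification" : "none"` is still present in `genpolicy-settings.json` (the context line at the top of the `@@ -319` hunk) even though the commit message says the option is no longer used; an operator who later sets it to a non-`none` value would reasonably expect image layers to be verified, while nothing in this patch touches a consumer of it. Either drop the key from the settings file (and from its Rust field, which is not in this diff) or make it impossible to mistake for an active control; since JSON has no comments, removing it is the cleaner option. This is the hunk that flips `guest_pull` to `true` and introduces `enable_configmap_secret_storages: false` as the CoCo default, so it is also where a stale verification knob is most likely to be read as meaningful.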
@@ -967,7 +968,7 @@ allow_root_path(p_oci, i_oci, bundle_id) if { p_path1 := p_oci.Root.Path print("allow_root_path: i_path =", i_path, "p_path1 =", p_path1) - p_path2 := replace(p_path1, "$(cpath)", policy_data.common.cpath) + p_path2 := replace(p_path1, "$(root_path)", policy_data.common.root_path) print("allow_root_path: p_path2 =", p_path2) p_path3 := replace(p_path2, "$(bundle-id)", bundle_id) @@ -983,8 +984,8 @@ allow_root_path(p_oci, i_oci, bundle_id) if { allow_mount(p_oci, i_mount, bundle_id, sandbox_id):= p_index if { print("allow_mount: i_mount =", i_mount) - p_mount := p_oci.Mounts[p_index] - print("allow_mount: p_mount =", p_mount) + some p_index, p_mount in p_oci.Mounts + print("allow_mount: p_index =", p_index, "p_mount =", p_mount) check_mount(p_mount, i_mount, bundle_id, sandbox_id) print("allow_mount: true, p_index =", p_index) @@ -1007,7 +1008,7 @@ check_mount(p_mount, i_mount, bundle_id, sandbox_id) if { mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) if { regex1 := p_mount.source regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix) - regex3 := replace(regex2, "$(cpath)", policy_data.common.mount_source_cpath) + regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath) regex4 := replace(regex3, "$(bundle-id)", bundle_id) print("mount_source_allows 1: regex4 =", regex4) @@ -1018,7 +1019,7 @@ mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) if { mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) if { regex1 := p_mount.source regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix) - regex3 := replace(regex2, "$(cpath)", policy_data.common.mount_source_cpath) + regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath) regex4 := replace(regex3, "$(sandbox-id)", sandbox_id) print("mount_source_allows 2: regex4 =", regex4) 
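Review bot: `allow_root_path` now substitutes only `$(root_path)` and then `$(bundle-id)` into `p_oci.Root.Path`; the `$(cpath)` replacement is gone, so a custom settings file that still writes `"Path": "$(cpath)/$(bundle-id)/rootfs"` (the pre-patch default) yields a literal `$(cpath)/...` string and every CreateContainerRequest is rejected. That is fail-closed, but the failure only surfaces as a policy denial at pod start with no hint about the settings key. Consider keeping the old substitution next to the new one, `p_path2 := replace(replace(p_path1, "$(root_path)", policy_data.common.root_path), "$(cpath)", policy_data.common.cpath)`, or have genpolicy reject a Root.Path that still contains `$(cpath)` at generation time. The rule's header and its closing lines are outside this hunk.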
@@ -1117,7 +1118,7 @@ allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id) if { mount1 := p_storage.mount_point print("allow_mount_point 3: mount1 =", mount1) - mount2 := replace(mount1, "$(cpath)", policy_data.common.mount_source_cpath) + mount2 := replace(mount1, "$(cpath)", policy_data.common.cpath) print("allow_mount_point 1: mount2 =", mount2) mount3 := replace(mount2, "$(sandbox-id)", sandbox_id) @@ -1250,7 +1251,7 @@ CopyFileRequest if { some regex1 in policy_data.request_defaults.CopyFileRequest regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix) - regex3 := replace(regex2, "$(cpath)", policy_data.common.mount_source_cpath) + regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath) regex4 := replace(regex3, "$(bundle-id)", "[a-z0-9]{64}") print("CopyFileRequest: regex4 =", regex4) diff --git a/src/tools/genpolicy/src/mount_and_storage.rs b/src/tools/genpolicy/src/mount_and_storage.rs index f12714ec44..bb93261f76 100644 --- a/src/tools/genpolicy/src/mount_and_storage.rs +++ b/src/tools/genpolicy/src/mount_and_storage.rs @@ -122,11 +122,7 @@ pub fn get_mount_and_storage( } if volume.is_none() { - volume = if settings.kata_config.confidential_guest { - Some(&settings_volumes.confidential_emptyDir) - } else { - Some(&settings_volumes.emptyDir) - } + volume = Some(&settings_volumes.emptyDir); } get_empty_dir_mount_and_storage(settings, p_mounts, storages, yaml_mount, volume.unwrap()); 
@@ -270,14 +266,10 @@ fn get_config_map_mount_and_storage( yaml_mount: &pod::VolumeMount, ) { let settings_volumes = &settings.volumes; - let settings_config_map = if settings.kata_config.confidential_guest { - &settings_volumes.confidential_configMap - } else { - &settings_volumes.configMap - }; + let settings_config_map = &settings_volumes.configMap; debug!("Settings configMap: {:?}", settings_config_map); - if !settings.kata_config.confidential_guest { + if settings.kata_config.enable_configmap_secret_storages { let mount_path = Path::new(&yaml_mount.mountPath).file_name().unwrap(); let mount_path_str = OsString::from(mount_path).into_string().unwrap(); diff --git a/src/tools/genpolicy/src/policy.rs b/src/tools/genpolicy/src/policy.rs index af0ef00d33..d029acd0a2 100644 --- a/src/tools/genpolicy/src/policy.rs +++ b/src/tools/genpolicy/src/policy.rs @@ -393,8 +393,8 @@ pub struct CommonData { /// Path to the shared container files - e.g., "/run/kata-containers/shared/containers". pub cpath: String, - /// Path to the shared container files for mount sources - e.g., "/run/kata-containers/shared/containers". - pub mount_source_cpath: String, + /// Path to the container root - e.g., "/run/kata-containers/$(bundle-id)/rootfs". + pub root_path: String, /// Regex prefix for shared file paths - e.g., "^$(cpath)/$(bundle-id)-[a-z0-9]{16}-". pub sfprefix: String, diff --git a/src/tools/genpolicy/src/settings.rs b/src/tools/genpolicy/src/settings.rs index b7f0515d17..e3bab1e9b6 100644 --- a/src/tools/genpolicy/src/settings.rs +++ b/src/tools/genpolicy/src/settings.rs @@ -31,10 +31,8 @@ pub struct Settings { #[derive(Clone, Debug, Serialize, Deserialize)] pub struct Volumes { pub emptyDir: EmptyDirVolume, - pub confidential_emptyDir: EmptyDirVolume, pub emptyDir_memory: EmptyDirVolume, pub configMap: ConfigMapVolume, - pub confidential_configMap: ConfigMapVolume, pub image_volume: ImageVolume, } 
@@ -76,8 +74,8 @@ pub struct ImageVolume { /// genpolicy-settings.json. #[derive(Clone, Debug, Serialize, Deserialize)] pub struct KataConfig { - pub confidential_guest: bool, pub oci_version: String, + pub enable_configmap_secret_storages: bool, } impl Settings { diff --git a/src/tools/genpolicy/tests/policy/testdata/createcontainer/generate_name/testcases.json b/src/tools/genpolicy/tests/policy/testdata/createcontainer/generate_name/testcases.json index cc09bdc119..2f4c53142d 100644 --- a/src/tools/genpolicy/tests/policy/testdata/createcontainer/generate_name/testcases.json +++ b/src/tools/genpolicy/tests/policy/testdata/createcontainer/generate_name/testcases.json @@ -130,7 +130,7 @@ }, "Root": { "Readonly": true, - "Path": "/run/kata-containers/shared/containers/bundle-id/rootfs" + "Path": "/run/kata-containers/bundle-id/rootfs" } } } @@ -266,7 +266,7 @@ }, "Root": { "Readonly": true, - "Path": "/run/kata-containers/shared/containers/bundle-id/rootfs" + "Path": "/run/kata-containers/bundle-id/rootfs" } } } diff --git a/src/tools/genpolicy/tests/policy/testdata/createcontainer/gid/testcases.json b/src/tools/genpolicy/tests/policy/testdata/createcontainer/gid/testcases.json index 1fe8fa72a8..e847a2384c 100644 --- a/src/tools/genpolicy/tests/policy/testdata/createcontainer/gid/testcases.json +++ b/src/tools/genpolicy/tests/policy/testdata/createcontainer/gid/testcases.json @@ -293,15 +293,15 @@ "Terminal": false, "User": { "AdditionalGids": [ - 1 + 0 ], - "GID": 1, - "UID": 2, + "GID": 0, + "UID": 0, "Username": "" } }, "Root": { - "Path": "/run/kata-containers/shared/containers/gid/rootfs", + "Path": "/run/kata-containers/gid/rootfs", "Readonly": false }, "Solaris": null, @@ -626,11 +626,10 @@ "Terminal": false, "User": { "AdditionalGids": [ - 1, - 123 + 0 ], - "GID": 1, - "UID": 2, + "GID": 0, + "UID": 0, "Username": "" } }, 
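Review bot: `KataConfig` drops `confidential_guest` and adds `enable_configmap_secret_storages`, but the struct only derives `Deserialize`; unless `#[serde(deny_unknown_fields)]` is applied somewhere not shown here, a pre-existing custom settings file that still carries `"confidential_guest": true` deserializes cleanly with that key silently ignored, and the generated policy follows the new `guest_pull`/`enable_configmap_secret_storages` defaults rather than what the operator wrote. A missing `enable_configmap_secret_storages` fails loudly (there is no `#[serde(default)]`), which is the right direction; the stale key should fail the same way. Add `#[serde(deny_unknown_fields)]` above `pub struct KataConfig` (and above `Volumes`, where `confidential_emptyDir`/`confidential_configMap` were removed) so a leftover flag is an error rather than a no-op that changes which policy is emitted.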
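Review bot: the `gid` testcase inputs now use `"UID": 0`, `"GID": 0` and `"AdditionalGids": [0]` where they previously used `UID: 2`, `GID: 1` and `AdditionalGids: [1, 123]`, so both cases in this file exercise only the root identity and the supplemental-group value is gone; presumably this follows from the new defaults, but the file no longer distinguishes a policy that checks GID/AdditionalGids from one that ignores them. If non-root UID/GID and supplemental groups are still meant to be enforced under the CoCo defaults, keep at least one case with non-zero values, or record in the test case why root-only is now the intended coverage.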
diff --git a/src/tools/genpolicy/tests/policy/testdata/createcontainer/network_namespace/testcases.json b/src/tools/genpolicy/tests/policy/testdata/createcontainer/network_namespace/testcases.json index bb4d97dd4f..a21b2e430f 100644 --- a/src/tools/genpolicy/tests/policy/testdata/createcontainer/network_namespace/testcases.json +++ b/src/tools/genpolicy/tests/policy/testdata/createcontainer/network_namespace/testcases.json @@ -130,7 +130,7 @@ }, "Root": { "Readonly": true, - "Path": "/run/kata-containers/shared/containers/bundle-id/rootfs" + "Path": "/run/kata-containers/bundle-id/rootfs" } } } @@ -266,7 +266,7 @@ }, "Root": { "Readonly": true, - "Path": "/run/kata-containers/shared/containers/bundle-id/rootfs" + "Path": "/run/kata-containers/bundle-id/rootfs" } } } @@ -398,7 +398,7 @@ }, "Root": { "Readonly": true, - "Path": "/run/kata-containers/shared/containers/bundle-id/rootfs" + "Path": "/run/kata-containers/bundle-id/rootfs" } } } @@ -534,7 +534,7 @@ }, "Root": { "Readonly": true, - "Path": "/run/kata-containers/shared/containers/bundle-id/rootfs" + "Path": "/run/kata-containers/bundle-id/rootfs" } } } diff --git a/src/tools/genpolicy/tests/policy/testdata/createcontainer/security_context/runas/testcases.json b/src/tools/genpolicy/tests/policy/testdata/createcontainer/security_context/runas/testcases.json index cbe0a7f392..6a1e03c5d1 100644 --- a/src/tools/genpolicy/tests/policy/testdata/createcontainer/security_context/runas/testcases.json +++ b/src/tools/genpolicy/tests/policy/testdata/createcontainer/security_context/runas/testcases.json @@ -238,7 +238,7 @@ } }, "Root": { - "Path": "/run/kata-containers/shared/containers/a10abe57d2a2e47c30d5bd2427170e019fddc587a59d173544d87842f1905da4/rootfs", + "Path": "/run/kata-containers/a10abe57d2a2e47c30d5bd2427170e019fddc587a59d173544d87842f1905da4/rootfs", "Readonly": true }, "Solaris": null, 
@@ -570,7 +570,7 @@ } }, "Root": { - "Path": "/run/kata-containers/shared/containers/dummy/rootfs", + "Path": "/run/kata-containers/dummy/rootfs", "Readonly": false }, "Solaris": null, @@ -819,7 +819,7 @@ } }, "Root": { - "Path": "/run/kata-containers/shared/containers/a10abe57d2a2e47c30d5bd2427170e019fddc587a59d173544d87842f1905da4/rootfs", + "Path": "/run/kata-containers/a10abe57d2a2e47c30d5bd2427170e019fddc587a59d173544d87842f1905da4/rootfs", "Readonly": true }, "Solaris": null, @@ -1067,7 +1067,7 @@ } }, "Root": { - "Path": "/run/kata-containers/shared/containers/a10abe57d2a2e47c30d5bd2427170e019fddc587a59d173544d87842f1905da4/rootfs", + "Path": "/run/kata-containers/a10abe57d2a2e47c30d5bd2427170e019fddc587a59d173544d87842f1905da4/rootfs", "Readonly": true }, "Solaris": null, diff --git a/src/tools/genpolicy/tests/policy/testdata/createcontainer/security_context/supplemental_groups/testcases.json b/src/tools/genpolicy/tests/policy/testdata/createcontainer/security_context/supplemental_groups/testcases.json index 617e1028e3..de4b394720 100644 --- a/src/tools/genpolicy/tests/policy/testdata/createcontainer/security_context/supplemental_groups/testcases.json +++ b/src/tools/genpolicy/tests/policy/testdata/createcontainer/security_context/supplemental_groups/testcases.json @@ -324,7 +324,7 @@ } }, "Root": { - "Path": "/run/kata-containers/shared/containers/dummy/rootfs", + "Path": "/run/kata-containers/dummy/rootfs", "Readonly": false }, "Solaris": null, @@ -659,7 +659,7 @@ } }, "Root": { - "Path": "/run/kata-containers/shared/containers/dummy/rootfs", + "Path": "/run/kata-containers/dummy/rootfs", "Readonly": false }, "Solaris": null, diff --git a/src/tools/genpolicy/tests/policy/testdata/createcontainer/sysctls/testcases.json b/src/tools/genpolicy/tests/policy/testdata/createcontainer/sysctls/testcases.json index 82c7c51bfe..665eff28f1 100644 --- a/src/tools/genpolicy/tests/policy/testdata/createcontainer/sysctls/testcases.json 
+++ b/src/tools/genpolicy/tests/policy/testdata/createcontainer/sysctls/testcases.json @@ -246,7 +246,7 @@ } }, "Root": { - "Path": "/run/kata-containers/shared/containers/4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12/rootfs", + "Path": "/run/kata-containers/4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12/rootfs", "Readonly": true }, "Solaris": null, @@ -269,7 +269,7 @@ ], "fs_group": null, "fstype": "overlay", - "mount_point": "/run/kata-containers/shared/containers/4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12/rootfs", + "mount_point": "/run/kata-containers/4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12/rootfs", "options": [], "source": "pause" } @@ -524,7 +524,7 @@ } }, "Root": { - "Path": "/run/kata-containers/shared/containers/4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12/rootfs", + "Path": "/run/kata-containers/4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12/rootfs", "Readonly": true }, "Solaris": null, @@ -547,7 +547,7 @@ ], "fs_group": null, "fstype": "overlay", - "mount_point": "/run/kata-containers/shared/containers/4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12/rootfs", + "mount_point": "/run/kata-containers/4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12/rootfs", "options": [], "source": "pause" } diff --git a/src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/config_map/testcases.json b/src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/config_map/testcases.json index 88cdfd2838..d0aee15b5e 100644 --- a/src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/config_map/testcases.json +++ b/src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/config_map/testcases.json 
@@ -128,24 +128,10 @@ }, "Root": { "Readonly": false, - "Path": "/run/kata-containers/shared/containers/bundle-id/rootfs" + "Path": "/run/kata-containers/bundle-id/rootfs" } }, - "storages": [ - { - "driver": "watchable-bind", - "driver_options": [], - "source": "/run/kata-containers/shared/containers/bundle-id-a1b2c3d4e5f6g7h8-config", - "fstype": "bind", - "options": [ - "rbind", - "rprivate", - "ro" - ], - "mount_point": "/run/kata-containers/shared/containers/watchable/bundle-id-a1b2c3d4e5f6g7h8-config", - "fs_group": null - } - ] + "storages": [] } } ] diff --git a/src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/container_image/testcases.json b/src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/container_image/testcases.json index 44705c1f81..508b24ea44 100644 --- a/src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/container_image/testcases.json +++ b/src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/container_image/testcases.json @@ -87,16 +87,16 @@ "Terminal": false, "User": { "AdditionalGids": [ - 1000 + 0 ], - "GID": 1000, + "GID": 0, "UID": 1000, "Username": "" } }, "Root": { "Readonly": false, - "Path": "/run/kata-containers/shared/containers/bundle-id/rootfs" + "Path": "/run/kata-containers/bundle-id/rootfs" }, "Mounts": [ { diff --git a/src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/emptydir/testcases.json b/src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/emptydir/testcases.json index 8460c9d542..fbf4719cdf 100644 --- a/src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/emptydir/testcases.json +++ b/src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/emptydir/testcases.json @@ -129,7 +129,7 @@ }, "Root": { "Readonly": false, - "Path": "/run/kata-containers/shared/containers/bundle-id/rootfs" + "Path": "/run/kata-containers/bundle-id/rootfs" }, "Mounts": [ { 
@@ -342,7 +342,7 @@ }, "Root": { "Readonly": false, - "Path": "/run/kata-containers/shared/containers/bundle-id/rootfs" + "Path": "/run/kata-containers/bundle-id/rootfs" }, "Mounts": [ { @@ -535,7 +535,7 @@ }, "Root": { "Readonly": false, - "Path": "/run/kata-containers/shared/containers/bundle-id/rootfs" + "Path": "/run/kata-containers/bundle-id/rootfs" }, "Mounts": [ { @@ -738,7 +738,7 @@ }, "Root": { "Readonly": false, - "Path": "/run/kata-containers/shared/containers/bundle-id/rootfs" + "Path": "/run/kata-containers/bundle-id/rootfs" }, "Mounts": [ { @@ -925,7 +925,7 @@ }, "Root": { "Readonly": false, - "Path": "/run/kata-containers/shared/containers/bundle-id/rootfs" + "Path": "/run/kata-containers/bundle-id/rootfs" }, "Mounts": [ { @@ -1082,7 +1082,7 @@ }, "Root": { "Readonly": false, - "Path": "/run/kata-containers/shared/containers/bundle-id/rootfs" + "Path": "/run/kata-containers/bundle-id/rootfs" }, "Mounts": [ { @@ -1239,7 +1239,7 @@ }, "Root": { "Readonly": false, - "Path": "/run/kata-containers/shared/containers/bundle-id/rootfs" + "Path": "/run/kata-containers/bundle-id/rootfs" }, "Mounts": [ { @@ -1472,7 +1472,7 @@ }, "Root": { "Readonly": false, - "Path": "/run/kata-containers/shared/containers/bundle-id/rootfs" + "Path": "/run/kata-containers/bundle-id/rootfs" }, "Mounts": [ { @@ -1665,7 +1665,7 @@ }, "Root": { "Readonly": false, - "Path": "/run/kata-containers/shared/containers/bundle-id/rootfs" + "Path": "/run/kata-containers/bundle-id/rootfs" }, "Mounts": [ { diff --git a/src/tools/genpolicy/tests/policy/testdata/state/createcontainer/testcases.json b/src/tools/genpolicy/tests/policy/testdata/state/createcontainer/testcases.json index 7f8635ed8a..b3d5fce8de 100644 --- a/src/tools/genpolicy/tests/policy/testdata/state/createcontainer/testcases.json +++ b/src/tools/genpolicy/tests/policy/testdata/state/createcontainer/testcases.json 
@@ -239,7 +239,7 @@ } }, "Root": { - "Path": "/run/kata-containers/shared/containers/4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12/rootfs", + "Path": "/run/kata-containers/4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12/rootfs", "Readonly": true }, "Solaris": null, @@ -262,7 +262,7 @@ ], "fs_group": null, "fstype": "overlay", - "mount_point": "/run/kata-containers/shared/containers/4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12/rootfs", + "mount_point": "/run/kata-containers/4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12/rootfs", "options": [], "source": "pause" } diff --git a/src/tools/genpolicy/tests/policy/testdata/state/execprocess/testcases.json b/src/tools/genpolicy/tests/policy/testdata/state/execprocess/testcases.json index 1d15ebbe9b..634fcf6a7f 100644 --- a/src/tools/genpolicy/tests/policy/testdata/state/execprocess/testcases.json +++ b/src/tools/genpolicy/tests/policy/testdata/state/execprocess/testcases.json @@ -278,8 +278,7 @@ "Terminal": false, "User": { "AdditionalGids": [ - 0, - 10 + 0 ], "GID": 0, "UID": 0, @@ -287,7 +286,7 @@ } }, "Root": { - "Path": "/run/kata-containers/shared/containers/88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9/rootfs", + "Path": "/run/kata-containers/88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9/rootfs", "Readonly": false }, "Solaris": null, @@ -582,8 +581,7 @@ "Terminal": false, "User": { "AdditionalGids": [ - 0, - 10 + 0 ], "GID": 0, "UID": 0, @@ -591,7 +589,7 @@ } }, "Root": { - "Path": "/run/kata-containers/shared/containers/22941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9/rootfs", + "Path": "/run/kata-containers/22941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9/rootfs", "Readonly": false }, "Solaris": null, @@ -622,8 +620,7 @@ "UID": 0, "GID": 0, "AdditionalGids": [ - 0, - 10 + 0 ], "Username": "" }, 
@@ -658,8 +655,7 @@ "UID": 0, "GID": 0, "AdditionalGids": [ - 0, - 10 + 0 ], "Username": "" }, @@ -694,8 +690,7 @@ "UID": 0, "GID": 0, "AdditionalGids": [ - 0, - 10 + 0 ], "Username": "" }, @@ -730,8 +725,7 @@ "UID": 0, "GID": 0, "AdditionalGids": [ - 0, - 10 + 0 ], "Username": "" }, @@ -774,8 +768,7 @@ "UID": 0, "GID": 0, "AdditionalGids": [ - 0, - 10 + 0 ], "Username": "" }, @@ -810,8 +803,7 @@ "UID": 0, "GID": 0, "AdditionalGids": [ - 0, - 10 + 0 ], "Username": "" }, @@ -879,8 +871,7 @@ "UID": 0, "GID": 0, "AdditionalGids": [ - 0, - 10 + 0 ], "Username": "" }, @@ -916,11 +907,18 @@ "User": { "UID": 0, "GID": 0, - "AdditionalGids": [0, 10], + "AdditionalGids": [ + 0 + ], "Username": "" }, - "Args": ["test1", "--flag"], - "Env": ["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"], + "Args": [ + "test1", + "--flag" + ], + "Env": [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" + ], "Cwd": "/", "Capabilities": null, "Rlimits": [], @@ -1033,8 +1031,7 @@ "UID": 0, "GID": 0, "AdditionalGids": [ - 0, - 10 + 0 ], "Username": "" }, @@ -1069,8 +1066,7 @@ "UID": 0, "GID": 0, "AdditionalGids": [ - 0, - 10 + 0 ], "Username": "" }, @@ -1114,8 +1110,7 @@ "UID": 0, "GID": 0, "AdditionalGids": [ - 0, - 10 + 0 ], "Username": "" }, @@ -1135,4 +1130,4 @@ } } } -] +] \ No newline at end of file diff --git a/tests/integration/kubernetes/tests_common.sh b/tests/integration/kubernetes/tests_common.sh index b12e93c4c3..473358a579 100644 --- a/tests/integration/kubernetes/tests_common.sh +++ b/tests/integration/kubernetes/tests_common.sh 
@@ -85,68 +85,53 @@ auto_generate_policy_enabled() { [[ "${AUTO_GENERATE_POLICY}" == "yes" ]] } -# adapt common policy settings for tdx or snp -adapt_common_policy_settings_for_tdx() { - local settings_dir=$1 - - info "Adapting common policy settings for TDX, SNP, or the non-TEE development environment" - jq '.kata_config.confidential_guest = true | .common.cpath = "/run/kata-containers" | .volumes.configMap.mount_point = "^$(cpath)/$(bundle-id)-[a-z0-9]{16}-"' "${settings_dir}/genpolicy-settings.json" > temp.json && sudo mv temp.json "${settings_dir}/genpolicy-settings.json" +is_coco_platform() { + case "${KATA_HYPERVISOR}" in + "qemu-tdx"|"qemu-snp"|"qemu-coco-dev") + return 0 + ;; + *) + return 1 + esac } -# adapt common policy settings for pod VMs using "shared_fs = virtio-fs" (https://github.com/kata-containers/kata-containers/issues/10189) -adapt_common_policy_settings_for_virtio_fs() { +adapt_common_policy_settings_for_non_coco() { local settings_dir=$1 - info "Adapting common policy settings for shared_fs=virtio-fs" - jq '.request_defaults.UpdateEphemeralMountsRequest = true' "${settings_dir}/genpolicy-settings.json" > temp.json && sudo mv temp.json "${settings_dir}/genpolicy-settings.json" + info "Adapting common policy settings from ${settings_dir} for non-CoCo guest" + + # Using UpdateEphemeralMountsRequest - instead of CopyFileRequest. + jq '.request_defaults.UpdateEphemeralMountsRequest = true' "${settings_dir}/genpolicy-settings.json" > temp.json + sudo mv temp.json "${settings_dir}/genpolicy-settings.json" + + # Using a different path to container container root. + jq '.common.root_path = "/run/kata-containers/shared/containers/$(bundle-id)/rootfs"' "${settings_dir}/genpolicy-settings.json" > temp.json + sudo mv temp.json "${settings_dir}/genpolicy-settings.json" + + # Using CreateContainer Storage input structs for configMap & secret volumes - instead of using CopyFile like CoCo. 
+ jq '.kata_config.enable_configmap_secret_storages = true' "${settings_dir}/genpolicy-settings.json" > temp.json + sudo mv temp.json "${settings_dir}/genpolicy-settings.json" + + # Using watchable binds for configMap volumes - instead of CopyFileRequest. + jq '.volumes.configMap.mount_point = "^$(cpath)/watchable/$(bundle-id)-[a-z0-9]{16}-" | .volumes.configMap.driver = "watchable-bind"' \ + "${settings_dir}/genpolicy-settings.json" > temp.json + sudo mv temp.json "${settings_dir}/genpolicy-settings.json" + + # Using a Storage input struct for paths shared with the Host using virtio-fs. jq '.sandbox.storages += [{"driver":"virtio-fs","driver_options":[],"fs_group":null,"fstype":"virtiofs","mount_point":"/run/kata-containers/shared/containers/","options":[],"source":"kataShared"}]' \ - "${settings_dir}/genpolicy-settings.json" > temp.json && sudo mv temp.json "${settings_dir}/genpolicy-settings.json" -} + "${settings_dir}/genpolicy-settings.json" > temp.json + sudo mv temp.json "${settings_dir}/genpolicy-settings.json" -# adapt common policy settings for CBL-Mariner Hosts -adapt_common_policy_settings_for_cbl_mariner() { - true -} - -# adapt common policy settings for guest-pull Hosts -# see issue https://github.com/kata-containers/kata-containers/issues/11162 -adapt_common_policy_settings_for_guest_pull() { - local settings_dir=$1 - - info "Adapting common policy settings for guest-pull environment" - jq '.cluster_config.guest_pull = true' "${settings_dir}/genpolicy-settings.json" > temp.json && sudo mv temp.json "${settings_dir}/genpolicy-settings.json" + # Disable guest pull. 
+ jq '.cluster_config.guest_pull = false' "${settings_dir}/genpolicy-settings.json" > temp.json + sudo mv temp.json "${settings_dir}/genpolicy-settings.json" } # adapt common policy settings for various platforms adapt_common_policy_settings() { local settings_dir=$1 - case "${KATA_HYPERVISOR}" in - "qemu-tdx"|"qemu-snp"|"qemu-coco-dev") - adapt_common_policy_settings_for_tdx "${settings_dir}" - ;; - *) - # AUTO_GENERATE_POLICY=yes is currently supported by this script when testing: - # - The SNP or TDX platforms above, that are using "shared_fs = none". - # - Other platforms that are using "shared_fs = virtio-fs". - # Attempting to test using AUTO_GENERATE_POLICY=yes on platforms that are not - # supported yet is likely to result in test failures due to incorrectly auto- - # generated policies. - adapt_common_policy_settings_for_virtio_fs "${settings_dir}" - ;; - esac - - case "${KATA_HOST_OS}" in - "cbl-mariner") - adapt_common_policy_settings_for_cbl_mariner "${settings_dir}" - ;; - esac - - case "${PULL_TYPE}" in - "guest-pull") - adapt_common_policy_settings_for_guest_pull "${settings_dir}" - ;; - esac + is_coco_platform || adapt_common_policy_settings_for_non_coco "${settings_dir}" } # If auto-generated policy testing is enabled, make a copy of the genpolicy settings,
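Review bot: every `jq … > temp.json` in `adapt_common_policy_settings_for_non_coco` is now followed by `sudo mv temp.json …` on its own line with no `&&`, whereas the removed code chained the two; if `jq` fails (bad filter, unreadable input) the empty or partial `temp.json` is still moved over `genpolicy-settings.json` with root privileges, and unless the script runs under `set -e` (not visible here) the test proceeds with a truncated settings file and a policy generated from it. Restore the chaining, ideally through one helper so the five edits cannot drift again; the comment `# Using a different path to container container root.` also has a doubled word. The helper below keeps the existing `temp.json`/`sudo mv` mechanics and only adds the failure check.
```shell
# Apply one jq filter to the genpolicy settings file in place.
# Fails, leaving the settings file untouched, if jq rejects the filter or its input.
update_genpolicy_settings() {
    local settings_dir=$1
    local filter=$2
    local settings_file="${settings_dir}/genpolicy-settings.json"

    jq "${filter}" "${settings_file}" > temp.json && sudo mv temp.json "${settings_file}"
}

adapt_common_policy_settings_for_non_coco() {
    local settings_dir=$1

    info "Adapting common policy settings from ${settings_dir} for non-CoCo guest"

    # Using UpdateEphemeralMountsRequest - instead of CopyFileRequest.
    update_genpolicy_settings "${settings_dir}" '.request_defaults.UpdateEphemeralMountsRequest = true' || return 1

    # Using a different path to the container root.
    update_genpolicy_settings "${settings_dir}" '.common.root_path = "/run/kata-containers/shared/containers/$(bundle-id)/rootfs"' || return 1

    # … unchanged: the remaining filters (enable_configmap_secret_storages, configMap watchable-bind, sandbox virtio-fs storage, guest_pull = false), each routed through update_genpolicy_settings with "|| return 1" …
}
```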