github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-08-05 18:14:55 +00:00
Code Issues Projects Releases Wiki Activity

genpolicy: use CoCo settings by default

Browse Source 
- "confidential_emptyDir" becomes "emptyDir" in the settings file.
- "confidential_configMap" becomes "configMap" in settings.
- "mount_source_cpath" becomes "cpath".
- The new "root_path" gets used instead of the old "cpath" to point to
  the container root path..
- "confidential_guest" is no longer used. By default it gets replaced
  by "enable_configmap_secret_storages"=false, because CoCo is using
  CopyFileRequest instead of the Storage data structures for ConfigMap
  and/or Secret volume mounts during CreateContainerRequest.
- The value of "guest_pull" becomes true by default.
- "image_layer_verification" is no longer used - just CoCo's guest pull
  is supported.
- The Request input files from unit tests are changing to reflect the
  new default settings values described above.
- tests/integration/kubernetes/tests_common.sh adjusts the settings for
  platforms that are not set-up for CoCo during CI (i.e., platforms
  other than SNP, TDX, and CoCo Dev).

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
This commit is contained in:
Dan Mihai 2025-07-10 15:59:38 +00:00
parent 94995d7102
commit 30bfa2dfcc
17 changed files with 119 additions and 186 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
src/tools/genpolicy/genpolicy-settings.json
View File

@ -1,7 +1,7 @@
{ {
"pause_container": { "pause_container": {
"Root": { "Root": {
"Path": "$(cpath)/$(bundle-id)/rootfs", "Path": "$(root_path)",
"Readonly": true "Readonly": true
}, },
"Mounts": [ "Mounts": [
@ -73,7 +73,7 @@
}, },
"other_container": { "other_container": {
"Root": { "Root": {
"Path": "$(cpath)/$(bundle-id)/rootfs" "Path": "$(root_path)"
}, },
"Mounts": [ "Mounts": [
{ {
@ -163,17 +163,6 @@
"mode=0777" "mode=0777"
] ]
}, },
"confidential_emptyDir": {
"mount_type": "local",
"mount_source": "^$(cpath)/$(sandbox-id)/rootfs/local/",
"mount_point": "^$(cpath)/$(sandbox-id)/rootfs/local/",
"driver": "local",
"source": "local",
"fstype": "local",
"options": [
"mode=0777"
]
},
"emptyDir_memory": { "emptyDir_memory": {
"mount_type": "bind", "mount_type": "bind",
"mount_source": "^/run/kata-containers/sandbox/ephemeral/", "mount_source": "^/run/kata-containers/sandbox/ephemeral/",
@ -184,18 +173,6 @@
"options": [] "options": []
}, },
"configMap": { "configMap": {
"mount_type": "bind",
"mount_source": "$(sfprefix)",
"mount_point": "^$(cpath)/watchable/$(bundle-id)-[a-z0-9]{16}-",
"driver": "watchable-bind",
"fstype": "bind",
"options": [
"rbind",
"rprivate",
"ro"
]
},
"confidential_configMap": {
"mount_type": "bind", "mount_type": "bind",
"mount_source": "$(sfprefix)", "mount_source": "$(sfprefix)",
"mount_point": "$(sfprefix)", "mount_point": "$(sfprefix)",
@ -251,7 +228,7 @@
}, },
"common": { "common": {
"cpath": "/run/kata-containers/shared/containers", "cpath": "/run/kata-containers/shared/containers",
"mount_source_cpath": "/run/kata-containers/shared/containers", "root_path": "/run/kata-containers/$(bundle-id)/rootfs",
"sfprefix": "^$(cpath)/$(bundle-id)-[a-z0-9]{16}-", "sfprefix": "^$(cpath)/$(bundle-id)-[a-z0-9]{16}-",
"ip_p": "[0-9]{1,5}", "ip_p": "[0-9]{1,5}",
"ipv4_a": "(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])", "ipv4_a": "(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])",
@ -319,12 +296,12 @@
"image_layer_verification" : "none" "image_layer_verification" : "none"
}, },
"kata_config": { "kata_config": {
"confidential_guest": false, "oci_version": "1.1.0",
"oci_version": "1.1.0" "enable_configmap_secret_storages": false
}, },
"cluster_config": { "cluster_config": {
"pause_container_image": "mcr.microsoft.com/oss/kubernetes/pause:3.6", "pause_container_image": "mcr.microsoft.com/oss/kubernetes/pause:3.6",
"guest_pull": false "guest_pull": true
}, },
"request_defaults": { "request_defaults": {
"CreateContainerRequest": { "CreateContainerRequest": {

15
src/tools/genpolicy/rules.rego
View File

@ -669,6 +669,7 @@ allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) if {
# Reject possible attempts to match multiple input mounts with a single Policy mount. # Reject possible attempts to match multiple input mounts with a single Policy mount.
p_matches := { p_index | some i_index; p_index = allow_mount(p_oci, input.OCI.Mounts[i_index], bundle_id, sandbox_id) } p_matches := { p_index | some i_index; p_index = allow_mount(p_oci, input.OCI.Mounts[i_index], bundle_id, sandbox_id) }
print("allow_by_bundle_or_sandbox_id: p_matches =", p_matches)
count(p_matches) == count(input.OCI.Mounts) count(p_matches) == count(input.OCI.Mounts)
allow_storages(p_storages, i_storages, bundle_id, sandbox_id) allow_storages(p_storages, i_storages, bundle_id, sandbox_id)
@ -967,7 +968,7 @@ allow_root_path(p_oci, i_oci, bundle_id) if {
p_path1 := p_oci.Root.Path p_path1 := p_oci.Root.Path
print("allow_root_path: i_path =", i_path, "p_path1 =", p_path1) print("allow_root_path: i_path =", i_path, "p_path1 =", p_path1)
p_path2 := replace(p_path1, "$(cpath)", policy_data.common.cpath) p_path2 := replace(p_path1, "$(root_path)", policy_data.common.root_path)
print("allow_root_path: p_path2 =", p_path2) print("allow_root_path: p_path2 =", p_path2)
p_path3 := replace(p_path2, "$(bundle-id)", bundle_id) p_path3 := replace(p_path2, "$(bundle-id)", bundle_id)
@ -983,8 +984,8 @@ allow_root_path(p_oci, i_oci, bundle_id) if {
allow_mount(p_oci, i_mount, bundle_id, sandbox_id):= p_index if { allow_mount(p_oci, i_mount, bundle_id, sandbox_id):= p_index if {
print("allow_mount: i_mount =", i_mount) print("allow_mount: i_mount =", i_mount)
p_mount := p_oci.Mounts[p_index] some p_index, p_mount in p_oci.Mounts
print("allow_mount: p_mount =", p_mount) print("allow_mount: p_index =", p_index, "p_mount =", p_mount)
check_mount(p_mount, i_mount, bundle_id, sandbox_id) check_mount(p_mount, i_mount, bundle_id, sandbox_id)
print("allow_mount: true, p_index =", p_index) print("allow_mount: true, p_index =", p_index)
@ -1007,7 +1008,7 @@ check_mount(p_mount, i_mount, bundle_id, sandbox_id) if {
mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) if { mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) if {
regex1 := p_mount.source regex1 := p_mount.source
regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix) regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix)
regex3 := replace(regex2, "$(cpath)", policy_data.common.mount_source_cpath) regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath)
regex4 := replace(regex3, "$(bundle-id)", bundle_id) regex4 := replace(regex3, "$(bundle-id)", bundle_id)
print("mount_source_allows 1: regex4 =", regex4) print("mount_source_allows 1: regex4 =", regex4)
@ -1018,7 +1019,7 @@ mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) if {
mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) if { mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) if {
regex1 := p_mount.source regex1 := p_mount.source
regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix) regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix)
regex3 := replace(regex2, "$(cpath)", policy_data.common.mount_source_cpath) regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath)
regex4 := replace(regex3, "$(sandbox-id)", sandbox_id) regex4 := replace(regex3, "$(sandbox-id)", sandbox_id)
print("mount_source_allows 2: regex4 =", regex4) print("mount_source_allows 2: regex4 =", regex4)
@ -1117,7 +1118,7 @@ allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id) if {
mount1 := p_storage.mount_point mount1 := p_storage.mount_point
print("allow_mount_point 3: mount1 =", mount1) print("allow_mount_point 3: mount1 =", mount1)
mount2 := replace(mount1, "$(cpath)", policy_data.common.mount_source_cpath) mount2 := replace(mount1, "$(cpath)", policy_data.common.cpath)
print("allow_mount_point 1: mount2 =", mount2) print("allow_mount_point 1: mount2 =", mount2)
mount3 := replace(mount2, "$(sandbox-id)", sandbox_id) mount3 := replace(mount2, "$(sandbox-id)", sandbox_id)
@ -1250,7 +1251,7 @@ CopyFileRequest if {
some regex1 in policy_data.request_defaults.CopyFileRequest some regex1 in policy_data.request_defaults.CopyFileRequest
regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix) regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix)
regex3 := replace(regex2, "$(cpath)", policy_data.common.mount_source_cpath) regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath)
regex4 := replace(regex3, "$(bundle-id)", "[a-z0-9]{64}") regex4 := replace(regex3, "$(bundle-id)", "[a-z0-9]{64}")
print("CopyFileRequest: regex4 =", regex4) print("CopyFileRequest: regex4 =", regex4)

14
src/tools/genpolicy/src/mount_and_storage.rs
View File

@ -122,11 +122,7 @@ pub fn get_mount_and_storage(
} }
if volume.is_none() { if volume.is_none() {
volume = if settings.kata_config.confidential_guest { volume = Some(&settings_volumes.emptyDir);
Some(&settings_volumes.confidential_emptyDir)
} else {
Some(&settings_volumes.emptyDir)
}
} }
get_empty_dir_mount_and_storage(settings, p_mounts, storages, yaml_mount, volume.unwrap()); get_empty_dir_mount_and_storage(settings, p_mounts, storages, yaml_mount, volume.unwrap());
@ -270,14 +266,10 @@ fn get_config_map_mount_and_storage(
yaml_mount: &pod::VolumeMount, yaml_mount: &pod::VolumeMount,
) { ) {
let settings_volumes = &settings.volumes; let settings_volumes = &settings.volumes;
let settings_config_map = if settings.kata_config.confidential_guest { let settings_config_map = &settings_volumes.configMap;
&settings_volumes.confidential_configMap
} else {
&settings_volumes.configMap
};
debug!("Settings configMap: {:?}", settings_config_map); debug!("Settings configMap: {:?}", settings_config_map);
if !settings.kata_config.confidential_guest { if settings.kata_config.enable_configmap_secret_storages {
let mount_path = Path::new(&yaml_mount.mountPath).file_name().unwrap(); let mount_path = Path::new(&yaml_mount.mountPath).file_name().unwrap();
let mount_path_str = OsString::from(mount_path).into_string().unwrap(); let mount_path_str = OsString::from(mount_path).into_string().unwrap();

4
src/tools/genpolicy/src/policy.rs
View File

@ -393,8 +393,8 @@ pub struct CommonData {
/// Path to the shared container files - e.g., "/run/kata-containers/shared/containers". /// Path to the shared container files - e.g., "/run/kata-containers/shared/containers".
pub cpath: String, pub cpath: String,
/// Path to the shared container files for mount sources - e.g., "/run/kata-containers/shared/containers". /// Path to the container root - e.g., "/run/kata-containers/$(bundle-id)/rootfs".
pub mount_source_cpath: String, pub root_path: String,
/// Regex prefix for shared file paths - e.g., "^$(cpath)/$(bundle-id)-[a-z0-9]{16}-". /// Regex prefix for shared file paths - e.g., "^$(cpath)/$(bundle-id)-[a-z0-9]{16}-".
pub sfprefix: String, pub sfprefix: String,

4
src/tools/genpolicy/src/settings.rs
View File

@ -31,10 +31,8 @@ pub struct Settings {
#[derive(Clone, Debug, Serialize, Deserialize)] #[derive(Clone, Debug, Serialize, Deserialize)]
pub struct Volumes { pub struct Volumes {
pub emptyDir: EmptyDirVolume, pub emptyDir: EmptyDirVolume,
pub confidential_emptyDir: EmptyDirVolume,
pub emptyDir_memory: EmptyDirVolume, pub emptyDir_memory: EmptyDirVolume,
pub configMap: ConfigMapVolume, pub configMap: ConfigMapVolume,
pub confidential_configMap: ConfigMapVolume,
pub image_volume: ImageVolume, pub image_volume: ImageVolume,
} }
@ -76,8 +74,8 @@ pub struct ImageVolume {
/// genpolicy-settings.json. /// genpolicy-settings.json.
#[derive(Clone, Debug, Serialize, Deserialize)] #[derive(Clone, Debug, Serialize, Deserialize)]
pub struct KataConfig { pub struct KataConfig {
pub confidential_guest: bool,
pub oci_version: String, pub oci_version: String,
pub enable_configmap_secret_storages: bool,
} }
impl Settings { impl Settings {

4
src/tools/genpolicy/tests/policy/testdata/createcontainer/generate_name/testcases.json vendored
View File

@ -130,7 +130,7 @@
}, },
"Root": { "Root": {
"Readonly": true, "Readonly": true,
"Path": "/run/kata-containers/shared/containers/bundle-id/rootfs" "Path": "/run/kata-containers/bundle-id/rootfs"
} }
} }
} }
@ -266,7 +266,7 @@
}, },
"Root": { "Root": {
"Readonly": true, "Readonly": true,
"Path": "/run/kata-containers/shared/containers/bundle-id/rootfs" "Path": "/run/kata-containers/bundle-id/rootfs"
} }
} }
} }

15
src/tools/genpolicy/tests/policy/testdata/createcontainer/gid/testcases.json vendored
View File

@ -293,15 +293,15 @@
"Terminal": false, "Terminal": false,
"User": { "User": {
"AdditionalGids": [ "AdditionalGids": [
1 0
], ],
"GID": 1, "GID": 0,
"UID": 2, "UID": 0,
"Username": "" "Username": ""
} }
}, },
"Root": { "Root": {
"Path": "/run/kata-containers/shared/containers/gid/rootfs", "Path": "/run/kata-containers/gid/rootfs",
"Readonly": false "Readonly": false
}, },
"Solaris": null, "Solaris": null,
@ -626,11 +626,10 @@
"Terminal": false, "Terminal": false,
"User": { "User": {
"AdditionalGids": [ "AdditionalGids": [
1, 0
123
], ],
"GID": 1, "GID": 0,
"UID": 2, "UID": 0,
"Username": "" "Username": ""
} }
}, },

8
src/tools/genpolicy/tests/policy/testdata/createcontainer/network_namespace/testcases.json vendored
View File

@ -130,7 +130,7 @@
}, },
"Root": { "Root": {
"Readonly": true, "Readonly": true,
"Path": "/run/kata-containers/shared/containers/bundle-id/rootfs" "Path": "/run/kata-containers/bundle-id/rootfs"
} }
} }
} }
@ -266,7 +266,7 @@
}, },
"Root": { "Root": {
"Readonly": true, "Readonly": true,
"Path": "/run/kata-containers/shared/containers/bundle-id/rootfs" "Path": "/run/kata-containers/bundle-id/rootfs"
} }
} }
} }
@ -398,7 +398,7 @@
}, },
"Root": { "Root": {
"Readonly": true, "Readonly": true,
"Path": "/run/kata-containers/shared/containers/bundle-id/rootfs" "Path": "/run/kata-containers/bundle-id/rootfs"
} }
} }
} }
@ -534,7 +534,7 @@
}, },
"Root": { "Root": {
"Readonly": true, "Readonly": true,
"Path": "/run/kata-containers/shared/containers/bundle-id/rootfs" "Path": "/run/kata-containers/bundle-id/rootfs"
} }
} }
} }

8
src/tools/genpolicy/tests/policy/testdata/createcontainer/security_context/runas/testcases.json vendored
View File

@ -238,7 +238,7 @@
} }
}, },
"Root": { "Root": {
"Path": "/run/kata-containers/shared/containers/a10abe57d2a2e47c30d5bd2427170e019fddc587a59d173544d87842f1905da4/rootfs", "Path": "/run/kata-containers/a10abe57d2a2e47c30d5bd2427170e019fddc587a59d173544d87842f1905da4/rootfs",
"Readonly": true "Readonly": true
}, },
"Solaris": null, "Solaris": null,
@ -570,7 +570,7 @@
} }
}, },
"Root": { "Root": {
"Path": "/run/kata-containers/shared/containers/dummy/rootfs", "Path": "/run/kata-containers/dummy/rootfs",
"Readonly": false "Readonly": false
}, },
"Solaris": null, "Solaris": null,
@ -819,7 +819,7 @@
} }
}, },
"Root": { "Root": {
"Path": "/run/kata-containers/shared/containers/a10abe57d2a2e47c30d5bd2427170e019fddc587a59d173544d87842f1905da4/rootfs", "Path": "/run/kata-containers/a10abe57d2a2e47c30d5bd2427170e019fddc587a59d173544d87842f1905da4/rootfs",
"Readonly": true "Readonly": true
}, },
"Solaris": null, "Solaris": null,
@ -1067,7 +1067,7 @@
} }
}, },
"Root": { "Root": {
"Path": "/run/kata-containers/shared/containers/a10abe57d2a2e47c30d5bd2427170e019fddc587a59d173544d87842f1905da4/rootfs", "Path": "/run/kata-containers/a10abe57d2a2e47c30d5bd2427170e019fddc587a59d173544d87842f1905da4/rootfs",
"Readonly": true "Readonly": true
}, },
"Solaris": null, "Solaris": null,

4
src/tools/genpolicy/tests/policy/testdata/createcontainer/security_context/supplemental_groups/testcases.json vendored
View File

@ -324,7 +324,7 @@
} }
}, },
"Root": { "Root": {
"Path": "/run/kata-containers/shared/containers/dummy/rootfs", "Path": "/run/kata-containers/dummy/rootfs",
"Readonly": false "Readonly": false
}, },
"Solaris": null, "Solaris": null,
@ -659,7 +659,7 @@
} }
}, },
"Root": { "Root": {
"Path": "/run/kata-containers/shared/containers/dummy/rootfs", "Path": "/run/kata-containers/dummy/rootfs",
"Readonly": false "Readonly": false
}, },
"Solaris": null, "Solaris": null,

8
src/tools/genpolicy/tests/policy/testdata/createcontainer/sysctls/testcases.json vendored
View File

@ -246,7 +246,7 @@
} }
}, },
"Root": { "Root": {
"Path": "/run/kata-containers/shared/containers/4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12/rootfs", "Path": "/run/kata-containers/4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12/rootfs",
"Readonly": true "Readonly": true
}, },
"Solaris": null, "Solaris": null,
@ -269,7 +269,7 @@
], ],
"fs_group": null, "fs_group": null,
"fstype": "overlay", "fstype": "overlay",
"mount_point": "/run/kata-containers/shared/containers/4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12/rootfs", "mount_point": "/run/kata-containers/4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12/rootfs",
"options": [], "options": [],
"source": "pause" "source": "pause"
} }
@ -524,7 +524,7 @@
} }
}, },
"Root": { "Root": {
"Path": "/run/kata-containers/shared/containers/4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12/rootfs", "Path": "/run/kata-containers/4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12/rootfs",
"Readonly": true "Readonly": true
}, },
"Solaris": null, "Solaris": null,
@ -547,7 +547,7 @@
], ],
"fs_group": null, "fs_group": null,
"fstype": "overlay", "fstype": "overlay",
"mount_point": "/run/kata-containers/shared/containers/4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12/rootfs", "mount_point": "/run/kata-containers/4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12/rootfs",
"options": [], "options": [],
"source": "pause" "source": "pause"
} }

18
src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/config_map/testcases.json vendored
View File

@ -128,24 +128,10 @@
}, },
"Root": { "Root": {
"Readonly": false, "Readonly": false,
"Path": "/run/kata-containers/shared/containers/bundle-id/rootfs" "Path": "/run/kata-containers/bundle-id/rootfs"
} }
}, },
"storages": [ "storages": []
{
"driver": "watchable-bind",
"driver_options": [],
"source": "/run/kata-containers/shared/containers/bundle-id-a1b2c3d4e5f6g7h8-config",
"fstype": "bind",
"options": [
"rbind",
"rprivate",
"ro"
],
"mount_point": "/run/kata-containers/shared/containers/watchable/bundle-id-a1b2c3d4e5f6g7h8-config",
"fs_group": null
}
]
} }
} }
] ]

6
src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/container_image/testcases.json vendored
View File

@ -87,16 +87,16 @@
"Terminal": false, "Terminal": false,
"User": { "User": {
"AdditionalGids": [ "AdditionalGids": [
1000 0
], ],
"GID": 1000, "GID": 0,
"UID": 1000, "UID": 1000,
"Username": "" "Username": ""
} }
}, },
"Root": { "Root": {
"Readonly": false, "Readonly": false,
"Path": "/run/kata-containers/shared/containers/bundle-id/rootfs" "Path": "/run/kata-containers/bundle-id/rootfs"
}, },
"Mounts": [ "Mounts": [
{ {

18
src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/emptydir/testcases.json vendored
View File

@ -129,7 +129,7 @@
}, },
"Root": { "Root": {
"Readonly": false, "Readonly": false,
"Path": "/run/kata-containers/shared/containers/bundle-id/rootfs" "Path": "/run/kata-containers/bundle-id/rootfs"
}, },
"Mounts": [ "Mounts": [
{ {
@ -342,7 +342,7 @@
}, },
"Root": { "Root": {
"Readonly": false, "Readonly": false,
"Path": "/run/kata-containers/shared/containers/bundle-id/rootfs" "Path": "/run/kata-containers/bundle-id/rootfs"
}, },
"Mounts": [ "Mounts": [
{ {
@ -535,7 +535,7 @@
}, },
"Root": { "Root": {
"Readonly": false, "Readonly": false,
"Path": "/run/kata-containers/shared/containers/bundle-id/rootfs" "Path": "/run/kata-containers/bundle-id/rootfs"
}, },
"Mounts": [ "Mounts": [
{ {
@ -738,7 +738,7 @@
}, },
"Root": { "Root": {
"Readonly": false, "Readonly": false,
"Path": "/run/kata-containers/shared/containers/bundle-id/rootfs" "Path": "/run/kata-containers/bundle-id/rootfs"
}, },
"Mounts": [ "Mounts": [
{ {
@ -925,7 +925,7 @@
}, },
"Root": { "Root": {
"Readonly": false, "Readonly": false,
"Path": "/run/kata-containers/shared/containers/bundle-id/rootfs" "Path": "/run/kata-containers/bundle-id/rootfs"
}, },
"Mounts": [ "Mounts": [
{ {
@ -1082,7 +1082,7 @@
}, },
"Root": { "Root": {
"Readonly": false, "Readonly": false,
"Path": "/run/kata-containers/shared/containers/bundle-id/rootfs" "Path": "/run/kata-containers/bundle-id/rootfs"
}, },
"Mounts": [ "Mounts": [
{ {
@ -1239,7 +1239,7 @@
}, },
"Root": { "Root": {
"Readonly": false, "Readonly": false,
"Path": "/run/kata-containers/shared/containers/bundle-id/rootfs" "Path": "/run/kata-containers/bundle-id/rootfs"
}, },
"Mounts": [ "Mounts": [
{ {
@ -1472,7 +1472,7 @@
}, },
"Root": { "Root": {
"Readonly": false, "Readonly": false,
"Path": "/run/kata-containers/shared/containers/bundle-id/rootfs" "Path": "/run/kata-containers/bundle-id/rootfs"
}, },
"Mounts": [ "Mounts": [
{ {
@ -1665,7 +1665,7 @@
}, },
"Root": { "Root": {
"Readonly": false, "Readonly": false,
"Path": "/run/kata-containers/shared/containers/bundle-id/rootfs" "Path": "/run/kata-containers/bundle-id/rootfs"
}, },
"Mounts": [ "Mounts": [
{ {

4
src/tools/genpolicy/tests/policy/testdata/state/createcontainer/testcases.json vendored
View File

@ -239,7 +239,7 @@
} }
}, },
"Root": { "Root": {
"Path": "/run/kata-containers/shared/containers/4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12/rootfs", "Path": "/run/kata-containers/4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12/rootfs",
"Readonly": true "Readonly": true
}, },
"Solaris": null, "Solaris": null,
@ -262,7 +262,7 @@
], ],
"fs_group": null, "fs_group": null,
"fstype": "overlay", "fstype": "overlay",
"mount_point": "/run/kata-containers/shared/containers/4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12/rootfs", "mount_point": "/run/kata-containers/4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12/rootfs",
"options": [], "options": [],
"source": "pause" "source": "pause"
} }

55
src/tools/genpolicy/tests/policy/testdata/state/execprocess/testcases.json vendored
View File

@ -278,8 +278,7 @@
"Terminal": false, "Terminal": false,
"User": { "User": {
"AdditionalGids": [ "AdditionalGids": [
0, 0
10
], ],
"GID": 0, "GID": 0,
"UID": 0, "UID": 0,
@ -287,7 +286,7 @@
} }
}, },
"Root": { "Root": {
"Path": "/run/kata-containers/shared/containers/88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9/rootfs", "Path": "/run/kata-containers/88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9/rootfs",
"Readonly": false "Readonly": false
}, },
"Solaris": null, "Solaris": null,
@ -582,8 +581,7 @@
"Terminal": false, "Terminal": false,
"User": { "User": {
"AdditionalGids": [ "AdditionalGids": [
0, 0
10
], ],
"GID": 0, "GID": 0,
"UID": 0, "UID": 0,
@ -591,7 +589,7 @@
} }
}, },
"Root": { "Root": {
"Path": "/run/kata-containers/shared/containers/22941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9/rootfs", "Path": "/run/kata-containers/22941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9/rootfs",
"Readonly": false "Readonly": false
}, },
"Solaris": null, "Solaris": null,
@ -622,8 +620,7 @@
"UID": 0, "UID": 0,
"GID": 0, "GID": 0,
"AdditionalGids": [ "AdditionalGids": [
0, 0
10
], ],
"Username": "" "Username": ""
}, },
@ -658,8 +655,7 @@
"UID": 0, "UID": 0,
"GID": 0, "GID": 0,
"AdditionalGids": [ "AdditionalGids": [
0, 0
10
], ],
"Username": "" "Username": ""
}, },
@ -694,8 +690,7 @@
"UID": 0, "UID": 0,
"GID": 0, "GID": 0,
"AdditionalGids": [ "AdditionalGids": [
0, 0
10
], ],
"Username": "" "Username": ""
}, },
@ -730,8 +725,7 @@
"UID": 0, "UID": 0,
"GID": 0, "GID": 0,
"AdditionalGids": [ "AdditionalGids": [
0, 0
10
], ],
"Username": "" "Username": ""
}, },
@ -774,8 +768,7 @@
"UID": 0, "UID": 0,
"GID": 0, "GID": 0,
"AdditionalGids": [ "AdditionalGids": [
0, 0
10
], ],
"Username": "" "Username": ""
}, },
@ -810,8 +803,7 @@
"UID": 0, "UID": 0,
"GID": 0, "GID": 0,
"AdditionalGids": [ "AdditionalGids": [
0, 0
10
], ],
"Username": "" "Username": ""
}, },
@ -879,8 +871,7 @@
"UID": 0, "UID": 0,
"GID": 0, "GID": 0,
"AdditionalGids": [ "AdditionalGids": [
0, 0
10
], ],
"Username": "" "Username": ""
}, },
@ -916,11 +907,18 @@
"User": { "User": {
"UID": 0, "UID": 0,
"GID": 0, "GID": 0,
"AdditionalGids": [0, 10], "AdditionalGids": [
0
],
"Username": "" "Username": ""
}, },
"Args": ["test1", "--flag"], "Args": [
"Env": ["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"], "test1",
"--flag"
],
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
],
"Cwd": "/", "Cwd": "/",
"Capabilities": null, "Capabilities": null,
"Rlimits": [], "Rlimits": [],
@ -1033,8 +1031,7 @@
"UID": 0, "UID": 0,
"GID": 0, "GID": 0,
"AdditionalGids": [ "AdditionalGids": [
0, 0
10
], ],
"Username": "" "Username": ""
}, },
@ -1069,8 +1066,7 @@
"UID": 0, "UID": 0,
"GID": 0, "GID": 0,
"AdditionalGids": [ "AdditionalGids": [
0, 0
10
], ],
"Username": "" "Username": ""
}, },
@ -1114,8 +1110,7 @@
"UID": 0, "UID": 0,
"GID": 0, "GID": 0,
"AdditionalGids": [ "AdditionalGids": [
0, 0
10
], ],
"Username": "" "Username": ""
}, },
@ -1135,4 +1130,4 @@
} }
} }
} }
] ]

85
tests/integration/kubernetes/tests_common.sh
View File

@ -85,68 +85,53 @@ auto_generate_policy_enabled() {
[[ "${AUTO_GENERATE_POLICY}" == "yes" ]] [[ "${AUTO_GENERATE_POLICY}" == "yes" ]]
} }
# adapt common policy settings for tdx or snp is_coco_platform() {
adapt_common_policy_settings_for_tdx() { case "${KATA_HYPERVISOR}" in
local settings_dir=$1 "qemu-tdx"|"qemu-snp"|"qemu-coco-dev")
return 0
info "Adapting common policy settings for TDX, SNP, or the non-TEE development environment" ;;
jq '.kata_config.confidential_guest = true | .common.cpath = "/run/kata-containers" | .volumes.configMap.mount_point = "^$(cpath)/$(bundle-id)-[a-z0-9]{16}-"' "${settings_dir}/genpolicy-settings.json" > temp.json && sudo mv temp.json "${settings_dir}/genpolicy-settings.json" *)
return 1
esac
} }
# adapt common policy settings for pod VMs using "shared_fs = virtio-fs" (https://github.com/kata-containers/kata-containers/issues/10189) adapt_common_policy_settings_for_non_coco() {
adapt_common_policy_settings_for_virtio_fs() {
local settings_dir=$1 local settings_dir=$1
info "Adapting common policy settings for shared_fs=virtio-fs" info "Adapting common policy settings from ${settings_dir} for non-CoCo guest"
jq '.request_defaults.UpdateEphemeralMountsRequest = true' "${settings_dir}/genpolicy-settings.json" > temp.json && sudo mv temp.json "${settings_dir}/genpolicy-settings.json"
# Using UpdateEphemeralMountsRequest - instead of CopyFileRequest.
jq '.request_defaults.UpdateEphemeralMountsRequest = true' "${settings_dir}/genpolicy-settings.json" > temp.json
sudo mv temp.json "${settings_dir}/genpolicy-settings.json"
# Using a different path to container container root.
jq '.common.root_path = "/run/kata-containers/shared/containers/$(bundle-id)/rootfs"' "${settings_dir}/genpolicy-settings.json" > temp.json
sudo mv temp.json "${settings_dir}/genpolicy-settings.json"
# Using CreateContainer Storage input structs for configMap & secret volumes - instead of using CopyFile like CoCo.
jq '.kata_config.enable_configmap_secret_storages = true' "${settings_dir}/genpolicy-settings.json" > temp.json
sudo mv temp.json "${settings_dir}/genpolicy-settings.json"
# Using watchable binds for configMap volumes - instead of CopyFileRequest.
jq '.volumes.configMap.mount_point = "^$(cpath)/watchable/$(bundle-id)-[a-z0-9]{16}-" | .volumes.configMap.driver = "watchable-bind"' \
"${settings_dir}/genpolicy-settings.json" > temp.json
sudo mv temp.json "${settings_dir}/genpolicy-settings.json"
# Using a Storage input struct for paths shared with the Host using virtio-fs.
jq '.sandbox.storages += [{"driver":"virtio-fs","driver_options":[],"fs_group":null,"fstype":"virtiofs","mount_point":"/run/kata-containers/shared/containers/","options":[],"source":"kataShared"}]' \ jq '.sandbox.storages += [{"driver":"virtio-fs","driver_options":[],"fs_group":null,"fstype":"virtiofs","mount_point":"/run/kata-containers/shared/containers/","options":[],"source":"kataShared"}]' \
"${settings_dir}/genpolicy-settings.json" > temp.json && sudo mv temp.json "${settings_dir}/genpolicy-settings.json" "${settings_dir}/genpolicy-settings.json" > temp.json
} sudo mv temp.json "${settings_dir}/genpolicy-settings.json"
# adapt common policy settings for CBL-Mariner Hosts # Disable guest pull.
adapt_common_policy_settings_for_cbl_mariner() { jq '.cluster_config.guest_pull = false' "${settings_dir}/genpolicy-settings.json" > temp.json
true sudo mv temp.json "${settings_dir}/genpolicy-settings.json"
}
# adapt common policy settings for guest-pull Hosts
# see issue https://github.com/kata-containers/kata-containers/issues/11162
adapt_common_policy_settings_for_guest_pull() {
local settings_dir=$1
info "Adapting common policy settings for guest-pull environment"
jq '.cluster_config.guest_pull = true' "${settings_dir}/genpolicy-settings.json" > temp.json && sudo mv temp.json "${settings_dir}/genpolicy-settings.json"
} }
# adapt common policy settings for various platforms # adapt common policy settings for various platforms
adapt_common_policy_settings() { adapt_common_policy_settings() {
local settings_dir=$1 local settings_dir=$1
case "${KATA_HYPERVISOR}" in is_coco_platform || adapt_common_policy_settings_for_non_coco "${settings_dir}"
"qemu-tdx"|"qemu-snp"|"qemu-coco-dev")
adapt_common_policy_settings_for_tdx "${settings_dir}"
;;
*)
# AUTO_GENERATE_POLICY=yes is currently supported by this script when testing:
# - The SNP or TDX platforms above, that are using "shared_fs = none".
# - Other platforms that are using "shared_fs = virtio-fs".
# Attempting to test using AUTO_GENERATE_POLICY=yes on platforms that are not
# supported yet is likely to result in test failures due to incorrectly auto-
# generated policies.
adapt_common_policy_settings_for_virtio_fs "${settings_dir}"
;;
esac
case "${KATA_HOST_OS}" in
"cbl-mariner")
adapt_common_policy_settings_for_cbl_mariner "${settings_dir}"
;;
esac
case "${PULL_TYPE}" in
"guest-pull")
adapt_common_policy_settings_for_guest_pull "${settings_dir}"
;;
esac
} }
# If auto-generated policy testing is enabled, make a copy of the genpolicy settings, # If auto-generated policy testing is enabled, make a copy of the genpolicy settings,