genpolicy: model block-plain emptyDirs
Replace the encrypted-emptyDir boolean setting with an emptydir_type setting that can describe shared-fs, block-encrypted, and block-plain emptyDirs. Add policy storage templates for block encrypted and block plain emptyDirs with the create-filesystem driver option. Plain block emptyDirs also carry the discard mount option. The block storage source pattern is relaxed to match the runtime-rs values observed for block devices. Signed-off-by: Manuel Huber <manuelh@nvidia.com> Assisted-by: OpenAI Codex <codex@openai.com>
@@ -6,8 +6,8 @@
|
||||
},
|
||||
{
|
||||
"op": "replace",
|
||||
"path": "/cluster_config/encrypted_emptydir",
|
||||
"value": false
|
||||
"path": "/cluster_config/emptydir_type",
|
||||
"value": "shared-fs"
|
||||
},
|
||||
{
|
||||
"op": "replace",
|
||||
|
||||
@@ -6,8 +6,8 @@
|
||||
},
|
||||
{
|
||||
"op": "replace",
|
||||
"path": "/cluster_config/encrypted_emptydir",
|
||||
"value": false
|
||||
"path": "/cluster_config/emptydir_type",
|
||||
"value": "shared-fs"
|
||||
},
|
||||
{
|
||||
"op": "replace",
|
||||
|
||||
@@ -6,8 +6,8 @@
|
||||
},
|
||||
{
|
||||
"op": "replace",
|
||||
"path": "/cluster_config/encrypted_emptydir",
|
||||
"value": false
|
||||
"path": "/cluster_config/emptydir_type",
|
||||
"value": "shared-fs"
|
||||
},
|
||||
{
|
||||
"op": "replace",
|
||||
|
||||
@@ -170,7 +170,8 @@
|
||||
"mount_type": "bind",
|
||||
"driver": "",
|
||||
"driver_options": [
|
||||
"encryption_key=ephemeral"
|
||||
"encryption_key=ephemeral",
|
||||
"create_filesystem"
|
||||
],
|
||||
"source": "",
|
||||
"mount_point": "$(spath)/$(b64_device_id)",
|
||||
@@ -178,6 +179,21 @@
|
||||
"options": [],
|
||||
"shared": true
|
||||
},
|
||||
"emptyDir_plain": {
|
||||
"mount_source": "",
|
||||
"mount_type": "bind",
|
||||
"driver": "",
|
||||
"driver_options": [
|
||||
"create_filesystem"
|
||||
],
|
||||
"source": "",
|
||||
"mount_point": "$(spath)/$(b64_device_id)",
|
||||
"fstype": "ext4",
|
||||
"options": [
|
||||
"discard"
|
||||
],
|
||||
"shared": true
|
||||
},
|
||||
"emptyDir_memory": {
|
||||
"mount_type": "bind",
|
||||
"mount_source": "^/run/kata-containers/sandbox/ephemeral/",
|
||||
@@ -335,7 +351,7 @@
|
||||
"pause_container_image": "mcr.microsoft.com/oss/kubernetes/pause:3.6",
|
||||
"guest_pull": true,
|
||||
"pause_container_id_policy": "v1",
|
||||
"encrypted_emptydir": true,
|
||||
"emptydir_type": "block-encrypted",
|
||||
"cgroup_mount_extras_allowed": [
|
||||
"nsdelegate",
|
||||
"memory_recursiveprot"
|
||||
|
||||
@@ -1274,7 +1274,7 @@ allow_storage(p_storages, i_storage, bundle_id, sandbox_id) if {
|
||||
print("allow_storage with blk: start")
|
||||
|
||||
i_storage.driver == "blk"
|
||||
regex.match("^[0-9]{2}/[0-9]{2}$", i_storage.source)
|
||||
regex.match("^[0-9a-f]{2}(/[0-9a-f]{2})?$", i_storage.source)
|
||||
|
||||
allow_block_storage(p_storages, i_storage, bundle_id, sandbox_id)
|
||||
|
||||
|
||||
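Review bot: The new `regex.match("^[0-9a-f]{2}(/[0-9a-f]{2})?$", i_storage.source)` line widens the accepted block storage source from exactly two decimal pairs to hex pairs with the second segment optional, so a bare `00` now passes this gate before allow_block_storage, and nothing in the hunk records why both shapes are legitimate. Because this is the check that decides which sources reach the block storage rule, the accepted shapes should be written down next to the match so a later edit does not loosen it further without knowing the intent; the commit message is the only place that currently explains the single-segment form. Propose the comment `# Block storage source is either "xx/yy" or a single "xx" hex pair; the latter is what runtime-rs reports for block devices` above the regex line, and, if the policy test fixtures cover this rule, a fixture with a single-segment source so the relaxed form is pinned rather than assumed. The enclosing allow_storage rule starts and ends outside the hunk.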
@@ -17,6 +17,10 @@ use std::ffi::OsString;
|
||||
use std::path::Path;
|
||||
use std::str;
|
||||
|
||||
const EMPTYDIR_TYPE_SHARED_FS: &str = "shared-fs";
|
||||
const EMPTYDIR_TYPE_BLOCK_ENCRYPTED: &str = "block-encrypted";
|
||||
const EMPTYDIR_TYPE_BLOCK_PLAIN: &str = "block-plain";
|
||||
|
||||
pub fn get_policy_mounts(
|
||||
settings: &settings::Settings,
|
||||
p_mounts: &mut Vec<policy::KataMount>,
|
||||
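Review bot: The three `EMPTYDIR_TYPE_*` string constants, together with the guard chain in the next hunk of get_empty_dir_mount that compares `settings.cluster_config.emptydir_type` against each of them and falls through to `panic!("Unsupported emptydir_type {:?}", ...)`, make the setting stringly typed and defer validation to the first non-Memory emptyDir that is processed. A mistyped value in the settings file therefore survives settings loading and only fails later, and the `_ =>` arm is needed solely because the compiler cannot see the value set. If ClusterConfig derives serde::Deserialize (the settings are loaded from JSON, so this seems likely), an enum with `#[serde(rename_all = "kebab-case")]` rejects an unknown value at load time and lets the match be exhaustive with no catch-all; the three constants and the panic arm then go away. The rewrite below sketches the match side; the enum itself belongs in settings.rs next to ClusterConfig.
```rust
// settings.rs (sketch): #[derive(Deserialize)] #[serde(rename_all = "kebab-case")]
// pub enum EmptyDirType { SharedFs, BlockEncrypted, BlockPlain }
let settings_volumes = &settings.volumes;
let (volume, block_emptydir) = match (emptyDir.medium.as_deref(), &settings.cluster_config.emptydir_type) {
    (Some("Memory"), _) => (&settings_volumes.emptyDir_memory, false),
    (_, EmptyDirType::BlockEncrypted) => (&settings_volumes.emptyDir_encrypted, true),
    (_, EmptyDirType::BlockPlain) => (&settings_volumes.emptyDir_plain, true),
    (_, EmptyDirType::SharedFs) => (&settings_volumes.emptyDir, false),
};
// … unchanged: Memory / block branch calling get_guest_empty_dir_mount_and_storage …
```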
@@ -145,15 +149,24 @@ fn get_empty_dir_mount(
|
||||
pod_security_context: &Option<pod::PodSecurityContext>,
|
||||
) {
|
||||
let settings_volumes = &settings.volumes;
|
||||
let (volume, block_encrypted_emptydir) = match emptyDir.medium.as_deref() {
|
||||
let (volume, block_emptydir) = match emptyDir.medium.as_deref() {
|
||||
Some("Memory") => (&settings_volumes.emptyDir_memory, false),
|
||||
_ if settings.cluster_config.encrypted_emptydir => {
|
||||
_ if settings.cluster_config.emptydir_type == EMPTYDIR_TYPE_BLOCK_ENCRYPTED => {
|
||||
(&settings_volumes.emptyDir_encrypted, true)
|
||||
}
|
||||
_ => (&settings_volumes.emptyDir, false),
|
||||
_ if settings.cluster_config.emptydir_type == EMPTYDIR_TYPE_BLOCK_PLAIN => {
|
||||
(&settings_volumes.emptyDir_plain, true)
|
||||
}
|
||||
_ if settings.cluster_config.emptydir_type == EMPTYDIR_TYPE_SHARED_FS => {
|
||||
(&settings_volumes.emptyDir, false)
|
||||
}
|
||||
_ => panic!(
|
||||
"Unsupported emptydir_type {:?}",
|
||||
settings.cluster_config.emptydir_type
|
||||
),
|
||||
};
|
||||
|
||||
if emptyDir.medium.as_deref() == Some("Memory") || block_encrypted_emptydir {
|
||||
if emptyDir.medium.as_deref() == Some("Memory") || block_emptydir {
|
||||
get_guest_empty_dir_mount_and_storage(
|
||||
settings,
|
||||
p_mounts,
|
||||
@@ -161,7 +174,7 @@ fn get_empty_dir_mount(
|
||||
yaml_mount,
|
||||
volume,
|
||||
pod_security_context,
|
||||
block_encrypted_emptydir,
|
||||
block_emptydir,
|
||||
);
|
||||
} else {
|
||||
let access = if yaml_mount.readOnly == Some(true) {
|
||||
@@ -181,21 +194,21 @@ fn get_guest_empty_dir_mount_and_storage(
|
||||
yaml_mount: &pod::VolumeMount,
|
||||
settings_empty_dir: &settings::EmptyDirVolume,
|
||||
pod_security_context: &Option<pod::PodSecurityContext>,
|
||||
block_encrypted_emptydir: bool,
|
||||
block_emptydir: bool,
|
||||
) {
|
||||
debug!("Settings emptyDir: {:?}", settings_empty_dir);
|
||||
|
||||
if yaml_mount.subPathExpr.is_none() {
|
||||
let mut options = settings_empty_dir.options.clone();
|
||||
// Pod fsGroup in policy must mirror how the shim encodes it on Storage:
|
||||
// - block-encrypted host emptyDirs become virtio-blk/scsi volumes; the runtime sets
|
||||
// - block host emptyDirs become virtio-blk/scsi volumes; the runtime sets
|
||||
// Storage.fs_group from mount metadata (handleDeviceBlockVolume in kata_agent.go).
|
||||
// - shared-fs / guest-local emptyDirs use Storage.options: the runtime appends
|
||||
// fsgid=<host GID> when the volume is not root-owned (handleEphemeralStorage and
|
||||
// handleLocalStorage in kata_agent.go). Genpolicy uses pod fsGroup when non-zero as
|
||||
// the usual kubelet-applied GID for that stat.
|
||||
let pod_gid = pod_security_context.as_ref().and_then(|sc| sc.fsGroup);
|
||||
let fs_group = if block_encrypted_emptydir {
|
||||
let fs_group = if block_emptydir {
|
||||
match pod_gid {
|
||||
Some(gid) if gid > 0 => protobuf::MessageField::some(agent::FSGroup {
|
||||
group_id: u32::try_from(gid).unwrap_or_else(|_| {
|
||||
|
||||
@@ -476,9 +476,9 @@ pub struct ClusterConfig {
|
||||
/// as the only value* in AdditionalGids.
|
||||
pub pause_container_id_policy: String,
|
||||
|
||||
/// Whether emptyDirs are encrypted with modified metadata in the
|
||||
/// mount and a storage object for the block device.
|
||||
pub encrypted_emptydir: bool,
|
||||
/// How emptyDirs are represented in the policy.
|
||||
/// Supported values are "shared-fs", "block-encrypted", and "block-plain".
|
||||
pub emptydir_type: String,
|
||||
|
||||
/// Cgroup v2 mount options that may appear beyond what genpolicy embeds
|
||||
/// (e.g. "nsdelegate", "memory_recursiveprot" on newer kernels).
|
||||
|
||||
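Review bot: The new doc comment on `emptydir_type` lists the accepted values but says nothing about what distinguishes them, which is the property an operator picking a value needs to know. From the storage templates in genpolicy-settings.json in this same commit, only `emptyDir_encrypted` carries the `encryption_key=ephemeral` driver option, while `emptyDir_plain` carries `create_filesystem` and the `discard` mount option only. Propose extending the comment with `/// "block-plain" and "block-encrypted" back the emptyDir with a guest block device (see the emptyDir_plain / emptyDir_encrypted storage templates); only "block-encrypted" adds the encryption_key=ephemeral driver option, so "block-plain" emptyDirs are not encrypted by the runtime.` The ClusterConfig struct starts and ends outside the hunk.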
@@ -35,6 +35,7 @@ pub struct Settings {
|
||||
pub struct Volumes {
|
||||
pub emptyDir: EmptyDirVolume,
|
||||
pub emptyDir_encrypted: EmptyDirVolume,
|
||||
pub emptyDir_plain: EmptyDirVolume,
|
||||
pub emptyDir_memory: EmptyDirVolume,
|
||||
pub configMap: ConfigMapVolume,
|
||||
pub image_volume: ImageVolume,
|
||||
|
||||
@@ -343,7 +343,8 @@
|
||||
{
|
||||
"driver": "blk",
|
||||
"driver_options": [
|
||||
"encryption_key=ephemeral"
|
||||
"encryption_key=ephemeral",
|
||||
"create_filesystem"
|
||||
],
|
||||
"fs_group": {
|
||||
"group_id": 1000
|
||||
|
||||
@@ -168,7 +168,8 @@
|
||||
{
|
||||
"driver": "blk",
|
||||
"driver_options": [
|
||||
"encryption_key=ephemeral"
|
||||
"encryption_key=ephemeral",
|
||||
"create_filesystem"
|
||||
],
|
||||
"fs_group": null,
|
||||
"fstype": "ext4",
|
||||
@@ -180,7 +181,8 @@
|
||||
{
|
||||
"driver": "blk",
|
||||
"driver_options": [
|
||||
"encryption_key=ephemeral"
|
||||
"encryption_key=ephemeral",
|
||||
"create_filesystem"
|
||||
],
|
||||
"fs_group": null,
|
||||
"fstype": "ext4",
|
||||
@@ -192,7 +194,8 @@
|
||||
{
|
||||
"driver": "blk",
|
||||
"driver_options": [
|
||||
"encryption_key=ephemeral"
|
||||
"encryption_key=ephemeral",
|
||||
"create_filesystem"
|
||||
],
|
||||
"fs_group": null,
|
||||
"fstype": "ext4",
|
||||
@@ -204,7 +207,8 @@
|
||||
{
|
||||
"driver": "blk",
|
||||
"driver_options": [
|
||||
"encryption_key=ephemeral"
|
||||
"encryption_key=ephemeral",
|
||||
"create_filesystem"
|
||||
],
|
||||
"fs_group": null,
|
||||
"fstype": "ext4",
|
||||
@@ -365,7 +369,8 @@
|
||||
{
|
||||
"driver": "blk",
|
||||
"driver_options": [
|
||||
"encryption_key=ephemeral"
|
||||
"encryption_key=ephemeral",
|
||||
"create_filesystem"
|
||||
],
|
||||
"fs_group": null,
|
||||
"fstype": "ext4",
|
||||
@@ -377,7 +382,8 @@
|
||||
{
|
||||
"driver": "blk",
|
||||
"driver_options": [
|
||||
"encryption_key=ephemeral"
|
||||
"encryption_key=ephemeral",
|
||||
"create_filesystem"
|
||||
],
|
||||
"fs_group": null,
|
||||
"fstype": "ext4",
|
||||
@@ -389,7 +395,8 @@
|
||||
{
|
||||
"driver": "blk",
|
||||
"driver_options": [
|
||||
"encryption_key=ephemeral"
|
||||
"encryption_key=ephemeral",
|
||||
"create_filesystem"
|
||||
],
|
||||
"fs_group": null,
|
||||
"fstype": "ext4",
|
||||
@@ -401,7 +408,8 @@
|
||||
{
|
||||
"driver": "blk",
|
||||
"driver_options": [
|
||||
"encryption_key=ephemeral"
|
||||
"encryption_key=ephemeral",
|
||||
"create_filesystem"
|
||||
],
|
||||
"fs_group": null,
|
||||
"fstype": "ext4",
|
||||
@@ -572,7 +580,8 @@
|
||||
{
|
||||
"driver": "blk",
|
||||
"driver_options": [
|
||||
"encryption_key=ephemeral"
|
||||
"encryption_key=ephemeral",
|
||||
"create_filesystem"
|
||||
],
|
||||
"fs_group": null,
|
||||
"fstype": "ext4",
|
||||
@@ -584,7 +593,8 @@
|
||||
{
|
||||
"driver": "blk",
|
||||
"driver_options": [
|
||||
"encryption_key=ephemeral"
|
||||
"encryption_key=ephemeral",
|
||||
"create_filesystem"
|
||||
],
|
||||
"fs_group": null,
|
||||
"fstype": "ext4",
|
||||
@@ -596,7 +606,8 @@
|
||||
{
|
||||
"driver": "blk",
|
||||
"driver_options": [
|
||||
"encryption_key=ephemeral"
|
||||
"encryption_key=ephemeral",
|
||||
"create_filesystem"
|
||||
],
|
||||
"fs_group": null,
|
||||
"fstype": "ext4",
|
||||
@@ -608,7 +619,8 @@
|
||||
{
|
||||
"driver": "blk",
|
||||
"driver_options": [
|
||||
"encryption_key=ephemeral"
|
||||
"encryption_key=ephemeral",
|
||||
"create_filesystem"
|
||||
],
|
||||
"fs_group": null,
|
||||
"fstype": "ext4",
|
||||
@@ -764,7 +776,8 @@
|
||||
{
|
||||
"driver": "blk",
|
||||
"driver_options": [
|
||||
"encryption_key=ephemeral"
|
||||
"encryption_key=ephemeral",
|
||||
"create_filesystem"
|
||||
],
|
||||
"fs_group": null,
|
||||
"fstype": "ext4",
|
||||
@@ -776,7 +789,8 @@
|
||||
{
|
||||
"driver": "blk",
|
||||
"driver_options": [
|
||||
"encryption_key=ephemeral"
|
||||
"encryption_key=ephemeral",
|
||||
"create_filesystem"
|
||||
],
|
||||
"fs_group": null,
|
||||
"fstype": "ext4",
|
||||
@@ -788,7 +802,8 @@
|
||||
{
|
||||
"driver": "blk",
|
||||
"driver_options": [
|
||||
"encryption_key=ephemeral"
|
||||
"encryption_key=ephemeral",
|
||||
"create_filesystem"
|
||||
],
|
||||
"fs_group": null,
|
||||
"fstype": "ext4",
|
||||
@@ -800,7 +815,8 @@
|
||||
{
|
||||
"driver": "blk",
|
||||
"driver_options": [
|
||||
"encryption_key=ephemeral"
|
||||
"encryption_key=ephemeral",
|
||||
"create_filesystem"
|
||||
],
|
||||
"fs_group": null,
|
||||
"fstype": "ext4",
|
||||
@@ -1315,7 +1331,8 @@
|
||||
{
|
||||
"driver": "blk",
|
||||
"driver_options": [
|
||||
"encryption_key=ephemeral"
|
||||
"encryption_key=ephemeral",
|
||||
"create_filesystem"
|
||||
],
|
||||
"fs_group": null,
|
||||
"fstype": "ext4",
|
||||
@@ -1327,7 +1344,8 @@
|
||||
{
|
||||
"driver": "blk",
|
||||
"driver_options": [
|
||||
"encryption_key=ephemeral"
|
||||
"encryption_key=ephemeral",
|
||||
"create_filesystem"
|
||||
],
|
||||
"fs_group": null,
|
||||
"fstype": "ext4",
|
||||
@@ -1339,7 +1357,8 @@
|
||||
{
|
||||
"driver": "blk",
|
||||
"driver_options": [
|
||||
"encryption_key=ephemeral"
|
||||
"encryption_key=ephemeral",
|
||||
"create_filesystem"
|
||||
],
|
||||
"fs_group": null,
|
||||
"fstype": "ext4",
|
||||
@@ -1351,7 +1370,8 @@
|
||||
{
|
||||
"driver": "blk",
|
||||
"driver_options": [
|
||||
"encryption_key=ephemeral"
|
||||
"encryption_key=ephemeral",
|
||||
"create_filesystem"
|
||||
],
|
||||
"fs_group": null,
|
||||
"fstype": "ext4",
|
||||
@@ -1512,7 +1532,8 @@
|
||||
{
|
||||
"driver": "blk",
|
||||
"driver_options": [
|
||||
"encryption_key=ephemeral"
|
||||
"encryption_key=ephemeral",
|
||||
"create_filesystem"
|
||||
],
|
||||
"fs_group": null,
|
||||
"fstype": "ext4",
|
||||
@@ -1526,7 +1547,8 @@
|
||||
{
|
||||
"driver": "blk",
|
||||
"driver_options": [
|
||||
"encryption_key=ephemeral"
|
||||
"encryption_key=ephemeral",
|
||||
"create_filesystem"
|
||||
],
|
||||
"fs_group": null,
|
||||
"fstype": "ext4",
|
||||
@@ -1540,7 +1562,8 @@
|
||||
{
|
||||
"driver": "blk",
|
||||
"driver_options": [
|
||||
"encryption_key=ephemeral"
|
||||
"encryption_key=ephemeral",
|
||||
"create_filesystem"
|
||||
],
|
||||
"fs_group": null,
|
||||
"fstype": "ext4",
|
||||
@@ -1554,7 +1577,8 @@
|
||||
{
|
||||
"driver": "blk",
|
||||
"driver_options": [
|
||||
"encryption_key=ephemeral"
|
||||
"encryption_key=ephemeral",
|
||||
"create_filesystem"
|
||||
],
|
||||
"fs_group": null,
|
||||
"fstype": "ext4",
|
||||
@@ -1717,7 +1741,8 @@
|
||||
{
|
||||
"driver": "blk",
|
||||
"driver_options": [
|
||||
"encryption_key=ephemeral"
|
||||
"encryption_key=ephemeral",
|
||||
"create_filesystem"
|
||||
],
|
||||
"fs_group": null,
|
||||
"fstype": "invalid_fstype",
|
||||
@@ -1729,7 +1754,8 @@
|
||||
{
|
||||
"driver": "blk",
|
||||
"driver_options": [
|
||||
"encryption_key=ephemeral"
|
||||
"encryption_key=ephemeral",
|
||||
"create_filesystem"
|
||||
],
|
||||
"fs_group": null,
|
||||
"fstype": "invalid_fstype",
|
||||
@@ -1741,7 +1767,8 @@
|
||||
{
|
||||
"driver": "blk",
|
||||
"driver_options": [
|
||||
"encryption_key=ephemeral"
|
||||
"encryption_key=ephemeral",
|
||||
"create_filesystem"
|
||||
],
|
||||
"fs_group": null,
|
||||
"fstype": "invalid_fstype",
|
||||
@@ -1753,7 +1780,8 @@
|
||||
{
|
||||
"driver": "blk",
|
||||
"driver_options": [
|
||||
"encryption_key=ephemeral"
|
||||
"encryption_key=ephemeral",
|
||||
"create_filesystem"
|
||||
],
|
||||
"fs_group": null,
|
||||
"fstype": "invalid_fstype",
|
||||
|
||||