genpolicy: model block-plain emptyDirs

Replace the encrypted-emptyDir boolean setting with an emptydir_type
setting that can describe shared-fs, block-encrypted, and block-plain
emptyDirs.

Add policy storage templates for block encrypted and block plain emptyDirs
with the create-filesystem driver option. Plain block emptyDirs also carry
the discard mount option. The block storage source pattern is relaxed to
match the runtime-rs values observed for block devices.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
Assisted-by: OpenAI Codex <codex@openai.com>
This commit is contained in:
Manuel Huber
2026-06-03 18:07:40 +00:00
parent 16404f1cd5
commit 4804a08773
10 changed files with 108 additions and 49 deletions


@@ -6,8 +6,8 @@
},
{
"op": "replace",
"path": "/cluster_config/encrypted_emptydir",
"value": false
"path": "/cluster_config/emptydir_type",
"value": "shared-fs"
},
{
"op": "replace",


@@ -6,8 +6,8 @@
},
{
"op": "replace",
"path": "/cluster_config/encrypted_emptydir",
"value": false
"path": "/cluster_config/emptydir_type",
"value": "shared-fs"
},
{
"op": "replace",


@@ -6,8 +6,8 @@
},
{
"op": "replace",
"path": "/cluster_config/encrypted_emptydir",
"value": false
"path": "/cluster_config/emptydir_type",
"value": "shared-fs"
},
{
"op": "replace",


@@ -170,7 +170,8 @@
"mount_type": "bind",
"driver": "",
"driver_options": [
"encryption_key=ephemeral"
"encryption_key=ephemeral",
"create_filesystem"
],
"source": "",
"mount_point": "$(spath)/$(b64_device_id)",
@@ -178,6 +179,21 @@
"options": [],
"shared": true
},
"emptyDir_plain": {
"mount_source": "",
"mount_type": "bind",
"driver": "",
"driver_options": [
"create_filesystem"
],
"source": "",
"mount_point": "$(spath)/$(b64_device_id)",
"fstype": "ext4",
"options": [
"discard"
],
"shared": true
},
"emptyDir_memory": {
"mount_type": "bind",
"mount_source": "^/run/kata-containers/sandbox/ephemeral/",
@@ -335,7 +351,7 @@
"pause_container_image": "mcr.microsoft.com/oss/kubernetes/pause:3.6",
"guest_pull": true,
"pause_container_id_policy": "v1",
"encrypted_emptydir": true,
"emptydir_type": "block-encrypted",
"cgroup_mount_extras_allowed": [
"nsdelegate",
"memory_recursiveprot"
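Review bot: The new emptyDir_plain template carries `"discard"` in its options while the emptyDir_encrypted template two hunks above keeps `"options": []`, and nothing in the settings records why the two block templates differ. If the omission on the encrypted template is deliberate (passing discards through to an encrypted block device reveals which blocks are unused, which is a known trade-off), that rationale belongs in the documentation of the emptydir_type setting or in the README next to this file, since JSON cannot carry a comment; if it is not deliberate, the two templates should agree on the mount options. The same applies to the `"create_filesystem"` driver option, which both templates now set but whose meaning for the guest (the device is formatted with the listed fstype on first use, presumably) is documented nowhere in this commit.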


@@ -1274,7 +1274,7 @@ allow_storage(p_storages, i_storage, bundle_id, sandbox_id) if {
print("allow_storage with blk: start")
i_storage.driver == "blk"
regex.match("^[0-9]{2}/[0-9]{2}$", i_storage.source)
regex.match("^[0-9a-f]{2}(/[0-9a-f]{2})?$", i_storage.source)
allow_block_storage(p_storages, i_storage, bundle_id, sandbox_id)
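Review bot: The relaxed pattern on the replaced line now accepts two source shapes, a bare two-hex-digit value and an `xx/yy` pair, where the old pattern required decimal digits and the slash, so inputs the previous policy rejected are now allowed and nothing in the rule records which runtime-rs device addressing each shape corresponds to. Add a comment above the check such as `# Block device source as reported by runtime-rs: "xx" or "xx/yy", two lowercase hex digits each` so the next person widening this pattern can see the intended set; the commit message's "values observed for block devices" should be traceable from the rule itself. allow_storage starts before this hunk and its body continues after it, so the remaining checks on i_storage are not visible here.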


@@ -17,6 +17,10 @@ use std::ffi::OsString;
use std::path::Path;
use std::str;
const EMPTYDIR_TYPE_SHARED_FS: &str = "shared-fs";
const EMPTYDIR_TYPE_BLOCK_ENCRYPTED: &str = "block-encrypted";
const EMPTYDIR_TYPE_BLOCK_PLAIN: &str = "block-plain";
pub fn get_policy_mounts(
settings: &settings::Settings,
p_mounts: &mut Vec<policy::KataMount>,
@@ -145,15 +149,24 @@ fn get_empty_dir_mount(
pod_security_context: &Option<pod::PodSecurityContext>,
) {
let settings_volumes = &settings.volumes;
let (volume, block_encrypted_emptydir) = match emptyDir.medium.as_deref() {
let (volume, block_emptydir) = match emptyDir.medium.as_deref() {
Some("Memory") => (&settings_volumes.emptyDir_memory, false),
_ if settings.cluster_config.encrypted_emptydir => {
_ if settings.cluster_config.emptydir_type == EMPTYDIR_TYPE_BLOCK_ENCRYPTED => {
(&settings_volumes.emptyDir_encrypted, true)
}
_ => (&settings_volumes.emptyDir, false),
_ if settings.cluster_config.emptydir_type == EMPTYDIR_TYPE_BLOCK_PLAIN => {
(&settings_volumes.emptyDir_plain, true)
}
_ if settings.cluster_config.emptydir_type == EMPTYDIR_TYPE_SHARED_FS => {
(&settings_volumes.emptyDir, false)
}
_ => panic!(
"Unsupported emptydir_type {:?}",
settings.cluster_config.emptydir_type
),
};
if emptyDir.medium.as_deref() == Some("Memory") || block_encrypted_emptydir {
if emptyDir.medium.as_deref() == Some("Memory") || block_emptydir {
get_guest_empty_dir_mount_and_storage(
settings,
p_mounts,
@@ -161,7 +174,7 @@ fn get_empty_dir_mount(
yaml_mount,
volume,
pod_security_context,
block_encrypted_emptydir,
block_emptydir,
);
} else {
let access = if yaml_mount.readOnly == Some(true) {
@@ -181,21 +194,21 @@ fn get_guest_empty_dir_mount_and_storage(
yaml_mount: &pod::VolumeMount,
settings_empty_dir: &settings::EmptyDirVolume,
pod_security_context: &Option<pod::PodSecurityContext>,
block_encrypted_emptydir: bool,
block_emptydir: bool,
) {
debug!("Settings emptyDir: {:?}", settings_empty_dir);
if yaml_mount.subPathExpr.is_none() {
let mut options = settings_empty_dir.options.clone();
// Pod fsGroup in policy must mirror how the shim encodes it on Storage:
// - block-encrypted host emptyDirs become virtio-blk/scsi volumes; the runtime sets
// - block host emptyDirs become virtio-blk/scsi volumes; the runtime sets
// Storage.fs_group from mount metadata (handleDeviceBlockVolume in kata_agent.go).
// - shared-fs / guest-local emptyDirs use Storage.options: the runtime appends
// fsgid=<host GID> when the volume is not root-owned (handleEphemeralStorage and
// handleLocalStorage in kata_agent.go). Genpolicy uses pod fsGroup when non-zero as
// the usual kubelet-applied GID for that stat.
let pod_gid = pod_security_context.as_ref().and_then(|sc| sc.fsGroup);
let fs_group = if block_encrypted_emptydir {
let fs_group = if block_emptydir {
match pod_gid {
Some(gid) if gid > 0 => protobuf::MessageField::some(agent::FSGroup {
group_id: u32::try_from(gid).unwrap_or_else(|_| {
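Review bot: The catch-all arm `_ => panic!("Unsupported emptydir_type {:?}", settings.cluster_config.emptydir_type)` in get_empty_dir_mount turns a misspelled value in the operator-supplied settings file into a panic in the middle of mount generation, which is a configuration error rather than a broken invariant. Validating the value once when settings are loaded, or modelling `ClusterConfig::emptydir_type` in settings.rs as an enum with the three renamed variants so that an unknown string is rejected at deserialization with a clear message, would move the failure to the right place and let the three `_ if settings.cluster_config.emptydir_type == …` guards become a plain exhaustive match; the three `EMPTYDIR_TYPE_*` string constants added at the top of this file would then no longer be needed. If the `String` field is kept, the guards read more clearly as one nested `match settings.cluster_config.emptydir_type.as_str()` under the non-"Memory" arm, with the panic as its `other =>` arm. get_empty_dir_mount and get_guest_empty_dir_mount_and_storage both start and end outside these hunks.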


@@ -476,9 +476,9 @@ pub struct ClusterConfig {
/// as the only value* in AdditionalGids.
pub pause_container_id_policy: String,
/// Whether emptyDirs are encrypted with modified metadata in the
/// mount and a storage object for the block device.
pub encrypted_emptydir: bool,
/// How emptyDirs are represented in the policy.
/// Supported values are "shared-fs", "block-encrypted", and "block-plain".
pub emptydir_type: String,
/// Cgroup v2 mount options that may appear beyond what genpolicy embeds
/// (e.g. "nsdelegate", "memory_recursiveprot" on newer kernels).


@@ -35,6 +35,7 @@ pub struct Settings {
pub struct Volumes {
pub emptyDir: EmptyDirVolume,
pub emptyDir_encrypted: EmptyDirVolume,
pub emptyDir_plain: EmptyDirVolume,
pub emptyDir_memory: EmptyDirVolume,
pub configMap: ConfigMapVolume,
pub image_volume: ImageVolume,


@@ -343,7 +343,8 @@
{
"driver": "blk",
"driver_options": [
"encryption_key=ephemeral"
"encryption_key=ephemeral",
"create_filesystem"
],
"fs_group": {
"group_id": 1000


@@ -168,7 +168,8 @@
{
"driver": "blk",
"driver_options": [
"encryption_key=ephemeral"
"encryption_key=ephemeral",
"create_filesystem"
],
"fs_group": null,
"fstype": "ext4",
@@ -180,7 +181,8 @@
{
"driver": "blk",
"driver_options": [
"encryption_key=ephemeral"
"encryption_key=ephemeral",
"create_filesystem"
],
"fs_group": null,
"fstype": "ext4",
@@ -192,7 +194,8 @@
{
"driver": "blk",
"driver_options": [
"encryption_key=ephemeral"
"encryption_key=ephemeral",
"create_filesystem"
],
"fs_group": null,
"fstype": "ext4",
@@ -204,7 +207,8 @@
{
"driver": "blk",
"driver_options": [
"encryption_key=ephemeral"
"encryption_key=ephemeral",
"create_filesystem"
],
"fs_group": null,
"fstype": "ext4",
@@ -365,7 +369,8 @@
{
"driver": "blk",
"driver_options": [
"encryption_key=ephemeral"
"encryption_key=ephemeral",
"create_filesystem"
],
"fs_group": null,
"fstype": "ext4",
@@ -377,7 +382,8 @@
{
"driver": "blk",
"driver_options": [
"encryption_key=ephemeral"
"encryption_key=ephemeral",
"create_filesystem"
],
"fs_group": null,
"fstype": "ext4",
@@ -389,7 +395,8 @@
{
"driver": "blk",
"driver_options": [
"encryption_key=ephemeral"
"encryption_key=ephemeral",
"create_filesystem"
],
"fs_group": null,
"fstype": "ext4",
@@ -401,7 +408,8 @@
{
"driver": "blk",
"driver_options": [
"encryption_key=ephemeral"
"encryption_key=ephemeral",
"create_filesystem"
],
"fs_group": null,
"fstype": "ext4",
@@ -572,7 +580,8 @@
{
"driver": "blk",
"driver_options": [
"encryption_key=ephemeral"
"encryption_key=ephemeral",
"create_filesystem"
],
"fs_group": null,
"fstype": "ext4",
@@ -584,7 +593,8 @@
{
"driver": "blk",
"driver_options": [
"encryption_key=ephemeral"
"encryption_key=ephemeral",
"create_filesystem"
],
"fs_group": null,
"fstype": "ext4",
@@ -596,7 +606,8 @@
{
"driver": "blk",
"driver_options": [
"encryption_key=ephemeral"
"encryption_key=ephemeral",
"create_filesystem"
],
"fs_group": null,
"fstype": "ext4",
@@ -608,7 +619,8 @@
{
"driver": "blk",
"driver_options": [
"encryption_key=ephemeral"
"encryption_key=ephemeral",
"create_filesystem"
],
"fs_group": null,
"fstype": "ext4",
@@ -764,7 +776,8 @@
{
"driver": "blk",
"driver_options": [
"encryption_key=ephemeral"
"encryption_key=ephemeral",
"create_filesystem"
],
"fs_group": null,
"fstype": "ext4",
@@ -776,7 +789,8 @@
{
"driver": "blk",
"driver_options": [
"encryption_key=ephemeral"
"encryption_key=ephemeral",
"create_filesystem"
],
"fs_group": null,
"fstype": "ext4",
@@ -788,7 +802,8 @@
{
"driver": "blk",
"driver_options": [
"encryption_key=ephemeral"
"encryption_key=ephemeral",
"create_filesystem"
],
"fs_group": null,
"fstype": "ext4",
@@ -800,7 +815,8 @@
{
"driver": "blk",
"driver_options": [
"encryption_key=ephemeral"
"encryption_key=ephemeral",
"create_filesystem"
],
"fs_group": null,
"fstype": "ext4",
@@ -1315,7 +1331,8 @@
{
"driver": "blk",
"driver_options": [
"encryption_key=ephemeral"
"encryption_key=ephemeral",
"create_filesystem"
],
"fs_group": null,
"fstype": "ext4",
@@ -1327,7 +1344,8 @@
{
"driver": "blk",
"driver_options": [
"encryption_key=ephemeral"
"encryption_key=ephemeral",
"create_filesystem"
],
"fs_group": null,
"fstype": "ext4",
@@ -1339,7 +1357,8 @@
{
"driver": "blk",
"driver_options": [
"encryption_key=ephemeral"
"encryption_key=ephemeral",
"create_filesystem"
],
"fs_group": null,
"fstype": "ext4",
@@ -1351,7 +1370,8 @@
{
"driver": "blk",
"driver_options": [
"encryption_key=ephemeral"
"encryption_key=ephemeral",
"create_filesystem"
],
"fs_group": null,
"fstype": "ext4",
@@ -1512,7 +1532,8 @@
{
"driver": "blk",
"driver_options": [
"encryption_key=ephemeral"
"encryption_key=ephemeral",
"create_filesystem"
],
"fs_group": null,
"fstype": "ext4",
@@ -1526,7 +1547,8 @@
{
"driver": "blk",
"driver_options": [
"encryption_key=ephemeral"
"encryption_key=ephemeral",
"create_filesystem"
],
"fs_group": null,
"fstype": "ext4",
@@ -1540,7 +1562,8 @@
{
"driver": "blk",
"driver_options": [
"encryption_key=ephemeral"
"encryption_key=ephemeral",
"create_filesystem"
],
"fs_group": null,
"fstype": "ext4",
@@ -1554,7 +1577,8 @@
{
"driver": "blk",
"driver_options": [
"encryption_key=ephemeral"
"encryption_key=ephemeral",
"create_filesystem"
],
"fs_group": null,
"fstype": "ext4",
@@ -1717,7 +1741,8 @@
{
"driver": "blk",
"driver_options": [
"encryption_key=ephemeral"
"encryption_key=ephemeral",
"create_filesystem"
],
"fs_group": null,
"fstype": "invalid_fstype",
@@ -1729,7 +1754,8 @@
{
"driver": "blk",
"driver_options": [
"encryption_key=ephemeral"
"encryption_key=ephemeral",
"create_filesystem"
],
"fs_group": null,
"fstype": "invalid_fstype",
@@ -1741,7 +1767,8 @@
{
"driver": "blk",
"driver_options": [
"encryption_key=ephemeral"
"encryption_key=ephemeral",
"create_filesystem"
],
"fs_group": null,
"fstype": "invalid_fstype",
@@ -1753,7 +1780,8 @@
{
"driver": "blk",
"driver_options": [
"encryption_key=ephemeral"
"encryption_key=ephemeral",
"create_filesystem"
],
"fs_group": null,
"fstype": "invalid_fstype",