From 4804a087738b47feaf8dca0c7893ea410e4be4c7 Mon Sep 17 00:00:00 2001
From: Manuel Huber
Date: Wed, 3 Jun 2026 18:07:40 +0000
Subject: [PATCH] genpolicy: model block-plain emptyDirs
Replace the encrypted-emptyDir boolean setting with an emptydir_type setting that can describe shared-fs, block-encrypted, and block-plain emptyDirs. Add policy storage templates for block encrypted and block plain emptyDirs with the create-filesystem driver option. Plain block emptyDirs also carry the discard mount option. The block storage source pattern is relaxed to match the runtime-rs values observed for block devices.
Signed-off-by: Manuel Huber
Assisted-by: OpenAI Codex
---
 .../10-non-coco-aks-cbl-mariner-drop-in.json | 4 +-
 .../10-non-coco-aks-drop-in.json | 4 +-
 .../drop-in-examples/10-non-coco-drop-in.json | 4 +-
 src/tools/genpolicy/genpolicy-settings.json | 20 ++++-
 src/tools/genpolicy/rules.rego | 2 +-
 src/tools/genpolicy/src/mount_and_storage.rs | 29 +++++--
 src/tools/genpolicy/src/policy.rs | 6 +-
 src/tools/genpolicy/src/settings.rs | 1 +
 .../security_context/fsgroup/testcases.json | 3 +-
 .../volumes/emptydir/testcases.json | 84 ++++++++++++-------
 10 files changed, 108 insertions(+), 49 deletions(-)
diff --git a/src/tools/genpolicy/drop-in-examples/10-non-coco-aks-cbl-mariner-drop-in.json b/src/tools/genpolicy/drop-in-examples/10-non-coco-aks-cbl-mariner-drop-in.json
index f522f80190..d232cd8c7c 100644
--- a/src/tools/genpolicy/drop-in-examples/10-non-coco-aks-cbl-mariner-drop-in.json
+++ b/src/tools/genpolicy/drop-in-examples/10-non-coco-aks-cbl-mariner-drop-in.json
@@ -6,8 +6,8 @@
 },
 {
 "op": "replace",
- "path": "/cluster_config/encrypted_emptydir",
- "value": false
+ "path": "/cluster_config/emptydir_type",
+ "value": "shared-fs"
 },
 {
 "op": "replace",
diff --git a/src/tools/genpolicy/drop-in-examples/10-non-coco-aks-drop-in.json b/src/tools/genpolicy/drop-in-examples/10-non-coco-aks-drop-in.json
index f522f80190..d232cd8c7c 100644
--- a/src/tools/genpolicy/drop-in-examples/10-non-coco-aks-drop-in.json
+++ b/src/tools/genpolicy/drop-in-examples/10-non-coco-aks-drop-in.json
@@ -6,8 +6,8 @@
 },
 {
 "op": "replace",
- "path": "/cluster_config/encrypted_emptydir",
- "value": false
+ "path": "/cluster_config/emptydir_type",
+ "value": "shared-fs"
 },
 {
 "op": "replace",
diff --git a/src/tools/genpolicy/drop-in-examples/10-non-coco-drop-in.json b/src/tools/genpolicy/drop-in-examples/10-non-coco-drop-in.json
index 9749635486..022ac48279 100644
--- a/src/tools/genpolicy/drop-in-examples/10-non-coco-drop-in.json
+++ b/src/tools/genpolicy/drop-in-examples/10-non-coco-drop-in.json
@@ -6,8 +6,8 @@
 },
 {
 "op": "replace",
- "path": "/cluster_config/encrypted_emptydir",
- "value": false
+ "path": "/cluster_config/emptydir_type",
+ "value": "shared-fs"
 },
 {
 "op": "replace",
diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json
index 91dc3c5146..8ad88b1eb0 100644
--- a/src/tools/genpolicy/genpolicy-settings.json
+++ b/src/tools/genpolicy/genpolicy-settings.json
@@ -170,7 +170,8 @@
 "mount_type": "bind",
 "driver": "",
 "driver_options": [
- "encryption_key=ephemeral"
+ "encryption_key=ephemeral",
+ "create_filesystem"
 ],
 "source": "",
 "mount_point": "$(spath)/$(b64_device_id)",
@@ -178,6 +179,21 @@
 "options": [],
 "shared": true
 },
+ "emptyDir_plain": {
+ "mount_source": "",
+ "mount_type": "bind",
+ "driver": "",
+ "driver_options": [
+ "create_filesystem"
+ ],
+ "source": "",
+ "mount_point": "$(spath)/$(b64_device_id)",
+ "fstype": "ext4",
+ "options": [
+ "discard"
+ ],
+ "shared": true
+ },
 "emptyDir_memory": {
 "mount_type": "bind",
 "mount_source": "^/run/kata-containers/sandbox/ephemeral/",
@@ -335,7 +351,7 @@
 "pause_container_image": "mcr.microsoft.com/oss/kubernetes/pause:3.6",
 "guest_pull": true,
 "pause_container_id_policy": "v1",
- "encrypted_emptydir": true,
+ "emptydir_type": "block-encrypted",
 "cgroup_mount_extras_allowed": [
 "nsdelegate",
 "memory_recursiveprot"
diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
index a3745f890e..915b97515e 100644
--- a/src/tools/genpolicy/rules.rego
+++ b/src/tools/genpolicy/rules.rego
@@ -1274,7 +1274,7 @@ allow_storage(p_storages, i_storage, bundle_id, sandbox_id) if {
 print("allow_storage with blk: start")
 i_storage.driver == "blk"
- regex.match("^[0-9]{2}/[0-9]{2}$", i_storage.source)
+ regex.match("^[0-9a-f]{2}(/[0-9a-f]{2})?$", i_storage.source)
 allow_block_storage(p_storages, i_storage, bundle_id, sandbox_id)
diff --git a/src/tools/genpolicy/src/mount_and_storage.rs b/src/tools/genpolicy/src/mount_and_storage.rs
index f144c182ce..53d2b8f6c3 100644
--- a/src/tools/genpolicy/src/mount_and_storage.rs
+++ b/src/tools/genpolicy/src/mount_and_storage.rs
@@ -17,6 +17,10 @@ use std::ffi::OsString;
 use std::path::Path;
 use std::str;
+const EMPTYDIR_TYPE_SHARED_FS: &str = "shared-fs";
+const EMPTYDIR_TYPE_BLOCK_ENCRYPTED: &str = "block-encrypted";
+const EMPTYDIR_TYPE_BLOCK_PLAIN: &str = "block-plain";
+
 pub fn get_policy_mounts(
 settings: &settings::Settings,
 p_mounts: &mut Vec,
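Review bot: The widened pattern `^[0-9a-f]{2}(/[0-9a-f]{2})?$` now admits a bare two-hex-digit `source` as well as the two-segment form, but nothing in rules.rego records which device kind yields which shape, so the only rationale lives in the commit message. A comment above the `regex.match` line such as `# Block device source as assigned by the runtime: "xx" or "xx/xx" (lowercase hex; see runtime-rs)` would keep that reasoning next to the check. Since the character class is lowercase-only and the old pattern was decimal, it is worth confirming that runtime-rs never emits uppercase hex here; I cannot tell from this diff. The enclosing `allow_storage` rule continues past the hunk.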
@@ -145,15 +149,24 @@ fn get_empty_dir_mount(
 pod_security_context: &Option,
 ) {
 let settings_volumes = &settings.volumes;
- let (volume, block_encrypted_emptydir) = match emptyDir.medium.as_deref() {
+ let (volume, block_emptydir) = match emptyDir.medium.as_deref() {
 Some("Memory") => (&settings_volumes.emptyDir_memory, false),
- _ if settings.cluster_config.encrypted_emptydir => {
+ _ if settings.cluster_config.emptydir_type == EMPTYDIR_TYPE_BLOCK_ENCRYPTED => {
 (&settings_volumes.emptyDir_encrypted, true)
 }
- _ => (&settings_volumes.emptyDir, false),
+ _ if settings.cluster_config.emptydir_type == EMPTYDIR_TYPE_BLOCK_PLAIN => {
+ (&settings_volumes.emptyDir_plain, true)
+ }
+ _ if settings.cluster_config.emptydir_type == EMPTYDIR_TYPE_SHARED_FS => {
+ (&settings_volumes.emptyDir, false)
+ }
+ _ => panic!(
+ "Unsupported emptydir_type {:?}",
+ settings.cluster_config.emptydir_type
+ ),
 };
- if emptyDir.medium.as_deref() == Some("Memory") || block_encrypted_emptydir {
+ if emptyDir.medium.as_deref() == Some("Memory") || block_emptydir {
 get_guest_empty_dir_mount_and_storage(
 settings,
 p_mounts,
@@ -161,7 +174,7 @@ fn get_empty_dir_mount(
 yaml_mount,
 volume,
 pod_security_context,
- block_encrypted_emptydir,
+ block_emptydir,
 );
 } else {
 let access = if yaml_mount.readOnly == Some(true) {
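Review bot: An unsupported `emptydir_type` value is only rejected by the new `panic!` arm when a pod with a non-Memory emptyDir is actually processed, so a mistyped settings file passes silently for every pod without such a volume, and a `medium: Memory` emptyDir never reaches the check because the `Some("Memory")` arm is tried first. Validating the value once at settings load (or deserializing it into an enum, if ClusterConfig goes through serde as its JSON origin suggests) would fail fast and would also cover the `pub emptydir_type: String` field added in policy.rs. As a style point, the chain of `_ if … == …` guards on a match over the medium reads more clearly as a match over `(medium, emptydir_type.as_str())` with the constants as patterns, as below. `get_empty_dir_mount` starts and ends outside the hunk, and the second hunk is the matching rename.
```rust
    let settings_volumes = &settings.volumes;
    let (volume, block_emptydir) = match (
        emptyDir.medium.as_deref(),
        settings.cluster_config.emptydir_type.as_str(),
    ) {
        // `medium: Memory` wins regardless of the configured emptydir_type.
        (Some("Memory"), _) => (&settings_volumes.emptyDir_memory, false),
        (_, EMPTYDIR_TYPE_BLOCK_ENCRYPTED) => (&settings_volumes.emptyDir_encrypted, true),
        (_, EMPTYDIR_TYPE_BLOCK_PLAIN) => (&settings_volumes.emptyDir_plain, true),
        (_, EMPTYDIR_TYPE_SHARED_FS) => (&settings_volumes.emptyDir, false),
        (_, other) => panic!("Unsupported emptydir_type {:?}", other),
    };
    // … unchanged: dispatch on block_emptydir to the guest/host mount helpers …
```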
@@ -181,21 +194,21 @@ fn get_guest_empty_dir_mount_and_storage(
 yaml_mount: &pod::VolumeMount,
 settings_empty_dir: &settings::EmptyDirVolume,
 pod_security_context: &Option,
- block_encrypted_emptydir: bool,
+ block_emptydir: bool,
 ) {
 debug!("Settings emptyDir: {:?}", settings_empty_dir);
 if yaml_mount.subPathExpr.is_none() {
 let mut options = settings_empty_dir.options.clone();
 // Pod fsGroup in policy must mirror how the shim encodes it on Storage: // - block-encrypted host emptyDirs become virtio-blk/scsi volumes; the runtime sets
+ // - block host emptyDirs become virtio-blk/scsi volumes; the runtime sets
 // Storage.fs_group from mount metadata (handleDeviceBlockVolume in kata_agent.go).
 // - shared-fs / guest-local emptyDirs use Storage.options: the runtime appends
 // fsgid= when the volume is not root-owned (handleEphemeralStorage and
 // handleLocalStorage in kata_agent.go). Genpolicy uses pod fsGroup when non-zero as
 // the usual kubelet-applied GID for that stat.
 let pod_gid = pod_security_context.as_ref().and_then(|sc| sc.fsGroup);
- let fs_group = if block_encrypted_emptydir {
+ let fs_group = if block_emptydir {
 match pod_gid {
 Some(gid) if gid > 0 => protobuf::MessageField::some(agent::FSGroup {
 group_id: u32::try_from(gid).unwrap_or_else(|_| {
diff --git a/src/tools/genpolicy/src/policy.rs b/src/tools/genpolicy/src/policy.rs
index ffb4921af6..7bf747fbfa 100644
--- a/src/tools/genpolicy/src/policy.rs
+++ b/src/tools/genpolicy/src/policy.rs
@@ -476,9 +476,9 @@ pub struct ClusterConfig {
 /// as the only value* in AdditionalGids.
 pub pause_container_id_policy: String,
- /// Whether emptyDirs are encrypted with modified metadata in the
- /// mount and a storage object for the block device.
- pub encrypted_emptydir: bool,
+ /// How emptyDirs are represented in the policy.
+ /// Supported values are "shared-fs", "block-encrypted", and "block-plain".
+ pub emptydir_type: String,
 /// Cgroup v2 mount options that may appear beyond what genpolicy embeds
 /// (e.g. "nsdelegate", "memory_recursiveprot" on newer kernels).
diff --git a/src/tools/genpolicy/src/settings.rs b/src/tools/genpolicy/src/settings.rs
index 501e8951ba..c7d18c777f 100644
--- a/src/tools/genpolicy/src/settings.rs
+++ b/src/tools/genpolicy/src/settings.rs
@@ -35,6 +35,7 @@ pub struct Settings {
 pub struct Volumes {
 pub emptyDir: EmptyDirVolume,
 pub emptyDir_encrypted: EmptyDirVolume,
+ pub emptyDir_plain: EmptyDirVolume,
 pub emptyDir_memory: EmptyDirVolume,
 pub configMap: ConfigMapVolume,
 pub image_volume: ImageVolume,
diff --git a/src/tools/genpolicy/tests/policy/testdata/createcontainer/security_context/fsgroup/testcases.json b/src/tools/genpolicy/tests/policy/testdata/createcontainer/security_context/fsgroup/testcases.json
index c4db65ae59..914a2e2a4c 100644
--- a/src/tools/genpolicy/tests/policy/testdata/createcontainer/security_context/fsgroup/testcases.json
+++ b/src/tools/genpolicy/tests/policy/testdata/createcontainer/security_context/fsgroup/testcases.json
@@ -343,7 +343,8 @@
 {
 "driver": "blk",
 "driver_options": [
- "encryption_key=ephemeral"
+ "encryption_key=ephemeral",
+ "create_filesystem"
 ],
 "fs_group": {
 "group_id": 1000
diff --git a/src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/emptydir/testcases.json b/src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/emptydir/testcases.json
index c3a10a70d6..1b593d3475 100644
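Review bot: The new doc comment on `emptydir_type` lists the accepted strings but not what they select, and the difference is security-relevant: per the settings hunk, `"block-plain"` picks the `emptyDir_plain` template, which carries `create_filesystem` but no `encryption_key=ephemeral` driver option, so the emptyDir's block device gets no encryption through that mechanism. I would replace the second doc line with something like `/// "shared-fs": regular (non-block) mount; "block-encrypted": block device with encryption_key=ephemeral; "block-plain": block device with no encryption key.` and add that a `medium: Memory` emptyDir ignores this setting and that any other value makes genpolicy panic when an emptyDir is processed (see get_empty_dir_mount in mount_and_storage.rs). Whether a settings-validation step elsewhere rejects unknown values before that point is not visible in this diff.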
--- a/src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/emptydir/testcases.json
+++ b/src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/emptydir/testcases.json
@@ -168,7 +168,8 @@
 {
 "driver": "blk",
 "driver_options": [
- "encryption_key=ephemeral"
+ "encryption_key=ephemeral",
+ "create_filesystem"
 ],
 "fs_group": null,
 "fstype": "ext4",
@@ -180,7 +181,8 @@
 {
 "driver": "blk",
 "driver_options": [
- "encryption_key=ephemeral"
+ "encryption_key=ephemeral",
+ "create_filesystem"
 ],
 "fs_group": null,
 "fstype": "ext4",
@@ -192,7 +194,8 @@
 {
 "driver": "blk",
 "driver_options": [
- "encryption_key=ephemeral"
+ "encryption_key=ephemeral",
+ "create_filesystem"
 ],
 "fs_group": null,
 "fstype": "ext4",
@@ -204,7 +207,8 @@
 {
 "driver": "blk",
 "driver_options": [
- "encryption_key=ephemeral"
+ "encryption_key=ephemeral",
+ "create_filesystem"
 ],
 "fs_group": null,
 "fstype": "ext4",
@@ -365,7 +369,8 @@
 {
 "driver": "blk",
 "driver_options": [
- "encryption_key=ephemeral"
+ "encryption_key=ephemeral",
+ "create_filesystem"
 ],
 "fs_group": null,
 "fstype": "ext4",
@@ -377,7 +382,8 @@
 {
 "driver": "blk",
 "driver_options": [
- "encryption_key=ephemeral"
+ "encryption_key=ephemeral",
+ "create_filesystem"
 ],
 "fs_group": null,
 "fstype": "ext4",
@@ -389,7 +395,8 @@
 {
 "driver": "blk",
 "driver_options": [
- "encryption_key=ephemeral"
+ "encryption_key=ephemeral",
+ "create_filesystem"
 ],
 "fs_group": null,
 "fstype": "ext4",
@@ -401,7 +408,8 @@
 {
 "driver": "blk",
 "driver_options": [
- "encryption_key=ephemeral"
+ "encryption_key=ephemeral",
+ "create_filesystem"
 ],
 "fs_group": null,
 "fstype": "ext4",
@@ -572,7 +580,8 @@
 {
 "driver": "blk",
 "driver_options": [
- "encryption_key=ephemeral"
+ "encryption_key=ephemeral",
+ "create_filesystem"
 ],
 "fs_group": null,
 "fstype": "ext4",
@@ -584,7 +593,8 @@
 {
 "driver": "blk",
 "driver_options": [
- "encryption_key=ephemeral"
+ "encryption_key=ephemeral",
+ "create_filesystem"
 ],
 "fs_group": null,
 "fstype": "ext4",
@@ -596,7 +606,8 @@
 {
 "driver": "blk",
 "driver_options": [
- "encryption_key=ephemeral"
+ "encryption_key=ephemeral",
+ "create_filesystem"
 ],
 "fs_group": null,
 "fstype": "ext4",
@@ -608,7 +619,8 @@
 {
 "driver": "blk",
 "driver_options": [
- "encryption_key=ephemeral"
+ "encryption_key=ephemeral",
+ "create_filesystem"
 ],
 "fs_group": null,
 "fstype": "ext4",
@@ -764,7 +776,8 @@
 {
 "driver": "blk",
 "driver_options": [
- "encryption_key=ephemeral"
+ "encryption_key=ephemeral",
+ "create_filesystem"
 ],
 "fs_group": null,
 "fstype": "ext4",
@@ -776,7 +789,8 @@
 {
 "driver": "blk",
 "driver_options": [
- "encryption_key=ephemeral"
+ "encryption_key=ephemeral",
+ "create_filesystem"
 ],
 "fs_group": null,
 "fstype": "ext4",
@@ -788,7 +802,8 @@
 {
 "driver": "blk",
 "driver_options": [
- "encryption_key=ephemeral"
+ "encryption_key=ephemeral",
+ "create_filesystem"
 ],
 "fs_group": null,
 "fstype": "ext4",
@@ -800,7 +815,8 @@
 {
 "driver": "blk",
 "driver_options": [
- "encryption_key=ephemeral"
+ "encryption_key=ephemeral",
+ "create_filesystem"
 ],
 "fs_group": null,
 "fstype": "ext4",
@@ -1315,7 +1331,8 @@
 {
 "driver": "blk",
 "driver_options": [
- "encryption_key=ephemeral"
+ "encryption_key=ephemeral",
+ "create_filesystem"
 ],
 "fs_group": null,
 "fstype": "ext4",
@@ -1327,7 +1344,8 @@
 {
 "driver": "blk",
 "driver_options": [
- "encryption_key=ephemeral"
+ "encryption_key=ephemeral",
+ "create_filesystem"
 ],
 "fs_group": null,
 "fstype": "ext4",
@@ -1339,7 +1357,8 @@
 {
 "driver": "blk",
 "driver_options": [
- "encryption_key=ephemeral"
+ "encryption_key=ephemeral",
+ "create_filesystem"
 ],
 "fs_group": null,
 "fstype": "ext4",
@@ -1351,7 +1370,8 @@
 {
 "driver": "blk",
 "driver_options": [
- "encryption_key=ephemeral"
+ "encryption_key=ephemeral",
+ "create_filesystem"
 ],
 "fs_group": null,
 "fstype": "ext4",
@@ -1512,7 +1532,8 @@
 {
 "driver": "blk",
 "driver_options": [
- "encryption_key=ephemeral"
+ "encryption_key=ephemeral",
+ "create_filesystem"
 ],
 "fs_group": null,
 "fstype": "ext4",
@@ -1526,7 +1547,8 @@
 {
 "driver": "blk",
 "driver_options": [
- "encryption_key=ephemeral"
+ "encryption_key=ephemeral",
+ "create_filesystem"
 ],
 "fs_group": null,
 "fstype": "ext4",
@@ -1540,7 +1562,8 @@
 {
 "driver": "blk",
 "driver_options": [
- "encryption_key=ephemeral"
+ "encryption_key=ephemeral",
+ "create_filesystem"
 ],
 "fs_group": null,
 "fstype": "ext4",
@@ -1554,7 +1577,8 @@
 {
 "driver": "blk",
 "driver_options": [
- "encryption_key=ephemeral"
+ "encryption_key=ephemeral",
+ "create_filesystem"
 ],
 "fs_group": null,
 "fstype": "ext4",
@@ -1717,7 +1741,8 @@
 {
 "driver": "blk",
 "driver_options": [
- "encryption_key=ephemeral"
+ "encryption_key=ephemeral",
+ "create_filesystem"
 ],
 "fs_group": null,
 "fstype": "invalid_fstype",
@@ -1729,7 +1754,8 @@
 {
 "driver": "blk",
 "driver_options": [
- "encryption_key=ephemeral"
+ "encryption_key=ephemeral",
+ "create_filesystem"
 ],
 "fs_group": null,
 "fstype": "invalid_fstype",
@@ -1741,7 +1767,8 @@
 {
 "driver": "blk",
 "driver_options": [
- "encryption_key=ephemeral"
+ "encryption_key=ephemeral",
+ "create_filesystem"
 ],
 "fs_group": null,
 "fstype": "invalid_fstype",
@@ -1753,7 +1780,8 @@
 {
 "driver": "blk",
 "driver_options": [
- "encryption_key=ephemeral"
+ "encryption_key=ephemeral",
+ "create_filesystem"
 ],
 "fs_group": null,
 "fstype": "invalid_fstype",