github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-06-26 15:32:30 +00:00
Code Issues Projects Releases Wiki Activity

genpolicy: load OCI version from settings

Browse Source 
Load OCI version from genpolicy-settings.json and validate it in
rules.rego

Fixes: #9593

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
This commit is contained in:
Saul Paredes 2024-06-10 11:14:59 -07:00
parent 0c5849b68b
commit 6a84562c16
4 changed files with 6 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/tools/genpolicy/genpolicy-settings.json
View File

@ -269,7 +269,8 @@
] ]
}, },
"kata_config": { "kata_config": {
"confidential_guest": false "confidential_guest": false,
"oci_version": "1.1.0"
}, },
"cluster_config": { "cluster_config": {
"default_namespace": "default", "default_namespace": "default",

3
src/tools/genpolicy/rules.rego
View File

@ -66,8 +66,7 @@ CreateContainerRequest {
p_oci := p_container.OCI p_oci := p_container.OCI
print("CreateContainerRequest: p Version =", p_oci.Version, "i Version =", i_oci.Version) print("CreateContainerRequest: p Version =", p_oci.Version, "i Version =", i_oci.Version)
# TODO: Reenable when the Mariner host is reinstated, see #9593. p_oci.Version == i_oci.Version
# p_oci.Version == i_oci.Version
print("CreateContainerRequest: p Readonly =", p_oci.Root.Readonly, "i Readonly =", i_oci.Root.Readonly) print("CreateContainerRequest: p Readonly =", p_oci.Root.Readonly, "i Readonly =", i_oci.Root.Readonly)
p_oci.Root.Readonly == i_oci.Root.Readonly p_oci.Root.Readonly == i_oci.Root.Readonly

11
src/tools/genpolicy/src/policy.rs
View File

@ -29,9 +29,6 @@ use std::collections::BTreeMap;
use std::fs::read_to_string; use std::fs::read_to_string;
use std::io::Write; use std::io::Write;
// TODO: load this value from the settings file.
const DEFAULT_OCI_VERSION: &str = "1.1.0-rc.1";
/// Intermediary format of policy data. /// Intermediary format of policy data.
pub struct AgentPolicy { pub struct AgentPolicy {
/// K8s resources described by the input YAML file. /// K8s resources described by the input YAML file.
@ -73,7 +70,7 @@ pub struct PolicyData {
#[derive(Clone, Debug, Deserialize, Serialize)] #[derive(Clone, Debug, Deserialize, Serialize)]
pub struct KataSpec { pub struct KataSpec {
/// Version of the Open Container Initiative Runtime Specification with which the bundle complies. /// Version of the Open Container Initiative Runtime Specification with which the bundle complies.
#[serde(default = "version_default")] #[serde(default)]
pub Version: String, pub Version: String,
/// Process configures the container process. /// Process configures the container process.
@ -100,10 +97,6 @@ pub struct KataSpec {
pub Linux: KataLinux, pub Linux: KataLinux,
} }
fn version_default() -> String {
DEFAULT_OCI_VERSION.to_string()
}
/// OCI container Process struct. This struct is very similar to the Process /// OCI container Process struct. This struct is very similar to the Process
/// struct generated from oci.proto. The main difference is that it preserves /// struct generated from oci.proto. The main difference is that it preserves
/// the upper case field names from oci.proto, for consistency with the structs /// the upper case field names from oci.proto, for consistency with the structs
@ -565,7 +558,7 @@ impl AgentPolicy {
ContainerPolicy { ContainerPolicy {
OCI: KataSpec { OCI: KataSpec {
Version: version_default(), Version: self.config.settings.kata_config.oci_version.clone(),
Process: process, Process: process,
Root: root, Root: root,
Mounts: mounts, Mounts: mounts,

1
src/tools/genpolicy/src/settings.rs
View File

@ -64,6 +64,7 @@ pub struct ConfigMapVolume {
#[derive(Clone, Debug, Serialize, Deserialize)] #[derive(Clone, Debug, Serialize, Deserialize)]
pub struct KataConfig { pub struct KataConfig {
pub confidential_guest: bool, pub confidential_guest: bool,
pub oci_version: String,
} }
impl Settings { impl Settings {