genpolicy: load OCI version from settings

Load OCI version from genpolicy-settings.json and validate it in rules.rego Fixes: #9593 Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2025-06-25 15:02:45 +00:00 · 2024-06-10 11:14:59 -07:00 · 2024-06-10 11:14:59 -07:00 · 6a84562c16
commit 6a84562c16
parent 0c5849b68b
4 changed files with 6 additions and 12 deletions
--- a/src/tools/genpolicy/genpolicy-settings.json
+++ b/src/tools/genpolicy/genpolicy-settings.json
@ -269,7 +269,8 @@
        ]
    },
    "kata_config": {
-        "confidential_guest": false
+        "confidential_guest": false,
+        "oci_version": "1.1.0"
    },
    "cluster_config": {
        "default_namespace": "default",
--- a/src/tools/genpolicy/rules.rego
+++ b/src/tools/genpolicy/rules.rego
@ -66,8 +66,7 @@ CreateContainerRequest {
    p_oci := p_container.OCI

    print("CreateContainerRequest: p Version =", p_oci.Version, "i Version =", i_oci.Version)
-    # TODO: Reenable when the Mariner host is reinstated, see #9593.
-    # p_oci.Version == i_oci.Version
+    p_oci.Version == i_oci.Version

    print("CreateContainerRequest: p Readonly =", p_oci.Root.Readonly, "i Readonly =", i_oci.Root.Readonly)
    p_oci.Root.Readonly == i_oci.Root.Readonly
--- a/src/tools/genpolicy/src/policy.rs
+++ b/src/tools/genpolicy/src/policy.rs
@ -29,9 +29,6 @@ use std::collections::BTreeMap;
 use std::fs::read_to_string;
 use std::io::Write;

-// TODO: load this value from the settings file.
-const DEFAULT_OCI_VERSION: &str = "1.1.0-rc.1";
-
 /// Intermediary format of policy data.
 pub struct AgentPolicy {
    /// K8s resources described by the input YAML file.
@ -73,7 +70,7 @@ pub struct PolicyData {
 #[derive(Clone, Debug, Deserialize, Serialize)]
 pub struct KataSpec {
    /// Version of the Open Container Initiative Runtime Specification with which the bundle complies.
-    #[serde(default = "version_default")]
+    #[serde(default)]
    pub Version: String,

    /// Process configures the container process.
@ -100,10 +97,6 @@ pub struct KataSpec {
    pub Linux: KataLinux,
 }

-fn version_default() -> String {
-    DEFAULT_OCI_VERSION.to_string()
-}
-
 /// OCI container Process struct. This struct is very similar to the Process
 /// struct generated from oci.proto. The main difference is that it preserves
 /// the upper case field names from oci.proto, for consistency with the structs
@ -565,7 +558,7 @@ impl AgentPolicy {

        ContainerPolicy {
            OCI: KataSpec {
-                Version: version_default(),
+                Version: self.config.settings.kata_config.oci_version.clone(),
                Process: process,
                Root: root,
                Mounts: mounts,
--- a/src/tools/genpolicy/src/settings.rs
+++ b/src/tools/genpolicy/src/settings.rs
@ -64,6 +64,7 @@ pub struct ConfigMapVolume {
 #[derive(Clone, Debug, Serialize, Deserialize)]
 pub struct KataConfig {
    pub confidential_guest: bool,
+    pub oci_version: String,
 }

 impl Settings {