From 73ad83e1ccafe55e7726acc6de97f62cf66ab685 Mon Sep 17 00:00:00 2001 From: Dan Mihai Date: Wed, 12 Nov 2025 22:36:42 +0000 Subject: [PATCH] genpolicy: update workaround for guest pull Don't skip anymore parsing the pause container image when using the recently updated AKS pause container handling - i.e. when pause_container_id_policy == "v2". This was the easiest CI fix for guest pull + new AKS given the *current* tests. When adding *new* UID/GID/AdditionalGids tests in the future, these workarounds might need additional updates. Signed-off-by: Dan Mihai --- src/tools/genpolicy/src/pod.rs | 9 ++- src/tools/genpolicy/src/registry.rs | 72 +++++++++---------- .../genpolicy/src/registry_containerd.rs | 46 ++++++------ src/tools/genpolicy/src/yaml.rs | 6 +- 4 files changed, 67 insertions(+), 66 deletions(-) diff --git a/src/tools/genpolicy/src/pod.rs b/src/tools/genpolicy/src/pod.rs index b54d686047..60b5781465 100644 --- a/src/tools/genpolicy/src/pod.rs +++ b/src/tools/genpolicy/src/pod.rs @@ -602,9 +602,11 @@ struct TopologySpreadConstraint { } impl Container { - pub async fn init(&mut self, config: &Config) { + pub async fn init(&mut self, config: &Config, is_pause_container: bool) { // Load container image properties from the registry. - self.registry = registry::get_container(config, &self.image).await.unwrap(); + self.registry = registry::get_container(config, &self.image, is_pause_container) + .await + .unwrap(); } pub fn get_env_variables( @@ -1103,7 +1105,8 @@ pub async fn add_pause_container(containers: &mut Vec, config: &Confi }), ..Default::default() }; - pause_container.init(config).await; + let is_pause_container = true; + pause_container.init(config, is_pause_container).await; containers.insert(0, pause_container); debug!("pause container added."); } diff --git a/src/tools/genpolicy/src/registry.rs b/src/tools/genpolicy/src/registry.rs index f6298a0834..1ba71946d4 100644 --- a/src/tools/genpolicy/src/registry.rs +++ b/src/tools/genpolicy/src/registry.rs 
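Review bot: The new `is_pause_container` parameter on `Container::init` is undocumented, and so are the parallel additions in registry.rs (`Container::new`, `get_container`) and registry_containerd.rs (`new_containerd_pull`); a reader has to locate the guest-pull branch in registry.rs to learn what the flag changes. Add a doc comment above `init`, e.g. `/// is_pause_container selects the guest-pull workaround: with guest pull enabled, passwd/group parsing is skipped for regular containers, and for the pause container only when pause_container_id_policy is "v1".`, and repeat the one-liner on the three other signatures. Every call site introduces a named local (`let is_pause_container = true;`) to make the bare `true`/`false` readable, which hints that a two-variant enum would be self-documenting at the call sites; that is a style preference rather than a requirement for this change.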
@@ -125,7 +125,7 @@ const GROUP_FILE_WHITEOUT_TAR_PATH: &str = "etc/.wh.group"; pub const WHITEOUT_MARKER: &str = "WHITEOUT"; impl Container { - pub async fn new(config: &Config, image: &str) -> Result { + pub async fn new(config: &Config, image: &str, is_pause_container: bool) -> Result { info!("============================================"); info!("Pulling manifest and config for {image}"); let image_string = image.to_string(); 
@@ -168,41 +168,36 @@ impl Container { // Nydus/guest_pull doesn't make available passwd/group files from layers properly. // See issue https://github.com/kata-containers/kata-containers/issues/11162 - if config.settings.cluster_config.guest_pull { + let v1_policy = config.settings.cluster_config.pause_container_id_policy == "v1"; + if config.settings.cluster_config.guest_pull && (v1_policy || !is_pause_container) { info!("Guest pull is enabled, skipping passwd/group file parsing"); - return Ok(Container { - image: image_string, - config_layer, - passwd, - group, - }); - } + } else { + let image_layers = get_image_layers( + &config.layers_cache, + &mut client, + &reference, + &manifest, + &config_layer, + ) + .await + .unwrap(); - let image_layers = get_image_layers( - &config.layers_cache, - &mut client, - &reference, - &manifest, - &config_layer, - ) - .await - .unwrap(); + // Find the last layer with an /etc/* file, respecting whiteouts. + info!("Parsing users and groups in image layers"); + for layer in &image_layers { + if layer.passwd == WHITEOUT_MARKER { + passwd = String::new(); + } else if !layer.passwd.is_empty() { + passwd = layer.passwd.clone(); + debug!("Container:new: Found in image layer passwd = \n{passwd}"); + } - // Find the last layer with an /etc/* file, respecting whiteouts. 
- info!("Parsing users and groups in image layers"); - for layer in &image_layers { - if layer.passwd == WHITEOUT_MARKER { - passwd = String::new(); - } else if !layer.passwd.is_empty() { - passwd = layer.passwd.clone(); - debug!("Container:new: Found in image layer passwd = \n{passwd}"); - } - - if layer.group == WHITEOUT_MARKER { - group = String::new(); - } else if !layer.group.is_empty() { - group = layer.group.clone(); - debug!("Container:new: Found in image layer group = \n{group}"); + if layer.group == WHITEOUT_MARKER { + group = String::new(); + } else if !layer.group.is_empty() { + group = layer.group.clone(); + debug!("Container:new: Found in image layer group = \n{group}"); + } } } @@ -657,11 +652,16 @@ pub fn get_users_from_decompressed_layer(path: &Path) -> Result<(String, String) Ok((passwd, group)) } -pub async fn get_container(config: &Config, image: &str) -> Result { +pub async fn get_container( + config: &Config, + image: &str, + is_pause_container: bool, +) -> Result { if let Some(socket_path) = &config.containerd_socket_path { - return Container::new_containerd_pull(config, image, socket_path).await; + return Container::new_containerd_pull(config, image, socket_path, is_pause_container) + .await; } - Container::new(config, image).await + Container::new(config, image, is_pause_container).await } fn build_auth(reference: &Reference) -> RegistryAuth { diff --git a/src/tools/genpolicy/src/registry_containerd.rs b/src/tools/genpolicy/src/registry_containerd.rs index 4c71a7ea6a..b567fd7b54 100644 --- a/src/tools/genpolicy/src/registry_containerd.rs +++ b/src/tools/genpolicy/src/registry_containerd.rs @@ -32,6 +32,7 @@ impl Container { config: &Config, image: &str, containerd_socket_path: &str, + is_pause_container: bool, ) -> Result { info!("============================================"); info!("Using containerd socket: {:?}", containerd_socket_path); 
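Review bot: With guest pull enabled and `pause_container_id_policy` set to anything other than `"v1"`, the pause container now reaches `get_image_layers(...).await.unwrap()`, a panic path the old early return never executed under guest pull; since `Container::new` returns `Result`, propagating with `.await?` (with context if this is an anyhow Result) keeps a layer-fetch failure a reportable error instead of a crash of the policy generator. The plain string comparison also means a misspelled or future policy value ("V1", "v3") silently selects the parsing branch, which is the path the workaround exists to avoid under guest pull; unless the config loader already rejects unknown values, compare against the accepted set explicitly (`"v1"` skips, `"v2"` parses, anything else is a configuration error). The same guard is duplicated verbatim in the registry_containerd.rs hunk @@ -70; a single `pub(crate) fn skip_passwd_group_parsing(config: &Config, is_pause_container: bool) -> bool` in this module would keep the two pull paths from drifting. The message `Guest pull is enabled, skipping passwd/group file parsing` no longer explains why a pause container was or was not parsed, so include the policy value in it. `Container::new` starts in the preceding hunk and continues past this one.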
@@ -70,34 +71,29 @@ impl Container { // Nydus/guest_pull doesn't make available passwd/group files from layers properly. // See issue https://github.com/kata-containers/kata-containers/issues/11162 - if config.settings.cluster_config.guest_pull { + let v1_policy = config.settings.cluster_config.pause_container_id_policy == "v1"; + if config.settings.cluster_config.guest_pull && (v1_policy || !is_pause_container) { info!("Guest pull is enabled, skipping passwd/group file parsing"); - return Ok(Container { - image: image_str, - config_layer, - passwd, - group, - }); - } + } else { + let image_layers = + get_image_layers(&config.layers_cache, &manifest, &config_layer, &ctrd_client) + .await + .unwrap(); - let image_layers = - get_image_layers(&config.layers_cache, &manifest, &config_layer, &ctrd_client) - .await - .unwrap(); + // Find the last layer with an /etc/* file, respecting whiteouts. + info!("Parsing users and groups in image layers"); + for layer in &image_layers { + if layer.passwd == WHITEOUT_MARKER { + passwd = String::new(); + } else if !layer.passwd.is_empty() { + passwd = layer.passwd.clone(); + } - // Find the last layer with an /etc/* file, respecting whiteouts. - info!("Parsing users and groups in image layers"); - for layer in &image_layers { - if layer.passwd == WHITEOUT_MARKER { - passwd = String::new(); - } else if !layer.passwd.is_empty() { - passwd = layer.passwd.clone(); - } - - if layer.group == WHITEOUT_MARKER { - group = String::new(); - } else if !layer.group.is_empty() { - group = layer.group.clone(); + if layer.group == WHITEOUT_MARKER { + group = String::new(); + } else if !layer.group.is_empty() { + group = layer.group.clone(); + } } } diff --git a/src/tools/genpolicy/src/yaml.rs b/src/tools/genpolicy/src/yaml.rs index 1c83b43574..7fb078b340 100644 --- a/src/tools/genpolicy/src/yaml.rs +++ b/src/tools/genpolicy/src/yaml.rs 
@@ -271,7 +271,8 @@ pub fn get_yaml_header(yaml: &str) -> anyhow::Result { pub async fn k8s_resource_init(spec: &mut pod::PodSpec, config: &Config) { for container in &mut spec.containers { - container.init(config).await; + let is_pause_container = false; + container.init(config, is_pause_container).await; } pod::add_pause_container(&mut spec.containers, config).await; @@ -279,7 +280,8 @@ pub async fn k8s_resource_init(spec: &mut pod::PodSpec, config: &Config) { if let Some(init_containers) = &spec.initContainers { for container in init_containers { let mut new_container = container.clone(); - new_container.init(config).await; + let is_pause_container = false; + new_container.init(config, is_pause_container).await; spec.containers.insert(1, new_container); } }
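Review bot: `let is_pause_container = false;` is re-declared inside the loop body here and again in the `initContainers` loop of the following hunk, both within `k8s_resource_init`; a single binding at the top of the function (or a `const IS_PAUSE_CONTAINER: bool = false;`) states the intent once and avoids the two copies diverging. A short comment on that binding, e.g. `// Only add_pause_container() creates the pause container; everything here is a regular container.`, would make the flag's value obvious without reading pod.rs. This is a readability point only; behaviour is unchanged.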