Merge pull request #9051 from microsoft/danmihai1/k8s-copy-file
tests: k8s: k8s-copy-file auto-generated policy
This commit is contained in:
commit
a054462eb7
@ -299,6 +299,7 @@
|
||||
"commands": [],
|
||||
"regex": []
|
||||
},
|
||||
"CloseStdinRequest": false,
|
||||
"ReadStreamRequest": false,
|
||||
"WriteStreamRequest": false
|
||||
}
|
||||
|
@ -10,6 +10,9 @@ import future.keywords.every
|
||||
import input
|
||||
|
||||
# Default values, returned by OPA when rules cannot be evaluated to true.
|
||||
default AddARPNeighborsRequest := false
|
||||
default AddSwapRequest := false
|
||||
default CloseStdinRequest := false
|
||||
default CopyFileRequest := false
|
||||
default CreateContainerRequest := false
|
||||
default CreateSandboxRequest := true
|
||||
@ -17,15 +20,25 @@ default DestroySandboxRequest := true
|
||||
default ExecProcessRequest := false
|
||||
default GetOOMEventRequest := true
|
||||
default GuestDetailsRequest := true
|
||||
default ListInterfacesRequest := false
|
||||
default ListRoutesRequest := false
|
||||
default MemHotplugByProbeRequest := false
|
||||
default OnlineCPUMemRequest := true
|
||||
default PullImageRequest := true
|
||||
default PauseContainerRequest := false
|
||||
default ReadStreamRequest := false
|
||||
default RemoveContainerRequest := true
|
||||
default RemoveStaleVirtiofsShareMountsRequest := true
|
||||
default ReseedRandomDevRequest := false
|
||||
default ResumeContainerRequest := false
|
||||
default SetGuestDateTimeRequest := false
|
||||
default SetPolicyRequest := false
|
||||
default SignalProcessRequest := true
|
||||
default StartContainerRequest := true
|
||||
default StartTracingRequest := false
|
||||
default StatsContainerRequest := true
|
||||
default StopTracingRequest := false
|
||||
default TtyWinResizeRequest := true
|
||||
default UpdateContainerRequest := false
|
||||
default UpdateEphemeralMountsRequest := true
|
||||
default UpdateInterfaceRequest := true
|
||||
default UpdateRoutesRequest := true
|
||||
@ -1096,6 +1109,7 @@ ExecProcessRequest {
|
||||
print("ExecProcessRequest 3: i_command =", i_command)
|
||||
|
||||
some p_command in policy_data.request_defaults.ExecProcessRequest.commands
|
||||
print("ExecProcessRequest 1: p_command =", p_command)
|
||||
p_command == i_command
|
||||
|
||||
print("ExecProcessRequest 1: true")
|
||||
@ -1130,6 +1144,10 @@ ExecProcessRequest {
|
||||
print("ExecProcessRequest 3: true")
|
||||
}
|
||||
|
||||
CloseStdinRequest {
|
||||
policy_data.request_defaults.CloseStdinRequest == true
|
||||
}
|
||||
|
||||
ReadStreamRequest {
|
||||
policy_data.request_defaults.ReadStreamRequest == true
|
||||
}
|
||||
|
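Review bot: The new `CloseStdinRequest` and `ReadStreamRequest` rules evaluate only `policy_data.request_defaults.<name> == true` and never look at `input`, so enabling either key in the settings opens that request for every container in the sandbox, not just the one a test exercises. A short comment above `CloseStdinRequest {` makes that scope explicit for the next person who flips the setting, e.g. `# Sandbox-wide switch: no per-container or per-process check is applied here.`. The `default CloseStdinRequest := false` / `default ReadStreamRequest := false` lines in the header keep both fail-closed when the key is missing from the settings, which is worth stating in the same comment.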
@ -324,6 +324,9 @@ pub struct RequestDefaults {
|
||||
/// Commands allowed to be executed by the Host in all Guest containers.
|
||||
pub ExecProcessRequest: ExecProcessRequestDefaults,
|
||||
|
||||
/// Allow the Host to close stdin for a container. Typically used with WriteStreamRequest.
|
||||
pub CloseStdinRequest: bool,
|
||||
|
||||
/// Allow Host reading from Guest containers stdout and stderr.
|
||||
pub ReadStreamRequest: bool,
|
||||
|
||||
|
@ -23,9 +23,12 @@ setup() {
|
||||
|
||||
# Add policy to yaml
|
||||
policy_settings_dir="$(create_tmp_policy_settings_dir "${pod_config_dir}")"
|
||||
|
||||
display_message="cat /usr/share/message"
|
||||
exec_command="sh -c ${display_message}"
|
||||
add_exec_to_policy_settings "${policy_settings_dir}" "${exec_command}"
|
||||
|
||||
add_requests_to_policy_settings "${policy_settings_dir}" "ReadStreamRequest"
|
||||
auto_generate_policy "${policy_settings_dir}" "${yaml_file}"
|
||||
}
|
||||
|
||||
|
@ -15,7 +15,7 @@ setup() {
|
||||
}
|
||||
|
||||
@test "Copy file in a pod" {
|
||||
# Create pod
|
||||
# Create pod config YAML file.
|
||||
pod_name="pod-copy-file-from-host"
|
||||
ctr_name="ctr-copy-file-from-host"
|
||||
|
||||
@ -24,6 +24,25 @@ setup() {
|
||||
sed -i "s/POD_NAME/$pod_name/" "$pod_config"
|
||||
sed -i "s/CTR_NAME/$ctr_name/" "$pod_config"
|
||||
|
||||
# Add policy to the YAML file.
|
||||
policy_settings_dir="$(create_tmp_policy_settings_dir "${pod_config_dir}")"
|
||||
allowed_requests=(
|
||||
"CloseStdinRequest"
|
||||
"ReadStreamRequest"
|
||||
"WriteStreamRequest"
|
||||
)
|
||||
add_requests_to_policy_settings "${policy_settings_dir}" "${allowed_requests[@]}"
|
||||
add_copy_from_host_to_policy_settings "${policy_settings_dir}"
|
||||
|
||||
cat_command="cat /tmp/$file_name"
|
||||
exec_command="sh -c ${cat_command}"
|
||||
add_exec_to_policy_settings "${policy_settings_dir}" "${exec_command}"
|
||||
|
||||
auto_generate_policy "${policy_settings_dir}" "${pod_config}"
|
||||
delete_tmp_policy_settings_dir "${policy_settings_dir}"
|
||||
policy_settings_dir=""
|
||||
|
||||
# Create pod
|
||||
kubectl create -f "${pod_config}"
|
||||
|
||||
# Check pod creation
|
||||
@ -36,11 +55,11 @@ setup() {
|
||||
kubectl cp "$file_name" $pod_name:/tmp
|
||||
|
||||
# Print environment variables
|
||||
kubectl exec $pod_name -- sh -c "cat /tmp/$file_name | grep $content"
|
||||
kubectl exec $pod_name -- sh -c "${cat_command}" | grep $content
|
||||
}
|
||||
|
||||
@test "Copy from pod to host" {
|
||||
# Create pod
|
||||
# Create pod config YAML file.
|
||||
pod_name="pod-copy-file-to-host"
|
||||
ctr_name="ctr-copy-file-to-host"
|
||||
|
||||
@ -49,6 +68,20 @@ setup() {
|
||||
sed -i "s/POD_NAME/$pod_name/" "$pod_config"
|
||||
sed -i "s/CTR_NAME/$ctr_name/" "$pod_config"
|
||||
|
||||
# Add policy to the YAML file.
|
||||
policy_settings_dir="$(create_tmp_policy_settings_dir "${pod_config_dir}")"
|
||||
add_requests_to_policy_settings "${policy_settings_dir}" "ReadStreamRequest"
|
||||
add_copy_from_guest_to_policy_settings "${policy_settings_dir}" "/tmp/file.txt"
|
||||
|
||||
guest_command="cd /tmp && echo $content > $file_name"
|
||||
exec_command="sh -c ${guest_command}"
|
||||
add_exec_to_policy_settings "${policy_settings_dir}" "${exec_command}"
|
||||
|
||||
auto_generate_policy "${policy_settings_dir}" "${pod_config}"
|
||||
delete_tmp_policy_settings_dir "${policy_settings_dir}"
|
||||
policy_settings_dir=""
|
||||
|
||||
# Create pod
|
||||
kubectl create -f "${pod_config}"
|
||||
|
||||
# Check pod creation
|
||||
@ -59,7 +92,7 @@ setup() {
|
||||
kubectl get pods --all-namespaces
|
||||
|
||||
# Create a file in the pod
|
||||
kubectl exec "$pod_name" -- sh -c "cd /tmp && echo $content > $file_name"
|
||||
kubectl exec "$pod_name" -- sh -c "$guest_command"
|
||||
|
||||
kubectl logs "$pod_name" || true
|
||||
kubectl describe pod "$pod_name" || true
|
||||
@ -80,4 +113,6 @@ teardown() {
|
||||
kubectl delete pod "$pod_name"
|
||||
|
||||
rm -f "$pod_config"
|
||||
|
||||
delete_tmp_policy_settings_dir "${policy_settings_dir}"
|
||||
}
|
||||
|
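Review bot: `add_copy_from_guest_to_policy_settings "${policy_settings_dir}" "/tmp/file.txt"` hard-codes the path while the rest of the test, including `guest_command="cd /tmp && echo $content > $file_name"`, derives it from `$file_name` (set outside these hunks, presumably in setup); if that name ever changes, the allowed `tar cf -` command no longer matches and the test fails for a reason unrelated to what it checks, so pass `"/tmp/${file_name}"` instead. Both tests reset `policy_settings_dir=""` after `delete_tmp_policy_settings_dir`, and teardown then calls `delete_tmp_policy_settings_dir "${policy_settings_dir}"` a second time with an empty argument; that helper is not in this diff, so either confirm it tolerates `""` or guard the teardown call with `[ -n "${policy_settings_dir}" ] && delete_tmp_policy_settings_dir "${policy_settings_dir}"`. In `kubectl exec $pod_name -- sh -c "${cat_command}" | grep $content` only grep's status is checked, so a policy denial of the exec surfaces as a grep miss rather than the actual error; capturing the exec output into a variable first and grepping that keeps kubectl's failure visible.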
@ -175,12 +175,44 @@ add_exec_to_policy_settings() {
|
||||
"${settings_dir}/new-genpolicy-settings.json"
|
||||
mv "${settings_dir}/new-genpolicy-settings.json" \
|
||||
"${settings_dir}/genpolicy-settings.json"
|
||||
|
||||
# Change genpolicy settings to allow kubectl to read the output of the command being executed.
|
||||
info "${settings_dir}/genpolicy-settings.json: allowing ReadStreamRequest"
|
||||
jq '.request_defaults.ReadStreamRequest |= true' \
|
||||
"${settings_dir}"/genpolicy-settings.json > \
|
||||
"${settings_dir}"/new-genpolicy-settings.json
|
||||
mv "${settings_dir}"/new-genpolicy-settings.json \
|
||||
"${settings_dir}"/genpolicy-settings.json
|
||||
}
|
||||
|
||||
# Change genpolicy settings to allow one or more ttrpc requests from the Host to the Guest.
|
||||
add_requests_to_policy_settings() {
|
||||
declare -r settings_dir="$1"
|
||||
shift
|
||||
declare -r requests=("$@")
|
||||
|
||||
auto_generate_policy_enabled || return 0
|
||||
|
||||
for request in ${requests[@]}
|
||||
do
|
||||
info "${settings_dir}/genpolicy-settings.json: allowing ${request}"
|
||||
jq ".request_defaults.${request} |= true" \
|
||||
"${settings_dir}"/genpolicy-settings.json > \
|
||||
"${settings_dir}"/new-genpolicy-settings.json
|
||||
mv "${settings_dir}"/new-genpolicy-settings.json \
|
||||
"${settings_dir}"/genpolicy-settings.json
|
||||
done
|
||||
}
|
||||
|
||||
# Change genpolicy settings to allow executing on the Guest VM the commands
|
||||
# used by "kubectl cp" from the Host to the Guest.
|
||||
add_copy_from_host_to_policy_settings() {
|
||||
declare -r genpolicy_settings_dir="$1"
|
||||
|
||||
exec_command="test -d /tmp"
|
||||
add_exec_to_policy_settings "${policy_settings_dir}" "${exec_command}"
|
||||
exec_command="tar -xmf - -C /tmp"
|
||||
add_exec_to_policy_settings "${policy_settings_dir}" "${exec_command}"
|
||||
}
|
||||
|
||||
# Change genpolicy settings to allow executing on the Guest VM the commands
|
||||
# used by "kubectl cp" from the Guest to the Host.
|
||||
add_copy_from_guest_to_policy_settings() {
|
||||
declare -r genpolicy_settings_dir="$1"
|
||||
declare -r copied_file="$2"
|
||||
|
||||
exec_command="tar cf - ${copied_file}"
|
||||
add_exec_to_policy_settings "${policy_settings_dir}" "${exec_command}"
|
||||
}
|
||||
|
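Review bot: `add_copy_from_host_to_policy_settings` and `add_copy_from_guest_to_policy_settings` each declare `genpolicy_settings_dir="$1"` and then never use it; all three `add_exec_to_policy_settings` calls pass `"${policy_settings_dir}"`, a global the current callers happen to have set, so the helpers edit whichever settings file that global points to (or an empty path) when called from any other context. Change each call to `add_exec_to_policy_settings "${genpolicy_settings_dir}" "${exec_command}"` and add `local exec_command` at the top of both helpers so they stop clobbering the caller's variable of the same name. In `add_requests_to_policy_settings`, `for request in ${requests[@]}` should be quoted as `"${requests[@]}"`, and because the request name is spliced into the jq program, `jq ".request_defaults.${request} |= true"` silently creates a new key on a typo instead of failing; a check such as `jq -e ".request_defaults | has(\"${request}\")" "${settings_dir}"/genpolicy-settings.json > /dev/null || die "unknown request ${request}"` before the update keeps a misspelled name from producing a settings file that looks valid but allows nothing.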