From 8401adb113848b47625e6962d171618588411c5f Mon Sep 17 00:00:00 2001
From: Dan Mihai
Date: Wed, 7 Feb 2024 21:50:17 +0000
Subject: [PATCH 1/5] genpolicy: update default values
1. Remove PullImageRequest because that is not used in the main branch. It was used in the CCv0 branch.
2. Add default false values for the remaining Kata Agent ttrpc requests.
These changes don't change the functionality of the auto generated Policy, but they help with easier understanding the Policy text and the logging from the Rego rules.
Fixes: #9049
Signed-off-by: Dan Mihai
---
 src/tools/genpolicy/rules.rego | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
index 75be33f594..f5f616ced6 100644
--- a/src/tools/genpolicy/rules.rego
+++ b/src/tools/genpolicy/rules.rego
@@ -10,6 +10,9 @@ import future.keywords.every
 import input
 # Default values, returned by OPA when rules cannot be evaluated to true.
+default AddARPNeighborsRequest := false
+default AddSwapRequest := false
+default CloseStdinRequest := false
 default CopyFileRequest := false
 default CreateContainerRequest := false
 default CreateSandboxRequest := true
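Review bot: The comment above the defaults still only says what OPA returns, so nothing tells a maintainer that the entries added here are deliberately deny-by-default while older ones such as `CreateSandboxRequest := true` are allow-by-default. The next hunk adds `SetPolicyRequest`, `UpdateContainerRequest` and the tracing requests in the same way, and a later addition could easily copy a `true` line by accident. A one-line comment would pin the convention, for example `# New ttrpc requests default to false; allow them only through a rule or request_defaults.` Whether the agent already denied requests that had no default is not visible in this patch, so the "no functional change" statement rests on the description alone.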
@@ -17,15 +20,25 @@ default DestroySandboxRequest := true
 default ExecProcessRequest := false
 default GetOOMEventRequest := true
 default GuestDetailsRequest := true
+default ListInterfacesRequest := false
+default ListRoutesRequest := false
+default MemHotplugByProbeRequest := false
 default OnlineCPUMemRequest := true
-default PullImageRequest := true
+default PauseContainerRequest := false
 default ReadStreamRequest := false
 default RemoveContainerRequest := true
 default RemoveStaleVirtiofsShareMountsRequest := true
+default ReseedRandomDevRequest := false
+default ResumeContainerRequest := false
+default SetGuestDateTimeRequest := false
+default SetPolicyRequest := false
 default SignalProcessRequest := true
 default StartContainerRequest := true
+default StartTracingRequest := false
 default StatsContainerRequest := true
+default StopTracingRequest := false
 default TtyWinResizeRequest := true
+default UpdateContainerRequest := false
 default UpdateEphemeralMountsRequest := true
 default UpdateInterfaceRequest := true
 default UpdateRoutesRequest := true
From dab567bdfa377fffea41f7fa82ea7b199add9652 Mon Sep 17 00:00:00 2001
From: Dan Mihai
Date: Wed, 7 Feb 2024 21:58:13 +0000
Subject: [PATCH 2/5] genpolicy: add easy way to allow CloseStdinRequest
For example, Kata CI's k8s-copy-file.bats transfers files between the Host and the Guest using "kubectl exec", and that results in CloseStdinRequest being called from the Host.
Signed-off-by: Dan Mihai
---
 src/tools/genpolicy/genpolicy-settings.json | 1 +
 src/tools/genpolicy/rules.rego | 4 ++++
 src/tools/genpolicy/src/policy.rs | 3 +++
 3 files changed, 8 insertions(+)
diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json
index bc355fa5fa..4aef352a98 100644
--- a/src/tools/genpolicy/genpolicy-settings.json
+++ b/src/tools/genpolicy/genpolicy-settings.json
@@ -299,6 +299,7 @@
 "commands": [],
 "regex": []
 },
+ "CloseStdinRequest": false,
 "ReadStreamRequest": false,
 "WriteStreamRequest": false
 }
diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
index f5f616ced6..04ac97d45c 100644
--- a/src/tools/genpolicy/rules.rego
+++ b/src/tools/genpolicy/rules.rego
@@ -1143,6 +1143,10 @@ ExecProcessRequest {
 print("ExecProcessRequest 3: true")
 }
+CloseStdinRequest {
+ policy_data.request_defaults.CloseStdinRequest == true
+}
+
 ReadStreamRequest {
 policy_data.request_defaults.ReadStreamRequest == true
 }
diff --git a/src/tools/genpolicy/src/policy.rs b/src/tools/genpolicy/src/policy.rs
index 794c583d2e..56c79412fe 100644
--- a/src/tools/genpolicy/src/policy.rs
+++ b/src/tools/genpolicy/src/policy.rs
@@ -324,6 +324,9 @@ pub struct RequestDefaults {
 /// Commands allowed to be executed by the Host in all Guest containers.
 pub ExecProcessRequest: ExecProcessRequestDefaults,
+ /// Allow the Host to close stdin for a container. Typically used with WriteStreamRequest.
+ pub CloseStdinRequest: bool,
+
 /// Allow Host reading from Guest containers stdout and stderr.
 pub ReadStreamRequest: bool,
From 9a780aa98f4ae73d50bf96bcf672825f909fd678 Mon Sep 17 00:00:00 2001
From: Dan Mihai
Date: Wed, 7 Feb 2024 22:03:06 +0000
Subject: [PATCH 3/5] genpolicy: improve logging from ExecProcessRequest
Additional logging from the ExecProcessRequest rules, for easier debugging.
Signed-off-by: Dan Mihai
---
 src/tools/genpolicy/rules.rego | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
index 04ac97d45c..f04eaca20c 100644
--- a/src/tools/genpolicy/rules.rego
+++ b/src/tools/genpolicy/rules.rego
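Review bot: The new `CloseStdinRequest` rule never looks at `input`, so once the setting is true the Host may close stdin of any process in any container of the pod, not only the exec sessions that a file copy creates. That matches the neighbouring `ReadStreamRequest` rule, but it deserves a comment above the rule, for example `# Pod-wide switch: the request's container and exec identifiers are not checked.` A `print("CloseStdinRequest: true")` line would also keep its logging in step with the ExecProcessRequest rules.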
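Review bot: `CloseStdinRequest` is added as a required `bool`, so a custom settings file written before this patch, without the new key, may fail to load if `RequestDefaults` is deserialized strictly from genpolicy-settings.json. The derive attributes and the rest of the struct are outside the hunk, so this needs confirming. If serde is in use, `#[serde(default)]` on the field would keep older settings files working and leave the request denied, which is the safe direction for a missing key.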
@@ -1109,6 +1109,7 @@ ExecProcessRequest {
 print("ExecProcessRequest 3: i_command =", i_command)
 some p_command in policy_data.request_defaults.ExecProcessRequest.commands
+ print("ExecProcessRequest 1: p_command =", p_command)
 p_command == i_command
 print("ExecProcessRequest 1: true")
From 1179306afa86101d5beaddec2dce39f821c3501e Mon Sep 17 00:00:00 2001
From: Dan Mihai
Date: Wed, 7 Feb 2024 22:38:26 +0000
Subject: [PATCH 4/5] tests: k8s: additional policy testing utilities
1. add_requests_to_policy_settings allows one or more ttrpc requests from the Host to the Guest. Example: add_requests_to_policy_settings "${policy_settings_dir}" \ "ReadStreamRequest" "WriteStreamRequest"
2. add_copy_from_host_to_policy_settings allows executing on the Guest the commands initiated behind the scenes by "kubectl cp" from the Host to the Guest. Example: add_copy_from_host_to_policy_settings "${policy_settings_dir}"
3. add_copy_from_guest_to_policy_settings allows executing on the Guest the commands initiated behind the scenes by "kubectl cp" from the Guest to the Host. Example: add_copy_from_guest_to_policy_settings "${policy_settings_dir}" \ "/tmp/file.txt"
Signed-off-by: Dan Mihai
---
 .../kubernetes/k8s-attach-handlers.bats | 3 ++
 tests/integration/kubernetes/tests_common.sh | 48 +++++++++++++++----
 2 files changed, 43 insertions(+), 8 deletions(-)
diff --git a/tests/integration/kubernetes/k8s-attach-handlers.bats b/tests/integration/kubernetes/k8s-attach-handlers.bats
index fa38534ed2..7fb96908b6 100644
--- a/tests/integration/kubernetes/k8s-attach-handlers.bats
+++ b/tests/integration/kubernetes/k8s-attach-handlers.bats
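Review bot: The added line labels its output `ExecProcessRequest 1:` while the context line directly above prints `ExecProcessRequest 3: i_command`, so the log for this rule mixes two rule numbers and is hard to attribute when debugging a denied exec. Assuming both lines sit in the same rule body, which starts outside the hunk, the context line should read `print("ExecProcessRequest 1: i_command =", i_command)`. The new print sits inside the `some p_command in …` iteration, so it runs once per allowed command on every exec request; that is worth keeping in mind for log volume.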
@@ -23,9 +23,12 @@ setup() {
 # Add policy to yaml
 policy_settings_dir="$(create_tmp_policy_settings_dir "${pod_config_dir}")"
+
 display_message="cat /usr/share/message"
 exec_command="sh -c ${display_message}"
 add_exec_to_policy_settings "${policy_settings_dir}" "${exec_command}"
+
+ add_requests_to_policy_settings "${policy_settings_dir}" "ReadStreamRequest"
 auto_generate_policy "${policy_settings_dir}" "${yaml_file}"
 }
diff --git a/tests/integration/kubernetes/tests_common.sh b/tests/integration/kubernetes/tests_common.sh
index a7e3397cc1..200ee87443 100644
--- a/tests/integration/kubernetes/tests_common.sh
+++ b/tests/integration/kubernetes/tests_common.sh
@@ -175,12 +175,44 @@ add_exec_to_policy_settings() {
 "${settings_dir}/new-genpolicy-settings.json"
 mv "${settings_dir}/new-genpolicy-settings.json" \
 "${settings_dir}/genpolicy-settings.json"
-
- # Change genpolicy settings to allow kubectl to read the output of the command being executed.
- info "${settings_dir}/genpolicy-settings.json: allowing ReadStreamRequest"
- jq '.request_defaults.ReadStreamRequest |= true' \
- "${settings_dir}"/genpolicy-settings.json > \
- "${settings_dir}"/new-genpolicy-settings.json
- mv "${settings_dir}"/new-genpolicy-settings.json \
- "${settings_dir}"/genpolicy-settings.json
+}
+
+# Change genpolicy settings to allow one or more ttrpc requests from the Host to the Guest.
+add_requests_to_policy_settings() {
+ declare -r settings_dir="$1"
+ shift
+ declare -r requests=("$@")
+
+ auto_generate_policy_enabled || return 0
+
+ for request in ${requests[@]}
+ do
+ info "${settings_dir}/genpolicy-settings.json: allowing ${request}"
+ jq ".request_defaults.${request} |= true" \
+ "${settings_dir}"/genpolicy-settings.json > \
+ "${settings_dir}"/new-genpolicy-settings.json
+ mv "${settings_dir}"/new-genpolicy-settings.json \
+ "${settings_dir}"/genpolicy-settings.json
+ done
+}
+
+# Change genpolicy settings to allow executing on the Guest VM the commands
+# used by "kubectl cp" from the Host to the Guest.
+add_copy_from_host_to_policy_settings() {
+ declare -r genpolicy_settings_dir="$1"
+
+ exec_command="test -d /tmp"
+ add_exec_to_policy_settings "${policy_settings_dir}" "${exec_command}"
+ exec_command="tar -xmf - -C /tmp"
+ add_exec_to_policy_settings "${policy_settings_dir}" "${exec_command}"
+}
+
+# Change genpolicy settings to allow executing on the Guest VM the commands
+# used by "kubectl cp" from the Guest to the Host.
+add_copy_from_guest_to_policy_settings() {
+ declare -r genpolicy_settings_dir="$1"
+ declare -r copied_file="$2"
+
+ exec_command="tar cf - ${copied_file}"
+ add_exec_to_policy_settings "${policy_settings_dir}" "${exec_command}"
 }
From f139c7dc60d8560c73acd0b1d41ac2ae791912fa Mon Sep 17 00:00:00 2001
From: Dan Mihai
Date: Sat, 3 Feb 2024 15:08:00 +0000
Subject: [PATCH 5/5] tests: k8s: k8s-copy-file auto-generated policy
Auto-generate policy for k8s-copy-file.bats.
Fixes: #9050
Signed-off-by: Dan Mihai
---
 .../integration/kubernetes/k8s-copy-file.bats | 43 +++++++++++++++++--
 1 file changed, 39 insertions(+), 4 deletions(-)
diff --git a/tests/integration/kubernetes/k8s-copy-file.bats b/tests/integration/kubernetes/k8s-copy-file.bats
index 0106e12c3f..4b1cf44879 100644
--- a/tests/integration/kubernetes/k8s-copy-file.bats
+++ b/tests/integration/kubernetes/k8s-copy-file.bats
@@ -15,7 +15,7 @@ setup() {
 }
 @test "Copy file in a pod" {
- # Create pod
+ # Create pod config YAML file.
 pod_name="pod-copy-file-from-host"
 ctr_name="ctr-copy-file-from-host"
@@ -24,6 +24,25 @@ setup() {
 sed -i "s/POD_NAME/$pod_name/" "$pod_config"
 sed -i "s/CTR_NAME/$ctr_name/" "$pod_config"
+ # Add policy to the YAML file.
+ policy_settings_dir="$(create_tmp_policy_settings_dir "${pod_config_dir}")"
+ allowed_requests=(
+ "CloseStdinRequest"
+ "ReadStreamRequest"
+ "WriteStreamRequest"
+ )
+ add_requests_to_policy_settings "${policy_settings_dir}" "${allowed_requests[@]}"
+ add_copy_from_host_to_policy_settings "${policy_settings_dir}"
+
+ cat_command="cat /tmp/$file_name"
+ exec_command="sh -c ${cat_command}"
+ add_exec_to_policy_settings "${policy_settings_dir}" "${exec_command}"
+
+ auto_generate_policy "${policy_settings_dir}" "${pod_config}"
+ delete_tmp_policy_settings_dir "${policy_settings_dir}"
+ policy_settings_dir=""
+
+ # Create pod
 kubectl create -f "${pod_config}"
 # Check pod creation
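Review bot: Both copy helpers take the settings directory as `genpolicy_settings_dir="$1"` but then call `add_exec_to_policy_settings "${policy_settings_dir}" …`, a variable they never set; they work only because the calling bats tests happen to use a global of that name. The three calls should pass the parameter instead: `add_exec_to_policy_settings "${genpolicy_settings_dir}" "${exec_command}"`. In `add_requests_to_policy_settings` the loop should be `for request in "${requests[@]}"`, and `jq --arg r "${request}" '.request_defaults[$r] |= true'` would keep a malformed request name from being interpreted as part of the jq filter that rewrites the policy settings. Removing the ReadStreamRequest block from `add_exec_to_policy_settings` also changes every existing caller, and only k8s-attach-handlers.bats is updated in this patch.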
@@ -36,11 +55,11 @@ setup() {
 kubectl cp "$file_name" $pod_name:/tmp
 # Print environment variables
- kubectl exec $pod_name -- sh -c "cat /tmp/$file_name | grep $content"
+ kubectl exec $pod_name -- sh -c "${cat_command}" | grep $content
 }
 @test "Copy from pod to host" {
- # Create pod
+ # Create pod config YAML file.
 pod_name="pod-copy-file-to-host"
 ctr_name="ctr-copy-file-to-host"
@@ -49,6 +68,20 @@ setup() {
 sed -i "s/POD_NAME/$pod_name/" "$pod_config"
 sed -i "s/CTR_NAME/$ctr_name/" "$pod_config"
+ # Add policy to the YAML file.
+ policy_settings_dir="$(create_tmp_policy_settings_dir "${pod_config_dir}")"
+ add_requests_to_policy_settings "${policy_settings_dir}" "ReadStreamRequest"
+ add_copy_from_guest_to_policy_settings "${policy_settings_dir}" "/tmp/file.txt"
+
+ guest_command="cd /tmp && echo $content > $file_name"
+ exec_command="sh -c ${guest_command}"
+ add_exec_to_policy_settings "${policy_settings_dir}" "${exec_command}"
+
+ auto_generate_policy "${policy_settings_dir}" "${pod_config}"
+ delete_tmp_policy_settings_dir "${policy_settings_dir}"
+ policy_settings_dir=""
+
+ # Create pod
 kubectl create -f "${pod_config}"
 # Check pod creation
@@ -59,7 +92,7 @@ setup() {
 kubectl get pods --all-namespaces
 # Create a file in the pod
- kubectl exec "$pod_name" -- sh -c "cd /tmp && echo $content > $file_name"
+ kubectl exec "$pod_name" -- sh -c "$guest_command"
 kubectl logs "$pod_name" || true
 kubectl describe pod "$pod_name" || true
@@ -80,4 +113,6 @@ teardown() {
 kubectl delete pod "$pod_name"
 rm -f "$pod_config"
+
+ delete_tmp_policy_settings_dir "${policy_settings_dir}"
 }
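Review bot: The allow-listed tar path in the "Copy from pod to host" hunk is the literal `"/tmp/file.txt"`, while the file itself is created from `$file_name`. The policy and the test therefore agree only as long as setup, which is outside the hunk, keeps `file_name` equal to `file.txt`; if it changes, the exec behind the copy would be denied. Deriving the path from the same variable keeps them in step: `add_copy_from_guest_to_policy_settings "${policy_settings_dir}" "/tmp/${file_name}"`.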
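Review bot: teardown now always calls `delete_tmp_policy_settings_dir "${policy_settings_dir}"`, and after a successful run both tests have already reset that variable to an empty string, so the helper receives `""`. The helper is not part of this patch; if it removes its argument without checking that it is a non-empty directory, the call should be guarded, for example `[ -z "${policy_settings_dir}" ] || delete_tmp_policy_settings_dir "${policy_settings_dir}"`.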