Merge pull request #9051 from microsoft/danmihai1/k8s-copy-file

tests: k8s: k8s-copy-file auto-generated policy

src/tools/genpolicy/genpolicy-settings.json

@@ -299,6 +299,7 @@
             "commands": [],
             "regex": []
         },
+        "CloseStdinRequest": false,
         "ReadStreamRequest": false,
         "WriteStreamRequest": false
     }

src/tools/genpolicy/rules.rego

@@ -10,6 +10,9 @@ import future.keywords.every
 import input
 
 # Default values, returned by OPA when rules cannot be evaluated to true.
+default AddARPNeighborsRequest := false
+default AddSwapRequest := false
+default CloseStdinRequest := false
 default CopyFileRequest := false
 default CreateContainerRequest := false
 default CreateSandboxRequest := true
@@ -17,15 +20,25 @@ default DestroySandboxRequest := true
 default ExecProcessRequest := false
 default GetOOMEventRequest := true
 default GuestDetailsRequest := true
+default ListInterfacesRequest := false
+default ListRoutesRequest := false
+default MemHotplugByProbeRequest := false
 default OnlineCPUMemRequest := true
-default PullImageRequest := true
+default PauseContainerRequest := false
 default ReadStreamRequest := false
 default RemoveContainerRequest := true
 default RemoveStaleVirtiofsShareMountsRequest := true
+default ReseedRandomDevRequest := false
+default ResumeContainerRequest := false
+default SetGuestDateTimeRequest := false
+default SetPolicyRequest := false
 default SignalProcessRequest := true
 default StartContainerRequest := true
+default StartTracingRequest := false
 default StatsContainerRequest := true
+default StopTracingRequest := false
 default TtyWinResizeRequest := true
+default UpdateContainerRequest := false
 default UpdateEphemeralMountsRequest := true
 default UpdateInterfaceRequest := true
 default UpdateRoutesRequest := true
@@ -1096,6 +1109,7 @@ ExecProcessRequest {
     print("ExecProcessRequest 3: i_command =", i_command)
 
     some p_command in policy_data.request_defaults.ExecProcessRequest.commands
+    print("ExecProcessRequest 1: p_command =", p_command)
     p_command == i_command
 
     print("ExecProcessRequest 1: true")
@@ -1130,6 +1144,10 @@ ExecProcessRequest {
     print("ExecProcessRequest 3: true")
 }
 
+CloseStdinRequest {
+    policy_data.request_defaults.CloseStdinRequest == true
+}
+
 ReadStreamRequest {
     policy_data.request_defaults.ReadStreamRequest == true
 }

src/tools/genpolicy/src/policy.rs

@@ -324,6 +324,9 @@ pub struct RequestDefaults {
     /// Commands allowed to be executed by the Host in all Guest containers.
     pub ExecProcessRequest: ExecProcessRequestDefaults,
 
+    /// Allow the Host to close stdin for a container. Typically used with WriteStreamRequest.
+    pub CloseStdinRequest: bool,
+
     /// Allow Host reading from Guest containers stdout and stderr.
     pub ReadStreamRequest: bool,
 

tests/integration/kubernetes/k8s-attach-handlers.bats

@@ -23,9 +23,12 @@ setup() {
 
 	# Add policy to yaml
 	policy_settings_dir="$(create_tmp_policy_settings_dir "${pod_config_dir}")"
+	
 	display_message="cat /usr/share/message"
 	exec_command="sh -c ${display_message}"
 	add_exec_to_policy_settings "${policy_settings_dir}" "${exec_command}"
+	
+	add_requests_to_policy_settings "${policy_settings_dir}" "ReadStreamRequest"
 	auto_generate_policy "${policy_settings_dir}" "${yaml_file}"
 }
 

tests/integration/kubernetes/k8s-copy-file.bats

@@ -15,7 +15,7 @@ setup() {
 }
 
 @test "Copy file in a pod" {
-	# Create pod
+	# Create pod config YAML file.
 	pod_name="pod-copy-file-from-host"
 	ctr_name="ctr-copy-file-from-host"
 
@@ -24,6 +24,25 @@ setup() {
 	sed -i "s/POD_NAME/$pod_name/" "$pod_config"
 	sed -i "s/CTR_NAME/$ctr_name/" "$pod_config"
 
+	# Add policy to the YAML file.
+	policy_settings_dir="$(create_tmp_policy_settings_dir "${pod_config_dir}")"
+	allowed_requests=(
+		"CloseStdinRequest"
+		"ReadStreamRequest"
+		"WriteStreamRequest"
+	)
+	add_requests_to_policy_settings "${policy_settings_dir}" "${allowed_requests[@]}"
+	add_copy_from_host_to_policy_settings "${policy_settings_dir}"
+
+	cat_command="cat /tmp/$file_name"
+	exec_command="sh -c ${cat_command}"
+	add_exec_to_policy_settings "${policy_settings_dir}" "${exec_command}"
+
+	auto_generate_policy "${policy_settings_dir}" "${pod_config}"
+	delete_tmp_policy_settings_dir "${policy_settings_dir}"
+	policy_settings_dir=""
+
+	# Create pod
 	kubectl create -f "${pod_config}"
 
 	# Check pod creation
@@ -36,11 +55,11 @@ setup() {
 	kubectl cp "$file_name" $pod_name:/tmp
 
 	# Print environment variables
-	kubectl exec $pod_name -- sh -c "cat /tmp/$file_name | grep $content"
+	kubectl exec $pod_name -- sh -c "${cat_command}" | grep $content
 }
 
 @test "Copy from pod to host" {
-	# Create pod
+	# Create pod config YAML file.
 	pod_name="pod-copy-file-to-host"
 	ctr_name="ctr-copy-file-to-host"
 
@@ -49,6 +68,20 @@ setup() {
 	sed -i "s/POD_NAME/$pod_name/" "$pod_config"
 	sed -i "s/CTR_NAME/$ctr_name/" "$pod_config"
 
+	# Add policy to the YAML file.
+	policy_settings_dir="$(create_tmp_policy_settings_dir "${pod_config_dir}")"
+	add_requests_to_policy_settings "${policy_settings_dir}" "ReadStreamRequest"
+	add_copy_from_guest_to_policy_settings "${policy_settings_dir}" "/tmp/file.txt"
+
+	guest_command="cd /tmp && echo $content > $file_name"
+	exec_command="sh -c ${guest_command}"
+	add_exec_to_policy_settings "${policy_settings_dir}" "${exec_command}"
+
+	auto_generate_policy "${policy_settings_dir}" "${pod_config}"
+	delete_tmp_policy_settings_dir "${policy_settings_dir}"
+	policy_settings_dir=""
+
+	# Create pod
 	kubectl create -f "${pod_config}"
 
 	# Check pod creation
@@ -59,7 +92,7 @@ setup() {
 	kubectl get pods --all-namespaces
 
 	# Create a file in the pod
-	kubectl exec "$pod_name" -- sh -c "cd /tmp && echo $content > $file_name"
+	kubectl exec "$pod_name" -- sh -c "$guest_command"
 
 	kubectl logs "$pod_name" || true
 	kubectl describe pod "$pod_name" || true
@@ -80,4 +113,6 @@ teardown() {
 	kubectl delete pod "$pod_name"
 
 	rm -f "$pod_config"
+
+	delete_tmp_policy_settings_dir "${policy_settings_dir}"
 }

tests/integration/kubernetes/tests_common.sh

@@ -175,12 +175,44 @@ add_exec_to_policy_settings() {
 		"${settings_dir}/new-genpolicy-settings.json"
 	mv "${settings_dir}/new-genpolicy-settings.json" \
 		"${settings_dir}/genpolicy-settings.json"
+}
 
-	# Change genpolicy settings to allow kubectl to read the output of the command being executed.
+# Change genpolicy settings to allow one or more ttrpc requests from the Host to the Guest.
-	info "${settings_dir}/genpolicy-settings.json: allowing ReadStreamRequest"
+add_requests_to_policy_settings() {
-	jq '.request_defaults.ReadStreamRequest |= true' \
+	declare -r settings_dir="$1"
+	shift
+	declare -r requests=("$@")
+
+	auto_generate_policy_enabled || return 0
+
+	for request in ${requests[@]}
+	do
+		info "${settings_dir}/genpolicy-settings.json: allowing ${request}"
+		jq ".request_defaults.${request} |= true" \
 			"${settings_dir}"/genpolicy-settings.json > \
 			"${settings_dir}"/new-genpolicy-settings.json
 		mv "${settings_dir}"/new-genpolicy-settings.json \
 			"${settings_dir}"/genpolicy-settings.json
+	done
+}
+
+# Change genpolicy settings to allow executing on the Guest VM the commands
+# used by "kubectl cp" from the Host to the Guest.
+add_copy_from_host_to_policy_settings() {
+	declare -r genpolicy_settings_dir="$1"
+
+	exec_command="test -d /tmp"
+	add_exec_to_policy_settings "${policy_settings_dir}" "${exec_command}"
+	exec_command="tar -xmf - -C /tmp"
+	add_exec_to_policy_settings "${policy_settings_dir}" "${exec_command}"
+}
+
+# Change genpolicy settings to allow executing on the Guest VM the commands
+# used by "kubectl cp" from the Guest to the Host.
+add_copy_from_guest_to_policy_settings() {
+	declare -r genpolicy_settings_dir="$1"
+	declare -r copied_file="$2"
+
+	exec_command="tar cf - ${copied_file}"
+	add_exec_to_policy_settings "${policy_settings_dir}" "${exec_command}"
 }