github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-08-17 15:38:00 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #11012 from microsoft/saulparedes/validate_generated_name_upstr

Browse Source 
policy: validate pod generated name
This commit is contained in:
Dan Mihai 2025-03-13 14:09:57 -07:00 committed by GitHub
commit b910daf625
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
7 changed files with 288 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
src/tools/genpolicy/Cargo.lock generated
View File

@ -785,6 +785,7 @@ dependencies = [
"openssl", "openssl",
"protobuf 3.3.0", "protobuf 3.3.0",
"protocols", "protocols",
"regex",
"serde", "serde",
"serde-transcode", "serde-transcode",
"serde_ignored", "serde_ignored",

1
src/tools/genpolicy/Cargo.toml
View File

@ -21,6 +21,7 @@ clap = { version = "4.1.8", features = ["derive"] }
# YAML file serialization/deserialization. # YAML file serialization/deserialization.
base64 = "0.21.0" base64 = "0.21.0"
serde = { version = "1.0.159", features = ["derive"] } serde = { version = "1.0.159", features = ["derive"] }
regex = "1.10.5"
# Newer serde_yaml versions are using unsafe-libyaml instead of yaml-rust, # Newer serde_yaml versions are using unsafe-libyaml instead of yaml-rust,
# and incorrectly change on serialization: # and incorrectly change on serialization:

15
src/tools/genpolicy/rules.rego
View File

@ -275,19 +275,10 @@ allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, s_name) {
} }
allow_sandbox_name(p_s_name, i_s_name) { allow_sandbox_name(p_s_name, i_s_name) {
print("allow_sandbox_name 1: start") print("allow_sandbox_name: start")
regex.match(p_s_name, i_s_name)
p_s_name == i_s_name print("allow_sandbox_name: true")
print("allow_sandbox_name 1: true")
}
allow_sandbox_name(p_s_name, i_s_name) {
print("allow_sandbox_name 2: start")
# TODO: should generated names be handled differently?
contains(p_s_name, "$(generated-name)")
print("allow_sandbox_name 2: true")
} }
# Check that the "io.kubernetes.cri.container-type" and # Check that the "io.kubernetes.cri.container-type" and

7
src/tools/genpolicy/src/obj_meta.rs
View File

@ -34,9 +34,10 @@ pub struct ObjectMeta {
impl ObjectMeta { impl ObjectMeta {
pub fn get_name(&self) -> String { pub fn get_name(&self) -> String {
if let Some(name) = &self.name { if let Some(name) = &self.name {
name.clone() format!("^{}$", regex::escape(name))
} else if self.generateName.is_some() { } else if let Some(generateName) = &self.generateName {
"$(generated-name)".to_string() // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#dns-subdomain-names
format!("^{}[a-z0-9.-]*[a-z0-9]$", regex::escape(generateName))
} else { } else {
String::new() String::new()
} }

5
src/tools/genpolicy/tests/main.rs
View File

@ -151,4 +151,9 @@ mod tests {
async fn test_create_container_sysctls() { async fn test_create_container_sysctls() {
runtests::<CreateContainerRequest>("createcontainer/sysctls").await; runtests::<CreateContainerRequest>("createcontainer/sysctls").await;
} }
#[tokio::test]
async fn test_create_container_generate_name() {
runtests::<CreateContainerRequest>("createcontainer/generate_name").await;
}
} }

10
src/tools/genpolicy/tests/testdata/createcontainer/generate_name/pod.yaml vendored Normal file
View File

@ -0,0 +1,10 @@
---
apiVersion: v1
kind: Pod
metadata:
generateName: dummy
spec:
runtimeClassName: kata-cc-isolation
containers:
- name: dummy
image: "registry.k8s.io/pause:3.6@sha256:3d380ca8864549e74af4b29c10f9cb0956236dfb01c40ca076fb6c37253234db"

264
src/tools/genpolicy/tests/testdata/createcontainer/generate_name/testcases.json vendored Normal file
View File

@ -0,0 +1,264 @@
[
{
"description": "generated name with valid prefix (dummyxyz)",
"allowed": true,
"request": {
"OCI": {
"Version": "1.1.0",
"Annotations": {
"io.kubernetes.cri.sandbox-name": "dummyxyz",
"io.kubernetes.cri.sandbox-namespace": "default",
"io.kubernetes.cri.container-type": "sandbox",
"io.katacontainers.pkg.oci.container_type": "pod_sandbox",
"nerdctl/network-namespace": "/var/run/netns/cni-00000000-0000-0000-0000-000000000000",
"io.kubernetes.cri.sandbox-log-directory": "/var/log/pods/default_dummyxyz_00000000-0000-0000-0000-000000000000",
"io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/bundle-id",
"io.kubernetes.cri.sandbox-id": "0000000000000000000000000000000000000000000000000000000000000000"
},
"Linux": {
"GIDMappings": [],
"MountLabel": "",
"Resources": {
"Devices": []
},
"RootfsPropagation": "",
"Namespaces": [
{
"Path": "",
"Type": "ipc"
},
{
"Path": "",
"Type": "uts"
},
{
"Path": "",
"Type": "mount"
},
{
"Path": "/run/netns/podns",
"Type": "network"
}
],
"MaskedPaths": [
"/proc/acpi",
"/proc/asound",
"/proc/kcore",
"/proc/keys",
"/proc/latency_stats",
"/proc/timer_list",
"/proc/timer_stats",
"/proc/sched_debug",
"/sys/firmware",
"/proc/scsi"
],
"ReadonlyPaths": [
"/proc/bus",
"/proc/fs",
"/proc/irq",
"/proc/sys",
"/proc/sysrq-trigger"
]
},
"Process": {
"SelinuxLabel": "",
"User": {
"Username": "",
"UID": 65535
},
"Args": [
"/pause"
],
"Cwd": "/",
"NoNewPrivileges": true,
"Capabilities": {
"Ambient": [],
"Bounding": [
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE"
],
"Effective": [
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE"
],
"Permitted": [
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE"
]
}
},
"Root": {
"Readonly": true,
"Path": "/run/kata-containers/shared/containers/bundle-id/rootfs"
}
}
}
},
{
"description": "generated name with invalid prefix (xyzdummy)",
"allowed": false,
"request": {
"OCI": {
"Version": "1.1.0",
"Annotations": {
"io.kubernetes.cri.sandbox-name": "xyzdummy",
"io.kubernetes.cri.sandbox-namespace": "default",
"io.kubernetes.cri.container-type": "sandbox",
"io.katacontainers.pkg.oci.container_type": "pod_sandbox",
"nerdctl/network-namespace": "/var/run/netns/cni-00000000-0000-0000-0000-000000000000",
"io.kubernetes.cri.sandbox-log-directory": "/var/log/pods/default_xyzdummy_00000000-0000-0000-0000-000000000000",
"io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/bundle-id",
"io.kubernetes.cri.sandbox-id": "0000000000000000000000000000000000000000000000000000000000000000"
},
"Linux": {
"GIDMappings": [],
"MountLabel": "",
"Resources": {
"Devices": []
},
"RootfsPropagation": "",
"Namespaces": [
{
"Path": "",
"Type": "ipc"
},
{
"Path": "",
"Type": "uts"
},
{
"Path": "",
"Type": "mount"
},
{
"Path": "/run/netns/podns",
"Type": "network"
}
],
"MaskedPaths": [
"/proc/acpi",
"/proc/asound",
"/proc/kcore",
"/proc/keys",
"/proc/latency_stats",
"/proc/timer_list",
"/proc/timer_stats",
"/proc/sched_debug",
"/sys/firmware",
"/proc/scsi"
],
"ReadonlyPaths": [
"/proc/bus",
"/proc/fs",
"/proc/irq",
"/proc/sys",
"/proc/sysrq-trigger"
]
},
"Process": {
"SelinuxLabel": "",
"User": {
"Username": "",
"UID": 65535
},
"Args": [
"/pause"
],
"Cwd": "/",
"NoNewPrivileges": true,
"Capabilities": {
"Ambient": [],
"Bounding": [
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE"
],
"Effective": [
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE"
],
"Permitted": [
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE"
]
}
},
"Root": {
"Readonly": true,
"Path": "/run/kata-containers/shared/containers/bundle-id/rootfs"
}
}
}
}
]