From bc2292bc27bbfe55f9171bdb6019b3b07e9c0c26 Mon Sep 17 00:00:00 2001
From: Markus Rudy
Date: Mon, 18 Mar 2024 11:34:54 +0100
Subject: [PATCH] genpolicy: make pause container image configurable

CRIs don't always use a pause container, but even if they do the concrete container choice is not specified. Even if the CRI config can be tweaked, it's not guaranteed that registries in the public internet can be reached. To be portable across CRI implementations and configurations, the genpolicy user needs to be able to configure the container the tool should append to the policy.

Signed-off-by: Markus Rudy
---
 src/tools/genpolicy/genpolicy-settings.json | 3 ++-
 src/tools/genpolicy/src/pod.rs | 4 +---
 src/tools/genpolicy/src/policy.rs | 3 +++
 3 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json
index 4aef352a98..d177966013 100644
--- a/src/tools/genpolicy/genpolicy-settings.json
+++ b/src/tools/genpolicy/genpolicy-settings.json
@@ -272,7 +272,8 @@
 "confidential_guest": false
 },
 "cluster_config": {
- "default_namespace": "default"
+ "default_namespace": "default",
+ "pause_container_image": "mcr.microsoft.com/oss/kubernetes/pause:3.6"
 },
 "request_defaults": {
 "CreateContainerRequest": {
diff --git a/src/tools/genpolicy/src/pod.rs b/src/tools/genpolicy/src/pod.rs
index 43d2639753..c897729936 100644
--- a/src/tools/genpolicy/src/pod.rs
+++ b/src/tools/genpolicy/src/pod.rs
@@ -834,9 +834,7 @@ fn compress_capabilities(capabilities: &mut Vec, defaults: &policy::Comm
 pub async fn add_pause_container(containers: &mut Vec, config: &Config) {
 debug!("Adding pause container...");
 let mut pause_container = Container {
- // TODO: load this path from the settings file.
- image: "mcr.microsoft.com/oss/kubernetes/pause:3.6".to_string(),
-
+ image: config.settings.cluster_config.pause_container_image.clone(),
 name: String::new(),
 imagePullPolicy: None,
 securityContext: Some(SecurityContext {
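Review bot: The default added at `"pause_container_image"` is a mutable tag reference (`pause:3.6`), so the image genpolicy resolves for the pause container can change under an unchanged settings file without any change in this repository. If the tool derives image measurements from the pulled image — I cannot confirm that from this hunk — a digest-pinned reference such as `"pause_container_image": "mcr.microsoft.com/oss/kubernetes/pause@sha256:<DIGEST>"` (digest to be filled in from the registry) keeps the generated policy reproducible. Since JSON has no comment syntax, the accompanying documentation for this settings file should state that users are expected to pin this value by digest rather than by tag.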
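Review bot: The configured reference is passed through unvalidated at the new `image:` line, so an empty or whitespace-only `pause_container_image` in the settings file produces a `Container` with an empty image, and the failure presumably only surfaces later when the image is resolved, far from the misconfigured setting. Since the signature returns unit, a precondition check before the struct is built gives a clearer diagnostic, e.g. `assert!(!config.settings.cluster_config.pause_container_image.trim().is_empty(), "cluster_config.pause_container_image must be set in the settings file");`. A doc comment on the function would also help: `/// Appends the pause container to `containers`, using the image reference from `cluster_config.pause_container_image` in the settings file.` The body of add_pause_container continues past the end of the hunk.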
diff --git a/src/tools/genpolicy/src/policy.rs b/src/tools/genpolicy/src/policy.rs
index 1a459480b4..87b78adda6 100644
--- a/src/tools/genpolicy/src/policy.rs
+++ b/src/tools/genpolicy/src/policy.rs
@@ -362,6 +362,9 @@ pub struct CommonData {
 #[derive(Clone, Debug, Serialize, Deserialize)]
 pub struct ClusterConfig {
 default_namespace: String,
+
+ /// Pause container image reference.
+ pub pause_container_image: String,
 }
 
 impl AgentPolicy {
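Review bot: The new `pause_container_image` field carries no `#[serde(default)]`, so with `#[derive(Deserialize)]` on `ClusterConfig` any settings file written before this change and lacking the key now fails to load instead of falling back to the previously hard-coded image; if that break is intended it should be stated in the commit message, otherwise `#[serde(default = "default_pause_container_image")]` with a small helper returning the old reference keeps existing files working. The field is also the only `pub` one in the struct while `default_namespace` stays private, which reads as an accidental inconsistency — either make both public or keep the new one private behind an accessor. The doc comment could name the expected format and source, e.g. `/// Pause container image reference (repository:tag or repository@digest), read from the settings file.`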