Merge pull request #9294 from burgerdev/burgerdev/genpolicy-configurable-pause

genpolicy: support insecure registries and custom pause containers

src/tools/genpolicy/genpolicy-settings.json

@@ -272,7 +272,8 @@
         "confidential_guest": false
     },
     "cluster_config": {
-        "default_namespace": "default"
+        "default_namespace": "default",
+        "pause_container_image": "mcr.microsoft.com/oss/kubernetes/pause:3.6"
     },
     "request_defaults": {
         "CreateContainerRequest": {

src/tools/genpolicy/src/pod.rs

@@ -834,9 +834,7 @@ fn compress_capabilities(capabilities: &mut Vec<String>, defaults: &policy::Comm
 pub async fn add_pause_container(containers: &mut Vec<Container>, config: &Config) {
     debug!("Adding pause container...");
     let mut pause_container = Container {
-        // TODO: load this path from the settings file.
+        image: config.settings.cluster_config.pause_container_image.clone(),
-        image: "mcr.microsoft.com/oss/kubernetes/pause:3.6".to_string(),
-
         name: String::new(),
         imagePullPolicy: None,
         securityContext: Some(SecurityContext {

src/tools/genpolicy/src/policy.rs

@@ -13,7 +13,6 @@ use crate::pod;
 use crate::policy;
 use crate::registry;
 use crate::secret;
-use crate::settings;
 use crate::utils;
 use crate::yaml;
 
@@ -47,10 +46,7 @@ pub struct AgentPolicy {
     /// Rego rules read from a file (rules.rego).
     pub rules: String,
 
-    /// Settings loaded from genpolicy-settings.json.
+    /// Policy settings.
-    pub settings: settings::Settings,
-
-    /// Additional Policy settings.
     pub config: utils::Config,
 }
 
@@ -73,7 +69,7 @@ pub struct PolicyData {
 /// is ordered, thus resulting in the same output policy contents every time
 /// when this apps runs with the same inputs. Also, it preserves the upper
 /// case field names, for consistency with the structs used by agent's rpc.rs.
-#[derive(Debug, Deserialize, Serialize)]
+#[derive(Clone, Debug, Deserialize, Serialize)]
 pub struct KataSpec {
     /// Version of the Open Container Initiative Runtime Specification with which the bundle complies.
     #[serde(default = "version_default")]
@@ -366,6 +362,9 @@ pub struct CommonData {
 #[derive(Clone, Debug, Serialize, Deserialize)]
 pub struct ClusterConfig {
     default_namespace: String,
+
+    /// Pause container image reference.
+    pub pause_container_image: String,
 }
 
 impl AgentPolicy {
@@ -402,8 +401,6 @@ impl AgentPolicy {
             }
         }
 
-        let settings = settings::Settings::new(&config.json_settings_path);
-
         if let Some(config_map_files) = &config.config_map_files {
             for file in config_map_files {
                 config_maps.push(config_map::ConfigMap::new(file)?);
@@ -414,7 +411,6 @@ impl AgentPolicy {
             Ok(AgentPolicy {
                 resources,
                 rules,
-                settings,
                 config_maps,
                 secrets,
                 config: config.clone(),
@@ -460,8 +456,8 @@ impl AgentPolicy {
 
         let policy_data = policy::PolicyData {
             containers: policy_containers,
-            request_defaults: self.settings.request_defaults.clone(),
+            request_defaults: self.config.settings.request_defaults.clone(),
-            common: self.settings.common.clone(),
+            common: self.config.settings.common.clone(),
         };
 
         let json_data = serde_json::to_string_pretty(&policy_data).unwrap();
@@ -478,14 +474,21 @@ impl AgentPolicy {
         yaml_container: &pod::Container,
         is_pause_container: bool,
     ) -> ContainerPolicy {
-        let c_settings = self.settings.get_container_settings(is_pause_container);
+        let c_settings = self
+            .config
+            .settings
+            .get_container_settings(is_pause_container);
         let mut root = c_settings.Root.clone();
         root.Readonly = yaml_container.read_only_root_filesystem();
 
         let namespace = if let Some(ns) = resource.get_namespace() {
             ns
         } else {
-            self.settings.cluster_config.default_namespace.clone()
+            self.config
+                .settings
+                .cluster_config
+                .default_namespace
+                .clone()
         };
 
         let use_host_network = resource.use_host_network();
@@ -510,7 +513,7 @@ impl AgentPolicy {
 
         let mut mounts = containerd::get_mounts(is_pause_container, is_privileged);
         mount_and_storage::get_policy_mounts(
-            &self.settings,
+            &self.config.settings,
             &mut mounts,
             yaml_container,
             is_pause_container,
@@ -523,7 +526,7 @@ impl AgentPolicy {
             &mut mounts,
             &mut storages,
             yaml_container,
-            &self.settings,
+            &self.config.settings,
         );
 
         let mut linux = containerd::get_linux(is_privileged);
@@ -570,9 +573,9 @@ impl AgentPolicy {
     ) -> KataProcess {
         // Start with the Default Unix Spec from
         // https://github.com/containerd/containerd/blob/release/1.6/oci/spec.go#L132
-        let mut process = containerd::get_process(is_privileged, &self.settings.common);
+        let mut process = containerd::get_process(is_privileged, &self.config.settings.common);
 
-        yaml_container.apply_capabilities(&mut process.Capabilities, &self.settings.common);
+        yaml_container.apply_capabilities(&mut process.Capabilities, &self.config.settings.common);
 
         let (yaml_has_command, yaml_has_args) = yaml_container.get_process_args(&mut process.Args);
         yaml_container

src/tools/genpolicy/src/registry.rs

@@ -15,7 +15,7 @@ use anyhow::{anyhow, bail, Result};
 use docker_credential::{CredentialRetrievalError, DockerCredential};
 use log::warn;
 use log::{debug, info, LevelFilter};
-use oci_distribution::client::{linux_amd64_resolver, ClientConfig};
+use oci_distribution::client::{linux_amd64_resolver, ClientConfig, ClientProtocol};
 use oci_distribution::{manifest, secrets::RegistryAuth, Client, Reference};
 use serde::{Deserialize, Serialize};
 use sha2::{digest::typenum::Unsigned, digest::OutputSizeUser, Sha256};
@@ -64,13 +64,14 @@ pub struct ImageLayer {
 }
 
 impl Container {
-    pub async fn new(use_cached_files: bool, image: &str) -> Result<Self> {
+    pub async fn new(config: &Config, image: &str) -> Result<Self> {
         info!("============================================");
         info!("Pulling manifest and config for {:?}", image);
         let reference: Reference = image.to_string().parse().unwrap();
         let auth = build_auth(&reference);
 
         let mut client = Client::new(ClientConfig {
+            protocol: ClientProtocol::HttpsExcept(config.insecure_registries.clone()),
             platform_resolver: Some(Box::new(linux_amd64_resolver)),
             ..Default::default()
         });
@@ -93,7 +94,7 @@ impl Container {
                 let config_layer: DockerConfigLayer =
                     serde_json::from_str(&config_layer_str).unwrap();
                 let image_layers = get_image_layers(
-                    use_cached_files,
+                    config.use_cache,
                     &mut client,
                     &reference,
                     &manifest,
@@ -430,7 +431,7 @@ pub async fn get_container(config: &Config, image: &str) -> Result<Container> {
     if let Some(socket_path) = &config.containerd_socket_path {
         return Container::new_containerd_pull(config.use_cache, image, socket_path).await;
     }
-    Container::new(config.use_cache, image).await
+    Container::new(config, image).await
 }
 
 fn build_auth(reference: &Reference) -> RegistryAuth {

src/tools/genpolicy/src/settings.rs

@@ -14,7 +14,7 @@ use std::fs::File;
 use std::str;
 
 /// Policy settings loaded from genpolicy-settings.json.
-#[derive(Debug, Deserialize, Serialize)]
+#[derive(Clone, Debug, Deserialize, Serialize)]
 pub struct Settings {
     pub pause_container: policy::KataSpec,
     pub other_container: policy::KataSpec,

src/tools/genpolicy/src/utils.rs

@@ -3,6 +3,7 @@
 // SPDX-License-Identifier: Apache-2.0
 //
 
+use crate::settings;
 use clap::Parser;
 
 #[derive(Debug, Parser)]
@@ -75,16 +76,23 @@ struct CommandLineOptions {
         require_equals= true
     )]
     containerd_socket_path: Option<String>,
+
+    #[clap(
+        long,
+        help = "Registry that uses plain HTTP. Can be passed more than once to configure multiple insecure registries."
+    )]
+    insecure_registry: Vec<String>,
 }
 
 /// Application configuration, derived from on command line parameters.
 #[derive(Clone, Debug)]
 pub struct Config {
     pub use_cache: bool,
+    pub insecure_registries: Vec<String>,
 
     pub yaml_file: Option<String>,
     pub rego_rules_path: String,
-    pub json_settings_path: String,
+    pub settings: settings::Settings,
     pub config_map_files: Option<Vec<String>>,
 
     pub silent_unsupported_fields: bool,
@@ -108,11 +116,14 @@ impl Config {
             None
         };
 
+        let settings = settings::Settings::new(&args.json_settings_path);
+
         Self {
             use_cache: args.use_cached_files,
+            insecure_registries: args.insecure_registry,
             yaml_file: args.yaml_file,
             rego_rules_path: args.rego_rules_path,
-            json_settings_path: args.json_settings_path,
+            settings,
             config_map_files: cm_files,
             silent_unsupported_fields: args.silent_unsupported_fields,
             raw_out: args.raw_out,