Merge pull request #9808 from microsoft/saulparedes/oci_from_settings

genpolicy: load OCI version from settings
2025-09-18 07:18:27 +00:00 · 2024-06-11 10:42:04 -07:00
parent 59ff40f054 6a84562c16
commit d47f40210a
4 changed files with 6 additions and 12 deletions
--- a/src/tools/genpolicy/genpolicy-settings.json
+++ b/src/tools/genpolicy/genpolicy-settings.json
@@ -269,7 +269,8 @@
        ]
    },
    "kata_config": {
-        "confidential_guest": false
+        "confidential_guest": false,
+        "oci_version": "1.1.0"
    },
    "cluster_config": {
        "default_namespace": "default",
--- a/src/tools/genpolicy/rules.rego
+++ b/src/tools/genpolicy/rules.rego
@@ -66,8 +66,7 @@ CreateContainerRequest {
    p_oci := p_container.OCI

    print("CreateContainerRequest: p Version =", p_oci.Version, "i Version =", i_oci.Version)
-    # TODO: Reenable when the Mariner host is reinstated, see #9593.
-    # p_oci.Version == i_oci.Version
+    p_oci.Version == i_oci.Version

    print("CreateContainerRequest: p Readonly =", p_oci.Root.Readonly, "i Readonly =", i_oci.Root.Readonly)
    p_oci.Root.Readonly == i_oci.Root.Readonly
--- a/src/tools/genpolicy/src/policy.rs
+++ b/src/tools/genpolicy/src/policy.rs
@@ -29,9 +29,6 @@ use std::collections::BTreeMap;
 use std::fs::read_to_string;
 use std::io::Write;

-// TODO: load this value from the settings file.
-const DEFAULT_OCI_VERSION: &str = "1.1.0-rc.1";
-
 /// Intermediary format of policy data.
 pub struct AgentPolicy {
    /// K8s resources described by the input YAML file.
@@ -73,7 +70,7 @@ pub struct PolicyData {
 #[derive(Clone, Debug, Deserialize, Serialize)]
 pub struct KataSpec {
    /// Version of the Open Container Initiative Runtime Specification with which the bundle complies.
-    #[serde(default = "version_default")]
+    #[serde(default)]
    pub Version: String,

    /// Process configures the container process.
@@ -100,10 +97,6 @@ pub struct KataSpec {
    pub Linux: KataLinux,
 }

-fn version_default() -> String {
-    DEFAULT_OCI_VERSION.to_string()
-}
-
 /// OCI container Process struct. This struct is very similar to the Process
 /// struct generated from oci.proto. The main difference is that it preserves
 /// the upper case field names from oci.proto, for consistency with the structs
@@ -565,7 +558,7 @@ impl AgentPolicy {

        ContainerPolicy {
            OCI: KataSpec {
-                Version: version_default(),
+                Version: self.config.settings.kata_config.oci_version.clone(),
                Process: process,
                Root: root,
                Mounts: mounts,
--- a/src/tools/genpolicy/src/settings.rs
+++ b/src/tools/genpolicy/src/settings.rs
@@ -64,6 +64,7 @@ pub struct ConfigMapVolume {
 #[derive(Clone, Debug, Serialize, Deserialize)]
 pub struct KataConfig {
    pub confidential_guest: bool,
+    pub oci_version: String,
 }

 impl Settings {