genpolicy: enable create container UID verification

Disabling the UID Policy rule was a workaround for #9928. Re-enable that rule here and add a new test/CI temporary workaround for this issue. This new test workaround will be removed after fixing #9928. Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-05-10 17:37:37 +00:00 · 2024-09-11 18:28:23 +00:00 · 2024-09-11 18:28:23 +00:00 · eb7f747df1
commit eb7f747df1
parent 71ede4ea3f
3 changed files with 11 additions and 22 deletions
--- a/src/tools/genpolicy/rules.rego
+++ b/src/tools/genpolicy/rules.rego
@ -540,9 +540,8 @@ allow_user(p_process, i_process) {
    p_user := p_process.User
    i_user := i_process.User

-    # TODO: remove this workaround when fixing https://github.com/kata-containers/kata-containers/issues/9928.
-    #print("allow_user: input uid =", i_user.UID, "policy uid =", p_user.UID)
-    #p_user.UID == i_user.UID
+    print("allow_user: input uid =", i_user.UID, "policy uid =", p_user.UID)
+    p_user.UID == i_user.UID

    # TODO: track down the reason for registry.k8s.io/pause:3.9 being
    #       executed with gid = 0 despite having "65535:65535" in its container image
--- a/tests/integration/kubernetes/k8s-policy-pod.bats
+++ b/tests/integration/kubernetes/k8s-policy-pod.bats
@ -35,6 +35,15 @@ setup() {

 	kubectl create -f "${priority_class_yaml}"

+	# This container image specifies user = "nobody", that corresponds to UID = 65534.
+	# genpolicy doesn't know yet how to convert the user name to UID (as described by
+	# https://github.com/kata-containers/kata-containers/issues/9928), so temporarily
+	# work around that limitation of the tool by explicitly settings runAsUser = 65534
+	# in the YAML file.
+	yq -i \
+		'.spec.containers[0].securityContext.runAsUser = 65534' \
+		"${correct_pod_yaml}"
+
    # Save some time by executing genpolicy a single time.
    if [ "${BATS_TEST_NUMBER}" == "1" ]; then
 		# Save pre-generated yaml files
@ -193,24 +202,6 @@ test_pod_policy_error() {
 	run ! grep -q "io.katacontainers.config.agent.policy" "${testcase_pre_generate_pod_yaml}"
 }

-@test "Successful pod due to runAsUser workaround from rules.rego" {
-	# This test case should fail, but it passes due to these lines being commented out in rules.rego:
-	#
-	# allow_user(p_process, i_process) {
-	#     #print("allow_user: input uid =", i_user.UID, "policy uid =", p_user.UID)
-	#     #p_user.UID == i_user.UID
-	#
-	# So this test case should be converted to use test_pod_policy_error when that workaround will
-	# be removed.
-	yq -i \
-		'.spec.containers[0].securityContext.runAsUser = 101' \
-		"${incorrect_pod_yaml}"
-
-	kubectl create -f "${correct_configmap_yaml}"
-	kubectl create -f "${incorrect_pod_yaml}"
-	kubectl wait --for=condition=Ready "--timeout=${timeout}" pod "${pod_name}"
-}
-
@test "ExecProcessRequest tests" {
 	wait_for_pod_ready

--- a/tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-pod.yaml
+++ b/tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-pod.yaml
@ -27,7 +27,6 @@ spec:
              name: policy-configmap
              key: data-2
      securityContext:
-        runAsUser: 1000
        seccompProfile:
          type: RuntimeDefault
      livenessProbe: