From dfd269eb872f67efb844aaa1d84d93b4a05ac272 Mon Sep 17 00:00:00 2001
From: Saul Paredes
Date: Fri, 26 Sep 2025 16:54:30 -0700
Subject: [PATCH 1/3] genpolicy: take path to initdata from command line if provided
Otherwise use default initdata.
Signed-off-by: Saul Paredes
---
src/libs/kata-types/src/initdata.rs | 2 +-
src/tools/genpolicy/src/policy.rs | 2 +-
src/tools/genpolicy/src/utils.rs | 18 ++++++++++++++++++
src/tools/genpolicy/tests/policy/main.rs | 1 +
4 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/src/libs/kata-types/src/initdata.rs b/src/libs/kata-types/src/initdata.rs
index 43cd8ef081..4a28d72f82 100644
--- a/src/libs/kata-types/src/initdata.rs
+++ b/src/libs/kata-types/src/initdata.rs
@@ -175,7 +175,7 @@ fn adjust_digest(digest: &[u8], platform: ProtectedPlatform) -> Vec {
}
/// Parse initdata
-fn parse_initdata(initdata_str: &str) -> Result {
+pub fn parse_initdata(initdata_str: &str) -> Result {
let initdata: InitData = toml::from_str(initdata_str)?;
initdata.validate()?;
diff --git a/src/tools/genpolicy/src/policy.rs b/src/tools/genpolicy/src/policy.rs
index 0420a91bb0..b0a0eec254 100644
--- a/src/tools/genpolicy/src/policy.rs
+++ b/src/tools/genpolicy/src/policy.rs
@@ -577,7 +577,7 @@ impl AgentPolicy {
if self.config.raw_out {
std::io::stdout().write_all(policy.as_bytes()).unwrap();
}
- let mut initdata = kata_types::initdata::InitData::new("sha256", "0.1.0");
+ let mut initdata = self.config.initdata.clone();
initdata.insert_data("policy.rego", policy);
kata_types::initdata::encode_initdata(&initdata)
diff --git a/src/tools/genpolicy/src/utils.rs b/src/tools/genpolicy/src/utils.rs
index e268244d65..241d80d964 100644
--- a/src/tools/genpolicy/src/utils.rs
+++ b/src/tools/genpolicy/src/utils.rs
@@ -5,6 +5,7 @@ use crate::layers_cache;
use crate::settings;
+use anyhow::Context;
use clap::Parser;
#[derive(Debug, Parser)]
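Review bot: `parse_initdata` becomes part of the crate's public API on the `+pub fn` line, but it keeps the one-word doc `/// Parse initdata`, which no longer tells external callers what the function guarantees. The body visible in the hunk deserializes the TOML and then calls `initdata.validate()?`, so the doc should state both steps and carry an `# Errors` section, e.g. `/// Parse an initdata TOML document and run its validation.` followed by `/// Returns an error if the TOML is malformed or the parsed initdata fails validation.`. The remainder of the function body lies outside the hunk.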
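Review bot: Now that the initdata may come from an operator-supplied TOML file, `initdata.insert_data("policy.rego", policy)` on the new side can collide with a `policy.rego` entry already present in that file; whether that replaces the user's entry or keeps it depends on `insert_data`, which is not in the hunk, but in neither case is the user told. Because this blob is what gets measured for the TEE, a silent override hides a misconfiguration that is hard to notice afterwards. I would check the cloned initdata for an existing `policy.rego` key before inserting and warn or fail if one is present, or at minimum document the behavior on the `let mut initdata = self.config.initdata.clone();` line with `// Any policy.rego entry in the user-supplied initdata is superseded by the generated policy.`. The enclosing method starts and ends outside the hunk.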
@@ -105,6 +106,9 @@ struct CommandLineOptions {
layers_cache_file_path: Option,
#[clap(short, long, help = "Print version information and exit")]
version: bool,
+
+ #[clap(long, help = "Path to the initdata TOML file", require_equals = true)]
+ initdata_path: Option,
}
/// Application configuration, derived from on command line parameters.
@@ -126,6 +130,7 @@ pub struct Config {
pub containerd_socket_path: Option,
pub layers_cache: layers_cache::ImageLayersCache,
pub version: bool,
+ pub initdata: kata_types::initdata::InitData,
}
impl Config {
@@ -150,6 +155,18 @@ impl Config {
let settings = settings::Settings::new(&args.json_settings_path);
+ let initdata = match args.initdata_path.as_deref() {
+ Some(p) => {
+ let s = std::fs::read_to_string(p)
+ .context(format!("Failed to read initdata file {}", p))
+ .unwrap();
+ kata_types::initdata::parse_initdata(&s)
+ .context(format!("Failed to parse initdata from {}", p))
+ .unwrap()
+ }
+ None => kata_types::initdata::InitData::new("sha256", "0.1.0"),
+ };
+
Self {
use_cache: args.use_cached_files,
insecure_registries: args.insecure_registry,
@@ -164,6 +181,7 @@ impl Config {
containerd_socket_path: args.containerd_socket_path,
layers_cache: layers_cache::ImageLayersCache::new(&layers_cache_file_path),
version: args.version,
+ initdata,
}
}
}
diff --git a/src/tools/genpolicy/tests/policy/main.rs b/src/tools/genpolicy/tests/policy/main.rs
index 1b84ea4c59..5eeba23aa3 100644
--- a/src/tools/genpolicy/tests/policy/main.rs
+++ b/src/tools/genpolicy/tests/policy/main.rs
@@ -107,6 +107,7 @@ mod tests {
use_cache: false,
version: false,
yaml_file: workdir.join("pod.yaml").to_str().map(|s| s.to_string()),
+ initdata: kata_types::initdata::InitData::new("sha256", "0.1.0"),
};
// The container repos/network calls can be unreliable, so retry
From 395f237fc2d267e5852d24a2b51e715a181741fa Mon Sep 17 00:00:00 2001
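Review bot: The new `--initdata-path` handling in `Config::new` aborts via `.context(..).unwrap()` on both the file read and the parse, so an unreadable or malformed operator-supplied TOML ends in a panic with a Debug-printed anyhow chain rather than a clean CLI error; that appears to be this tool's existing style (policy.rs unwraps its stdout write in the previous hunk), so if it is intentional, at least switch to the lazy form so the message is only built on failure: `.with_context(|| format!("Failed to read initdata file {}", p))` and `.with_context(|| format!("Failed to parse initdata from {}", p))`. Separately, the fallback `InitData::new("sha256", "0.1.0")` is now spelled out here and again in tests/policy/main.rs (and was just removed from policy.rs); a single `Default` impl or named constant in kata_types would keep these from drifting, which matters because this value feeds the measured initdata. A why-comment on the `None =>` arm such as `// No --initdata-path given: start from an empty sha256/0.1.0 initdata and let the policy be added later.` would also help. `Config::new` starts and ends outside the hunk.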
From: Saul Paredes
Date: Wed, 1 Oct 2025 13:58:03 -0700
Subject: [PATCH 2/3] tests: k8s: use default-initdata.toml when auto-generating policy
- copy default-initdata.toml in create_tmp_policy_settings_dir, so it can be modified by other tests if needed
- make auto_generate_policy use default-initdata.toml by default
- add auto_generate_policy_no_added_flags, so it may be used by tests that don't want to use default-initdata.toml by default
Signed-off-by: Saul Paredes
---
.../runtimeclass_workloads/default-initdata.toml | 4 ++++
tests/integration/kubernetes/tests_common.sh | 12 ++++++++++++
2 files changed, 16 insertions(+)
create mode 100644 tests/integration/kubernetes/runtimeclass_workloads/default-initdata.toml
diff --git a/tests/integration/kubernetes/runtimeclass_workloads/default-initdata.toml b/tests/integration/kubernetes/runtimeclass_workloads/default-initdata.toml
new file mode 100644
index 0000000000..03a370e68a
--- /dev/null
+++ b/tests/integration/kubernetes/runtimeclass_workloads/default-initdata.toml
@@ -0,0 +1,4 @@
+version = "0.1.0"
+algorithm = "sha256"
+
+[data]
diff --git a/tests/integration/kubernetes/tests_common.sh b/tests/integration/kubernetes/tests_common.sh
index 9646502b75..0a8b4c4ac1 100644
--- a/tests/integration/kubernetes/tests_common.sh
+++ b/tests/integration/kubernetes/tests_common.sh
@@ -170,6 +170,7 @@ create_tmp_policy_settings_dir() {
tmp_settings_dir=$(mktemp -d --tmpdir="${common_settings_dir}" genpolicy.XXXXXXXXXX)
cp "${common_settings_dir}/rules.rego" "${tmp_settings_dir}"
cp "${common_settings_dir}/genpolicy-settings.json" "${tmp_settings_dir}"
+ cp "${common_settings_dir}/default-initdata.toml" "${tmp_settings_dir}"
echo "${tmp_settings_dir}"
}
@@ -188,6 +189,17 @@ delete_tmp_policy_settings_dir() {
# Execute genpolicy to auto-generate policy for a test YAML file.
auto_generate_policy() {
+ declare -r settings_dir="$1"
+ declare -r yaml_file="$2"
+ declare -r config_map_yaml_file="${3:-""}"
+ declare additional_flags="${4:-""}"
+
+ additional_flags="${additional_flags} --initdata-path=${settings_dir}/default-initdata.toml"
+
+ auto_generate_policy_no_added_flags "${settings_dir}" "${yaml_file}" "${config_map_yaml_file}" "${additional_flags}"
+}
+
+auto_generate_policy_no_added_flags() {
declare -r settings_dir="$1"
declare -r yaml_file="$2"
declare -r config_map_yaml_file="${3:-""}"
From ba7a5953c8b95a9757c1db277590a62d0687488a Mon Sep 17 00:00:00 2001
From: Saul Paredes
Date: Fri, 10 Oct 2025 14:52:45 -0700
Subject: [PATCH 3/3] tests: k8s-policy-pod.bats: test unspecified initdata path
use auto_generate_policy_no_added_flags, so we don't pass --initdata-path to genpolicy
Signed-off-by: Saul Paredes
---
tests/integration/kubernetes/k8s-policy-pod.bats | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/integration/kubernetes/k8s-policy-pod.bats b/tests/integration/kubernetes/k8s-policy-pod.bats
index e4a9f3ee91..e948ad64ad 100644
--- a/tests/integration/kubernetes/k8s-policy-pod.bats
+++ b/tests/integration/kubernetes/k8s-policy-pod.bats
@@ -47,7 +47,7 @@ setup() {
cp "${correct_pod_yaml}" "${pre_generate_pod_yaml}"
# Add policy to the correct pod yaml file
- auto_generate_policy "${policy_settings_dir}" "${correct_pod_yaml}" "${correct_configmap_yaml}"
+ auto_generate_policy_no_added_flags "${policy_settings_dir}" "${correct_pod_yaml}" "${correct_configmap_yaml}"
fi
# Start each test case with a copy of the correct yaml files.
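Review bot: `additional_flags` is assembled as one whitespace-separated string, with `${settings_dir}` interpolated into `--initdata-path=${settings_dir}/default-initdata.toml`; if the callee word-splits that string into separate genpolicy arguments (its body is outside the hunk, so I cannot confirm), a settings directory containing a space would break the flag in two. Today the directory comes from `mktemp` under `common_settings_dir`, so this is unlikely to bite, but it deserves either an array or an explicit assumption next to the assignment, e.g. `# settings_dir must not contain whitespace: additional_flags is word-split before reaching genpolicy`. The new `auto_generate_policy_no_added_flags` also has no header comment; add one stating its contract, e.g. `# Like auto_generate_policy, but does not add --initdata-path, so genpolicy uses its built-in default initdata.`. Its body continues outside the hunk.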
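Review bot: The switch to `auto_generate_policy_no_added_flags` is deliberate per the commit message (exercise genpolicy without `--initdata-path`), but nothing in the file records that, so a later cleanup is likely to "fix" it back to `auto_generate_policy` and silently lose the coverage. Replace or extend the existing `# Add policy to the correct pod yaml file` comment with the reason, e.g. `# Intentionally omit --initdata-path so that genpolicy's built-in default initdata is exercised.`. `setup()` continues outside the hunk.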