github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-08-14 22:24:14 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #8909 from microsoft/danmihai1/main-shareProcessNamespace

Browse Source 
genpolicy: add shareProcessNamespace support
This commit is contained in:
Dan Mihai 2024-01-26 05:49:19 -08:00 committed by GitHub
commit ef1ee81f81
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
14 changed files with 92 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
src/tools/genpolicy/rules.rego
View File

@ -45,8 +45,12 @@ CreateContainerRequest {
some p_container in policy_data.containers some p_container in policy_data.containers
print("======== CreateContainerRequest: trying next policy container") print("======== CreateContainerRequest: trying next policy container")
p_pidns := p_container.sandbox_pidns
i_pidns := input.sandbox_pidns
print("CreateContainerRequest: p_pidns =", p_pidns, "i_pidns =", i_pidns)
p_pidns == i_pidns
p_oci := p_container.OCI p_oci := p_container.OCI
p_storages := p_container.storages
print("CreateContainerRequest: p Version =", p_oci.Version, "i Version =", i_oci.Version) print("CreateContainerRequest: p Version =", p_oci.Version, "i Version =", i_oci.Version)
p_oci.Version == i_oci.Version p_oci.Version == i_oci.Version
@ -55,7 +59,10 @@ CreateContainerRequest {
p_oci.Root.Readonly == i_oci.Root.Readonly p_oci.Root.Readonly == i_oci.Root.Readonly
allow_anno(p_oci, i_oci) allow_anno(p_oci, i_oci)
p_storages := p_container.storages
allow_by_anno(p_oci, i_oci, p_storages, i_storages) allow_by_anno(p_oci, i_oci, p_storages, i_storages)
allow_linux(p_oci, i_oci) allow_linux(p_oci, i_oci)
print("CreateContainerRequest: true") print("CreateContainerRequest: true")
@ -1076,6 +1083,12 @@ CopyFileRequest {
print("CopyFileRequest: true") print("CopyFileRequest: true")
} }
CreateSandboxRequest {
i_pidns := input.sandbox_pidns
print("CreateSandboxRequest: i_pidns =", i_pidns)
i_pidns == false
}
ExecProcessRequest { ExecProcessRequest {
print("ExecProcessRequest 1: input =", input) print("ExecProcessRequest 1: input =", input)

4
src/tools/genpolicy/src/config_map.rs
View File

@ -125,4 +125,8 @@ impl yaml::K8sResource for ConfigMap {
fn use_host_network(&self) -> bool { fn use_host_network(&self) -> bool {
panic!("Unsupported"); panic!("Unsupported");
} }
fn use_sandbox_pidns(&self) -> bool {
panic!("Unsupported");
}
} }

7
src/tools/genpolicy/src/daemon_set.rs
View File

@ -129,4 +129,11 @@ impl yaml::K8sResource for DaemonSet {
} }
false false
} }
fn use_sandbox_pidns(&self) -> bool {
if let Some(shared) = self.spec.template.spec.shareProcessNamespace {
return shared;
}
false
}
} }

7
src/tools/genpolicy/src/deployment.rs
View File

@ -127,4 +127,11 @@ impl yaml::K8sResource for Deployment {
} }
false false
} }
fn use_sandbox_pidns(&self) -> bool {
if let Some(shared) = self.spec.template.spec.shareProcessNamespace {
return shared;
}
false
}
} }

7
src/tools/genpolicy/src/job.rs
View File

@ -101,4 +101,11 @@ impl yaml::K8sResource for Job {
} }
false false
} }
fn use_sandbox_pidns(&self) -> bool {
if let Some(shared) = self.spec.template.spec.shareProcessNamespace {
return shared;
}
false
}
} }

4
src/tools/genpolicy/src/list.rs
View File

@ -100,4 +100,8 @@ impl yaml::K8sResource for List {
fn use_host_network(&self) -> bool { fn use_host_network(&self) -> bool {
panic!("Unsupported"); panic!("Unsupported");
} }
fn use_sandbox_pidns(&self) -> bool {
panic!("Unsupported");
}
} }

4
src/tools/genpolicy/src/no_policy.rs
View File

@ -67,4 +67,8 @@ impl yaml::K8sResource for NoPolicyResource {
fn use_host_network(&self) -> bool { fn use_host_network(&self) -> bool {
panic!("Unsupported"); panic!("Unsupported");
} }
fn use_sandbox_pidns(&self) -> bool {
panic!("Unsupported");
}
} }

10
src/tools/genpolicy/src/pod.rs
View File

@ -77,6 +77,9 @@ pub struct PodSpec {
#[serde(skip_serializing_if = "Option::is_none")] #[serde(skip_serializing_if = "Option::is_none")]
pub hostNetwork: Option<bool>, pub hostNetwork: Option<bool>,
#[serde(skip_serializing_if = "Option::is_none")]
pub shareProcessNamespace: Option<bool>,
#[serde(skip_serializing_if = "Option::is_none")] #[serde(skip_serializing_if = "Option::is_none")]
dnsConfig: Option<PodDNSConfig>, dnsConfig: Option<PodDNSConfig>,
@ -737,6 +740,13 @@ impl yaml::K8sResource for Pod {
} }
false false
} }
fn use_sandbox_pidns(&self) -> bool {
if let Some(shared) = self.spec.shareProcessNamespace {
return shared;
}
false
}
} }
impl Container { impl Container {

9
src/tools/genpolicy/src/policy.rs
View File

@ -256,6 +256,9 @@ pub struct ContainerPolicy {
/// Data compared with req.storages for CreateContainerRequest calls. /// Data compared with req.storages for CreateContainerRequest calls.
storages: Vec<agent::Storage>, storages: Vec<agent::Storage>,
/// Data compared with req.sandbox_pidns for CreateContainerRequest calls.
sandbox_pidns: bool,
/// Allow list of ommand lines that are allowed to be executed using /// Allow list of ommand lines that are allowed to be executed using
/// ExecProcessRequest. By default, all ExecProcessRequest calls are blocked /// ExecProcessRequest. By default, all ExecProcessRequest calls are blocked
/// by the policy. /// by the policy.
@ -518,6 +521,11 @@ impl AgentPolicy {
linux.ReadonlyPaths = c_settings.Linux.ReadonlyPaths.clone(); linux.ReadonlyPaths = c_settings.Linux.ReadonlyPaths.clone();
} }
let sandbox_pidns = if is_pause_container {
false
} else {
resource.use_sandbox_pidns()
};
let exec_commands = yaml_container.get_exec_commands(); let exec_commands = yaml_container.get_exec_commands();
ContainerPolicy { ContainerPolicy {
@ -531,6 +539,7 @@ impl AgentPolicy {
Linux: linux, Linux: linux,
}, },
storages, storages,
sandbox_pidns,
exec_commands, exec_commands,
} }
} }

7
src/tools/genpolicy/src/replica_set.rs
View File

@ -99,4 +99,11 @@ impl yaml::K8sResource for ReplicaSet {
} }
false false
} }
fn use_sandbox_pidns(&self) -> bool {
if let Some(shared) = self.spec.template.spec.shareProcessNamespace {
return shared;
}
false
}
} }

7
src/tools/genpolicy/src/replication_controller.rs
View File

@ -101,4 +101,11 @@ impl yaml::K8sResource for ReplicationController {
} }
false false
} }
fn use_sandbox_pidns(&self) -> bool {
if let Some(shared) = self.spec.template.spec.shareProcessNamespace {
return shared;
}
false
}
} }

4
src/tools/genpolicy/src/secret.rs
View File

@ -111,4 +111,8 @@ impl yaml::K8sResource for Secret {
fn use_host_network(&self) -> bool { fn use_host_network(&self) -> bool {
panic!("Unsupported"); panic!("Unsupported");
} }
fn use_sandbox_pidns(&self) -> bool {
panic!("Unsupported");
}
} }

7
src/tools/genpolicy/src/stateful_set.rs
View File

@ -174,6 +174,13 @@ impl yaml::K8sResource for StatefulSet {
} }
false false
} }
fn use_sandbox_pidns(&self) -> bool {
if let Some(shared) = self.spec.template.spec.shareProcessNamespace {
return shared;
}
false
}
} }
impl StatefulSet { impl StatefulSet {

1
src/tools/genpolicy/src/yaml.rs
View File

@ -65,6 +65,7 @@ pub trait K8sResource {
fn get_containers(&self) -> &Vec<pod::Container>; fn get_containers(&self) -> &Vec<pod::Container>;
fn get_annotations(&self) -> &Option<BTreeMap<String, String>>; fn get_annotations(&self) -> &Option<BTreeMap<String, String>>;
fn use_host_network(&self) -> bool; fn use_host_network(&self) -> bool;
fn use_sandbox_pidns(&self) -> bool;
} }
/// See Reference / Kubernetes API / Common Definitions / LabelSelector. /// See Reference / Kubernetes API / Common Definitions / LabelSelector.