Merge pull request #9812 from microsoft/saulparedes/test_policy_on_tdx

gha: enable policy testing on TDX
2025-07-05 19:47:53 +00:00 · 2024-07-17 08:47:44 -07:00 · 2024-07-17 08:47:44 -07:00 · f31c1b121e
commit f31c1b121e
parent 449103c7bf af49252c69
6 changed files with 31 additions and 3 deletions
--- a/src/tools/genpolicy/genpolicy-settings.json
+++ b/src/tools/genpolicy/genpolicy-settings.json
@ -203,6 +203,7 @@
    ],
    "common": {
        "cpath": "/run/kata-containers/shared/containers",
        "mount_source_cpath": "/run/kata-containers/shared/containers",
        "sfprefix": "^$(cpath)/$(bundle-id)-[a-z0-9]{16}-",
        "ip_p": "[0-9]{1,5}",
        "ipv4_a": "(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])",
--- a/src/tools/genpolicy/rules.rego
+++ b/src/tools/genpolicy/rules.rego
@ -803,7 +803,7 @@ check_mount(p_mount, i_mount, bundle_id, sandbox_id) {
 mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) {
    regex1 := p_mount.source
    regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix)
-    regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath)
+    regex3 := replace(regex2, "$(cpath)", policy_data.common.mount_source_cpath)
    regex4 := replace(regex3, "$(bundle-id)", bundle_id)
    print("mount_source_allows 1: regex4 =", regex4)
@ -814,7 +814,7 @@ mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) {
 mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) {
    regex1 := p_mount.source
    regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix)
-    regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath)
+    regex3 := replace(regex2, "$(cpath)", policy_data.common.mount_source_cpath)
    regex4 := replace(regex3, "$(sandbox-id)", sandbox_id)
    print("mount_source_allows 2: regex4 =", regex4)
--- a/src/tools/genpolicy/src/policy.rs
+++ b/src/tools/genpolicy/src/policy.rs
@ -349,6 +349,9 @@ pub struct CommonData {
    /// Path to the shared container files - e.g., "/run/kata-containers/shared/containers".
    pub cpath: String,
    /// Path to the shared container files for mount sources - e.g., "/run/kata-containers/shared/containers".
    pub mount_source_cpath: String,
    /// Regex prefix for shared file paths - e.g., "^$(cpath)/$(bundle-id)-[a-z0-9]{16}-".
    pub sfprefix: String,
--- a/tests/integration/kubernetes/gha-run.sh
+++ b/tests/integration/kubernetes/gha-run.sh
@ -272,7 +272,7 @@ function run_tests() {
 		export KUBECONFIG="$HOME/.kcli/clusters/${CLUSTER_NAME:-kata-k8s}/auth/kubeconfig"
 	# TODO: enable testing auto-generated policy for other types of hosts too.
-	if [ "${KATA_HOST_OS}" = "cbl-mariner" ]; then
+	if [ "${KATA_HOST_OS}" = "cbl-mariner" ] || [ "${KATA_HYPERVISOR}" = "qemu-tdx" ]; then
 		export AUTO_GENERATE_POLICY="yes"
 	fi
--- a/tests/integration/kubernetes/k8s-policy-pvc.bats
+++ b/tests/integration/kubernetes/k8s-policy-pvc.bats
@ -10,6 +10,7 @@ load "${BATS_TEST_DIRNAME}/tests_common.sh"
 setup() {
 	auto_generate_policy_enabled || skip "Auto-generated policy tests are disabled."
 	( [ "${KATA_HYPERVISOR}" == "qemu-tdx" ] ) && skip "https://github.com/kata-containers/kata-containers/issues/9846"
 	pod_name="policy-pod-pvc"
 	pvc_name="policy-dev"
@ -54,6 +55,7 @@ test_pod_policy_error() {
 teardown() {
 	auto_generate_policy_enabled || skip "Auto-generated policy tests are disabled."
 	( [ "${KATA_HYPERVISOR}" == "qemu-tdx" ] ) && skip "https://github.com/kata-containers/kata-containers/issues/9846"
 	# Debugging information. Don't print the "Message:" line because it contains a truncated policy log.
 	kubectl describe pod "${pod_name}" | grep -v "Message:"
--- a/tests/integration/kubernetes/tests_common.sh
+++ b/tests/integration/kubernetes/tests_common.sh
@ -130,6 +130,26 @@ auto_generate_policy_enabled() {
 	[ "${AUTO_GENERATE_POLICY}" == "yes" ]
 }
 # adapt common policy settings for tdx
 adapt_common_policy_settings_for_tdx() {
 	local settings_dir=$1
 	info "Adapting common policy settings for TDX"
 	jq '.common.cpath = "/run/kata-containers" | .volumes.configMap.mount_point = "^$(cpath)/$(bundle-id)-[a-z0-9]{16}-"' "${settings_dir}/genpolicy-settings.json" > temp.json && sudo mv temp.json "${settings_dir}/genpolicy-settings.json"
 }
 # adapt common policy settings for various platforms
 adapt_common_policy_settings() {
 	local settings_dir=$1
 	case "${KATA_HYPERVISOR}" in
  		"qemu-tdx")
 			adapt_common_policy_settings_for_tdx "${settings_dir}"
 	esac
 }
 # If auto-generated policy testing is enabled, make a copy of the genpolicy settings,
 # and change these settings to use Kata CI cluster's default namespace.
 create_common_genpolicy_settings() {
@ -138,6 +158,8 @@ create_common_genpolicy_settings() {
 	auto_generate_policy_enabled || return 0
 	adapt_common_policy_settings "${default_genpolicy_settings_dir}"
 	cp "${default_genpolicy_settings_dir}/genpolicy-settings.json" "${genpolicy_settings_dir}"
 	cp "${default_genpolicy_settings_dir}/rules.rego" "${genpolicy_settings_dir}"