Commit Graph

219 Commits

Author SHA1 Message Date
Dan Mihai
c11c972465 genpolicy: config layer logging clean-up
Use a simple debug!() for logging the config_layer string, instead of
transcoding, etc.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-07-28 18:30:13 +00:00
Dan Mihai
30bfa2dfcc genpolicy: use CoCo settings by default
- "confidential_emptyDir" becomes "emptyDir" in the settings file.
- "confidential_configMap" becomes "configMap" in settings.
- "mount_source_cpath" becomes "cpath".
- The new "root_path" gets used instead of the old "cpath" to point to
  the container root path..
- "confidential_guest" is no longer used. By default it gets replaced
  by "enable_configmap_secret_storages"=false, because CoCo is using
  CopyFileRequest instead of the Storage data structures for ConfigMap
  and/or Secret volume mounts during CreateContainerRequest.
- The value of "guest_pull" becomes true by default.
- "image_layer_verification" is no longer used - just CoCo's guest pull
  is supported.
- The Request input files from unit tests are changing to reflect the
  new default settings values described above.
- tests/integration/kubernetes/tests_common.sh adjusts the settings for
  platforms that are not set-up for CoCo during CI (i.e., platforms
  other than SNP, TDX, and CoCo Dev).

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-07-28 18:30:13 +00:00
Dan Mihai
94995d7102 genpolicy: skip pulling layers for guest-pull
Skip pulling container image layers when guest-pull=true. The contents
of these layers were ignored due to:
- #11162, and
- tarfs snapshotter support having been removed from genpolicy.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-07-28 18:30:13 +00:00
Dan Mihai
f6016f4f36 genpolicy: remove tarfs snapshotter support
AKS Confidential Containers are using the tarfs snapshotter. CoCo
upstream doesn't use this snapshotter, so remove this Policy complexity
from upstream.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-07-28 18:30:10 +00:00
dependabot[bot]
ef9d960763 build(deps): bump the openssl group across 4 directories with 1 update
Bumps the openssl group with 1 update in the /src/dragonball directory: [openssl](https://github.com/sfackler/rust-openssl).
Bumps the openssl group with 1 update in the /src/runtime-rs directory: [openssl](https://github.com/sfackler/rust-openssl).
Bumps the openssl group with 1 update in the /src/tools/genpolicy directory: [openssl](https://github.com/sfackler/rust-openssl).
Bumps the openssl group with 1 update in the /src/tools/kata-ctl directory: [openssl](https://github.com/sfackler/rust-openssl).


Updates `openssl` from 0.10.72 to 0.10.73
- [Release notes](https://github.com/sfackler/rust-openssl/releases)
- [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.72...openssl-v0.10.73)

Updates `openssl` from 0.10.72 to 0.10.73
- [Release notes](https://github.com/sfackler/rust-openssl/releases)
- [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.72...openssl-v0.10.73)

Updates `openssl` from 0.10.72 to 0.10.73
- [Release notes](https://github.com/sfackler/rust-openssl/releases)
- [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.72...openssl-v0.10.73)

Updates `openssl` from 0.10.72 to 0.10.73
- [Release notes](https://github.com/sfackler/rust-openssl/releases)
- [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.72...openssl-v0.10.73)

---
updated-dependencies:
- dependency-name: openssl
  dependency-version: 0.10.73
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: openssl
- dependency-name: openssl
  dependency-version: 0.10.73
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: openssl
- dependency-name: openssl
  dependency-version: 0.10.73
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: openssl
- dependency-name: openssl
  dependency-version: 0.10.73
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: openssl
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-23 15:17:12 +00:00
dependabot[bot]
a9c8377073 build(deps): bump zerocopy from 0.6.1 to 0.6.6 in /src/tools/genpolicy
---
updated-dependencies:
- dependency-name: zerocopy
  dependency-version: 0.6.6
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-21 12:50:38 +00:00
Tim Zhang
45b44742de genpolicy: update Cargo.lock to fix CVE-2025-53605
Fixes: https://github.com/kata-containers/kata-containers/security/dependabot/394
Fixes: #11570

Signed-off-by: Tim Zhang <tim@hyper.sh>
Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-07-18 16:10:52 +02:00
stevenhorsman
41a608e5ce tools: Bump borsh, liboci-cli and oci-spec
Bump these crates to remove the unmaintained dependency
proc-macro-error and remediate RUSTSEC-2024-0370

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-17 18:23:19 +01:00
stevenhorsman
661d88b11f versions: Bump oci-spec
Try bumping oci-spec to 0.8.1 as it included fixes for vulnerabilities
including RUSTSEC-2024-0370

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-14 16:54:30 +01:00
stevenhorsman
b7bf46fdfa versions: Bump idna crate to >= 1.0.4
Bump url, reqwests and idna crates in order to move away from
idna <1.0.3 and remediate CVE-2024-12224.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-09 11:34:27 +01:00
Archana Choudhary
6932beb01f policy: fix parse errors in rules.rego
This patch fixes the rules.rego file to ensure that the
policy is correctly parsed and applied by opa.

Signed-off-by: Archana Choudhary <archana1@microsoft.com>
2025-07-01 12:43:41 +00:00
Archana Choudhary
abbe1be69f tests: enable confidential_guest setting for coco
This commit updates the `tests_common.sh` script
to enable the `confidential_guest`
setting for the coco tests in the Kubernetes
integration tests.

Signed-off-by: Archana Choudhary <archana1@microsoft.com>
2025-07-01 10:35:20 +00:00
Archana Choudhary
9dd365fdb5 genpolicy: fix mount source check in rules.rego
This commit fixes the mount source check in rules.rego.

Signed-off-by: Archana Choudhary <archana1@microsoft.com>
2025-07-01 10:35:20 +00:00
Archana Choudhary
1cbea890f1 genpolicy: tests: update testcases for execprocess
This patch removes storages from the testcases.json file for execprocess.
This is because input storage objects are invalid for two reasons:
1. "io.katacontainers.fs-opt.layer=" is missing option in annotations.
2. by default, we don't have host-tarfs-dm-verity enabled, so the storage
objects are not created in policy.

Signed-off-by: Archana Choudhary <archana1@microsoft.com>
---
2025-07-01 10:35:20 +00:00
Archana Choudhary
6adec0737c genpolicy: add rules for image_guest_pull storage
This patch introduces some basic checks for the
`image_guest_pull` storage type in the genpolicy tool.

Signed-off-by: Archana Choudhary <archana1@microsoft.com>
2025-07-01 10:35:20 +00:00
Archana Choudhary
bd2dc1422e genpolicy: add test for container images having volumes
This patch adds a test case to genpolicy for container images that have volumes.
Examples of such container images include:
 - quay.io/opstree/redis
 - https://github.com/kubernetes/examples/blob/master/cassandra/image/Dockerfile

Signed-off-by: Archana Choudhary <archana1@microsoft.com>
2025-07-01 10:35:20 +00:00
Archana Choudhary
d7f998fbd5 genpolicy: tests: update test for emptydir volumes
This patch
  - updates testcases.json for emptydir volumes/storages

Signed-off-by: Archana Choudhary <archana1@microsoft.com>
2025-07-01 10:35:20 +00:00
Archana Choudhary
68c8c31718 genpolicy: tests: add test for config_map volumes
This patch adds test for config_map volumes.

Signed-off-by: Archana Choudhary <archana1@microsoft.com>
2025-07-01 10:35:20 +00:00
Archana Choudhary
9ebbc08d70 genpolicy: enable storage checks
This patch
 - adds condition to add container image layers as storages
 - enable storage checks
 - fix CI policy test cases
 - update genpolicy-settings.json to enable storage checks
 - remove storage object addition in container image parsing

Signed-off-by: Archana Choudhary <archana1@microsoft.com>
2025-07-01 10:35:20 +00:00
Archana Choudhary
5b1459e623 genpolicy: test framework: enable config map usage
This patch improves the test framework for the
genpolicy tool by enabling the use of config maps.

Signed-off-by: Archana Choudhary <archana1@microsoft.com>
2025-07-01 10:35:20 +00:00
Fabiano Fidêncio
69c706b570 Merge pull request #11441 from stevenhorsman/protobuf-3.7.2-bump
versions: Bump protobuf to 3.7.2
2025-06-25 13:47:28 +02:00
Dan Mihai
0a57e09259 Merge pull request #11426 from charludo/fix/genpolicy-corruption-of-layer-cache-file
genpolicy: prevent corruption of the layer cache file
2025-06-23 14:00:45 -07:00
charludo
4e57cc0ed2 genpolicy: keep layers cache in-memory to prevent corruption
The locking mechanism around the layers cache file was insufficient to
prevent corruption of the file. This commit moves the layers cache's
management in-memory, only reading the cache file once at the beginning
of `genpolicy`, and only writing to it once, at the end of `genpolicy`.

In the case that obtaining a lock on the cache file fails,
reading/writing to it is skipped, and the cache is not used/persisted.

Signed-off-by: charludo <git@charlotteharludo.com>
2025-06-23 16:16:42 +02:00
dependabot[bot]
0aa80313eb build(deps): bump the clap group across 6 directories with 1 update
Bumps the clap group with 1 update in the /src/agent directory: [clap](https://github.com/clap-rs/clap).
Bumps the clap group with 1 update in the /src/tools/agent-ctl directory: [clap](https://github.com/clap-rs/clap).
Bumps the clap group with 1 update in the /src/tools/genpolicy directory: [clap](https://github.com/clap-rs/clap).
Bumps the clap group with 1 update in the /src/tools/kata-ctl directory: [clap](https://github.com/clap-rs/clap).
Bumps the clap group with 1 update in the /src/tools/runk directory: [clap](https://github.com/clap-rs/clap).
Bumps the clap group with 1 update in the /src/tools/trace-forwarder directory: [clap](https://github.com/clap-rs/clap).

Updates `clap` from 3.2.25 to 4.5.37
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 3.2.25 to 4.5.37
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 3.2.25 to 4.5.37
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 3.2.25 to 4.5.37
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 3.2.25 to 4.5.37
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 3.2.25 to 4.5.37
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 2.34.0 to 4.5.40
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 2.34.0 to 4.5.40
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 2.34.0 to 4.5.40
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 2.34.0 to 4.5.40
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 2.34.0 to 4.5.40
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 2.34.0 to 4.5.40
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 4.1.8 to 4.5.40
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 4.1.8 to 4.5.40
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 4.1.8 to 4.5.40
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 4.1.8 to 4.5.40
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 4.1.8 to 4.5.40
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 4.1.8 to 4.5.40
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 4.4.10 to 4.5.13
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 4.4.10 to 4.5.13
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 4.4.10 to 4.5.13
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 4.4.10 to 4.5.13
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 4.4.10 to 4.5.13
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 4.4.10 to 4.5.13
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 3.2.25 to 4.5.40
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 3.2.25 to 4.5.40
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 3.2.25 to 4.5.40
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 3.2.25 to 4.5.40
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 3.2.25 to 4.5.40
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 3.2.25 to 4.5.40
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 2.34.0 to 4.5.40
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 2.34.0 to 4.5.40
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 2.34.0 to 4.5.40
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 2.34.0 to 4.5.40
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 2.34.0 to 4.5.40
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

Updates `clap` from 2.34.0 to 4.5.40
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)

---
updated-dependencies:
- dependency-name: clap
  dependency-version: 4.5.37
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.37
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.37
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.37
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.37
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.37
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.40
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.40
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.40
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.40
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.40
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.40
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.40
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.40
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.40
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.40
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.40
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.40
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.13
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.13
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.13
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.13
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.13
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.13
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.40
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.40
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.40
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.40
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.40
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.40
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.40
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.40
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.40
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.40
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.40
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.40
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: clap
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-21 17:15:12 +01:00
stevenhorsman
900d9be55e build(deps): bump rustix in various components
Bumps of rustix 0.36, 0.37 and 0.38 to resolve
CVE-2024-43806

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-20 14:52:43 -05:00
stevenhorsman
0f1c326ca0 versions: Bump protobuf to 3.7.2
Now we are decoupled from the image-rs crate,
we can bump the protobuf version across our project
to resolve the GHSA-2gh3-rmm4-6rq5 advisory

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-20 20:52:04 +01:00
Archana Choudhary
e093919b42 tests: update container image for ci and unit test
This patch updates the container image for the CI test workloads:
- `k8s-layered-sc-deployment.yaml`
- `k8s-pod-sc-deployment.yaml`
- `k8s-pod-sc-nobodyupdate-deployment.yaml`
- `k8s-pod-sc-supplementalgroups-deployment.yaml`
- `k8s-policy-deployment.yaml`

Also updates unit tests:
- `test_create_container_security_context`
- `test_create_container_security_context_supplemental_groups`

This fixes tests failing due to an image pull error as the previous image is no longer available in
the container registry.

Signed-off-by: Archana Choudhary <archana1@microsoft.com>
Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2025-06-20 10:46:56 -07:00
Dan Mihai
0f8e453518 Merge pull request #11412 from katexochen/rego-v1
genpolicy: fix rules syntax issues, rego v1 compatibility; ci: checks for rego parsing
2025-06-13 07:30:34 -07:00
dependabot[bot]
1e6962e4a8 build(deps): bump the tracing group across 7 directories with 1 update
Bumps the tracing group with 1 update in the /src/dragonball directory: [tracing](https://github.com/tokio-rs/tracing).
Bumps the tracing group with 1 update in the /src/libs directory: [tracing](https://github.com/tokio-rs/tracing).
Bumps the tracing group with 1 update in the /src/tools/agent-ctl directory: [tracing](https://github.com/tokio-rs/tracing).
Bumps the tracing group with 1 update in the /src/tools/genpolicy directory: [tracing](https://github.com/tokio-rs/tracing).
Bumps the tracing group with 1 update in the /src/tools/kata-ctl directory: [tracing](https://github.com/tokio-rs/tracing).
Bumps the tracing group with 1 update in the /src/tools/runk directory: [tracing](https://github.com/tokio-rs/tracing).
Bumps the tracing group with 1 update in the /src/tools/trace-forwarder directory: [tracing](https://github.com/tokio-rs/tracing).


Updates `tracing` from 0.1.37 to 0.1.41
- [Release notes](https://github.com/tokio-rs/tracing/releases)
- [Commits](https://github.com/tokio-rs/tracing/compare/tracing-0.1.37...tracing-0.1.41)

Updates `tracing` from 0.1.34 to 0.1.41
- [Release notes](https://github.com/tokio-rs/tracing/releases)
- [Commits](https://github.com/tokio-rs/tracing/compare/tracing-0.1.37...tracing-0.1.41)

Updates `tracing` from 0.1.37 to 0.1.41
- [Release notes](https://github.com/tokio-rs/tracing/releases)
- [Commits](https://github.com/tokio-rs/tracing/compare/tracing-0.1.37...tracing-0.1.41)

Updates `tracing` from 0.1.37 to 0.1.41
- [Release notes](https://github.com/tokio-rs/tracing/releases)
- [Commits](https://github.com/tokio-rs/tracing/compare/tracing-0.1.37...tracing-0.1.41)

Updates `tracing` from 0.1.40 to 0.1.41
- [Release notes](https://github.com/tokio-rs/tracing/releases)
- [Commits](https://github.com/tokio-rs/tracing/compare/tracing-0.1.37...tracing-0.1.41)

Updates `tracing` from 0.1.40 to 0.1.41
- [Release notes](https://github.com/tokio-rs/tracing/releases)
- [Commits](https://github.com/tokio-rs/tracing/compare/tracing-0.1.37...tracing-0.1.41)

Updates `tracing` from 0.1.29 to 0.1.41
- [Release notes](https://github.com/tokio-rs/tracing/releases)
- [Commits](https://github.com/tokio-rs/tracing/compare/tracing-0.1.37...tracing-0.1.41)

---
updated-dependencies:
- dependency-name: tracing
  dependency-version: 0.1.41
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: tracing
- dependency-name: tracing
  dependency-version: 0.1.41
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: tracing
- dependency-name: tracing
  dependency-version: 0.1.41
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: tracing
- dependency-name: tracing
  dependency-version: 0.1.41
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: tracing
- dependency-name: tracing
  dependency-version: 0.1.41
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: tracing
- dependency-name: tracing
  dependency-version: 0.1.41
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: tracing
- dependency-name: tracing
  dependency-version: 0.1.41
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: tracing
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-12 15:45:35 +00:00
Paul Meyer
5baea34fff genpolicy/rules: rego v1 compatibility
Migrate policy to rego v1.
See https://www.openpolicyagent.org/docs/v0-upgrade#changes-to-rego-in-opa-v10

Signed-off-by: Paul Meyer <katexochen0@gmail.com>
2025-06-12 10:46:43 +02:00
Ruoqing He
44142b13d3 genpolicy: Fix clippy unstable_name_collisions
Manually fix `unstable_name_collisions` clippy warning reported by rust
1.85.1.

```console
error: a method with this name may be added to the standard library in the future
   --> src/registry.rs:646:10
    |
646 |     file.unlock()?;
    |          ^^^^^^
    |
    = warning: once this associated item is added to the standard library, the ambiguity may cause an error or change in behavior!
    = note: for more information, see issue #48919 <https://github.com/rust-lang/rust/issues/48919>
    = help: call with fully qualified syntax `fs2::FileExt::unlock(...)` to keep using the current method
    = note: `-D unstable-name-collisions` implied by `-D warnings`
    = help: to override `-D warnings` add `#[allow(unstable_name_collisions)]`
```

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-06-11 13:50:10 +00:00
Ruoqing He
366d293141 genpolicy: Fix clippy manual_unwrap_or_default
Manually fix `manual_unwrap_or_default` clippy warning reported by rust
1.85.1.

```console
error: if let can be simplified with `.unwrap_or_default()`
   --> src/registry.rs:619:37
    |
619 |       let mut data: Vec<ImageLayer> = if let Ok(vec) = serde_json::from_reader(read_file) {
    |  _____________________________________^
620 | |         vec
621 | |     } else {
...   |
624 | |     };
    | |_____^ help: replace it with: `serde_json::from_reader(read_file).unwrap_or_default()`
    |
    = help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#manual_unwrap_or_default
    = note: `-D clippy::manual-unwrap-or-default` implied by `-D warnings`
    = help: to override `-D warnings` add `#[allow(clippy::manual_unwrap_or_default)]`
```

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-06-11 13:50:10 +00:00
Ruoqing He
a71a77bfa3 genpolicy: Fix clippy manual_div_ceil
Manually fix `manual_div_ceil` clippy warning reported by rust 1.85.1.

```console
error: manually reimplementing `div_ceil`
  --> src/verity.rs:73:25
   |
73 |             let count = (data_size + entry_size - 1) / entry_size;
   |                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ help: consider using `.div_ceil()`: `data_size.div_ceil(entry_size)`
   |
   = help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#manual_div_ceil
   = note: `-D clippy::manual-div-ceil` implied by `-D warnings`
   = help: to override `-D warnings` add `#[allow(clippy::manual_div_ceil)]`
```

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-06-11 13:50:10 +00:00
Ruoqing He
5d491bd4f4 genpolicy: Bump ttrpc-codegen related dependencies
Bump `ttrpc-codegen` related dependencies in response to `ttrpc-codegen`
bump in `libs/protocol`.

Relates: #11376

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-06-11 13:50:10 +00:00
Paul Meyer
d488c998c7 genpolicy/rules: fix syntax issue
Policy wan't parsable with OPA due to surplus whitespace.

Signed-off-by: Paul Meyer <katexochen0@gmail.com>
2025-06-11 14:48:36 +02:00
Markus Rudy
1c240de58d genpolicy: don't parse /etc/passwd in a loop
Instead of looping over the users per group and parsing passwd for each
user, we can do the reverse lookup uid->user up front and then compare
the names directly. This has the nice side-effect of silencing warnings
about non-existent users mentioned in /etc/group, which is not relevant
for policy decisions.

Signed-off-by: Markus Rudy <mr@edgeless.systems>
2025-06-04 17:54:57 +02:00
Markus Rudy
a1baaf6fe2 genpolicy: ignore groups with same name as user
containerd does not automatically add groups to the list of additional
GIDs when the groups have the same name as the user:

https://github.com/containerd/containerd/blob/f482992/pkg/oci/spec_opts.go#L852-L854

This is a bug and should be corrected, but it has been present since at
least 1.6.0 and thus affects almost all containerd deployments in
existence. Thus, we adopt the same behavior and ignore groups with the
same name as the user when calculating additional GIDs.

Signed-off-by: Markus Rudy <mr@edgeless.systems>
2025-06-04 10:29:49 +02:00
Markus Rudy
eeb3d1384b genpolicy: compare additionalGIDs as sets
The additional GIDs are handled by genpolicy as a BTreeSet. This set is
then serialized to an ordered JSON array. On the containerd side, the
GIDs are added to a list in the order they are discovered in /etc/group,
and the main GID of the user is prepended to that list. This means that
we don't have any guarantees that the input GIDs will be sorted. Since
the order does not matter here, comparing the list of GIDs as sets is
close enough.

Signed-off-by: Markus Rudy <mr@edgeless.systems>
2025-06-03 20:18:35 +02:00
Markus Rudy
02ad39ddf1 genpolicy: push down warning about missing passwd file
The warning used to trigger even if the passwd file was not needed. This
commit moves it down to where it actually matters.

Signed-off-by: Markus Rudy <mr@edgeless.systems>
2025-06-03 11:19:29 +02:00
Markus Rudy
ec969e4dcd genpolicy: remove redundant group check
https://github.com/kata-containers/kata-containers/pull/11077
established that the GID from the image config is never used for
deriving the primary group of the container process. This commit removes
the associated logic that derived a GID from a named group.

Signed-off-by: Markus Rudy <mr@edgeless.systems>
2025-06-03 10:59:10 +02:00
Paul Meyer
8de8b8185e genpolicy: rename svc_name to svc_name_downward_env
Just to be more explicit what this matches.

Signed-off-by: Paul Meyer <katexochen0@gmail.com>
2025-05-27 10:13:43 +02:00
Paul Meyer
78eb65bb0b genpolicy: fix svc_name regex
The service name is specified as RFC 1035 lable name [1]. The svc_name
regex in the genpolicy settings is applied to the downward API env
variables created based on the service name. So it tries to match
RFC 1035 labels after they are transformed to downward API variable
names [2]. So the set of lower case alphanumerics and dashes is
transformed to upper case alphanumerics and underscores.
The previous regex wronly permitted use of numbers, but did allow
dot and dash, which shouldn't be allowed (dot not because they aren't
conform with RFC 1035, dash not because it is transformed to underscore).

We have to take care not to also try to use the regex in places where
we actually want to check for RFC 1035 label instead of the downward
API transformed version of it.

Further, we should consider using a format like JSON5/JSONC for the
policy settings, as these are far from trivial and would highly benefit
from proper documentation through comments.

[1]: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service
[2]: b2dfba4151/pkg/kubelet/envvars/envvars.go (L29-L70)

Signed-off-by: Paul Meyer <katexochen0@gmail.com>
2025-05-27 08:43:25 +02:00
Ankita Pareek
ad75595dc8 genpolicy: Add tests for various input validations for ExecProcessRequest
These additional tests cover edge cases specific to-
- Terminal validation
- Capabilities validation
- Working directory (Cwd) validation
- NoNewPrivileges validation
- User validation
- Environment variables validation

Signed-off-by: Ankita Pareek <ankitapareek@microsoft.com>
2025-05-20 11:19:55 +00:00
Saul Paredes
1e466bf39c genpolicy: fix validation of env variables sourced from metadata.namespace
Use $(sandbox-namespace) wildcard in case none is specified in yaml. If wildcard is present, compare
input against annotation value.

Fixes regression introduced in https://github.com/microsoft/kata-containers/pull/273
where samples that use metadata.namespace env var were no longer working.

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2025-05-20 11:19:46 +00:00
Dan Mihai
a113b9eefd genpolicy: validate probe process fields
Validate more process fields for k8s probe commands - e.g.,
livenessProbe, readinessProbe, etc.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-05-20 11:15:30 +00:00
Dan Mihai
c0b8c6ed5e genpolicy: validate process for commands from settings
Validate more process fields for commands enabled using the
ExecProcessRequest "commands" and/or "regex" fields from the
settings file.
Add function to get the container from state based on container_id
matching instead of matching it against every policy container data

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
Signed-off-by: Ankita Pareek <ankitapareek@microsoft.com>
2025-05-20 11:15:30 +00:00
Dan Mihai
6f78aaa411 genpolicy: use process inputs for allow_process()
Using process data inputs for allow_process() is easier to
read/understand compared with the older OCI data inputs.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-05-20 11:15:30 +00:00
Dan Mihai
b9651eadab Merge pull request #11214 from microsoft/cameronbaird/address-gid-mismatch-additionalgids
genpolicy: Enable AdditionalGids checks in rules.rego
2025-05-16 10:15:53 -07:00
Cameron Baird
7bba7374ec genpolicy: Add retries to policy generation
As the genpolicy from_files call makes network requests to container
registries, it has a chance to fail.

Harden us against flakes due to network by introducing a 6x retry loop
in genpolicy tests.

Signed-off-by: Cameron Baird <cameronbaird@microsoft.com>
2025-05-15 18:12:50 +00:00
Cameron Baird
090497f520 genpolicy: Add test cases for fsGroup and supplementalGroup fields
Fix up genpolicy test inputs to include required additionalGids

Include a test for the pod_container container in security_context tests
as these containers follow slightly different paths in containerd.

Introduce a test for fsGroup/supplementalGroups fields in the security
context.

Signed-off-by: Cameron Baird <cameronbaird@microsoft.com>
2025-05-13 21:48:58 +00:00