Commit Graph

528 Commits

Author SHA1 Message Date
Hui Zhu
2b6caf26e0 agent-ctl: Add mem-agent API support
Add sub command MemAgentMemcgSet and MemAgentCompactSet to agent-ctl to
configate the mem-agent inside the running kata-containers.

Fixes: #10625

Signed-off-by: Hui Zhu <teawater@antgroup.com>
2024-12-06 10:00:24 +08:00
Saul Paredes
84a411dac4 policy: improve pod namespace validation
- Remove default_namespace from settings
- Ensure container namespaces in a pod match each other in case no namespace is specified in the YAML

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2024-12-04 10:17:54 -08:00
Alex Lyn
5f9cc86b5a Merge pull request #10604 from 3u13r/euler/fix/genpolicy-rego-state-getter
genpolicy: align state path getter and setter
2024-12-04 13:57:34 +08:00
Aurélien Bombo
fe55b29ef0 csi-kata-directvolume: Remove go version check
The driver build recipe has a script to check the current Go version against
the go.mod version.  However, the script is broken ($expected is unbound) and I
don't believe we do this for other components. On top of this, Go should be
backward-compatible. Let's keep things simple for now and we can evaluate
restoring this script in the future if need be.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2024-12-03 14:43:36 -06:00
Aurélien Bombo
fb87bf221f ci: Implement build step for CSI driver
This fully implements the compilation step for csi-kata-directvolume.
This component can now be built by the CI running:

 $ cd tools/packaging/kata-deploy/local-build
 $ make csi-kata-directvolume-tarball

A couple notes:

 * When installing the binary, we rename it from directvolplugin to
   csi-kata-directvolume on the fly to make it more readable.
 * We add go to the tools builder Dockerfile to support building this
   tool.
 * I've noticed the file install_libseccomp.sh gets created by the build
   process so I've added it to a .gitignore.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2024-12-03 14:43:36 -06:00
Dan Mihai
2a67038836 Merge pull request #10608 from microsoft/saulparedes/policy_metadatata_uid
policy: ignore optional metadata uid field
2024-12-03 10:19:12 -08:00
Leonard Cohnen
9b614a4615 genpolicy: align state path getter and setter
Before this patch there was a mismatch between the JSON path under which
the state of the rule evaluation is set in comparison to under which
it is retrieved.

This resulted in the behavior that each time the policy was evaluated,
it thought it was the _first_ time the policy was evaluated.
This also means that the consistency check for the `sandbox_name`
was ineffective.

Signed-off-by: Leonard Cohnen <lc@edgeless.systems>
2024-12-03 13:25:24 +01:00
Saul Paredes
711d12e5db policy: support optional metadata uid field
This prevents a deserialization error when uid is specified

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2024-12-02 11:24:58 -08:00
Saul Paredes
9105c1fa0c policy: add constants to rules.rego
Reuse constants where applicable

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2024-12-02 08:28:58 -08:00
Dan Mihai
f340b31c41 genpolicy: avoid regorus warning
Avoid adding to the Guest console warnings about "agent_policy:10:8".

"import input" is unnecessary.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2024-11-25 21:19:01 +00:00
Saul Paredes
c207312260 genpolicy: validate container sandbox names
Make sure all container sandbox names match the sandbox name of the first container.

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2024-11-12 15:17:01 -08:00
Sumedh Alok Sharma
4b7aba5c57 agent-ctl: Add support to test kata-agent's container creation APIs.
This commit introduces changes to enable testing kata-agent's container
APIs of CreateContainer/StartContainer/RemoveContainer. The changeset
include:
- using confidential-containers image-rs crate to pull/unpack/mount a
container image. Currently supports only un-authenicated registry pull
- re-factor api handlers to reduce cmdline complexity and handle
request generation logic in tool
- introduce an OCI config template for container creation
- add test case

Fixes #9707

Signed-off-by: Sumedh Alok Sharma <sumsharma@microsoft.com>
2024-11-01 22:18:54 +05:30
Markus Rudy
091a410b96 kata-sys-util: move json parsing to protocols crate
The parse_json_string function is specific to parsing capability strings
out of ttRPC proto definitions and does not benefit from being available
to other crates. Moving it into the protocols crate allows removing
kata-sys-util as a dependency, which in turn enables compiling the
library on darwin.

Fixes: #10071

Signed-off-by: Markus Rudy <mr@edgeless.systems>
2024-10-31 09:41:07 +01:00
Markus Rudy
8ab4bd2bfc kata-sys-util: remove obsolete cgroups dependency
The cgroups.rs source file was removed in
234d7bca04. With cgroups support handled
in runtime-rs, the cgroups dependency on kata-sys-util can be removed.

Signed-off-by: Markus Rudy <mr@edgeless.systems>
2024-10-31 09:41:07 +01:00
Leonard Cohnen
c06bf2e3bb genpolicy: read binaryData value as String
While Kubernetes defines `binaryData` as `[]byte`,
when defined in a YAML file the raw bytes are
base64 encoded. Therefore, we need to read the YAML
value as `String` and not as `Vec<u8>`.

Fixes: #10410

Signed-off-by: Leonard Cohnen <lc@edgeless.systems>
2024-10-14 20:03:11 +02:00
Dan Mihai
7fe44d3a3d genpolicy: validate create sandbox storages
Reject any unexpected values from the CreateSandboxRequest storages
field.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2024-09-30 11:31:12 -07:00
Fabiano Fidêncio
593cbb8710 Merge pull request #10306 from microsoft/danmihai1/more-security-contexts
genpolicy: get UID from PodSecurityContext
2024-09-18 21:33:39 +02:00
Sumedh Alok Sharma
18c887f055 agent-ctl: Add SetPolicy support
This patch adds support to call kata agents SetPolicy
API. Also adds tests for SetPolicy API using agent-ctl.

Fixes #9711

Signed-off-by: Sumedh Alok Sharma <sumsharma@microsoft.com>
2024-09-18 10:53:49 +05:30
Dan Mihai
16f5ebf5f9 genpolicy: get UID from PodSecurityContext
Get UID from PodSecurityContext for other k8s resource types too,
not just for Pods.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2024-09-13 22:05:31 +00:00
Dan Mihai
d2d8d2e519 genpolicy: remove default UID/GID values
Remove the recently added default UID/GID values, because the genpolicy
design is to initialize those fields before this new code path gets
executed.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2024-09-11 22:38:20 +00:00
Hernan Gatta
871476c3cb genpolicy: pull UID:GID values from /etc/passwd
Some container images are configured such that the user (and group)
under which their entrypoint should run is not a number (or pair of
numbers), but a user name.

For example, in a Dockerfile, one might write:

> USER 185

indicating that the entrypoint should run under UID=185.

Some images, however, might have:

> RUN groupadd --system --gid=185 spark
> RUN useradd --system --uid=185 --gid=spark spark
> ...
> USER spark

indicating that the UID:GID pair should be resolved at runtime via
/etc/passwd.

To handle such images correctly, read through all /etc/passwd files in
all layers, find the latest version of it (i.e., the top-most layer with
such a file), and, in so doing, ensure that whiteouts of this file are
respected (i.e., if one layer adds the file and some subsequent layer
removes it, don't use it).

Signed-off-by: Hernan Gatta <hernan.gatta@opaque.co>
2024-09-11 22:38:20 +00:00
Hernan Gatta
f9249b4476 genpolicy: add tar dependency
Used to read /etc/passwd from tar files.

Signed-off-by: Hernan Gatta <hernan.gatta@opaque.co>
2024-09-11 22:38:20 +00:00
Dan Mihai
eb7f747df1 genpolicy: enable create container UID verification
Disabling the UID Policy rule was a workaround for #9928. Re-enable
that rule here and add a new test/CI temporary workaround for this
issue. This new test workaround will be removed after fixing #9928.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2024-09-11 22:38:20 +00:00
Sumedh Alok Sharma
2af1113426 agent-ctl: Refactor CopyFile handler
In the existing implementation for the CopyFile subcommand,
- cmd line argument list is too long, including various metadata information.
- in case of a regular file, passing the actual data as bytes stream adds to the size and complexity of the input.
- the copy request will fail when the file size exceeds that of the allowed ttrpc max data length limit of 4Mb.

This change refactors the CopyFile handler and modifies the input to a known 'source' 'destination' syntax.

Fixes #9708

Signed-off-by: Sumedh Alok Sharma <sumsharma@microsoft.com>
2024-09-11 10:54:01 +05:30
Archana Choudhary
f2625b0014 genpolicy: add support for PodDisruptionBudget
yaml

Prevent panic for PDB specs

Signed-off-by: Archana Choudhary <archana1@microsoft.com>
2024-09-05 11:33:47 -07:00
Saul Paredes
24c2d13fd3 genpolicy: support readonly emptyDir mount
Set emptyDir access based on volume mount readOnly value

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2024-09-04 15:05:44 -07:00
Saul Paredes
36a4104753 genpolicy: support readonly hostpath
Set hostpath access based on volume mount readOnly value

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2024-09-04 14:55:22 -07:00
Archana Choudhary
ae2cdedba8 genpolicy: add priorityClassName as a field in PodSpec interface
This allows generation of policy for pods specifying priority classes.

Signed-off-by: Archana Choudhary <archana1@microsoft.com>
2024-08-27 19:54:02 -07:00
Dan Mihai
6654491cc3 genpolicy: deny UpdateEphemeralMountsRequest
* genpolicy: deny UpdateEphemeralMountsRequest

Deny UpdateEphemeralMountsRequest by default, because paths to
critical Guest components can be redirected using such request.

Signed-off-by: Dan Mihai <Daniel.Mihai@microsoft.com>
2024-08-20 18:28:17 -07:00
Dan Mihai
c22ac4f72c genpolicy: add bind mounts for image volumes
Add bind mounts for volumes defined by docker container images, unless
those mounts have been defined in the input K8s YAML file too.

For example, quay.io/opstree/redis defines two mounts:
/data
/node-conf
Before these changes, if these mounts were not defined in the YAML file
too, the auto-generated policy did not allow this container image to
start.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2024-08-16 15:11:05 +00:00
Fabiano Fidêncio
8d63723910 Merge pull request #10161 from microsoft/saulparedes/ignore_role_resource
genpolicy: ignore Role resource
2024-08-16 16:50:16 +02:00
Dan Mihai
905c76bd47 Merge pull request #10153 from microsoft/saulparedes/support_cron_job
genpolicy: Add support for cron jobs
2024-08-15 11:11:00 -07:00
Saul Paredes
5ad47b8372 genpolicy: ignore Role resource
Ignore Role resources because they don't need a Policy.

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2024-08-14 12:57:06 -07:00
Saul Paredes
88451d26d0 genpolicy: add support for cron jobs
Add support for cron jobs

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2024-08-13 10:47:42 -07:00
Markus Rudy
bce5cb2ce5 genpolicy: harden CreateSandboxRequest checks
Hooks are executed on the host, so we don't expect to run hooks and thus
require that no hook paths are set.

Additional Kernel modules expand the attack surface, so require that
none are set. If a use case arises, modules should be allowlisted via
settings.

Signed-off-by: Markus Rudy <mr@edgeless.systems>
2024-08-13 09:01:58 +02:00
Markus Rudy
aee23409da genpolicy: harden CopyFileRequest checks
CopyFile is invoked by the host's FileSystemShare.ShareFile function,
which puts all files into directories with a common pattern. Copying
files anywhere else is dangerous and must be prevented. Thus, we check
that the target path prefix matches the expected directory pattern of
ShareFile, and that this directory is not escaped by .. traversal.

Signed-off-by: Markus Rudy <mr@edgeless.systems>
2024-08-13 09:01:58 +02:00
Markus Rudy
69535e5458 genpolicy: add crate-scoped integration test
Provides a test runner that generates a policy and validates it
with canned requests. The initial set of test cases is mostly for
illustration and will be expanded incrementally.

In order to enable both cross-compilation on Ubuntu test runners as well
as native compilation on the Alpine tools builder, it is easiest to
switch to the vendored openssl-src variant. This builds OpenSSL from
source, which depends on Perl at build time.

Adding the test to the Makefile makes it execute in CI, on a variety of
architectures. Building on ppc64le requires a newer version of the
libz-ng-sys crate.

Fixes: #10061

Signed-off-by: Markus Rudy <mr@edgeless.systems>
2024-08-05 11:52:01 +02:00
Markus Rudy
4d1416529d genpolicy: fix clippy v1.78.0 warnings
cargo clippy has two new warnings that need addressing:
- assigning_clones
  These were fixed by clippy itself.
- suspicious_open_options
  I added truncate(false) because we're opening the file for reading.

Signed-off-by: Markus Rudy <mr@edgeless.systems>
2024-08-05 11:48:30 +02:00
Fabiano Fidêncio
43dca8deb4 Merge pull request #10121 from microsoft/saulparedes/add_version_flag
genpolicy: add --version flag
2024-08-03 21:22:10 +02:00
Saul Paredes
194cc7ca81 genpolicy: add --version flag
- Add --version flag to the genpolicy tool that prints the current
version
- Add version.rs.in template to store the version information
- Update makefile to autogenerate version.rs from version.rs.in
- Add license to Cargo.toml

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2024-08-01 17:18:17 -07:00
Dan Mihai
9e99329bef genpolicy: reject create sandbox hooks
Reject CreateSandboxRequest hooks, because these hooks may be used by an
attacker.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2024-08-01 16:58:35 -07:00
Dan Mihai
5546ce4031 Merge pull request #10069 from microsoft/danmihai1/exec-args
genpolicy: validate each exec command line arg
2024-07-26 11:39:44 -07:00
Dan Mihai
a37f10fc87 genpolicy: validate each exec command line arg
Generate policy that validates each exec command line argument, instead
of joining those args and validating the resulting string. Joining the
args ignored the fact that some of the args might include space
characters.

The older format from genpolicy-settings.json was similar to:

    "ExecProcessRequest": {
      "commands": [
                "sh -c cat /proc/self/status"
        ],
      "regex": []
    },

That format will not be supported anymore. genpolicy will detect if its
users are trying to use the older "commands" field and will exit with
a relevant error message in that case.

The new settings format is:

    "ExecProcessRequest": {
      "allowed_commands": [
        [
          "sh",
          "-c",
          "cat /proc/self/status"
        ]
      ],
      "regex": []
    },

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2024-07-25 16:57:17 +00:00
Alex Lyn
abb0a2659a Merge pull request #9944 from Apokleos/align-ocispec-rs
Align kata oci spec with oci-spec-rs
2024-07-25 19:36:52 +08:00
Alex Lyn
bf813f85f2 runk: Align oci spec with oci-spec-rs
Utilized oci-spec-rs to align OCI Spec structures
and data representations in runk with the OCI Spec.

Fixes #9766

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2024-07-25 17:47:01 +08:00
Alex Lyn
b3eab5ffea genpolicy: Align agent-ctl OCI Spec with oci-spec-rs
Fixes #9766

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2024-07-25 17:47:01 +08:00
Alex Lyn
c500fd5761 agent-ctl: Align agent-ctl OCI Spec with oci-spec-rs
This commit aligns the OCI Spec used within agent-ctl
with the oci-spec-rs definition and operations. This
enhancement ensures that agent-ctl adheres to the latest
OCI standards and provides a more consistent and reliable
experience for managing container images and configurations.

Fixes #9766

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2024-07-25 17:47:01 +08:00
Saul Paredes
2681fc7eb0 genpolicy: Add support for envFrom
This change adds support for the `envFrom` field in the `Pod` resource

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2024-07-19 09:53:58 -07:00
Aurélien Bombo
ab6f37aa52 Merge pull request #10022 from microsoft/danmihai1/probes-and-lifecycle
genpolicy: container.exec_commands args validation
2024-07-18 12:21:31 -07:00
Dan Mihai
f31c1b121e Merge pull request #9812 from microsoft/saulparedes/test_policy_on_tdx
gha: enable policy testing on TDX
2024-07-17 08:47:44 -07:00