Commit Graph

412 Commits

Author SHA1 Message Date
Fabiano Fidêncio
593cbb8710
Merge pull request #10306 from microsoft/danmihai1/more-security-contexts
genpolicy: get UID from PodSecurityContext
2024-09-18 21:33:39 +02:00
Sumedh Alok Sharma
18c887f055 agent-ctl: Add SetPolicy support
This patch adds support to call kata agents SetPolicy
API. Also adds tests for SetPolicy API using agent-ctl.

Fixes #9711

Signed-off-by: Sumedh Alok Sharma <sumsharma@microsoft.com>
2024-09-18 10:53:49 +05:30
Dan Mihai
16f5ebf5f9 genpolicy: get UID from PodSecurityContext
Get UID from PodSecurityContext for other k8s resource types too,
not just for Pods.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2024-09-13 22:05:31 +00:00
Dan Mihai
d2d8d2e519 genpolicy: remove default UID/GID values
Remove the recently added default UID/GID values, because the genpolicy
design is to initialize those fields before this new code path gets
executed.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2024-09-11 22:38:20 +00:00
Hernan Gatta
871476c3cb genpolicy: pull UID:GID values from /etc/passwd
Some container images are configured such that the user (and group)
under which their entrypoint should run is not a number (or pair of
numbers), but a user name.

For example, in a Dockerfile, one might write:

> USER 185

indicating that the entrypoint should run under UID=185.

Some images, however, might have:

> RUN groupadd --system --gid=185 spark
> RUN useradd --system --uid=185 --gid=spark spark
> ...
> USER spark

indicating that the UID:GID pair should be resolved at runtime via
/etc/passwd.

To handle such images correctly, read through all /etc/passwd files in
all layers, find the latest version of it (i.e., the top-most layer with
such a file), and, in so doing, ensure that whiteouts of this file are
respected (i.e., if one layer adds the file and some subsequent layer
removes it, don't use it).

Signed-off-by: Hernan Gatta <hernan.gatta@opaque.co>
2024-09-11 22:38:20 +00:00
Hernan Gatta
f9249b4476 genpolicy: add tar dependency
Used to read /etc/passwd from tar files.

Signed-off-by: Hernan Gatta <hernan.gatta@opaque.co>
2024-09-11 22:38:20 +00:00
Dan Mihai
eb7f747df1 genpolicy: enable create container UID verification
Disabling the UID Policy rule was a workaround for #9928. Re-enable
that rule here and add a new test/CI temporary workaround for this
issue. This new test workaround will be removed after fixing #9928.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2024-09-11 22:38:20 +00:00
Sumedh Alok Sharma
2af1113426 agent-ctl: Refactor CopyFile handler
In the existing implementation for the CopyFile subcommand,
- cmd line argument list is too long, including various metadata information.
- in case of a regular file, passing the actual data as bytes stream adds to the size and complexity of the input.
- the copy request will fail when the file size exceeds that of the allowed ttrpc max data length limit of 4Mb.

This change refactors the CopyFile handler and modifies the input to a known 'source' 'destination' syntax.

Fixes #9708

Signed-off-by: Sumedh Alok Sharma <sumsharma@microsoft.com>
2024-09-11 10:54:01 +05:30
Archana Choudhary
f2625b0014 genpolicy: add support for PodDisruptionBudget
yaml

Prevent panic for PDB specs

Signed-off-by: Archana Choudhary <archana1@microsoft.com>
2024-09-05 11:33:47 -07:00
Saul Paredes
24c2d13fd3 genpolicy: support readonly emptyDir mount
Set emptyDir access based on volume mount readOnly value

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2024-09-04 15:05:44 -07:00
Saul Paredes
36a4104753 genpolicy: support readonly hostpath
Set hostpath access based on volume mount readOnly value

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2024-09-04 14:55:22 -07:00
Archana Choudhary
ae2cdedba8 genpolicy: add priorityClassName as a field in PodSpec interface
This allows generation of policy for pods specifying priority classes.

Signed-off-by: Archana Choudhary <archana1@microsoft.com>
2024-08-27 19:54:02 -07:00
Dan Mihai
6654491cc3 genpolicy: deny UpdateEphemeralMountsRequest
* genpolicy: deny UpdateEphemeralMountsRequest

Deny UpdateEphemeralMountsRequest by default, because paths to
critical Guest components can be redirected using such request.

Signed-off-by: Dan Mihai <Daniel.Mihai@microsoft.com>
2024-08-20 18:28:17 -07:00
Dan Mihai
c22ac4f72c genpolicy: add bind mounts for image volumes
Add bind mounts for volumes defined by docker container images, unless
those mounts have been defined in the input K8s YAML file too.

For example, quay.io/opstree/redis defines two mounts:
/data
/node-conf
Before these changes, if these mounts were not defined in the YAML file
too, the auto-generated policy did not allow this container image to
start.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2024-08-16 15:11:05 +00:00
Fabiano Fidêncio
8d63723910
Merge pull request #10161 from microsoft/saulparedes/ignore_role_resource
genpolicy: ignore Role resource
2024-08-16 16:50:16 +02:00
Dan Mihai
905c76bd47
Merge pull request #10153 from microsoft/saulparedes/support_cron_job
genpolicy: Add support for cron jobs
2024-08-15 11:11:00 -07:00
Saul Paredes
5ad47b8372 genpolicy: ignore Role resource
Ignore Role resources because they don't need a Policy.

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2024-08-14 12:57:06 -07:00
Saul Paredes
88451d26d0 genpolicy: add support for cron jobs
Add support for cron jobs

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2024-08-13 10:47:42 -07:00
Markus Rudy
bce5cb2ce5 genpolicy: harden CreateSandboxRequest checks
Hooks are executed on the host, so we don't expect to run hooks and thus
require that no hook paths are set.

Additional Kernel modules expand the attack surface, so require that
none are set. If a use case arises, modules should be allowlisted via
settings.

Signed-off-by: Markus Rudy <mr@edgeless.systems>
2024-08-13 09:01:58 +02:00
Markus Rudy
aee23409da genpolicy: harden CopyFileRequest checks
CopyFile is invoked by the host's FileSystemShare.ShareFile function,
which puts all files into directories with a common pattern. Copying
files anywhere else is dangerous and must be prevented. Thus, we check
that the target path prefix matches the expected directory pattern of
ShareFile, and that this directory is not escaped by .. traversal.

Signed-off-by: Markus Rudy <mr@edgeless.systems>
2024-08-13 09:01:58 +02:00
Markus Rudy
69535e5458 genpolicy: add crate-scoped integration test
Provides a test runner that generates a policy and validates it
with canned requests. The initial set of test cases is mostly for
illustration and will be expanded incrementally.

In order to enable both cross-compilation on Ubuntu test runners as well
as native compilation on the Alpine tools builder, it is easiest to
switch to the vendored openssl-src variant. This builds OpenSSL from
source, which depends on Perl at build time.

Adding the test to the Makefile makes it execute in CI, on a variety of
architectures. Building on ppc64le requires a newer version of the
libz-ng-sys crate.

Fixes: #10061

Signed-off-by: Markus Rudy <mr@edgeless.systems>
2024-08-05 11:52:01 +02:00
Markus Rudy
4d1416529d genpolicy: fix clippy v1.78.0 warnings
cargo clippy has two new warnings that need addressing:
- assigning_clones
  These were fixed by clippy itself.
- suspicious_open_options
  I added truncate(false) because we're opening the file for reading.

Signed-off-by: Markus Rudy <mr@edgeless.systems>
2024-08-05 11:48:30 +02:00
Fabiano Fidêncio
43dca8deb4
Merge pull request #10121 from microsoft/saulparedes/add_version_flag
genpolicy: add --version flag
2024-08-03 21:22:10 +02:00
Saul Paredes
194cc7ca81 genpolicy: add --version flag
- Add --version flag to the genpolicy tool that prints the current
version
- Add version.rs.in template to store the version information
- Update makefile to autogenerate version.rs from version.rs.in
- Add license to Cargo.toml

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2024-08-01 17:18:17 -07:00
Dan Mihai
9e99329bef genpolicy: reject create sandbox hooks
Reject CreateSandboxRequest hooks, because these hooks may be used by an
attacker.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2024-08-01 16:58:35 -07:00
Dan Mihai
5546ce4031
Merge pull request #10069 from microsoft/danmihai1/exec-args
genpolicy: validate each exec command line arg
2024-07-26 11:39:44 -07:00
Dan Mihai
a37f10fc87 genpolicy: validate each exec command line arg
Generate policy that validates each exec command line argument, instead
of joining those args and validating the resulting string. Joining the
args ignored the fact that some of the args might include space
characters.

The older format from genpolicy-settings.json was similar to:

    "ExecProcessRequest": {
      "commands": [
                "sh -c cat /proc/self/status"
        ],
      "regex": []
    },

That format will not be supported anymore. genpolicy will detect if its
users are trying to use the older "commands" field and will exit with
a relevant error message in that case.

The new settings format is:

    "ExecProcessRequest": {
      "allowed_commands": [
        [
          "sh",
          "-c",
          "cat /proc/self/status"
        ]
      ],
      "regex": []
    },

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2024-07-25 16:57:17 +00:00
Alex Lyn
abb0a2659a
Merge pull request #9944 from Apokleos/align-ocispec-rs
Align kata oci spec with oci-spec-rs
2024-07-25 19:36:52 +08:00
Alex Lyn
bf813f85f2 runk: Align oci spec with oci-spec-rs
Utilized oci-spec-rs to align OCI Spec structures
and data representations in runk with the OCI Spec.

Fixes #9766

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2024-07-25 17:47:01 +08:00
Alex Lyn
b3eab5ffea genpolicy: Align agent-ctl OCI Spec with oci-spec-rs
Fixes #9766

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2024-07-25 17:47:01 +08:00
Alex Lyn
c500fd5761 agent-ctl: Align agent-ctl OCI Spec with oci-spec-rs
This commit aligns the OCI Spec used within agent-ctl
with the oci-spec-rs definition and operations. This
enhancement ensures that agent-ctl adheres to the latest
OCI standards and provides a more consistent and reliable
experience for managing container images and configurations.

Fixes #9766

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2024-07-25 17:47:01 +08:00
Saul Paredes
2681fc7eb0 genpolicy: Add support for envFrom
This change adds support for the `envFrom` field in the `Pod` resource

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2024-07-19 09:53:58 -07:00
Aurélien Bombo
ab6f37aa52
Merge pull request #10022 from microsoft/danmihai1/probes-and-lifecycle
genpolicy: container.exec_commands args validation
2024-07-18 12:21:31 -07:00
Dan Mihai
f31c1b121e
Merge pull request #9812 from microsoft/saulparedes/test_policy_on_tdx
gha: enable policy testing on TDX
2024-07-17 08:47:44 -07:00
Dan Mihai
9f4d1ffd43 genpolicy: container.exec_commands args validation
Keep track of individual exec args instead of joining them in the
policy text. Verifying each arg results in a more precise policy,
because some of the args might include space characters.

This improved validation applies to commands specified in K8s YAML
files using:

- livenessProbe
- readinessProbe
- startupProbe
- lifecycle.postStart
- lifecycle.preStop

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2024-07-17 01:19:23 +00:00
Saul Paredes
0b3d193730 genpolicy: Support cpath for mount sources
Add setting to allow specifying the cpath for a mount source.

cpath is the root path for most files used by a container. For example,
the container rootfs and various files copied from the Host to the
Guest when shared_fs=none are hosted under cpath.

mount_source_cpath is the root of the paths used a storage mount
sources. Depending on Kata settings, mount_source_cpath might have the
same value as cpath - but on TDX for example these two paths are
different: TDX uses "/run/kata-containers" as cpath,
but "/run/kata-containers/shared/containers" as mount_source_cpath.

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2024-07-15 14:09:49 -07:00
Dan Mihai
f087044ecb genpolicy: add support for runAsUser
Add ability to auto-generate policy for SecurityContext.runAsUser and
PodSecurityContext.runAsUser.

Fixes: #8879

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2024-07-13 01:10:43 +00:00
Dan Mihai
5282701b5b genpolicy: add link to allow_user() active issue
Improve comment to workaround in rules.rego, to explain better the
reason for that workaround.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2024-07-13 01:05:58 +00:00
Dan Mihai
ada53744ea
Merge pull request #9907 from microsoft/saulparedes/allow_empty_env_vars
genpolicy: allow some empty env vars
2024-07-03 08:07:23 -07:00
Aurélien Bombo
33d08a8417
Merge pull request #9825 from microsoft/mahuber/main
osbuilder: allow rootfs builds w/o git or version file deps
2024-07-02 09:38:13 -07:00
Wainer Moschetta
ec695f67e1
Merge pull request #9577 from microsoft/saulparedes/topology
genpolicy: add topologySpreadConstraints support
2024-07-02 11:24:26 -03:00
Saul Paredes
f3f3caa80a genpolicy: update sample
Update pod-one-container.yaml sample

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2024-07-01 13:49:08 -07:00
Dan Mihai
75aee526a9 genpolicy: add topologySpreadConstraints support
Allow genpolicy to process Pod YAML files including
topologySpreadConstraints.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2024-07-01 13:32:49 -07:00
Greg Kurz
db7b2f7aaa kata-ctl: Update Cargo.lock
A previous change missed to refresh Cargo.lock.

Signed-off-by: Greg Kurz <groug@kaod.org>
2024-06-26 08:27:52 +02:00
Saul Paredes
ce19419d72 genpolicy: allow some empty env vars
Updated genpolicy settings to allow 2 empty environment variables that
may be forgotten to specify (AZURE_CLIENT_ID and AZURE_TENANT_ID)

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2024-06-25 10:53:05 -07:00
Aurélien Bombo
0582a9c75b
Merge pull request #9864 from 3u13r/feat/genpolicy/layers-cache-file-path
genpolicy: allow specifying layer cache file
2024-06-25 10:42:22 -07:00
Leonard Cohnen
6a3ed38140 genpolicy: allow specifying layer cache file
Add --layers-cache-file-path flag to allow the user to
specify where the cache file for the container layers
is saved. This allows e.g. to have one cache file
independent of the user's working directory.

Signed-off-by: Leonard Cohnen <lc@edgeless.systems>
2024-06-24 14:53:27 +02:00
Saul Paredes
44afb4aa5f genpolicy: ignore SeccompProfile in PodSpec
Ignore SeccompProfile in PodSpec

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2024-06-20 09:42:17 -07:00
Dan Mihai
4df66568cf genpolicy: reject untested CreateContainer field values
Reject CreateContainerRequest field values that are not tested by
Kata CI and that might impact the confidentiality of CoCo Guests.

This change uses a "better safe than sorry" approach to untested
fields. It is very possible that in the future we'll encounter
reasonable use cases that will either:

- Show that some of these fields are benign and don't have to be
  verified by Policy, or
- Show that Policy should verify legitimate values of these fields

These are the new CreateContainerRequest Policy rules:

    count(input.shared_mounts) == 0
    is_null(input.string_user)

    i_oci := input.OCI
    is_null(i_oci.Hooks)
    is_null(i_oci.Linux.Seccomp)
    is_null(i_oci.Solaris)
    is_null(i_oci.Windows)

    i_linux := i_oci.Linux
    count(i_linux.GIDMappings) == 0
    count(i_linux.MountLabel) == 0
    count(i_linux.Resources.Devices) == 0
    count(i_linux.RootfsPropagation) == 0
    count(i_linux.UIDMappings) == 0
    is_null(i_linux.IntelRdt)
    is_null(i_linux.Resources.BlockIO)
    is_null(i_linux.Resources.Network)
    is_null(i_linux.Resources.Pids)
    is_null(i_linux.Seccomp)
    i_linux.Sysctl == {}

    i_process := i_oci.Process
    count(i_process.SelinuxLabel) == 0
    count(i_process.User.Username) == 0

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2024-06-18 18:09:31 +00:00
Alex Lyn
d3fb6bfd35
Merge pull request #9860 from stevenhorsman/tokio-vulnerability-bump
Tokio vulnerability bump
2024-06-18 08:35:34 +08:00
Wainer Moschetta
b6a28bd932
Merge pull request #9786 from microsoft/saulparedes/add_back_insecure_registry_pull
genpolicy: add back support for insecure
2024-06-17 15:21:25 -03:00
Wainer Moschetta
68415dabcd
Merge pull request #9815 from msanft/fix/genpolicy/flag-name
genpolicy: fix settings path flag name
2024-06-17 15:13:25 -03:00
stevenhorsman
3bb1a67d80 agent-ctl: Update rustjail dependencies
- Run `cargo update -p rustjail` to pick up rustjail's bump of
tokio to 1.38.0 to fix the security vulnerability
https://rustsec.org/advisories/RUSTSEC-2024-0019

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2024-06-17 13:03:01 +01:00
stevenhorsman
d2d35d2dcc runk: Update tokio dependencies
- Bump tokio to 1.38.0 to fix the security vulnerability
https://rustsec.org/advisories/RUSTSEC-2024-0019

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2024-06-17 13:03:01 +01:00
stevenhorsman
adda401a8c genpolicy: Update tokio dependencies
- Bump tokio to 1.38.0 to fix the security vulnerability
https://rustsec.org/advisories/RUSTSEC-2024-0019

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2024-06-17 13:03:01 +01:00
Manuel Huber
62fd84dfd8 build: allow rootfs builds w/o git or VERSION file deps
We set the VERSION variable consistently across Makefiles to
'unknown'  if the file is empty or not present.
We also use git commands consistently for calculating the COMMIT,
COMMIT_NO variables, not erroring out when building outside of
a git repository.
In create_summary_file we also account for a missing/empty VERSION
file.
This makes e.g. the UVM build process in an environment where we
build outside of git with a minimal/reduced set of files smoother.

Signed-off-by: Manuel Huber <mahuber@microsoft.com>
2024-06-13 22:46:52 +00:00
Fabiano Fidêncio
56423cbbfe
Merge pull request #9706 from burgerdev/burgerdev/genpolicy-devices
genpolicy: add support for devices
2024-06-12 23:03:41 +02:00
Moritz Sanft
84903c898c
genpolicy: fix settings path flag name
This corrects the warning to point to the \`-j\` flag,
which is the correct flag for the JSON settings file.
Previously, the warning was confusing, as it pointed to
the \`-p\` flag, which specifies to the path for the Rego ruleset.

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2024-06-11 21:17:18 +02:00
Saul Paredes
3e9d6c11a1 genpolicy: add back support for insecure
registries

Adding back changes from
77540503f9.

Fixes: #9008

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2024-06-11 09:42:23 -07:00
Saul Paredes
6a84562c16 genpolicy: load OCI version from settings
Load OCI version from genpolicy-settings.json and validate it in
rules.rego

Fixes: #9593

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2024-06-10 15:30:39 -07:00
GabyCT
6c2e8bed77
Merge pull request #9725 from 3u13r/feat/genpolicy/filter-by-runtime
genpolicy: add ability to filter for runtimeClassName
2024-06-04 10:06:14 -06:00
Markus Rudy
13310587ed genpolicy: check requested devices
CreateContainerRequest objects can specify devices to be created inside
the guest VM. This change ensures that requested devices have a
corresponding entry in the PodSpec.

Devices that are added to the pod dynamically, for example via the
Device Plugin architecture, can be allowlisted globally by adding their
definition to the settings file.

Fixes: #9651
Signed-off-by: Markus Rudy <mr@edgeless.systems>
2024-05-31 22:05:49 +02:00
Markus Rudy
ea578f0a80 genpolicy: add support for VolumeDevices
This adds structs and fields required to parse PodSpecs with
VolumeDevices and PVCs with non-default VolumeModes.

Signed-off-by: Markus Rudy <mr@edgeless.systems>
2024-05-31 19:34:14 +02:00
Leonard Cohnen
1d1690e2a4 genpolicy: add ability to filter for runtimeClassName
Add the CLI flag --runtime-class-names, which is used during
policy generation. For resources that can define a
runtimeClassName (e.g., Pods, Deployments, ReplicaSets,...)
the value must have any of the --runtime-class-names as
prefix, otherwise the resource is ignored.

This allows to run genpolicy on larger yaml
files defining many different resources and only generating
a policy for resources which will be deployed in a
confidential context.

Signed-off-by: Leonard Cohnen <lc@edgeless.systems>
2024-05-31 03:17:02 +02:00
Malte Poll
babdab9078 genpolicy: detect empty string in ns as default
In Kubernetes, the following values for namespace are equivalent and all refer to the default namespace:

- ` ` (namespace field missing)
- `namespace: ""` (namespace field is the empty string)
- `namespace: "default"`(namespace field has the explicit value `default`)

Genpolicy currently does not handle the empty string case correctly.

Signed-Off-By: Malte Poll <1780588+malt3@users.noreply.github.com>
2024-05-18 12:44:59 +02:00
Fabiano Fidêncio
ddf6b367c7
Merge pull request #9568 from kata-containers/dependabot/go_modules/src/runtime/go_modules-22ef55fa20
build(deps): bump the go_modules group across 5 directories with 8 updates
2024-05-07 13:14:48 +02:00
Aurélien Bombo
0cc2b07a8c tests: adapt Mariner CI to unblock CH v39 upgrade
The CH v39 upgrade in #9575 is currently blocked because of a bug in the
Mariner host kernel. To address this, we temporarily tweak the Mariner
CI to use an Ubuntu host and the Kata guest kernel, while retaining the
Mariner initrd. This is tracked in #9594.

Importantly, this allows us to preserve CI for genpolicy. We had to
tweak the default rules.rego however, as the OCI version is now
different in the Ubuntu host. This is tracked in #9593.

This change has been tested together with CH v39 in #9588.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2024-05-03 16:29:12 +00:00
dependabot[bot]
391bc35805 build(deps): bump the go_modules group across 5 directories with 8 updates
Bumps the go_modules group with 2 updates in the /src/runtime directory: [github.com/containerd/containerd](https://github.com/containerd/containerd) and [github.com/containers/podman/v4](https://github.com/containers/podman).
Bumps the go_modules group with 4 updates in the /src/tools/csi-kata-directvolume directory: [golang.org/x/sys](https://github.com/golang/sys), google.golang.org/protobuf, [golang.org/x/net](https://github.com/golang/net) and [google.golang.org/grpc](https://github.com/grpc/grpc-go).
Bumps the go_modules group with 2 updates in the /src/tools/log-parser directory: [golang.org/x/sys](https://github.com/golang/sys) and gopkg.in/yaml.v3.
Bumps the go_modules group with 2 updates in the /tests directory: [golang.org/x/sys](https://github.com/golang/sys) and gopkg.in/yaml.v3.
Bumps the go_modules group with 2 updates in the /tools/testing/kata-webhook directory: [golang.org/x/sys](https://github.com/golang/sys) and [golang.org/x/net](https://github.com/golang/net).


Updates `github.com/containerd/containerd` from 1.7.2 to 1.7.11
- [Release notes](https://github.com/containerd/containerd/releases)
- [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md)
- [Commits](https://github.com/containerd/containerd/compare/v1.7.2...v1.7.11)

Updates `github.com/containers/podman/v4` from 4.2.0 to 4.9.4
- [Release notes](https://github.com/containers/podman/releases)
- [Changelog](https://github.com/containers/podman/blob/v4.9.4/RELEASE_NOTES.md)
- [Commits](https://github.com/containers/podman/compare/v4.2.0...v4.9.4)

Updates `google.golang.org/protobuf` from 1.29.1 to 1.33.0

Updates `github.com/cyphar/filepath-securejoin` from 0.2.3 to 0.2.4
- [Release notes](https://github.com/cyphar/filepath-securejoin/releases)
- [Commits](https://github.com/cyphar/filepath-securejoin/compare/v0.2.3...v0.2.4)

Updates `golang.org/x/sys` from 0.15.0 to 0.19.0
- [Commits](https://github.com/golang/sys/compare/v0.15.0...v0.19.0)

Updates `google.golang.org/protobuf` from 1.31.0 to 1.33.0

Updates `golang.org/x/net` from 0.19.0 to 0.23.0
- [Commits](https://github.com/golang/net/compare/v0.19.0...v0.23.0)

Updates `google.golang.org/grpc` from 1.59.0 to 1.63.2
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](https://github.com/grpc/grpc-go/compare/v1.59.0...v1.63.2)

Updates `golang.org/x/sys` from 0.0.0-20191026070338-33540a1f6037 to 0.1.0
- [Commits](https://github.com/golang/sys/compare/v0.15.0...v0.19.0)

Updates `gopkg.in/yaml.v3` from 3.0.0-20200313102051-9f266ea9e77c to 3.0.0

Updates `golang.org/x/sys` from 0.0.0-20220429233432-b5fbb4746d32 to 0.19.0
- [Commits](https://github.com/golang/sys/compare/v0.15.0...v0.19.0)

Updates `gopkg.in/yaml.v3` from 3.0.0-20210107192922-496545a6307b to 3.0.0

Updates `golang.org/x/sys` from 0.15.0 to 0.19.0
- [Commits](https://github.com/golang/sys/compare/v0.15.0...v0.19.0)

Updates `golang.org/x/net` from 0.19.0 to 0.23.0
- [Commits](https://github.com/golang/net/compare/v0.19.0...v0.23.0)

---
updated-dependencies:
- dependency-name: github.com/containerd/containerd
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: github.com/containers/podman/v4
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: github.com/cyphar/filepath-securejoin
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: golang.org/x/sys
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: google.golang.org/protobuf
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: google.golang.org/grpc
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: golang.org/x/sys
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: gopkg.in/yaml.v3
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: golang.org/x/sys
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: gopkg.in/yaml.v3
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: golang.org/x/sys
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: golang.org/x/net
  dependency-type: indirect
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-04-30 09:46:13 +01:00
Dan Mihai
b42ddaf15f
Merge pull request #9530 from microsoft/saulparedes/improve_caching
genpolicy: changing caching so the tool can run concurrently with itself
2024-04-25 13:06:23 -07:00
Archana Choudhary
4a010cf71b genpolicy: add default implementations for K8sResource trait
This commit adds default implementations for following methods of
K8sResource trait:
- generate_policy
- serialize

Fixes: #8960
Signed-off-by: Archana Choudhary <archana1@microsoft.com>
2024-04-21 12:59:02 +00:00
Archana Choudhary
6edc3b6b0a genpolicy: add default implementation for use_sandbox_pidns
This patch adds a default implementation for the use_sandbox_pidns
and updates the structs that implement the K8sResource trait to use
the default.

Fixes: #8960
Signed-off-by: Archana Choudhary <archana1@microsoft.com>
2024-04-21 12:59:02 +00:00
Archana Choudhary
d5d3f9cda7 genpolicy: add default implementation for use_host_network
- Provide default implementation for use_host_network
- Remove default implementation from structs implementing the trait K8sResource

Fixes: #8960
Signed-off-by: Archana Choudhary <archana1@microsoft.com>
2024-04-21 12:59:02 +00:00
Archana Choudhary
9a3eac5306 genpolicy: add default impl for get_containers
- Provide default impl for get_containers
- Remove default impl from structs implementing the trait K8sResource

Fixes: #8960
Signed-off-by: Archana Choudhary <archana1@microsoft.com>
2024-04-21 12:59:02 +00:00
Archana Choudhary
2db3470602 genpolicy: add default impl for get_container_mounts_and_storages
- Provide default impl for get_container_mounts_and_storages
- Remove default impl from structs implementing the trait K8sResource

Fixes: #8960
Signed-off-by: Archana Choudhary <archana1@microsoft.com>
2024-04-21 12:59:02 +00:00
Archana Choudhary
09b0b4c11d genpolicy: add default implementation for get_sandbox_name
- Provide default implementation for get_sandbox_name in K8sResource trait
- Remove default implementation from structs implementing the trait K8sResource

Fixes: #8960
Signed-off-by: Archana Choudhary <archana1@microsoft.com>
2024-04-21 12:55:32 +00:00
Archana Choudhary
43e9de8125 genpolicy: add default implementation for get_annotations
- Provide default implementation for get_annontations.
- Remove default implementation from structs implementing the trait K8sResource

Fixes: #8960
Signed-off-by: Archana Choudhary <archana1@microsoft.com>
2024-04-21 12:55:32 +00:00
Saul Paredes
2149cb6502 genpolicy: changing caching so the tool can run
concurrently with itself

Based on 3a1461b0a5186a92afedaaea33ff2bd120d1cea0

Previously the tool would use the layers_cache folder for all instances
and hence delete the cache when it was done, interfereing with other
instances. This change makes it so that each instance of the tool will
have its own temp folder to use.

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2024-04-19 15:46:30 -07:00
Markus Rudy
77540503f9 genpolicy: add support for insecure registries
genpolicy is a handy tool to use in CI systems, to prepare workloads
before applying them to the Kubernetes API server. However, many modern
build systems like Bazel or Nix restrict network access, and rightfully
so, so any registry interaction must take place on localhost.
Configuring certificates for localhost is tricky at best, and since
there are no privacy concerns for localhost traffic, genpolicy should
allow to contact some registries insecurely. As this is a runtime
environment detail, not a target environment detail, configuring
insecure registries does not belong into the JSON settings, so it's
implemented as command line flags.

Fixes: #9008

Signed-off-by: Markus Rudy <webmaster@burgerdev.de>
2024-04-11 22:29:03 +02:00
Markus Rudy
bc2292bc27 genpolicy: make pause container image configurable
CRIs don't always use a pause container, but even if they do the
concrete container choice is not specified. Even if the CRI config can
be tweaked, it's not guaranteed that registries in the public internet
can be reached. To be portable across CRI implementations and
configurations, the genpolicy user needs to be able to configure the
container the tool should append to the policy.

Signed-off-by: Markus Rudy <webmaster@burgerdev.de>
2024-04-11 16:26:35 +02:00
Markus Rudy
8b30fa103f genpolicy: parse json settings during config init
Decouple initialization of the Settings struct from creating the
AgentPolicy struct, so that the settings are available for evaluating,
extending or overriding command line arguments.

Signed-off-by: Markus Rudy <webmaster@burgerdev.de>
2024-04-11 16:17:33 +02:00
Saul Paredes
51498ba99a genpolicy: toggle containerd pull in tests
- Add v1 image test case
- Install protobuf-compiler in build check
- Reset containerd config to default in kubernetes test if we are testing genpolicy
- Update docker_credential crate
- Add test that uses default pull method
- Use GENPOLICY_PULL_METHOD in test

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2024-04-08 19:28:29 -07:00
Saul Paredes
c96ebf237c genpolicy: add containerd pull method
Add optional toggle to use existing containerd installation to pull and manage container images.
This adds support to a wider set of images that are currently not supported by standard pull method,
such as those that use v1 manifest.

Fixes: #9144

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2024-04-08 09:56:59 -07:00
Dan Mihai
6c72c29535 genpolicy: reduce policy debug prints
Kata CI has full debug output enabled for the cbl-mariner k8s tests,
and the test AKS node is relatively slow. So debug prints from policy
are expensive during CI.

Fixes: #9296

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2024-03-26 02:21:26 +00:00
Dan Mihai
b3b00e00a6
Merge pull request #9246 from microsoft/danmihai/default-env
genpolicy: default env if image doesn't have env
2024-03-14 11:01:43 -07:00
Dan Mihai
4c3d6fadc8 genpolicy: default env if image doesn't have env
Use containerd's default environment for container images that don't
specify the Env field.

Also, re-enable policy env variable verification, now that these
uncommon images are supported too.

Fixes: #9239

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2024-03-07 16:56:06 +00:00
Leonard Cohnen
e30e8ab7dc genpolicy: add restartPolicy to container struct
This adds support for sidecar container introduced in Kubernetes 1.28

Fixes: #9220

Signed-off-by: Leonard Cohnen <lc@edgeless.systems>
2024-03-07 12:00:14 +01:00
Dan Mihai
e61ef30a76 genpolicy: disable env variable verification
Disable env variable verification to unblock CI, until container
images that don't specify the Env variables will be handled correctly
(see #9239).

Also, mark the image config Env field as optional, thus allowing
policy generation for these container images.

Fixes: #9240

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2024-03-07 01:59:18 +00:00
Alex Lyn
13a20957cb
Merge pull request #9164 from Apokleos/directvol-csi-dockerfile
csi-kata-directvolume: add Dockerfile for building csi image
2024-03-01 18:12:19 +08:00
Alex Lyn
f69428a1e7 csi-kata-directvolume: add Dockerfile for building csi image
Fixes: #9163

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2024-03-01 10:41:51 +08:00
Saul Paredes
9b7bd376eb genpolicy: panic when we see a volume mount subpath
Based on https://github.com/kata-containers/runtime/issues/2812

Fixes: #9145

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2024-02-23 09:56:51 -08:00
Dan Mihai
d84f50db5b genpolicy: fix typo in policy logging
Improve logging, for easier debugging.

Fixes: #9072

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2024-02-21 18:08:07 +00:00
Dan Mihai
9a780aa98f genpolicy: improve logging from ExecProcessRequest
Additional logging from the ExecProcessRequest rules, for easier
debugging.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2024-02-08 02:21:58 +00:00
Dan Mihai
dab567bdfa genpolicy: add easy way to allow CloseStdinRequest
For example, Kata CI's k8s-copy-file.bats transfers files between the
Host and the Guest using "kubectl exec", and that results in
CloseStdinRequest being called from the Host.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2024-02-08 02:21:58 +00:00
Dan Mihai
8401adb113 genpolicy: update default values
1. Remove PullImageRequest because that is not used in the main
   branch. It was used in the CCv0 branch.

2. Add default false values for the remaining Kata Agent ttrpc
   requests.

These changes don't change the functionality of the auto generated
Policy, but they help with easier understanding the Policy text and
the logging from the Rego rules.

Fixes: #9049

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2024-02-08 02:21:58 +00:00
Dan Mihai
473efc2149 genpolicy: mount source for non-confidential guest
The emergent Kata CI tests for Policy use confidential_guest = false
in genpolicy-settings.json. That value is inconsistent with the
following mount settings:

        "emptyDir": {
            "mount_type": "local",
            "mount_source": "^$(cpath)/$(sandbox-id)/local/",
            "mount_point": "^$(cpath)/$(sandbox-id)/local/",
            "driver": "local",
            "source": "local",
            "fstype": "local",
            "options": [
                "mode=0777"
            ]
        },

We need to keep those settings for confidential_guest = true, and
change confidential_guest = false to use:

        "emptyDir": {
            "mount_type": "local",
            "mount_source": "^$(cpath)/$(sandbox-id)/rootfs/local/",
            "mount_point": "^$(cpath)/$(sandbox-id)/local/",
            "driver": "local",
            "source": "local",
            "fstype": "local",
            "options": [
                "mode=0777"
            ]
        },

The value of the mount_source field is different.

This change unblocks testing using Kata CI's pod-empty-dir.yaml:

genpolicy -u -y pod-empty-dir.yaml

kubectl apply -f pod-empty-dir.yaml

k get pod sharevol-kata
NAME            READY   STATUS    RESTARTS   AGE
sharevol-kata   1/1     Running   0          53s

Fixes: #8887

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2024-02-06 01:19:48 +00:00
Dan Mihai
6f1062b5d6
Merge pull request #8966 from microsoft/danmihai1/k8s-sandbox-vcpus-allocation
genpolicy: ignore empty YAML as input
2024-02-01 13:51:02 -08:00
Dan Mihai
8f9c92c0ee
Merge pull request #8977 from microsoft/danmihai1/default-namespace
genpolicy: support non-default namespace name
2024-02-01 13:50:33 -08:00
Xuewei Niu
2332552c8f
Merge pull request #7483 from frezcirno/passfd_io_feature
runtime-rs: improving io performance using dragonball's vsock fd passthrough
2024-02-01 14:53:53 +08:00
Dan Mihai
09ea0eed9d genpolicy: ignore empty YAML as input
Kata CI's pod-sandbox-vcpus-allocation.yaml ends with "---", so the
empty YAML document following that line should be ignored.

To test this fix:

genpolicy -u -y pod-sandbox-vcpus-allocation.yaml

Fixes: #8895

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2024-02-01 02:22:21 +00:00
Dan Mihai
befef119ff
Merge pull request #8941 from malt3/genpolicy-flags
genpolicy: allow separate paths for rules and settings files
2024-01-31 18:14:12 -08:00