Steve Horsman
09efcfbd86
Merge pull request #11606 from kata-containers/dependabot/cargo/src/tools/genpolicy/zerocopy-0.6.6
...
build(deps): bump zerocopy from 0.6.1 to 0.6.6 in /src/tools/genpolicy
2025-07-21 18:58:56 +01:00
dependabot[bot]
a9c8377073
build(deps): bump zerocopy from 0.6.1 to 0.6.6 in /src/tools/genpolicy
...
---
updated-dependencies:
- dependency-name: zerocopy
  dependency-version: 0.6.6
  dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
2025-07-21 12:50:38 +00:00
dependabot[bot]
0b4c434ece
build(deps): bump unsafe-libyaml in /src/tools/kata-ctl
...
Bumps [unsafe-libyaml](https://github.com/dtolnay/unsafe-libyaml) from 0.2.9 to 0.2.11.
- [Release notes](https://github.com/dtolnay/unsafe-libyaml/releases)
- [Commits](https://github.com/dtolnay/unsafe-libyaml/compare/0.2.9...0.2.11)
---
updated-dependencies:
- dependency-name: unsafe-libyaml
  dependency-version: 0.2.11
  dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
2025-07-21 12:46:27 +00:00
stevenhorsman
162ba19b85
agent-ctl: Bump rustls
...
Bump rustls to >=0.23.18 to remediate RUSTSEC-2024-0399
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-21 10:41:59 +01:00
stevenhorsman
1795361589
runk: Update rustjail
...
Update the rustjail crate to pull in the latest security fixes
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-21 10:31:18 +01:00
Tim Zhang
2fe9df16cc
agent-ctl: update Cargo.lock to fix CVE-2025-53605
...
Fixes: https://github.com/kata-containers/kata-containers/security/dependabot/392
Fixes: #11570
Signed-off-by: Tim Zhang <tim@hyper.sh>
Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-07-18 16:13:25 +02:00
Tim Zhang
45b44742de
genpolicy: update Cargo.lock to fix CVE-2025-53605
...
Fixes: https://github.com/kata-containers/kata-containers/security/dependabot/394
Fixes: #11570
Signed-off-by: Tim Zhang <tim@hyper.sh>
Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-07-18 16:10:52 +02:00
Tim Zhang
fa9ff1b299
kata-ctl: update prometheus/protobuf to fix CVE-2025-53605
...
Fixes: https://github.com/kata-containers/kata-containers/security/dependabot/395
Fixes: #11570
Signed-off-by: Tim Zhang <tim@hyper.sh>
Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-07-18 16:05:13 +02:00
Fabiano Fidêncio
eb2bfbf7ac
Merge pull request #11572 from stevenhorsman/RUSTSEC-2024-0384-remediate
...
More crate bumps for security remediations
2025-07-17 22:35:05 +02:00
stevenhorsman
41a608e5ce
tools: Bump borsh, liboci-cli and oci-spec
...
Bump these crates to remove the unmaintained dependency
proc-macro-error and remediate RUSTSEC-2024-0370
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-17 18:23:19 +01:00
stevenhorsman
e56f493191
deps: Bump zbus, serial_test & async-std
...
Bump these crates across various components to remove the
dependency on unmaintained instant crate and remediate
RUSTSEC-2024-0384
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-17 18:23:19 +01:00
stevenhorsman
bb820714cb
agent-ctl: Update borsh
...
- Update borsh to remove the unmaintained dependency
proc-macro-error and remediate RUSTSEC-2024-0370
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-17 18:23:19 +01:00
stevenhorsman
4c776167e5
trace-forwarder: Add nix features
...
Some of the nix apis we are using are now enabled by features,
so add these to resolve the compilation issues
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-17 15:09:21 +01:00
dependabot[bot]
cd79108c77
build(deps): bump nix in /src/tools/trace-forwarder
...
Bumps [nix](https://github.com/nix-rust/nix) from 0.23.1 to 0.30.1.
- [Changelog](https://github.com/nix-rust/nix/blob/master/CHANGELOG.md)
- [Commits](https://github.com/nix-rust/nix/compare/v0.23.1...v0.30.1)
---
updated-dependencies:
- dependency-name: nix
  dependency-version: 0.30.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2025-07-17 15:09:06 +01:00
Tim Zhang
c8183a2c14
runk: rename imported crate from users to uzers
...
To adapt to the new crate name and fix build errors
introduced in the commit 39f51b4c6d
Fixes: #11574
Signed-off-by: Tim Zhang <tim@hyper.sh>
2025-07-16 11:35:39 +08:00
stevenhorsman
661d88b11f
versions: Bump oci-spec
...
Try bumping oci-spec to 0.8.1 as it included fixes for vulnerabilities
including RUSTSEC-2024-0370
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-14 16:54:30 +01:00
Fabiano Fidêncio
579d373623
Merge pull request #11521 from stevenhorsman/idna-1.0.4-bump
...
versions: Bump idna crate to >= 1.0.3
2025-07-14 17:39:30 +02:00
stevenhorsman
c740896b1c
trace-forwarder: Bump chrono crate version
...
Bump chrono version to drop time@0.1.43 and remediate
vulnerability CVE-2020-26235
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-10 14:55:20 +01:00
stevenhorsman
f96b8fb690
kata-ctl: Update expected test failure message
...
Update expected error after url crate bump
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-09 11:34:27 +01:00
stevenhorsman
b7bf46fdfa
versions: Bump idna crate to >= 1.0.4
...
Bump url, reqwest and idna crates in order to move away from
idna <1.0.3 and remediate CVE-2024-12224.
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-09 11:34:27 +01:00
stevenhorsman
7845129bdc
versions: Bump slog-term to 2.9.1
...
slog-term 2.9.0 included atty, which is unmaintained
and has a security advisory GHSA-g98v-hv3f-hcfr,
so bump the version across our components to remove
this dependency.
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-04 09:43:34 +08:00
Archana Choudhary
6932beb01f
policy: fix parse errors in rules.rego
...
This patch fixes the rules.rego file to ensure that the
policy is correctly parsed and applied by opa.
Signed-off-by: Archana Choudhary <archana1@microsoft.com>
2025-07-01 12:43:41 +00:00
Archana Choudhary
abbe1be69f
tests: enable confidential_guest setting for coco
...
This commit updates the `tests_common.sh` script
to enable the `confidential_guest`
setting for the coco tests in the Kubernetes
integration tests.
Signed-off-by: Archana Choudhary <archana1@microsoft.com>
2025-07-01 10:35:20 +00:00
Archana Choudhary
9dd365fdb5
genpolicy: fix mount source check in rules.rego
...
This commit fixes the mount source check in rules.rego.
Signed-off-by: Archana Choudhary <archana1@microsoft.com>
2025-07-01 10:35:20 +00:00
Archana Choudhary
1cbea890f1
genpolicy: tests: update testcases for execprocess
...
This patch removes storages from the testcases.json file for execprocess.
This is because input storage objects are invalid for two reasons:
1. "io.katacontainers.fs-opt.layer=" is missing option in annotations.
2. by default, we don't have host-tarfs-dm-verity enabled, so the storage
objects are not created in policy.
Signed-off-by: Archana Choudhary <archana1@microsoft.com>
---
2025-07-01 10:35:20 +00:00
Archana Choudhary
6adec0737c
genpolicy: add rules for image_guest_pull storage
...
This patch introduces some basic checks for the
`image_guest_pull` storage type in the genpolicy tool.
Signed-off-by: Archana Choudhary <archana1@microsoft.com>
2025-07-01 10:35:20 +00:00
Archana Choudhary
bd2dc1422e
genpolicy: add test for container images having volumes
...
This patch adds a test case to genpolicy for container images that have volumes.
Examples of such container images include:
- quay.io/opstree/redis
- https://github.com/kubernetes/examples/blob/master/cassandra/image/Dockerfile
Signed-off-by: Archana Choudhary <archana1@microsoft.com>
2025-07-01 10:35:20 +00:00
Archana Choudhary
d7f998fbd5
genpolicy: tests: update test for emptydir volumes
...
This patch
- updates testcases.json for emptydir volumes/storages
Signed-off-by: Archana Choudhary <archana1@microsoft.com>
2025-07-01 10:35:20 +00:00
Archana Choudhary
68c8c31718
genpolicy: tests: add test for config_map volumes
...
This patch adds test for config_map volumes.
Signed-off-by: Archana Choudhary <archana1@microsoft.com>
2025-07-01 10:35:20 +00:00
Archana Choudhary
9ebbc08d70
genpolicy: enable storage checks
...
This patch
- adds condition to add container image layers as storages
- enable storage checks
- fix CI policy test cases
- update genpolicy-settings.json to enable storage checks
- remove storage object addition in container image parsing
Signed-off-by: Archana Choudhary <archana1@microsoft.com>
2025-07-01 10:35:20 +00:00
Archana Choudhary
5b1459e623
genpolicy: test framework: enable config map usage
...
This patch improves the test framework for the
genpolicy tool by enabling the use of config maps.
Signed-off-by: Archana Choudhary <archana1@microsoft.com>
2025-07-01 10:35:20 +00:00
stevenhorsman
290fda9b97
agent-ctl: Bump image-rs version
...
I noticed that agent-ctl is including a 9 month old version of
image-rs and the libs crates haven't been updated for potentially
many years, so bump all of these.
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-25 16:30:58 +01:00
Fabiano Fidêncio
69c706b570
Merge pull request #11441 from stevenhorsman/protobuf-3.7.2-bump
...
versions: Bump protobuf to 3.7.2
2025-06-25 13:47:28 +02:00
Dan Mihai
0a57e09259
Merge pull request #11426 from charludo/fix/genpolicy-corruption-of-layer-cache-file
...
genpolicy: prevent corruption of the layer cache file
2025-06-23 14:00:45 -07:00
charludo
4e57cc0ed2
genpolicy: keep layers cache in-memory to prevent corruption
...
The locking mechanism around the layers cache file was insufficient to
prevent corruption of the file. This commit moves the layers cache's
management in-memory, only reading the cache file once at the beginning
of `genpolicy`, and only writing to it once, at the end of `genpolicy`.
In the case that obtaining a lock on the cache file fails,
reading/writing to it is skipped, and the cache is not used/persisted.
Signed-off-by: charludo <git@charlotteharludo.com>
2025-06-23 16:16:42 +02:00
stevenhorsman
9685e2aeca
trace-forwarder: Replace removed clap functions
...
When moving from clap v2 to v4 a bunch of
functions have been removed, so update the code
to handle these replacements
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-21 17:15:12 +01:00
stevenhorsman
e204847df5
agent-ctl: Replace removed clap functions
...
When moving from clap v2 to v4 a bunch of
functions have been removed, so update the code
to handle these replacements
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-21 17:15:12 +01:00
dependabot[bot]
0aa80313eb
build(deps): bump the clap group across 6 directories with 1 update
...
Bumps the clap group with 1 update in the /src/agent directory: [clap](https://github.com/clap-rs/clap).
Bumps the clap group with 1 update in the /src/tools/agent-ctl directory: [clap](https://github.com/clap-rs/clap).
Bumps the clap group with 1 update in the /src/tools/genpolicy directory: [clap](https://github.com/clap-rs/clap).
Bumps the clap group with 1 update in the /src/tools/kata-ctl directory: [clap](https://github.com/clap-rs/clap).
Bumps the clap group with 1 update in the /src/tools/runk directory: [clap](https://github.com/clap-rs/clap).
Bumps the clap group with 1 update in the /src/tools/trace-forwarder directory: [clap](https://github.com/clap-rs/clap).
Updates `clap` from 3.2.25 to 4.5.37
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)
Updates `clap` from 2.34.0 to 4.5.40
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)
Updates `clap` from 4.1.8 to 4.5.40
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)
Updates `clap` from 4.4.10 to 4.5.13
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)
Updates `clap` from 3.2.25 to 4.5.40
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)
---
updated-dependencies:
- dependency-name: clap
  dependency-version: 4.5.37
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.40
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.40
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: clap
- dependency-name: clap
  dependency-version: 4.5.13
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: clap
...
Signed-off-by: dependabot[bot] <support@github.com>
2025-06-21 17:15:12 +01:00
stevenhorsman
900d9be55e
build(deps): bump rustix in various components
...
Bumps of rustix 0.36, 0.37 and 0.38 to resolve
CVE-2024-43806
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-20 14:52:43 -05:00
stevenhorsman
0f1c326ca0
versions: Bump protobuf to 3.7.2
...
Now we are decoupled from the image-rs crate,
we can bump the protobuf version across our project
to resolve the GHSA-2gh3-rmm4-6rq5 advisory
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-20 20:52:04 +01:00
Archana Choudhary
e093919b42
tests: update container image for ci and unit test
...
This patch updates the container image for the CI test workloads:
- `k8s-layered-sc-deployment.yaml`
- `k8s-pod-sc-deployment.yaml`
- `k8s-pod-sc-nobodyupdate-deployment.yaml`
- `k8s-pod-sc-supplementalgroups-deployment.yaml`
- `k8s-policy-deployment.yaml`
Also updates unit tests:
- `test_create_container_security_context`
- `test_create_container_security_context_supplemental_groups`
This fixes tests failing due to an image pull error as the previous image is no longer available in
the container registry.
Signed-off-by: Archana Choudhary <archana1@microsoft.com>
Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2025-06-20 10:46:56 -07:00
Dan Mihai
0f8e453518
Merge pull request #11412 from katexochen/rego-v1
...
genpolicy: fix rules syntax issues, rego v1 compatibility; ci: checks for rego parsing
2025-06-13 07:30:34 -07:00
dependabot[bot]
1e6962e4a8
build(deps): bump the tracing group across 7 directories with 1 update
...
Bumps the tracing group with 1 update in the /src/dragonball directory: [tracing](https://github.com/tokio-rs/tracing).
Bumps the tracing group with 1 update in the /src/libs directory: [tracing](https://github.com/tokio-rs/tracing).
Bumps the tracing group with 1 update in the /src/tools/agent-ctl directory: [tracing](https://github.com/tokio-rs/tracing).
Bumps the tracing group with 1 update in the /src/tools/genpolicy directory: [tracing](https://github.com/tokio-rs/tracing).
Bumps the tracing group with 1 update in the /src/tools/kata-ctl directory: [tracing](https://github.com/tokio-rs/tracing).
Bumps the tracing group with 1 update in the /src/tools/runk directory: [tracing](https://github.com/tokio-rs/tracing).
Bumps the tracing group with 1 update in the /src/tools/trace-forwarder directory: [tracing](https://github.com/tokio-rs/tracing).
Updates `tracing` from 0.1.37 to 0.1.41
- [Release notes](https://github.com/tokio-rs/tracing/releases)
- [Commits](https://github.com/tokio-rs/tracing/compare/tracing-0.1.37...tracing-0.1.41)
Updates `tracing` from 0.1.34 to 0.1.41
- [Release notes](https://github.com/tokio-rs/tracing/releases)
- [Commits](https://github.com/tokio-rs/tracing/compare/tracing-0.1.37...tracing-0.1.41)
Updates `tracing` from 0.1.40 to 0.1.41
- [Release notes](https://github.com/tokio-rs/tracing/releases)
- [Commits](https://github.com/tokio-rs/tracing/compare/tracing-0.1.37...tracing-0.1.41)
Updates `tracing` from 0.1.29 to 0.1.41
- [Release notes](https://github.com/tokio-rs/tracing/releases)
- [Commits](https://github.com/tokio-rs/tracing/compare/tracing-0.1.37...tracing-0.1.41)
---
updated-dependencies:
- dependency-name: tracing
  dependency-version: 0.1.41
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: tracing
- dependency-name: tracing
  dependency-version: 0.1.41
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: tracing
...
Signed-off-by: dependabot[bot] <support@github.com>
2025-06-12 15:45:35 +00:00
Steve Horsman
843655c352
Merge pull request #11411 from stevenhorsman/runk-users-crate-switch
...
runk: Switch users crate
2025-06-12 10:35:31 +01:00
Paul Meyer
5baea34fff
genpolicy/rules: rego v1 compatibility
...
Migrate policy to rego v1.
See https://www.openpolicyagent.org/docs/v0-upgrade#changes-to-rego-in-opa-v10
Signed-off-by: Paul Meyer <katexochen0@gmail.com>
2025-06-12 10:46:43 +02:00
Ruoqing He
5011253818
agent-ctl: Bump ttrpc-codegen related dependencies
...
Bump `ttrpc-codegen` related dependencies in response to `ttrpc-codegen`
bump in `libs/protocol`.
Relates: #11376
Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-06-11 13:50:10 +00:00
Ruoqing He
44142b13d3
genpolicy: Fix clippy unstable_name_collisions
...
Manually fix `unstable_name_collisions` clippy warning reported by rust
1.85.1.
```console
error: a method with this name may be added to the standard library in the future
--> src/registry.rs:646:10
|
646 | file.unlock()?;
| ^^^^^^
|
= warning: once this associated item is added to the standard library, the ambiguity may cause an error or change in behavior!
= note: for more information, see issue #48919 <https://github.com/rust-lang/rust/issues/48919>
= help: call with fully qualified syntax `fs2::FileExt::unlock(...)` to keep using the current method
= note: `-D unstable-name-collisions` implied by `-D warnings`
= help: to override `-D warnings` add `#[allow(unstable_name_collisions)]`
```
Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-06-11 13:50:10 +00:00
Ruoqing He
366d293141
genpolicy: Fix clippy manual_unwrap_or_default
...
Manually fix `manual_unwrap_or_default` clippy warning reported by rust
1.85.1.
```console
error: if let can be simplified with `.unwrap_or_default()`
--> src/registry.rs:619:37
|
619 | let mut data: Vec<ImageLayer> = if let Ok(vec) = serde_json::from_reader(read_file) {
| _____________________________________^
620 | | vec
621 | | } else {
... |
624 | | };
| |_____^ help: replace it with: `serde_json::from_reader(read_file).unwrap_or_default()`
|
= help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#manual_unwrap_or_default
= note: `-D clippy::manual-unwrap-or-default` implied by `-D warnings`
= help: to override `-D warnings` add `#[allow(clippy::manual_unwrap_or_default)]`
```
Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-06-11 13:50:10 +00:00
Ruoqing He
a71a77bfa3
genpolicy: Fix clippy manual_div_ceil
...
Manually fix `manual_div_ceil` clippy warning reported by rust 1.85.1.
```console
error: manually reimplementing `div_ceil`
--> src/verity.rs:73:25
|
73 | let count = (data_size + entry_size - 1) / entry_size;
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ help: consider using `.div_ceil()`: `data_size.div_ceil(entry_size)`
|
= help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#manual_div_ceil
= note: `-D clippy::manual-div-ceil` implied by `-D warnings`
= help: to override `-D warnings` add `#[allow(clippy::manual_div_ceil)]`
```
Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-06-11 13:50:10 +00:00
Ruoqing He
5d491bd4f4
genpolicy: Bump ttrpc-codegen related dependencies
...
Bump `ttrpc-codegen` related dependencies in response to `ttrpc-codegen`
bump in `libs/protocol`.
Relates: #11376
Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-06-11 13:50:10 +00:00