alex.lyn
8c1482a221
runtime-rs: Introduce coco_data dir and initdata block
...
Implement resource storage infrastructure with initial
initdata support:
1. Create dedicated `coco_data` directory for:
- Centralized management of CoCo resources;
- Future expansion of CoCo artifacts;
2. Atomic initdata block as a foundational component in
`coco_data`; it will implement creation of compressed
initdata blocks with:
- Gzip compression with level customization (0-9)
- Sector-aligned (512B) image format with magic header
- Adaptive buffering (4KB-128KB) based on payload size
- Temp-file atomic writes with 0o600 permissions
Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
2025-06-24 10:25:57 +08:00
alex.lyn
9b21d062c9
kata-types: Implement InitData retrieval from Pod annotation
...
This commit implements the retrieval and processing of InitData provided
via a Pod annotation. Specifically, it enables runtime-rs to:
(1) Parse the "io.katacontainers.config.hypervisor.cc_init_data"
annotation from the Pod YAML.
(2) Perform reverse operations on the annotation value: base64 decoding
followed by gzip decompression.
(3) Deserialize the decompressed data into the internal InitData
structure.
(4) Serialize the resulting InitData into a string and store it in the
Configuration.
This allows users to inject configuration data into the TEE Guest by
encoding and compressing it and passing it as an annotation in the Pod
configuration. This mechanism supports scenarios where dynamic config
is required for Confidential Containers.
Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
2025-06-24 10:25:57 +08:00
alex.lyn
4ca394f4fc
kata-types: Implement Initdata Spec and Digest Calculation Logic
...
This commit introduces the Initdata Spec and the logic for
calculating its digest. It includes:
(1) Define a `ProtectedPlatform` enum to represent major TEE platform
types.
(2) Create an `InitData` struct to support building and serializing
initialization data in TOML format.
(3) Implement adaptation for SHA-256, SHA-384, and SHA-512 digest
algorithms.
(4) Provide a platform-specific mechanism for adjusting digest lengths
(zero-padding).
(5) Support the decoding and verification of base64+gzip encoded
Initdata.
The core functionality ensures the integrity of data injected by the
host through trusted algorithms, while also accommodating the
measurement requirements of different TEE platforms.
Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
2025-06-24 10:25:57 +08:00
alex.lyn
2603ee66b8
kata-types: Introduce initdata to SecurityInfo for data injection
...
This commit introduces a new `initdata` field of type String to
hypervisor `SecurityInfo`.
In accordance with the Initdata Specification, this field will
facilitate the injection of well-defined data from an untrusted host
into the TEE. To ensure the integrity of this injected data, the TEE
evidence's hostdata capability or the (v)TPM dynamic measurement
capability will be leveraged, as outlined in the specification.
Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
2025-06-24 10:25:57 +08:00
Dan Mihai
89dcc8fb27
Merge pull request #11444 from microsoft/danmihai1/k8s-policy-rc
...
tests: k8s-policy-rc: print pod descriptions
2025-06-23 16:14:56 -07:00
Dan Mihai
0a57e09259
Merge pull request #11426 from charludo/fix/genpolicy-corruption-of-layer-cache-file
...
genpolicy: prevent corruption of the layer cache file
2025-06-23 14:00:45 -07:00
Dan Mihai
8aecf14b34
Merge pull request #11405 from kata-containers/dependabot/cargo/src/agent/clap-77d1155c52
...
build(deps): bump the clap group across 6 directories with 1 update
2025-06-23 13:05:59 -07:00
Dan Mihai
62c9845623
tests: k8s-policy-rc: print pod descriptions
...
Don't use local launched_pods variable in test_rc_policy(), because
teardown() needs to use this variable to print a description of the
pods, for debugging purposes.
Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-06-23 16:23:26 +00:00
stevenhorsman
649e31340b
doc: Add scorecard badge
...
Add our scorecard badge to our readme for transparency
and to help motivate us to update our score
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-23 16:22:59 +01:00
stevenhorsman
6dd025d0ed
workflows: Add scorecard workflow
...
Add a workflow to update our scorecard score on
each change
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-23 16:09:14 +01:00
Steve Horsman
4f245df4a0
Merge pull request #11420 from kata-containers/pin-gha-actions
...
workflows: Pin action hashes
2025-06-23 15:26:03 +01:00
charludo
4e57cc0ed2
genpolicy: keep layers cache in-memory to prevent corruption
...
The locking mechanism around the layers cache file was insufficient to
prevent corruption of the file. This commit moves the layers cache's
management in-memory, only reading the cache file once at the beginning
of `genpolicy`, and only writing to it once, at the end of `genpolicy`.
In the case that obtaining a lock on the cache file fails,
reading/writing to it is skipped, and the cache is not used/persisted.
Signed-off-by: charludo <git@charlotteharludo.com>
2025-06-23 16:16:42 +02:00
RuoqingHe
8c1f6e827d
Merge pull request #11448 from RuoqingHe/remove-dup-ignore
...
ci: Remove duplicated `rust-vmm` dependencies
2025-06-23 10:34:30 +08:00
Ruoqing He
1d2d2cc3d5
ci: Remove duplicated `rust-vmm` dependencies
...
`vmm-sys-util` was duplicated while updating the `ignore` list of
`rust-vmm` crates in #11431; remove the duplicated one and sort the list.
Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-06-21 21:02:59 +00:00
stevenhorsman
9685e2aeca
trace-forwarder: Replace removed clap functions
...
When moving from clap v2 to v4 a bunch of
functions have been removed, so update the code
to handle these replacements
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-21 17:15:12 +01:00
stevenhorsman
e204847df5
agent-ctl: Replace removed clap functions
...
When moving from clap v2 to v4 a bunch of
functions have been removed, so update the code
to handle these replacements
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-21 17:15:12 +01:00
stevenhorsman
e11fc3334e
agent: Clap v4 updates
...
AppSettings was removed, so refactor
based on new documentation
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-21 17:15:12 +01:00
dependabot[bot]
0aa80313eb
build(deps): bump the clap group across 6 directories with 1 update
...
Bumps the clap group with 1 update in the /src/agent directory: [clap](https://github.com/clap-rs/clap).
Bumps the clap group with 1 update in the /src/tools/agent-ctl directory: [clap](https://github.com/clap-rs/clap).
Bumps the clap group with 1 update in the /src/tools/genpolicy directory: [clap](https://github.com/clap-rs/clap).
Bumps the clap group with 1 update in the /src/tools/kata-ctl directory: [clap](https://github.com/clap-rs/clap).
Bumps the clap group with 1 update in the /src/tools/runk directory: [clap](https://github.com/clap-rs/clap).
Bumps the clap group with 1 update in the /src/tools/trace-forwarder directory: [clap](https://github.com/clap-rs/clap).
Updates `clap` from 3.2.25 to 4.5.37
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)
Updates `clap` from 2.34.0 to 4.5.40
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)
Updates `clap` from 4.1.8 to 4.5.40
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)
Updates `clap` from 4.4.10 to 4.5.13
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)
Updates `clap` from 3.2.25 to 4.5.40
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.25...clap_complete-v4.5.37)
---
updated-dependencies:
- dependency-name: clap
dependency-version: 4.5.37
dependency-type: direct:production
update-type: version-update:semver-major
dependency-group: clap
- dependency-name: clap
dependency-version: 4.5.40
dependency-type: direct:production
update-type: version-update:semver-major
dependency-group: clap
- dependency-name: clap
dependency-version: 4.5.40
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: clap
- dependency-name: clap
dependency-version: 4.5.13
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: clap
...
Signed-off-by: dependabot[bot] <support@github.com>
2025-06-21 17:15:12 +01:00
RuoqingHe
b22135f4e5
Merge pull request #11431 from RuoqingHe/udpate-rust-vmm-ignore-list
...
ci: Update dependabot ignore list
2025-06-21 18:20:41 +08:00
Ruoqing He
6628ba3208
ci: Update dependabot ignore list
...
Update dependabot ignore list in cargo ecosystem to ignore upgrades from
rust-vmm crates, since those crates need to be managed carefully and
manually.
Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-06-21 08:18:20 +01:00
stevenhorsman
9d3b9fb438
workflows: Pin action hashes
...
Pin GitHub-owned actions to specific hashes as recommended,
as tags are mutable; see https://pin-gh-actions.kammel.dev/.
This is one of the recommendations that scorecard gives us.
Note this was generated with `frizbee actions`
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-21 08:14:13 +01:00
Steve Horsman
4bfa74c2a5
Merge pull request #11331 from stevenhorsman/helm-ghcr-login-update
...
workflow: Remove code injection in helm login
2025-06-21 08:13:40 +01:00
Steve Horsman
353b4bc853
Merge pull request #11440 from stevenhorsman/osbuilder-fedora-42-update
...
osbuilder: Update image-builder base to f42
2025-06-21 08:11:12 +01:00
Steve Horsman
cac1cb75ce
Merge pull request #11378 from kata-containers/dependabot/cargo/src/tools/agent-ctl/rustix-0.37.28
...
build(deps): bump rustix in various components
2025-06-21 08:05:21 +01:00
stevenhorsman
900d9be55e
build(deps): bump rustix in various components
...
Bumps of rustix 0.36, 0.37 and 0.38 to resolve
CVE-2024-43806
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-20 14:52:43 -05:00
stevenhorsman
d9defd5102
osbuilder: Update image-builder base to f42
...
Fedora 40 is EoL, and I've seen the registry pull fail
a few times recently, so let's bump to fedora 42 which
has 10 months of support left.
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-20 20:52:30 +01:00
stevenhorsman
0f1c326ca0
versions: Bump protobuf to 3.7.2
...
Now we are decoupled from the image-rs crate,
we can bump the protobuf version across our project
to resolve the GHSA-2gh3-rmm4-6rq5 advisory
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-20 20:52:04 +01:00
Saul Paredes
cc27966aa1
Merge pull request #11443 from microsoft/saulparedes/update_image
...
tests: update container image for ci and unit test
2025-06-20 12:50:42 -07:00
Archana Choudhary
e093919b42
tests: update container image for ci and unit test
...
This patch updates the container image for the CI test workloads:
- `k8s-layered-sc-deployment.yaml`
- `k8s-pod-sc-deployment.yaml`
- `k8s-pod-sc-nobodyupdate-deployment.yaml`
- `k8s-pod-sc-supplementalgroups-deployment.yaml`
- `k8s-policy-deployment.yaml`
Also updates unit tests:
- `test_create_container_security_context`
- `test_create_container_security_context_supplemental_groups`
This fixes tests failing due to an image pull error as the previous image is no longer available in
the container registry.
Signed-off-by: Archana Choudhary <archana1@microsoft.com>
Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2025-06-20 10:46:56 -07:00
stevenhorsman
776c89453c
workflow: Remove code injection in helm login
...
In theory `github.actor` could be used for code
injection, so swap it out.
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-20 16:27:52 +01:00
Fabiano Fidêncio
6722ea2fd9
Merge pull request #11439 from stevenhorsman/multi-arch-manifest-permissions-fix
...
release: Add more permissions
2025-06-19 12:45:37 +02:00
stevenhorsman
8da75bf55d
release: Add more permissions
...
Add package: write to the multi-arch manifest upload
to ghcr.io
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-19 11:04:29 +01:00
Fabiano Fidêncio
d0c1ce1367
Merge pull request #11438 from stevenhorsman/helm-upload-fix
...
release: Fix helm push typo
2025-06-19 12:01:04 +02:00
stevenhorsman
eaf42b3e0f
release: Fix helm push typo
...
Switch the hyphen for an underscore, so the ghcr
helm publish can work properly.
Co-authored-by: Fabiano Fidêncio <fidencio@northflank.com>
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-19 10:56:50 +01:00
Fabiano Fidêncio
f7d3ea0c55
Merge pull request #11437 from kata-containers/release-flow-permissions-fixes-iii
...
workflows: Release permissions
2025-06-19 11:23:46 +02:00
stevenhorsman
19597b8950
workflows: Release permissions
...
Add more permissions to the release workflow
in order to enable `gh release` commands to run
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-19 10:05:23 +01:00
Fabiano Fidêncio
254ada2f6a
Merge pull request #11436 from kata-containers/release-flow-permission-fix-ii
...
workflows: Add extra permissions
2025-06-19 10:45:26 +02:00
stevenhorsman
7c6c6f3c15
workflows: Add extra permissions
...
Add permissions to the ppc release
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-19 09:39:01 +01:00
Steve Horsman
00c9e61b60
Merge pull request #11435 from kata-containers/release-flow-permissions-fix(es)
...
workflows: Fix permissions
2025-06-19 09:35:23 +01:00
stevenhorsman
9adf989555
workflows: Fix permissions
...
Add extra permissions for reusable workflow calls
that need them later on
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-19 08:44:18 +01:00
Fabiano Fidêncio
e82de65d5d
Merge pull request #11425 from stevenhorsman/release-3.18.0-bump
...
release: Bump version to 3.18.0
2025-06-18 21:39:51 +02:00
stevenhorsman
6fc622ef0f
release: Bump version to 3.18.0
...
Bump VERSION and helm-chart versions
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-18 19:09:42 +01:00
Steve Horsman
060faa3d1a
Merge pull request #11433 from kata-containers/cri-containerd-test-fast-fail-false
...
workflows: Add fail-fast: false to cri-containerd tests
2025-06-18 19:08:59 +01:00
Steve Horsman
e0084a958c
Merge pull request #11432 from stevenhorsman/golang-1.23.10
...
versions: Bump golang to 1.23.10
2025-06-18 17:25:07 +01:00
Steve Horsman
4e3238b9dc
Merge pull request #11337 from zvonkok/fix-module-signing
...
gpu: Fix module signing
2025-06-18 17:23:51 +01:00
Steve Horsman
547b6c5781
Merge pull request #11429 from stevenhorsman/cri-containerd-required-test-rename
...
Cri containerd required test rename
2025-06-18 15:45:14 +01:00
Zvonko Kaiser
e2f18057a4
kernel: Add config option for signing
...
Only sign the kernel if the user has provided the KBUILD_SIGN_PIN,
otherwise ignore.
While here, let's move the functionality to the common fragments as it's
not a GPU specific functionality.
Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-06-18 15:32:26 +02:00
stevenhorsman
73d7b4f258
workflows: Add fail-fast: false to cri-containerd tests
...
At the moment if any of the tests in the matrix fails
then the rest of the jobs are cancelled, so we have to
re-run everything. Add `fail-fast: false` to stop this
behaviour.
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-18 14:20:16 +01:00
stevenhorsman
aedbaa1545
versions: Bump golang to 1.23.10
...
Bump golang to fix CVEs GO-2025-3751
and GO-2025-3563
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-18 11:11:32 +01:00
stevenhorsman
b20f89b775
ci: required-tests: Remove test skip
...
Remove the rule that causes gatekeeper to skip tests
if we've only updated the required-tests.yaml list.
Although an update to just the required-tests.yaml
doesn't change the outcome of any of the CI tests, it
does change whether gatekeeper will still pass with the new
rules. Although it's a bit of a hit to run the CI, it's probably
worth it to keep gatekeeper validated.
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-18 10:52:03 +01:00