# Agent Policy generation tool The Kata Containers Policy generation tool (`genpolicy`): 1. Reads user's Kubernetes (`K8s`) `YAML` file. 1. Infers user's intentions based on the contents of that file. 1. Generates a Kata Containers Agent (`kata-agent`) Policy file corresponding to the input `YAML`, using the [Open Policy Agent format](https://www.openpolicyagent.org/docs/latest/policy-language/). 1. Encodes the auto-generated Policy text in base64 format and appends the encoded string as an annotation to user's `YAML` file. When the user deploys that `YAML` file through `K8s`, the Kata Agent uses the Policy specified by the `YAML` annotation to reject possible Agent API calls that are not consistent with the policy. For additional information, see [How to use the Kata Agent Policy](../../../docs/how-to/how-to-use-the-kata-agent-policy.md). The Policy auto-generated by `genpolicy` is typically used for implementing confidential containers, where the Kata Shim and the Kata Agent have different trust properties. **Warning** Users should review carefully the automatically-generated Policy, and modify the Policy file if needed to match better their use case, before using this Policy. # Building `genpolicy` from source code Build in docker container: ```sh $ git clone https://github.com/kata-containers/kata-containers.git $ cd kata-containers $ tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh --build=genpolicy ``` # Executing `genpolicy` Example: ```sh $ genpolicy -y test.yaml ``` For a usage statement, run: ```sh $ genpolicy --help ``` For advanced command line parameters, see [`genpolicy` advanced command line parameters](genpolicy-advanced-command-line-parameters.md). # Supported Kubernetes `YAML` file types `genpolicy` has support for automatic Policy generation based on Kubernetes `DaemonSet`, `Deployment`, `Job`, `Pod`, `ReplicaSet`, `ReplicationController`, and `StatefulSet` input `YAML` files. # Settings directory and drop-ins You can pass a **directory** to `-j` instead of a single file. In that case `genpolicy` loads `genpolicy-settings.json` from that directory and applies all `genpolicy-settings.d/*.json` files (sorted by name) in order. Each drop-in must be an [RFC 6902 JSON Patch](https://datatracker.ietf.org/doc/html/rfc6902): a JSON array of operations (`add`, `remove`, `replace`, `move`, `copy`, `test`). This gives precise control (e.g. array indices) and optional `test` for assertions. - **`genpolicy-settings.d/`** — empty by default; add your drop-in JSON Patch files here. - **`drop-in-examples/`** — example scenario drop-ins (`10-*.json` platform base, `20-*.json` overlays), each a JSON Patch array. Copy the ones you need into your own `genpolicy-settings.d/`. See the [drop-in examples documentation](drop-in-examples/README.md). These examples are tested in Kata Containers CI. # Policy details See [auto-generated Policy details](genpolicy-auto-generated-policy-details.md).