Files
kata-containers/src/tools/genpolicy/README.md
Fabiano Fidêncio d40afe592c genpolicy: add settings drop-in directory and RFC 6902 JSON Patch support
Allow genpolicy -j to accept a directory instead of a single file.
When given a directory, genpolicy loads genpolicy-settings.json from it
and applies all genpolicy-settings.d/*.json files (sorted by name) as
RFC 6902 JSON Patches. This gives precise control over settings with
explicit operations (add, remove, replace, move, copy, test), including
array index manipulation and assertions.

Ship composable drop-in examples in drop-in-examples/:
- 10-* files set platform base settings (non-CoCo, AKS, CBL-Mariner)
- 20-* files overlay specific adjustments (OCI version, guest pull)
Users copy the combination they need into genpolicy-settings.d/.

Replace the old adapt_common_policy_settings_* jq-patching functions
in tests_common.sh with install_genpolicy_drop_ins(), which copies the
right combination of 10-* and 20-* drop-ins for the CI scenario.
Tests still generate 99-test-overrides.json on the fly for per-test
request/exec overrides.

Packaging installs 10-* and 20-* drop-ins from drop-in-examples/ into
the tarball; the default genpolicy-settings.d/ is left empty.

Made-with: Cursor
Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-03-04 20:13:21 +01:00

2.9 KiB

Agent Policy generation tool

The Kata Containers Policy generation tool (genpolicy):

  1. Reads user's Kubernetes (K8s) YAML file.

  2. Infers user's intentions based on the contents of that file.

  3. Generates a Kata Containers Agent (kata-agent) Policy file corresponding to the input YAML, using the Open Policy Agent format.

  4. Encodes the auto-generated Policy text in base64 format and appends the encoded string as an annotation to user's YAML file.

When the user deploys that YAML file through K8s, the Kata Agent uses the Policy specified by the YAML annotation to reject possible Agent API calls that are not consistent with the policy. For additional information, see How to use the Kata Agent Policy.

The Policy auto-generated by genpolicy is typically used for implementing confidential containers, where the Kata Shim and the Kata Agent have different trust properties.

Warning Users should review carefully the automatically-generated Policy, and modify the Policy file if needed to match better their use case, before using this Policy.

Building genpolicy from source code

Build in docker container:

$ git clone https://github.com/kata-containers/kata-containers.git
$ cd kata-containers
$ tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh --build=genpolicy

Executing genpolicy

Example:

$ genpolicy -y test.yaml

For a usage statement, run:

$ genpolicy --help

For advanced command line parameters, see genpolicy advanced command line parameters.

Supported Kubernetes YAML file types

genpolicy has support for automatic Policy generation based on Kubernetes DaemonSet, Deployment, Job, Pod, ReplicaSet, ReplicationController, and StatefulSet input YAML files.

Settings directory and drop-ins

You can pass a directory to -j instead of a single file. In that case genpolicy loads genpolicy-settings.json from that directory and applies all genpolicy-settings.d/*.json files (sorted by name) in order. Each drop-in must be an RFC 6902 JSON Patch: a JSON array of operations (add, remove, replace, move, copy, test). This gives precise control (e.g. array indices) and optional test for assertions.

  • genpolicy-settings.d/ — empty by default; add your drop-in JSON Patch files here.
  • drop-in-examples/ — example scenario drop-ins (10-*.json platform base, 20-*.json overlays), each a JSON Patch array. Copy the ones you need into your own genpolicy-settings.d/. See the drop-in examples documentation. These examples are tested in Kata Containers CI.

Policy details

See auto-generated Policy details.