mirror of
https://github.com/kata-containers/kata-containers.git
synced 2025-06-23 22:17:19 +00:00
c2a55552b2
1. Use the new value of AllowRequestsFailingPolicy after setting up a
new Policy. Before this change, the only way to enable
AllowRequestsFailingPolicy was to change the default Policy file,
built into the Guest rootfs image.
2. Ignore errors returned by regorus while evaluating Policy rules, if
AllowRequestsFailingPolicy was enabled. For example, trying to
evaluate the UpdateInterfaceRequest rules using a policy that didn't
define any UpdateInterfaceRequest rules results in a "not found"
error from regorus. Allow AllowRequestsFailingPolicy := true to
bypass that error.
3. Add simple CI test for AllowRequestsFailingPolicy.
These changes are restoring functionality that was broken recently by
commmit df23eb09a6.
Signed-off-by: Dan Mihai <dmihai@microsoft.com>
70 lines
2.2 KiB
Bash
70 lines
2.2 KiB
Bash
#!/usr/bin/env bats
|
|
#
|
|
# Copyright (c) 2023 Microsoft.
|
|
#
|
|
# SPDX-License-Identifier: Apache-2.0
|
|
#
|
|
|
|
load "${BATS_TEST_DIRNAME}/../../common.bash"
|
|
load "${BATS_TEST_DIRNAME}/tests_common.sh"
|
|
|
|
setup() {
|
|
hard_coded_policy_tests_enabled || skip "Policy tests are disabled."
|
|
|
|
get_pod_config_dir
|
|
pod_name="hard-coded-policy-pod"
|
|
pod_yaml="${pod_config_dir}/k8s-policy-hard-coded.yaml"
|
|
}
|
|
|
|
@test "Kubectl exec rejected by policy" {
|
|
# Add to the YAML file a policy that rejects ExecProcessRequest.
|
|
allow_all_except_exec_policy=$(base64 -w 0 "${pod_config_dir}/allow-all-except-exec-process.rego")
|
|
yq -i \
|
|
".metadata.annotations.\"io.katacontainers.config.agent.policy\" = \"${allow_all_except_exec_policy}\"" \
|
|
"${pod_yaml}"
|
|
|
|
# Create the pod
|
|
kubectl create -f "${pod_yaml}"
|
|
|
|
# Wait for pod to start
|
|
echo "timeout=${timeout}"
|
|
kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name"
|
|
|
|
# Try executing a command in the Pod - an action rejected by the agent policy.
|
|
exec_output=$(kubectl exec "$pod_name" -- date 2>&1) || true
|
|
echo "$exec_output"
|
|
|
|
echo "$exec_output" | grep "ExecProcessRequest is blocked by policy"
|
|
}
|
|
|
|
@test "AllowRequestsFailingPolicy := true" {
|
|
# Add to the YAML file a policy using just AllowRequestsFailingPolicy := true. Evaluating the rules
|
|
# for any Kata Agent request will return false, but AllowRequestsFailingPolicy := true will allow
|
|
# those request to be executed.
|
|
#
|
|
# Warning: this is an insecure policy that shouldn't be used when protecting the confidentiality
|
|
# of a pod is important. However, this policy could be useful while debugging a pod.
|
|
policy_text=$(printf "package agent_policy\ndefault AllowRequestsFailingPolicy := true")
|
|
policy_base64=$(echo "${policy_text}" | base64 -w 0 -)
|
|
|
|
yq -i \
|
|
".metadata.annotations.\"io.katacontainers.config.agent.policy\" = \"${policy_base64}\"" \
|
|
"${pod_yaml}"
|
|
|
|
# Create the pod
|
|
kubectl create -f "${pod_yaml}"
|
|
|
|
# Wait for pod to start
|
|
echo "timeout=${timeout}"
|
|
kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name"
|
|
}
|
|
|
|
teardown() {
|
|
hard_coded_policy_tests_enabled || skip "Policy tests are disabled."
|
|
|
|
# Debugging information
|
|
kubectl describe "pod/$pod_name"
|
|
|
|
kubectl delete pod "$pod_name"
|
|
}
|