Add basic genpolicy support for container environment variables sourced from metadata.labels.

In this implementation, the relevant labels must be available as input to the policy tool. This is slightly different from the way variables sourced from metadata.annotations are treated by the tool: when the relevant annotation is not available as input, the generated Policy allows any value. Depending on metadata.labels use cases that we might encounter, maybe the labels will be handled the same way as the annotations in the future.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
Agent Policy generation tool
The Kata Containers Policy generation tool (genpolicy):
- Reads the user's Kubernetes (K8s) YAML file.
- Infers the user's intentions based on the contents of that file.
- Generates a Kata Containers Agent (kata-agent) Policy file corresponding to the input YAML, using the Open Policy Agent format.
- Encodes the auto-generated Policy text in base64 format and appends the encoded string as an annotation to the user's YAML file.
When the user deploys that YAML file through K8s, the Kata Agent uses the Policy specified by the YAML annotation to reject possible Agent API calls that are not consistent with the policy. For additional information, see How to use the Kata Agent Policy.
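The annotation round trip described above, as an added example that is not part of the genpolicy tool or its documentation. It attaches a base64-encoded Policy to a pod manifest (held as a Python dict; the K8s YAML would be loaded into the same shape) and decodes it back with strict base64 validation so a corrupted or hand-edited annotation is rejected rather than silently truncated. The annotation key is the one the Kata Agent is documented to read the Policy from; it is not stated on this page, so treat it as an assumption. The Policy text itself is a constructed sample, not genpolicy output.

```python
import base64
import binascii
import copy

# Assumed annotation key read by the Kata Agent (not stated on this page).
POLICY_ANNOTATION = "io.katacontainers.config.agent.policy"

# Constructed sample Policy text, not real genpolicy output.
SAMPLE_POLICY = "package agent_policy\n\ndefault CreateContainerRequest := false\n"

# Constructed minimal pod manifest, as it would look after loading the YAML.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "test"},
    "spec": {"containers": [{"name": "app", "image": "example/app:1.0"}]},
}


def attach_policy(pod, policy_text):
    """Return a copy of the manifest with the Policy stored as a base64 annotation."""
    pod = copy.deepcopy(pod)
    annotations = pod.setdefault("metadata", {}).setdefault("annotations", {})
    encoded = base64.b64encode(policy_text.encode("utf-8")).decode("ascii")
    annotations[POLICY_ANNOTATION] = encoded
    return pod


def extract_policy(pod):
    """Decode the Policy annotation.

    Returns None when the manifest carries no Policy annotation, and raises
    ValueError when the annotation is present but is not valid base64 text.
    validate=True makes b64decode reject stray characters instead of ignoring them.
    """
    encoded = pod.get("metadata", {}).get("annotations", {}).get(POLICY_ANNOTATION)
    if encoded is None:
        return None
    try:
        return base64.b64decode(encoded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("Policy annotation is not valid base64-encoded text") from exc


def is_tampered(pod):
    """True if the manifest has a Policy annotation that does not decode cleanly."""
    try:
        return extract_policy(pod) is None
    except ValueError:
        return True


if __name__ == "__main__":
    annotated = attach_policy(SAMPLE_POD, SAMPLE_POLICY)
    print(annotated["metadata"]["annotations"][POLICY_ANNOTATION])
    print(extract_policy(annotated))
```

The original manifest is left untouched (the helpers work on copies), so the same input can be annotated with different Policies when comparing the generated one against a reviewed, hand-modified version.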
The Policy auto-generated by genpolicy is typically used for implementing confidential containers, where the Kata Shim and the Kata Agent have different trust properties.
Warning: Users should carefully review the automatically-generated Policy and, if needed, modify the Policy file to better match their use case before using it.
Building genpolicy from source code
Build in a docker container:
$ git clone https://github.com/kata-containers/kata-containers.git
$ cd kata-containers
$ tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh --build=genpolicy
Executing genpolicy
Example:
$ genpolicy -y test.yaml
For a usage statement, run:
$ genpolicy --help
For advanced command line parameters, see genpolicy advanced command line parameters.
Supported Kubernetes YAML file types
genpolicy has support for automatic Policy generation based on Kubernetes DaemonSet, Deployment, Job, Pod, ReplicaSet, ReplicationController, and StatefulSet input YAML files.
Settings directory and drop-ins
You can pass a directory to -j instead of a single file. In that case genpolicy loads genpolicy-settings.json from that directory and applies all genpolicy-settings.d/*.json files (sorted by name) in order. Each drop-in must be an RFC 6902 JSON Patch: a JSON array of operations (add, remove, replace, move, copy, test). This gives precise control (e.g. array indices) and the optional test operation for assertions.
- genpolicy-settings.d/: empty by default; add your drop-in JSON Patch files here.
- drop-in-examples/: example scenario drop-ins (10-*.json platform base, 20-*.json overlays), each a JSON Patch array. Copy the ones you need into your own genpolicy-settings.d/. See the drop-in examples documentation. These examples are tested in Kata Containers CI.