genpolicy: fix the sample/test scripts

Fix the scripts after rebase merge.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>

Author: danmihai1

src/tools/genpolicy/genpolicy-settings.json

@@ -341,7 +341,6 @@
     "cluster_config": {
         "pause_container_image": "mcr.microsoft.com/oss/kubernetes/pause:3.6"
     },
-    "cluster_config": {},
     "request_defaults": {
         "CreateContainerRequest": {
             "allow_env_regex": [

src/tools/genpolicy/policy_samples.json

@@ -0,0 +1,81 @@
+{
+        "default": [
+                "configmap/pod-cm1.yaml",
+                "configmap/pod-cm2.yaml",
+                "configmap/pod-cm3.yaml",
+                "cron-job/test-cron-job.yaml",
+                "deployment/deployment-back.yaml",
+                "deployment/deployment-front.yaml",
+                "deployment/deployment-busybox.yaml",
+                "job/test-job.yaml",
+                "job/test-job2.yaml",
+                "kubernetes/conformance/conformance-e2e.yaml",
+                "kubernetes/conformance/csi-hostpath-plugin.yaml",
+                "kubernetes/conformance/csi-hostpath-testing.yaml",
+                "kubernetes/conformance/etcd-statefulset.yaml",
+                "kubernetes/conformance/hello-populator-deploy.yaml",
+                "kubernetes/conformance/netexecrc.yaml",
+                "kubernetes/conformance2/ingress-http-rc.yaml",
+                "kubernetes/conformance2/ingress-http2-rc.yaml",
+                "kubernetes/conformance2/ingress-multiple-certs-rc.yaml",
+                "kubernetes/conformance2/ingress-nginx-rc.yaml",
+                "kubernetes/conformance2/ingress-static-ip-rc.yaml",
+                "kubernetes/fixtures/appsv1deployment.yaml",
+                "kubernetes/fixtures/daemon.yaml",
+                "kubernetes/fixtures/deploy-clientside.yaml",
+                "kubernetes/fixtures/job.yaml",
+                "kubernetes/fixtures/multi-resource-yaml.yaml",
+                "kubernetes/fixtures/rc-lastapplied.yaml",
+                "kubernetes/fixtures/rc-noexist.yaml",
+                "kubernetes/fixtures/replication.yaml",
+                "kubernetes/fixtures2/rc-service.yaml",
+                "kubernetes/fixtures2/valid-pod.yaml",
+                "pod/pod-exec.yaml",
+                "pod/pod-lifecycle.yaml",
+                "pod/pod-one-container.yaml",
+                "pod/pod-persistent-volumes.yaml",
+                "pod/pod-same-containers.yaml",
+                "pod/pod-spark.yaml",
+                "pod/pod-three-containers.yaml",
+                "pod/pod-ubuntu.yaml",
+                "replica-set/replica-busy.yaml",
+                "replica-set/replica2.yaml",
+                "secrets/azure-file-secrets.yaml",
+                "stateful-set/web.yaml",
+                "stateful-set/web2.yaml"
+        ],
+        "incomplete_init": [
+                "kubernetes/incomplete-init/cassandra-statefulset.yaml",
+                "kubernetes/incomplete-init/controller.yaml"
+        ],
+        "silently_ignored": [
+                "webhook/webhook-pod1.yaml",
+                "webhook/webhook-pod2.yaml",
+                "webhook/webhook-pod3.yaml",
+                "webhook/webhook-pod4.yaml",
+                "webhook/webhook-pod5.yaml",
+                "webhook/webhook-pod6.yaml",
+                "webhook/webhook-pod7.yaml",
+                "webhook2/webhook-pod8.yaml",
+                "webhook2/webhook-pod9.yaml",
+                "webhook2/webhook-pod10.yaml",
+                "webhook2/webhook-pod11.yaml",
+                "webhook2/webhook-pod12.yaml",
+                "webhook2/webhook-pod13.yaml",
+                "webhook3/dns-test.yaml",
+                "webhook3/many-layers.yaml"
+        ],
+        "no_policy": [
+                "kubernetes/fixtures/limits.yaml",
+                "kubernetes/fixtures/namespace.yaml",
+                "kubernetes/fixtures/quota.yaml"
+        ],
+        "needs_containerd_pull": [
+                "pod/pod-many-layers.yaml"
+        ],
+        "common_images": [
+                "mcr.microsoft.com/azurelinux/busybox:1.36",
+                "mcr.microsoft.com/azurelinux/base/nginx:1.25",
+                "mcr.microsoft.com/mirror/docker/library/ubuntu:noble"
+        ]
+}

src/tools/genpolicy/tests/adapt_settings_for_tests.sh

@@ -6,8 +6,10 @@
 
 # usage: ./tests/adapt_settings_for_tests.sh
 
+set -x
+
 jq '.request_defaults.CreateContainerRequest.allow_env_regex_map = {  
   "JOB_COMPLETION_INDEX": "^[0-9]*$",
   "CPU_LIMIT": "^[0-9]+$",
   "MEMORY_LIMIT": "^[0-9]+$"
-}' genpolicy-settings.json > tmp-genpolicy-settings.json && mv tmp-genpolicy-settings.json genpolicy-settings.json
+}' genpolicy-settings.json > tmp-genpolicy-settings.json && mv tmp-genpolicy-settings.json genpolicy-settings.json

src/tools/genpolicy/update_policy_samples.py

@@ -0,0 +1,93 @@
+import concurrent.futures
+import os
+import subprocess
+import sys
+import json
+import time
+from pathlib import Path
+
+# runs genpolicy tools on the following files
+# should run this after any change to genpolicy
+# usage: python3 update_policy_samples.py
+
+with open('policy_samples.json') as f:
+    samples = json.load(f)
+
+default_yamls = samples["default"]
+incomplete_init = samples["incomplete_init"]
+silently_ignored = samples["silently_ignored"]
+no_policy = samples["no_policy"]
+needs_containerd_pull = samples["needs_containerd_pull"]
+
+file_base_path = "../../agent/samples/policy/yaml"
+
+def runCmd(arg):
+    log = [f"========== COMMAND: {arg}"]
+    return subprocess.run([arg], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, universal_newlines=True, input="", shell=True, check=True)
+
+def timeRunCmd(arg):
+    log = [f"========== COMMAND: {arg}"]
+    start = time.time()
+
+    try:
+        p = runCmd(arg)
+    except subprocess.CalledProcessError as e:
+        log.append(e.stdout)
+        log.append(f"+++++ Failed with exit code {e.returncode}")
+        raise
+    else:
+        if p.stdout:
+            log.append(p.stdout)
+    finally:
+        end = time.time()
+        log.append(f"Time taken: {round(end - start, 2)} seconds")
+        print("\n".join(log))
+
+# check we can access all files we are about to update
+for file in default_yamls + incomplete_init + silently_ignored + no_policy:
+    filepath = os.path.join(file_base_path, file)
+    if not os.path.exists(filepath):
+        sys.exit(f"filepath does not exists: {filepath}")
+
+# build tool
+next_command = "LIBC=gnu BUILD_TYPE= make"
+print("========== COMMAND: " + next_command)
+runCmd(next_command)
+
+# allow all users to pull container images by using containerd
+next_command = "sudo chmod a+rw /var/run/containerd/containerd.sock"
+print("========== COMMAND: " + next_command)
+runCmd(next_command)
+
+print("Modifying settings for testing")
+runCmd("cp genpolicy-settings.json default-genpolicy-settings.json")
+runCmd("./tests/adapt_settings_for_tests.sh")
+
+# update files
+genpolicy_path = "./target/x86_64-unknown-linux-gnu/debug/genpolicy"
+
+total_start = time.time()
+
+with concurrent.futures.ThreadPoolExecutor(max_workers=os.cpu_count()) as executor:
+    futures = []
+
+    for file in default_yamls + incomplete_init + no_policy + needs_containerd_pull:
+        rego_file = "/tmp/" + Path(os.path.basename(file)).stem + "-rego.txt"
+        cmd = f"{genpolicy_path} -r -d -u -y {os.path.join(file_base_path, file)} > {rego_file}"
+        futures.append(executor.submit(timeRunCmd, cmd))
+
+    for file in silently_ignored:
+        rego_file = "/tmp/" + Path(os.path.basename(file)).stem + "-rego.txt"
+        cmd = f"{genpolicy_path} -r -d -u -s -y {os.path.join(file_base_path, file)} > {rego_file}"
+        futures.append(executor.submit(timeRunCmd, cmd))
+
+    for future in concurrent.futures.as_completed(futures):
+        # Surface any potential exception thrown by the future.
+        future.result()
+
+total_end = time.time()
+
+print(f"Total time taken: {total_end - total_start} seconds")
+
+print("Restoring settings to default")
+runCmd("mv default-genpolicy-settings.json genpolicy-settings.json")