forked from kata-containers/kata-containers
policy: support policy versioning #326
Draft: Redent0r wants to merge 500 commits into msft-main from saulparedes/add_policy_versioning
Conversation
samples: change job.yaml to an mcr container image
samples: introduce incomplete_init category
Add the new category for tests we want to run genpolicy against, but not run them in deployments (as the name suggests, we cannot run those). Signed-off-by: Manuel Huber <mahuber@microsoft.com>
Cherry-pick upstream PR kata-containers#9825: osbuilder: allow rootfs builds w/o git or version file deps
tools: Improve igvm-builder and node-builder/azure-linux scripting
- Support for Mariner 3 builds using OS_VERSION variable
- Improvements to IGVM build process and flow as described in README
- Adoption of using only cloud-hypervisor-cvm on CBL-Mariner
Signed-off-by: Manuel Huber <mahuber@microsoft.com>
tardev: update tardev-snapshotter.service
At the moment, we have circular dependencies between tardev-snapshotter.service and containerd.service. Specifically, containerd.service needs tardev-snapshotter.service to run any CC pods, while tardev-snapshotter.service needs containerd.service to download image layers. This dependency will be eliminated once we switch to using remote-snapshotter. Currently, tardev-snapshotter.service's binding to containerd.service gets delayed, and we won't be able to run any CC pods until the boot process is completed. It doesn't matter which service starts first. Based on the current logic, it makes more sense to use WantedBy=kubelet.service in tardev-snapshotter.service, as we won't be able to start any CC pods without kubelet. In the future, once tardev-snapshotter becomes a remote snapshotter again, it will make more sense to use WantedBy=containerd.service. Signed-off-by: Mitch Zhu <mitchzhu@microsoft.com>
samples: reduce dependencies to docker hub
Use container image sources from ACR/MCR. Signed-off-by: Manuel Huber <mahuber@microsoft.com>
agent: fix the AllowRequestsFailingPolicy functionality
1. Use the new value of AllowRequestsFailingPolicy after setting up a new Policy. Before this change, the only way to enable AllowRequestsFailingPolicy was to change the default Policy file, built into the Guest rootfs image.
2. Ignore errors returned by regorus while evaluating Policy rules, if AllowRequestsFailingPolicy was enabled. For example, trying to evaluate the UpdateInterfaceRequest rules using a policy that didn't define any UpdateInterfaceRequest rules results in a "not found" error from regorus. Allow AllowRequestsFailingPolicy := true to bypass that error.
3. Add simple CI test for AllowRequestsFailingPolicy.
These changes are restoring functionality that was broken recently by commit 11f78ae. Signed-off-by: Dan Mihai <dmihai@microsoft.com>
docs: add guide to install new CSI drivers
This adds a public guide on how to install and test the new storage CSI drivers for AKS confidential pods. Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
genpolicy: add support for cron jobs
Add support for cron jobs Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
samples: update image references
Use up-to-date AzL references Signed-off-by: Manuel Huber <mahuber@microsoft.com>
genpolicy: reject untested CreateContainer field values
Reject CreateContainerRequest field values that are not tested by
Kata CI and that might impact the confidentiality of CoCo Guests.
This change uses a "better safe than sorry" approach to untested
fields. It is very possible that in the future we'll encounter
reasonable use cases that will either:
- Show that some of these fields are benign and don't have to be
verified by Policy, or
- Show that Policy should verify legitimate values of these fields
These are the new CreateContainerRequest Policy rules:
    count(input.shared_mounts) == 0
    is_null(input.string_user)
    i_oci := input.OCI
    is_null(i_oci.Hooks)
    is_null(i_oci.Linux.Seccomp)
    is_null(i_oci.Solaris)
    is_null(i_oci.Windows)
    i_linux := i_oci.Linux
    count(i_linux.GIDMappings) == 0
    count(i_linux.MountLabel) == 0
    count(i_linux.Resources.Devices) == 0
    count(i_linux.RootfsPropagation) == 0
    count(i_linux.UIDMappings) == 0
    is_null(i_linux.IntelRdt)
    is_null(i_linux.Resources.BlockIO)
    is_null(i_linux.Resources.Network)
    is_null(i_linux.Resources.Pids)
    is_null(i_linux.Seccomp)
    i_linux.Sysctl == {}
    i_process := i_oci.Process
    count(i_process.SelinuxLabel) == 0
    count(i_process.User.Username) == 0
Signed-off-by: Dan Mihai <dmihai@microsoft.com>
Update annotations after reject untested CreateContainer field values Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
samples: update ubuntu sample to use 18.04
This is a more stable tag. Previous tag got updated yesterday and requires to update the annotation. Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
chore: bump release version
Bump release version to 3.2.0-azl1.genpolicy1 Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
tools: Add package-tools-install functionality
- Add script to install kata-containers(-cc)-tools bits
- Minor improvements in README.md
- Minor fix in package_install
- Remove echo outputs in package_build
Signed-off-by: Manuel Huber <mahuber@microsoft.com>
tools: Enable setting IGVM SVN
- Allow setting SVN parameter for IGVM build scripting
Signed-off-by: Manuel Huber <mahuber@microsoft.com>
This lets developers build and deploy Kata in debug mode without having to make manual edits to the build scripts. With BUILD_TYPE=debug (default is release):
* The agent is built in debug mode.
* The agent is built with a permissive policy (using allow-all.rego).
* The shim debug config file is used, i.e. we create the symlink configuration-clh-snp-debug.toml <- configuration-clh-snp.toml.
For example, building and deploying Kata-CC in debug mode is now as simple as:
    make BUILD_TYPE=debug all-confpods deploy-confpods
Also do note that make still lets you override the other variables even after setting BUILD_TYPE. For example, you can use the production shim config with BUILD_TYPE=debug:
    make BUILD_TYPE=debug SHIM_USE_DEBUG_CONFIG=no all-confpods deploy-confpods
Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
manuelh-dev reviewed Mar 7, 2025
src/agent/src/policy.rs (Outdated)
    Err(e) => {
        warn!(
            sl!(),
            "policy: failed to parse policy version: {e}. Assuming default policy version"
rather fail hard?
manuelh-dev reviewed Mar 7, 2025
src/agent/src/policy.rs (Outdated)
    async fn allow_request(&mut self, ep: &str, ep_input: &str) -> Result<(bool, String)> {
        match self.version {
            PolicyVersions::V1 => self.allow_request_v1(ep, ep_input).await,
            PolicyVersions::V2 => {
Are we introducing a behavior here that rejects anything that is any newer version? Someone can pass in higher than V2.
Introduce clean-rootfs target in osbuilder Makefile to facilitate building multiple subsequent UVM files with different compositions. To this end, also pipe a new UVM_BUILD_TYPE flag for IGVM build type. Signed-off-by: Cameron Baird <cameronbaird@microsoft.com>
The policy module augments the policy generated with genpolicy by keeping and providing state to each invocation. Therefore, it is not sufficient anymore to test the passing of requests in the genpolicy crate. Since in Rust, integration tests cannot call functions that are not exposed publicly, this commit factors out the policy module of the agent into its own crate and exposes the necessary functions to be consumed by the agent and integration tests. The integration test itself is implemented in the following commits. Signed-off-by: Leonard Cohnen <lc@edgeless.systems>
This commit allows programmatically invoking genpolicy. This allows other Rust tools that don't want to consume genpolicy as a binary to generate policies. One such use case is the policy integration test implemented in the following commits. Signed-off-by: Leonard Cohnen <lc@edgeless.systems>
The generated rego policies for `CreateContainerRequest` are stateful and that state is handled in the policy crate. We use this policy crate in the genpolicy integration test to be able to test if those state changes are handled correctly without spinning up an agent or even a cluster. This also allows us to easily test at, e.g., the CreateContainerRequest level instead of relying on changing the YAML that is applied to a cluster. Signed-off-by: Leonard Cohnen <lc@edgeless.systems>
Move PolicyCopyFile request to shared policy crate so we can test it Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
Rework kata, kata-cc images into release and debug images with different package compositions.
Conditionally install kata-packages-uvm-debug metapackage.
Install image as kata-containers-debug.img if debug image is built; update debug config image field.
Make uvm_build/install build both release and debug images.
Signed-off-by: Cameron Baird <cameronbaird@microsoft.com>
policy: test through agent
Similar approach as in upstream PR kata-containers#11003 Signed-off-by: Manuel Huber <mahuber@microsoft.com>
Useful for go dependency upgrades, so that we actually commit changes in the vendor folder Signed-off-by: Manuel Huber <mahuber@microsoft.com>
…56-3 runtime: upgrade grpc vendor dependency
Introduce rule to block routes from source addresses which are the loopback. Block routes added to the lo device. Signed-off-by: Cameron Baird <cameronbaird@microsoft.com>
Introduce rules for UpdateInterfaceRequest and genpolicy tests for them. Signed-off-by: Cameron Baird <cameronbaird@microsoft.com>
Update samples Signed-off-by: Cameron Baird <cameronbaird@microsoft.com>
…policy genpolicy: Introduce UpdateRoutesRequest, UpdateInterfaceRequest rules in genpolicy-settings
Add test cases for basic and legacy requests to create pause container Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
…er_tests policy: add tests for createContainerRequest
Validate sandbox name using a regex. If the YAML specifies metadata.name, use a regex that exact matches. If the YAML specifies metadata.generateName, use a regex that matches the prefix of the generated name. Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
We only use protocols in the tests, so it should be a dev dependency. Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
Update samples Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
…_name policy: validate pod generated name
On the genpolicy side, encode the policy document version being used. On the agent side, read the version from the policy document and allow requests accordingly. This allows the agent to handle multiple policy document versions. Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
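One way the agent can gate on the declared document version, as an added example that is not the PR's code: the marker line `policy_version := N`, the type names and the "no marker means V1" rule are assumptions made for this example. It takes the stricter option raised in review: a malformed marker is an error rather than a silent default, and any version newer than V2 is rejected.

```rust
// Added example, not code from the PR: gate policy loading on a version marker.
// Assumptions made here: the document carries a line `policy_version := N`; a document without it is a legacy V1 document.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum PolicyVersion {
    V1,
    V2,
}

#[derive(Debug, PartialEq, Eq)]
pub enum VersionError {
    /// Marker present but not an integer: refuse to guess a version.
    Malformed(String),
    /// Marker declares a version this agent does not implement (e.g. 3).
    Unsupported(u64),
}

/// Read the version marker. Only a missing marker falls back to V1; a
/// malformed or newer-than-V2 marker is an error so the caller fails closed
/// instead of evaluating the document under the wrong rule set.
pub fn parse_policy_version(rego: &str) -> Result<PolicyVersion, VersionError> {
    let mut declared = None;
    for line in rego.lines().map(str::trim) {
        let rest = match line.strip_prefix("policy_version") {
            Some(r) => r,
            None => continue,
        };
        // Avoid matching longer identifiers such as `policy_version_note`.
        if !rest.starts_with(|c: char| c.is_whitespace() || c == ':' || c == '=') {
            continue;
        }
        let value = rest.trim_start().trim_start_matches(":=").trim_start_matches('=').trim();
        let n = value.parse::<u64>().map_err(|_| VersionError::Malformed(line.to_string()))?;
        declared = Some(n);
        break;
    }
    match declared {
        None | Some(1) => Ok(PolicyVersion::V1),
        Some(2) => Ok(PolicyVersion::V2),
        Some(v) => Err(VersionError::Unsupported(v)),
    }
}
/// Version is fixed at load time, so later dispatch is an exhaustive `match`
/// over `PolicyVersion` with no "unknown version" branch to get wrong.
pub struct Policy { pub version: PolicyVersion, pub rego: String }
impl Policy {
    pub fn load(rego: &str) -> Result<Self, VersionError> {
        Ok(Policy { version: parse_policy_version(rego)?, rego: rego.to_string() })
    }
}
```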
947eb71 to 6bf2c8c
Merge Checklist
upstream/missing label (or upstream/not-needed) has been set on the PR.
Summary
On the genpolicy side, encode the policy version being used.
On the agent side, read the version from the policy document and allow requests accordingly.
Test Methodology