Merge pull request #315 from microsoft/sprt/fix-readstream

agent: clear log pipes if denied by policy

src/agent/src/rpc.rs

@@ -583,11 +583,11 @@ impl AgentService {
 
     async fn do_read_stream(
         &self,
-        req: protocols::agent::ReadStreamRequest,
+        req: &protocols::agent::ReadStreamRequest,
         stdout: bool,
     ) -> Result<protocols::agent::ReadStreamResponse> {
-        let cid = req.container_id;
-        let eid = req.exec_id;
+        let cid = &req.container_id;
+        let eid = &req.exec_id;
 
         let term_exit_notifier;
         let reader = {
@@ -802,17 +802,25 @@ impl agent_ttrpc::AgentService for AgentService {
         _ctx: &TtrpcContext,
         req: protocols::agent::ReadStreamRequest,
     ) -> ttrpc::Result<ReadStreamResponse> {
-        is_allowed(&req).await?;
-        self.do_read_stream(req, true).await.map_ttrpc_err(same)
+        let mut response = self.do_read_stream(&req, true).await.map_ttrpc_err(same)?;
+        if is_allowed(&req).await.is_err() {
+            // Policy does not allow reading logs, so we redact the log messages.
+            response.clear_data();
+        }
+        Ok(response)
     }
 
     async fn read_stderr(
         &self,
         _ctx: &TtrpcContext,
         req: protocols::agent::ReadStreamRequest,
     ) -> ttrpc::Result<ReadStreamResponse> {
-        is_allowed(&req).await?;
-        self.do_read_stream(req, false).await.map_ttrpc_err(same)
+        let mut response = self.do_read_stream(&req, false).await.map_ttrpc_err(same)?;
+        if is_allowed(&req).await.is_err() {
+            // Policy does not allow reading logs, so we redact the log messages.
+            response.clear_data();
+        }
+        Ok(response)
     }
 
     async fn close_stdin(

src/tools/genpolicy/genpolicy-settings.json

@@ -329,7 +329,7 @@
             "regex": []
         },
         "CloseStdinRequest": false,
-        "ReadStreamRequest": true,
+        "ReadStreamRequest": false,
         "UpdateEphemeralMountsRequest": false,
         "WriteStreamRequest": false
     }

tests/integration/kubernetes/k8s-policy-logs.bats

@@ -0,0 +1,37 @@
+#!/usr/bin/env bats
+# Copyright (c) 2025 Microsoft Corporation
+# SPDX-License-Identifier: Apache-2.0
+
+load "${BATS_TEST_DIRNAME}/lib.sh"
+load "${BATS_TEST_DIRNAME}/../../common.bash"
+load "${BATS_TEST_DIRNAME}/confidential_common.sh"
+load "${BATS_TEST_DIRNAME}/tests_common.sh"
+
+setup() {
+    auto_generate_policy_enabled || skip "Auto-generated policy tests are disabled"
+
+    setup_common
+    get_pod_config_dir
+
+    pod_name="test-pod-hostname"
+    yaml_file="${pod_config_dir}/pod-hostname.yaml"
+    policy_settings_dir="$(create_tmp_policy_settings_dir "${pod_config_dir}")"
+
+    # Assert that ReadStreamRequest is indeed blocked.
+    [[ "$(jq .request_defaults.ReadStreamRequest "${policy_settings_dir}/genpolicy-settings.json")" == "false" ]]
+
+    auto_generate_policy "${policy_settings_dir}" "${yaml_file}"
+}
+
+@test "Logs empty when ReadStreamRequest is blocked" {
+    kubectl apply -f "${yaml_file}"
+    kubectl wait --for jsonpath=status.phase=Succeeded --timeout=$timeout pod "$pod_name"
+
+    # Verify that (1) the logs are empty and (2) the container does not deadlock.
+    [[ "$(kubectl logs "${pod_name}")" == "" ]]
+}
+
+teardown() {
+    auto_generate_policy_enabled || skip "Auto-generated policy tests are disabled"
+    teardown_common "${node}" "${node_start_time:-}"
+}

tests/integration/kubernetes/run_kubernetes_tests.sh

@@ -45,6 +45,7 @@ else
 		"k8s-optional-empty-secret.bats" \
 		"k8s-pid-ns.bats" \
 		"k8s-pod-quota.bats" \
+		"k8s-policy-logs.bats" \
 		"k8s-port-forward.bats" \
 		"k8s-projected-volume.bats" \
 		"k8s-qos-pods.bats" \