
Align sources with upstream #122

Merged
merged 53 commits into from
Dec 19, 2023
53 commits
d9fb0b9
Copy genpolicy from cc-msft-prototypes
sprt Nov 29, 2023
f450b70
Copy snapshotter bits from cc-msft-prototypes
sprt Nov 29, 2023
ea1f84e
runtime: enable configuring IGVM images
dallasd1 Jul 10, 2023
c1c97e8
runtime: add SNP related changes for CLH (#33)
dallasd1 Jul 10, 2023
7874623
Update clh-snp config and remove extra rootfs package definition (#38)
dallasd1 Jul 26, 2023
0de72d3
Enable SEV SNP and setting for host_data for CH-SNP (#42)
ms-mahuber Aug 22, 2023
31efd75
Re-enable seccomp in clh-snp config (#46)
dallasd1 Sep 1, 2023
8ea33f3
Always assign 10 PCI segments and modify IGVM config validation (#92)
ms-mahuber Oct 3, 2023
d0410ee
agent: Make /dev/sev-guest available to containers (#36)
sprt Jul 20, 2023
3c18603
osbuilder: add support to build enable dm-verity protected images (#55)
dallasd1 Sep 18, 2023
9703f6c
image: don't insert the DAX header (#56)
danmihai1 Sep 18, 2023
4609335
rootfs: delete some of the mariner packages (#45)
danmihai1 Aug 31, 2023
3d528e5
rootfs: add back bash to mariner's rootfs (#47)
danmihai1 Sep 14, 2023
da31fd3
rootfs: add back coreutils to mariner's image (#48)
danmihai1 Sep 14, 2023
2c583a2
rootfs: add back ps to mariner's rootfs (#49)
danmihai1 Sep 14, 2023
7ae21ef
runtime: agent: SNP HOST_DATA set-up (#43)
danmihai1 Aug 23, 2023
c1a4295
runtime: agent: validate policy contents (#50)
danmihai1 Sep 14, 2023
544bbe2
runtime: use 10 PCI segments for the Guest (#59)
danmihai1 Sep 19, 2023
ed598bc
policy: bypass empty response from OPA (#85)
danmihai1 Oct 1, 2023
24c86ea
osbuilder: install device-mapper and enable udevd
wedsonaf Mar 16, 2023
9f35029
runtime: add support for layer-src-prefix option
wedsonaf Jun 16, 2023
ae4a6dd
runtime: Allow disabling FS sharing for CLH/SNP
sprt Dec 1, 2023
eaaa722
runtime: Properly specify static resource mgmt
sprt Dec 1, 2023
c7c367d
runtime: decode layer string
wedsonaf Jun 18, 2023
5ff7f61
osbuilder: include tardev components to rootfs
wedsonaf Feb 20, 2023
c719d0a
agent: use dm-verity if io.katacontainers.fs-opt.root-hash is set
wedsonaf Jun 13, 2023
331235c
agent: change to layer directory when mounting overlays
wedsonaf Jun 16, 2023
0caaa1d
agent: add some context to device mapper error
wedsonaf Jun 23, 2023
e5f500b
agent: unmount storages in reverse order
wedsonaf Jun 23, 2023
0e66627
runtime: minimum 10 seconds timeout for bootvm (#37)
danmihai1 Jul 24, 2023
9e19088
runtime: accommodate slower than expected boot (#44)
danmihai1 Aug 31, 2023
2ec9760
Append systemd kernel cmdline params for initrd (#39)
dallasd1 Jul 26, 2023
4aa8998
tools: keep package zstd-libs in the UVM (#104)
dallasd1 Nov 6, 2023
25ee87f
runtime: enable confidential guest by default in non-SNP config (#112)
arc9693 Nov 29, 2023
58383c7
tools: pick up genpolicy improvements (#114)
danmihai1 Nov 28, 2023
48dc817
genpolicy: add topologySpreadConstraints support (#115)
danmihai1 Nov 29, 2023
e3711f1
docs: add agent policy how-to doc (#116)
danmihai1 Nov 29, 2023
7481a81
Add snapshotter build files to .gitignore
sprt Dec 4, 2023
c00a018
config: Add SEV SNP config
sprt Dec 5, 2023
533bc61
agent: skip mount options that start with "io.katacontainers."
sprt Dec 6, 2023
4fa810b
Add src/agent/samples/policy/test-input/ to .gitignore
sprt Dec 6, 2023
8343c04
genpolicy: Readd agent type definitions (#118)
Redent0r Dec 6, 2023
4b1c5a9
utarfs: implement the enumeration of xattrs (#119)
wedsonaf Dec 6, 2023
1848c95
runtime: use shared dir to mount rootfs
wedsonaf Jun 16, 2023
4e2b991
Add dev directories to .gitignore
sprt Dec 15, 2023
8059785
runtime: Resolve high UVM memory footprint
sprt Dec 15, 2023
6283540
genpolicy: allow empty env vars (#120)
Redent0r Dec 7, 2023
601c15c
fixup! runtime: use shared dir to mount rootfs
sprt Dec 15, 2023
edb476b
genpolicy: changing caching so the tool can run concurrently with itself
SethHollandsworth Nov 28, 2023
da50743
policy: Remove outdated samples
sprt Dec 18, 2023
ceea9aa
Revert "runtime: use 10 PCI segments for the Guest (#59)"
sprt Dec 18, 2023
8aec434
runtime: agent: use up to 10 PCI segments (#61)
sprt Dec 18, 2023
e2657fb
agent: Remove obsolete Rego samples
sprt Dec 19, 2023
16 changes: 16 additions & 0 deletions .gitignore
Expand Up @@ -15,3 +15,19 @@ src/agent/protocols/src/*.rs
!src/agent/protocols/src/lib.rs
build
src/tools/log-parser/kata-log-parser

# Microsoft-specific
.cargo/
vendor/
src/agent/samples/policy/test-input/
src/tarfs/**/*.cmd
src/tarfs/**/*.ko
src/tarfs/**/*.mod
src/tarfs/**/*.mod.c
src/tarfs/**/*.o
src/tarfs/**/modules.order
src/tarfs/**/Module.symvers
src/tarfs-cvm/
tools/osbuilder/root_hash.txt
tools/osbuilder/kata-opa.service
tools/osbuilder/rootfs-builder/opa/
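Review bot: `tools/osbuilder/root_hash.txt` is the dm-verity root hash that the guest agent later enforces (this PR carries `agent: use dm-verity if io.katacontainers.fs-opt.root-hash is set`), so ignoring it in the working tree is fine, but the osbuilder step should also publish it next to the image as a versioned build artifact; otherwise nothing ties the image that ships to the hash the agent is told to verify. Smaller point: `.cargo/` and `vendor/` are the standard cargo vendoring directories, not Microsoft-specific, so they belong above the `# Microsoft-specific` comment rather than under it.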
4 changes: 4 additions & 0 deletions Makefile
Expand Up @@ -11,6 +11,10 @@ COMPONENTS += agent
COMPONENTS += dragonball
COMPONENTS += runtime
COMPONENTS += runtime-rs
COMPONENTS += tarfs
COMPONENTS += tardev-snapshotter
COMPONENTS += overlay
COMPONENTS += utarfs

# List of available tools
TOOLS =
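Review bot: `tarfs` is a kernel module (the `.gitignore` hunk in this PR ignores `src/tarfs/**/*.ko`, `modules.order` and `Module.symvers`), so adding it to `COMPONENTS` unconditionally makes a plain `make` depend on kernel headers for whatever kernel the build host runs; gate the four new entries behind a make variable the way policy support is gated by `AGENT_POLICY=yes`, or document the kernel-headers requirement next to the list.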
Expand Down
4 changes: 3 additions & 1 deletion docs/how-to/README.md
Expand Up @@ -46,4 +46,6 @@
- [How to run Kata Containers with AMD SEV-SNP](how-to-run-kata-containers-with-SNP-VMs.md)
- [How to use EROFS to build rootfs in Kata Containers](how-to-use-erofs-build-rootfs.md)
- [How to run Kata Containers with kinds of Block Volumes](how-to-run-kata-containers-with-kinds-of-Block-Volumes.md)
- [How to use the Kata Agent Policy](how-to-use-the-kata-agent-policy.md)

## Confidential Containers
- [How to use the Kata Agent Policy](how-to-use-the-kata-agent-policy.md)
129 changes: 128 additions & 1 deletion docs/how-to/how-to-use-the-kata-agent-policy.md
Expand Up @@ -14,6 +14,10 @@ When compiled with default settings, the Kata Containers code doesn't include th

1. The Kata Agent gets built using `AGENT_POLICY=yes`, and therefore includes Policy support. If the `AGENT_INIT=yes` build parameter was specified in addition to `AGENT_POLICY=yes`, the Kata Agent will start `OPA` during the Kata Containers sandbox creation.

# Policy format

The Policy document is a text file using the [`Rego` policy language](https://www.openpolicyagent.org/docs/latest/policy-language/). See [Creating the Policy document](#creating-the-policy-document) for information related to creating Policy files.

# Providing the Policy to the Kata Agent

There are two methods for providing the Policy document to the Kata Agent:
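Review bot: the new `Policy format` section says which language the Policy is written in, but the list item above it only covers the `AGENT_INIT=yes` case, where the Kata Agent starts `OPA` itself; the doc should also state which component starts `OPA` when the agent is not PID 1 (the `tools/osbuilder/kata-opa.service` file that this PR adds to `.gitignore` suggests a systemd unit in the guest image), since a policy-enabled agent with no `OPA` to query is a configuration error readers will hit.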
Expand Down Expand Up @@ -66,4 +70,127 @@ While creating the Pod sandbox, the Kata Shim will notice the `io.katacontainers

# How is the Policy being enforced?

The Kata Agent is responsible for enforcing the Policy, working together with `OPA`. The Agent checks the Policy for each [ttRPC API](../../src/libs/protocols/protos/agent.proto) request. Before carrying out the actions corresponding to the request, the Agent uses the [`OPA REST API`](https://www.openpolicyagent.org/docs/latest/rest-api/) to check if the Policy allows or blocks the call. The Agent rejects requests that are not allowed by the Policy.
The Kata Agent is responsible for enforcing the Policy, working together with [`OPA`](https://www.openpolicyagent.org/). The Agent checks the Policy for each [ttRPC API](../../src/libs/protocols/protos/agent.proto) request. Before carrying out the actions corresponding to the request, the Agent uses the [`OPA REST API`](https://www.openpolicyagent.org/docs/latest/rest-api/) to check if the Policy allows or blocks the request. The Agent rejects requests that are not allowed by the Policy.

# Creating the Policy document

## Creating the Policy document manually

For relatively simple uses cases, users can write the Policy text using the [`Rego` policy language documentation](https://www.openpolicyagent.org/docs/latest/policy-language/) as reference.

See [Policy contents](#policy-contents) for additional information.

## Using auto-generated Policy

The [`genpolicy`](../../src/tools/genpolicy/) application can be used to generate automatically a Policy matching an input Kubernetes `YAML` file. The Policy generated by this application is typically used for implementing confidential containers, where the Kata Shim and the Kata Agent have different trust properties.

**Warning** Users should review carefully the automatically-generated Policy, and modify the Policy file if needed to match better their use case, before using this Policy.

See the [`genpolicy` documentation](../../src/tools/genpolicy/README.md) and the [Policy contents examples](#policy-contents) for additional information.

## Policy contents

### The [`Rego`](https://www.openpolicyagent.org/docs/latest/policy-language/) package name

The name of the Kata Agent Policy package must be `agent_policy`. Therefore, all Agent Policy documents must start with:

```
package agent_policy
```
### Default values

When the Kata Shim sends a [ttRPC API](../../src/libs/protocols/protos/agent.proto) request to the Kata Agent, the [Policy rules](#rules) corresponding to that request type are evaluated. For example, when the Agent receives a `CopyFile` request, any rules defined in the Policy that are using the name `CopyFileRequest` are evaluated. [`OPA`](https://www.openpolicyagent.org/) evaluates these rules and tries to find at least one `CopyFileRequest` rule that returns value `true`:

1. If at least one `CopyFileRequest` rule returns `true`, `OPA` returns a `true` result to the Kata Agent, and the Agent carries out the file copy requested by the Shim.

1. If all the `CopyFileRequest` rules return `false`:
- If the Policy includes a default value for `CopyFileRequest`, `OPA` returns that value to the Agent.
- If the Policy doesn't include a default value for `CopyFileRequest`, `OPA` returns an empty response to the Agent. The Agent treats the empty response the same way as a `false` response, so it rejects the `CopyFile` request.

**Tip:** Although the Kata Agent treats empty responses from `OPA` similarly to `false` responses, it is recommended to always provide default values. With default values, the Policy document and the logs from `OPA` and Kata Agent are easier to understand.

Examples of default values:

```
default WaitProcessRequest := true
default ExecProcessRequest := false
```

### Policy data

Policy data is optional. It typically contains values that are compared by the [Policy rules](#rules) with the input parameters of a [ttRPC API](../../src/libs/protocols/protos/agent.proto) request. Based on this comparison, a rule can either allow or deny the request, by returning `true` or `false`.

Example of Policy data:

```
policy_data := {
"common": {
"cpath": "/run/kata-containers/shared/containers"
},
"request_defaults": {
"CopyFileRequest": [
"^$(cpath)/"
],
"ExecProcessRequest": {
"commands": [
"/bin/foo"
],
"regex": []
}
}
}
```

### Rules

Policy rules are optional. They typically compare the input parameters of a [ttRPC API](../../src/libs/protocols/protos/agent.proto) request with values from the [policy data](#policy-data). Based on this comparison, a rule can either allow or deny the request, by returning `true` or `false`.

Multiple rules having the same name can be defined in the same Policy. As described [above](#default-values), when the Kata Agent queries [`OPA`](https://www.openpolicyagent.org/) by using the [`OPA REST API`](https://www.openpolicyagent.org/docs/latest/rest-api/), `OPA` tries to find at least one rule having the same name as the request that returns `true` given the API input parameters defined by the [ttRPC API](../../src/libs/protocols/protos/agent.proto).

Examples of rules, corresponding to the Kata Agent `CopyFile` and `ExecProcess` requests:

```
import future.keywords.in
import input

CopyFileRequest {
print("CopyFileRequest: input.path =", input.path)

some regex1 in policy_data.request_defaults.CopyFileRequest
regex2 := replace(regex1, "$(cpath)", policy_data.common.cpath)
regex.match(regex2, input.path)

print("CopyFileRequest: true")
}

ExecProcessRequest {
print("ExecProcessRequest 1: input =", input)

i_command = concat(" ", input.process.Args)
print("ExecProcessRequest 1: i_command =", i_command)

some p_command in policy_data.request_defaults.ExecProcessRequest.commands
p_command == i_command

print("ExecProcessRequest 1: true")
}

ExecProcessRequest {
print("ExecProcessRequest 2: input =", input)

i_command = concat(" ", input.process.Args)
print("ExecProcessRequest 2: i_command =", i_command)

some p_regex in policy_data.request_defaults.ExecProcessRequest.regex
print("ExecProcessRequest 2: p_regex =", p_regex)

regex.match(p_regex, i_command)

print("ExecProcessRequest 2: true")
}

```

The `input` data from these examples is provided to `OPA` by the Kata Agent, as a ``JSON`` format representation of the API request parameters.

For additional examples of Policy rules, see [`rules.rego`](../../src/tools/genpolicy/rules.rego).
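Review bot: the `CopyFileRequest` rule only checks that `input.path` matches `^/run/kata-containers/shared/containers/` after `$(cpath)` is substituted, so a path such as `/run/kata-containers/shared/containers/../../../etc/shadow` passes the regex; the example should reject any `..` component, for instance with `not contains(input.path, "/../")` and `not endswith(input.path, "/..")` before the `regex.match`, or the text should state that the agent canonicalizes the path before evaluation if that is the case. The `ExecProcessRequest` rules have a related weakness: `concat(" ", input.process.Args)` erases argv boundaries, so `["/bin/foo", "bar"]` and `["/bin/foo bar"]` compare equal, and any entry in `policy_data.request_defaults.ExecProcessRequest.regex` that is not anchored with `^` and `$` matches every command line that merely contains the pattern; compare `input.process.Args` as a list against a list of allowed argv arrays, and say in the prose that regexes must be anchored. Minor: `i_command = ...` should be `i_command := ...`, and `print("ExecProcessRequest 1: input =", input)` dumps the whole request, including everything under `input.process`, into `OPA`'s log.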