-
Notifications
You must be signed in to change notification settings - Fork 94
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
podvm: Provide an example Open Policy Agent (opa) addon
This commit adds an example opa addon to support kata agent policy that can be included in the packer built podvm image Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>
- Loading branch information
Showing
5 changed files
with
149 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| ## Introduction | ||
|
|
||
| This is a skeleton addon | ||
|
|
||
| To enable an addon, create a file `.enable` in the current addon directory as | ||
| well as in the top-level `podvm/addons` dir. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,39 @@ | ||
| package agent_policy | ||
|
|
||
| default AddARPNeighborsRequest := true | ||
| default AddSwapRequest := true | ||
| default CloseStdinRequest := true | ||
| default CopyFileRequest := true | ||
| default CreateContainerRequest := true | ||
| default CreateSandboxRequest := true | ||
| default DestroySandboxRequest := true | ||
| default GetMetricsRequest := true | ||
| default GetOOMEventRequest := true | ||
| default GuestDetailsRequest := true | ||
| default ListInterfacesRequest := true | ||
| default ListRoutesRequest := true | ||
| default MemHotplugByProbeRequest := true | ||
| default OnlineCPUMemRequest := true | ||
| default PauseContainerRequest := true | ||
| default PullImageRequest := true | ||
| default ReadStreamRequest := true | ||
| default RemoveContainerRequest := true | ||
| default RemoveStaleVirtiofsShareMountsRequest := true | ||
| default ReseedRandomDevRequest := true | ||
| default ResumeContainerRequest := true | ||
| default SetGuestDateTimeRequest := true | ||
| default SetPolicyRequest := true | ||
| default SignalProcessRequest := true | ||
| default StartContainerRequest := true | ||
| default StartTracingRequest := true | ||
| default StatsContainerRequest := true | ||
| default StopTracingRequest := true | ||
| default TtyWinResizeRequest := true | ||
| default UpdateContainerRequest := true | ||
| default UpdateEphemeralMountsRequest := true | ||
| default UpdateInterfaceRequest := true | ||
| default UpdateRoutesRequest := true | ||
| default WaitProcessRequest := true | ||
| default WriteStreamRequest := true | ||
|
|
||
| default ExecProcessRequest := false |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| package agent_policy | ||
|
|
||
| default AddARPNeighborsRequest := true | ||
| default AddSwapRequest := true | ||
| default CloseStdinRequest := true | ||
| default CopyFileRequest := true | ||
| default CreateContainerRequest := true | ||
| default CreateSandboxRequest := true | ||
| default DestroySandboxRequest := true | ||
| default ExecProcessRequest := true | ||
| default GetMetricsRequest := true | ||
| default GetOOMEventRequest := true | ||
| default GuestDetailsRequest := true | ||
| default ListInterfacesRequest := true | ||
| default ListRoutesRequest := true | ||
| default MemHotplugByProbeRequest := true | ||
| default OnlineCPUMemRequest := true | ||
| default PauseContainerRequest := true | ||
| default PullImageRequest := true | ||
| default ReadStreamRequest := true | ||
| default RemoveContainerRequest := true | ||
| default RemoveStaleVirtiofsShareMountsRequest := true | ||
| default ReseedRandomDevRequest := true | ||
| default ResumeContainerRequest := true | ||
| default SetGuestDateTimeRequest := true | ||
| default SetPolicyRequest := true | ||
| default SignalProcessRequest := true | ||
| default StartContainerRequest := true | ||
| default StartTracingRequest := true | ||
| default StatsContainerRequest := true | ||
| default StopTracingRequest := true | ||
| default TtyWinResizeRequest := true | ||
| default UpdateContainerRequest := true | ||
| default UpdateEphemeralMountsRequest := true | ||
| default UpdateInterfaceRequest := true | ||
| default UpdateRoutesRequest := true | ||
| default WaitProcessRequest := true | ||
| default WriteStreamRequest := true |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| # | ||
| # Copyright (c) 2023 Microsoft Corporation | ||
| # | ||
| # SPDX-License-Identifier: Apache-2.0 | ||
| # | ||
|
|
||
| [Unit] | ||
| Description=Open Policy Agent for Kata Containers | ||
| Documentation=https://github.com/kata-containers | ||
| ConditionPathExists=/etc/kata-opa/default-policy.rego | ||
|
|
||
| # kata-agent connects to OPA while starting up. | ||
| Before=kata-agent.service | ||
|
|
||
| [Service] | ||
| Type=simple | ||
| ExecStart=/usr/local/bin/opa run --server --disable-telemetry --addr 127.0.0.1:8181 --log-level info | ||
| DynamicUser=yes | ||
| RuntimeDirectory=kata-opa | ||
| LimitNOFILE=1048576 | ||
|
|
||
| # Don't restart because there may be an active policy that would be lost. | ||
| Restart=no | ||
|
|
||
| # Send log output to tty to allow capturing debug logs from a VM vsock port. | ||
| StandardError=tty | ||
|
|
||
| # Discourage OOM-killer from touching the policy service. | ||
| OOMScoreAdjust=-997 | ||
|
|
||
| [Install] | ||
| WantedBy=multi-user.target |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,34 @@ | ||
| #!/bin/bash | ||
|
|
||
|
|
||
| #This is the dir in the pod vm image during build | ||
| ADDONS_DIR="/tmp/addons" | ||
|
|
||
|
|
||
| # Copy policy file | ||
| mkdir -p /etc/kata-opa | ||
|
|
||
| cp ${ADDONS_DIR}/opa/allow-all.rego /etc/kata-opa | ||
| cp ${ADDONS_DIR}/opa/allow-all-except-exec-process.rego /etc/kata-opa | ||
|
|
||
| # Create default rego policy | ||
| ln -s /etc/kata-opa/allow-all.rego /etc/kata-opa/default-policy.rego | ||
|
|
||
|
|
||
| # Create service file | ||
|
|
||
| cp ${ADDONS_DIR}/opa/kata-opa.service /etc/systemd/system/kata-opa.service | ||
|
|
||
| systemctl enable kata-opa.service | ||
|
|
||
| # PODVM_DISTRO variable is set as part of the podvm image build process | ||
| # and available inside the packer VM | ||
| if [[ "$PODVM_DISTRO" == "ubuntu" ]] || [[ "$PODVM_DISTRO" == "rhel" ]]; then | ||
| # Copy opa binary in /usr/local/bin | ||
| curl -L -o opa https://openpolicyagent.org/downloads/v0.58.0/opa_linux_amd64_static | ||
| install -D -o root -g root -m 0755 opa -T /usr/local/bin/opa | ||
|
|
||
| fi | ||
|
|
||
|
|
||
|
|