diff --git a/.gitignore b/.gitignore
index f8928ae22..166a6b8ac 100644
--- a/.gitignore
+++ b/.gitignore
@@ -8,7 +8,6 @@ src/cloud-api-adaptor/umoci
 src/cloud-api-adaptor/skopeo
 src/csi-wrapper/build
 src/csi-wrapper/vendor
-src/cloud-api-adaptor/opa/
 # Binaries
 src/cloud-api-adaptor/agent-protocol-forwarder
@@ -20,7 +19,6 @@ src/cloud-api-adaptor/cluster-provisioner
 src/cloud-api-adaptor/confidential-data-hub
 src/cloud-api-adaptor/kata-agent
 src/cloud-api-adaptor/process-user-data
-src/cloud-api-adaptor/opa
 # The code files under cmd are not ignored
 !src/cloud-api-adaptor/cmd/*
diff --git a/src/cloud-api-adaptor/Makefile.defaults b/src/cloud-api-adaptor/Makefile.defaults
index 86641f237..af77cf4aa 100644
--- a/src/cloud-api-adaptor/Makefile.defaults
+++ b/src/cloud-api-adaptor/Makefile.defaults
@@ -41,6 +41,4 @@ GUEST_COMPONENTS_REPO := $(or $(GUEST_COMPONENTS_REPO),$(call query,git.guest-co
 GUEST_COMPONENTS_VERSION := $(or $(GUEST_COMPONENTS_VERSION),$(call query,git.guest-components.reference))
 PAUSE_REPO := $(or $(PAUSE_REPO),$(call query,oci.pause.registry))
 PAUSE_VERSION := $(or $(PAUSE_VERSION),$(call query,oci.pause.tag))
-OPA_REPO := $(or $(OPA_REPO),$(call query,git.opa.url))
-OPA_VERSION := $(or $(OPA_VERSION),$(call query,git.opa.reference))
 PACKER_VERSION := $(or $(PACKER_VERSION),$(call query,tools.packer))
diff --git a/src/cloud-api-adaptor/docker/image/Dockerfile b/src/cloud-api-adaptor/docker/image/Dockerfile
index 5ae168fb6..19e54aa9e 100644
--- a/src/cloud-api-adaptor/docker/image/Dockerfile
+++ b/src/cloud-api-adaptor/docker/image/Dockerfile
@@ -17,7 +17,3 @@ COPY ./resources/binaries-tree/pause_bundle /
 RUN curl -LO https://raw.githubusercontent.com/confidential-containers/cloud-api-adaptor/main/src/cloud-api-adaptor/podvm/qcow2/misc-settings.sh
 RUN PODVM_DISTRO=ubuntu CLOUD_PROVIDER=generic DISABLE_CLOUD_CONFIG=true bash ./misc-settings.sh
-
-# Adjust the kata-opa systemd script to run inside container env
-RUN sed -i '/StandardError=tty/ s/^/# /' /etc/systemd/system/kata-opa.service
-
diff --git a/src/cloud-api-adaptor/docs/policy.md b/src/cloud-api-adaptor/docs/policy.md
index a3d80d029..b5969001e 100644
--- a/src/cloud-api-adaptor/docs/policy.md
+++ b/src/cloud-api-adaptor/docs/policy.md
@@ -2,7 +2,7 @@ Agent Policy is a Kata Containers feature that enables the Guest VM to perform additional validation for each agent API request.
-Note: For using agent policy with peer-pods, you'll need a kata shim with agent-policy support.
+Note: For using agent policy with peer-pods, you'll need a kata shim with agent-policy support.
 # Enabling the Kata Agent Policy 
@@ -17,14 +17,10 @@ The following makefile options are available
 When compiled with default settings, the following happens
-1. The [`Open Policy Agent (OPA)`](https://www.openpolicyagent.org/) binary gets built and installed in the VM image.
+1. A default policy which allows all api is enabled
-2. The `kata-opa` service gets included in the VM image
-
-3. A default policy which allows all api is enabled
-
-Two additional policy example files are provided:
-1. allow-all-except-exec-process.rego: This policy disables the `ExecProcess` API, thereby preventing `kubectl exec` against the pod.
+Two additional policy example files are provided:
+1. allow-all-except-exec-process.rego: This policy disables the `ExecProcess` API, thereby preventing `kubectl exec` against the pod.
 2. disallow-all-except-setpolicy.rego: This policy only enables the `SetPolicy` API. The pod should provide the required policy via annotation.
 You can configure the base policy for the VM image by using the `DEFAULT_AGENT_POLICY_FILE` option.
@@ -64,7 +60,7 @@ metadata:
 name: policy-exec-rejected
 annotations:
 io.katacontainers.config.agent.policy: 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
- io.containerd.cri.runtime-handler: kata-remote
+ io.containerd.cri.runtime-handler: kata-remote
 spec:
 runtimeClassName: kata-remote
 containers:
diff --git a/src/cloud-api-adaptor/podvm-mkosi/mkosi.skeleton/usr/lib/systemd/system-preset/30-coco.preset b/src/cloud-api-adaptor/podvm-mkosi/mkosi.skeleton/usr/lib/systemd/system-preset/30-coco.preset
index faf7643e8..21a84f325 100644
--- a/src/cloud-api-adaptor/podvm-mkosi/mkosi.skeleton/usr/lib/systemd/system-preset/30-coco.preset
+++ b/src/cloud-api-adaptor/podvm-mkosi/mkosi.skeleton/usr/lib/systemd/system-preset/30-coco.preset
@@ -6,7 +6,6 @@ enable kata-agent.service
 enable netns@.service
 enable process-user-data.service
 enable setup-nat-for-imds.service
-enable kata-opa.service
 enable gen-issue.service
 enable image-env.service 
diff --git a/src/cloud-api-adaptor/podvm/Makefile.inc b/src/cloud-api-adaptor/podvm/Makefile.inc
index 12ec831b6..d9c48b1b1 100644
--- a/src/cloud-api-adaptor/podvm/Makefile.inc
+++ b/src/cloud-api-adaptor/podvm/Makefile.inc
@@ -71,13 +71,11 @@ ATTESTATION_AGENT = $(FILES_DIR)/usr/local/bin/attestation-agent
 CONFIDENTIAL_DATA_HUB = $(FILES_DIR)/usr/local/bin/confidential-data-hub
 API_SERVER_REST = $(FILES_DIR)/usr/local/bin/api-server-rest
 PROCESS_USER_DATA = $(FILES_DIR)/usr/local/bin/process-user-data
-OPA = $(FILES_DIR)/usr/local/bin/opa
 # Allow BINARIES to be overriden externally
-BINARIES ?= $(AGENT_PROTOCOL_FORWARDER) $(KATA_AGENT) $(PAUSE) $(ATTESTATION_AGENT) $(CONFIDENTIAL_DATA_HUB) $(API_SERVER_REST) $(PROCESS_USER_DATA) \
- $(OPA)
+BINARIES ?= $(AGENT_PROTOCOL_FORWARDER) $(KATA_AGENT) $(PAUSE) $(ATTESTATION_AGENT) $(CONFIDENTIAL_DATA_HUB) $(API_SERVER_REST) $(PROCESS_USER_DATA)
 $(shell sed -i "s|\(aa_kbc_params = \)\"[^\"]*\"|\1\"${AA_KBC}::${KBC_URI}\"|g" $(FILES_DIR)/etc/agent-config.toml)
@@ -90,9 +88,6 @@ SKOPEO_BIN ?= $(SKOPEO_SRC)/bin/skopeo
 UMOCI_SRC = umoci
-OPA_SRC = opa
-OPA_BUILD_TARGET := "opa_linux_$(DEB_ARCH)"
-
 # Embed the pause container image
 # https://github.com/arronwy/kata-containers/commit/75b9f3fa3caaae62f49b4733f65cbab0cc87dbee
 PAUSE_SRC = pause 
@@ -184,21 +179,6 @@ $(API_SERVER_REST): $(FORCE_TARGET) | $(GUEST_COMPONENTS_SRC)
 mkdir -p "$(@D)"
 install --compare "$(GUEST_COMPONENTS_SRC)/target/$(RUST_TARGET)/release/api-server-rest" "$@"
-# OPA binaries are not available for s390x. Hence build from source
-$(OPA_SRC):
- $(call git_clone_repo_ref,$(OPA_REPO),$(OPA_SRC),$(OPA_VERSION))
-$(OPA): $(FORCE_TARGET) | $(OPA_SRC)
-ifeq ($(AGENT_POLICY),yes)
- cd "$(OPA_SRC)" && $(MAKE) GOARCH=$(DEB_ARCH) GOOS=linux WASM_ENABLED=0 CGO_ENABLED=0 go-build
- install --compare "$(OPA_SRC)/$(OPA_BUILD_TARGET)" "$@"
- # Set default policy
- cd $(AGENT_POLICY_PATH) && ln -s -f "$(DEFAULT_AGENT_POLICY_FILE)" default-policy.rego
- # Enable the service
- cd $(FILES_DIR)/etc/systemd/system/multi-user.target.wants && ln -s -f ../kata-opa.service kata-opa.service
-
-endif
-
 clean_sources:
 [ -d "$(GUEST_COMPONENTS_SRC)" ] && cd "$(GUEST_COMPONENTS_SRC)" && git clean -xfd
 [ -d "$(KATA_AGENT_SRC)" ] && cd "$(KATA_AGENT_SRC)" && git clean -xfd
@@ -206,7 +186,6 @@ clean_sources:
 [ -d "$(PAUSE_SRC)" ] && cd "$(PAUSE_SRC)" && rm -rf *
 [ -d "$(UMOCI_SRC)" ] && cd "$(UMOCI_SRC)" && git clean -xfd -e umoci
 [ -d "$(KATA_CONTAINERS_SRC)" ] && cd "$(KATA_CONTAINERS_SRC)" && git clean -xfd
- [ -d "$(OPA_SRC)" ] && cd "$(OPA_SRC)" && git clean -xfd
 .PHONY: force always
 always force:
diff --git a/src/cloud-api-adaptor/podvm/files/etc/systemd/system/kata-opa.service b/src/cloud-api-adaptor/podvm/files/etc/systemd/system/kata-opa.service
deleted file mode 100644
index 5b7598f9f..000000000
--- a/src/cloud-api-adaptor/podvm/files/etc/systemd/system/kata-opa.service
+++ /dev/null
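Review bot: Deleting the `$(OPA)` rule in this hunk also drops the only visible step that installs the configured default agent policy, `cd $(AGENT_POLICY_PATH) && ln -s -f "$(DEFAULT_AGENT_POLICY_FILE)" default-policy.rego`, and nothing in the diff replaces it, while docs/policy.md in the same change still documents the `DEFAULT_AGENT_POLICY_FILE` option and states that a default policy is enabled. If the policy is now embedded or linked by another target (e.g. the kata-agent build, not visible here), say so where `AGENT_POLICY` and `DEFAULT_AGENT_POLICY_FILE` are handled, e.g. `# default-policy.rego is no longer linked here; the agent policy is installed by <TODO: target or path>`; otherwise the image may ship without the selected policy, which silently changes what the guest enforces. `AGENT_POLICY_PATH` and `AGENT_POLICY` no longer have a consumer in these hunks, so they should either be removed or documented as still used elsewhere. The `clean_sources` recipe continues past the end of the hunk.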
@@ -1,33 +0,0 @@
-#
-# Copyright (c) 2023 Microsoft Corporation
-#
-# SPDX-License-Identifier: Apache-2.0
-#
-
-[Unit]
-Description=Open Policy Agent for Kata Containers
-Documentation=https://github.com/kata-containers
-ConditionPathExists=/etc/kata-opa/default-policy.rego
-
-# kata-agent connects to OPA while starting up.
-Before=kata-agent.service
-
-[Service]
-Type=simple
-ExecStart=/usr/local/bin/opa run --server --disable-telemetry --addr 127.0.0.1:8181 --log-level info
-DynamicUser=yes
-RuntimeDirectory=kata-opa
-LimitNOFILE=1048576
-
-# Don't restart because there may be an active policy that would be lost.
-Restart=no
-
-# Send log output to tty to allow capturing debug logs from a VM vsock port.
-StandardError=tty
-
-# Discourage OOM-killer from touching the policy service.
-OOMScoreAdjust=-997
-
-[Install]
-WantedBy=multi-user.target
-RequiredBy=kata-agent.service
diff --git a/src/cloud-api-adaptor/versions.yaml b/src/cloud-api-adaptor/versions.yaml
index 5f9479d59..78641746c 100644
--- a/src/cloud-api-adaptor/versions.yaml
+++ b/src/cloud-api-adaptor/versions.yaml
@@ -39,9 +39,6 @@ git:
 skopeo:
 url: https://github.com/containers/skopeo
 reference: v1.5.0
- opa:
- url: https://github.com/open-policy-agent/opa
- reference: v0.58.0
 kbs:
 url: https://github.com/confidential-containers/trustee
 reference: dc01f454264fb4350e5f69eba05683a9a1882c41