Add policy support to peer-pods #1607

Merged
merged 8 commits into from
Jan 10, 2024
Merged
2 changes: 2 additions & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ umoci
skopeo
volumes/csi-wrapper/build
volumes/csi-wrapper/vendor
opa/

# Binaries
agent-protocol-forwarder
Expand All @@ -19,6 +20,7 @@ cluster-provisioner
confidential-data-hub
kata-agent
process-user-data
opa

# The code files under cmd are not ignored
!/cmd/*
1 change: 1 addition & 0 deletions Makefile
Expand Up @@ -221,6 +221,7 @@ podvm-binaries:
--build-arg PODVM_DISTRO=$(PODVM_DISTRO) \
--build-arg ARCH=$(ARCH) \
--build-arg AA_KBC=$(AA_KBC) \
--build-arg DEFAULT_AGENT_POLICY_FILE=$(DEFAULT_AGENT_POLICY_FILE) \
$(DOCKER_OPTS) .

podvm-image:
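Review bot: `--build-arg DEFAULT_AGENT_POLICY_FILE=$(DEFAULT_AGENT_POLICY_FILE)` passes an empty value when the caller has not set the variable, and nothing in this diff gives it a top-level default (Makefile.defaults only adds OPA_REPO/OPA_VERSION). An empty `--build-arg` overrides the `ARG DEFAULT_AGENT_POLICY_FILE=allow-all.rego` default in the Dockerfiles, the `ENV` line then exports an empty variable, and inside the container `DEFAULT_AGENT_POLICY_FILE ?= allow-all.rego` in podvm/Makefile.inc does not fire because an empty environment variable still counts as defined; the symlink step would then run `ln -s -f default-policy.rego` with a single argument and produce a self-referencing link. Add `DEFAULT_AGENT_POLICY_FILE ?= allow-all.rego` to Makefile.defaults, or only pass the build-arg when the variable is non-empty.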
2 changes: 2 additions & 0 deletions Makefile.defaults
Expand Up @@ -49,3 +49,5 @@ GUEST_COMPONENTS_REPO := $(or $(GUEST_COMPONENTS_REPO),$(call query,git.guest-co
GUEST_COMPONENTS_VERSION := $(or $(GUEST_COMPONENTS_VERSION),$(call query,git.guest-components.reference))
PAUSE_REPO := $(or $(PAUSE_REPO),$(call query,oci.pause.registry))
PAUSE_VERSION := $(or $(PAUSE_VERSION),$(call query,oci.pause.tag))
OPA_REPO := $(or $(OPA_REPO),$(call query,git.opa.url))
OPA_VERSION := $(or $(OPA_VERSION),$(call query,git.opa.reference))
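Review bot: `OPA_REPO` and `OPA_VERSION` are resolved through `$(call query,git.opa.url)` and `$(call query,git.opa.reference)`, but the versions file those keys live in is not part of this diff, so please confirm the keys were added and that `git.opa.reference` pins a tag or commit rather than a branch. The OPA binary is the guest-side policy engine, so a moving reference would make the pod VM image non-reproducible for exactly the component that enforces the policy.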
92 changes: 92 additions & 0 deletions docs/policy.md
@@ -0,0 +1,92 @@
# Kata Agent Policy

Agent Policy is a Kata Containers feature that enables the Guest VM to perform additional validation for each agent API request.

Note: For using agent policy with peer-pods, you'll need a kata shim with agent-policy support.

# Enabling the Kata Agent Policy

The following makefile options are available

- AGENT_POLICY option for building the kata-agent with policy support.
This is enabled by default

- DEFAULT_AGENT_POLICY_FILE option to specify the policy file to be used as default.
The default policy file is allow-all.rego


When compiled with default settings, the following happens

1. The [`Open Policy Agent (OPA)`](https://www.openpolicyagent.org/) binary gets built and installed in the VM image.

2. The `kata-opa` service gets included in the VM image

3. A default policy which allows all api is enabled

Two additional policy example files are provided:
1. allow-all-except-exec-process.rego: This policy disables the `ExecProcess` API, thereby preventing `kubectl exec` against the pod.
2. disallow-all-except-setpolicy.rego: This policy only enables the `SetPolicy` API. The pod should provide the required policy via annotation.

You can configure the base policy for the VM image by using the `DEFAULT_AGENT_POLICY_FILE` option.

For example, to create the Azure VM image with the default policy as `disallow-all-except-setpolicy.rego`, you
can run the following command

```
cd azure/image
CLOUD_PROVIDER=azure PODVM_DISTRO=ubuntu DEFAULT_AGENT_POLICY_FILE=disallow-all-except-setpolicy.rego make image
```

## Specify Policy as a Kubernetes `YAML` annotation

Kubernetes users can encode in `base64` format their Policy documents, and add the encoded string as an annotation. Example:

### Encode a Policy file

For example, the
[`allow-all-except-exec-process.rego`](../podvm/files/etc/kata-opa/allow-all-except-exec-process.rego)
sample policy file is different from the [default
Policy](../podvm/files/etc/kata-opa/allow-all.rego) because it rejects any `ExecProcess`
requests. You can encode this policy file:

```bash
$ base64 -w 0 allow-all-except-exec-process.rego
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
```

### Attach the Policy to a pod

Add the encoded Policy to your `YAML` file - e.g., `pod1.yaml`:

```yaml
apiVersion: v1
kind: Pod
metadata:
name: policy-exec-rejected
annotations:
io.katacontainers.config.agent.policy: 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
io.containerd.cri.runtime-handler: kata-remote
spec:
runtimeClassName: kata-remote
containers:
- name: first-test-container
image: quay.io/prometheus/busybox:latest
command:
- sleep
- "120"
```

Create the pod:

```bash
$ kubectl apply -f pod1.yaml
```

While creating the Pod sandbox, the Kata Shim will notice the
`io.katacontainers.config.agent.policy` annotation and will send the Policy
document to the Kata Agent - by sending a `SetPolicy` request. Note that this
request will fail if the default Policy, included in the Guest image, doesn't
allow this `SetPolicy` request. If the `SetPolicy` request is rejected by the
Guest, the Kata Shim will fail to start the Pod sandbox.


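Review bot: the document says the default image ships `allow-all.rego` ("A default policy which allows all api is enabled") and that `SetPolicy` is rejected only when the default policy disallows it, but it never spells out the consequence: with the default image, anyone who can set the `io.katacontainers.config.agent.policy` annotation on a pod can replace the guest policy wholesale. Add a sentence to that effect and point readers to `disallow-all-except-setpolicy.rego` (or any policy that denies `SetPolicy`) for images where the policy must be fixed at build time. Smaller points: `# Enabling the Kata Agent Policy` is a second H1 and should be `##` under the `# Kata Agent Policy` title, "allows all api" should read "allows all APIs", the two makefile options should be formatted as `AGENT_POLICY` and `DEFAULT_AGENT_POLICY_FILE` like the other identifiers, and the trailing "Example:" in "Kubernetes users can encode in `base64` format their Policy documents, and add the encoded string as an annotation. Example:" dangles before the next subheading.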
2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -21,6 +21,7 @@ require (
github.com/coreos/go-iptables v0.6.0
github.com/gogo/protobuf v1.3.2
github.com/google/uuid v1.3.0
github.com/kata-containers/kata-containers/src/runtime v0.0.0-20231130163424-59d733fafdf6
github.com/opencontainers/runtime-spec v1.1.0-rc.1
github.com/stretchr/testify v1.8.4
github.com/vishvananda/netlink v1.2.1-beta.2
Expand Down Expand Up @@ -50,7 +51,6 @@ require (
github.com/aws/aws-sdk-go-v2/service/s3 v1.38.5
github.com/confidential-containers/cloud-api-adaptor/peerpod-ctrl v0.0.0-20230329054732-0d6eda047e81
github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f
github.com/kata-containers/kata-containers/src/runtime v0.0.0-20231109143605-6c2a2a14fe78
github.com/kdomanski/iso9660 v0.3.5
github.com/moby/sys/mountinfo v0.6.2
github.com/pelletier/go-toml/v2 v2.1.0
4 changes: 2 additions & 2 deletions go.sum
Expand Up @@ -1211,8 +1211,8 @@ github.com/karrick/godirwalk v1.8.0/go.mod h1:H5KPZjojv4lE+QYImBI8xVtrBRgYrIVsaR
github.com/karrick/godirwalk v1.10.3/go.mod h1:RoGL9dQei4vP9ilrpETWE8CLOZ1kiN0LhBygSwrAsHA=
github.com/karrick/godirwalk v1.15.3/go.mod h1:j4mkqPuvaLI8mp1DroR3P6ad7cyYd4c1qeJ3RV7ULlk=
github.com/karrick/godirwalk v1.16.1/go.mod h1:j4mkqPuvaLI8mp1DroR3P6ad7cyYd4c1qeJ3RV7ULlk=
github.com/kata-containers/kata-containers/src/runtime v0.0.0-20231109143605-6c2a2a14fe78 h1:fnkxqwsxbHFB/wpeE4j3xzdWEUpr3udU7Higo7lvUVc=
github.com/kata-containers/kata-containers/src/runtime v0.0.0-20231109143605-6c2a2a14fe78/go.mod h1:4i+EBdCeAg34WOxQMjiJ9e7ZtwtI7C5ZSK4tg70hoeE=
github.com/kata-containers/kata-containers/src/runtime v0.0.0-20231130163424-59d733fafdf6 h1:d0LL5U1MfT9IpyAVU3nOetUJjxrFugwmlWop8Tyzs7o=
github.com/kata-containers/kata-containers/src/runtime v0.0.0-20231130163424-59d733fafdf6/go.mod h1:4i+EBdCeAg34WOxQMjiJ9e7ZtwtI7C5ZSK4tg70hoeE=
github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8=
github.com/kdomanski/iso9660 v0.3.5 h1:LO1n75zPjLeDQkz0Pyk1eZ7JGinjKjk2C174GSABVwY=
github.com/kdomanski/iso9660 v0.3.5/go.mod h1:K+UlIGxKgtrdAWyoigPnFbeQLVs/Xudz4iztWFThBwo=
4 changes: 4 additions & 0 deletions pkg/adaptor/proxy/proxy_test.go
Expand Up @@ -382,3 +382,7 @@ func (m *agentMock) Check(ctx context.Context, req *pb.CheckRequest) (*pb.Health
func (m *agentMock) Version(ctx context.Context, req *pb.CheckRequest) (*pb.VersionCheckResponse, error) {
return &pb.VersionCheckResponse{}, nil
}

func (m *agentMock) SetPolicy(ctx context.Context, req *pb.SetPolicyRequest) (res *types.Empty, err error) {
return &types.Empty{}, nil
}
13 changes: 13 additions & 0 deletions pkg/adaptor/proxy/service.go
Expand Up @@ -206,6 +206,19 @@ func isNodePublishVolumeTargetPath(volumePath, directVolumesDir string) bool {
return err == nil
}

func (s *proxyService) SetPolicy(ctx context.Context, req *pb.SetPolicyRequest) (*types.Empty, error) {

logger.Printf("SetPolicy: policy:%s", req.Policy)

res, err := s.Redirector.SetPolicy(ctx, req)

if err != nil {
logger.Printf("SetPolicy fails: %v", err)
}

return res, err
}

func (s *proxyService) StartContainer(ctx context.Context, req *pb.StartContainerRequest) (*types.Empty, error) {

logger.Printf("StartContainer: containerID:%s", req.ContainerId)
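Review bot: `logger.Printf("SetPolicy: policy:%s", req.Policy)` writes the whole Rego document to the log on every call, whereas the neighbouring handlers log only an identifier (`logger.Printf("StartContainer: containerID:%s", req.ContainerId)`). Policies run to kilobytes (the base64 blob in docs/policy.md gives an idea) and this path is hit on every sandbox start that carries the annotation, so log `len(req.Policy)` or a digest at this level and keep the full text for a debug setting.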
4 changes: 4 additions & 0 deletions pkg/adaptor/shim_test.go
Expand Up @@ -520,6 +520,10 @@ func (s *agentService) PullImage(ctx context.Context, req *agent.PullImageReques
log.Printf("agent call: PullImage %#v", req)
return &types.Empty{}, nil
}
func (s *agentService) SetPolicy(ctx context.Context, req *agent.SetPolicyRequest) (*types.Empty, error) {
log.Printf("agent call: SetPolicy %#v", req)
return &types.Empty{}, nil
}

type healthService struct{}

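Review bot: the new `func (s *agentService) SetPolicy(...)` starts directly on the line after `PullImage`'s closing brace; add the blank line between functions that the rest of the file uses, then the mock matches the `SetPolicy` stubs added in proxy_test.go and redirector.go.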
8 changes: 8 additions & 0 deletions pkg/util/agentproto/redirector.go
Expand Up @@ -410,3 +410,11 @@ func (s *redirector) Version(ctx context.Context, req *pb.CheckRequest) (res *pb
}
return s.agentClient.Version(ctx, req)
}

func (s *redirector) SetPolicy(ctx context.Context, req *pb.SetPolicyRequest) (res *types.Empty, err error) {

if err := s.Connect(ctx); err != nil {
return nil, err
}
return s.agentClient.SetPolicy(ctx, req)
}
1 change: 1 addition & 0 deletions podvm-mkosi/Makefile
Expand Up @@ -23,6 +23,7 @@ binaries:
docker buildx build \
--build-arg BUILDER_IMG=fedora-binaries-builder \
--build-arg AA_KBC=$(AA_KBC) \
--build-arg DEFAULT_AGENT_POLICY_FILE=$(DEFAULT_AGENT_POLICY_FILE) \
-o type=local,dest="./resources/binaries-tree" \
- < ../podvm/Dockerfile.podvm_binaries.fedora

Expand Up @@ -4,6 +4,7 @@ enable kata-agent.service
enable netns@.service
enable process-user-data.service
enable setup-nat-for-imds.service
enable kata-opa.service

enable gen-issue.service
enable image-env.service
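Review bot: `enable kata-opa.service` is unconditional in this mkosi preset, while podvm/Makefile.inc only creates the `kata-opa.service` symlink and the `default-policy.rego` link inside `ifeq ($(AGENT_POLICY),yes)`. An mkosi image built with `AGENT_POLICY=no` would therefore enable a service whose binary and default policy are never installed. Either make the preset entry conditional in the same way or state in docs/policy.md that the mkosi build path requires `AGENT_POLICY=yes`.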
5 changes: 5 additions & 0 deletions podvm/Dockerfile.podvm_binaries
Expand Up @@ -12,9 +12,14 @@ ARG PODVM_DISTRO=ubuntu
ARG AA_KBC=offline_fs_kbc
# If not provided, uses system architecture
ARG ARCH
#This is the name of the policy file under
#files/etc/kata-opa
ARG DEFAULT_AGENT_POLICY_FILE=allow-all.rego

ENV PODVM_DISTRO ${PODVM_DISTRO}
ENV AA_KBC ${AA_KBC}
ENV ARCH ${ARCH}
ENV DEFAULT_AGENT_POLICY_FILE ${DEFAULT_AGENT_POLICY_FILE}

COPY . /src/cloud-api-adaptor

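Review bot: the two comment lines `#This is the name of the policy file under` / `#files/etc/kata-opa` drop the space after `#` that the neighbouring `# If not provided, uses system architecture` comment uses; the same two lines are repeated verbatim in Dockerfile.podvm_binaries.fedora and Dockerfile.podvm_binaries.rhel, so fix all three together.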
4 changes: 4 additions & 0 deletions podvm/Dockerfile.podvm_binaries.fedora
Expand Up @@ -15,13 +15,17 @@ ARG GUEST_COMPONENTS_REPO
ARG AA_KBC="offline_fs_kbc"
# If not provided, uses system architecture
ARG ARCH
#This is the name of the policy file under
#files/etc/kata-opa
ARG DEFAULT_AGENT_POLICY_FILE=allow-all.rego

ENV CLOUD_PROVIDER ${CLOUD_PROVIDER}
ENV PODVM_DISTRO ${PODVM_DISTRO}
ENV GUEST_COMPONENTS_VERSION ${GUEST_COMPONENTS_VERSION}
ENV GUEST_COMPONENTS_REPO ${GUEST_COMPONENTS_REPO}
ENV AA_KBC ${AA_KBC}
ENV ARCH ${ARCH}
ENV DEFAULT_AGENT_POLICY_FILE ${DEFAULT_AGENT_POLICY_FILE}

# Set these as they are required in the Makefile
ENV IMAGE_URL "none"
5 changes: 5 additions & 0 deletions podvm/Dockerfile.podvm_binaries.rhel
Expand Up @@ -12,9 +12,14 @@ ARG PODVM_DISTRO=rhel
ARG AA_KBC="offline_fs_kbc"
# If not provided, uses system architecture
ARG ARCH
#This is the name of the policy file under
#files/etc/kata-opa
ARG DEFAULT_AGENT_POLICY_FILE=allow-all.rego

ENV PODVM_DISTRO ${PODVM_DISTRO}
ENV AA_KBC ${AA_KBC}
ENV ARCH ${ARCH}
ENV DEFAULT_AGENT_POLICY_FILE ${DEFAULT_AGENT_POLICY_FILE}

COPY . /src/cloud-api-adaptor

2 changes: 2 additions & 0 deletions podvm/Makefile
Expand Up @@ -82,4 +82,6 @@ $(IMAGE_FILE): $(BINARIES) $(FILES) setopts
clean:
rm -f "$(IMAGE_FILE)" "$(UBUNTU_IMAGE_FILE)" $(BINARIES)
rm -fr "$(SKOPEO_SRC)" "$(UMOCI_SRC)" "$(PAUSE_SRC)" "$(FILES_DIR)/$(PAUSE_BUNDLE)"
rm -fr "$(OPA_SRC)"


32 changes: 30 additions & 2 deletions podvm/Makefile.inc
Expand Up @@ -32,8 +32,14 @@ RUST_TARGET := $(RUST_ARCH)-unknown-linux-$(LIBC)
CDH_RESOURCE_PROVIDER ?= kbs
SEALED_SECRET ?= yes

AGENT_POLICY ?= yes
AGENT_POLICY_PATH := $(FILES_DIR)/etc/kata-opa
DEFAULT_AGENT_POLICY_FILE ?= allow-all.rego


FORCE_TARGET := $(if $(FORCE),force,)


ifneq ($(HOST_ARCH),$(ARCH))
ifeq ($(CC),cc)
CC := $(ARCH)-linux-$(LIBC)-gcc
Expand Down Expand Up @@ -64,10 +70,13 @@ ATTESTATION_AGENT = $(FILES_DIR)/usr/local/bin/attestation-agent
CONFIDENTIAL_DATA_HUB = $(FILES_DIR)/usr/local/bin/confidential-data-hub
API_SERVER_REST = $(FILES_DIR)/usr/local/bin/api-server-rest
PROCESS_USER_DATA = $(FILES_DIR)/usr/local/bin/process-user-data
OPA = $(FILES_DIR)/usr/local/bin/opa


# Allow BINARIES to be overriden externally

BINARIES ?= $(AGENT_PROTOCOL_FORWARDER) $(KATA_AGENT) $(PAUSE) $(ATTESTATION_AGENT) $(CONFIDENTIAL_DATA_HUB) $(API_SERVER_REST) $(PROCESS_USER_DATA)
BINARIES ?= $(AGENT_PROTOCOL_FORWARDER) $(KATA_AGENT) $(PAUSE) $(ATTESTATION_AGENT) $(CONFIDENTIAL_DATA_HUB) $(API_SERVER_REST) $(PROCESS_USER_DATA) \
$(OPA)

$(shell sed -i "s|\(aa_kbc_params = \)\"[^\"]*\"|\1\"${AA_KBC}::${KBC_URI}\"|g" $(FILES_DIR)/etc/agent-config.toml)

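Review bot: `$(OPA)` is appended to `BINARIES` unconditionally, but the `$(OPA)` recipe later in this file is wrapped in `ifeq ($(AGENT_POLICY),yes)`. With `AGENT_POLICY=no` make still clones `$(OPA_SRC)` (it is an order-only prerequisite outside the conditional) and then treats `$(OPA)` as made without producing a file, so any later step that installs every entry of `BINARIES` fails on the missing binary. Add `$(OPA)` to `BINARIES` only when `AGENT_POLICY` is `yes`, for example with an `ifeq` block that does `BINARIES += $(OPA)` after the `?=` assignment.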
Expand All @@ -80,6 +89,9 @@ SKOPEO_BIN ?= $(SKOPEO_SRC)/bin/skopeo

UMOCI_SRC = umoci

OPA_SRC = opa
OPA_BUILD_TARGET := "opa_linux_$(DEB_ARCH)"

# Embed the pause container image
# https://github.com/arronwy/kata-containers/commit/75b9f3fa3caaae62f49b4733f65cbab0cc87dbee
PAUSE_SRC = pause
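Review bot: `OPA_BUILD_TARGET := "opa_linux_$(DEB_ARCH)"` stores the double quotes as part of the value, so `install --compare "$(OPA_SRC)/$(OPA_BUILD_TARGET)" "$@"` expands to `"opa/"opa_linux_amd64""`. The shell happens to concatenate that into the intended path, but it breaks as soon as the variable is used unquoted or inside a make function. Drop the quotes from the assignment, as the other `*_SRC` variables in this hunk do.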
Expand Down Expand Up @@ -119,7 +131,7 @@ $(PROCESS_USER_DATA): always
install -D --compare "$(ROOT_DIR)/process-user-data" "$@"

$(KATA_AGENT): $(FORCE_TARGET) | $(STATIC_LIBSECCOMP)
cd "$(KATA_AGENT_SRC)" && $(RUST_FLAGS) $(MAKE) BUILD_TYPE=$(KATA_AGENT_BUILD_TYPE) SEALED_SECRET=${SEALED_SECRET} LIBSECCOMP_LINK_TYPE=static LIBSECCOMP_LIB_PATH=$(dir $(STATIC_LIBSECCOMP))
cd "$(KATA_AGENT_SRC)" && $(RUST_FLAGS) $(MAKE) BUILD_TYPE=$(KATA_AGENT_BUILD_TYPE) SEALED_SECRET=${SEALED_SECRET} AGENT_POLICY=${AGENT_POLICY} LIBSECCOMP_LINK_TYPE=static LIBSECCOMP_LIB_PATH=$(dir $(STATIC_LIBSECCOMP))
install -D --compare "$(KATA_AGENT_SRC)/target/$(RUST_TARGET)/$(KATA_AGENT_BUILD_TYPE)/$(@F)" "$@"

$(STATIC_LIBSECCOMP): $(KATA_CONTAINERS_SRC)
Expand Down Expand Up @@ -166,13 +178,29 @@ $(API_SERVER_REST): $(FORCE_TARGET) | $(GUEST_COMPONENTS_SRC)
mkdir -p "$(@D)"
install --compare "$(GUEST_COMPONENTS_SRC)/target/$(RUST_TARGET)/release/api-server-rest" "$@"

# OPA binaries are not available for s390x. Hence build from source
$(OPA_SRC):
$(call git_clone_repo_ref,$(OPA_REPO),$(OPA_SRC),$(OPA_VERSION))

$(OPA): $(FORCE_TARGET) | $(OPA_SRC)
ifeq ($(AGENT_POLICY),yes)
cd "$(OPA_SRC)" && $(MAKE) GOARCH=$(DEB_ARCH) GOOS=linux WASM_ENABLED=0 CGO_ENABLED=0 go-build
install --compare "$(OPA_SRC)/$(OPA_BUILD_TARGET)" "$@"
# Set default policy
cd $(AGENT_POLICY_PATH) && ln -s -f $(DEFAULT_AGENT_POLICY_FILE) default-policy.rego
# Enable the service
cd $(FILES_DIR)/etc/systemd/system/multi-user.target.wants && ln -s -f ../kata-opa.service kata-opa.service

endif

clean_sources:
[ -d "$(GUEST_COMPONENTS_SRC)" ] && cd "$(GUEST_COMPONENTS_SRC)" && git clean -xfd
[ -d "$(KATA_AGENT_SRC)" ] && cd "$(KATA_AGENT_SRC)" && git clean -xfd
[ -d "$(ROOT_DIR)" ] && cd "$(ROOT_DIR)" && git clean -xfd -e podvm
[ -d "$(PAUSE_SRC)" ] && cd "$(PAUSE_SRC)" && rm -rf *
[ -d "$(UMOCI_SRC)" ] && cd "$(UMOCI_SRC)" && git clean -xfd -e umoci
[ -d "$(KATA_CONTAINERS_SRC)" ] && cd "$(KATA_CONTAINERS_SRC)" && git clean -xfd
[ -d "$(OPA_SRC)" ] && cd "$(OPA_SRC)" && git clean -xfd

.PHONY: force always
always force:
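Review bot: `cd $(AGENT_POLICY_PATH) && ln -s -f $(DEFAULT_AGENT_POLICY_FILE) default-policy.rego` creates the link without checking that the named file exists under `$(AGENT_POLICY_PATH)`, so a misspelled `DEFAULT_AGENT_POLICY_FILE` yields a dangling `default-policy.rego` and an image whose agent comes up without a loadable policy. Guard it with `test -f "$(AGENT_POLICY_PATH)/$(DEFAULT_AGENT_POLICY_FILE)"` so the build fails instead, and quote the `cd` argument as the surrounding recipes do.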
5 changes: 3 additions & 2 deletions podvm/files/etc/agent-config.toml
Expand Up @@ -44,5 +44,6 @@ allowed = [
"UpdateInterfaceRequest",
"UpdateRoutesRequest",
"WaitProcessRequest",
"WriteStreamRequest"
]
"WriteStreamRequest",
"SetPolicyRequest"
]
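Review bot: adding `"SetPolicyRequest"` to the `allowed` endpoint list is what lets the shim's `SetPolicy` call reach the agent at all, and it means the loaded Rego policy becomes the only gate on replacing the policy. A one-line comment above the entry saying so, and that `disallow-all-except-setpolicy.rego` (or any policy denying `SetPolicy`) is how to close it, would help anyone auditing this file without reading docs/policy.md.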