podvm: add agent-policy README.md

and example files Signed-off-by: Snir Sheriber <ssheribe@redhat.com>
openshift · Jul 24, 2024 · 93432fc · 93432fc
1 parent b90618e
commit 93432fc
Show file tree

Hide file tree

Showing 3 changed files with 130 additions and 0 deletions.
diff --git a/config/peerpods/podvm/agent-policy/README.md b/config/peerpods/podvm/agent-policy/README.md
@@ -0,0 +1,53 @@
+# Kata Agent Policy
+
+Agent Policy is a Kata Containers feature that enables the Guest VM to perform additional validation
+for each agent API request. A custom agent policy can be set either by a policy file provided at
+image creation time or through pod annotations.
+
+## Set Policy At Image Creation
+
+By default Openshift Sandboxed Container sets preconfigured policy, Peer-Pods images will be set with an
+allow-all policy while CoCo images will be set with an allow-all exept for the `ReadStreamRequest` and
+`ExecProcessRequest` calls.
+
+To set custom policy at image creation time, make sure to encode the policy file (e.g.,
+[allow-all-except-exec-process.rego](allow-all-except-exec-process.rego)) in base64 format and set it as
+the value for the AGENT_POLICY key in your `<azure/aws-podvm>-image-cm` ConfigMap.
+
+```sh
+ENCODED_POLICY=$(cat allow-all-except-exec-process.rego | base64 -w 0)
+kubectl patch cm aws-podvm-image-cm -p "{\"data\":{\"AGENT_POLICY\":\"${ENCODED_POLICY}\"}}" -n openshift-sandboxed-containers-operator
+```
+
+## Set Policy Via Pod Annotation
+
+As long as the `SetPolicyRequest` call was not disabled at image creation time, users set custom
+policy through annotation at pod creation time. To set policy through annotation, encode your policy
+file (e.g., [allow-all-except-exec-process.rego](allow-all-except-exec-process.rego)) in base64 format
+and set it to the `io.katacontainers.config.agent.policy` annotation.
+
+**note:** annotation policy will override any previous policy (as long as `SetPolicyRequest` is allowed)
+
+```sh
+ENCODED_POLICY=$(cat allow-all-except-exec-process.rego | base64 -w 0)
+cat <<-EOF | kubectl apply -f -
+apiVersion: v1
+kind: Pod
+metadata:
+  name: sleep
+  annotations:
+    io.containerd.cri.runtime-handler: kata-remote
+    io.katacontainers.config.agent.policy: ${ENCODED_POLICY}
+spec:
+  runtimeClassName: kata-remote
+  containers:
+    - name: sleeping
+      image: fedora
+      command: ["sleep"]
+      args: ["infinity"]
+EOF
+```
+
+## Example Policies
+- [allow-all.rego](allow-all.rego)
+- [allow-all-except-exec-process.rego](allow-all-except-exec-process.rego)
diff --git a/config/peerpods/podvm/agent-policy/allow-all-except-exec-process.rego b/config/peerpods/podvm/agent-policy/allow-all-except-exec-process.rego
@@ -0,0 +1,39 @@
+package agent_policy
+
+default AddARPNeighborsRequest := true
+default AddSwapRequest := true
+default CloseStdinRequest := true
+default CopyFileRequest := true
+default CreateContainerRequest := true
+default CreateSandboxRequest := true
+default DestroySandboxRequest := true
+default GetMetricsRequest := true
+default GetOOMEventRequest := true
+default GuestDetailsRequest := true
+default ListInterfacesRequest := true
+default ListRoutesRequest := true
+default MemHotplugByProbeRequest := true
+default OnlineCPUMemRequest := true
+default PauseContainerRequest := true
+default PullImageRequest := true
+default ReadStreamRequest := true
+default RemoveContainerRequest := true
+default RemoveStaleVirtiofsShareMountsRequest := true
+default ReseedRandomDevRequest := true
+default ResumeContainerRequest := true
+default SetGuestDateTimeRequest := true
+default SetPolicyRequest := true
+default SignalProcessRequest := true
+default StartContainerRequest := true
+default StartTracingRequest := true
+default StatsContainerRequest := true
+default StopTracingRequest := true
+default TtyWinResizeRequest := true
+default UpdateContainerRequest := true
+default UpdateEphemeralMountsRequest := true
+default UpdateInterfaceRequest := true
+default UpdateRoutesRequest := true
+default WaitProcessRequest := true
+default WriteStreamRequest := true
+
+default ExecProcessRequest := false
diff --git a/config/peerpods/podvm/agent-policy/allow-all.rego b/config/peerpods/podvm/agent-policy/allow-all.rego
@@ -0,0 +1,38 @@
+package agent_policy
+
+default AddARPNeighborsRequest := true
+default AddSwapRequest := true
+default CloseStdinRequest := true
+default CopyFileRequest := true
+default CreateContainerRequest := true
+default CreateSandboxRequest := true
+default DestroySandboxRequest := true
+default ExecProcessRequest := true
+default GetMetricsRequest := true
+default GetOOMEventRequest := true
+default GuestDetailsRequest := true
+default ListInterfacesRequest := true
+default ListRoutesRequest := true
+default MemHotplugByProbeRequest := true
+default OnlineCPUMemRequest := true
+default PauseContainerRequest := true
+default PullImageRequest := true
+default ReadStreamRequest := true
+default RemoveContainerRequest := true
+default RemoveStaleVirtiofsShareMountsRequest := true
+default ReseedRandomDevRequest := true
+default ResumeContainerRequest := true
+default SetGuestDateTimeRequest := true
+default SetPolicyRequest := true
+default SignalProcessRequest := true
+default StartContainerRequest := true
+default StartTracingRequest := true
+default StatsContainerRequest := true
+default StopTracingRequest := true
+default TtyWinResizeRequest := true
+default UpdateContainerRequest := true
+default UpdateEphemeralMountsRequest := true
+default UpdateInterfaceRequest := true
+default UpdateRoutesRequest := true
+default WaitProcessRequest := true
+default WriteStreamRequest := true