From 93432fc460b3d18c705e6c9bbe138cee50e174ee Mon Sep 17 00:00:00 2001
From: Snir Sheriber
Date: Wed, 24 Jul 2024 12:14:31 +0300
Subject: [PATCH] podvm: add agent-policy README.md and example files

Signed-off-by: Snir Sheriber
---
 config/peerpods/podvm/agent-policy/README.md | 53 +++++++++++++++++++
 .../allow-all-except-exec-process.rego | 39 ++++++++++++++
 .../podvm/agent-policy/allow-all.rego | 38 +++++++++++++
 3 files changed, 130 insertions(+)
 create mode 100644 config/peerpods/podvm/agent-policy/README.md
 create mode 100644 config/peerpods/podvm/agent-policy/allow-all-except-exec-process.rego
 create mode 100644 config/peerpods/podvm/agent-policy/allow-all.rego

diff --git a/config/peerpods/podvm/agent-policy/README.md b/config/peerpods/podvm/agent-policy/README.md
new file mode 100644
index 00000000..7c259a4c
--- /dev/null
+++ b/config/peerpods/podvm/agent-policy/README.md
@@ -0,0 +1,53 @@
+# Kata Agent Policy
+
+Agent Policy is a Kata Containers feature that enables the Guest VM to perform additional validation
+for each agent API request. A custom agent policy can be set either by a policy file provided at
+image creation time or through pod annotations.
+
+## Set Policy At Image Creation
+
+By default Openshift Sandboxed Container sets preconfigured policy, Peer-Pods images will be set with an
+allow-all policy while CoCo images will be set with an allow-all exept for the `ReadStreamRequest` and
+`ExecProcessRequest` calls.
+
+To set custom policy at image creation time, make sure to encode the policy file (e.g.,
+[allow-all-except-exec-process.rego](allow-all-except-exec-process.rego)) in base64 format and set it as
+the value for the AGENT_POLICY key in your `-image-cm` ConfigMap.
+
+```sh
+ENCODED_POLICY=$(cat allow-all-except-exec-process.rego | base64 -w 0)
+kubectl patch cm aws-podvm-image-cm -p "{\"data\":{\"AGENT_POLICY\":\"${ENCODED_POLICY}\"}}" -n openshift-sandboxed-containers-operator
+```
+
+## Set Policy Via Pod Annotation
+
+As long as the `SetPolicyRequest` call was not disabled at image creation time, users set custom
+policy through annotation at pod creation time. To set policy through annotation, encode your policy
+file (e.g., [allow-all-except-exec-process.rego](allow-all-except-exec-process.rego)) in base64 format
+and set it to the `io.katacontainers.config.agent.policy` annotation.
+
+**note:** annotation policy will override any previous policy (as long as `SetPolicyRequest` is allowed)
+
+```sh
+ENCODED_POLICY=$(cat allow-all-except-exec-process.rego | base64 -w 0)
+cat <<-EOF | kubectl apply -f -
+apiVersion: v1
+kind: Pod
+metadata:
+  name: sleep
+  annotations:
+    io.containerd.cri.runtime-handler: kata-remote
+    io.katacontainers.config.agent.policy: ${ENCODED_POLICY}
+spec:
+  runtimeClassName: kata-remote
+  containers:
+  - name: sleeping
+    image: fedora
+    command: ["sleep"]
+    args: ["infinity"]
+EOF
+```
+
+## Example Policies
+- [allow-all.rego](allow-all.rego)
+- [allow-all-except-exec-process.rego](allow-all-except-exec-process.rego)
diff --git a/config/peerpods/podvm/agent-policy/allow-all-except-exec-process.rego b/config/peerpods/podvm/agent-policy/allow-all-except-exec-process.rego
new file mode 100644
index 00000000..ec3bf15a
--- /dev/null
+++ b/config/peerpods/podvm/agent-policy/allow-all-except-exec-process.rego
@@ -0,0 +1,39 @@
+package agent_policy
+
+default AddARPNeighborsRequest := true
+default AddSwapRequest := true
+default CloseStdinRequest := true
+default CopyFileRequest := true
+default CreateContainerRequest := true
+default CreateSandboxRequest := true
+default DestroySandboxRequest := true
+default GetMetricsRequest := true
+default GetOOMEventRequest := true
+default GuestDetailsRequest := true
+default ListInterfacesRequest := true
+default ListRoutesRequest := true
+default MemHotplugByProbeRequest := true
+default OnlineCPUMemRequest := true
+default PauseContainerRequest := true
+default PullImageRequest := true
+default ReadStreamRequest := true
+default RemoveContainerRequest := true
+default RemoveStaleVirtiofsShareMountsRequest := true
+default ReseedRandomDevRequest := true
+default ResumeContainerRequest := true
+default SetGuestDateTimeRequest := true
+default SetPolicyRequest := true
+default SignalProcessRequest := true
+default StartContainerRequest := true
+default StartTracingRequest := true
+default StatsContainerRequest := true
+default StopTracingRequest := true
+default TtyWinResizeRequest := true
+default UpdateContainerRequest := true
+default UpdateEphemeralMountsRequest := true
+default UpdateInterfaceRequest := true
+default UpdateRoutesRequest := true
+default WaitProcessRequest := true
+default WriteStreamRequest := true
+
+default ExecProcessRequest := false
diff --git a/config/peerpods/podvm/agent-policy/allow-all.rego b/config/peerpods/podvm/agent-policy/allow-all.rego
new file mode 100644
index 00000000..7ac8134f
--- /dev/null
+++ b/config/peerpods/podvm/agent-policy/allow-all.rego
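Review bot: `default SetPolicyRequest := true` is kept in this otherwise restrictive example, so the `default ExecProcessRequest := false` rule at the end of the file holds only until a later SetPolicyRequest replaces the whole policy, which the README in this same commit says a pod annotation can do whenever SetPolicyRequest is allowed. Nothing in the file says whether that is intentional. Suggest a header comment after `package agent_policy`: `# Example policy: every agent API request is allowed except ExecProcessRequest.` followed by `# SetPolicyRequest stays enabled, so a pod annotation can replace this policy; set it to false to make the restriction final.` `ReadStreamRequest` also remains enabled here although the README describes the CoCo default as denying it together with ExecProcessRequest; if that difference is deliberate, the header comment should say so too.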
@@ -0,0 +1,38 @@
+package agent_policy
+
+default AddARPNeighborsRequest := true
+default AddSwapRequest := true
+default CloseStdinRequest := true
+default CopyFileRequest := true
+default CreateContainerRequest := true
+default CreateSandboxRequest := true
+default DestroySandboxRequest := true
+default ExecProcessRequest := true
+default GetMetricsRequest := true
+default GetOOMEventRequest := true
+default GuestDetailsRequest := true
+default ListInterfacesRequest := true
+default ListRoutesRequest := true
+default MemHotplugByProbeRequest := true
+default OnlineCPUMemRequest := true
+default PauseContainerRequest := true
+default PullImageRequest := true
+default ReadStreamRequest := true
+default RemoveContainerRequest := true
+default RemoveStaleVirtiofsShareMountsRequest := true
+default ReseedRandomDevRequest := true
+default ResumeContainerRequest := true
+default SetGuestDateTimeRequest := true
+default SetPolicyRequest := true
+default SignalProcessRequest := true
+default StartContainerRequest := true
+default StartTracingRequest := true
+default StatsContainerRequest := true
+default StopTracingRequest := true
+default TtyWinResizeRequest := true
+default UpdateContainerRequest := true
+default UpdateEphemeralMountsRequest := true
+default UpdateInterfaceRequest := true
+default UpdateRoutesRequest := true
+default WaitProcessRequest := true
+default WriteStreamRequest := true
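Review bot: The file carries no comment stating its intent, and because it enables every request, including `ExecProcessRequest`, `ReadStreamRequest` and `WriteStreamRequest`, a reader cannot tell from the file alone that the permissiveness is deliberate rather than a placeholder. Suggest a header comment after `package agent_policy`: `# Example policy: allow every agent API request. Matches the Peer-Pods default described in README.md;` followed by `# CoCo images instead deny ReadStreamRequest and ExecProcessRequest.` Whether a request type absent from this list is denied or allowed depends on how the agent treats an undefined rule, which this file does not show; the comment could point readers to that behaviour before they rely on the list as complete.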