Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

podvm: allow setting custom agent-policy #434

Merged
merged 4 commits into from
Jul 24, 2024
Merged

podvm: allow setting custom agent-policy #434

merged 4 commits into from
Jul 24, 2024

Conversation

snir911
Copy link
Contributor

@snir911 snir911 commented Jul 18, 2024

by having custom.rego file set as agent policy CM

kubectl create configmap agent-policy --from-file=<path/to/custom.rego> -n openshift-sandboxed-containers-operator

also use relative links is it essential when passed to packer

do not merge

I failed to test yet due to (probably) unaltered issues

@snir911 snir911 requested review from gkurz and bpradipt July 18, 2024 12:58
@snir911 snir911 self-assigned this Jul 18, 2024
@bpradipt
Copy link
Contributor

Tested this successfully by building a new image

oc exec -it hello-b -- sh
error: Internal error occurred: error executing command in container: cannot enter container 6d9c0d50f7640003baed372f0804ada60e8f04ce8222a0de8ab6b6f48de6411c, with err rpc error: code = PermissionDenied desc = "ExecProcessRequest is blocked by policy: ": unknown

@bpradipt bpradipt mentioned this pull request Jul 19, 2024
Merged
@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 22, 2024
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 24, 2024
@snir911 snir911 requested a review from bpradipt July 24, 2024 09:24
@snir911 snir911 force-pushed the agent_policyB branch 2 times, most recently from 7ce69eb to e2d6db5 Compare July 24, 2024 09:29
gkurz
gkurz reviewed Jul 24, 2024
View reviewed changes
config/peerpods/podvm/lib.sh
if [[ "${AGENT_POLICY}" ]]; then
echo "Custom agent policy is being set through the AGENT_POLICY value"
echo ${AGENT_POLICY} | base64 -d > "${podvm_dir}"/files/etc/kata-opa/custom.rego
if [[ $? == 0 ]] && grep -q "agent_policy" "${podvm_dir}"/files/etc/kata-opa/custom.rego; then # checks policy validity
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Isn't there a better way to validate the syntax than grepping ? Couldn't https://www.openpolicyagent.org/docs/latest/cli/#opa-check be used here ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

right, my intention wasn't to actually validate the format rather to validate the output isn't ruined because of missing couple of characters when copied the encoded string.
This opa check is indeed an option, it will require to install the binary in the container, can certainly be done at future point.

gkurz
gkurz approved these changes Jul 24, 2024
View reviewed changes
Copy link
Member

@gkurz gkurz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Grep is really a poor man's tool to validate user input but we can start with this and improve later. Rest looks good to me.

Thanks @snir911 !

snir911 added 4 commits July 24, 2024 15:45
@snir911
podvm: fix agent policy
6180a58 
by using relative path
and disable ReadStreamRequest and ExecProcessRequest for CoCo by default

Signed-off-by: Snir Sheriber <ssheribe@redhat.com>
@snir911
podvm: allow setting custom agent-policy
f70e745 
by setting base64 encoded policy file string to the AGENT_POLICY key in the
<azure/aws-podvm>-image-cm ConfigMap

$ ENCODED_POLICY=$(cat allow-all-except-exec-process.rego | base64 -w 0)
$ kubectl patch cm aws-podvm-image-cm -p "{\"data\":{\"AGENT_POLICY\":\"${ENCODED_POLICY}\"}}" -n openshift-sandboxed-containers-operator

Signed-off-by: Snir Sheriber <ssheribe@redhat.com>
@snir911
podvm: add agent-policy README.md
223ed90 
and example files

Signed-off-by: Snir Sheriber <ssheribe@redhat.com>
@snir911
podvm: disable set -x by default
63fa0f9 
to avoid unwanted printings

Signed-off-by: Snir Sheriber <ssheribe@redhat.com>
bpradipt
bpradipt approved these changes Jul 24, 2024
View reviewed changes
Copy link
Contributor

@bpradipt bpradipt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
Thanks @snir911

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jul 24, 2024
@snir911 snir911 merged commit 8bcea2e into openshift:devel Jul 24, 2024
2 of 4 checks passed
@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Jul 24, 2024

@snir911: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/check 63fa0f9 link false /test check

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bpradipt bpradipt bpradipt approved these changes

@gkurz gkurz gkurz approved these changes

Assignees

@bpradipt bpradipt

@snir911 snir911

Labels
lgtm Indicates that a PR is ready to be merged.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@snir911 @bpradipt @gkurz @openshift-merge-robot