Merge branch 'main' into skuznets/aks-bastion-fix-kubeconfig

Author: FumingZhang

src/aks-preview/HISTORY.rst

@@ -13,9 +13,13 @@ Pending
 +++++++
 * `az aks bastion`: Correctly configure `$KUBECONFIG` values for tunneling traffic into a private AKS cluster.
 
+19.0.0b16
++++++++
+* Update --enable-container-network-logs DCR to ContainerNetworkLogs instead of RetinaNetworkFlowLogs
+
 19.0.0b15
 +++++++
-* Fix `NoneType` error when performing operations on automatic clusters that have hosted system components enabled
+* Fix `NoneType` error when performing operations on automatic clusters that have hosted system components enabled.
 
 19.0.0b14
 +++++++

src/aks-preview/azext_aks_preview/addonconfiguration.py

@@ -58,7 +58,7 @@
     "Microsoft-ContainerInventory",
     "Microsoft-ContainerNodeInventory",
     "Microsoft-Perf",
-    "Microsoft-RetinaNetworkFlowLogs",
+    "Microsoft-ContainerNetworkLogs",
 ]
 
 

src/aks-preview/azext_aks_preview/tests/latest/test_aks_commands.py

@@ -18252,7 +18252,7 @@ def test_aks_create_acns_with_flow_logs(
         get_cmd = f'rest --method get --url https://management.azure.com{dcr_resource_id}?api-version=2022-06-01'
         self.cmd(get_cmd, checks=[
             self.check('properties.destinations.logAnalytics[0].workspaceResourceId', f'{workspace_resource_id}'),
-            self.check('properties.dataFlows[0].streams[-1]', 'Microsoft-RetinaNetworkFlowLogs'),
+            self.check('properties.dataFlows[0].streams[-1]', 'Microsoft-ContainerNetworkLogs'),
         ])
 
         disable_cmd = "aks update --resource-group={resource_group} --name={name} --disable-container-network-logs -o json"

src/aks-preview/setup.py

@@ -9,7 +9,7 @@
 
 from setuptools import find_packages, setup
 
-VERSION = "19.0.0b15"
+VERSION = "19.0.0b16"
 
 CLASSIFIERS = [
     "Development Status :: 4 - Beta",

src/confcom/.gitignore

@@ -36,3 +36,5 @@ azext_confcom/bin/*
 **/.coverage
 
 **/htmlcov
+
+!lib/

src/confcom/HISTORY.rst

@@ -3,6 +3,10 @@
 Release History
 ===============
 
+1.4.0
+++++++
+* Add --with-containers flag to acipolicygen and acifragmentgen to allow passing container policy definitions directly
+
 1.3.1
 ++++++
 * bugfix for --exclude-default-fragments flag not working as intended

src/confcom/azext_confcom/_params.py

@@ -4,6 +4,7 @@
 # --------------------------------------------------------------------------------------------
 # pylint: disable=line-too-long
 
+import json
 from knack.arguments import CLIArgumentType
 from azext_confcom._validators import (
     validate_params_file,
@@ -198,6 +199,14 @@ def load_arguments(self, _):
             required=False,
             help="Exclude default fragments in the generated policy",
         )
+        c.argument(
+            "container_definitions",
+            options_list=['--with-containers'],
+            action='append',
+            type=json.loads,
+            required=False,
+            help='Container definitions to include in the policy'
+        )
 
     with self.argument_context("confcom acifragmentgen") as c:
         c.argument(
@@ -345,6 +354,14 @@ def load_arguments(self, _):
             help="Path to JSON file to write fragment import information. This is used with --generate-import. If not specified, the import statement will print to the console",
             validator=validate_fragment_json,
         )
+        c.argument(
+            "container_definitions",
+            options_list=['--with-containers'],
+            action='append',
+            required=False,
+            type=json.loads,
+            help='Container definitions to include in the policy'
+        )
 
     with self.argument_context("confcom katapolicygen") as c:
         c.argument(

src/confcom/azext_confcom/_validators.py

@@ -38,7 +38,8 @@ def validate_aci_source(namespace):
         namespace.input_path,
         namespace.arm_template,
         namespace.image_name,
-        namespace.virtual_node_yaml_path
+        namespace.virtual_node_yaml_path,
+        namespace.container_definitions is not None,
     ])) != 1:
         raise CLIError("Can only generate CCE policy from one source at a time")
 
@@ -71,7 +72,11 @@ def validate_fragment_key_and_chain(namespace):
 
 
 def validate_fragment_source(namespace):
-    if not namespace.generate_import and sum(map(bool, [namespace.image_name, namespace.input_path])) != 1:
+    if not namespace.generate_import and sum(map(bool, [
+        namespace.image_name,
+        namespace.input_path,
+        namespace.container_definitions is not None,
+    ])) != 1:
         raise CLIError("Must provide either an image name or an input file to generate a fragment")
 
 

src/confcom/azext_confcom/custom.py

@@ -11,13 +11,13 @@
 from azext_confcom._validators import resolve_stdio
 from azext_confcom.config import (
     DEFAULT_REGO_FRAGMENTS, POLICY_FIELD_CONTAINERS_ELEMENTS_REGO_FRAGMENTS,
-    REGO_IMPORT_FILE_STRUCTURE)
+    REGO_IMPORT_FILE_STRUCTURE, ACI_FIELD_VERSION, ACI_FIELD_CONTAINERS)
 from azext_confcom.cose_proxy import CoseSignToolProxy
 from azext_confcom.errors import eprint
 from azext_confcom.fragment_util import get_all_fragment_contents
 from azext_confcom.init_checks import run_initial_docker_checks
 from azext_confcom.kata_proxy import KataPolicyGenProxy
-from azext_confcom.security_policy import OutputType
+from azext_confcom.security_policy import AciPolicy, OutputType
 from azext_confcom.template_util import (
     get_image_name, inject_policy_into_template, inject_policy_into_yaml,
     pretty_print_func, print_existing_policy_from_arm_template,
@@ -37,6 +37,7 @@ def acipolicygen_confcom(
     virtual_node_yaml_path: str,
     infrastructure_svn: str,
     tar_mapping_location: str,
+    container_definitions: Optional[list] = None,
     approve_wildcards: str = False,
     outraw: bool = False,
     outraw_pretty_print: bool = False,
@@ -64,6 +65,9 @@ def acipolicygen_confcom(
             "For additional information, see http://aka.ms/clisecrets. \n",
         )
 
+    if container_definitions is None:
+        container_definitions = []
+
     stdio_enabled = resolve_stdio(enable_stdio, disable_stdio)
 
     if print_existing_policy and arm_template:
@@ -147,6 +151,16 @@ def acipolicygen_confcom(
             exclude_default_fragments=exclude_default_fragments,
             infrastructure_svn=infrastructure_svn,
         )
+    elif container_definitions:
+        container_group_policies = AciPolicy(
+            {
+                ACI_FIELD_VERSION: "1.0",
+                ACI_FIELD_CONTAINERS: [],
+            },
+            debug_mode=debug_mode,
+            disable_stdio=disable_stdio,
+            container_definitions=container_definitions,
+        )
 
     exit_code = 0
 
@@ -227,6 +241,7 @@ def acifragmentgen_confcom(
     key: str,
     chain: str,
     minimum_svn: str,
+    container_definitions: Optional[list] = None,
     image_target: str = "",
     algo: str = "ES384",
     fragment_path: str = None,
@@ -241,6 +256,8 @@ def acifragmentgen_confcom(
     no_print: bool = False,
     fragments_json: str = "",
 ):
+    if container_definitions is None:
+        container_definitions = []
 
     stdio_enabled = resolve_stdio(enable_stdio, disable_stdio)
 
@@ -299,13 +316,27 @@ def acifragmentgen_confcom(
         policy = security_policy.load_policy_from_image_name(
             image_name, debug_mode=debug_mode, disable_stdio=(not stdio_enabled)
         )
-    else:
+    elif input_path:
         # this is using --input
         if not tar_mapping:
             tar_mapping = os_util.load_tar_mapping_from_config_file(input_path)
         policy = security_policy.load_policy_from_json_file(
             input_path, debug_mode=debug_mode, disable_stdio=(not stdio_enabled)
         )
+    elif container_definitions:
+        policy = AciPolicy(
+            {
+                ACI_FIELD_VERSION: "1.0",
+                ACI_FIELD_CONTAINERS: [],
+            },
+            debug_mode=debug_mode,
+            disable_stdio=disable_stdio,
+            container_definitions=container_definitions,
+        )
+    else:
+        eprint("Either --image-name, --input, or --container-definitions must be provided", exit_code=2)
+        return
+
     # get all of the fragments that are being used in the policy
     # and associate them with each container group
     fragment_policy_list = []
@@ -321,7 +352,7 @@ def acifragmentgen_confcom(
 
     # make sure we have images to generate a fragment
     policy_images = policy.get_images()
-    if not policy_images:
+    if not policy_images and not container_definitions:
         eprint("No images found in the policy or all images are covered by fragments")
 
     if not feed:

src/confcom/azext_confcom/lib/policy.py

@@ -0,0 +1,118 @@
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# --------------------------------------------------------------------------------------------
+
+from dataclasses import dataclass, field, is_dataclass
+import inspect
+import sys
+from typing import Literal, Optional
+
+
+def get_default_capabilities():
+    return [
+        "CAP_AUDIT_WRITE",
+        "CAP_CHOWN",
+        "CAP_DAC_OVERRIDE",
+        "CAP_FOWNER",
+        "CAP_FSETID",
+        "CAP_KILL",
+        "CAP_MKNOD",
+        "CAP_NET_BIND_SERVICE",
+        "CAP_NET_RAW",
+        "CAP_SETFCAP",
+        "CAP_SETGID",
+        "CAP_SETPCAP",
+        "CAP_SETUID",
+        "CAP_SYS_CHROOT"
+    ]
+
+
+@dataclass
+class ContainerCapabilities:
+    ambient: list[str] = field(default_factory=list)
+    bounding: list[str] = field(default_factory=get_default_capabilities)
+    effective: list[str] = field(default_factory=get_default_capabilities)
+    inheritable: list[str] = field(default_factory=list)
+    permitted: list[str] = field(default_factory=get_default_capabilities)
+
+
+@dataclass
+class ContainerRule:
+    pattern: str
+    strategy: str
+    required: Optional[bool] = False
+
+
+@dataclass
+class ContainerExecProcesses:
+    command: list[str]
+    signals: Optional[list[str]] = None
+    allow_stdio_access: bool = True
+
+
+@dataclass
+class ContainerMount:
+    destination: str
+    source: str
+    type: str
+    options: list[str] = field(default_factory=list)
+
+
+@dataclass
+class ContainerUser:
+    group_idnames: list[ContainerRule] = field(default_factory=lambda: [ContainerRule(pattern="", strategy="any")])
+    umask: str = "0022"
+    user_idname: ContainerRule = field(default_factory=lambda: ContainerRule(pattern="", strategy="any"))
+
+
+@dataclass
+class FragmentReference:
+    feed: str
+    issuer: str
+    minimum_svn: str
+    includes: list[Literal["containers", "fragments", "namespace", "external_processes"]]
+    path: Optional[str] = None
+
+
+@dataclass
+class Container:
+    allow_elevated: bool = False
+    allow_stdio_access: bool = True
+    capabilities: ContainerCapabilities = field(default_factory=ContainerCapabilities)
+    command: Optional[list[str]] = None
+    env_rules: list[ContainerRule] = field(default_factory=list)
+    exec_processes: list[ContainerExecProcesses] = field(default_factory=list)
+    id: Optional[str] = None
+    layers: list[str] = field(default_factory=list)
+    mounts: list[ContainerMount] = field(default_factory=list)
+    name: Optional[str] = None
+    no_new_privileges: bool = False
+    seccomp_profile_sha256: str = ""
+    signals: list[str] = field(default_factory=list)
+    user: ContainerUser = field(default_factory=ContainerUser)
+    working_dir: str = "/"
+
+
+@dataclass
+class Policy:
+    package: str = "policy"
+    api_version: str = "0.10.0"
+    framework_version: str = "0.2.3"
+    fragments: list[FragmentReference] = field(default_factory=list)
+    containers: list[Container] = field(default_factory=list)
+    allow_properties_access: bool = True
+    allow_dump_stacks: bool = False
+    allow_runtime_logging: bool = False
+    allow_environment_variable_dropping: bool = True
+    allow_unencrypted_scratch: bool = False
+    allow_capability_dropping: bool = True
+
+
+@dataclass
+class Fragment:
+    package: str = "fragment"
+    svn: str = "0"
+    framework_version: str = "0.2.3"
+    fragments: list[FragmentReference] = field(default_factory=list)
+    containers: list[Container] = field(default_factory=list)