
Commit 62ad4f2

committed
Prevent tests changing tracked files
1 parent 3a510cb commit 62ad4f2


5 files changed

+360
-12
lines changed

Lines changed: 338 additions & 0 deletions
@@ -0,0 +1,338 @@
1+
{
2+
"pause_container": {
3+
"Root": {
4+
"Path": "$(cpath)/$(bundle-id)",
5+
"Readonly": true
6+
},
7+
"Mounts": [
8+
{
9+
"destination": "/dev/shm",
10+
"type_": "bind",
11+
"source": "/run/kata-containers/sandbox/shm",
12+
"options": [
13+
"rbind"
14+
]
15+
},
16+
{
17+
"destination": "/etc/resolv.conf",
18+
"type_": "bind",
19+
"options": [
20+
"rbind",
21+
"ro",
22+
"nosuid",
23+
"nodev",
24+
"noexec"
25+
]
26+
}
27+
],
28+
"Annotations": {
29+
"io.kubernetes.cri.container-type": "sandbox",
30+
"io.kubernetes.cri.sandbox-id": "^[a-z0-9]{64}$",
31+
"io.kubernetes.cri.sandbox-log-directory": "^/var/log/pods/$(sandbox-namespace)_$(sandbox-name)_[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
32+
"io.katacontainers.pkg.oci.container_type": "pod_sandbox",
33+
"io.kubernetes.cri.sandbox-namespace": "default",
34+
"io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/$(bundle-id)"
35+
},
36+
"Process": {
37+
"Args": [
38+
"/pause"
39+
]
40+
},
41+
"Linux": {
42+
"MaskedPaths": [
43+
"/proc/acpi",
44+
"/proc/asound",
45+
"/proc/kcore",
46+
"/proc/keys",
47+
"/proc/latency_stats",
48+
"/proc/timer_list",
49+
"/proc/timer_stats",
50+
"/proc/sched_debug",
51+
"/sys/firmware",
52+
"/proc/scsi"
53+
],
54+
"ReadonlyPaths": [
55+
"/proc/bus",
56+
"/proc/fs",
57+
"/proc/irq",
58+
"/proc/sys",
59+
"/proc/sysrq-trigger"
60+
]
61+
}
62+
},
63+
"other_container": {
64+
"Root": {
65+
"Path": "$(cpath)/$(bundle-id)"
66+
},
67+
"Mounts": [
68+
{
69+
"destination": "/etc/hosts",
70+
"type_": "bind",
71+
"options": [
72+
"rbind",
73+
"rprivate",
74+
"rw"
75+
]
76+
},
77+
{
78+
"destination": "/dev/termination-log",
79+
"type_": "bind",
80+
"options": [
81+
"rbind",
82+
"rprivate",
83+
"rw"
84+
]
85+
},
86+
{
87+
"destination": "/etc/hostname",
88+
"type_": "bind",
89+
"options": [
90+
"rbind",
91+
"rprivate"
92+
]
93+
},
94+
{
95+
"destination": "/etc/resolv.conf",
96+
"type_": "bind",
97+
"options": [
98+
"rbind",
99+
"rprivate"
100+
]
101+
},
102+
{
103+
"destination": "/dev/shm",
104+
"type_": "bind",
105+
"source": "/run/kata-containers/sandbox/shm",
106+
"options": [
107+
"rbind"
108+
]
109+
},
110+
{
111+
"destination": "/var/run/secrets/kubernetes.io/serviceaccount",
112+
"type_": "bind",
113+
"options": [
114+
"rbind",
115+
"rprivate",
116+
"ro"
117+
]
118+
},
119+
{
120+
"destination": "/var/run/secrets/azure/tokens",
121+
"source": "$(sfprefix)tokens$",
122+
"type_": "bind",
123+
"options": [
124+
"rbind",
125+
"rprivate",
126+
"ro"
127+
]
128+
}
129+
],
130+
"Annotations": {
131+
"io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/$(bundle-id)",
132+
"io.kubernetes.cri.sandbox-id": "^[a-z0-9]{64}$",
133+
"io.katacontainers.pkg.oci.container_type": "pod_container",
134+
"io.kubernetes.cri.container-type": "container"
135+
}
136+
},
137+
"volumes": {
138+
"emptyDir": {
139+
"mount_type": "local",
140+
"mount_source": "^$(cpath)/$(sandbox-id)/local/",
141+
"mount_point": "^$(cpath)/$(sandbox-id)/local/",
142+
"driver": "local",
143+
"source": "local",
144+
"fstype": "local",
145+
"options": [
146+
"mode=0777"
147+
]
148+
},
149+
"emptyDir_memory": {
150+
"mount_type": "bind",
151+
"mount_source": "^/run/kata-containers/sandbox/ephemeral/",
152+
"mount_point": "^/run/kata-containers/sandbox/ephemeral/",
153+
"driver": "ephemeral",
154+
"source": "tmpfs",
155+
"fstype": "tmpfs",
156+
"options": []
157+
},
158+
"configMap": {
159+
"mount_type": "bind",
160+
"mount_source": "$(sfprefix)",
161+
"mount_point": "^$(cpath)/watchable/$(bundle-id)-[a-z0-9]{16}-",
162+
"driver": "watchable-bind",
163+
"fstype": "bind",
164+
"options": [
165+
"rbind",
166+
"rprivate",
167+
"ro"
168+
]
169+
},
170+
"confidential_configMap": {
171+
"mount_type": "bind",
172+
"mount_source": "$(sfprefix)",
173+
"mount_point": "$(sfprefix)",
174+
"driver": "local",
175+
"fstype": "bind",
176+
"options": [
177+
"rbind",
178+
"rprivate",
179+
"ro"
180+
]
181+
}
182+
},
183+
"mount_destinations": [
184+
"/sys/fs/cgroup",
185+
"/etc/hosts",
186+
"/dev/termination-log",
187+
"/etc/hostname",
188+
"/etc/resolv.conf",
189+
"/dev/shm",
190+
"/var/run/secrets/kubernetes.io/serviceaccount",
191+
"/var/run/secrets/azure/tokens"
192+
],
193+
"sandbox": {
194+
"storages": [
195+
{
196+
"driver": "ephemeral",
197+
"driver_options": [],
198+
"source": "shm",
199+
"fstype": "tmpfs",
200+
"options": [
201+
"noexec",
202+
"nosuid",
203+
"nodev",
204+
"mode=1777",
205+
"size=67108864"
206+
],
207+
"mount_point": "/run/kata-containers/sandbox/shm",
208+
"fs_group": null
209+
}
210+
]
211+
},
212+
"common": {
213+
"cpath": "/run/kata-containers/shared/containers",
214+
"sfprefix": "^$(cpath)/$(bundle-id)-[a-z0-9]{16}-",
215+
"spath": "/run/kata-containers/sandbox/storage",
216+
"ip_p": "[0-9]{1,5}",
217+
"ipv4_a": "((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}",
218+
"svc_name": "[A-Z0-9_\\.\\-]+",
219+
"dns_label": "[a-zA-Z0-9_\\.\\-]+",
220+
"s_source1": "^..2[0-9]{3}_[0-1][0-9]_[0-3][0-9]_[0-2][0-9]_[0-5][0-9]_[0-5][0-9]\\.[0-9]{1,10}$",
221+
"s_source2": "^..data/",
222+
"default_caps": [
223+
"CAP_CHOWN",
224+
"CAP_DAC_OVERRIDE",
225+
"CAP_FSETID",
226+
"CAP_FOWNER",
227+
"CAP_MKNOD",
228+
"CAP_NET_RAW",
229+
"CAP_SETGID",
230+
"CAP_SETUID",
231+
"CAP_SETFCAP",
232+
"CAP_SETPCAP",
233+
"CAP_NET_BIND_SERVICE",
234+
"CAP_SYS_CHROOT",
235+
"CAP_KILL",
236+
"CAP_AUDIT_WRITE"
237+
],
238+
"privileged_caps": [
239+
"CAP_CHOWN",
240+
"CAP_DAC_OVERRIDE",
241+
"CAP_DAC_READ_SEARCH",
242+
"CAP_FOWNER",
243+
"CAP_FSETID",
244+
"CAP_KILL",
245+
"CAP_SETGID",
246+
"CAP_SETUID",
247+
"CAP_SETPCAP",
248+
"CAP_LINUX_IMMUTABLE",
249+
"CAP_NET_BIND_SERVICE",
250+
"CAP_NET_BROADCAST",
251+
"CAP_NET_ADMIN",
252+
"CAP_NET_RAW",
253+
"CAP_IPC_LOCK",
254+
"CAP_IPC_OWNER",
255+
"CAP_SYS_MODULE",
256+
"CAP_SYS_RAWIO",
257+
"CAP_SYS_CHROOT",
258+
"CAP_SYS_PTRACE",
259+
"CAP_SYS_PACCT",
260+
"CAP_SYS_ADMIN",
261+
"CAP_SYS_BOOT",
262+
"CAP_SYS_NICE",
263+
"CAP_SYS_RESOURCE",
264+
"CAP_SYS_TIME",
265+
"CAP_SYS_TTY_CONFIG",
266+
"CAP_MKNOD",
267+
"CAP_LEASE",
268+
"CAP_AUDIT_WRITE",
269+
"CAP_AUDIT_CONTROL",
270+
"CAP_SETFCAP",
271+
"CAP_MAC_OVERRIDE",
272+
"CAP_MAC_ADMIN",
273+
"CAP_SYSLOG",
274+
"CAP_WAKE_ALARM",
275+
"CAP_BLOCK_SUSPEND",
276+
"CAP_AUDIT_READ",
277+
"CAP_PERFMON",
278+
"CAP_BPF",
279+
"CAP_CHECKPOINT_RESTORE"
280+
],
281+
"virtio_blk_storage_classes": [
282+
"cc-local-csi",
283+
"cc-managed-csi",
284+
"cc-managed-premium-csi"
285+
],
286+
"smb_storage_classes": [
287+
{
288+
"name": "azurefile-csi-kata-cc",
289+
"mount_options": [
290+
"dir_mode=0777",
291+
"file_mode=0777",
292+
"mfsymlinks",
293+
"cache=strict",
294+
"nosharesock",
295+
"actimeo=30",
296+
"nobrl"
297+
]
298+
}
299+
]
300+
},
301+
"kata_config": {
302+
"confidential_guest": true
303+
},
304+
"cluster_config": {
305+
"default_namespace": "default"
306+
},
307+
"request_defaults": {
308+
"CreateContainerRequest": {
309+
"allow_env_regex": [
310+
"^HOSTNAME=$(dns_label)$",
311+
"^$(svc_name)_PORT_$(ip_p)_TCP=tcp://$(ipv4_a):$(ip_p)$",
312+
"^$(svc_name)_PORT_$(ip_p)_TCP_PROTO=tcp$",
313+
"^$(svc_name)_PORT_$(ip_p)_TCP_PORT=$(ip_p)$",
314+
"^$(svc_name)_PORT_$(ip_p)_TCP_ADDR=$(ipv4_a)$",
315+
"^$(svc_name)_SERVICE_HOST=$(ipv4_a)$",
316+
"^$(svc_name)_SERVICE_PORT=$(ip_p)$",
317+
"^$(svc_name)_SERVICE_PORT_$(dns_label)=$(ip_p)$",
318+
"^$(svc_name)_PORT=tcp://$(ipv4_a):$(ip_p)$",
319+
"^AZURE_CLIENT_ID=[A-Fa-f0-9-]*$",
320+
"^AZURE_TENANT_ID=[A-Fa-f0-9-]*$",
321+
"^AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/azure/tokens/azure-identity-token$",
322+
"^AZURE_AUTHORITY_HOST=https://login\\.microsoftonline\\.com/$",
323+
"^TERM=xterm$"
324+
]
325+
},
326+
"CopyFileRequest": [
327+
"$(sfprefix)"
328+
],
329+
"ExecProcessRequest": {
330+
"commands": [],
331+
"regex": []
332+
},
333+
"CloseStdinRequest": false,
334+
"ReadStreamRequest": true,
335+
"UpdateEphemeralMountsRequest": false,
336+
"WriteStreamRequest": false
337+
}
338+
}
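Review bot: The env allow-list under request_defaults.CreateContainerRequest is looser than the values it is meant to admit: `ip_p` is `[0-9]{1,5}`, so a `*_SERVICE_PORT=99999` entry passes, and `^AZURE_CLIENT_ID=[A-Fa-f0-9-]*$` / `^AZURE_TENANT_ID=[A-Fa-f0-9-]*$` accept an empty value because of the `*`. The file's path is not shown here and the commit title suggests it is a test fixture; if it was copied from the shipped policy data, the same patterns presumably exist there and should be tightened at the source rather than only in the fixture, e.g. `^AZURE_CLIENT_ID=[A-Fa-f0-9-]+$`. This does not affect what the commit itself does; it is the allow-list that is permissive.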

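--- a/src/confcom/azext_confcom/data/rules.rego
+++ b/src/confcom/azext_confcom/data/rules.rego
@@ -54,6 +54,7 @@ default AllowRequestsFailingPolicy := false
 # Constants
 S_NAME_KEY = "io.kubernetes.cri.sandbox-name"
 S_NAMESPACE_KEY = "io.kubernetes.cri.sandbox-namespace"
+BUNDLE_ID = "[a-z0-9]{64}"
 
 CreateContainerRequest {
 # Check if the input request should be rejected even before checking the
@@ -468,6 +469,9 @@ allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) {
 bundle_path := i_oci.Annotations["io.katacontainers.pkg.oci.bundle_path"]
 bundle_id := replace(bundle_path, "/run/containerd/io.containerd.runtime.v2.task/k8s.io/", "")
 
+bundle_id_format := concat("", ["^", BUNDLE_ID, "$"])
+regex.match(bundle_id_format, bundle_id)
+
 key := "io.kubernetes.cri.sandbox-id"
 
 p_regex := p_oci.Annotations[key]
@@ -1226,7 +1230,7 @@ CopyFileRequest {
 some regex1 in policy_data.request_defaults.CopyFileRequest
 regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix)
 regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath)
-regex4 := replace(regex3, "$(bundle-id)", "[a-z0-9]{64}")
+regex4 := replace(regex3, "$(bundle-id)", BUNDLE_ID)
 print("CopyFileRequest: regex4 =", regex4)
 
 regex.match(regex4, input.path)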
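Review bot: BUNDLE_ID now anchors the bundle-id check added in allow_by_bundle_or_sandbox_id, but the pattern it has to agree with for the sandbox id, `^[a-z0-9]{64}$`, is still carried as a literal inside the policy data annotations, so the two can drift without anything failing. A one-line comment on the constant would make that coupling visible: `# Must stay in sync with the "io.kubernetes.cri.sandbox-id" regex in the policy data annotations.` If bundle ids are always containerd sha256 hex, which I cannot confirm from this hunk, `[0-9a-f]{64}` would be the tighter form, as the sandbox-log-directory pattern already uses for its UUID. Both allow_by_bundle_or_sandbox_id and CopyFileRequest continue outside their hunks.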
