forked from kata-containers/kata-containers
build(deps): bump rustix from 0.36.11 to 0.36.17 in /src/tools/log-parser-rs #297
Open: dependabot wants to merge 399 commits into msft-main from dependabot/cargo/src/tools/log-parser-rs/rustix-0.36.17
Update pod-three-containers.yaml image reference to an existing one Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
genpolicy: update samples
Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
…_paths genpolicy: block all relative paths for copyFile requests
Disable env variable verification to unblock CI, until container images that don't specify the Env variables will be handled correctly (see kata-containers#9239). Also, mark the image config Env field as optional, thus allowing policy generation for these container images. Fixes: kata-containers#9240 Signed-off-by: Dan Mihai <dmihai@microsoft.com>
Use containerd's default environment for container images that don't specify the Env field. Also, re-enable policy env variable verification, now that these uncommon images are supported too. Fixes: kata-containers#9239 Signed-off-by: Dan Mihai <dmihai@microsoft.com>
Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
genpolicy: fix optional docker image config Env support
Add metadata containing the Policy annotation if the user didn't provide any metadata in the input yaml file.
For a simple sanity test using a Kata CI YAML file:
genpolicy -u -y job.yaml
kubectl apply -f job.yaml
kubectl get pods | grep job
job-pi-test-64dxs 0/1 Completed 0 14s
Fixes: kata-containers#8891
Signed-off-by: Dan Mihai <dmihai@microsoft.com>
Validating the node name is currently outside the scope of the CoCo policy. This change unblocks testing using Kata CI's test-pod-file-volume.yaml and pv-pod.yaml. Fixes: kata-containers#8888 Signed-off-by: Dan Mihai <dmihai@microsoft.com>
Allow Kata CI's pod-nested-configmap-secret.yaml to work with genpolicy and current cbl-mariner images:
1. Ignore the optional type field of Secret input YAML files.
It's possible that CoCo will need a more sophisticated Policy for Secrets, but this change at least unblocks CI testing for already-existing genpolicy features.
Simple sanity testing for these changes:
genpolicy -u -y pod-nested-configmap-secret.yaml
kubectl apply -f pod-nested-configmap-secret.yaml
kubectl get pods | grep config
nested-configmap-secret-pod 1/1 Running 0 26s
Fixes: kata-containers#8892
Signed-off-by: Dan Mihai <dmihai@microsoft.com>
The auto-generated Policy already allows these volumes to be mounted, regardless if they are:
- Present, or
- Missing and optional
Fixes: kata-containers#8893
Signed-off-by: Dan Mihai <dmihai@microsoft.com>
genpolicy sync with upstream [1/3]
Using custom input paths with -i is counter-intuitive. Simplify path handling with explicit flags for rules.rego and genpolicy-settings.json. Fixes: kata-containers#8568 Signed-Off-By: Malte Poll <1780588+malt3@users.noreply.github.com>
Allow users to specify in genpolicy-settings.json a default cluster namespace other than "default". For example, Kata CI uses as default namespace: "kata-containers-k8s-tests". Fixes: kata-containers#8976 Signed-off-by: Dan Mihai <dmihai@microsoft.com>
Kata CI's pod-sandbox-vcpus-allocation.yaml ends with "---", so the empty YAML document following that line should be ignored.
To test this fix:
genpolicy -u -y pod-sandbox-vcpus-allocation.yaml
Fixes: kata-containers#8895
Signed-off-by: Dan Mihai <dmihai@microsoft.com>
genpolicy sync upstream [2/3]
1. Remove PullImageRequest because that is not used in the main branch. It was used in the CCv0 branch.
2. Add default false values for the remaining Kata Agent ttrpc requests.
These changes don't change the functionality of the auto generated Policy, but they help with easier understanding the Policy text and the logging from the Rego rules.
Fixes: kata-containers#9049
Signed-off-by: Dan Mihai <dmihai@microsoft.com>
For example, Kata CI's k8s-copy-file.bats transfers files between the Host and the Guest using "kubectl exec", and that results in CloseStdinRequest being called from the Host. Signed-off-by: Dan Mihai <dmihai@microsoft.com>
Additional logging from the ExecProcessRequest rules, for easier debugging. Signed-off-by: Dan Mihai <dmihai@microsoft.com>
Improve logging, for easier debugging. Fixes: kata-containers#9072 Signed-off-by: Dan Mihai <dmihai@microsoft.com>
Based on kata-containers/runtime#2812 Fixes: kata-containers#9145 Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
This adds support for sidecar container introduced in Kubernetes 1.28 Fixes: kata-containers#9220 Signed-off-by: Leonard Cohnen <lc@edgeless.systems>
Kata CI has full debug output enabled for the cbl-mariner k8s tests, and the test AKS node is relatively slow. So debug prints from policy are expensive during CI. Fixes: kata-containers#9296 Signed-off-by: Dan Mihai <dmihai@microsoft.com>
Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
genpolicy sync upstream [3/3]
Adds a new storage handler in kata agent for SMB mounts. As of now this calls into the baremount function using default definition of storage handler. Signed-off-by: Archana Choudhary <archana1@microsoft.com>
This commit introduces support for SMB mounts. It handles parsing of mount objects in pod OCI spec to filter out SMB/CIFS mounts and create appropriate volume object for the same, having target path set to a path inside pod VM (i.e guest UVM). The changes, further modify the container mount objects to bind-mount to the target path. Signed-off-by: Archana Choudhary <archana1@microsoft.com>
Add optional toggle to use existing containerd installation to pull and manage container images. This adds support to a wider set of images that are currently not supported by standard pull method, such as those that use v1 manifest. Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
- similar to the static_sandbox_default_workload_mem option, assign a default number of vcpus to the VM when no limits are given, 1 vcpu in this case
- similar to commit c7b8ee9, do not allocate additional vcpus when limits are provided
Signed-off-by: Manuel Huber <mahuber@microsoft.com>
Ensure bundle id read from annotation matches expected format Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
Update sample annotations Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
…id_validation policy: strengthen bundle id validation
Bump genpolicy version to 3.2.0-azl3.genpolicy3 Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
…sion chore: bump genpolicy version
64Mi limit is insufficient after the changes from c7b8ee9. The lowest supported memory limit is 192Mi. Signed-off-by: Dan Mihai <dmihai@microsoft.com>
samples: use 256Mi pod memory limit
Use regorous engine's add_data method to add state to the policy. This data can later be accessed inside rego context through the data namespace. Support state modifications (json-patches) that may be returned as a result from policy evaluation. Also initialize a policy engine data slice "pstate" dedicated for storing state. Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
Make sure all container sandbox names match the sandbox name of the first container. Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
Before this patch there was a mismatch between the JSON path under which the state of the rule evaluation is set in comparison to under which it is retrieved. This resulted in the behavior that each time the policy was evaluated, it thought it was the _first_ time the policy was evaluated. This also means that the consistency check for the `sandbox_name` was ineffective. Signed-off-by: Leonard Cohnen <lc@edgeless.systems>
Reuse constants where applicable Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
- Remove default_namespace from settings
- Ensure container namespaces in a pod match each other in case no namespace is specified in the YAML
Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
Update samples policy annotations Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
runtime: Allocate default workload vcpus
policy: cherry pick state policy changes from upstream
take_prints takes and clears prints per https://github.com/microsoft/regorus/blob/748c11cfa1319c808977194c1657e0fd866269be/src/engine.rs#L848
Add back error logs by not calling take_prints twice.
Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
…r_logs agent: add back rego error logs
Bumps [rustix](https://github.com/bytecodealliance/rustix) from 0.36.11 to 0.36.17.
- [Release notes](https://github.com/bytecodealliance/rustix/releases)
- [Changelog](https://github.com/bytecodealliance/rustix/blob/main/CHANGELOG.md)
- [Commits](bytecodealliance/rustix@v0.36.11...v0.36.17)
---
updated-dependencies:
- dependency-name: rustix
  dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Copilot reviewed 1 out of 1 changed files in this pull request and generated no comments.
Bumps rustix from 0.36.11 to 0.36.17.
Commits
- 76c998c chore: Release rustix version 0.36.17
- 1c6013a Fix p{read,write}v{,v2}'s encoding of the offset argument on Linux. (#896) (#...
- 6534992 chore: Release rustix version 0.36.16
- 4928cf7 Disable riscv64 testing.
- 8cc159c Fix the test_ttyname_ok test when /dev/stdin is inaccessible. (#821)
- 6dc7ba9 Downgrade dependencies and disable tests to compile under Rust 1.48.
- ded8986 Disable MIPS in CI. (#793)
- 739f9c3 Fixes for Dir on macOS, FreeBSD, and WASI.
- 87481a9 Merge pull request from GHSA-c827-hfw6-qwvm
- 5b764b5 chore: Release rustix version 0.36.15

You can trigger a rebase of this PR by commenting @dependabot rebase.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot merge will merge this PR after your CI passes on it
- @dependabot squash and merge will squash and merge this PR after your CI passes on it
- @dependabot cancel merge will cancel a previously requested merge and block automerging
- @dependabot reopen will reopen this PR if it is closed
- @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.