Conversation

@jiria jiria commented Feb 5, 2025

Merge Checklist
Summary
Test Methodology

sprt and others added 30 commits February 14, 2024 14:16
Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
Enable tarindex to handle symlink names with special characters or
length longer than the 100 limit.

Signed-off-by: Mitch Zhu <mitchzhu@microsoft.com>
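The "100 limit" in this commit is the 100-byte `linkname` field of a tar header; a symlink whose target is longer than that can only be represented through an extension entry. The following is an added illustration and is not the tarindex code from this repository: it writes a one-entry archive with an overlong symlink target through Python's standard `tarfile` module and then walks the raw 512-byte headers by hand, verifying each header checksum and applying GNU `K` (long linkname) and `L` (long name) entries to the entry that follows. The entry names and target path are constructed for the example.

```python
import io
import tarfile

BLOCK = 512

# Constructed sample target, well over the 100-byte ustar linkname field
# (hypothetical path, not taken from any real image layer).
LONG_TARGET = "/".join("component%02d" % i for i in range(12)) + "/libexample.so"
LINK_NAME = "usr/lib/libexample.so"


def _build_archive(fmt: int) -> bytes:
    """Write an in-memory archive holding one symlink with a long target."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=fmt) as tar:
        info = tarfile.TarInfo(name=LINK_NAME)
        info.type = tarfile.SYMTYPE
        info.linkname = LONG_TARGET
        tar.addfile(info)
    return buf.getvalue()


def build_gnu_archive() -> bytes:
    """GNU format: tarfile emits a 'K' long-linkname entry before the symlink."""
    return _build_archive(tarfile.GNU_FORMAT)


def ustar_rejects_long_linkname() -> bool:
    """Plain ustar has no extension entries, so tarfile refuses to write it."""
    try:
        _build_archive(tarfile.USTAR_FORMAT)
    except ValueError:
        return True
    return False


def _octal(field: bytes) -> int:
    """Decode a NUL/space padded octal header field."""
    return int(field.strip(b"\x00 ") or b"0", 8)


def _checksum_ok(header: bytes) -> bool:
    """Recompute the header checksum with the checksum field read as spaces."""
    stored = _octal(header[148:156])
    computed = sum(header[:148]) + 8 * 0x20 + sum(header[156:])
    return stored == computed


def scan_symlinks(archive: bytes) -> dict:
    """Walk raw headers and return {symlink name: full target}.

    'K' and 'L' entries carry the overlong linkname / name for the next
    real entry; their payload replaces the truncated header field.
    """
    links = {}
    pending_name = None
    pending_link = None
    off = 0
    while off + BLOCK <= len(archive):
        header = archive[off:off + BLOCK]
        if header == b"\x00" * BLOCK:  # end-of-archive marker
            break
        if not _checksum_ok(header):
            raise ValueError("bad header checksum at offset %d" % off)
        size = _octal(header[124:136])
        typeflag = header[156:157]
        data = archive[off + BLOCK:off + BLOCK + size]
        if typeflag == b"K":
            pending_link = data.rstrip(b"\x00").decode()
        elif typeflag == b"L":
            pending_name = data.rstrip(b"\x00").decode()
        else:
            name = pending_name or header[0:100].rstrip(b"\x00").decode()
            if typeflag == b"2":  # symlink
                link = pending_link or header[157:257].rstrip(b"\x00").decode()
                links[name] = link
            pending_name = pending_link = None
        off += BLOCK * (1 + (size + BLOCK - 1) // BLOCK)
    return links


if __name__ == "__main__":
    print(scan_symlinks(build_gnu_archive()))
    print("ustar rejects >100-byte linkname:", ustar_rejects_long_linkname())
```

The checksum step matters for an indexer that reads layers produced by untrusted builders: a header that fails it should stop the scan rather than be guessed at. The scanner above handles the GNU extension only; PAX archives carry the same information in an `x` extended header with a `linkpath` record, which it does not parse.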
…nk_name_pr

tarindex: Add special symlink name handling
Also set fix docker busybox image tag

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
Update pod-three-containers.yaml image reference to an existing one

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
…_paths

genpolicy: block all relative paths for copyFile requests
Disable env variable verification to unblock CI, until container
images that don't specify the Env variables will be handled correctly
(see kata-containers#9239).

Also, mark the image config Env field as optional, thus allowing
policy generation for these container images.

Fixes: kata-containers#9240

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
Use containerd's default environment for container images that don't
specify the Env field.

Also, re-enable policy env variable verification, now that these
uncommon images are supported too.

Fixes: kata-containers#9239

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
genpolicy: fix optional docker image config Env support
Add metadata containing the Policy annotation if the user didn't
provide any metadata in the input yaml file.

For a simple sanity test using a Kata CI YAML file:

genpolicy -u -y job.yaml

kubectl apply -f job.yaml

kubectl get pods | grep job
job-pi-test-64dxs 0/1     Completed   0          14s

Fixes: kata-containers#8891

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
Validating the node name is currently outside the scope of the CoCo
policy.

This change unblocks testing using Kata CI's test-pod-file-volume.yaml
and pv-pod.yaml.

Fixes: kata-containers#8888

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
Allow Kata CI's pod-nested-configmap-secret.yaml to work with
genpolicy and current cbl-mariner images:

1. Ignore the optional type field of Secret input YAML files.

   It's possible that CoCo will need a more sophisticated Policy
   for Secrets, but this change at least unblocks CI testing for
   already-existing genpolicy features.

Simple sanity testing for these changes:

genpolicy -u -y pod-nested-configmap-secret.yaml

kubectl apply -f pod-nested-configmap-secret.yaml

kubectl get pods | grep config
nested-configmap-secret-pod 1/1     Running   0          26s

Fixes: kata-containers#8892

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
The auto-generated Policy already allows these volumes to be mounted,
regardless if they are:
- Present, or
- Missing and optional

Fixes: kata-containers#8893

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
Using custom input paths with -i is counter-intuitive. Simplify path handling with explicit flags for rules.rego and genpolicy-settings.json.

Fixes: kata-containers#8568

Signed-Off-By: Malte Poll <1780588+malt3@users.noreply.github.com>
Allow users to specify in genpolicy-settings.json a default cluster
namespace other than "default". For example, Kata CI uses as default
namespace: "kata-containers-k8s-tests".

Fixes: kata-containers#8976

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
Kata CI's pod-sandbox-vcpus-allocation.yaml ends with "---", so the
empty YAML document following that line should be ignored.

To test this fix:

genpolicy -u -y pod-sandbox-vcpus-allocation.yaml

Fixes: kata-containers#8895

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
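The trailing "---" case from this commit, as an added illustration that is not genpolicy's own YAML handling: a naive split on the separator yields an empty final document (and treats a comment-only one as real), whereas a splitter that honours the `---` and `...` markers and discards documents containing only whitespace or comments returns just the resources. The manifest stream below is constructed for the example and is not a Kata CI file.

```python
# Constructed multi-document stream; note the comment-only document and
# the trailing "---" that leaves an empty document at the end.
SAMPLE_STREAM = """\
# constructed sample, not a Kata CI file
apiVersion: v1
kind: Pod
metadata:
  name: sample-pod
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: sample-config
---
# only a comment here
---
"""


def naive_split(text: str) -> list:
    """String split: produces empty and comment-only 'documents'."""
    return text.split("\n---\n")


def split_yaml_documents(text: str) -> list:
    """Split a YAML stream into documents, dropping empty ones.

    A document is considered empty when every line is blank or a comment,
    so a stream ending in "---" does not produce a spurious last resource.
    """
    docs = []
    current = []

    def flush():
        has_content = any(
            line.strip() and not line.lstrip().startswith("#") for line in current
        )
        if has_content:
            docs.append("\n".join(current))
        current.clear()

    for line in text.splitlines():
        stripped = line.rstrip()
        if stripped == "---" or stripped.startswith("--- "):
            flush()
            rest = stripped[3:].strip()
            if rest:  # content on the marker line belongs to the new document
                current.append(rest)
        elif stripped == "...":  # explicit document end marker
            flush()
        else:
            current.append(line)
    flush()
    return docs


if __name__ == "__main__":
    print(len(naive_split(SAMPLE_STREAM)), "naive parts")
    for doc in split_yaml_documents(SAMPLE_STREAM):
        print("---\n" + doc)
```

Each returned document is still YAML text; feeding only these to the real parser means an empty document can no longer be mistaken for a resource with no `kind`.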
1. Remove PullImageRequest because that is not used in the main
   branch. It was used in the CCv0 branch.

2. Add default false values for the remaining Kata Agent ttrpc
   requests.

These changes don't change the functionality of the auto generated
Policy, but they help with easier understanding the Policy text and
the logging from the Rego rules.

Fixes: kata-containers#9049

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
For example, Kata CI's k8s-copy-file.bats transfers files between the
Host and the Guest using "kubectl exec", and that results in
CloseStdinRequest being called from the Host.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
Additional logging from the ExecProcessRequest rules, for easier
debugging.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
Improve logging, for easier debugging.

Fixes: kata-containers#9072

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
@jiria jiria requested review from a team as code owners February 5, 2025 02:01
@jiria jiria changed the title Jiria/solar OCI layer signature support Feb 5, 2025
cc @ms-mahuber - these changes probably break the current dev flow.

Member Author

Sorry, should have clarified, this is not yet ready for merging. The current proposal is to:

  1. syphon out the changes to tardev-snapshotter and merge those (perhaps modulo the salt changes)
  2. refactor the new tool to better align with genpolicy

@jiria jiria changed the title OCI layer signature support DNM: OCI layer signature support Feb 5, 2025
jiria commented Feb 13, 2025 via email
