[confcom] Updating katapolicygen to support new node image (#7849)

* changing containers to be hosted on mcr

* changing input args for genpolicy

* some containers use empty string env vars. this allows for that

* updating tests and readme for new kata interface

* updating images and getting rid of unused code

* moving import statement

* using MCR images

* updating test to have empty command

src/confcom/HISTORY.rst

@@ -2,6 +2,13 @@
 
 Release History
 ===============
+0.3.6
+++++++
+* updating genpolicy version up through 3.2.0.azl1.genpolicy0. Please note that this is a breaking change for deploying older policies. With the new node image, 0.3.6 or newer will be required.
+* changing genpolicy flags to give full path to config files instead of path as a flag
+* adding genpolicy flags for --containerd-pull, --containerd-socket-path, --rules-file-name, and --print-version
+* `-c` flag for katapolicygen now supports persistent volume claims
+
 0.3.5
 ++++++
 * making diff mode more robust

src/confcom/azext_confcom/_help.py

@@ -127,6 +127,23 @@
           type: bool
           short-summary: 'Path to custom settings file'
 
+        - name: --rules-file-name -p
+          type: bool
+          short-summary: 'Path to custom rules file'
+
+        - name: --print-version -v
+          type: bool
+          short-summary: 'Print the version of genpolicy tooling'
+
+        - name: --containerd-pull -d
+          type: string
+          short-summary: 'Use containerd to pull the image. This option is only supported on Linux'
+
+        - name: --containerd-socket-path
+          type: string
+          short-summary: 'Path to the containerd socket. This option is only supported on Linux'
+
+
     examples:
         - name: Input a Kubernetes YAML file to inject a base64 encoded Confidential Container Security Policy into the YAML file
           text: az confcom katapolicygen --yaml "./pod.json"
@@ -136,4 +153,8 @@
           text: az confcom katapolicygen --yaml "./pod.json" -j "./settings.json"
         - name: Input a Kubernetes YAML file and external config map file
           text: az confcom katapolicygen --yaml "./pod.json" --config-map-file "./configmap.json"
+        - name: Input a Kubernetes YAML file and custom rules file
+          text: az confcom katapolicygen --yaml "./pod.json" -p "./rules.rego"
+        - name: Input a Kubernetes YAML file with a custom containerd socket path
+          text: az confcom katapolicygen --yaml "./pod.json" --containerd-pull --containerd-socket-path "/my/custom/containerd.sock"
 """

src/confcom/azext_confcom/_params.py

@@ -132,7 +132,7 @@ def load_arguments(self, _):
         c.argument(
             "yaml_path",
             options_list=("--yaml", "-y"),
-            required=True,
+            required=False,
             help="Input YAML config file",
         )
         c.argument(
@@ -165,3 +165,27 @@ def load_arguments(self, _):
             required=False,
             help="Path for custom settings file",
         )
+        c.argument(
+            "rules_file_name",
+            options_list=("--rules-file-name", "-p"),
+            required=False,
+            help="Path for custom rules file",
+        )
+        c.argument(
+            "print_version",
+            options_list=("--print-version", "-v"),
+            required=False,
+            help="Print the version of the genpolicy tool",
+        )
+        c.argument(
+            "containerd_pull",
+            options_list=("--containerd-pull", "-d"),
+            required=False,
+            help="Use containerd to pull the image",
+        )
+        c.argument(
+            "containerd_socket_path",
+            options_list=("--containerd-socket-path"),
+            required=False,
+            help="Path to containerd socket if not using the default",
+        )

src/confcom/azext_confcom/custom.py

@@ -8,7 +8,7 @@
 
 from pkg_resources import parse_version
 from knack.log import get_logger
-from azext_confcom.config import DEFAULT_REGO_FRAGMENTS, DATA_FOLDER
+from azext_confcom.config import DEFAULT_REGO_FRAGMENTS
 from azext_confcom import os_util
 from azext_confcom.template_util import (
     pretty_print_func,
@@ -164,22 +164,27 @@ def katapolicygen_confcom(
     print_policy: bool = False,
     use_cached_files: bool = False,
     settings_file_name: str = None,
+    rules_file_name: str = None,
+    print_version: bool = False,
+    containerd_pull: str = False,
+    containerd_socket_path: str = None,
 ):
-
-    if settings_file_name:
-        if "genpolicy-settings.json" in settings_file_name:
-            error_out("Cannot use default settings file names")
-        os_util.copy_file(settings_file_name, DATA_FOLDER)
-
     kata_proxy = KataPolicyGenProxy()
 
+    if not (yaml_path or print_version):
+        error_out("Either --yaml-path or --print-version is required")
+
     output = kata_proxy.kata_genpolicy(
         yaml_path,
         config_map_file=config_map_file,
         outraw=outraw,
         print_policy=print_policy,
         use_cached_files=use_cached_files,
         settings_file_name=settings_file_name,
+        rules_file_name=rules_file_name,
+        print_version=print_version,
+        containerd_pull=containerd_pull,
+        containerd_socket_path=containerd_socket_path,
     )
     print(output)
     sys.exit(0)

src/confcom/azext_confcom/data/internal_config.json

@@ -1,5 +1,5 @@
 {
-    "version": "0.3.5",
+    "version": "0.3.6",
     "hcsshim_config": {
         "maxVersion": "1.0.0",
         "minVersion": "0.0.1"

src/confcom/azext_confcom/init_checks.py

@@ -18,10 +18,6 @@ def is_linux():
     return sys.platform in ("linux", "linux2")
 
 
-if is_linux():
-    import grp  # pylint: disable=import-error
-
-
 def is_admin() -> bool:
     admin = False
     try:
@@ -53,6 +49,7 @@ def docker_permissions() -> str:
     if is_linux() and not is_admin():
         client = None
         try:
+            import grp  # pylint: disable=import-error
             docker_group = grp.getgrnam("docker")
             client = docker.from_env()
             # need any command that will show the docker daemon is

src/confcom/azext_confcom/kata_proxy.py

@@ -103,16 +103,25 @@ def __init__(self):
             os.chmod(self.policy_bin, st.st_mode | stat.S_IXUSR)
 
     def kata_genpolicy(
-        self, yaml_path,
+        self,
+        yaml_path,
         config_map_file=None,
         outraw=False,
         print_policy=False,
         use_cached_files=False,
         settings_file_name=None,
+        rules_file_name=None,
+        print_version=False,
+        containerd_pull=False,
+        containerd_socket_path=None
     ) -> List[str]:
         policy_bin_str = str(self.policy_bin)
         # get path to data and rules folder
-        arg_list = [policy_bin_str, "-y", yaml_path, "-i", DATA_FOLDER]
+        arg_list = [policy_bin_str]
+
+        if yaml_path:
+            arg_list.append("-y")
+            arg_list.append(yaml_path)
 
         if config_map_file is not None:
             arg_list.append("-c")
@@ -127,16 +136,31 @@ def kata_genpolicy(
         if use_cached_files:
             arg_list.append("-u")
 
+        arg_list.append("-j")
         if settings_file_name:
-            arg_list.append("-j")
-            # only take the last part of the path for the settings file
-            settings_file_name = os.path.basename(settings_file_name)
             arg_list.append(settings_file_name)
+        else:
+            arg_list.append(os.path.join(DATA_FOLDER, "genpolicy-settings.json"))
+
+        arg_list.append("-p")
+        if rules_file_name:
+            arg_list.append(rules_file_name)
+        else:
+            arg_list.append(os.path.join(DATA_FOLDER, "rules.rego"))
+
+        if print_version:
+            arg_list.append("-v")
+
+        if containerd_pull:
+            item_to_append = "-d"
+            # -d by itself will use default path: /var/run/containerd/containerd.sock
+            # -d=my/path/my_containerd.sock will use the specified path
+            if containerd_socket_path:
+                item_to_append += f"={containerd_socket_path}"
+            arg_list.append(item_to_append)
 
         item = subprocess.run(
             arg_list,
-            # stdout=sys.stdout,
-            # stderr=sys.stderr,
             check=False,
         )
 

src/confcom/azext_confcom/security_policy.py

@@ -737,8 +737,6 @@ def load_policy_from_image_name(
         {
             config.ACI_FIELD_VERSION: "1.0",
             config.ACI_FIELD_CONTAINERS: containers,
-            # fallback to default fragments if the policy is not present
-            config.POLICY_FIELD_CONTAINERS_ELEMENTS_REGO_FRAGMENTS: config.DEFAULT_REGO_FRAGMENTS,
         },
         debug_mode=debug_mode,
         disable_stdio=disable_stdio,

src/confcom/azext_confcom/template_util.py

@@ -188,7 +188,10 @@ def process_env_vars_from_template(params: dict,
     if template_env_vars:
         for env_var in template_env_vars:
             name = case_insensitive_dict_get(env_var, "name")
-            value = case_insensitive_dict_get(env_var, "value") or case_insensitive_dict_get(env_var, "secureValue")
+            value = case_insensitive_dict_get(env_var, "value")
+            # "value" is allowed to be empty string
+            if value is None:
+                value = case_insensitive_dict_get(env_var, "secureValue")
 
             if not name:
                 eprint(