[confcom] Updating katapolicygen to support new node image #7849

Merged
merged 8 commits into from
Aug 5, 2024
Merged
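--- a/src/confcom/HISTORY.rst
+++ b/src/confcom/HISTORY.rst
@@ -2,6 +2,13 @@
 
 Release History
 ===============
+0.3.6
+++++++
+* updating genpolicy version up through 3.2.0.azl1.genpolicy0. Please note that this is a breaking change for deploying older policies. With the new node image, 0.3.6 or newer will be required.
+* changing genpolicy flags to give full path to config files instead of path as a flag
+* adding genpolicy flags for --containerd-pull, --containerd-socket-path, --rules-file-name, and --print-version
+* `-c` flag for katapolicygen now supports persistent volume claims
+
 0.3.5
 ++++++
 * making diff mode more robust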
21 changes: 21 additions & 0 deletions src/confcom/azext_confcom/_help.py
Expand Up @@ -127,6 +127,23 @@
type: bool
short-summary: 'Path to custom settings file'

- name: --rules-file-name -p
type: bool
short-summary: 'Path to custom rules file'

- name: --print-version -v
type: bool
short-summary: 'Print the version of genpolicy tooling'

- name: --containerd-pull -d
type: string
short-summary: 'Use containerd to pull the image. This option is only supported on Linux'

- name: --containerd-socket-path
type: string
short-summary: 'Path to the containerd socket. This option is only supported on Linux'


examples:
- name: Input a Kubernetes YAML file to inject a base64 encoded Confidential Container Security Policy into the YAML file
text: az confcom katapolicygen --yaml "./pod.json"
Expand All @@ -136,4 +153,8 @@
text: az confcom katapolicygen --yaml "./pod.json" -j "./settings.json"
- name: Input a Kubernetes YAML file and external config map file
text: az confcom katapolicygen --yaml "./pod.json" --config-map-file "./configmap.json"
- name: Input a Kubernetes YAML file and custom rules file
text: az confcom katapolicygen --yaml "./pod.json" -p "./rules.rego"
- name: Input a Kubernetes YAML file with a custom containerd socket path
text: az confcom katapolicygen --yaml "./pod.json" --containerd-pull --containerd-socket-path "/my/custom/containerd.sock"
"""
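Review bot: The declared parameter types in the new help entries do not match how the options are used: `--rules-file-name -p` is given `type: bool` although its summary and the example `-p "./rules.rego"` show it takes a path, and `--containerd-pull -d` is given `type: string` although the example uses it as a bare flag with no value. The sibling `--settings-file-name` entry just above already carries the same `type: bool` for a path, so this may be a copy-paste pattern rather than intent, but it will render misleading help. I would change them to `type: string` for `--rules-file-name` and `type: bool` for `--containerd-pull`, assuming the argument registration treats the latter as a store-true flag (its default in custom.py is `False`, which suggests so).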
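--- a/src/confcom/azext_confcom/_params.py
+++ b/src/confcom/azext_confcom/_params.py
@@ -132,7 +132,7 @@ def load_arguments(self, _):
 c.argument(
 "yaml_path",
 options_list=("--yaml", "-y"),
-required=True,
+required=False,
 help="Input YAML config file",
 )
 c.argument(
@@ -165,3 +165,27 @@ def load_arguments(self, _):
 required=False,
 help="Path for custom settings file",
 )
+c.argument(
+"rules_file_name",
+options_list=("--rules-file-name", "-p"),
+required=False,
+help="Path for custom rules file",
+)
+c.argument(
+"print_version",
+options_list=("--print-version", "-v"),
+required=False,
+help="Print the version of the genpolicy tool",
+)
+c.argument(
+"containerd_pull",
+options_list=("--containerd-pull", "-d"),
+required=False,
+help="Use containerd to pull the image",
+)
+c.argument(
+"containerd_socket_path",
+options_list=("--containerd-socket-path"),
+required=False,
+help="Path to containerd socket if not using the default",
+)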
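Review bot: `options_list=("--containerd-socket-path")` in the last new `c.argument` call is a parenthesized string, not a one-element tuple, unlike every sibling argument in this hunk which passes a tuple. If the option list is iterated by the framework, a bare string is iterated character by character, so this should be `options_list=("--containerd-socket-path",)` (or a list) for consistency and to avoid relying on any tolerant handling downstream. Separately, `containerd_pull` and `print_version` are registered with no explicit action; their flag behaviour presumably comes from the `False` defaults on `katapolicygen_confcom`, which is worth a short comment here since nothing in this file says so. `load_arguments` starts before this hunk.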
19 changes: 12 additions & 7 deletions src/confcom/azext_confcom/custom.py
Expand Up @@ -8,7 +8,7 @@

from pkg_resources import parse_version
from knack.log import get_logger
from azext_confcom.config import DEFAULT_REGO_FRAGMENTS, DATA_FOLDER
from azext_confcom.config import DEFAULT_REGO_FRAGMENTS
from azext_confcom import os_util
from azext_confcom.template_util import (
pretty_print_func,
Expand Down Expand Up @@ -164,22 +164,27 @@ def katapolicygen_confcom(
print_policy: bool = False,
use_cached_files: bool = False,
settings_file_name: str = None,
rules_file_name: str = None,
print_version: bool = False,
containerd_pull: str = False,
containerd_socket_path: str = None,
):

if settings_file_name:
if "genpolicy-settings.json" in settings_file_name:
error_out("Cannot use default settings file names")
os_util.copy_file(settings_file_name, DATA_FOLDER)

kata_proxy = KataPolicyGenProxy()

if not (yaml_path or print_version):
error_out("Either --yaml-path or --print-version is required")

output = kata_proxy.kata_genpolicy(
yaml_path,
config_map_file=config_map_file,
outraw=outraw,
print_policy=print_policy,
use_cached_files=use_cached_files,
settings_file_name=settings_file_name,
rules_file_name=rules_file_name,
print_version=print_version,
containerd_pull=containerd_pull,
containerd_socket_path=containerd_socket_path,
)
print(output)
sys.exit(0)
Expand Down
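Review bot: The new guard's message `error_out("Either --yaml-path or --print-version is required")` names an option that does not exist; the registered option for `yaml_path` in _params.py is `--yaml` / `-y`, so the message should read `"Either --yaml or --print-version is required"`. The new parameter is also annotated `containerd_pull: str = False` while its default is a bool and kata_proxy.py only tests it for truthiness, so `containerd_pull: bool = False` matches both the default and the use. With the copy of the settings file into `DATA_FOLDER` removed here, the retained check against `"genpolicy-settings.json"` in the filename no longer protects anything visible in this hunk; if it is kept for another reason a one-line comment saying why would help. `katapolicygen_confcom` starts before and continues after this hunk.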
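--- a/src/confcom/azext_confcom/data/internal_config.json
+++ b/src/confcom/azext_confcom/data/internal_config.json
@@ -1,5 +1,5 @@
 {
-"version": "0.3.5",
+"version": "0.3.6",
 "hcsshim_config": {
 "maxVersion": "1.0.0",
 "minVersion": "0.0.1"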
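--- a/src/confcom/azext_confcom/init_checks.py
+++ b/src/confcom/azext_confcom/init_checks.py
@@ -18,10 +18,6 @@ def is_linux():
 return sys.platform in ("linux", "linux2")
 
 
-if is_linux():
-import grp # pylint: disable=import-error
-
-
 def is_admin() -> bool:
 admin = False
 try:
@@ -53,6 +49,7 @@ def docker_permissions() -> str:
 if is_linux() and not is_admin():
 client = None
 try:
+import grp # pylint: disable=import-error
 docker_group = grp.getgrnam("docker")
 client = docker.from_env()
 # need any command that will show the docker daemon is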
38 changes: 31 additions & 7 deletions src/confcom/azext_confcom/kata_proxy.py
Expand Up @@ -103,16 +103,25 @@ def __init__(self):
os.chmod(self.policy_bin, st.st_mode | stat.S_IXUSR)

def kata_genpolicy(
self, yaml_path,
self,
yaml_path,
config_map_file=None,
outraw=False,
print_policy=False,
use_cached_files=False,
settings_file_name=None,
rules_file_name=None,
print_version=False,
containerd_pull=False,
containerd_socket_path=None
) -> List[str]:
policy_bin_str = str(self.policy_bin)
# get path to data and rules folder
arg_list = [policy_bin_str, "-y", yaml_path, "-i", DATA_FOLDER]
arg_list = [policy_bin_str]

if yaml_path:
arg_list.append("-y")
arg_list.append(yaml_path)

if config_map_file is not None:
arg_list.append("-c")
Expand All @@ -127,16 +136,31 @@ def kata_genpolicy(
if use_cached_files:
arg_list.append("-u")

arg_list.append("-j")
if settings_file_name:
arg_list.append("-j")
# only take the last part of the path for the settings file
settings_file_name = os.path.basename(settings_file_name)
arg_list.append(settings_file_name)
else:
arg_list.append(os.path.join(DATA_FOLDER, "genpolicy-settings.json"))

arg_list.append("-p")
if rules_file_name:
arg_list.append(rules_file_name)
else:
arg_list.append(os.path.join(DATA_FOLDER, "rules.rego"))

if print_version:
arg_list.append("-v")

if containerd_pull:
item_to_append = "-d"
# -d by itself will use default path: /var/run/containerd/containerd.sock
# -d=my/path/my_containerd.sock will use the specified path
if containerd_socket_path:
item_to_append += f"={containerd_socket_path}"
arg_list.append(item_to_append)

item = subprocess.run(
arg_list,
# stdout=sys.stdout,
# stderr=sys.stderr,
check=False,
)

Expand Down
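Review bot: In the second hunk a user-supplied settings file is reduced to its basename before being passed to `-j` (`settings_file_name = os.path.basename(settings_file_name)`), while the default settings path, the default rules path and a user-supplied `rules_file_name` are all passed as full paths. Now that custom.py no longer copies the settings file into `DATA_FOLDER` and the `-i DATA_FOLDER` argument has been dropped from this method, a path such as `./configs/settings.json` reaches genpolicy as bare `settings.json`, which presumably resolves against the current working directory rather than the file the user named; the HISTORY entry for this release also says full paths are now given. I would delete the basename line and its comment and use `arg_list.append(settings_file_name)`, mirroring the rules-file branch. A smaller point: `containerd_socket_path` is only consulted inside `if containerd_pull:`, so `--containerd-socket-path` given without `--containerd-pull` is silently ignored, which deserves either a warning or a comment on that branch. `kata_genpolicy` continues past the end of the hunk.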
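--- a/src/confcom/azext_confcom/security_policy.py
+++ b/src/confcom/azext_confcom/security_policy.py
@@ -737,8 +737,6 @@ def load_policy_from_image_name(
 {
 config.ACI_FIELD_VERSION: "1.0",
 config.ACI_FIELD_CONTAINERS: containers,
-# fallback to default fragments if the policy is not present
-config.POLICY_FIELD_CONTAINERS_ELEMENTS_REGO_FRAGMENTS: config.DEFAULT_REGO_FRAGMENTS,
 },
 debug_mode=debug_mode,
 disable_stdio=disable_stdio,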
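--- a/src/confcom/azext_confcom/template_util.py
+++ b/src/confcom/azext_confcom/template_util.py
@@ -188,7 +188,10 @@ def process_env_vars_from_template(params: dict,
 if template_env_vars:
 for env_var in template_env_vars:
 name = case_insensitive_dict_get(env_var, "name")
-value = case_insensitive_dict_get(env_var, "value") or case_insensitive_dict_get(env_var, "secureValue")
+value = case_insensitive_dict_get(env_var, "value")
+# "value" is allowed to be empty string
+if value is None:
+value = case_insensitive_dict_get(env_var, "secureValue")
 
 if not name:
 eprint(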
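Review bot: The `is None` check correctly stops an empty `"value"` from falling through to `"secureValue"`, but the comment only states the rule, not the consequence for the policy: an entry that carries both keys now contributes its plain `value` and its `secureValue` is ignored, where before an empty `value` would have leaked into the `secureValue` path. I would extend the comment to `# "value" is allowed to be an empty string; only fall back to "secureValue" when "value" is absent`, so the precedence is explicit to the next reader. Whether the downstream rule ever expects both keys on one entry is not visible here. `process_env_vars_from_template` starts before and continues after this hunk.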