mirror of
https://github.com/aljazceru/kata-containers.git
synced 2026-02-15 03:24:30 +01:00
Fixes: #7573
To enable this feature, build your rootfs using AGENT_POLICY=yes. The
default is AGENT_POLICY=no.
Building rootfs using AGENT_POLICY=yes has the following effects:
1. The kata-opa service gets included in the Guest image.
2. The agent gets built using AGENT_POLICY=yes.
After this patch, the shim calls SetPolicy if and only if a Policy
annotation is attached to the sandbox/pod. When creating a sandbox/pod
that doesn't have an attached Policy annotation:
1. If the agent was built using AGENT_POLICY=yes, the new sandbox uses
the default agent settings, which might include a default Policy too.
2. If the agent was built using AGENT_POLICY=no, the new sandbox is
executed the same way as before this patch.
Any SetPolicy calls from the shim to the agent fail if the agent was
built using AGENT_POLICY=no.
If the agent was built using AGENT_POLICY=yes:
1. The agent reads the contents of a default policy file during sandbox
start-up.
2. The agent then connects to the OPA service on localhost and sends
the default policy to OPA.
3. If the shim calls SetPolicy:
a. The agent checks if SetPolicy is allowed by the current
policy (the current policy is typically the default policy
mentioned above).
b. If SetPolicy is allowed, the agent deletes the current policy
from OPA and replaces it with the new policy it received from
the shim.
A typical new policy from the shim doesn't allow any future SetPolicy
calls.
4. For every agent rpc API call, the agent asks OPA if that call
should be allowed. OPA allows or denies a call based on the current
policy, the name of the agent API, and the API call's inputs. The
agent rejects any calls that are rejected by OPA.
When building using AGENT_POLICY_DEBUG=yes, additional Policy logging
gets enabled in the agent. In particular, information about the inputs
for agent rpc API calls is logged in /tmp/policy.txt, on the Guest VM.
These inputs can be useful for investigating API calls that might have
been rejected by the Policy. Examples:
1. Load a failing policy file test1.rego on a different machine:
opa run --server --addr 127.0.0.1:8181 test1.rego
2. Collect the API inputs from Guest's /tmp/policy.txt and test on the
machine where the failing policy has been loaded:
curl -X POST http://localhost:8181/v1/data/agent_policy/CreateContainerRequest \
--data-binary @test1-inputs.json
Signed-off-by: Dan Mihai <dmihai@microsoft.com>
(cherry picked from commit ab829d1038)
Note: this is cherry-picked to help with the following:
- Provide a building block to continue experimenting with policy and identify issues at the earliest.
This is especially helpful for remote hypervisor (peer-pods) as currently we have no way to test
this feature and identify areas of improvements as part of merge to main.
- Provide a building block to prototype and understand any potential gaps or integration
issues with the initdata specification discussed in the following issue - https://github.com/confidential-containers/confidential-containers/issues/171
There are no tests for this feature in the CCv0 branch and you should use it at your own risk.
Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>
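The debugging workflow described in the commit message (load the failing policy into a stand-alone OPA server, then replay the agent API inputs collected from the guest's /tmp/policy.txt against it) as a small script. This is an added example, not code from the kata-containers project or from the commit. It assumes the OPA server from step 1 is listening on 127.0.0.1:8181, that the policy publishes decisions under package `agent_policy` with one boolean rule per agent API name (which is what the `/v1/data/agent_policy/CreateContainerRequest` path in step 2 implies), and that the inputs extracted from the log have been saved as JSON lines of the form `{"api": "<ApiName>", "input": {...}}`; that record layout is an assumption, since the raw format of /tmp/policy.txt is not described here.

```python
"""Replay recorded Kata agent API inputs against a local OPA server.

Added example (not part of the kata-containers commit). Assumptions:
  * OPA is running as in the commit message:
        opa run --server --addr 127.0.0.1:8181 test1.rego
  * the policy package is `agent_policy` and exposes one boolean rule per
    agent API, so the decision for CreateContainerRequest lives at
    /v1/data/agent_policy/CreateContainerRequest
  * the inputs collected from the guest's /tmp/policy.txt have been saved
    as JSON lines of the form {"api": "<ApiName>", "input": {...}}
    (record layout assumed; adapt parse_records() to your build's log format)
"""
import json
import urllib.error
import urllib.request

OPA_URL = "http://127.0.0.1:8181"
POLICY_PACKAGE = "agent_policy"


def decision_path(api_name: str) -> str:
    """Build the OPA Data API path for one agent API rule.

    Only plain identifiers are accepted, so a malformed or hostile API name
    taken from a log file cannot be turned into a different OPA path.
    """
    if not api_name.isidentifier():
        raise ValueError(f"not a valid agent API name: {api_name!r}")
    return f"/v1/data/{POLICY_PACKAGE}/{api_name}"


def wrap_input(call_input: dict) -> bytes:
    """OPA expects the document under an `input` key, exactly what
    `curl --data-binary @test1-inputs.json` has to send."""
    return json.dumps({"input": call_input}).encode()


def parse_decision(body: bytes) -> bool:
    """Fail closed.

    OPA answers {"result": true} for an allowed call, {"result": false} when
    the rule evaluated to false, and {} (no `result` key at all) when the
    rule is undefined, e.g. no rule body matched the input or the rule name
    is misspelled. Only an explicit boolean true counts as allowed.
    """
    doc = json.loads(body)
    return doc.get("result") is True


def query_opa(api_name: str, call_input: dict, opa_url: str = OPA_URL,
              timeout: float = 5.0) -> bool:
    """POST one recorded input to OPA and return its allow/deny decision.

    Transport and decoding errors are reported as deny, so the replay never
    claims an allow it could not actually obtain from the policy.
    """
    req = urllib.request.Request(
        opa_url + decision_path(api_name),
        data=wrap_input(call_input),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return parse_decision(resp.read())
    except (OSError, ValueError):  # URLError is an OSError; bad JSON is a ValueError
        return False


def parse_records(text: str) -> list:
    """Parse JSON-lines records, skipping anything that is not a JSON object
    with the assumed `api` and `input` keys (the log also carries plain lines)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and "api" in rec and isinstance(rec.get("input"), dict):
            records.append(rec)
    return records


def replay(records: list, opa_url: str = OPA_URL) -> list:
    """Return [(api_name, allowed)] for every record, in log order."""
    return [(r["api"], query_opa(r["api"], r["input"], opa_url)) for r in records]


# Constructed sample log: one ordinary log line plus two assumed input records.
SAMPLE_LOG = """\
[policy] default policy loaded, waiting for SetPolicy
{"api": "CreateSandboxRequest", "input": {"hostname": "sandbox-1"}}
{"api": "CreateContainerRequest", "input": {"container_id": "c1", "OCI": {"Process": {"Args": ["/bin/sh"]}}}}
"""

if __name__ == "__main__":
    for api, allowed in replay(parse_records(SAMPLE_LOG)):
        print(f"{api}: {'allow' if allowed else 'DENY'}")
```

Run it with the OPA server from step 1 up and it prints one allow/DENY line per recorded call; a rule that is missing or misspelled in test1.rego shows up as DENY rather than as a silent pass, because an undefined OPA document carries no `result` key.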
423 lines
14 KiB
YAML
#
# Copyright (c) 2018 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0
#

---
description: |
  This file contains version details that are used by various
  repositories for setting up the correct environment to run
  tests and package components.

format: |
  Each entry in this file MUST conform to the following format:

  <group>:
    description: "<brief-description>"
    notes: "<notes>"

    <project>:
      description: "<brief-description>"
      notes: "<notes>"
      url: "<project-url>"
      issue: "<bug-url>"
      commit: "<commit>"
      version: "<version>"
      uscan-opts: "<optional uscan options>"
      uscan-url: "<url regex for uscan to list versions>"
      release: "<version>"
      branch: "<git-branch>"
      meta:
        <key-1>: "<value-1>"
        <key-n>: "<value-n>"

  Notes:

  - All sections (except "meta") MUST include a description where
    applicable. This is expected to be a brief summary.

  - A section MAY specify a "notes" section which may be multi-line.
    It is expected to expand on the information specified in
    "description".

  - All sections (except "meta") MUST include a URL where applicable.

  - A section MAY specify a bug URL using the "issue" field.

  - A section MAY define a "meta" section to store additional
    information about a project or group.

  - Each entry MUST specify AT LEAST one of "commit", "version", "release"
    and "branch".

  - WARNING: Gotcha alert! Remember to double-quote all strings
    (except multi-line strings)! This avoids the possibility of a
    version containing a period being treated as a floating point
    number (and truncated!)

  - NOTE: For the uscan related entries, refer to the following uscan pages:
    https://manpages.debian.org/stretch/devscripts/uscan.1.en.html
    https://wiki.debian.org/debian/watch
    Particularly note the 'Common mistakes' section.
    Also note, if you place the uscan strings on single lines in this file then
    '\'s need to be '\'d, so are replaced with '\\', but this does not apply
    for '>-' multi line entries, which can then use the normal uscan syntax.

assets:
  description: "Additional required system elements"

  hypervisor:
    description: "Component used to create virtual machines"

    cloud_hypervisor:
      # yamllint disable-line rule:line-length
      description: "Cloud Hypervisor is an open source Virtual Machine Monitor -- DO NOT TOUCH on main -> CCv0 merges"
      url: "https://github.com/cloud-hypervisor/cloud-hypervisor"
      uscan-url: >-
        https://github.com/cloud-hypervisor/cloud-hypervisor/tags.*/v?(\d\S+)\.tar\.gz
      version: "v29.0"

    firecracker:
      description: "Firecracker micro-VMM"
      url: "https://github.com/firecracker-microvm/firecracker"
      uscan-url: >-
        https://github.com/firecracker-microvm/firecracker/tags
        .*/v?(\d\S+)\.tar\.gz
      version: "v1.4.0"

    qemu:
      description: "VMM that uses KVM"
      url: "https://github.com/qemu/qemu"
      version: "v7.1.0"
      tag: "v7.1.0"
      # Do not include any non-full release versions
      # Break the line *without CR or space being appended*, to appease
      # yamllint, and note the deliberate ' ' at the end of the expression.
      uscan-opts: "opts=uversionmangle=s/(\\d)[_\\.\\-\\+]?\
        ((RC|rc|pre|dev|beta|alpha)\\d*)$/$1~$2/ "
      uscan-url: >-
        https://github.com/qemu/qemu/tags
        .*/v?(\d\S+)\.tar\.gz

    qemu-experimental:
      description: "QEMU with virtiofs support"
      url: "https://github.com/qemu/qemu"
      version: "7a800cf9496fddddf71b21a00991e0ec757a170a"

    qemu-tdx-experimental:
      # yamllint disable-line rule:line-length
      description: "QEMU with TDX support - DO NOT TOUCH on main -> CCv0 merges"
      url: "https://github.com/kata-containers/qemu"
      tag: "TDX-v3.1"

    qemu-snp-experimental:
      description: "QEMU with experimental SNP support (no UPM)"
      url: "https://github.com/AMDESE/qemu"
      tag: "3b6a2b6b7466f6dea53243900b7516c3f29027b7"

  image:
    description: |
      Root filesystem disk image used to boot the guest virtual
      machine.
    url: "https://github.com/kata-containers/kata-containers/tools/osbuilder"
    architecture:
      aarch64:
        name: &default-image-name "ubuntu"
        version: &default-image-version "latest"
      ppc64le:
        name: *default-image-name
        version: *default-image-version
      s390x:
        name: *default-image-name
        version: *default-image-version
      x86_64:
        name: *default-image-name
        version: *default-image-version
      tdx:
        name: *default-image-name
        version: *default-image-version
    meta:
      image-type: *default-image-name

  initrd:
    description: |
      Root filesystem initrd used to boot the guest virtual
      machine.
    url: "https://github.com/kata-containers/kata-containers/tools/osbuilder"
    architecture:
      aarch64:
        name: &default-initrd-name "ubuntu"
        version: &default-initrd-version "20.04"
      ppc64le:
        name: &glibc-initrd-name "ubuntu"
        version: &glibc-initrd-version "20.04"
      s390x:
        name: *glibc-initrd-name
        version: *glibc-initrd-version
      x86_64:
        name: *default-initrd-name
        version: *default-initrd-version
      mariner:
        name: "cbl-mariner"
        version: "2.0"
      sev:
        name: *glibc-initrd-name
        version: *glibc-initrd-version

  kernel:
    description: "Linux kernel optimised for virtual machines"
    url: "https://cdn.kernel.org/pub/linux/kernel/v6.x/"
    version: "v6.1.52"
    sev:
      description: "Linux kernel that supports SEV and SNP"
      url: "https://cdn.kernel.org/pub/linux/kernel/v5.x/"
      version: "v5.19.2"
    snp:
      description: "Linux kernel that supports AMD SEV-SNP for VMs"
      url: "https://cdn.kernel.org/pub/linux/kernel/v5.x/"
      version: "v5.19.2"

  kernel-arm-experimental:
    description: "Linux kernel with cpu/mem hotplug support on arm64"
    url: "https://cdn.kernel.org/pub/linux/kernel/v5.x/"
    version: "v5.15.7"

  kernel-dragonball-experimental:
    description: "Linux kernel with Dragonball VMM optimizations like upcall"
    url: "https://cdn.kernel.org/pub/linux/kernel/v5.x/"
    version: "v5.10.25"

  kernel-tdx-experimental:
    # yamllint disable-line rule:line-length
    description: "Linux kernel with TDX support -- DO NOT TOUCH on main -> CCv0 merges"
    url: "https://github.com/kata-containers/linux/archive/refs/tags"
    version: "5.15-plus-TDX"

externals:
  description: "Third-party projects used by the system"

  attestation-agent:
    description: "Provide attested key unwrapping for image decryption"
    url: "https://github.com/confidential-containers/guest-components/"
    version: "v0.8.0"

  cni-plugins:
    description: "CNI network plugins"
    url: "https://github.com/containernetworking/plugins"
    version: "v1.2.0"

  conmon:
    description: "An OCI container runtime monitor"
    url: "https://github.com/containers/conmon"
    version: "v2.0.10"

  crio:
    description: |
      OCI-based Kubernetes Container Runtime Interface implementation
    url: "https://github.com/cri-o/cri-o"
    branch: "release-1.23"

  containerd:
    description: |
      Containerd for Kubernetes Container Runtime Interface.
    forked:
      # CCv0 is using our fork of containerd as the changes can't be merged yet
      # DO NOT TOUCH DURING MERGES FROM MAIN TO CCv0
      url: "github.com/confidential-containers/containerd"
      # yamllint disable-line rule:line-length
      tarball_url: "https://github.com/confidential-containers/containerd/releases/download"
      version: "v1.6.8.2"
      # CCv0 needs to know about the specific branch for the integration tests
      branch: "CC-main"
    upstream:
      # DO NOT TOUCH DURING MERGES FROM MAIN TO CCv0
      url: "github.com/containerd/containerd"
      # yamllint disable-line rule:line-length
      tarball_url: "https://github.com/containerd/containerd/releases/download"
      version: "v1.6.8"
      # CCv0 needs to know about the specific branch for the integration tests
      branch: "release/1.6"

  critools:
    description: "CLI tool for Container Runtime Interface (CRI)"
    url: "https://github.com/kubernetes-sigs/cri-tools"
    version: "1.23.0"
    # As we don't want to disrupt what we have on the `tests` repo, let's
    # create a "latest" entry and use that for the GitHub actions tests.
    latest: "v1.27"

  cryptsetup:
    description: "A utility used to setup disk encryption, integrity protection"
    url: "https://gitlab.com/cryptsetup/cryptsetup"
    version: "v2.5.0"

  gperf:
    description: "GNU gperf is a perfect hash function generator"
    url: "http://ftp.gnu.org/pub/gnu/gperf/"
    version: "3.1"

  lvm2:
    description: "LVM2 and device-mapper tools and libraries"
    url: "https://github.com/lvmteam/lvm2"
    version: "v2_03_16"

  kubernetes:
    description: "Kubernetes project container manager"
    url: "https://github.com/kubernetes/kubernetes"
    # regexp formed to match 'd.tar.gz', deliberately to not match any alpha or
    # beta type releases
    uscan-url: >-
      https://github.com/kubernetes/kubernetes/tags
      .*/v?([\d\.]+)\.tar\.gz
    version: "1.23.1-00"

  libseccomp:
    description: "High level interface to Linux seccomp filter"
    url: "https://github.com/seccomp/libseccomp"
    version: "2.5.4"

  pause:
    description: "Kubernetes pause container image"
    repo: "docker://registry.k8s.io/pause"
    version: "3.6"

  runc:
    description: "OCI CLI reference runtime implementation"
    url: "https://github.com/opencontainers/runc"
    # Oddly, here we do want rc versions, as there appears to be little else
    # really for runc.
    uscan-url: >-
      https://github.com/opencontainers/runc/tags
      .*/v?(\d\S+)\.tar\.gz
    version: "v1.1.4"

  skopeo:
    description: "Utility for container images and image repositories"
    url: "https://github.com/containers/skopeo"
    version: "1.9.1"

  nydus:
    description: "Nydus image acceleration service"
    url: "https://github.com/dragonflyoss/image-service"
    version: "v2.2.3"

  nydus-snapshotter:
    description: "Snapshotter for Nydus image acceleration service"
    url: "https://github.com/containerd/nydus-snapshotter"
    version: "v0.12.0"

  open-policy-agent:
    description: "Open Policy Agent"
    url: "https://github.com/open-policy-agent/opa"
    version: "v0.55.0"
    meta:
      # - If an OPA package is available for the Guest image distro, that
      #   package is used instead of the binary below.
      #
      # - TODO: if an OPA package is not available for the Guest image distro,
      #   Kata should cache the OPA source code, toolchain information, etc.
      #   OPA should be built from the cached source code instead of downloading
      #   this binary.
      #
      # yamllint disable-line rule:line-length
      binary: "https://github.com/open-policy-agent/opa/releases/download/v0.55.0/opa_linux_amd64_static"

  ovmf:
    description: "Firmware, implementation of UEFI for virtual machines."
    url: "https://github.com/tianocore/edk2"
    x86_64:
      description: "Vanilla firmware build"
      version: "edk2-stable202202"
      package: "OvmfPkg/OvmfPkgX64.dsc"
      package_output_dir: "OvmfX64"
    sev:
      description: "AmdSev build needed for SEV measured direct boot."
      version: "edk2-stable202302"
      package: "OvmfPkg/AmdSev/AmdSevX64.dsc"
      package_output_dir: "AmdSev"
    tdx:
      url: "https://github.com/tianocore/edk2-staging"
      # yamllint disable-line rule:line-length
      description: "TDVF build needed for TDX measured direct boot. -- DO NOT TOUCH on main -> CCv0 merges"
      version: "2022-tdvf-ww28.5"
      package: "OvmfPkg/OvmfPkgX64.dsc"
      package_output_dir: "OvmfX64"

  td-shim:
    # yamllint disable-line rule:line-length
    description: "Confidential Containers Shim Firmware -- DO NOT TOUCH on main -> CCv0 merges"
    url: "https://github.com/confidential-containers/td-shim"
    version: "v0.8.0"
    toolchain: "nightly-2023-08-28"

  virtiofsd:
    description: "vhost-user virtio-fs device backend written in Rust"
    url: "https://gitlab.com/virtio-fs/virtiofsd"
    version: "v1.6.1"
    toolchain: "1.66.0"
    meta:
      # From https://gitlab.com/virtio-fs/virtiofsd/-/releases/v1.7.0,
      # this is the link labelled virtiofsd-v1.7.0.zip
      #
      # yamllint disable-line rule:line-length
      binary: "https://gitlab.com/virtio-fs/virtiofsd/uploads/dc56ecbf86ce1226bdc31f946cfded75/virtiofsd-v1.7.0.zip"

languages:
  description: |
    Details of programming languages required to build system
    components.

  golang:
    description: "Google's 'go' language"
    notes: "'version' is the default minimum version used by this project."
    version: "1.19.3"
    meta:
      description: |
        'newest-version' is the latest version known to work when
        building Kata
      newest-version: "1.19.3"

  rust:
    description: "Rust language"
    notes: "'version' is the default minimum version used by this project."
    version: "1.72.0"
    meta:
      description: |
        'newest-version' is the latest version known to work when
        building Kata
      newest-version: "1.72.0"

  golangci-lint:
    description: "golangci-lint"
    notes: "'version' is the default minimum version used by this project."
    version: "1.50.1"
    meta:
      description: |
        'newest-version' is the latest version known to work when
        building Kata
      newest-version: "1.50.1"

specs:
  description: "Details of important specifications"

  oci:
    description: "Open Containers Initiative runtime specification"
    url: "https://github.com/opencontainers/runtime-spec/releases"
    uscan-url: >-
      https://github.com/opencontainers/runtime-spec/tags
      .*/v?(\d\S+)\.tar\.gz
    version: "v1.0.2"

plugins:
  description: |
    Details of plugins required for the components or testing.

  sriov-network-device:
    description: |
      The SR-IOV network device plugin is Kubernetes device plugin for
      discovering and advertising SR-IOV virtual functions (VFs)
      available on a Kubernetes host.
    url: "https://github.com/k8snetworkplumbingwg/sriov-network-device-plugin"
    version: "b7f6d3e0679796e907ecca88cfab0e32e326850d"