genpolicy: support raw block devices #9651

Open
burgerdev opened this issue May 16, 2024 · 0 comments · May be fixed by #9706
Labels
enhancement Improvement to an existing feature needs-review Needs to be assessed by the team.

Comments

@burgerdev

Which feature do you think can be improved?

The genpolicy tool.

How can it be improved?

genpolicy should accept Kubernetes resources that use volumeDevice and create an appropriate policy for these devices.

Additional Information

This should work:

cargo run -- -p rules.rego -j genpolicy-settings.json -u <<EOF
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: voldev
spec:
  replicas: 1
  serviceName: voldev
  selector:
    matchLabels:
      app: voldev
  template:
    metadata:
      labels:
        app: voldev
    spec:
      containers:
      - command:
        - /bin/sh
        - -c
        - |
          stat /dev/csi0
          tail -f /dev/null
        image: alpine:3.19.1
        name: voldev
        volumeDevices:
        - devicePath: /dev/csi0
          name: state
      runtimeClassName: kata-cc-isolation
  volumeClaimTemplates:
  - metadata:
      name: state
    spec:
      accessModes:
      - ReadWriteOnce
      resources:
        requests:
          storage: 1Gi
      storageClassName: default
      volumeMode: Block
EOF

Right now, it produces an error because some of the fields are not defined:

thread 'main' panicked at src/yaml.rs:341:9:
Unsupported field: spec.template.spec.containers.0.volumeDevices
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

The structs need to be modified to understand volumeDevices and the policy needs to be adjusted to allow the defined devices.

cc @danmihai1
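As an added illustration of the check the linked pull request describes (this is example code written here, not genpolicy's own Rust implementation), the following Python validates the device list of a container-creation request against the `volumeDevices` declared for that container in the PodSpec, plus a global allowlist for devices injected at runtime (for example by a device plugin). The PodSpec fragment mirrors the StatefulSet above; the request shape (`path`/`type`, after OCI `linux.devices`), the settings key `common.allowed_devices` and the `/dev/nvidia0` entry are constructed assumptions for the example.

```python
"""Policy-side device check: every device a container-creation request asks
for must be backed by a volumeDevices entry in the PodSpec or by the global
allowlist from the settings file. Example code, not genpolicy's own."""
from typing import Dict, List, Tuple

# Constructed PodSpec fragment, matching the StatefulSet in the issue.
# volumeDevices entries are raw block devices ("b" in OCI device terms).
POD_SPEC = {
    "containers": [
        {
            "name": "voldev",
            "volumeDevices": [{"devicePath": "/dev/csi0", "name": "state"}],
        }
    ],
}

# Constructed settings fragment. The key name "allowed_devices" and the
# /dev/nvidia0 character device are assumptions for this example.
SETTINGS = {
    "common": {
        "allowed_devices": [{"path": "/dev/nvidia0", "type": "c"}],
    },
}


def container_device_allowlist(
    pod_spec: dict, container_name: str, settings: dict
) -> Dict[str, str]:
    """Return {device path: expected OCI device type} for one container.

    The global allowlist applies to every container; PodSpec volumeDevices
    apply only to the container that declares them and are always block
    devices, so a request naming the same path as a character device fails.
    """
    allow: Dict[str, str] = {}
    for dev in settings.get("common", {}).get("allowed_devices", []):
        allow[dev["path"]] = dev["type"]
    for container in pod_spec.get("containers", []):
        if container.get("name") != container_name:
            continue
        for vd in container.get("volumeDevices", []):
            allow[vd["devicePath"]] = "b"
    return allow


def check_request(
    container_name: str, requested: List[dict], pod_spec: dict, settings: dict
) -> Tuple[bool, List[str]]:
    """Validate requested devices (each {"path": ..., "type": ...}).

    Returns (allowed, reasons); reasons is empty when the request is allowed.
    Unknown paths and type mismatches are both rejected, so a request cannot
    smuggle in an extra device the PodSpec never declared.
    """
    allow = container_device_allowlist(pod_spec, container_name, settings)
    problems: List[str] = []
    for dev in requested:
        expected = allow.get(dev["path"])
        if expected is None:
            problems.append(
                f"{dev['path']}: not declared in PodSpec volumeDevices "
                f"or in the settings allowlist"
            )
        elif expected != dev["type"]:
            problems.append(
                f"{dev['path']}: requested type {dev['type']!r}, "
                f"policy expects {expected!r}"
            )
    return (not problems, problems)


def demo() -> Tuple[bool, bool]:
    """Run one request that should pass and one that should be rejected."""
    good, _ = check_request(
        "voldev", [{"path": "/dev/csi0", "type": "b"}], POD_SPEC, SETTINGS
    )
    # Constructed bad request: an undeclared disk plus the declared path
    # with the wrong device type.
    bad, reasons = check_request(
        "voldev",
        [{"path": "/dev/sda", "type": "b"}, {"path": "/dev/csi0", "type": "c"}],
        POD_SPEC,
        SETTINGS,
    )
    for reason in reasons:
        print("rejected:", reason)
    return good, bad


if __name__ == "__main__":
    print(demo())
```

The design point is that the allowlist is derived only from what the PodSpec and the settings file declare, never from the request itself; anything the request adds beyond that is rejected, which is the property the policy needs for the guest agent to trust the device list.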

@burgerdev burgerdev added enhancement Improvement to an existing feature needs-review Needs to be assessed by the team. labels May 16, 2024
burgerdev added a commit to burgerdev/kata-containers that referenced this issue May 24, 2024
CreateContainerRequest objects can specify devices to be created inside
the guest VM. This change ensures that requested devices have a
corresponding entry in the PodSpec.

Fixes: kata-containers#9651
Signed-off-by: Markus Rudy <mr@edgeless.systems>
@burgerdev burgerdev linked a pull request May 24, 2024 that will close this issue
@katacontainersbot katacontainersbot moved this from To do to In progress in Issue backlog May 24, 2024
burgerdev added a commit to burgerdev/kata-containers that referenced this issue May 24, 2024
CreateContainerRequest objects can specify devices to be created inside
the guest VM. This change ensures that requested devices have a
corresponding entry in the PodSpec.

Devices that are added to the pod dynamically, for example via the
Device Plugin architecture, can be allowlisted globally by adding their
definition to the settings file.

Fixes: kata-containers#9651
Signed-off-by: Markus Rudy <mr@edgeless.systems>
burgerdev added a commit to burgerdev/kata-containers that referenced this issue May 31, 2024
CreateContainerRequest objects can specify devices to be created inside
the guest VM. This change ensures that requested devices have a
corresponding entry in the PodSpec.

Devices that are added to the pod dynamically, for example via the
Device Plugin architecture, can be allowlisted globally by adding their
definition to the settings file.

Fixes: kata-containers#9651
Signed-off-by: Markus Rudy <mr@edgeless.systems>