Open stevenhorsman opened 1 week ago
In our initial investigation it looks like there are potentially two problems:

`AgentConfig:{KernelModules:[] ContainerPipeSize:0 DialTimeout:0 LongLiveConn:true Debug:false Trace:false EnableDebugConsole:false Policy:}`. We probably need some more logging here to debug
OK, I created a local branch which fixed part 2 and, even though Policy wasn't logged in the AgentConfig, that worked, so maybe it's missing for security reasons or something? I'll create the kata-containers PR and hopefully fix the problem soon.
9881 has been merged now, so I've created https://github.com/confidential-containers/cloud-api-adaptor/pull/1876 to add the e2e tests for this
As a peer pods workload owner I want to be able to block certain endpoints so that I can restrict the interactions that users can have with my workloads
Description

In https://github.com/confidential-containers/cloud-api-adaptor/pull/1607 Pradipta added policy based on the CCv0 stream, however after some testing that @snir911 and I have done, we've found it doesn't work with the changed implementation on the kata-containers main branch. We should investigate this, try and get it working and ideally add the e2e tests that were supposed to come following that PR.
Acceptance Criteria

Scenario: Block exec command
Given a peer pods set-up including the "latest" kata-containers main codebase and a pod created, which includes the annotation `io.katacontainers.config.agent.policy:` which is set to the base64 version of `allow-all-except-exec-process.rego`
When we run `kubectl exec <pod_name> -- <command>`
Then the request is blocked with an error that includes `failed to exec in container` and `Validation failed for data.policy.ExecProcess`

Scenario: Fully permissive policy
Given a peer pods set-up including the "latest" kata-containers main codebase and a pod created, which includes the annotation `io.katacontainers.config.agent.policy:` which is set to the base64 version of `allow-all.rego`
When we run `kubectl exec <pod_name> -- <command>`
Then the request is successful

Scenario: Check default policy is permissive
Given a peer pods set-up including the "latest" kata-containers main codebase and a pod created, with no `io.katacontainers.config.agent.policy:` annotation
When we run `kubectl exec <pod_name> -- <command>`
Then the request is successful
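An added example, not code from the issue or the cloud-api-adaptor project, of the three scenarios above as a shell script: it renders the pod manifest with the base64-encoded policy annotation (or none, for the default-policy case), execs into the pod, and classifies the result by the two error strings the first scenario expects. It assumes kubectl reaches a peer pods cluster, a runtime class named `kata-remote`, and the rego files present in the working directory.

```shell
# Added example (not from the issue or the cloud-api-adaptor repo). Assumptions:
# kubectl reaches a peer pods cluster, the runtime class is "kata-remote", rego files are local.
set -eu
# Render a pod manifest; when a rego file is given, its base64 goes into the
# io.katacontainers.config.agent.policy annotation (no file = agent default policy).
render_policy_pod() {
  pod_name=$1; rego_file=${2:-}; annotations=""
  if [ -n "$rego_file" ]; then
    encoded=$(base64 < "$rego_file" | tr -d '\n')   # annotation value must be a single line
    annotations="  annotations:
    io.katacontainers.config.agent.policy: \"${encoded}\""
  fi
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: ${pod_name}
${annotations}
spec:
  runtimeClassName: kata-remote
  containers:
  - name: app
    image: busybox
    command: ["sleep", "3600"]
EOF
}
# Map a kubectl exec result to the outcome the scenarios assert on:
# "allowed" (exit 0), "blocked" (both policy error strings present), else "error: <output>".
classify_exec_result() {
  rc=$1; out=$2
  if [ "$rc" -eq 0 ]; then echo allowed; return 0; fi
  if printf '%s' "$out" | grep -q "failed to exec in container" &&
     printf '%s' "$out" | grep -q "Validation failed for data.policy.ExecProcess"; then
    echo blocked; return 0
  fi
  echo "error: $out"
}
# Run one scenario end to end: create the pod, exec into it, compare with the expected outcome.
# Usage: run_exec_scenario <pod_name> <rego_file or ""> <allowed|blocked>
run_exec_scenario() {
  render_policy_pod "$1" "$2" | kubectl apply -f -
  kubectl wait --for=condition=Ready "pod/$1" --timeout=300s
  exec_out=$(kubectl exec "$1" -- true 2>&1) && exec_rc=0 || exec_rc=$?
  kubectl delete pod "$1" --wait=false
  [ "$(classify_exec_result "$exec_rc" "$exec_out")" = "$3" ]
}
```

Against a cluster, the three scenarios are `run_exec_scenario policy-deny-exec allow-all-except-exec-process.rego blocked`, `run_exec_scenario policy-allow-all allow-all.rego allowed` and `run_exec_scenario policy-default "" allowed`.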