genpolicy: Add optional toggle to pull images using containerd #9185

Merged
genpolicy: toggle containerd pull in tests
- Add v1 image test case
- Install protobuf-compiler in build check
- Reset containerd config to default in kubernetes test if we are testing genpolicy
- Update docker_credential crate
- Add test that uses default pull method
- Use GENPOLICY_PULL_METHOD in test

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
Redent0r committed Apr 9, 2024
commit 51498ba99a7d173964dd60db3eaaecfe11511304
2 changes: 1 addition & 1 deletion .github/workflows/build-checks.yaml
Expand Up @@ -95,7 +95,7 @@ jobs:
echo "LIBSECCOMP_LINK_TYPE=static" >> $GITHUB_ENV
echo "LIBSECCOMP_LIB_PATH=${libseccomp_install_dir}/lib" >> $GITHUB_ENV
- name: Install protobuf-compiler
if: ${{ matrix.command != 'make vendor' && (matrix.component == 'agent' || matrix.component == 'runk') }}
if: ${{ matrix.command != 'make vendor' && (matrix.component == 'agent' || matrix.component == 'runk' || matrix.component == 'genpolicy') }}
run: sudo apt-get -y install protobuf-compiler
- name: Install clang
if: ${{ matrix.command == 'make check' && matrix.component == 'agent' }}
4 changes: 2 additions & 2 deletions src/tools/genpolicy/Cargo.lock
4 changes: 3 additions & 1 deletion src/tools/genpolicy/Cargo.toml
Expand Up @@ -37,7 +37,7 @@ serde_yaml = "0.8"
# Container repository.
anyhow = "1.0.32"
async-trait = "0.1.68"
docker_credential = "1.2.0"
docker_credential = "1.3.1"
flate2 = { version = "1.0.26", features = ["zlib-ng"], default-features = false }
oci-distribution = { version = "0.10.0" }
openssl = { version = "0.10.54" }
Expand All @@ -59,6 +59,8 @@ sha2 = "0.10.6"
tarindex = { git = "https://github.com/kata-containers/tardev-snapshotter", rev = "06183a5" }
tempfile = "3.5.0"
zerocopy = "0.6.1"

# containerd image pull support
k8s-cri = "0.7.0"
tonic = "0.9.2"
tower = "0.4.13"
Expand Up @@ -57,6 +57,19 @@ To enable caching, use the `-u` command line parameter - e.g.,
$ RUST_LOG=info genpolicy -u -y test.yaml
```

# Use containerd to pull and manage images
You may specify `-d` to use existing `containerd` installation as image manager. This method supports a wider set of images (e.g., older images with `v1` manifest). Needs `sudo` permission to access socket - e.g.,

```bash
$ sudo genpolicy -d -y test.yaml
```

This will use `/var/contaienrd/containerd.sock` as default socket path. Or you may specify your own socket path - e.g.,

```bash
$ sudo genpolicy -d=/my/path/containerd.sock -y test.yaml
```

# Print the Policy text

To print the auto-generated Policy text, in addition to adding its `base64` encoding into the `YAML` file, specify the `-r` parameter - e.g.,
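Review bot: the default socket path given in the new "Use containerd" section is misspelled (`/var/contaienrd/containerd.sock`) and also disagrees with the path the test helper in tests_common.sh makes accessible (`/var/run/containerd/containerd.sock`); fix the spelling and state the path the code actually defaults to. The section should also say why `sudo` is required rather than presenting it as a mere inconvenience: access to the containerd socket lets the caller drive containerd itself, so it should not be opened up to unprivileged users. Minor wording: "Needs `sudo` permission to access socket" reads better as "Access to the socket requires `sudo`".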
4 changes: 2 additions & 2 deletions src/tools/genpolicy/src/registry_containerd.rs
@@ -1,4 +1,4 @@
// Copyright (c) 2023 Microsoft Corporation
// Copyright (c) 2024 Microsoft Corporation
//
// SPDX-License-Identifier: Apache-2.0
//
Expand Down Expand Up @@ -166,7 +166,7 @@ pub async fn pull_image(
image_ref: &Reference,
mut client: ImageServiceClient<tonic::transport::Channel>,
) -> Result<()> {
let auth = build_auth(&image_ref);
let auth = build_auth(image_ref);

debug!("cri auth: {:?}", auth);

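Review bot: `build_auth(image_ref)` now passes the `&Reference` directly, which is correct (the previous `&image_ref` produced an unnecessary `&&Reference`), but the line that follows, `debug!("cri auth: {:?}", auth)`, formats the whole auth value into the log. If that value carries the registry username, password or identity token resolved via docker_credential, redact it before logging or print only which kind of auth was resolved; RUST_LOG selects the level and debug output ends up in CI logs.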
Expand Up @@ -24,3 +24,4 @@ kubernetes:
- k8s-number-cpus
- k8s-oom
- k8s-qos-pods
- k8s-pod-manifest-v1.bats
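Review bot: the new entry `k8s-pod-manifest-v1.bats` keeps its `.bats` suffix while every other entry in this list (`k8s-number-cpus`, `k8s-oom`, `k8s-qos-pods`) is listed by bare name; if the runner matches skip entries by name, this one will not match and the test will run on a configuration it was meant to be skipped on. Use `k8s-pod-manifest-v1` here and in the two identical additions that follow.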
Expand Up @@ -12,3 +12,4 @@ kubernetes:
- k8s-limit-range
- k8s-number-cpus
- k8s-oom
- k8s-pod-manifest-v1.bats
Expand Up @@ -7,3 +7,4 @@ kubernetes:
- k8s-caps
- k8s-inotify
- k8s-sandbox-vcpus-allocation # see https://github.com/kata-containers/kata-containers/issues/9093
- k8s-pod-manifest-v1.bats
16 changes: 13 additions & 3 deletions tests/integration/kubernetes/gha-run.sh
Expand Up @@ -33,6 +33,7 @@ HTTPS_PROXY="${HTTPS_PROXY:-${https_proxy:-}}"
NO_PROXY="${NO_PROXY:-${no_proxy:-}}"
export AUTO_GENERATE_POLICY="${AUTO_GENERATE_POLICY:-no}"
export TEST_CLUSTER_NAMESPACE="${TEST_CLUSTER_NAMESPACE:-kata-containers-k8s-tests}"
export GENPOLICY_PULL_METHOD="${GENPOLICY_PULL_METHOD:-oci-distribution-client}"

function configure_devmapper() {
sudo mkdir -p /var/lib/containerd/devmapper
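Review bot: the default `oci-distribution-client` is never checked anywhere; the only comparison made elsewhere in this commit is `== "containerd"`, so a typo in GENPOLICY_PULL_METHOD silently falls back to the OCI client path and the containerd-specific test is skipped without any message. Consider validating the value against the two accepted names here and failing fast on anything else.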
Expand Down Expand Up @@ -252,10 +253,19 @@ function run_tests() {
[ "$platform" = "kcli" ] && \
export KUBECONFIG="$HOME/.kcli/clusters/${CLUSTER_NAME:-kata-k8s}/auth/kubeconfig"

# Enable auto-generated policy for CI images that support policy.
#
# Enable auto-generated policy for CI images that support policy
# and enable cri plugin in containerd config.
# TODO: enable testing auto-generated policy for other types of hosts too.
[ "${KATA_HOST_OS}" = "cbl-mariner" ] && export AUTO_GENERATE_POLICY="yes"

if [ "${KATA_HOST_OS}" = "cbl-mariner" ]; then

export AUTO_GENERATE_POLICY="yes"

# set default containerd config
@GabyCT @fidencio , this looks reasonable to me - but pointing it out to you just in case I am missing something important.

sudo containerd config default | sudo tee /etc/containerd/config.toml > /dev/null
echo "containerd config has been set to default"
sudo systemctl restart containerd && sudo systemctl is-active containerd
fi

set_test_cluster_namespace

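Review bot: the new block overwrites `/etc/containerd/config.toml` with `containerd config default` for every cbl-mariner host, but the commit message says the reset should happen only when genpolicy is tested with containerd; the condition here is `KATA_HOST_OS = cbl-mariner`, not `GENPOLICY_PULL_METHOD = containerd`, so all cbl-mariner runs lose whatever that file previously held. Gate the reset on the pull method, back up the existing file before replacing it, and check the exit status of the `containerd config default | tee` pipeline rather than relying only on `systemctl is-active`.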
31 changes: 31 additions & 0 deletions tests/integration/kubernetes/k8s-pod-manifest-v1.bats
@@ -0,0 +1,31 @@
#!/usr/bin/env bats
#
# Copyright (c) 2024 Microsoft.
#
# SPDX-License-Identifier: Apache-2.0
#

load "${BATS_TEST_DIRNAME}/../../common.bash"
load "${BATS_TEST_DIRNAME}/tests_common.sh"

setup() {
get_pod_config_dir
pod_name="nginxhttps"
pod_yaml="${pod_config_dir}/pod-manifest-v1.yaml"
auto_generate_policy "${pod_config_dir}" "${pod_yaml}"
}

@test "Deploy manifest v1 pod" {

kubectl create -f "${pod_yaml}"

# Wait for pod to start
kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name"
}

teardown() {
# Debugging information
kubectl describe "pod/$pod_name"

kubectl delete pod "$pod_name"
}
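Review bot: the test only asserts that the pod reaches Ready; since `auto_generate_policy` returns early when policy generation is disabled, the test passes trivially on hosts where no policy is generated and would not catch a regression in the containerd pull path it was added for. Either `skip` when policy generation is not enabled or assert that the pod carries the generated policy annotation. Also quote `"$timeout"` in the `kubectl wait` call.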
4 changes: 4 additions & 0 deletions tests/integration/kubernetes/run_kubernetes_tests.sh
Expand Up @@ -64,6 +64,10 @@ else
"k8s-nginx-connectivity.bats" \
)

if [ "${GENPOLICY_PULL_METHOD}" == "containerd" ]; then
K8S_TEST_SMALL_HOST_UNION+=("k8s-pod-manifest-v1.bats")
fi

K8S_TEST_NORMAL_HOST_UNION=( \
"k8s-number-cpus.bats" \
"k8s-parallel.bats" \
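Review bot: `[ "${GENPOLICY_PULL_METHOD}" == "containerd" ]` relies on bash's `==` inside single brackets and on the caller having exported the variable; if this script is run directly under `set -u` without gha-run.sh setting the default, it aborts. Use `"${GENPOLICY_PULL_METHOD:-}"` and `=` for portability.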
@@ -0,0 +1,18 @@
#
# Copyright (c) 2024 Microsoft
#
# SPDX-License-Identifier: Apache-2.0
#
apiVersion: v1
kind: Pod
metadata:
name: nginxhttps

spec:
runtimeClassName: kata
terminationGracePeriodSeconds: 0
containers:
- name: nginxhttps
image: "docker.io/ymqytw/nginxhttps:1.5"
I am not sure docker.io is acceptable for CI testing. Let's see if more experienced reviewers have better ideas here - I will ping them after we agree on the rest of the changes.

Looks like pod-file-volume.yaml is using docker too - so maybe it is acceptable.

@GabyCT @fidencio, do we have to avoid CI testing using a container from docker.io?

The only similar test seems to be pod-file-volume.yaml (a.k.a. k8s-file-volume.bats). I noticed that most other tests are using images from quay.io.

Thanks!

ports:
- containerPort: 80
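Review bot: the image is referenced by mutable tag (`docker.io/ymqytw/nginxhttps:1.5`) from a personal docker.io namespace; for a test whose point is to exercise manifest handling in the policy generator, a re-pushed tag changes the generated policy and therefore the test outcome, and the project has no control over that namespace. Pin the reference by digest (`image@sha256:<digest>`) and, as the comments above already raise, mirror it to a registry the project controls.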
8 changes: 7 additions & 1 deletion tests/integration/kubernetes/tests_common.sh
Expand Up @@ -131,6 +131,9 @@ create_common_genpolicy_settings() {

# Set the default namespace of Kata CI tests in the genpolicy settings.
set_namespace_to_policy_settings "${genpolicy_settings_dir}" "${TEST_CLUSTER_NAMESPACE}"

# allow genpolicy to access containerd without sudo
sudo chmod a+rw /var/run/containerd/containerd.sock
@GabyCT @fidencio this looks reasonable to me - please speak up in case you disagree.

}

# If auto-generated policy testing is enabled, make a copy of the common genpolicy settings
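Review bot: `sudo chmod a+rw /var/run/containerd/containerd.sock` makes the containerd socket readable and writable by every local user on the CI node, which is root-equivalent access, and the mode change persists after the tests finish. Since the README added in this commit documents running `genpolicy -d` under `sudo`, prefer prefixing the genpolicy command with `sudo` when the containerd method is selected, or restrict access to a dedicated group; if the chmod must stay, record the previous mode and restore it in the cleanup path. Note also that the path here is `/var/run/containerd/...` while the README states the default as `/var/contaienrd/...`.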
Expand Down Expand Up @@ -166,7 +169,6 @@ auto_generate_policy() {
declare -r config_map_yaml_file="$3"

auto_generate_policy_enabled || return 0

local genpolicy_command="RUST_LOG=info /opt/kata/bin/genpolicy -u -y ${yaml_file}"
genpolicy_command+=" -p ${settings_dir}/rules.rego"
genpolicy_command+=" -j ${settings_dir}/genpolicy-settings.json"
Expand All @@ -175,6 +177,10 @@ auto_generate_policy() {
genpolicy_command+=" -c ${config_map_yaml_file}"
fi

if [ "${GENPOLICY_PULL_METHOD}" == "containerd" ]; then
genpolicy_command+=" -d"
fi

info "Executing: ${genpolicy_command}"
eval "${genpolicy_command}"
}
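Review bot: `-d` is appended without a socket path, so genpolicy falls back to its built-in default, while the chmod in `create_common_genpolicy_settings` targets `/var/run/containerd/containerd.sock`; if the two differ, the test fails with a permission error that is hard to attribute. Pass the path explicitly (`-d=/var/run/containerd/containerd.sock`, the form the README documents) so they stay in sync, and default the variable with `"${GENPOLICY_PULL_METHOD:-}"` here as well for direct invocations.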