genpolicy: add containerd pull method

Add optional toggle to use existing containerd installation to pull and manage container images. This adds support to a wider set of images that are currently not supported by standard pull method, such as those that use v1 manifest. Fixes: #9144 Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
kata-containers · danmihai1 · Apr 9, 2024 · Feb 28, 2024 · Feb 29, 2024 · Apr 8, 2024
commit c96ebf237c93e93b34f96dc47c89951fc1e91996
diff --git a/src/tools/genpolicy/Cargo.lock b/src/tools/genpolicy/Cargo.lock
diff --git a/src/tools/genpolicy/Cargo.toml b/src/tools/genpolicy/Cargo.toml
@@ -59,3 +59,7 @@ sha2 = "0.10.6"
 tarindex = { git = "https://github.com/kata-containers/tardev-snapshotter", rev = "06183a5" }
 tempfile = "3.5.0"
 zerocopy = "0.6.1"
+k8s-cri = "0.7.0"
+tonic = "0.9.2"
+tower = "0.4.13"
+containerd-client = "0.4.0"
diff --git a/src/tools/genpolicy/src/config_map.rs b/src/tools/genpolicy/src/config_map.rs
@@ -10,6 +10,7 @@ use crate::obj_meta;
 use crate::pod;
 use crate::policy;
 use crate::settings;
+use crate::utils::Config;
 use crate::yaml;
 
 use async_trait::async_trait;
@@ -81,7 +82,7 @@ pub fn get_value(value_from: &pod::EnvVarSource, config_maps: &Vec<ConfigMap>) -
 impl yaml::K8sResource for ConfigMap {
     async fn init(
         &mut self,
-        _use_cache: bool,
+        _config: &Config,
         doc_mapping: &serde_yaml::Value,
         _silent_unsupported_fields: bool,
     ) {

diff --git a/src/tools/genpolicy/src/daemon_set.rs b/src/tools/genpolicy/src/daemon_set.rs
@@ -11,6 +11,7 @@ use crate::pod;
 use crate::pod_template;
 use crate::policy;
 use crate::settings;
+use crate::utils::Config;
 use crate::yaml;
 
 use async_trait::async_trait;
@@ -72,11 +73,11 @@ struct RollingUpdateDaemonSet {
 impl yaml::K8sResource for DaemonSet {
     async fn init(
         &mut self,
-        use_cache: bool,
+        config: &Config,
         doc_mapping: &serde_yaml::Value,
         _silent_unsupported_fields: bool,
     ) {
-        yaml::k8s_resource_init(&mut self.spec.template.spec, use_cache).await;
+        yaml::k8s_resource_init(&mut self.spec.template.spec, config).await;
         self.doc_mapping = doc_mapping.clone();
     }
 

diff --git a/src/tools/genpolicy/src/deployment.rs b/src/tools/genpolicy/src/deployment.rs
@@ -11,6 +11,7 @@ use crate::pod;
 use crate::pod_template;
 use crate::policy;
 use crate::settings;
+use crate::utils::Config;
 use crate::yaml;
 
 use async_trait::async_trait;
@@ -70,11 +71,11 @@ struct RollingUpdateDeployment {
 impl yaml::K8sResource for Deployment {
     async fn init(
         &mut self,
-        use_cache: bool,
+        config: &Config,
         doc_mapping: &serde_yaml::Value,
         _silent_unsupported_fields: bool,
     ) {
-        yaml::k8s_resource_init(&mut self.spec.template.spec, use_cache).await;
+        yaml::k8s_resource_init(&mut self.spec.template.spec, config).await;
         self.doc_mapping = doc_mapping.clone();
     }
 

diff --git a/src/tools/genpolicy/src/job.rs b/src/tools/genpolicy/src/job.rs
@@ -11,6 +11,7 @@ use crate::pod;
 use crate::pod_template;
 use crate::policy;
 use crate::settings;
+use crate::utils::Config;
 use crate::yaml;
 
 use async_trait::async_trait;
@@ -44,11 +45,11 @@ pub struct JobSpec {
 impl yaml::K8sResource for Job {
     async fn init(
         &mut self,
-        use_cache: bool,
+        config: &Config,
         doc_mapping: &serde_yaml::Value,
         _silent_unsupported_fields: bool,
     ) {
-        yaml::k8s_resource_init(&mut self.spec.template.spec, use_cache).await;
+        yaml::k8s_resource_init(&mut self.spec.template.spec, config).await;
         self.doc_mapping = doc_mapping.clone();
     }
 

diff --git a/src/tools/genpolicy/src/list.rs b/src/tools/genpolicy/src/list.rs
@@ -9,6 +9,7 @@
 use crate::pod;
 use crate::policy;
 use crate::settings;
+use crate::utils::Config;
 use crate::yaml;
 
 use async_trait::async_trait;
@@ -39,12 +40,12 @@ impl Debug for dyn yaml::K8sResource + Send + Sync {
 
 #[async_trait]
 impl yaml::K8sResource for List {
-    async fn init(&mut self, use_cache: bool, _doc_mapping: &serde_yaml::Value, silent: bool) {
+    async fn init(&mut self, config: &Config, _doc_mapping: &serde_yaml::Value, silent: bool) {
         // Create K8sResource objects for each item in this List.
         for item in &self.items {
             let yaml_string = serde_yaml::to_string(&item).unwrap();
             let (mut resource, _kind) = yaml::new_k8s_resource(&yaml_string, silent).unwrap();
-            resource.init(use_cache, item, silent).await;
+            resource.init(config, item, silent).await;
             self.resources.push(resource);
         }
     }

diff --git a/src/tools/genpolicy/src/main.rs b/src/tools/genpolicy/src/main.rs
@@ -19,6 +19,7 @@ mod pod;
 mod pod_template;
 mod policy;
 mod registry;
+mod registry_containerd;
 mod replica_set;
 mod replication_controller;
 mod secret;

diff --git a/src/tools/genpolicy/src/no_policy.rs b/src/tools/genpolicy/src/no_policy.rs
@@ -9,6 +9,7 @@
 use crate::pod;
 use crate::policy;
 use crate::settings;
+use crate::utils::Config;
 use crate::yaml;
 
 use async_trait::async_trait;
@@ -24,7 +25,7 @@ pub struct NoPolicyResource {
 impl yaml::K8sResource for NoPolicyResource {
     async fn init(
         &mut self,
-        _use_cache: bool,
+        _config: &Config,
         _doc_mapping: &serde_yaml::Value,
         _silent_unsupported_fields: bool,
     ) {

diff --git a/src/tools/genpolicy/src/pod.rs b/src/tools/genpolicy/src/pod.rs
@@ -12,6 +12,7 @@ use crate::policy;
 use crate::registry;
 use crate::secret;
 use crate::settings;
+use crate::utils::Config;
 use crate::volume;
 use crate::yaml;
 
@@ -480,11 +481,9 @@ struct PodDNSConfigOption {
 }
 
 impl Container {
-    pub async fn init(&mut self, use_cache: bool) {
+    pub async fn init(&mut self, config: &Config) {
         // Load container image properties from the registry.
-        self.registry = registry::get_container(use_cache, &self.image)
-            .await
-            .unwrap();
+        self.registry = registry::get_container(config, &self.image).await.unwrap();
     }
 
     pub fn get_env_variables(
@@ -691,8 +690,8 @@ impl EnvVar {
 
 #[async_trait]
 impl yaml::K8sResource for Pod {
-    async fn init(&mut self, use_cache: bool, doc_mapping: &serde_yaml::Value, _silent: bool) {
-        yaml::k8s_resource_init(&mut self.spec, use_cache).await;
+    async fn init(&mut self, config: &Config, doc_mapping: &serde_yaml::Value, _silent: bool) {
+        yaml::k8s_resource_init(&mut self.spec, config).await;
         self.doc_mapping = doc_mapping.clone();
     }
 
@@ -832,7 +831,7 @@ fn compress_capabilities(capabilities: &mut Vec<String>, defaults: &policy::Comm
     }
 }
 
-pub async fn add_pause_container(containers: &mut Vec<Container>, use_cache: bool) {
+pub async fn add_pause_container(containers: &mut Vec<Container>, config: &Config) {
     debug!("Adding pause container...");
     let mut pause_container = Container {
         // TODO: load this path from the settings file.
@@ -849,7 +848,7 @@ pub async fn add_pause_container(containers: &mut Vec<Container>, use_cache: boo
         }),
         ..Default::default()
     };
-    pause_container.init(use_cache).await;
+    pause_container.init(config).await;
     containers.insert(0, pause_container);
     debug!("pause container added.");
 }
diff --git a/src/tools/genpolicy/src/policy.rs b/src/tools/genpolicy/src/policy.rs
@@ -381,7 +381,7 @@ impl AgentPolicy {
                 let yaml_string = serde_yaml::to_string(&doc_mapping)?;
                 let silent = config.silent_unsupported_fields;
                 let (mut resource, kind) = yaml::new_k8s_resource(&yaml_string, silent)?;
-                resource.init(config.use_cache, &doc_mapping, silent).await;
+                resource.init(config, &doc_mapping, silent).await;
 
                 // ConfigMap and Secret documents contain additional input for policy generation.
                 if kind.eq("ConfigMap") {

diff --git a/src/tools/genpolicy/src/registry.rs b/src/tools/genpolicy/src/registry.rs
@@ -10,6 +10,7 @@ use crate::containerd;
 use crate::policy;
 use crate::verity;
 
+use crate::utils::Config;
 use anyhow::{anyhow, bail, Result};
 use docker_credential::{CredentialRetrievalError, DockerCredential};
 use log::warn;
@@ -25,16 +26,16 @@ use tokio::{fs, io::AsyncWriteExt};
 /// Container image properties obtained from an OCI repository.
 #[derive(Clone, Debug, Default)]
 pub struct Container {
-    config_layer: DockerConfigLayer,
-    image_layers: Vec<ImageLayer>,
+    pub config_layer: DockerConfigLayer,
+    pub image_layers: Vec<ImageLayer>,
 }
 
 /// Image config layer properties.
 #[derive(Clone, Debug, Default, Deserialize, Serialize)]
-struct DockerConfigLayer {
+pub struct DockerConfigLayer {
     architecture: String,
     config: DockerImageConfig,
-    rootfs: DockerRootfs,
+    pub rootfs: DockerRootfs,
 }
 
 /// Image config properties.
@@ -50,9 +51,9 @@ struct DockerImageConfig {
 
 /// Container rootfs information.
 #[derive(Clone, Debug, Default, Deserialize, Serialize)]
-struct DockerRootfs {
+pub struct DockerRootfs {
     r#type: String,
-    diff_ids: Vec<String>,
+    pub diff_ids: Vec<String>,
 }
 
 /// This application's image layer properties.
@@ -260,25 +261,25 @@ async fn get_image_layers(
     Ok(layers)
 }
 
-fn get_verity_path(base_dir: &Path, file_name: &str) -> PathBuf {
+pub fn get_verity_path(base_dir: &Path, file_name: &str) -> PathBuf {
     let mut verity_path: PathBuf = base_dir.join(file_name);
     verity_path.set_extension("verity");
     verity_path
 }
 
-fn get_decompressed_path(verity_path: &Path) -> PathBuf {
+pub fn get_decompressed_path(verity_path: &Path) -> PathBuf {
     let mut decompressed_path = verity_path.to_path_buf().clone();
     decompressed_path.set_extension("tar");
     decompressed_path
 }
 
-fn get_compressed_path(decompressed_path: &Path) -> PathBuf {
+pub fn get_compressed_path(decompressed_path: &Path) -> PathBuf {
     let mut compressed_path = decompressed_path.to_path_buf().clone();
     compressed_path.set_extension("gz");
     compressed_path
 }
 
-async fn delete_files(base_dir: &Path, file_name: &str) {
+pub async fn delete_files(base_dir: &Path, file_name: &str) {
     let verity_path = get_verity_path(base_dir, file_name);
     let _ = fs::remove_file(&verity_path).await;
 
@@ -399,7 +400,7 @@ async fn create_decompressed_layer_file(
     Ok(())
 }
 
-fn do_create_verity_hash_file(decompressed_path: &PathBuf) -> Result<()> {
+pub fn do_create_verity_hash_file(decompressed_path: &PathBuf) -> Result<()> {
     info!("Calculating dm-verity root hash");
     let mut file = std::fs::File::open(decompressed_path)?;
     let size = file.seek(std::io::SeekFrom::End(0))?;
@@ -425,9 +426,11 @@ fn do_create_verity_hash_file(decompressed_path: &PathBuf) -> Result<()> {
 
     Ok(())
 }
-
-pub async fn get_container(use_cache: bool, image: &str) -> Result<Container> {
-    Container::new(use_cache, image).await
+pub async fn get_container(config: &Config, image: &str) -> Result<Container> {
+    if let Some(socket_path) = &config.containerd_socket_path {
+        return Container::new_containerd_pull(config.use_cache, image, socket_path).await;
+    }
+    Container::new(config.use_cache, image).await
 }
 
 fn build_auth(reference: &Reference) -> RegistryAuth {