podvm: allow setting custom agent-policy

by having custom.rego file set as agent policy CM

kubectl create configmap agent-policy --from-file=<path/to/custom.rego>

Signed-off-by: Snir Sheriber <[email protected]>

Author: snir911

config/peerpods/podvm/lib.sh

@@ -196,11 +196,16 @@ function prepare_source_code() {
             error_exit "Failed to enable fips mode"
     fi
 
-    if [[ "$CONFIDENTIAL_COMPUTE_ENABLED" == "yes" ]]; then
+    if [[ -e /tmp/kata-opa/custom.rego ]] ; then
+        echo "Setting custom agent policy according to file found"
+        ln -sf /tmp/kata-opa/custom.rego  "${podvm_dir}"/files/etc/kata-opa/default-policy.rego
+    elif [[ "$CONFIDENTIAL_COMPUTE_ENABLED" == "yes" ]] ; then
+        echo "Setting custom agent policy to CoCo's recommended policy"
         sed 's/default SetPolicyRequest := true/default SetPolicyRequest := false/; s/default ExecProcessRequest := true/default ExecProcessRequest := false/' \
             "${podvm_dir}"/files/etc/kata-opa/default-policy.rego > "${podvm_dir}"/files/etc/kata-opa/coco-default-policy.rego
         ln -sf "${podvm_dir}"/files/etc/kata-opa/coco-default-policy.rego  "${podvm_dir}"/files/etc/kata-opa/default-policy.rego
     fi
+    echo "\nCurrent Agent Policy:\n" && cat "${podvm_dir}"/files/etc/kata-opa/default-policy.rego
 }
 
 # Download and extract pause container image

config/peerpods/podvm/osc-podvm-create-job.yaml

@@ -55,10 +55,16 @@ spec:
               mountPath: /payload
             - name: regauth
               mountPath: /tmp/regauth
+            - name: agent-policy
+              mountPath: /tmp/kata-opa
       volumes:
         - name: payload
           emptyDir: {}
         - name: regauth
           secret:
             secretName: auth-json-secret
+        - name: agent-policy
+          configMap:
+            name: agent-policy
+            optional: true
       restartPolicy: Never