Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

podvm: agent policy support #430

Merged
merged 1 commit into from
Jul 18, 2024
Merged

podvm: agent policy support #430

merged 1 commit into from
Jul 18, 2024

Conversation

snir911
Copy link
Contributor

@snir911 snir911 commented Jul 17, 2024
edited by openshift-ci bot
Loading

@snir911 snir911 requested a review from bpradipt July 17, 2024 12:10
@snir911 snir911 self-assigned this Jul 17, 2024
@openshift-ci openshift-ci bot requested review from cpmeadors and gkurz July 17, 2024 12:11
@snir911
podvm: Set default restricted policy for CoCo
d8f7bc0 
by default it will block exec and setPolicy calls

Signed-off-by: Snir Sheriber <[email protected]>
gkurz
gkurz approved these changes Jul 17, 2024
View reviewed changes
Copy link
Member

@gkurz gkurz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

Thanks Snir !

Is there a jira to link to BTW ?

config/peerpods/podvm/lib.sh

if [[ "$CONFIDENTIAL_COMPUTE_ENABLED" == "yes" ]]; then
sed 's/default SetPolicyRequest := true/default SetPolicyRequest := false/; s/default ExecProcessRequest := true/default ExecProcessRequest := false/' \
"${podvm_dir}"/files/etc/kata-opa/default-policy.rego > "${podvm_dir}"/files/etc/kata-opa/coco-default-policy.rego
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Assuming that default-policy.rego comes from https://github.com/confidential-containers/cloud-api-adaptor/tree/main/src/cloud-api-adaptor/podvm/files/etc/kata-opa, this looks good to me.

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jul 17, 2024
@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Jul 17, 2024
@snir911
Copy link
Contributor Author

snir911 commented Jul 17, 2024

I removed the option for custom policy ATM as it messes something and i do not want to block the more essential part of this PR

@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Jul 17, 2024

@snir911: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/check d8f7bc0 link false /test check
ci/prow/sandboxed-containers-operator-e2e d8f7bc0 link false /test sandboxed-containers-operator-e2e

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

bpradipt
bpradipt approved these changes Jul 17, 2024
View reviewed changes
Copy link
Contributor

@bpradipt bpradipt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jul 17, 2024
@snir911 snir911 merged commit 1193e44 into openshift:devel Jul 18, 2024
2 of 4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gkurz gkurz gkurz approved these changes

@bpradipt bpradipt bpradipt approved these changes

@cpmeadors cpmeadors Awaiting requested review from cpmeadors

Assignees

@gkurz gkurz

@bpradipt bpradipt

@snir911 snir911

Labels
lgtm Indicates that a PR is ready to be merged.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@snir911 @gkurz @bpradipt