docs: add agent policy and genpolicy docs
Add docs for the Agent Policy and for the genpolicy tool.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
Showing 6 changed files with 822 additions and 12 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,29 +1,72 @@ | ||
# Agent Policy generation tool | ||
|
||
The Kata Containers policy generation tool (`genpolicy`): | ||
The Kata Containers Policy generation tool (`genpolicy`): | ||
|
||
1. Reads user's Kubernetes YAML file. | ||
1. Reads user's Kubernetes (`K8s`) `YAML` file. | ||
|
||
1. Infers user's intentions based on the contents of that file. | ||
|
||
1. Generates a Kata Containers Agent (`kata-agent`) policy file | ||
corresponding to the input YAML, using the Rego/Open Policy Agent | ||
format. | ||
1. Generates a Kata Containers Agent (`kata-agent`) Policy file corresponding to the input `YAML`, using the [Open Policy Agent format](https://www.openpolicyagent.org/docs/latest/policy-language/). | ||
|
||
1. Appends the policy as an annotation to user's YAML file. | ||
1. Encodes the auto-generated Policy text in base64 format and appends the encoded string as an annotation to user's `YAML` file. | ||
|
||
When the user deploys that YAML file, the Kata Agent uses the attached | ||
policy to reject possible Agent API calls that are not consistent with | ||
the policy. | ||
When the user deploys that `YAML` file through `K8s`, the Kata Agent uses the Policy specified by the `YAML` annotation to reject possible Agent API calls that are not consistent with the policy. For additional information, see [How to use the Kata Agent Policy](../../../docs/how-to/how-to-use-the-kata-agent-policy.md). | ||
|
||
The Policy auto-generated by `genpolicy` is typically used for implementing confidential containers, where the Kata Shim and the Kata Agent have different trust properties. | ||
|
||
**Warning** Users should review carefully the automatically-generated Policy, and modify the Policy file if needed to match better their use case, before using this Policy. | ||
|
||
# Building `genpolicy` from source code | ||
|
||
## Install build dependencies | ||
|
||
Example for Ubuntu 22.04.3: | ||
|
||
```bash | ||
$ sudo apt-get update | ||
$ sudo apt-get install -y build-essential cmake curl git musl-dev musl-tools | ||
$ curl --proto '=https' --tlsv1.3 https://sh.rustup.rs -sSf | sh | ||
$ source "$HOME/.cargo/env" | ||
$ arch=$(uname -m) | ||
$ rustup target add "${arch}-unknown-linux-musl" | ||
``` | ||
|
||
# Build `genpolicy` | ||
|
||
```bash | ||
$ git clone https://github.com/kata-containers/kata-containers.git | ||
$ cd kata-containers/src/tools/genpolicy | ||
$ source "$HOME/.cargo/env" | ||
$ make && make install | ||
``` | ||
|
||
If you want to use `LIBC=gnu` instead of the default `LIBC=musl`, change the last step above to: | ||
|
||
```bash | ||
$ LIBC=gnu make && LIBC=gnu make install | ||
``` | ||
|
||
# Executing `genpolicy` | ||
|
||
Example: | ||
|
||
```sh | ||
$ genpolicy -y samples/pod-one-container.yaml | ||
$ genpolicy -y test.yaml | ||
``` | ||
|
||
For a usage statement, run: | ||
|
||
```sh | ||
$ genpolicy --help | ||
``` | ||
|
||
For advanced command line parameters, see [`genpolicy` advanced command line parameters](genpolicy-advanced-command-line-parameters.md). | ||
|
||
|
||
# Supported Kubernetes `YAML` file types | ||
|
||
`genpolicy` has support for automatic Policy generation based on Kubernetes `DaemonSet`, `Deployment`, `Job`, `Pod`, `ReplicaSet`, `ReplicationController`, and `StatefulSet` input `YAML` files. | ||
|
||
# Policy details | ||
|
||
See [auto-generated Policy details](genpolicy-auto-generated-policy-details.md). |
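Review bot: the build-dependency step `curl --proto '=https' --tlsv1.3 https://sh.rustup.rs -sSf | sh` pipes a remote script straight into `sh`; since the output of this tool is what the Kata Agent later uses to reject API calls, suggest telling readers to download the installer to a file and inspect it (or use their distribution's `rustup`/`cargo` packages) before executing it. A smaller point in the same hunk: the "Executing `genpolicy`" example switches from the ```bash fences used above to ```sh and replaces `samples/pod-one-container.yaml` with `test.yaml`, a file the page never introduces; keeping the sample path keeps the example runnable as written.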