New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
genpolicy: mount source for non-confidential guest #9029
genpolicy: mount source for non-confidential guest #9029
Conversation
The emergent Kata CI tests for Policy use confidential_guest = false in genpolicy-settings.json. That value is inconsistent with the following mount settings: "emptyDir": { "mount_type": "local", "mount_source": "^$(cpath)/$(sandbox-id)/local/", "mount_point": "^$(cpath)/$(sandbox-id)/local/", "driver": "local", "source": "local", "fstype": "local", "options": [ "mode=0777" ] }, We need to keep those settings for confidential_guest = true, and change confidential_guest = false to use: "emptyDir": { "mount_type": "local", "mount_source": "^$(cpath)/$(sandbox-id)/rootfs/local/", "mount_point": "^$(cpath)/$(sandbox-id)/local/", "driver": "local", "source": "local", "fstype": "local", "options": [ "mode=0777" ] }, The value of the mount_source field is different. This change unblocks testing using Kata CI's pod-empty-dir.yaml: genpolicy -u -y pod-empty-dir.yaml kubectl apply -f pod-empty-dir.yaml k get pod sharevol-kata NAME READY STATUS RESTARTS AGE sharevol-kata 1/1 Running 0 53s Fixes: kata-containers#8887 Signed-off-by: Dan Mihai <dmihai@microsoft.com>
Hi @danmihai1 ! I didn't follow the initial CI implementation for testing the agent policy so I'm trying to understand it now. If I got it right, the yamls for the k8s tests are transformed (i.e. added annotations) for certain The following jobs met those conditions:
The aforementioned "yamls transformation" don't use the |
Yes:
|
Perfect. Got it! |
/test |
Ok, I think I understood how the I was thinking on how to remove the conditionals
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Based on my limited knowledge of genpolicy: LGTM!
That is correct. Sorry these settings are confusing - I agree we need to clean them up. |
The emergent Kata CI tests for Policy use confidential_guest = false in genpolicy-settings.json. That value is inconsistent with the following mount settings:
We need to keep those settings for confidential_guest = true, and change confidential_guest = false to use:
The value of the mount_source field is different.
This change unblocks testing using Kata CI's pod-empty-dir.yaml:
genpolicy -u -y pod-empty-dir.yaml
kubectl apply -f pod-empty-dir.yaml
k get pod sharevol-kata
NAME READY STATUS RESTARTS AGE
sharevol-kata 1/1 Running 0 53s
Fixes: #8887