Open
This adds our team as reviewers for PRs automatically again. Signed-off-by: Chris Co <chrco@microsoft.com> Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
github: copy CODEOWNERS from cc-msft-prototypes
Add SPDX license header to rules.rego. Signed-off-by: Dan Mihai <dmihai@microsoft.com>
Fixes: kata-containers#8816 Signed-off-by: Dan Mihai <dmihai@microsoft.com>
Clean up cargo clippy errors. Fixes: kata-containers#8818 Signed-off-by: Dan Mihai <dmihai@microsoft.com>
Package genpolicy and enable static checks for it. Fixes: kata-containers#8813 Signed-off-by: Dan Mihai <dmihai@microsoft.com>
Adjust genpolicy-settings.json to match the container root path from the main branch + cbl-mariner Guest VMs. This configuration might have to be adjusted again when other types of Guest VMs are tested during CI using genpolicy, in the future. Also, improve logging from allow_root_path(), to make it easier to debug these issues in the future. Fixes: kata-containers#8835 Signed-off-by: Dan Mihai <dmihai@microsoft.com>
Ignore pod DNS settings because policing the network traffic is currently outside the scope of the Agent Policy. Example from Kata CI: pod-custom-dns.yaml Fixes: kata-containers#8832 Signed-off-by: Dan Mihai <dmihai@microsoft.com>
Update sample files after genpolicy changes. Signed-off-by: Dan Mihai <dmihai@microsoft.com>
genpolicy: pick up improvements from upstream
Validate the sandbox_pidns field value for CreateSandbox and CreateContainer. Fixes: kata-containers#8868 Signed-off-by: Dan Mihai <dmihai@microsoft.com>
Update samples with the new shareProcessNamespace support. Signed-off-by: Dan Mihai <dmihai@microsoft.com>
genpolicy: add shareProcessNamespace support
Create the cache file if it's not present, instead of panicking. Signed-off-by: Dan Mihai <dmihai@microsoft.com>
github: add `upstream-missing` label to PR checklist
genpolicy: don't panic without cache file
Add policy support for SecurityContext and PodSecurityContext runAsUser. Also, remove outdated UID rule workaround. Fixes: kata-containers#8879 Signed-off-by: Dan Mihai <dmihai@microsoft.com>
Update samples after adding support for runAsUser. Signed-off-by: Dan Mihai <dmihai@microsoft.com>
genpolicy: add support for runAsUser
This fixes the below error when attempting to access the debug console when debug_console_enabled=true and all 3 enable_debug options are true: level=error msg="error create pseudo tty" error="open /dev/ptmx: operation not permitted" Signed-off-by: Aurelien Bombo <abombo@microsoft.com>
Doesn't make sense for non-TEEs and was only a remnant of cc-msft-prototypes. This will have to be taken into account in microsoft/azurelinux#6942. [upstream-merged] Already done this way upstream. Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
Also block requests with seccomp until it gets tested with CoCo Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
Update sample file after recent changes. Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
…file genpolicy: Add support for seccompProfile field
This allows generation of policy for pods specifying priority classes. Signed-off-by: Archana Choudhary <archana1@microsoft.com>
Adds priorityClassName to the test yaml file Signed-off-by: Archana choudhary <archana1@microsoft.com>
Prevent panic for PDB specs Signed-off-by: Archana Choudhary <archana1@microsoft.com>
genpolicy: add priorityClassName as a field in PodSpec interface
genpolicy: add support for PodDisruptionBudget spec
When the rootfs is built with AGENT_POLICY=no, the build fails at line 36 for us, since our package build does not have access to the entire source at once. Rather, we only copy the directories that we think we'll need (and we missed that one). TBA in a future packaging change. [upstream-not-needed] Upstream isn't affected as they build with the whole code base. Signed-off-by: Aurelien Bombo <abombo@microsoft.com>
Bumps google.golang.org/protobuf from 1.29.1 to 1.33.0. --- updated-dependencies: - dependency-name: google.golang.org/protobuf dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps golang.org/x/net from v0.8.0 to v0.23.0. Signed-off-by: Sumedh Alok Sharma <sumsharma@microsoft.com>
Bumps [rustix](https://github.com/bytecodealliance/rustix) from 0.37.19 to 0.37.27 in src/tardev-snapshotter, src/utarfs & src/overlay. - [Release notes](https://github.com/bytecodealliance/rustix/releases) - [Changelog](https://github.com/bytecodealliance/rustix/blob/main/CHANGELOG.md) - [Commits](bytecodealliance/rustix@v0.37.19...v0.37.27) --- updated-dependencies: - dependency-name: rustix dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
…ime/google.golang.org/protobuf-1.33.0 build(deps): bump google.golang.org/protobuf from 1.29.1 to 1.33.0 in /src/runtime
build(deps): bump dependency golang.org/x/net to v0.23.0
…apshotter/rustix-0.37.27 build(deps): bump rustix from 0.37.19 to 0.37.27 in /src/tardev-snapshotter
ci: Fix make static-checks
mcr.microsoft.com/azurelinux/base/nginx:1 got updated again on 12/6 and caused test failures on our pipeline due to the policy annotation of images that depend on nginx getting outdated. Replicate this image to our private test images ACR so that it is stable and doesn't get unknowingly updated or deleted. We will still test mcr.microsoft.com/azurelinux/base/nginx:1 under the "common_images" category and detect any future possible image breaking changes. The result of this change will be more stable test results without losing coverage. Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
samples: replicate nginx image to private ACR
cf07fbc to cc7ce2f
sprt reviewed Dec 10, 2024
cc7ce2f to 8e2cea3
sprt reviewed Dec 11, 2024
Redent0r approved these changes Dec 16, 2024
Target rust folders: src/tardev-snapshotter, src/agent, src/utarfs, src/overlay The change involves vendoring Cargo dependencies to enhance build reproducibility and security. All dependencies are downloaded and stored locally in a vendor directory, eliminating the need to fetch them from external sources during builds. The project's Cargo configuration is updated to prioritize these vendored sources, ensuring consistent, self-contained builds regardless of external factors like network availability or changes in dependency repositories. By committing the vendor directory to version control, the project gains improved security, faster build times, and determinism. Developers must refresh the vendored dependencies whenever updates are made to the Cargo.toml, by re-running cargo vendor. Signed-off-by: Archana Choudhary <archana1@microsoft.com>
8e2cea3 to 7fa67f9
sprt approved these changes Dec 19, 2024
sprt left a comment
Reviewed this by checking it out locally and LGTM.
But let's hold off on merging for now as @danmihai1 suggested an alternative approach that we might want to evaluate: don't vendor everything from the get go, but instead, for each package that needs to be patched, incrementally add it to the vendors.
manuelh-dev approved these changes Dec 28, 2024
Target rust folders: src/tardev-snapshotter, src/agent, src/utarfs, src/overlay
The change involves vendoring Cargo dependencies to enhance build reproducibility and security. All dependencies are downloaded and stored locally in a vendor directory, eliminating the need to fetch them from external sources during builds. The project's Cargo configuration is updated to prioritize these vendored sources, ensuring consistent, self-contained builds regardless of external factors like network availability or changes in dependency repositories. By committing the vendor directory to version control, the project gains improved security, faster build times, and determinism. Developers must refresh the vendored dependencies whenever updates are made to the Cargo.toml, by re-running cargo vendor.
Merge Checklist
upstream/missing label (or upstream/not-needed) has been set on the PR.
Summary
Test Methodology
Spec file changes (draft): microsoft/azurelinux@mahuber/kata-3.2.0.azl4...archana1/remove-rust-deps
Buddy Build of kata-containers and kata-containers-cc: https://dev.azure.com/mariner-org/mariner/_build?definitionId=2190&_a=summary (https://dev.azure.com/mariner-org/mariner/_build/results?buildId=693264&view=results)
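The vendored-build arrangement described in the PR, as an added example that is not part of this PR or of the kata-containers project: a Python audit a reviewer can run over a committed vendor directory. `cargo vendor` leaves a `.cargo-checksum.json` in each crate directory (per-file sha256 digests plus the digest of the registry `.crate` archive under `"package"`) and prints the `.cargo/config.toml` stanza that routes crates-io to the vendored tree (`[source.crates-io] replace-with = "vendored-sources"` and `[source.vendored-sources] directory = "vendor"`). The script checks that every listed file still matches its digest, that no unlisted files were slipped into a crate, and that each crate's `.crate` digest agrees with the `checksum` recorded in Cargo.lock, so the checksum file cannot be quietly rewritten to bless an edit without a visible Cargo.lock diff. The one-crate vendor tree it builds is constructed data, and the all-zero package digest is a placeholder, not a real crate hash.

```python
"""Audit a committed Cargo vendor/ tree against Cargo.lock (added example,
not kata-containers code). Assumes cargo's default layout: each
vendor/<crate>/.cargo-checksum.json lists per-file sha256 digests plus the
registry .crate digest ("package"), which Cargo.lock records as "checksum"."""
import hashlib
import json
import os
import re
import tempfile

KV = re.compile(r'^\s*(name|version|checksum)\s*=\s*"([^"]*)"\s*$', re.M)

def lock_checksums(lock_text):
    """(name, version) -> checksum per [[package]]; regex-based, no TOML lib."""
    out = {}
    for block in lock_text.split("[[package]]")[1:]:
        kv = dict(KV.findall(block))
        if "checksum" in kv:
            out[(kv["name"], kv["version"])] = kv["checksum"]
    return out

def package_id(cargo_toml):
    """(name, version) from the [package] table of a vendored Cargo.toml."""
    table = cargo_toml.split("[package]", 1)[1].split("\n[", 1)[0]
    kv = dict(KV.findall(table))
    return kv.get("name"), kv.get("version")

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def audit_crate(crate_dir, lock):
    """Findings for one vendored crate; an empty list means clean."""
    meta_path = os.path.join(crate_dir, ".cargo-checksum.json")
    if not os.path.isfile(meta_path):
        return [f"{crate_dir}: missing .cargo-checksum.json"]
    with open(meta_path) as f:
        meta = json.load(f)
    listed, findings = meta.get("files", {}), []
    # 1. every listed file must exist and hash to the recorded digest
    for rel, want in listed.items():
        path = os.path.join(crate_dir, rel)
        if not os.path.isfile(path):
            findings.append(f"{crate_dir}: listed file missing: {rel}")
        elif sha256_file(path) != want:
            findings.append(f"{crate_dir}: checksum mismatch: {rel}")
    # 2. every file on disk must be listed: an unlisted file escapes review but still compiles
    for root, _, files in os.walk(crate_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), crate_dir).replace(os.sep, "/")
            if rel != ".cargo-checksum.json" and rel not in listed:
                findings.append(f"{crate_dir}: unlisted file: {rel}")
    # 3. the .crate digest must agree with Cargo.lock (both None for git dependencies)
    toml_path = os.path.join(crate_dir, "Cargo.toml")
    if os.path.isfile(toml_path):
        with open(toml_path) as f:
            expected = lock.get(package_id(f.read()))
        if meta.get("package") != expected:
            findings.append(f"{crate_dir}: package digest disagrees with Cargo.lock")
    return findings

def audit_vendor_dir(vendor_dir, lock_path):
    with open(lock_path) as f:
        lock = lock_checksums(f.read())
    findings = []
    for entry in sorted(os.listdir(vendor_dir)):
        crate_dir = os.path.join(vendor_dir, entry)
        if os.path.isdir(crate_dir):
            findings.extend(audit_crate(crate_dir, lock))
    return findings

def build_demo(tamper=False):
    """Constructed one-crate vendor tree (not a real crate); tamper=True edits src/lib.rs afterwards."""
    root = tempfile.mkdtemp()
    crate = os.path.join(root, "vendor", "demo")
    os.makedirs(os.path.join(crate, "src"))
    files = {"Cargo.toml": b'[package]\nname = "demo"\nversion = "0.1.0"\n',
             "src/lib.rs": b"pub fn f() -> u32 { 1 }\n"}
    for rel, body in files.items():
        with open(os.path.join(crate, rel), "wb") as f:
            f.write(body)
    pkg = "0" * 64  # placeholder for the registry .crate sha256 (assumed value)
    with open(os.path.join(crate, ".cargo-checksum.json"), "w") as f:
        json.dump({"files": {r: hashlib.sha256(b).hexdigest() for r, b in files.items()},
                   "package": pkg}, f)
    if tamper:
        with open(os.path.join(crate, "src", "lib.rs"), "ab") as f:
            f.write(b"pub fn g() -> u32 { 2 }\n")
    lock_path = os.path.join(root, "Cargo.lock")
    with open(lock_path, "w") as f:
        f.write('[[package]]\nname = "demo"\nversion = "0.1.0"\n'
                'source = "registry+https://github.com/rust-lang/crates.io-index"\n'
                f'checksum = "{pkg}"\n')
    return os.path.join(root, "vendor"), lock_path

if __name__ == "__main__":
    for tamper in (False, True):
        vendor, lock = build_demo(tamper)
        print("tampered" if tamper else "clean", audit_vendor_dir(vendor, lock))
```

Run it once per target folder named in the PR (each of src/agent, src/tardev-snapshotter, src/utarfs and src/overlay with its own vendor directory and Cargo.lock), or once against a shared vendor directory if the crates were vendored together with `cargo vendor -s <path/to/Cargo.toml>`. The audit proves the committed tree is consistent with Cargo.lock, not that the crates themselves were reviewed: a legitimate `cargo vendor` refresh after a Cargo.toml bump changes both, and that diff is what the reviewer still has to read.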