From 14b8c3c6d528536a37b5918a4b0f16a2f91f7ed6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A9lien=20Bombo?=
Date: Thu, 17 Oct 2024 20:14:28 +0000
Subject: [PATCH] genpolicy: Support confidential ephemeral volumes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This adds a new setting to genpolicy to support confidential ephemeral volumes.

Signed-off-by: Aurélien Bombo
---
 src/tools/genpolicy/genpolicy-settings.json | 6 +++--
 src/tools/genpolicy/src/mount_and_storage.rs | 25 +++++++++++++++++---
 src/tools/genpolicy/src/policy.rs | 3 +++
 src/tools/genpolicy/src/stateful_set.rs | 7 ++++++
 4 files changed, 36 insertions(+), 5 deletions(-)

diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json
index 7d35862afa73..e5c11fb410b2 100644
--- a/src/tools/genpolicy/genpolicy-settings.json
+++ b/src/tools/genpolicy/genpolicy-settings.json
@@ -277,13 +277,15 @@
 "CAP_CHECKPOINT_RESTORE"
 ],
 "virtio_blk_storage_classes": [
- "cc-local-csi",
 "cc-managed-csi",
 "cc-managed-premium-csi"
 ],
 "smb_storage_classes": [
 "cc-azurefile-csi",
 "cc-azurefile-premium-csi"
+ ],
+ "coco_ephemeral_storage_classes": [
+ "cc-local-csi"
 ]
 },
 "kata_config": {
@@ -322,4 +324,4 @@
 "UpdateEphemeralMountsRequest": false,
 "WriteStreamRequest": false
 }
-}
\ No newline at end of file
+}
diff --git a/src/tools/genpolicy/src/mount_and_storage.rs b/src/tools/genpolicy/src/mount_and_storage.rs
index ecb8bf5776ff..0fb0cdace0da 100644
--- a/src/tools/genpolicy/src/mount_and_storage.rs
+++ b/src/tools/genpolicy/src/mount_and_storage.rs
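Review bot: Moving `cc-local-csi` from `virtio_blk_storage_classes` to `coco_ephemeral_storage_classes` in the first hunk changes the policy generated for every existing workload that uses that class, and neither the commit description nor the settings file says so. With these defaults such a volume is now described as a `blk` storage carrying the `confidential=true` and `ephemeral=true` driver options (see the `handle_persistent_volume_claim` hunk), so a policy regenerated from the new settings will presumably no longer match a runtime that still provisions `cc-local-csi` as a plain virtio-blk device. A sentence in the commit description naming the reclassification, and a line in the documentation for the new key, would spare users a confusing policy-denied container start.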
@@ -246,9 +246,14 @@ fn get_persistent_volume_claim_mount(
 .and_then(|pvc_resource| pvc_resource.spec.storageClassName.as_ref())
 .is_some_and(|sc| settings.common.smb_storage_classes.contains(sc));
 
+ let is_coco_ephemeral_mount = pvc_resource
+ .and_then(|pvc_resource| pvc_resource.spec.storageClassName.as_ref())
+ .is_some_and(|sc| settings.common.coco_ephemeral_storage_classes.contains(sc));
+
 handle_persistent_volume_claim(
 is_blk_mount,
 is_smb_mount,
+ is_coco_ephemeral_mount,
 yaml_mount,
 p_mounts,
 storages,
@@ -431,14 +436,21 @@ fn get_ephemeral_mount(
 .as_ref()
 .map(|sc| settings.common.virtio_blk_storage_classes.contains(sc))
 .unwrap_or(false);
+
 let is_smb_mount = storage_class
 .as_ref()
 .map(|sc| settings.common.smb_storage_classes.contains(sc))
 .unwrap_or(false);
 
+ let is_coco_ephemeral_mount = storage_class
+ .as_ref()
+ .map(|sc| settings.common.coco_ephemeral_storage_classes.contains(sc))
+ .unwrap_or(false);
+
 handle_persistent_volume_claim(
 is_blk_mount,
 is_smb_mount,
+ is_coco_ephemeral_mount,
 yaml_mount,
 p_mounts,
 storages,
@@ -449,21 +461,28 @@ fn get_ephemeral_mount(
 pub fn handle_persistent_volume_claim(
 is_blk_mount: bool,
 is_smb_mount: bool,
+ is_coco_ephemeral_mount: bool,
 yaml_mount: &pod::VolumeMount,
 p_mounts: &mut Vec,
 storages: &mut Vec,
 mount_options: (&str, &str),
 ) {
- if is_blk_mount || is_smb_mount {
+ if is_blk_mount || is_smb_mount || is_coco_ephemeral_mount {
 let source = "$(spath)/$(b64-direct-vol-path)".to_string();
 
+ let mut driver_options = Vec::new();
+ if is_coco_ephemeral_mount {
+ driver_options.push("confidential=true".to_string());
+ driver_options.push("ephemeral=true".to_string());
+ }
+
 storages.push(agent::Storage {
- driver: if is_blk_mount {
+ driver: if is_blk_mount || is_coco_ephemeral_mount {
 "blk".to_string()
 } else {
 "smb".to_string()
 },
- driver_options: Vec::new(),
+ driver_options,
 fs_group: None,
 source: "$(direct-vol-path)".to_string(),
 mount_point: source.to_string(),
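Review bot: The new `is_coco_ephemeral_mount` binding in `get_persistent_volume_claim_mount` is the third copy of the `pvc_resource.and_then(|pvc_resource| pvc_resource.spec.storageClassName.as_ref())` lookup in the same function; if `pvc_resource` is an `Option<&_>` as the closure suggests, it can be resolved once and reused: `let storage_class = pvc_resource.and_then(|pvc| pvc.spec.storageClassName.as_ref());` followed by `let is_coco_ephemeral_mount = storage_class.is_some_and(|sc| settings.common.coco_ephemeral_storage_classes.contains(sc));`. The same classification is hand-written again in the `get_ephemeral_mount` hunk, there with `.map(..).unwrap_or(false)` instead of `is_some_and`, and a fourth time in `stateful_set.rs`; one helper on `CommonData` taking `Option<&String>` would keep the three call sites from drifting when the next storage kind is added. The enclosing function starts and ends outside this hunk.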
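Review bot: In `handle_persistent_volume_claim` the three flags are computed independently by every caller, so a settings file that lists one storage class under both `smb_storage_classes` and `coco_ephemeral_storage_classes` now yields a `blk` storage with the confidential options while the smb classification is silently dropped; the precedence `is_blk_mount || is_coco_ephemeral_mount` on the `driver` line is the only place that decides this, and nothing documents it. Since this is a `pub` function whose output ends up in the enforced policy, a doc comment stating the contract would help, for example `/// Records the agent Storage entry for a PVC-backed volume. The three flags are expected to be` `/// mutually exclusive; if several are set, blk (and coco ephemeral, which also uses the blk driver)` `/// takes precedence over smb.` The `confidential=true` and `ephemeral=true` strings are the only thing distinguishing a confidential ephemeral device from a plain virtio-blk mount in the generated `Storage`, so it would also be worth a unit test asserting the exact `driver_options` for a class in `coco_ephemeral_storage_classes`, as a reader here cannot tell whether the policy rules compare `driver_options` exactly. The function body continues past the end of the hunk.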
diff --git a/src/tools/genpolicy/src/policy.rs b/src/tools/genpolicy/src/policy.rs
index baa382b7646a..d6eb113af65c 100644
--- a/src/tools/genpolicy/src/policy.rs
+++ b/src/tools/genpolicy/src/policy.rs
@@ -380,6 +380,9 @@ pub struct CommonData {
 
 /// Storage classes which mounts should be handled as smb mounts
 pub smb_storage_classes: Vec,
+
+ /// Storage classes which mounts should be handled as encrypted and ephemeral devices.
+ pub coco_ephemeral_storage_classes: Vec,
 }
 
 /// Struct used to read data from the settings file and copy that data into the policy.
diff --git a/src/tools/genpolicy/src/stateful_set.rs b/src/tools/genpolicy/src/stateful_set.rs
index 4c55f59ec3e8..866ae747f4cd 100644
--- a/src/tools/genpolicy/src/stateful_set.rs
+++ b/src/tools/genpolicy/src/stateful_set.rs
@@ -226,6 +226,12 @@ impl StatefulSet {
 } else {
 false
 };
+ // check if a storage class is set and if it is a coco ephemeral storage class
+ let is_coco_ephemeral_mount = if let Some(storage_class) = &claim.spec.storageClassName {
+ settings.common.coco_ephemeral_storage_classes.contains(storage_class)
+ } else {
+ false
+ };
 
 let propagation = match &mount.mountPropagation {
 Some(p) if p == "Bidirectional" => "rshared",
@@ -242,6 +248,7 @@ impl StatefulSet {
 mount_and_storage::handle_persistent_volume_claim(
 is_blk_mount,
 is_smb_mount,
+ is_coco_ephemeral_mount,
 mount,
 policy_mounts,
 storages,
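Review bot: `coco_ephemeral_storage_classes` is added to `CommonData` as a plain required field, so if this struct is deserialized through serde's derive without `#[serde(default)]` (the derive attributes sit above the hunk and are not visible here), every existing settings file that lacks the new key stops parsing instead of degrading to "no confidential ephemeral classes". Either `#[serde(default)]` on the field or an explicit statement that the key is mandatory in the shipped `genpolicy-settings.json` would make the failure mode deliberate. The doc comment could also say what the classification does to the generated policy, e.g. `/// Storage classes whose PVC mounts are emitted as blk storages carrying the` `/// "confidential=true" and "ephemeral=true" driver options.`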
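Review bot: The `if let Some(storage_class) = &claim.spec.storageClassName { .. } else { false }` block added in the `StatefulSet` hunk is the idiomatic `is_some_and` written long-hand: `let is_coco_ephemeral_mount = claim.spec.storageClassName.as_ref().is_some_and(|sc| settings.common.coco_ephemeral_storage_classes.contains(sc));`. It is also the fourth hand-written copy of the storage-class classification in this patch (two more in `mount_and_storage.rs`), each with slightly different shape; a single helper on `CommonData` that returns the classification for an `Option<&String>` would keep `StatefulSet`, `get_persistent_volume_claim_mount` and `get_ephemeral_mount` in agreement. The enclosing method begins before the hunk, and the second hunk in this file only threads the new flag into the call.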