genpolicy: Support confidential ephemeral volumes

This adds a new setting to genpolicy to support confidential ephemeral volumes. Signed-off-by: Aurélien Bombo <[email protected]>
microsoft · Oct 17, 2024 · 5dfa960 · 5dfa960
1 parent 10c1785
commit 5dfa960
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 5 deletions.
diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json
@@ -277,13 +277,15 @@
             "CAP_CHECKPOINT_RESTORE"
         ],
         "virtio_blk_storage_classes": [
-            "cc-local-csi",
             "cc-managed-csi",
             "cc-managed-premium-csi"
         ],
         "smb_storage_classes": [
             "cc-azurefile-csi",
             "cc-azurefile-premium-csi"
+        ],
+        "coco_ephemeral_storage_classes": [
+           "cc-local-csi"
         ]
     },
     "kata_config": {
@@ -322,4 +324,4 @@
         "UpdateEphemeralMountsRequest": false,
         "WriteStreamRequest": false
     }
-}
+}
diff --git a/src/tools/genpolicy/src/mount_and_storage.rs b/src/tools/genpolicy/src/mount_and_storage.rs
@@ -246,9 +246,14 @@ fn get_persistent_volume_claim_mount(
         .and_then(|pvc_resource| pvc_resource.spec.storageClassName.as_ref())
         .is_some_and(|sc| settings.common.smb_storage_classes.contains(sc));
 
+    let is_coco_ephemeral_mount = pvc_resource
+        .and_then(|pvc_resource| pvc_resource.spec.storageClassName.as_ref())
+        .is_some_and(|sc| settings.common.coco_ephemeral_storage_classes.contains(sc));
+
     handle_persistent_volume_claim(
         is_blk_mount,
         is_smb_mount,
+        is_coco_ephemeral_mount,
         yaml_mount,
         p_mounts,
         storages,
@@ -431,14 +436,21 @@ fn get_ephemeral_mount(
         .as_ref()
         .map(|sc| settings.common.virtio_blk_storage_classes.contains(sc))
         .unwrap_or(false);
+
     let is_smb_mount = storage_class
         .as_ref()
         .map(|sc| settings.common.smb_storage_classes.contains(sc))
         .unwrap_or(false);
 
+    let is_coco_ephemeral_mount = storage_class
+        .as_ref()
+        .map(|sc| settings.common.coco_ephemeral_storage_classes.contains(sc))
+        .unwrap_or(false);
+
     handle_persistent_volume_claim(
         is_blk_mount,
         is_smb_mount,
+        is_coco_ephemeral_mount,
         yaml_mount,
         p_mounts,
         storages,
@@ -449,21 +461,28 @@ fn get_ephemeral_mount(
 pub fn handle_persistent_volume_claim(
     is_blk_mount: bool,
     is_smb_mount: bool,
+    is_coco_ephemeral_mount: bool,
     yaml_mount: &pod::VolumeMount,
     p_mounts: &mut Vec<policy::KataMount>,
     storages: &mut Vec<agent::Storage>,
     mount_options: (&str, &str),
 ) {
-    if is_blk_mount || is_smb_mount {
+    if is_blk_mount || is_smb_mount || is_coco_ephemeral_mount {
         let source = "$(spath)/$(b64-direct-vol-path)".to_string();
 
+        let mut driver_options = Vec::new();
+        if is_coco_ephemeral_mount {
+            driver_options.push("confidential=true".to_string());
+            driver_options.push("ephemeral=true".to_string());
+        }
+
         storages.push(agent::Storage {
-            driver: if is_blk_mount {
+            driver: if is_blk_mount || is_coco_ephemeral_mount {
                 "blk".to_string()
             } else {
                 "smb".to_string()
             },
-            driver_options: Vec::new(),
+            driver_options,
             fs_group: None,
             source: "$(direct-vol-path)".to_string(),
             mount_point: source.to_string(),

diff --git a/src/tools/genpolicy/src/policy.rs b/src/tools/genpolicy/src/policy.rs
@@ -380,6 +380,9 @@ pub struct CommonData {
 
     /// Storage classes which mounts should be handled as smb mounts
     pub smb_storage_classes: Vec<String>,
+
+    /// Storage classes which mounts should be handled as encrypted and ephemeral devices.
+    pub coco_ephemeral_storage_classes: Vec<String>,
 }
 
 /// Struct used to read data from the settings file and copy that data into the policy.

diff --git a/src/tools/genpolicy/src/stateful_set.rs b/src/tools/genpolicy/src/stateful_set.rs
@@ -226,6 +226,12 @@ impl StatefulSet {
                         } else {
                             false
                         };
+                        // check if a storage class is set and if it is a coco ephemeral storage class
+                        let is_coco_ephemeral_mount = if let Some(storage_class) = &claim.spec.storageClassName {
+                            settings.common.coco_ephemeral_storage_classes.contains(storage_class)
+                        } else {
+                            false
+                        };
 
                         let propagation = match &mount.mountPropagation {
                             Some(p) if p == "Bidirectional" => "rshared",
@@ -242,6 +248,7 @@ impl StatefulSet {
                         mount_and_storage::handle_persistent_volume_claim(
                             is_blk_mount,
                             is_smb_mount,
+                            is_coco_ephemeral_mount,
                             mount,
                             policy_mounts,
                             storages,