diff --git a/tests/kata/data/k8s-policy-job/output.json b/tests/kata/data/k8s-policy-job/outputs.json
similarity index 100%
rename from tests/kata/data/k8s-policy-job/output.json
rename to tests/kata/data/k8s-policy-job/outputs.json
diff --git a/tests/kata/data/k8s-policy-pod/output.json b/tests/kata/data/k8s-policy-pod/outputs.json
similarity index 100%
rename from tests/kata/data/k8s-policy-pod/output.json
rename to tests/kata/data/k8s-policy-pod/outputs.json
diff --git a/tests/kata/data/k8s-policy-rc/output.json b/tests/kata/data/k8s-policy-rc/outputs.json
similarity index 100%
rename from tests/kata/data/k8s-policy-rc/output.json
rename to tests/kata/data/k8s-policy-rc/outputs.json
diff --git a/tests/kata/data/pod-cm1/inputs.txt b/tests/kata/data/pod-cm1/inputs.txt
new file mode 100644
index 00000000..27ec7ee2
--- /dev/null
+++ b/tests/kata/data/pod-cm1/inputs.txt
@@ -0,0 +1,49 @@
+["ep":"AllowRequestsFailingPolicy",{}],
+
+["ep":"UpdateInterfaceRequest",{"interface":{"device":"eth0","name":"eth0","IPAddresses":[{"family":0,"address":"10.244.0.14","mask":"24"},{"family":1,"address":"fe80::6474:9fff:fe6a:9601","mask":"64"}],"mtu":1500,"hwAddr":"66:74:9f:6a:96:01","pciPath":"","type_":"","raw_flags":0}}],
+
+["ep":"UpdateRoutesRequest",{"routes":{"Routes":[{"dest":"","gateway":"10.244.0.1","device":"eth0","source":"","scope":0,"family":0}]}}],
+
+["ep":"CreateSandboxRequest",{"hostname":"cm1","dns":["search default.svc.cluster.local svc.cluster.local cluster.local","nameserver 10.0.0.10","options ndots:5",""],"storages":[{"driver":"ephemeral","driver_options":[],"source":"shm","fstype":"tmpfs","options":["noexec","nosuid","nodev","mode=1777","size=67108864"],"mount_point":"/run/kata-containers/sandbox/shm","fs_group":null}],"sandbox_pidns":false,"sandbox_id":"7378f298b0f0745329680eba807f4e8283813bc5d38918fb10d0b596fc7e411f","guest_hook_path":"","kernel_modules":[]}],
+
+["ep":"GuestDetailsRequest",{"mem_block_size":true,"mem_hotplug_probe":true}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/7378f298b0f0745329680eba807f4e8283813bc5d38918fb10d0b596fc7e411f-fcc2557fcee4b4da-resolv.conf","file_size":102,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CreateContainerRequest",{"container_id":"7378f298b0f0745329680eba807f4e8283813bc5d38918fb10d0b596fc7e411f","exec_id":"7378f298b0f0745329680eba807f4e8283813bc5d38918fb10d0b596fc7e411f","string_user":null,"devices":[],"storages":[{"driver":"blk","driver_options":[],"source":"0001:00:01.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=817250f1a3e336da76f5bd3fa784e1b26d959b9c131876815ba2604048b70c18"],"mount_point":"/run/kata-containers/sandbox/layers/5a5aad80055ff20012a50dc25f8df7a29924474324d65f7d5306ee8ee27ff71d","fs_group":null},{"driver":"overlayfs","driver_options":[],"source":"none","fstype":"fuse3.kata-overlay","options":["io.katacontainers.fs-opt.layer-src-prefix=/var/lib/containerd/io.containerd.snapshotter.v1.tardev/layers","io.katacontainers.fs-opt.layer=NWE1YWFkODAwNTVmZjIwMDEyYTUwZGMyNWY4ZGY3YTI5OTI0NDc0MzI0ZDY1ZjdkNTMwNmVlOGVlMjdmZjcxZCx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPTgxNzI1MGYxYTNlMzM2ZGE3NmY1YmQzZmE3ODRlMWIyNmQ5NTliOWMxMzE4NzY4MTViYTI2MDQwNDhiNzBjMTg=","io.katacontainers.fs-opt.overlay-rw","lowerdir=5a5aad80055ff20012a50dc25f8df7a29924474324d65f7d5306ee8ee27ff71d"],"mount_point":"/run/kata-containers/shared/containers/7378f298b0f0745329680eba807f4e8283813bc5d38918fb10d0b596fc7e411f","fs_group":null}],"OCI":{"Version":"1.1.0-rc.1","Process":{"Terminal":false,"ConsoleSize":null,"User":{"UID":2000,"GID":0,"AdditionalGids":[0],"Username":""},"Args":["/pause"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],"Cwd":"/","Capabilities":{"Bounding":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Effective":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FS
ETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Inheritable":[],"Permitted":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Ambient":[]},"Rlimits":[],"NoNewPrivileges":true,"ApparmorProfile":"","OOMScoreAdj":-998,"SelinuxLabel":""},"Root":{"Path":"/run/kata-containers/shared/containers/7378f298b0f0745329680eba807f4e8283813bc5d38918fb10d0b596fc7e411f","Readonly":true},"Hostname":"cm1","Mounts":[{"destination":"/proc","source":"proc","type_":"proc","options":["nosuid","noexec","nodev"]},{"destination":"/dev","source":"tmpfs","type_":"tmpfs","options":["nosuid","strictatime","mode=755","size=65536k"]},{"destination":"/dev/pts","source":"devpts","type_":"devpts","options":["nosuid","noexec","newinstance","ptmxmode=0666","mode=0620","gid=5"]},{"destination":"/dev/mqueue","source":"mqueue","type_":"mqueue","options":["nosuid","noexec","nodev"]},{"destination":"/sys","source":"sysfs","type_":"sysfs","options":["nosuid","noexec","nodev","ro"]},{"destination":"/dev/shm","source":"/run/kata-containers/sandbox/shm","type_":"bind","options":["rbind"]},{"destination":"/etc/resolv.conf","source":"/run/kata-containers/shared/containers/7378f298b0f0745329680eba807f4e8283813bc5d38918fb10d0b596fc7e411f-fcc2557fcee4b4da-resolv.conf","type_":"bind","options":["rbind","ro","nosuid","nodev","noexec"]}],"Hooks":null,"Annotations":{"io.kubernetes.cri.sandbox-namespace":"default","io.kubernetes.cri.sandbox-cpu-shares":"2","io.kubernetes.cri.sandbox-cpu-quota":"0","nerdctl/network-namespace":"/var/run/netns/cni-99c9b587-9b06-f81a-a10c-2bd71ba4de0a","io.kubernetes.cri.sandbox-cpu-period":"100000","io.katacontainers.pkg.oci.container_type":"pod_sandbox","io.kubernetes.cri.sandbox-name":"cm1","io.kubernetes.cri.sandb
ox-log-directory":"/var/log/pods/default_cm1_7629e87a-0528-40c7-ac9e-fdf4bc202f8d","io.kubernetes.cri.sandbox-uid":"7629e87a-0528-40c7-ac9e-fdf4bc202f8d","io.kubernetes.cri.sandbox-memory":"0","io.kubernetes.cri.container-type":"sandbox","io.katacontainers.pkg.oci.bundle_path":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/7378f298b0f0745329680eba807f4e8283813bc5d38918fb10d0b596fc7e411f","io.kubernetes.cri.sandbox-id":"7378f298b0f0745329680eba807f4e8283813bc5d38918fb10d0b596fc7e411f"},"Linux":{"UIDMappings":[],"GIDMappings":[],"Sysctl":{},"Resources":{"Devices":[],"Memory":null,"CPU":{"Shares":2,"Quota":0,"Period":0,"RealtimeRuntime":0,"RealtimePeriod":0,"Cpus":"","Mems":""},"Pids":null,"BlockIO":null,"HugepageLimits":[],"Network":null},"CgroupsPath":"/kubepods/besteffort/pod7629e87a-0528-40c7-ac9e-fdf4bc202f8d/7378f298b0f0745329680eba807f4e8283813bc5d38918fb10d0b596fc7e411f","Namespaces":[{"Type":"ipc","Path":""},{"Type":"uts","Path":""},{"Type":"mount","Path":""}],"Devices":[],"Seccomp":null,"RootfsPropagation":"","MaskedPaths":["/proc/acpi","/proc/asound","/proc/kcore","/proc/keys","/proc/latency_stats","/proc/timer_list","/proc/timer_stats","/proc/sched_debug","/sys/firmware","/proc/scsi"],"ReadonlyPaths":["/proc/bus","/proc/fs","/proc/irq","/proc/sys","/proc/sysrq-trigger"],"MountLabel":"","IntelRdt":null},"Solaris":null,"Windows":null},"sandbox_pidns":false,"shared_mounts":[]}],
+
+["ep":"StartContainerRequest",{"container_id":"7378f298b0f0745329680eba807f4e8283813bc5d38918fb10d0b596fc7e411f"}],
+
+["ep":"WaitProcessRequest",{"container_id":"7378f298b0f0745329680eba807f4e8283813bc5d38918fb10d0b596fc7e411f","exec_id":"7378f298b0f0745329680eba807f4e8283813bc5d38918fb10d0b596fc7e411f"}],
+
+["ep":"GetOOMEventRequest",{}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/e0735049b06564545e5d65b9cb5ef0504ed9b5591b4c3ab224f650347745fdc8-d7237018b1bd6306-hosts","file_size":199,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/e0735049b06564545e5d65b9cb5ef0504ed9b5591b4c3ab224f650347745fdc8-7ff34bb27061c9d6-termination-log","file_size":0,"file_mode":33206,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/e0735049b06564545e5d65b9cb5ef0504ed9b5591b4c3ab224f650347745fdc8-aefaf093e301d5c1-hostname","file_size":4,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/e0735049b06564545e5d65b9cb5ef0504ed9b5591b4c3ab224f650347745fdc8-c8a426b90b41420f-resolv.conf","file_size":102,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/e0735049b06564545e5d65b9cb5ef0504ed9b5591b4c3ab224f650347745fdc8-f6e224b8e9e0262c-serviceaccount","file_size":0,"file_mode":17407,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/e0735049b06564545e5d65b9cb5ef0504ed9b5591b4c3ab224f650347745fdc8-f6e224b8e9e0262c-serviceaccount/..2024_05_08_18_00_29.1625327705","file_size":0,"file_mode":16877,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/e0735049b06564545e5d65b9cb5ef0504ed9b5591b4c3ab224f650347745fdc8-f6e224b8e9e0262c-serviceaccount/..2024_05_08_18_00_29.1625327705/ca.crt","file_size":1761,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/e0735049b06564545e5d65b9cb5ef0504ed9b5591b4c3ab224f650347745fdc8-f6e224b8e9e0262c-serviceaccount/..2024_05_08_18_00_29.1625327705/namespace","file_size":7,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/e0735049b06564545e5d65b9cb5ef0504ed9b5591b4c3ab224f650347745fdc8-f6e224b8e9e0262c-serviceaccount/..2024_05_08_18_00_29.1625327705/token","file_size":1487,"file_mode":33152,"dir_mode":2147484136,"uid":2000,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/e0735049b06564545e5d65b9cb5ef0504ed9b5591b4c3ab224f650347745fdc8-f6e224b8e9e0262c-serviceaccount/..data","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..2024_05_08_18_00_29.1625327705"}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/e0735049b06564545e5d65b9cb5ef0504ed9b5591b4c3ab224f650347745fdc8-f6e224b8e9e0262c-serviceaccount/ca.crt","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..data/ca.crt"}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/e0735049b06564545e5d65b9cb5ef0504ed9b5591b4c3ab224f650347745fdc8-f6e224b8e9e0262c-serviceaccount/namespace","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..data/namespace"}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/e0735049b06564545e5d65b9cb5ef0504ed9b5591b4c3ab224f650347745fdc8-f6e224b8e9e0262c-serviceaccount/token","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..data/token"}],
+
+["ep":"CreateContainerRequest",{"container_id":"e0735049b06564545e5d65b9cb5ef0504ed9b5591b4c3ab224f650347745fdc8","exec_id":"e0735049b06564545e5d65b9cb5ef0504ed9b5591b4c3ab224f650347745fdc8","string_user":null,"devices":[],"storages":[{"driver":"blk","driver_options":[],"source":"0001:00:02.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=8568c70c0ccfe0051092e818da769111a59882cd19dd799d3bca5ffa82791080"],"mount_point":"/run/kata-containers/sandbox/layers/2c342a137e693c7898aec36da1047f191dc7c1687e66198adacc439cf4adf379","fs_group":null},{"driver":"blk","driver_options":[],"source":"0001:00:03.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=b643b6217748983830b26ac14a35a3322dd528c00963eaadd91ef55f513dc73f"],"mount_point":"/run/kata-containers/sandbox/layers/2570e3a19e1bf20ddda45498a9627f61555d2d6c01479b9b76460b679b27d552","fs_group":null},{"driver":"overlayfs","driver_options":[],"source":"none","fstype":"fuse3.kata-overlay","options":["io.katacontainers.fs-opt.layer-src-prefix=/var/lib/containerd/io.containerd.snapshotter.v1.tardev/layers","io.katacontainers.fs-opt.layer=MmMzNDJhMTM3ZTY5M2M3ODk4YWVjMzZkYTEwNDdmMTkxZGM3YzE2ODdlNjYxOThhZGFjYzQzOWNmNGFkZjM3OSx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPTg1NjhjNzBjMGNjZmUwMDUxMDkyZTgxOGRhNzY5MTExYTU5ODgyY2QxOWRkNzk5ZDNiY2E1ZmZhODI3OTEwODA=","io.katacontainers.fs-opt.layer=MjU3MGUzYTE5ZTFiZjIwZGRkYTQ1NDk4YTk2MjdmNjE1NTVkMmQ2YzAxNDc5YjliNzY0NjBiNjc5YjI3ZDU1Mix0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPWI2NDNiNjIxNzc0ODk4MzgzMGIyNmFjMTRhMzVhMzMyMmRkNTI4YzAwOTYzZWFhZGQ5MWVmNTVmNTEzZGM3M2Y=","io.kata
containers.fs-opt.overlay-rw","lowerdir=2c342a137e693c7898aec36da1047f191dc7c1687e66198adacc439cf4adf379:2570e3a19e1bf20ddda45498a9627f61555d2d6c01479b9b76460b679b27d552"],"mount_point":"/run/kata-containers/shared/containers/e0735049b06564545e5d65b9cb5ef0504ed9b5591b4c3ab224f650347745fdc8","fs_group":null}],"OCI":{"Version":"1.1.0-rc.1","Process":{"Terminal":false,"ConsoleSize":null,"User":{"UID":2000,"GID":0,"AdditionalGids":[0],"Username":""},"Args":["/bin/sh","-c","while true; do echo hello; sleep 10; done"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","HOSTNAME=cm1","CONFIG_MAP_VALUE1=value1","KUBERNETES_PORT=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP_PROTO=tcp","KUBERNETES_PORT_443_TCP_PORT=443","KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1","KUBERNETES_SERVICE_HOST=10.0.0.1","KUBERNETES_SERVICE_PORT=443","KUBERNETES_SERVICE_PORT_HTTPS=443"],"Cwd":"/","Capabilities":{"Bounding":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_DAC_READ_SEARCH","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_SETGID","CAP_SETUID","CAP_SETPCAP","CAP_LINUX_IMMUTABLE","CAP_NET_BIND_SERVICE","CAP_NET_BROADCAST","CAP_NET_ADMIN","CAP_NET_RAW","CAP_IPC_LOCK","CAP_IPC_OWNER","CAP_SYS_MODULE","CAP_SYS_RAWIO","CAP_SYS_CHROOT","CAP_SYS_PTRACE","CAP_SYS_PACCT","CAP_SYS_ADMIN","CAP_SYS_BOOT","CAP_SYS_NICE","CAP_SYS_RESOURCE","CAP_SYS_TIME","CAP_SYS_TTY_CONFIG","CAP_MKNOD","CAP_LEASE","CAP_AUDIT_WRITE","CAP_AUDIT_CONTROL","CAP_SETFCAP","CAP_MAC_OVERRIDE","CAP_MAC_ADMIN","CAP_SYSLOG","CAP_WAKE_ALARM","CAP_BLOCK_SUSPEND","CAP_AUDIT_READ","CAP_PERFMON","CAP_BPF","CAP_CHECKPOINT_RESTORE"],"Effective":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_DAC_READ_SEARCH","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_SETGID","CAP_SETUID","CAP_SETPCAP","CAP_LINUX_IMMUTABLE","CAP_NET_BIND_SERVICE","CAP_NET_BROADCAST","CAP_NET_ADMIN","CAP_NET_RAW","CAP_IPC_LOCK","CAP_IPC_OWNER","CAP_SYS_MODULE","CAP_SYS_RAWIO","CAP_SYS_CHROOT","CAP_SYS_PTRACE","CAP_SYS_PACCT","CAP_SYS_ADM
IN","CAP_SYS_BOOT","CAP_SYS_NICE","CAP_SYS_RESOURCE","CAP_SYS_TIME","CAP_SYS_TTY_CONFIG","CAP_MKNOD","CAP_LEASE","CAP_AUDIT_WRITE","CAP_AUDIT_CONTROL","CAP_SETFCAP","CAP_MAC_OVERRIDE","CAP_MAC_ADMIN","CAP_SYSLOG","CAP_WAKE_ALARM","CAP_BLOCK_SUSPEND","CAP_AUDIT_READ","CAP_PERFMON","CAP_BPF","CAP_CHECKPOINT_RESTORE"],"Inheritable":[],"Permitted":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_DAC_READ_SEARCH","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_SETGID","CAP_SETUID","CAP_SETPCAP","CAP_LINUX_IMMUTABLE","CAP_NET_BIND_SERVICE","CAP_NET_BROADCAST","CAP_NET_ADMIN","CAP_NET_RAW","CAP_IPC_LOCK","CAP_IPC_OWNER","CAP_SYS_MODULE","CAP_SYS_RAWIO","CAP_SYS_CHROOT","CAP_SYS_PTRACE","CAP_SYS_PACCT","CAP_SYS_ADMIN","CAP_SYS_BOOT","CAP_SYS_NICE","CAP_SYS_RESOURCE","CAP_SYS_TIME","CAP_SYS_TTY_CONFIG","CAP_MKNOD","CAP_LEASE","CAP_AUDIT_WRITE","CAP_AUDIT_CONTROL","CAP_SETFCAP","CAP_MAC_OVERRIDE","CAP_MAC_ADMIN","CAP_SYSLOG","CAP_WAKE_ALARM","CAP_BLOCK_SUSPEND","CAP_AUDIT_READ","CAP_PERFMON","CAP_BPF","CAP_CHECKPOINT_RESTORE"],"Ambient":[]},"Rlimits":[],"NoNewPrivileges":false,"ApparmorProfile":"","OOMScoreAdj":1000,"SelinuxLabel":""},"Root":{"Path":"/run/kata-containers/shared/containers/e0735049b06564545e5d65b9cb5ef0504ed9b5591b4c3ab224f650347745fdc8","Readonly":false},"Hostname":"","Mounts":[{"destination":"/proc","source":"proc","type_":"proc","options":["nosuid","noexec","nodev"]},{"destination":"/dev","source":"tmpfs","type_":"tmpfs","options":["nosuid","strictatime","mode=755","size=65536k"]},{"destination":"/dev/pts","source":"devpts","type_":"devpts","options":["nosuid","noexec","newinstance","ptmxmode=0666","mode=0620","gid=5"]},{"destination":"/dev/mqueue","source":"mqueue","type_":"mqueue","options":["nosuid","noexec","nodev"]},{"destination":"/sys","source":"sysfs","type_":"sysfs","options":["nosuid","noexec","nodev","rw"]},{"destination":"/sys/fs/cgroup","source":"cgroup","type_":"cgroup","options":["nosuid","noexec","nodev","relatime","rw"]},{"destination":"/etc/hosts","source":
"/run/kata-containers/shared/containers/e0735049b06564545e5d65b9cb5ef0504ed9b5591b4c3ab224f650347745fdc8-d7237018b1bd6306-hosts","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/dev/termination-log","source":"/run/kata-containers/shared/containers/e0735049b06564545e5d65b9cb5ef0504ed9b5591b4c3ab224f650347745fdc8-7ff34bb27061c9d6-termination-log","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/etc/hostname","source":"/run/kata-containers/shared/containers/e0735049b06564545e5d65b9cb5ef0504ed9b5591b4c3ab224f650347745fdc8-aefaf093e301d5c1-hostname","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/etc/resolv.conf","source":"/run/kata-containers/shared/containers/e0735049b06564545e5d65b9cb5ef0504ed9b5591b4c3ab224f650347745fdc8-c8a426b90b41420f-resolv.conf","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/dev/shm","source":"/run/kata-containers/sandbox/shm","type_":"bind","options":["rbind"]},{"destination":"/var/run/secrets/kubernetes.io/serviceaccount","source":"/run/kata-containers/shared/containers/e0735049b06564545e5d65b9cb5ef0504ed9b5591b4c3ab224f650347745fdc8-f6e224b8e9e0262c-serviceaccount","type_":"bind","options":["rbind","rprivate","ro"]}],"Hooks":null,"Annotations":{"io.kubernetes.cri.container-type":"container","io.katacontainers.pkg.oci.container_type":"pod_container","io.kubernetes.cri.sandbox-name":"cm1","io.katacontainers.pkg.oci.bundle_path":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/e0735049b06564545e5d65b9cb5ef0504ed9b5591b4c3ab224f650347745fdc8","io.kubernetes.cri.container-name":"busybox","io.kubernetes.cri.image-name":"mcr.microsoft.com/aks/e2e/library-busybox:master.220314.1-linux-amd64","io.kubernetes.cri.sandbox-id":"7378f298b0f0745329680eba807f4e8283813bc5d38918fb10d0b596fc7e411f","io.kubernetes.cri.sandbox-uid":"7629e87a-0528-40c7-ac9e-fdf4bc202f8d","io.kubernetes.cri.sandbox-namespace":"default"},"Linux":{"UIDMappings":[],"GIDMappings":[],"Sysctl":{},"Res
ources":{"Devices":[],"Memory":{"Limit":0,"Reservation":0,"Swap":0,"Kernel":0,"KernelTCP":0,"Swappiness":0,"DisableOOMKiller":false},"CPU":{"Shares":2,"Quota":0,"Period":100000,"RealtimeRuntime":0,"RealtimePeriod":0,"Cpus":"","Mems":""},"Pids":null,"BlockIO":null,"HugepageLimits":[],"Network":null},"CgroupsPath":"/kubepods/besteffort/pod7629e87a-0528-40c7-ac9e-fdf4bc202f8d/e0735049b06564545e5d65b9cb5ef0504ed9b5591b4c3ab224f650347745fdc8","Namespaces":[{"Type":"ipc","Path":""},{"Type":"uts","Path":""},{"Type":"mount","Path":""}],"Devices":[],"Seccomp":null,"RootfsPropagation":"","MaskedPaths":[],"ReadonlyPaths":[],"MountLabel":"","IntelRdt":null},"Solaris":null,"Windows":null},"sandbox_pidns":false,"shared_mounts":[]}],
+
+["ep":"StartContainerRequest",{"container_id":"e0735049b06564545e5d65b9cb5ef0504ed9b5591b4c3ab224f650347745fdc8"}],
\ No newline at end of file
diff --git a/tests/kata/data/pod-cm1/outputs.json b/tests/kata/data/pod-cm1/outputs.json
new file mode 100644
index 00000000..84e43b80
--- /dev/null
+++ b/tests/kata/data/pod-cm1/outputs.json
@@ -0,0 +1,27 @@
+[
+ false,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true
+]
\ No newline at end of file
diff --git a/tests/kata/data/pod-cm1/policy.rego b/tests/kata/data/pod-cm1/policy.rego
new file mode 100644
index 00000000..d8840f2b
--- /dev/null
+++ b/tests/kata/data/pod-cm1/policy.rego
@@ -0,0 +1,1796 @@
+# Copyright (c) 2023 Microsoft Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+package agent_policy
+
+import future.keywords.in
+import future.keywords.every
+
+# Default values, returned by OPA when rules cannot be evaluated to true.
+default AddARPNeighborsRequest := false
+default AddSwapRequest := false
+default CloseStdinRequest := false
+default CopyFileRequest := false
+default CreateContainerRequest := false
+default CreateSandboxRequest := false
+default DestroySandboxRequest := true
+default ExecProcessRequest := false
+default GetOOMEventRequest := true
+default GuestDetailsRequest := true
+default ListInterfacesRequest := false
+default ListRoutesRequest := false
+default MemHotplugByProbeRequest := false
+default OnlineCPUMemRequest := true
+default PauseContainerRequest := false
+default ReadStreamRequest := false
+default RemoveContainerRequest := true
+default RemoveStaleVirtiofsShareMountsRequest := true
+default ReseedRandomDevRequest := false
+default ResumeContainerRequest := false
+default SetGuestDateTimeRequest := false
+default SetPolicyRequest := false
+default SignalProcessRequest := true
+default StartContainerRequest := true
+default StartTracingRequest := false
+default StatsContainerRequest := true
+default StopTracingRequest := false
+default TtyWinResizeRequest := true
+default UpdateContainerRequest := false
+default UpdateEphemeralMountsRequest := false
+default UpdateInterfaceRequest := true
+default UpdateRoutesRequest := true
+default WaitProcessRequest := true
+default WriteStreamRequest := false
+
+# AllowRequestsFailingPolicy := true configures the Agent to *allow any
+# requests causing a policy failure*. This is an unsecure configuration
+# but is useful for allowing unsecure pods to start, then connect to
+# them and inspect OPA logs for the root cause of a failure.
+default AllowRequestsFailingPolicy := false
+
+CreateContainerRequest {
+ i_oci := input.OCI
+ i_storages := input.storages
+
+ print("CreateContainerRequest: i_oci.Hooks =", i_oci.Hooks)
+ is_null(i_oci.Hooks)
+
+ print("CreateContainerRequest: i_oci.Linux.Seccomp =", i_oci.Linux.Seccomp)
+ is_null(i_oci.Linux.Seccomp)
+
+ some p_container in policy_data.containers
+ print("======== CreateContainerRequest: trying next policy container")
+
+ p_pidns := p_container.sandbox_pidns
+ i_pidns := input.sandbox_pidns
+ print("CreateContainerRequest: p_pidns =", p_pidns, "i_pidns =", i_pidns)
+ p_pidns == i_pidns
+
+ p_oci := p_container.OCI
+
+ print("CreateContainerRequest: p Version =", p_oci.Version, "i Version =", i_oci.Version)
+ p_oci.Version == i_oci.Version
+
+ print("CreateContainerRequest: p Readonly =", p_oci.Root.Readonly, "i Readonly =", i_oci.Root.Readonly)
+ p_oci.Root.Readonly == i_oci.Root.Readonly
+
+ allow_anno(p_oci, i_oci)
+
+ p_storages := p_container.storages
+ allow_by_anno(p_oci, i_oci, p_storages, i_storages)
+
+ allow_linux(p_oci, i_oci)
+
+ print("CreateContainerRequest: true")
+}
+
+# Reject unexpected annotations.
+allow_anno(p_oci, i_oci) {
+ print("allow_anno 1: start")
+
+ not i_oci.Annotations
+
+ print("allow_anno 1: true")
+}
+allow_anno(p_oci, i_oci) {
+ print("allow_anno 2: p Annotations =", p_oci.Annotations)
+ print("allow_anno 2: i Annotations =", i_oci.Annotations)
+
+ i_keys := object.keys(i_oci.Annotations)
+ print("allow_anno 2: i keys =", i_keys)
+
+ every i_key in i_keys {
+ allow_anno_key(i_key, p_oci)
+ }
+
+ print("allow_anno 2: true")
+}
+
+allow_anno_key(i_key, p_oci) {
+ print("allow_anno_key 1: i key =", i_key)
+
+ startswith(i_key, "io.kubernetes.cri.")
+
+ print("allow_anno_key 1: true")
+}
+allow_anno_key(i_key, p_oci) {
+ print("allow_anno_key 2: i key =", i_key)
+
+ some p_key, _ in p_oci.Annotations
+ p_key == i_key
+
+ print("allow_anno_key 2: true")
+}
+
+# Get the value of the "io.kubernetes.cri.sandbox-name" annotation and
+# correlate it with other annotations and process fields.
+allow_by_anno(p_oci, i_oci, p_storages, i_storages) {
+ print("allow_by_anno 1: start")
+
+ s_name := "io.kubernetes.cri.sandbox-name"
+
+ not p_oci.Annotations[s_name]
+
+ i_s_name := i_oci.Annotations[s_name]
+ print("allow_by_anno 1: i_s_name =", i_s_name)
+
+ allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, i_s_name)
+
+ print("allow_by_anno 1: true")
+}
+allow_by_anno(p_oci, i_oci, p_storages, i_storages) {
+ print("allow_by_anno 2: start")
+
+ s_name := "io.kubernetes.cri.sandbox-name"
+
+ p_s_name := p_oci.Annotations[s_name]
+ i_s_name := i_oci.Annotations[s_name]
+ print("allow_by_anno 2: i_s_name =", i_s_name, "p_s_name =", p_s_name)
+
+ allow_sandbox_name(p_s_name, i_s_name)
+ allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, i_s_name)
+
+ print("allow_by_anno 2: true")
+}
+
+allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, s_name) {
+ print("allow_by_sandbox_name: start")
+
+ s_namespace := "io.kubernetes.cri.sandbox-namespace"
+
+ p_namespace := p_oci.Annotations[s_namespace]
+ i_namespace :=
i_oci.Annotations[s_namespace]
+ print("allow_by_sandbox_name: p_namespace =", p_namespace, "i_namespace =", i_namespace)
+ p_namespace == i_namespace
+
+ allow_by_container_types(p_oci, i_oci, s_name, p_namespace)
+ allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages)
+ allow_process(p_oci, i_oci, s_name)
+
+ print("allow_by_sandbox_name: true")
+}
+
+allow_sandbox_name(p_s_name, i_s_name) {
+ print("allow_sandbox_name 1: start")
+
+ p_s_name == i_s_name
+
+ print("allow_sandbox_name 1: true")
+}
+allow_sandbox_name(p_s_name, i_s_name) {
+ print("allow_sandbox_name 2: start")
+
+ # TODO: should generated names be handled differently?
+ contains(p_s_name, "$(generated-name)")
+
+ print("allow_sandbox_name 2: true")
+}
+
+# Check that the "io.kubernetes.cri.container-type" and
+# "io.katacontainers.pkg.oci.container_type" annotations designate the
+# expected type - either a "sandbox" or a "container". Then, validate
+# other annotations based on the actual "sandbox" or "container" value
+# from the input container.
+allow_by_container_types(p_oci, i_oci, s_name, s_namespace) {
+ print("allow_by_container_types: checking io.kubernetes.cri.container-type")
+
+ c_type := "io.kubernetes.cri.container-type"
+
+ p_cri_type := p_oci.Annotations[c_type]
+ i_cri_type := i_oci.Annotations[c_type]
+ print("allow_by_container_types: p_cri_type =", p_cri_type, "i_cri_type =", i_cri_type)
+ p_cri_type == i_cri_type
+
+ allow_by_container_type(i_cri_type, p_oci, i_oci, s_name, s_namespace)
+
+ print("allow_by_container_types: true")
+}
+
+allow_by_container_type(i_cri_type, p_oci, i_oci, s_name, s_namespace) {
+ print("allow_by_container_type 1: i_cri_type =", i_cri_type)
+ i_cri_type == "sandbox"
+
+ i_kata_type := i_oci.Annotations["io.katacontainers.pkg.oci.container_type"]
+ print("allow_by_container_type 1: i_kata_type =", i_kata_type)
+ i_kata_type == "pod_sandbox"
+
+ allow_sandbox_container_name(p_oci, i_oci)
+ allow_sandbox_net_namespace(p_oci, i_oci)
+ allow_sandbox_log_directory(p_oci, i_oci, s_name, s_namespace)
+
+ print("allow_by_container_type 1: true")
+}
+
+allow_by_container_type(i_cri_type, p_oci, i_oci, s_name, s_namespace) {
+ print("allow_by_container_type 2: i_cri_type =", i_cri_type)
+ i_cri_type == "container"
+
+ i_kata_type := i_oci.Annotations["io.katacontainers.pkg.oci.container_type"]
+ print("allow_by_container_type 2: i_kata_type =", i_kata_type)
+ i_kata_type == "pod_container"
+
+ allow_container_name(p_oci, i_oci)
+ allow_net_namespace(p_oci, i_oci)
+ allow_log_directory(p_oci, i_oci)
+
+ print("allow_by_container_type 2: true")
+}
+
+# "io.kubernetes.cri.container-name" annotation
+allow_sandbox_container_name(p_oci, i_oci) {
+ print("allow_sandbox_container_name: start")
+
+ container_annotation_missing(p_oci, i_oci, "io.kubernetes.cri.container-name")
+
+ print("allow_sandbox_container_name: true")
+}
+
+allow_container_name(p_oci, i_oci) {
+ print("allow_container_name: start")
+
+ allow_container_annotation(p_oci, i_oci,
"io.kubernetes.cri.container-name") + + print("allow_container_name: true") +} + +container_annotation_missing(p_oci, i_oci, key) { + print("container_annotation_missing:", key) + + not p_oci.Annotations[key] + not i_oci.Annotations[key] + + print("container_annotation_missing: true") +} + +allow_container_annotation(p_oci, i_oci, key) { + print("allow_container_annotation: key =", key) + + p_value := p_oci.Annotations[key] + i_value := i_oci.Annotations[key] + print("allow_container_annotation: p_value =", p_value, "i_value =", i_value) + + p_value == i_value + + print("allow_container_annotation: true") +} + +# "nerdctl/network-namespace" annotation +allow_sandbox_net_namespace(p_oci, i_oci) { + print("allow_sandbox_net_namespace: start") + + key := "nerdctl/network-namespace" + + p_namespace := p_oci.Annotations[key] + i_namespace := i_oci.Annotations[key] + print("allow_sandbox_net_namespace: p_namespace =", p_namespace, "i_namespace =", i_namespace) + + regex.match(p_namespace, i_namespace) + + print("allow_sandbox_net_namespace: true") +} + +allow_net_namespace(p_oci, i_oci) { + print("allow_net_namespace: start") + + key := "nerdctl/network-namespace" + + not p_oci.Annotations[key] + not i_oci.Annotations[key] + + print("allow_net_namespace: true") +} + +# "io.kubernetes.cri.sandbox-log-directory" annotation +allow_sandbox_log_directory(p_oci, i_oci, s_name, s_namespace) { + print("allow_sandbox_log_directory: start") + + key := "io.kubernetes.cri.sandbox-log-directory" + + p_dir := p_oci.Annotations[key] + regex1 := replace(p_dir, "$(sandbox-name)", s_name) + regex2 := replace(regex1, "$(sandbox-namespace)", s_namespace) + print("allow_sandbox_log_directory: regex2 =", regex2) + + i_dir := i_oci.Annotations[key] + print("allow_sandbox_log_directory: i_dir =", i_dir) + + regex.match(regex2, i_dir) + + print("allow_sandbox_log_directory: true") +} + +allow_log_directory(p_oci, i_oci) { + print("allow_log_directory: start") + + key := 
"io.kubernetes.cri.sandbox-log-directory" + + not p_oci.Annotations[key] + not i_oci.Annotations[key] + + print("allow_log_directory: true") +} + +allow_linux(p_oci, i_oci) { + p_namespaces := p_oci.Linux.Namespaces + print("allow_linux: p namespaces =", p_namespaces) + + i_namespaces := i_oci.Linux.Namespaces + print("allow_linux: i namespaces =", i_namespaces) + + p_namespaces == i_namespaces + + allow_masked_paths(p_oci, i_oci) + allow_readonly_paths(p_oci, i_oci) + + print("allow_linux: true") +} + +allow_masked_paths(p_oci, i_oci) { + p_paths := p_oci.Linux.MaskedPaths + print("allow_masked_paths 1: p_paths =", p_paths) + + i_paths := i_oci.Linux.MaskedPaths + print("allow_masked_paths 1: i_paths =", i_paths) + + allow_masked_paths_array(p_paths, i_paths) + + print("allow_masked_paths 1: true") +} +allow_masked_paths(p_oci, i_oci) { + print("allow_masked_paths 2: start") + + not p_oci.Linux.MaskedPaths + not i_oci.Linux.MaskedPaths + + print("allow_masked_paths 2: true") +} + +# All the policy masked paths must be masked in the input data too. +# Input is allowed to have more masked paths than the policy. 
+allow_masked_paths_array(p_array, i_array) {
+ every p_elem in p_array {
+ allow_masked_path(p_elem, i_array)
+ }
+}
+
+allow_masked_path(p_elem, i_array) {
+ print("allow_masked_path: p_elem =", p_elem)
+
+ some i_elem in i_array
+ p_elem == i_elem
+
+ print("allow_masked_path: true")
+}
+
+allow_readonly_paths(p_oci, i_oci) {
+ p_paths := p_oci.Linux.ReadonlyPaths
+ print("allow_readonly_paths 1: p_paths =", p_paths)
+
+ i_paths := i_oci.Linux.ReadonlyPaths
+ print("allow_readonly_paths 1: i_paths =", i_paths)
+
+ allow_readonly_paths_array(p_paths, i_paths, i_oci.Linux.MaskedPaths)
+
+ print("allow_readonly_paths 1: true")
+}
+allow_readonly_paths(p_oci, i_oci) {
+ print("allow_readonly_paths 2: start")
+
+ not p_oci.Linux.ReadonlyPaths
+ not i_oci.Linux.ReadonlyPaths
+
+ print("allow_readonly_paths 2: true")
+}
+
+# All the policy readonly paths must be either:
+# - Present in the input readonly paths, or
+# - Present in the input masked paths.
+# Input is allowed to have more readonly paths than the policy.
+allow_readonly_paths_array(p_array, i_array, masked_paths) {
+ every p_elem in p_array {
+ allow_readonly_path(p_elem, i_array, masked_paths)
+ }
+}
+
+allow_readonly_path(p_elem, i_array, masked_paths) {
+ print("allow_readonly_path 1: p_elem =", p_elem)
+
+ some i_elem in i_array
+ p_elem == i_elem
+
+ print("allow_readonly_path 1: true")
+}
+allow_readonly_path(p_elem, i_array, masked_paths) {
+ print("allow_readonly_path 2: p_elem =", p_elem)
+
+ some i_masked in masked_paths
+ p_elem == i_masked
+
+ print("allow_readonly_path 2: true")
+}
+
+# Check the consistency of the input "io.katacontainers.pkg.oci.bundle_path"
+# and io.kubernetes.cri.sandbox-id" values with other fields.
+allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) {
+ print("allow_by_bundle_or_sandbox_id: start")
+
+ bundle_path := i_oci.Annotations["io.katacontainers.pkg.oci.bundle_path"]
+ bundle_id := replace(bundle_path, "/run/containerd/io.containerd.runtime.v2.task/k8s.io/", "")
+
+ key := "io.kubernetes.cri.sandbox-id"
+
+ p_regex := p_oci.Annotations[key]
+ sandbox_id := i_oci.Annotations[key]
+
+ print("allow_by_bundle_or_sandbox_id: sandbox_id =", sandbox_id, "regex =", p_regex)
+ regex.match(p_regex, sandbox_id)
+
+ allow_root_path(p_oci, i_oci, bundle_id)
+
+ every i_mount in input.OCI.Mounts {
+ allow_mount(p_oci, i_mount, bundle_id, sandbox_id)
+ }
+
+ allow_storages(p_storages, i_storages, bundle_id, sandbox_id)
+
+ print("allow_by_bundle_or_sandbox_id: true")
+}
+
+allow_process(p_oci, i_oci, s_name) {
+ p_process := p_oci.Process
+ i_process := i_oci.Process
+
+ print("allow_process: i terminal =", i_process.Terminal, "p terminal =", p_process.Terminal)
+ p_process.Terminal == i_process.Terminal
+
+ print("allow_process: i cwd =", i_process.Cwd, "i cwd =", p_process.Cwd)
+ p_process.Cwd == i_process.Cwd
+
+ print("allow_process: i noNewPrivileges =", i_process.NoNewPrivileges, "p noNewPrivileges =", p_process.NoNewPrivileges)
+ p_process.NoNewPrivileges == i_process.NoNewPrivileges
+
+ allow_caps(p_process.Capabilities, i_process.Capabilities)
+ allow_user(p_process, i_process)
+ allow_args(p_process, i_process, s_name)
+ allow_env(p_process, i_process, s_name)
+
+ print("allow_process: true")
+}
+
+allow_user(p_process, i_process) {
+ p_user := p_process.User
+ i_user := i_process.User
+
+ print("allow_user: input uid =", i_user.UID, "policy uid =", p_user.UID)
+ p_user.UID == i_user.UID
+
+ # TODO: track down the reason for registry.k8s.io/pause:3.9 being
+ # executed with gid = 0 despite having "65535:65535" in its container image
+ # config.
+ #print("allow_user: input gid =", i_user.GID, "policy gid =", p_user.GID)
+ #p_user.GID == i_user.GID
+
+ # TODO: compare the additionalGids field too after computing its value
+ # based on /etc/passwd and /etc/group from the container image.
+}
+
+allow_args(p_process, i_process, s_name) {
+ print("allow_args 1: no args")
+
+ not p_process.Args
+ not i_process.Args
+
+ print("allow_args 1: true")
+}
+allow_args(p_process, i_process, s_name) {
+ print("allow_args 2: policy args =", p_process.Args)
+ print("allow_args 2: input args =", i_process.Args)
+
+ count(p_process.Args) == count(i_process.Args)
+
+ every i, i_arg in i_process.Args {
+ allow_arg(i, i_arg, p_process, s_name)
+ }
+
+ print("allow_args 2: true")
+}
+allow_arg(i, i_arg, p_process, s_name) {
+ p_arg := p_process.Args[i]
+ print("allow_arg 1: i =", i, "i_arg =", i_arg, "p_arg =", p_arg)
+
+ p_arg2 := replace(p_arg, "$$", "$")
+ p_arg2 == i_arg
+
+ print("allow_arg 1: true")
+}
+allow_arg(i, i_arg, p_process, s_name) {
+ p_arg := p_process.Args[i]
+ print("allow_arg 2: i =", i, "i_arg =", i_arg, "p_arg =", p_arg)
+
+ # TODO: can $(node-name) be handled better?
+ contains(p_arg, "$(node-name)")
+
+ print("allow_arg 2: true")
+}
+allow_arg(i, i_arg, p_process, s_name) {
+ p_arg := p_process.Args[i]
+ print("allow_arg 3: i =", i, "i_arg =", i_arg, "p_arg =", p_arg)
+
+ p_arg2 := replace(p_arg, "$$", "$")
+ p_arg3 := replace(p_arg2, "$(sandbox-name)", s_name)
+ print("allow_arg 3: p_arg3 =", p_arg3)
+ p_arg3 == i_arg
+
+ print("allow_arg 3: true")
+}
+
+# OCI process.Env field
+allow_env(p_process, i_process, s_name) {
+ print("allow_env: p env =", p_process.Env)
+ print("allow_env: i env =", i_process.Env)
+
+ every i_var in i_process.Env {
+ print("allow_env: i_var =", i_var)
+ allow_var(p_process, i_process, i_var, s_name)
+ }
+
+ print("allow_env: true")
+}
+
+# Allow input env variables that are present in the policy data too.
+allow_var(p_process, i_process, i_var, s_name) { + some p_var in p_process.Env + p_var == i_var + print("allow_var 1: true") +} + +# Match input with one of the policy variables, after substituting $(sandbox-name). +allow_var(p_process, i_process, i_var, s_name) { + some p_var in p_process.Env + p_var2 := replace(p_var, "$(sandbox-name)", s_name) + + print("allow_var 2: p_var2 =", p_var2) + p_var2 == i_var + + print("allow_var 2: true") +} + +# Allow input env variables that match with a request_defaults regex. +allow_var(p_process, i_process, i_var, s_name) { + some p_regex1 in policy_data.request_defaults.CreateContainerRequest.allow_env_regex + p_regex2 := replace(p_regex1, "$(ipv4_a)", policy_data.common.ipv4_a) + p_regex3 := replace(p_regex2, "$(ip_p)", policy_data.common.ip_p) + p_regex4 := replace(p_regex3, "$(svc_name)", policy_data.common.svc_name) + p_regex5 := replace(p_regex4, "$(dns_label)", policy_data.common.dns_label) + + print("allow_var 3: p_regex5 =", p_regex5) + regex.match(p_regex5, i_var) + + print("allow_var 3: true") +} + +# Allow fieldRef "fieldPath: status.podIP" values. +allow_var(p_process, i_process, i_var, s_name) { + name_value := split(i_var, "=") + count(name_value) == 2 + is_ip(name_value[1]) + + some p_var in p_process.Env + allow_pod_ip_var(name_value[0], p_var) + + print("allow_var 4: true") +} + +# Allow common fieldRef variables. +allow_var(p_process, i_process, i_var, s_name) { + name_value := split(i_var, "=") + count(name_value) == 2 + + some p_var in p_process.Env + p_name_value := split(p_var, "=") + count(p_name_value) == 2 + + p_name_value[0] == name_value[0] + + # TODO: should these be handled in a different way? + always_allowed := ["$(host-name)", "$(node-name)", "$(pod-uid)"] + some allowed in always_allowed + contains(p_name_value[1], allowed) + + print("allow_var 5: true") +} + +# Allow fieldRef "fieldPath: status.hostIP" values. 
+allow_var(p_process, i_process, i_var, s_name) { + name_value := split(i_var, "=") + count(name_value) == 2 + is_ip(name_value[1]) + + some p_var in p_process.Env + allow_host_ip_var(name_value[0], p_var) + + print("allow_var 6: true") +} + +# Allow resourceFieldRef values (e.g., "limits.cpu"). +allow_var(p_process, i_process, i_var, s_name) { + name_value := split(i_var, "=") + count(name_value) == 2 + + some p_var in p_process.Env + p_name_value := split(p_var, "=") + count(p_name_value) == 2 + + p_name_value[0] == name_value[0] + + # TODO: should these be handled in a different way? + always_allowed = ["$(resource-field)", "$(todo-annotation)"] + some allowed in always_allowed + contains(p_name_value[1], allowed) + + print("allow_var 7: true") +} + +allow_pod_ip_var(var_name, p_var) { + print("allow_pod_ip_var: var_name =", var_name, "p_var =", p_var) + + p_name_value := split(p_var, "=") + count(p_name_value) == 2 + + p_name_value[0] == var_name + p_name_value[1] == "$(pod-ip)" + + print("allow_pod_ip_var: true") +} + +allow_host_ip_var(var_name, p_var) { + print("allow_host_ip_var: var_name =", var_name, "p_var =", p_var) + + p_name_value := split(p_var, "=") + count(p_name_value) == 2 + + p_name_value[0] == var_name + p_name_value[1] == "$(host-ip)" + + print("allow_host_ip_var: true") +} + +is_ip(value) { + bytes = split(value, ".") + count(bytes) == 4 + + is_ip_first_byte(bytes[0]) + is_ip_other_byte(bytes[1]) + is_ip_other_byte(bytes[2]) + is_ip_other_byte(bytes[3]) +} +is_ip_first_byte(component) { + number = to_number(component) + number >= 1 + number <= 255 +} +is_ip_other_byte(component) { + number = to_number(component) + number >= 0 + number <= 255 +} + +# OCI root.Path +allow_root_path(p_oci, i_oci, bundle_id) { + i_path := i_oci.Root.Path + p_path1 := p_oci.Root.Path + print("allow_root_path: i_path =", i_path, "p_path1 =", p_path1) + + p_path2 := replace(p_path1, "$(cpath)", policy_data.common.cpath) + print("allow_root_path: p_path2 =", p_path2) 
+
+ p_path3 := replace(p_path2, "$(bundle-id)", bundle_id)
+ print("allow_root_path: p_path3 =", p_path3)
+
+ p_path3 == i_path
+
+ print("allow_root_path: true")
+}
+
+# device mounts
+allow_mount(p_oci, i_mount, bundle_id, sandbox_id) {
+ print("allow_mount: i_mount =", i_mount)
+
+ some p_mount in p_oci.Mounts
+ print("allow_mount: p_mount =", p_mount)
+ check_mount(p_mount, i_mount, bundle_id, sandbox_id)
+
+ # TODO: are there any other required policy checks for mounts - e.g.,
+ # multiple mounts with same source or destination?
+
+ print("allow_mount: true")
+}
+
+check_mount(p_mount, i_mount, bundle_id, sandbox_id) {
+ p_mount == i_mount
+ print("check_mount 1: true")
+}
+check_mount(p_mount, i_mount, bundle_id, sandbox_id) {
+ p_mount.destination == i_mount.destination
+ p_mount.type_ == i_mount.type_
+ p_mount.options == i_mount.options
+
+ mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id)
+
+ print("check_mount 2: true")
+}
+
+mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) {
+ regex1 := p_mount.source
+ regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix)
+ regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath)
+ regex4 := replace(regex3, "$(bundle-id)", bundle_id)
+
+ print("mount_source_allows 1: regex4 =", regex4)
+ regex.match(regex4, i_mount.source)
+
+ print("mount_source_allows 1: true")
+}
+mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) {
+ regex1 := p_mount.source
+ regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix)
+ regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath)
+ regex4 := replace(regex3, "$(sandbox-id)", sandbox_id)
+
+ print("mount_source_allows 2: regex4 =", regex4)
+ regex.match(regex4, i_mount.source)
+
+ print("mount_source_allows 2: true")
+}
+mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) {
+ print("mount_source_allows 3: i_mount.source=", i_mount.source)
+
+ i_source_parts = split(i_mount.source, "/")
+
b64_direct_vol_path = i_source_parts[count(i_source_parts) - 1]
+
+ base64.is_valid(b64_direct_vol_path)
+
+ source1 := p_mount.source
+ print("mount_source_allows 3: source1 =", source1)
+
+ source2 := replace(source1, "$(spath)", policy_data.common.spath)
+ print("mount_source_allows 3: source2 =", source2)
+
+ source3 := replace(source2, "$(b64-direct-vol-path)", b64_direct_vol_path)
+ print("mount_source_allows 3: source3 =", source3)
+
+ source3 == i_mount.source
+
+ print("mount_source_allows 3: true")
+}
+
+######################################################################
+# Create container Storages
+
+allow_storages(p_storages, i_storages, bundle_id, sandbox_id) {
+ p_count := count(p_storages)
+ i_count := count(i_storages)
+ print("allow_storages: p_count =", p_count, "i_count =", i_count)
+
+ p_count == i_count
+
+ # Get the container image layer IDs and verity root hashes, from the "overlayfs" storage.
+ some overlay_storage in p_storages
+ overlay_storage.driver == "overlayfs"
+ print("allow_storages: overlay_storage =", overlay_storage)
+ count(overlay_storage.options) == 2
+
+ layer_ids := split(overlay_storage.options[0], ":")
+ print("allow_storages: layer_ids =", layer_ids)
+
+ root_hashes := split(overlay_storage.options[1], ":")
+ print("allow_storages: root_hashes =", root_hashes)
+
+ every i_storage in i_storages {
+ allow_storage(p_storages, i_storage, bundle_id, sandbox_id, layer_ids, root_hashes)
+ }
+
+ print("allow_storages: true")
+}
+
+allow_storage(p_storages, i_storage, bundle_id, sandbox_id, layer_ids, root_hashes) {
+ some p_storage in p_storages
+
+ print("allow_storage: p_storage =", p_storage)
+ print("allow_storage: i_storage =", i_storage)
+
+ p_storage.driver == i_storage.driver
+ p_storage.driver_options == i_storage.driver_options
+ p_storage.fs_group == i_storage.fs_group
+
+ allow_storage_options(p_storage, i_storage, layer_ids, root_hashes)
+ allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids)
+ + # TODO: validate the source field too. + + print("allow_storage: true") +} + +allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) { + print("allow_storage_options 1: start") + + p_storage.driver != "overlayfs" + p_storage.options == i_storage.options + + print("allow_storage_options 1: true") +} +allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) { + print("allow_storage_options 2: start") + + p_storage.driver == "overlayfs" + count(p_storage.options) == 2 + + policy_ids := split(p_storage.options[0], ":") + print("allow_storage_options 2: policy_ids =", policy_ids) + policy_ids == layer_ids + + policy_hashes := split(p_storage.options[1], ":") + print("allow_storage_options 2: policy_hashes =", policy_hashes) + + p_count := count(policy_ids) + print("allow_storage_options 2: p_count =", p_count) + p_count >= 1 + p_count == count(policy_hashes) + + i_count := count(i_storage.options) + print("allow_storage_options 2: i_count =", i_count) + i_count == p_count + 3 + + print("allow_storage_options 2: i_storage.options[0] =", i_storage.options[0]) + i_storage.options[0] == "io.katacontainers.fs-opt.layer-src-prefix=/var/lib/containerd/io.containerd.snapshotter.v1.tardev/layers" + + print("allow_storage_options 2: i_storage.options[i_count - 2] =", i_storage.options[i_count - 2]) + i_storage.options[i_count - 2] == "io.katacontainers.fs-opt.overlay-rw" + + lowerdir := concat("=", ["lowerdir", p_storage.options[0]]) + print("allow_storage_options 2: lowerdir =", lowerdir) + + print("allow_storage_options 2: i_storage.options[i_count - 1] =", i_storage.options[i_count - 1]) + i_storage.options[i_count - 1] == lowerdir + + every i, policy_id in policy_ids { + allow_overlay_layer(policy_id, policy_hashes[i], i_storage.options[i + 1]) + } + + print("allow_storage_options 2: true") +} +allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) { + print("allow_storage_options 3: start") + + p_storage.driver == "blk" + 
count(p_storage.options) == 1 + + startswith(p_storage.options[0], "$(hash") + hash_suffix := trim_left(p_storage.options[0], "$(hash") + + endswith(hash_suffix, ")") + hash_index := trim_right(hash_suffix, ")") + i := to_number(hash_index) + print("allow_storage_options 3: i =", i) + + hash_option := concat("=", ["io.katacontainers.fs-opt.root-hash", root_hashes[i]]) + print("allow_storage_options 3: hash_option =", hash_option) + + count(i_storage.options) == 4 + i_storage.options[0] == "ro" + i_storage.options[1] == "io.katacontainers.fs-opt.block_device=file" + i_storage.options[2] == "io.katacontainers.fs-opt.is-layer" + i_storage.options[3] == hash_option + + print("allow_storage_options 3: true") +} +allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) { + print("allow_storage_options 4: start") + + p_storage.driver == "smb" + count(i_storage.options) == 8 + i_storage.options[0] == "dir_mode=0666" + i_storage.options[1] == "file_mode=0666" + i_storage.options[2] == "mfsymlinks" + i_storage.options[3] == "cache=strict" + i_storage.options[4] == "nosharesock" + i_storage.options[5] == "actimeo=30" + startswith(i_storage.options[6], "addr=") + creds = split(i_storage.options[7], ",") + count(creds) == 2 + startswith(creds[0], "username=") + startswith(creds[1], "password=") + + print("allow_storage_options 4: true") +} + +allow_overlay_layer(policy_id, policy_hash, i_option) { + print("allow_overlay_layer: policy_id =", policy_id, "policy_hash =", policy_hash) + print("allow_overlay_layer: i_option =", i_option) + + startswith(i_option, "io.katacontainers.fs-opt.layer=") + i_value := replace(i_option, "io.katacontainers.fs-opt.layer=", "") + i_value_decoded := base64.decode(i_value) + print("allow_overlay_layer: i_value_decoded =", i_value_decoded) + + policy_suffix := concat("=", ["tar,ro,io.katacontainers.fs-opt.block_device=file,io.katacontainers.fs-opt.is-layer,io.katacontainers.fs-opt.root-hash", policy_hash]) + p_value := concat(",", 
[policy_id, policy_suffix]) + print("allow_overlay_layer: p_value =", p_value) + + p_value == i_value_decoded + + print("allow_overlay_layer: true") +} + +allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { + p_storage.fstype == "tar" + + startswith(p_storage.mount_point, "$(layer") + mount_suffix := trim_left(p_storage.mount_point, "$(layer") + + endswith(mount_suffix, ")") + layer_index := trim_right(mount_suffix, ")") + i := to_number(layer_index) + print("allow_mount_point 1: i =", i) + + layer_id := layer_ids[i] + print("allow_mount_point 1: layer_id =", layer_id) + + p_mount := concat("/", ["/run/kata-containers/sandbox/layers", layer_id]) + print("allow_mount_point 1: p_mount =", p_mount) + + p_mount == i_storage.mount_point + + print("allow_mount_point 1: true") +} +allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { + p_storage.fstype == "fuse3.kata-overlay" + + mount1 := replace(p_storage.mount_point, "$(cpath)", policy_data.common.cpath) + mount2 := replace(mount1, "$(bundle-id)", bundle_id) + print("allow_mount_point 2: mount2 =", mount2) + + mount2 == i_storage.mount_point + + print("allow_mount_point 2: true") +} +allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { + p_storage.fstype == "local" + + mount1 := p_storage.mount_point + print("allow_mount_point 3: mount1 =", mount1) + + mount2 := replace(mount1, "$(cpath)", policy_data.common.cpath) + print("allow_mount_point 3: mount2 =", mount2) + + mount3 := replace(mount2, "$(sandbox-id)", sandbox_id) + print("allow_mount_point 3: mount3 =", mount3) + + regex.match(mount3, i_storage.mount_point) + + print("allow_mount_point 3: true") +} +allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { + p_storage.fstype == "bind" + + mount1 := p_storage.mount_point + print("allow_mount_point 4: mount1 =", mount1) + + mount2 := replace(mount1, "$(cpath)", policy_data.common.cpath) + print("allow_mount_point 4: mount2 =", 
mount2) + + mount3 := replace(mount2, "$(bundle-id)", bundle_id) + print("allow_mount_point 4: mount3 =", mount3) + + regex.match(mount3, i_storage.mount_point) + + print("allow_mount_point 4: true") +} +allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { + p_storage.fstype == "tmpfs" + + mount1 := p_storage.mount_point + print("allow_mount_point 5: mount1 =", mount1) + + regex.match(mount1, i_storage.mount_point) + + print("allow_mount_point 5: true") +} +allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { + print("allow_mount_point 6: i_storage.mount_point =", i_storage.mount_point) + allow_direct_vol_driver(p_storage, i_storage) + + mount1 := p_storage.mount_point + print("allow_mount_point 6: mount1 =", mount1) + + mount2 := replace(mount1, "$(spath)", policy_data.common.spath) + print("allow_mount_point 6: mount2 =", mount2) + + direct_vol_path := i_storage.source + mount3 := replace(mount2, "$(b64-direct-vol-path)", base64url.encode(direct_vol_path)) + print("allow_mount_point 6: mount3 =", mount3) + + mount3 == i_storage.mount_point + + print("allow_mount_point 6: true") +} + +allow_direct_vol_driver(p_storage, i_storage) { + print("allow_direct_vol_driver 1: start") + p_storage.driver == "blk" + print("allow_direct_vol_driver 1: true") +} +allow_direct_vol_driver(p_storage, i_storage) { + print("allow_direct_vol_driver 2: start") + p_storage.driver == "smb" + print("allow_direct_vol_driver 2: true") +} + +# process.Capabilities +allow_caps(p_caps, i_caps) { + print("allow_caps: policy Ambient =", p_caps.Ambient) + print("allow_caps: input Ambient =", i_caps.Ambient) + match_caps(p_caps.Ambient, i_caps.Ambient) + + print("allow_caps: policy Bounding =", p_caps.Bounding) + print("allow_caps: input Bounding =", i_caps.Bounding) + match_caps(p_caps.Bounding, i_caps.Bounding) + + print("allow_caps: policy Effective =", p_caps.Effective) + print("allow_caps: input Effective =", i_caps.Effective) + 
match_caps(p_caps.Effective, i_caps.Effective) + + print("allow_caps: policy Inheritable =", p_caps.Inheritable) + print("allow_caps: input Inheritable =", i_caps.Inheritable) + match_caps(p_caps.Inheritable, i_caps.Inheritable) + + print("allow_caps: policy Permitted =", p_caps.Permitted) + print("allow_caps: input Permitted =", i_caps.Permitted) + match_caps(p_caps.Permitted, i_caps.Permitted) +} + +match_caps(p_caps, i_caps) { + print("match_caps 1: start") + + p_caps == i_caps + + print("match_caps 1: true") +} +match_caps(p_caps, i_caps) { + print("match_caps 2: start") + + count(p_caps) == 1 + p_caps[0] == "$(default_caps)" + + print("match_caps 2: default_caps =", policy_data.common.default_caps) + policy_data.common.default_caps == i_caps + + print("match_caps 2: true") +} +match_caps(p_caps, i_caps) { + print("match_caps 3: start") + + count(p_caps) == 1 + p_caps[0] == "$(privileged_caps)" + + print("match_caps 3: privileged_caps =", policy_data.common.privileged_caps) + policy_data.common.privileged_caps == i_caps + + print("match_caps 3: true") +} + +###################################################################### +check_directory_traversal(i_path) { + contains(i_path, "../") == false + endswith(i_path, "/..") == false + i_path != ".." +} + +check_symlink_source { + # TODO: delete this rule once the symlink_src field gets implemented + # by all/most Guest VMs. 
+ not input.symlink_src +} +check_symlink_source { + i_src := input.symlink_src + print("check_symlink_source: i_src =", i_src) + + startswith(i_src, "/") == false + check_directory_traversal(i_src) +} + +allow_sandbox_storages(i_storages) { + print("allow_sandbox_storages: i_storages =", i_storages) + + p_storages := policy_data.sandbox.storages + every i_storage in i_storages { + allow_sandbox_storage(p_storages, i_storage) + } + + print("allow_sandbox_storages: true") +} + +allow_sandbox_storage(p_storages, i_storage) { + print("allow_sandbox_storage: i_storage =", i_storage) + + some p_storage in p_storages + print("allow_sandbox_storage: p_storage =", p_storage) + i_storage == p_storage + + print("allow_sandbox_storage: true") +} + +CopyFileRequest { + print("CopyFileRequest: input.path =", input.path) + + check_symlink_source + check_directory_traversal(input.path) + + some regex1 in policy_data.request_defaults.CopyFileRequest + regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix) + regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath) + regex4 := replace(regex3, "$(bundle-id)", "[a-z0-9]{64}") + print("CopyFileRequest: regex4 =", regex4) + + regex.match(regex4, input.path) + + print("CopyFileRequest: true") +} + +CreateSandboxRequest { + print("CreateSandboxRequest: input.guest_hook_path =", input.guest_hook_path) + count(input.guest_hook_path) == 0 + + print("CreateSandboxRequest: input.kernel_modules =", input.kernel_modules) + count(input.kernel_modules) == 0 + + i_pidns := input.sandbox_pidns + print("CreateSandboxRequest: i_pidns =", i_pidns) + i_pidns == false + + allow_sandbox_storages(input.storages) +} + +ExecProcessRequest { + print("ExecProcessRequest 1: input =", input) + + i_command = concat(" ", input.process.Args) + print("ExecProcessRequest 1: i_command =", i_command) + + some p_command in policy_data.request_defaults.ExecProcessRequest.commands + print("ExecProcessRequest 1: p_command =", p_command) + p_command == 
i_command + + print("ExecProcessRequest 1: true") +} +ExecProcessRequest { + print("ExecProcessRequest 2: input =", input) + + # TODO: match input container ID with its corresponding container.exec_commands. + i_command = concat(" ", input.process.Args) + print("ExecProcessRequest 3: i_command =", i_command) + + some container in policy_data.containers + some p_command in container.exec_commands + print("ExecProcessRequest 2: p_command =", p_command) + + # TODO: should other input data fields be validated as well? + p_command == i_command + + print("ExecProcessRequest 2: true") +} +ExecProcessRequest { + print("ExecProcessRequest 3: input =", input) + + i_command = concat(" ", input.process.Args) + print("ExecProcessRequest 3: i_command =", i_command) + + some p_regex in policy_data.request_defaults.ExecProcessRequest.regex + print("ExecProcessRequest 3: p_regex =", p_regex) + + regex.match(p_regex, i_command) + + print("ExecProcessRequest 3: true") +} + +CloseStdinRequest { + policy_data.request_defaults.CloseStdinRequest == true +} + +ReadStreamRequest { + policy_data.request_defaults.ReadStreamRequest == true +} + +UpdateEphemeralMountsRequest { + policy_data.request_defaults.UpdateEphemeralMountsRequest == true +} + +WriteStreamRequest { + policy_data.request_defaults.WriteStreamRequest == true +} + +policy_data := { + "containers": [ + { + "OCI": { + "Version": "1.1.0-rc.1", + "Process": { + "Terminal": false, + "User": { + "UID": 2000, + "GID": 65535, + "AdditionalGids": [], + "Username": "" + }, + "Args": [ + "/pause" + ], + "Env": [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" + ], + "Cwd": "/", + "Capabilities": { + "Ambient": [], + "Bounding": [ + "$(default_caps)" + ], + "Effective": [ + "$(default_caps)" + ], + "Inheritable": [], + "Permitted": [ + "$(default_caps)" + ] + }, + "NoNewPrivileges": true + }, + "Root": { + "Path": "$(cpath)/$(bundle-id)", + "Readonly": true + }, + "Mounts": [ + { + "destination": "/proc", + 
"source": "proc", + "type_": "proc", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/dev", + "source": "tmpfs", + "type_": "tmpfs", + "options": [ + "nosuid", + "strictatime", + "mode=755", + "size=65536k" + ] + }, + { + "destination": "/dev/pts", + "source": "devpts", + "type_": "devpts", + "options": [ + "nosuid", + "noexec", + "newinstance", + "ptmxmode=0666", + "mode=0620", + "gid=5" + ] + }, + { + "destination": "/dev/shm", + "source": "/run/kata-containers/sandbox/shm", + "type_": "bind", + "options": [ + "rbind" + ] + }, + { + "destination": "/dev/mqueue", + "source": "mqueue", + "type_": "mqueue", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/sys", + "source": "sysfs", + "type_": "sysfs", + "options": [ + "nosuid", + "noexec", + "nodev", + "ro" + ] + }, + { + "destination": "/etc/resolv.conf", + "source": "$(sfprefix)resolv.conf$", + "type_": "bind", + "options": [ + "rbind", + "ro", + "nosuid", + "nodev", + "noexec" + ] + } + ], + "Annotations": { + "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/$(bundle-id)", + "io.katacontainers.pkg.oci.container_type": "pod_sandbox", + "io.kubernetes.cri.container-type": "sandbox", + "io.kubernetes.cri.sandbox-id": "^[a-z0-9]{64}$", + "io.kubernetes.cri.sandbox-log-directory": "^/var/log/pods/$(sandbox-namespace)_$(sandbox-name)_[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "io.kubernetes.cri.sandbox-name": "cm1", + "io.kubernetes.cri.sandbox-namespace": "default", + "nerdctl/network-namespace": "^/var/run/netns/cni-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$" + }, + "Linux": { + "Namespaces": [ + { + "Type": "ipc", + "Path": "" + }, + { + "Type": "uts", + "Path": "" + }, + { + "Type": "mount", + "Path": "" + } + ], + "MaskedPaths": [ + "/proc/acpi", + "/proc/asound", + "/proc/kcore", + "/proc/keys", + "/proc/latency_stats", + "/proc/timer_list", + "/proc/timer_stats", 
+ "/proc/sched_debug",
+ "/sys/firmware",
+ "/proc/scsi"
+ ],
+ "ReadonlyPaths": [
+ "/proc/bus",
+ "/proc/fs",
+ "/proc/irq",
+ "/proc/sys",
+ "/proc/sysrq-trigger"
+ ]
+ }
+ },
+ "storages": [
+ {
+ "driver": "blk",
+ "driver_options": [],
+ "source": "",
+ "fstype": "tar",
+ "options": [
+ "$(hash0)"
+ ],
+ "mount_point": "$(layer0)",
+ "fs_group": null
+ },
+ {
+ "driver": "overlayfs",
+ "driver_options": [],
+ "source": "",
+ "fstype": "fuse3.kata-overlay",
+ "options": [
+ "5a5aad80055ff20012a50dc25f8df7a29924474324d65f7d5306ee8ee27ff71d",
+ "817250f1a3e336da76f5bd3fa784e1b26d959b9c131876815ba2604048b70c18"
+ ],
+ "mount_point": "$(cpath)/$(bundle-id)",
+ "fs_group": null
+ }
+ ],
+ "sandbox_pidns": false,
+ "exec_commands": []
+ },
+ {
+ "OCI": {
+ "Version": "1.1.0-rc.1",
+ "Process": {
+ "Terminal": false,
+ "User": {
+ "UID": 2000,
+ "GID": 0,
+ "AdditionalGids": [],
+ "Username": ""
+ },
+ "Args": [
+ "/bin/sh",
+ "-c",
+ "while true; do echo hello; sleep 10; done"
+ ],
+ "Env": [
+ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+ "HOSTNAME=$(host-name)",
+ "CONFIG_MAP_VALUE1=value1"
+ ],
+ "Cwd": "/",
+ "Capabilities": {
+ "Ambient": [],
+ "Bounding": [
+ "$(privileged_caps)"
+ ],
+ "Effective": [
+ "$(privileged_caps)"
+ ],
+ "Inheritable": [],
+ "Permitted": [
+ "$(privileged_caps)"
+ ]
+ },
+ "NoNewPrivileges": false
+ },
+ "Root": {
+ "Path": "$(cpath)/$(bundle-id)",
+ "Readonly": false
+ },
+ "Mounts": [
+ {
+ "destination": "/proc",
+ "source": "proc",
+ "type_": "proc",
+ "options": [
+ "nosuid",
+ "noexec",
+ "nodev"
+ ]
+ },
+ {
+ "destination": "/dev",
+ "source": "tmpfs",
+ "type_": "tmpfs",
+ "options": [
+ "nosuid",
+ "strictatime",
+ "mode=755",
+ "size=65536k"
+ ]
+ },
+ {
+ "destination": "/dev/pts",
+ "source": "devpts",
+ "type_": "devpts",
+ "options": [
+ "nosuid",
+ "noexec",
+ "newinstance",
+ "ptmxmode=0666",
+ "mode=0620",
+ "gid=5"
+ ]
+ },
+ {
+ "destination": "/dev/shm",
+ "source": "/run/kata-containers/sandbox/shm",
+ "type_": "bind",
+ "options": [
+ "rbind"
+ ]
+ },
+ {
+ "destination": "/dev/mqueue",
+ "source": "mqueue",
+ "type_": "mqueue",
+ "options": [
+ "nosuid",
+ "noexec",
+ "nodev"
+ ]
+ },
+ {
+ "destination": "/sys",
+ "source": "sysfs",
+ "type_": "sysfs",
+ "options": [
+ "nosuid",
+ "noexec",
+ "nodev",
+ "rw"
+ ]
+ },
+ {
+ "destination": "/sys/fs/cgroup",
+ "source": "cgroup",
+ "type_": "cgroup",
+ "options": [
+ "nosuid",
+ "noexec",
+ "nodev",
+ "relatime",
+ "rw"
+ ]
+ },
+ {
+ "destination": "/etc/hosts",
+ "source": "$(sfprefix)hosts$",
+ "type_": "bind",
+ "options": [
+ "rbind",
+ "rprivate",
+ "rw"
+ ]
+ },
+ {
+ "destination": "/dev/termination-log",
+ "source": "$(sfprefix)termination-log$",
+ "type_": "bind",
+ "options": [
+ "rbind",
+ "rprivate",
+ "rw"
+ ]
+ },
+ {
+ "destination": "/etc/hostname",
+ "source": "$(sfprefix)hostname$",
+ "type_": "bind",
+ "options": [
+ "rbind",
+ "rprivate",
+ "rw"
+ ]
+ },
+ {
+ "destination": "/etc/resolv.conf",
+ "source": "$(sfprefix)resolv.conf$",
+ "type_": "bind",
+ "options": [
+ "rbind",
+ "rprivate",
+ "rw"
+ ]
+ },
+ {
+ "destination": "/var/run/secrets/kubernetes.io/serviceaccount",
+ "source": "$(sfprefix)serviceaccount$",
+ "type_": "bind",
+ "options": [
+ "rbind",
+ "rprivate",
+ "ro"
+ ]
+ },
+ {
+ "destination": "/var/run/secrets/azure/tokens",
+ "source": "$(sfprefix)tokens$",
+ "type_": "bind",
+ "options": [
+ "rbind",
+ "rprivate",
+ "ro"
+ ]
+ }
+ ],
+ "Annotations": {
+ "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/$(bundle-id)",
+ "io.katacontainers.pkg.oci.container_type": "pod_container",
+ "io.kubernetes.cri.container-name": "busybox",
+ "io.kubernetes.cri.container-type": "container",
+ "io.kubernetes.cri.image-name": "mcr.microsoft.com/aks/e2e/library-busybox:master.220314.1-linux-amd64",
+ "io.kubernetes.cri.sandbox-id": "^[a-z0-9]{64}$",
+ "io.kubernetes.cri.sandbox-name": "cm1",
+ "io.kubernetes.cri.sandbox-namespace": "default"
+ },
+ "Linux": {
+ "Namespaces": [
+ {
+ "Type": "ipc",
+ "Path": ""
+ },
+ {
+ "Type": "uts",
+ "Path": ""
+ },
+ {
+ "Type": "mount",
+ "Path": ""
+ }
+ ],
+ "MaskedPaths": [],
+ "ReadonlyPaths": []
+ }
+ },
+ "storages": [
+ {
+ "driver": "blk",
+ "driver_options": [],
+ "source": "",
+ "fstype": "tar",
+ "options": [
+ "$(hash0)"
+ ],
+ "mount_point": "$(layer0)",
+ "fs_group": null
+ },
+ {
+ "driver": "blk",
+ "driver_options": [],
+ "source": "",
+ "fstype": "tar",
+ "options": [
+ "$(hash1)"
+ ],
+ "mount_point": "$(layer1)",
+ "fs_group": null
+ },
+ {
+ "driver": "overlayfs",
+ "driver_options": [],
+ "source": "",
+ "fstype": "fuse3.kata-overlay",
+ "options": [
+ "2c342a137e693c7898aec36da1047f191dc7c1687e66198adacc439cf4adf379:2570e3a19e1bf20ddda45498a9627f61555d2d6c01479b9b76460b679b27d552",
+ "8568c70c0ccfe0051092e818da769111a59882cd19dd799d3bca5ffa82791080:b643b6217748983830b26ac14a35a3322dd528c00963eaadd91ef55f513dc73f"
+ ],
+ "mount_point": "$(cpath)/$(bundle-id)",
+ "fs_group": null
+ }
+ ],
+ "sandbox_pidns": false,
+ "exec_commands": []
+ }
+ ],
+ "common": {
+ "cpath": "/run/kata-containers/shared/containers",
+ "sfprefix": "^$(cpath)/$(bundle-id)-[a-z0-9]{16}-",
+ "spath": "/run/kata-containers/sandbox/storage",
+ "ipv4_a": "((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}",
+ "ip_p": "[0-9]{1,5}",
+ "svc_name": "[A-Z0-9_\\.\\-]+",
+ "dns_label": "[a-zA-Z0-9_\\.\\-]+",
+ "default_caps": [
+ "CAP_CHOWN",
+ "CAP_DAC_OVERRIDE",
+ "CAP_FSETID",
+ "CAP_FOWNER",
+ "CAP_MKNOD",
+ "CAP_NET_RAW",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETFCAP",
+ "CAP_SETPCAP",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_SYS_CHROOT",
+ "CAP_KILL",
+ "CAP_AUDIT_WRITE"
+ ],
+ "privileged_caps": [
+ "CAP_CHOWN",
+ "CAP_DAC_OVERRIDE",
+ "CAP_DAC_READ_SEARCH",
+ "CAP_FOWNER",
+ "CAP_FSETID",
+ "CAP_KILL",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETPCAP",
+ "CAP_LINUX_IMMUTABLE",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_NET_BROADCAST",
+ "CAP_NET_ADMIN",
+ "CAP_NET_RAW",
+ "CAP_IPC_LOCK",
+ "CAP_IPC_OWNER",
+ "CAP_SYS_MODULE",
+ "CAP_SYS_RAWIO",
+ "CAP_SYS_CHROOT",
+ "CAP_SYS_PTRACE",
+ "CAP_SYS_PACCT",
+ "CAP_SYS_ADMIN",
+ "CAP_SYS_BOOT",
+ "CAP_SYS_NICE",
+ "CAP_SYS_RESOURCE",
+ "CAP_SYS_TIME",
+ "CAP_SYS_TTY_CONFIG",
+ "CAP_MKNOD",
+ "CAP_LEASE",
+ "CAP_AUDIT_WRITE",
+ "CAP_AUDIT_CONTROL",
+ "CAP_SETFCAP",
+ "CAP_MAC_OVERRIDE",
+ "CAP_MAC_ADMIN",
+ "CAP_SYSLOG",
+ "CAP_WAKE_ALARM",
+ "CAP_BLOCK_SUSPEND",
+ "CAP_AUDIT_READ",
+ "CAP_PERFMON",
+ "CAP_BPF",
+ "CAP_CHECKPOINT_RESTORE"
+ ],
+ "virtio_blk_storage_classes": [
+ "cc-local-csi",
+ "cc-managed-csi",
+ "cc-managed-premium-csi"
+ ],
+ "smb_storage_classes": [
+ "cc-azurefile-csi",
+ "cc-azurefile-premium-csi"
+ ]
+ },
+ "sandbox": {
+ "storages": [
+ {
+ "driver": "ephemeral",
+ "driver_options": [],
+ "source": "shm",
+ "fstype": "tmpfs",
+ "options": [
+ "noexec",
+ "nosuid",
+ "nodev",
+ "mode=1777",
+ "size=67108864"
+ ],
+ "mount_point": "/run/kata-containers/sandbox/shm",
+ "fs_group": null
+ }
+ ]
+ },
+ "request_defaults": {
+ "CreateContainerRequest": {
+ "allow_env_regex": [
+ "^HOSTNAME=$(dns_label)$",
+ "^$(svc_name)_PORT_$(ip_p)_TCP=tcp://$(ipv4_a):$(ip_p)$",
+ "^$(svc_name)_PORT_$(ip_p)_TCP_PROTO=tcp$",
+ "^$(svc_name)_PORT_$(ip_p)_TCP_PORT=$(ip_p)$",
+ "^$(svc_name)_PORT_$(ip_p)_TCP_ADDR=$(ipv4_a)$",
+ "^$(svc_name)_SERVICE_HOST=$(ipv4_a)$",
+ "^$(svc_name)_SERVICE_PORT=$(ip_p)$",
+ "^$(svc_name)_SERVICE_PORT_$(dns_label)=$(ip_p)$",
+ "^$(svc_name)_PORT=tcp://$(ipv4_a):$(ip_p)$",
+ "^AZURE_CLIENT_ID=[A-Fa-f0-9-]*$",
+ "^AZURE_TENANT_ID=[A-Fa-f0-9-]*$",
+ "^AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/azure/tokens/azure-identity-token$",
+ "^AZURE_AUTHORITY_HOST=https://login\\.microsoftonline\\.com/$"
+ ]
+ },
+ "CopyFileRequest": [
+ "$(sfprefix)"
+ ],
+ "ExecProcessRequest": {
+ "commands": [],
+ "regex": []
+ },
+ "CloseStdinRequest": false,
+ "ReadStreamRequest": true,
+ "UpdateEphemeralMountsRequest": false,
+ "WriteStreamRequest": false
+ }
+}
\ No newline at end of file
diff --git a/tests/kata/data/pod-cm2/inputs.txt b/tests/kata/data/pod-cm2/inputs.txt
new file mode 100644
index 00000000..02a5ff9a
--- /dev/null
+++ b/tests/kata/data/pod-cm2/inputs.txt
@@ -0,0 +1,119 @@
+["ep":"AllowRequestsFailingPolicy",{}],
+
+["ep":"UpdateInterfaceRequest",{"interface":{"device":"eth0","name":"eth0","IPAddresses":[{"family":0,"address":"10.244.0.15","mask":"24"},{"family":1,"address":"fe80::d4bf:feff:fe2a:a15c","mask":"64"}],"mtu":1500,"hwAddr":"d6:bf:fe:2a:a1:5c","pciPath":"","type_":"","raw_flags":0}}],
+
+["ep":"UpdateRoutesRequest",{"routes":{"Routes":[{"dest":"","gateway":"10.244.0.1","device":"eth0","source":"","scope":0,"family":0}]}}],
+
+["ep":"CreateSandboxRequest",{"hostname":"cm2","dns":["search default.svc.cluster.local svc.cluster.local cluster.local","nameserver 10.0.0.10","options ndots:5",""],"storages":[{"driver":"ephemeral","driver_options":[],"source":"shm","fstype":"tmpfs","options":["noexec","nosuid","nodev","mode=1777","size=67108864"],"mount_point":"/run/kata-containers/sandbox/shm","fs_group":null}],"sandbox_pidns":false,"sandbox_id":"faf19d7261fcfb7121018a2abd34cbb58a2037f029d61467d8f32a8279ead55f","guest_hook_path":"","kernel_modules":[]}],
+
+["ep":"GuestDetailsRequest",{"mem_block_size":true,"mem_hotplug_probe":true}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/faf19d7261fcfb7121018a2abd34cbb58a2037f029d61467d8f32a8279ead55f-436c8044ae5d2eea-resolv.conf","file_size":102,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CreateContainerRequest",{"container_id":"faf19d7261fcfb7121018a2abd34cbb58a2037f029d61467d8f32a8279ead55f","exec_id":"faf19d7261fcfb7121018a2abd34cbb58a2037f029d61467d8f32a8279ead55f","string_user":null,"devices":[],"storages":[{"driver":"blk","driver_options":[],"source":"0001:00:01.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=817250f1a3e336da76f5bd3fa784e1b26d959b9c131876815ba2604048b70c18"],"mount_point":"/run/kata-containers/sandbox/layers/5a5aad80055ff20012a50dc25f8df7a29924474324d65f7d5306ee8ee27ff71d","fs_group":null},{"driver":"overlayfs","driver_options":[],"source":"none","fstype":"fuse3.kata-overlay","options":["io.katacontainers.fs-opt.layer-src-prefix=/var/lib/containerd/io.containerd.snapshotter.v1.tardev/layers","io.katacontainers.fs-opt.layer=NWE1YWFkODAwNTVmZjIwMDEyYTUwZGMyNWY4ZGY3YTI5OTI0NDc0MzI0ZDY1ZjdkNTMwNmVlOGVlMjdmZjcxZCx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPTgxNzI1MGYxYTNlMzM2ZGE3NmY1YmQzZmE3ODRlMWIyNmQ5NTliOWMxMzE4NzY4MTViYTI2MDQwNDhiNzBjMTg=","io.katacontainers.fs-opt.overlay-rw","lowerdir=5a5aad80055ff20012a50dc25f8df7a29924474324d65f7d5306ee8ee27ff71d"],"mount_point":"/run/kata-containers/shared/containers/faf19d7261fcfb7121018a2abd34cbb58a2037f029d61467d8f32a8279ead55f","fs_group":null}],"OCI":{"Version":"1.1.0-rc.1","Process":{"Terminal":false,"ConsoleSize":null,"User":{"UID":65535,"GID":65535,"AdditionalGids":[65535],"Username":""},"Args":["/pause"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],"Cwd":"/","Capabilities":{"Bounding":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Effective":["CAP_CHOWN","CAP_DAC_OVERRIDE
","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Inheritable":[],"Permitted":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Ambient":[]},"Rlimits":[],"NoNewPrivileges":true,"ApparmorProfile":"","OOMScoreAdj":-998,"SelinuxLabel":""},"Root":{"Path":"/run/kata-containers/shared/containers/faf19d7261fcfb7121018a2abd34cbb58a2037f029d61467d8f32a8279ead55f","Readonly":true},"Hostname":"cm2","Mounts":[{"destination":"/proc","source":"proc","type_":"proc","options":["nosuid","noexec","nodev"]},{"destination":"/dev","source":"tmpfs","type_":"tmpfs","options":["nosuid","strictatime","mode=755","size=65536k"]},{"destination":"/dev/pts","source":"devpts","type_":"devpts","options":["nosuid","noexec","newinstance","ptmxmode=0666","mode=0620","gid=5"]},{"destination":"/dev/mqueue","source":"mqueue","type_":"mqueue","options":["nosuid","noexec","nodev"]},{"destination":"/sys","source":"sysfs","type_":"sysfs","options":["nosuid","noexec","nodev","ro"]},{"destination":"/dev/shm","source":"/run/kata-containers/sandbox/shm","type_":"bind","options":["rbind"]},{"destination":"/etc/resolv.conf","source":"/run/kata-containers/shared/containers/faf19d7261fcfb7121018a2abd34cbb58a2037f029d61467d8f32a8279ead55f-436c8044ae5d2eea-resolv.conf","type_":"bind","options":["rbind","ro","nosuid","nodev","noexec"]}],"Hooks":null,"Annotations":{"io.kubernetes.cri.sandbox-namespace":"default","io.kubernetes.cri.sandbox-uid":"e171518a-2666-434f-86bb-1b067839f6e9","io.kubernetes.cri.sandbox-cpu-shares":"2","io.kubernetes.cri.sandbox-id":"faf19d7261fcfb7121018a2abd34cbb58a2037f029d61467d8f32a8279ead55f","io.katacontainers.pkg.oci.bundle_path":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/faf19d7261fcfb7121018a2a
bd34cbb58a2037f029d61467d8f32a8279ead55f","io.katacontainers.pkg.oci.container_type":"pod_sandbox","io.kubernetes.cri.sandbox-memory":"0","nerdctl/network-namespace":"/var/run/netns/cni-f5c9d075-80ce-76f2-5578-94f4feab0a46","io.kubernetes.cri.sandbox-log-directory":"/var/log/pods/default_cm2_e171518a-2666-434f-86bb-1b067839f6e9","io.kubernetes.cri.container-type":"sandbox","io.kubernetes.cri.sandbox-cpu-period":"100000","io.kubernetes.cri.sandbox-name":"cm2","io.kubernetes.cri.sandbox-cpu-quota":"0"},"Linux":{"UIDMappings":[],"GIDMappings":[],"Sysctl":{},"Resources":{"Devices":[],"Memory":null,"CPU":{"Shares":2,"Quota":0,"Period":0,"RealtimeRuntime":0,"RealtimePeriod":0,"Cpus":"","Mems":""},"Pids":null,"BlockIO":null,"HugepageLimits":[],"Network":null},"CgroupsPath":"/kubepods/besteffort/pode171518a-2666-434f-86bb-1b067839f6e9/faf19d7261fcfb7121018a2abd34cbb58a2037f029d61467d8f32a8279ead55f","Namespaces":[{"Type":"ipc","Path":""},{"Type":"uts","Path":""},{"Type":"mount","Path":""}],"Devices":[],"Seccomp":null,"RootfsPropagation":"","MaskedPaths":["/proc/acpi","/proc/asound","/proc/kcore","/proc/keys","/proc/latency_stats","/proc/timer_list","/proc/timer_stats","/proc/sched_debug","/sys/firmware","/proc/scsi"],"ReadonlyPaths":["/proc/bus","/proc/fs","/proc/irq","/proc/sys","/proc/sysrq-trigger"],"MountLabel":"","IntelRdt":null},"Solaris":null,"Windows":null},"sandbox_pidns":false,"shared_mounts":[]}], + +["ep":"StartContainerRequest",{"container_id":"faf19d7261fcfb7121018a2abd34cbb58a2037f029d61467d8f32a8279ead55f"}], + +["ep":"GetOOMEventRequest",{}], + +["ep":"WaitProcessRequest",{"container_id":"faf19d7261fcfb7121018a2abd34cbb58a2037f029d61467d8f32a8279ead55f","exec_id":"faf19d7261fcfb7121018a2abd34cbb58a2037f029d61467d8f32a8279ead55f"}], + 
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/0730592335b050edf5109d389763447a6771aaced62161efe5ce466b278cab87-a09a9af9b15c5fdd-cm2","file_size":0,"file_mode":16895,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/0730592335b050edf5109d389763447a6771aaced62161efe5ce466b278cab87-a09a9af9b15c5fdd-cm2/..2024_05_08_18_01_52.2860902433","file_size":0,"file_mode":16877,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/0730592335b050edf5109d389763447a6771aaced62161efe5ce466b278cab87-a09a9af9b15c5fdd-cm2/..2024_05_08_18_01_52.2860902433/my-keys","file_size":65,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/0730592335b050edf5109d389763447a6771aaced62161efe5ce466b278cab87-a09a9af9b15c5fdd-cm2/..data","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..2024_05_08_18_01_52.2860902433"}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/0730592335b050edf5109d389763447a6771aaced62161efe5ce466b278cab87-a09a9af9b15c5fdd-cm2/my-keys","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..data/my-keys"}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/0730592335b050edf5109d389763447a6771aaced62161efe5ce466b278cab87-4ef29a1284058a8c-cm3","file_size":0,"file_mode":16895,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/0730592335b050edf5109d389763447a6771aaced62161efe5ce466b278cab87-4ef29a1284058a8c-cm3/..2024_05_08_18_01_52.1069278790","file_size":0,"file_mode":16877,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/0730592335b050edf5109d389763447a6771aaced62161efe5ce466b278cab87-4ef29a1284058a8c-cm3/..2024_05_08_18_01_52.1069278790/ro-keys","file_size":11,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/0730592335b050edf5109d389763447a6771aaced62161efe5ce466b278cab87-4ef29a1284058a8c-cm3/..data","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..2024_05_08_18_01_52.1069278790"}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/0730592335b050edf5109d389763447a6771aaced62161efe5ce466b278cab87-4ef29a1284058a8c-cm3/ro-keys","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..data/ro-keys"}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/0730592335b050edf5109d389763447a6771aaced62161efe5ce466b278cab87-3bb8d220ffb1f5e1-hosts","file_size":199,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/0730592335b050edf5109d389763447a6771aaced62161efe5ce466b278cab87-ce6c29c68dc0cc49-termination-log","file_size":0,"file_mode":33206,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/0730592335b050edf5109d389763447a6771aaced62161efe5ce466b278cab87-9be63438a9eb2789-hostname","file_size":4,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/0730592335b050edf5109d389763447a6771aaced62161efe5ce466b278cab87-8a053bb7df8eff93-resolv.conf","file_size":102,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/0730592335b050edf5109d389763447a6771aaced62161efe5ce466b278cab87-5ac80405797363af-serviceaccount","file_size":0,"file_mode":17407,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/0730592335b050edf5109d389763447a6771aaced62161efe5ce466b278cab87-5ac80405797363af-serviceaccount/..2024_05_08_18_01_52.3435451574","file_size":0,"file_mode":16877,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/0730592335b050edf5109d389763447a6771aaced62161efe5ce466b278cab87-5ac80405797363af-serviceaccount/..2024_05_08_18_01_52.3435451574/ca.crt","file_size":1761,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/0730592335b050edf5109d389763447a6771aaced62161efe5ce466b278cab87-5ac80405797363af-serviceaccount/..2024_05_08_18_01_52.3435451574/namespace","file_size":7,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/0730592335b050edf5109d389763447a6771aaced62161efe5ce466b278cab87-5ac80405797363af-serviceaccount/..2024_05_08_18_01_52.3435451574/token","file_size":1487,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/0730592335b050edf5109d389763447a6771aaced62161efe5ce466b278cab87-5ac80405797363af-serviceaccount/..data","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..2024_05_08_18_01_52.3435451574"}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/0730592335b050edf5109d389763447a6771aaced62161efe5ce466b278cab87-5ac80405797363af-serviceaccount/ca.crt","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..data/ca.crt"}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/0730592335b050edf5109d389763447a6771aaced62161efe5ce466b278cab87-5ac80405797363af-serviceaccount/namespace","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..data/namespace"}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/0730592335b050edf5109d389763447a6771aaced62161efe5ce466b278cab87-5ac80405797363af-serviceaccount/token","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..data/token"}],
+
+["ep":"CreateContainerRequest",{"container_id":"0730592335b050edf5109d389763447a6771aaced62161efe5ce466b278cab87","exec_id":"0730592335b050edf5109d389763447a6771aaced62161efe5ce466b278cab87","string_user":null,"devices":[],"storages":[{"driver":"blk","driver_options":[],"source":"0001:00:02.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=8568c70c0ccfe0051092e818da769111a59882cd19dd799d3bca5ffa82791080"],"mount_point":"/run/kata-containers/sandbox/layers/2c342a137e693c7898aec36da1047f191dc7c1687e66198adacc439cf4adf379","fs_group":null},{"driver":"blk","driver_options":[],"source":"0001:00:03.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=b643b6217748983830b26ac14a35a3322dd528c00963eaadd91ef55f513dc73f"],"mount_point":"/run/kata-containers/sandbox/layers/2570e3a19e1bf20ddda45498a9627f61555d2d6c01479b9b76460b679b27d552","fs_group":null},{"driver":"overlayfs","driver_options":[],"source":"none","fstype":"fuse3.kata-overlay","options":["io.katacontainers.fs-opt.layer-src-prefix=/var/lib/containerd/io.containerd.snapshotter.v1.tardev/layers","io.katacontainers.fs-opt.layer=MmMzNDJhMTM3ZTY5M2M3ODk4YWVjMzZkYTEwNDdmMTkxZGM3YzE2ODdlNjYxOThhZGFjYzQzOWNmNGFkZjM3OSx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPTg1NjhjNzBjMGNjZmUwMDUxMDkyZTgxOGRhNzY5MTExYTU5ODgyY2QxOWRkNzk5ZDNiY2E1ZmZhODI3OTEwODA=","io.katacontainers.fs-opt.layer=MjU3MGUzYTE5ZTFiZjIwZGRkYTQ1NDk4YTk2MjdmNjE1NTVkMmQ2YzAxNDc5YjliNzY0NjBiNjc5YjI3ZDU1Mix0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPWI2NDNiNjIxNzc0ODk4MzgzMGIyNmFjMTRhMzVhMzMyMmRkNTI4YzAwOTYzZWFhZGQ5MWVmNTVmNTEzZGM3M2Y=","io.kata
containers.fs-opt.overlay-rw","lowerdir=2c342a137e693c7898aec36da1047f191dc7c1687e66198adacc439cf4adf379:2570e3a19e1bf20ddda45498a9627f61555d2d6c01479b9b76460b679b27d552"],"mount_point":"/run/kata-containers/shared/containers/0730592335b050edf5109d389763447a6771aaced62161efe5ce466b278cab87","fs_group":null}],"OCI":{"Version":"1.1.0-rc.1","Process":{"Terminal":false,"ConsoleSize":null,"User":{"UID":123,"GID":0,"AdditionalGids":[0],"Username":""},"Args":["/bin/sh","-c","while true; do echo hello; sleep 10; done"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","HOSTNAME=cm2","KUBERNETES_PORT_443_TCP_PORT=443","KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1","KUBERNETES_SERVICE_HOST=10.0.0.1","KUBERNETES_SERVICE_PORT=443","KUBERNETES_SERVICE_PORT_HTTPS=443","KUBERNETES_PORT=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP_PROTO=tcp"],"Cwd":"/","Capabilities":{"Bounding":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Effective":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Inheritable":[],"Permitted":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Ambient":[]},"Rlimits":[],"NoNewPrivileges":false,"ApparmorProfile":"cri-containerd.apparmor.d","OOMScoreAdj":1000,"SelinuxLabel":""},"Root":{"Path":"/run/kata-containers/shared/containers/0730592335b050edf5109d389763447a6771aaced62161efe5ce466b278cab87","Readonly":false},"Hostname":"","Mounts":[{"destination":"/proc","source":"proc","type_":"proc","options":["nosuid","noexec","nodev"]},{"des
tination":"/dev","source":"tmpfs","type_":"tmpfs","options":["nosuid","strictatime","mode=755","size=65536k"]},{"destination":"/dev/pts","source":"devpts","type_":"devpts","options":["nosuid","noexec","newinstance","ptmxmode=0666","mode=0620","gid=5"]},{"destination":"/dev/mqueue","source":"mqueue","type_":"mqueue","options":["nosuid","noexec","nodev"]},{"destination":"/sys","source":"sysfs","type_":"sysfs","options":["nosuid","noexec","nodev","ro"]},{"destination":"/sys/fs/cgroup","source":"cgroup","type_":"cgroup","options":["nosuid","noexec","nodev","relatime","ro"]},{"destination":"/cm2","source":"/run/kata-containers/shared/containers/0730592335b050edf5109d389763447a6771aaced62161efe5ce466b278cab87-a09a9af9b15c5fdd-cm2","type_":"bind","options":["rbind","rprivate","ro"]},{"destination":"/cm3","source":"/run/kata-containers/shared/containers/0730592335b050edf5109d389763447a6771aaced62161efe5ce466b278cab87-4ef29a1284058a8c-cm3","type_":"bind","options":["rbind","rprivate","ro"]},{"destination":"/etc/hosts","source":"/run/kata-containers/shared/containers/0730592335b050edf5109d389763447a6771aaced62161efe5ce466b278cab87-3bb8d220ffb1f5e1-hosts","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/dev/termination-log","source":"/run/kata-containers/shared/containers/0730592335b050edf5109d389763447a6771aaced62161efe5ce466b278cab87-ce6c29c68dc0cc49-termination-log","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/etc/hostname","source":"/run/kata-containers/shared/containers/0730592335b050edf5109d389763447a6771aaced62161efe5ce466b278cab87-9be63438a9eb2789-hostname","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/etc/resolv.conf","source":"/run/kata-containers/shared/containers/0730592335b050edf5109d389763447a6771aaced62161efe5ce466b278cab87-8a053bb7df8eff93-resolv.conf","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/dev/shm","source":"/run/kata-containers/sandbox/shm","type_":"bind","options
":["rbind"]},{"destination":"/var/run/secrets/kubernetes.io/serviceaccount","source":"/run/kata-containers/shared/containers/0730592335b050edf5109d389763447a6771aaced62161efe5ce466b278cab87-5ac80405797363af-serviceaccount","type_":"bind","options":["rbind","rprivate","ro"]}],"Hooks":null,"Annotations":{"io.kubernetes.cri.sandbox-name":"cm2","io.kubernetes.cri.sandbox-uid":"e171518a-2666-434f-86bb-1b067839f6e9","io.kubernetes.cri.image-name":"mcr.microsoft.com/aks/e2e/library-busybox:master.220314.1-linux-amd64","io.katacontainers.pkg.oci.container_type":"pod_container","io.katacontainers.pkg.oci.bundle_path":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/0730592335b050edf5109d389763447a6771aaced62161efe5ce466b278cab87","io.kubernetes.cri.sandbox-namespace":"default","io.kubernetes.cri.container-name":"busybox","io.kubernetes.cri.container-type":"container","io.kubernetes.cri.sandbox-id":"faf19d7261fcfb7121018a2abd34cbb58a2037f029d61467d8f32a8279ead55f"},"Linux":{"UIDMappings":[],"GIDMappings":[],"Sysctl":{},"Resources":{"Devices":[],"Memory":{"Limit":0,"Reservation":0,"Swap":0,"Kernel":0,"KernelTCP":0,"Swappiness":0,"DisableOOMKiller":false},"CPU":{"Shares":2,"Quota":0,"Period":100000,"RealtimeRuntime":0,"RealtimePeriod":0,"Cpus":"","Mems":""},"Pids":null,"BlockIO":null,"HugepageLimits":[],"Network":null},"CgroupsPath":"/kubepods/besteffort/pode171518a-2666-434f-86bb-1b067839f6e9/0730592335b050edf5109d389763447a6771aaced62161efe5ce466b278cab87","Namespaces":[{"Type":"ipc","Path":""},{"Type":"uts","Path":""},{"Type":"mount","Path":""}],"Devices":[],"Seccomp":null,"RootfsPropagation":"","MaskedPaths":["/proc/asound","/proc/acpi","/proc/kcore","/proc/keys","/proc/latency_stats","/proc/timer_list","/proc/timer_stats","/proc/sched_debug","/proc/scsi","/sys/firmware"],"ReadonlyPaths":["/proc/bus","/proc/fs","/proc/irq","/proc/sys","/proc/sysrq-trigger"],"MountLabel":"","IntelRdt":null},"Solaris":null,"Windows":null},"sandbox_pidns":true,"shared_mounts":[]}], + 
+["ep":"StartContainerRequest",{"container_id":"0730592335b050edf5109d389763447a6771aaced62161efe5ce466b278cab87"}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/b8e0140601d37a8f5bce5b137d48b96e730c0645e85748fa2f8afcf79fbe37c4-6f93198617aff717-cm2","file_size":0,"file_mode":16895,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/b8e0140601d37a8f5bce5b137d48b96e730c0645e85748fa2f8afcf79fbe37c4-6f93198617aff717-cm2/..2024_05_08_18_01_52.2860902433","file_size":0,"file_mode":16877,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/b8e0140601d37a8f5bce5b137d48b96e730c0645e85748fa2f8afcf79fbe37c4-6f93198617aff717-cm2/..2024_05_08_18_01_52.2860902433/my-keys","file_size":65,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/b8e0140601d37a8f5bce5b137d48b96e730c0645e85748fa2f8afcf79fbe37c4-6f93198617aff717-cm2/..data","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..2024_05_08_18_01_52.2860902433"}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/b8e0140601d37a8f5bce5b137d48b96e730c0645e85748fa2f8afcf79fbe37c4-6f93198617aff717-cm2/my-keys","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..data/my-keys"}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/b8e0140601d37a8f5bce5b137d48b96e730c0645e85748fa2f8afcf79fbe37c4-ec595582efe8286f-cm3","file_size":0,"file_mode":16895,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/b8e0140601d37a8f5bce5b137d48b96e730c0645e85748fa2f8afcf79fbe37c4-ec595582efe8286f-cm3/..2024_05_08_18_01_52.1069278790","file_size":0,"file_mode":16877,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/b8e0140601d37a8f5bce5b137d48b96e730c0645e85748fa2f8afcf79fbe37c4-ec595582efe8286f-cm3/..2024_05_08_18_01_52.1069278790/ro-keys","file_size":11,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/b8e0140601d37a8f5bce5b137d48b96e730c0645e85748fa2f8afcf79fbe37c4-ec595582efe8286f-cm3/..data","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..2024_05_08_18_01_52.1069278790"}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/b8e0140601d37a8f5bce5b137d48b96e730c0645e85748fa2f8afcf79fbe37c4-ec595582efe8286f-cm3/ro-keys","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..data/ro-keys"}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/b8e0140601d37a8f5bce5b137d48b96e730c0645e85748fa2f8afcf79fbe37c4-f749cedf36bddf3c-hosts","file_size":199,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/b8e0140601d37a8f5bce5b137d48b96e730c0645e85748fa2f8afcf79fbe37c4-f0d8a25662250ce8-termination-log","file_size":0,"file_mode":33206,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/b8e0140601d37a8f5bce5b137d48b96e730c0645e85748fa2f8afcf79fbe37c4-249cc2af2c1bfc4b-hostname","file_size":4,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/b8e0140601d37a8f5bce5b137d48b96e730c0645e85748fa2f8afcf79fbe37c4-dc4288323e5a92bc-resolv.conf","file_size":102,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/b8e0140601d37a8f5bce5b137d48b96e730c0645e85748fa2f8afcf79fbe37c4-7ade70f5e8616378-serviceaccount","file_size":0,"file_mode":17407,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/b8e0140601d37a8f5bce5b137d48b96e730c0645e85748fa2f8afcf79fbe37c4-7ade70f5e8616378-serviceaccount/..2024_05_08_18_01_52.3435451574","file_size":0,"file_mode":16877,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/b8e0140601d37a8f5bce5b137d48b96e730c0645e85748fa2f8afcf79fbe37c4-7ade70f5e8616378-serviceaccount/..2024_05_08_18_01_52.3435451574/ca.crt","file_size":1761,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/b8e0140601d37a8f5bce5b137d48b96e730c0645e85748fa2f8afcf79fbe37c4-7ade70f5e8616378-serviceaccount/..2024_05_08_18_01_52.3435451574/namespace","file_size":7,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/b8e0140601d37a8f5bce5b137d48b96e730c0645e85748fa2f8afcf79fbe37c4-7ade70f5e8616378-serviceaccount/..2024_05_08_18_01_52.3435451574/token","file_size":1487,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/b8e0140601d37a8f5bce5b137d48b96e730c0645e85748fa2f8afcf79fbe37c4-7ade70f5e8616378-serviceaccount/..data","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..2024_05_08_18_01_52.3435451574"}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/b8e0140601d37a8f5bce5b137d48b96e730c0645e85748fa2f8afcf79fbe37c4-7ade70f5e8616378-serviceaccount/ca.crt","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..data/ca.crt"}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/b8e0140601d37a8f5bce5b137d48b96e730c0645e85748fa2f8afcf79fbe37c4-7ade70f5e8616378-serviceaccount/namespace","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..data/namespace"}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/b8e0140601d37a8f5bce5b137d48b96e730c0645e85748fa2f8afcf79fbe37c4-7ade70f5e8616378-serviceaccount/token","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..data/token"}],
+
+["ep":"CreateContainerRequest",{"container_id":"b8e0140601d37a8f5bce5b137d48b96e730c0645e85748fa2f8afcf79fbe37c4","exec_id":"b8e0140601d37a8f5bce5b137d48b96e730c0645e85748fa2f8afcf79fbe37c4","string_user":null,"devices":[],"storages":[{"driver":"blk","driver_options":[],"source":"0001:00:02.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=8568c70c0ccfe0051092e818da769111a59882cd19dd799d3bca5ffa82791080"],"mount_point":"/run/kata-containers/sandbox/layers/2c342a137e693c7898aec36da1047f191dc7c1687e66198adacc439cf4adf379","fs_group":null},{"driver":"blk","driver_options":[],"source":"0001:00:03.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=b643b6217748983830b26ac14a35a3322dd528c00963eaadd91ef55f513dc73f"],"mount_point":"/run/kata-containers/sandbox/layers/2570e3a19e1bf20ddda45498a9627f61555d2d6c01479b9b76460b679b27d552","fs_group":null},{"driver":"overlayfs","driver_options":[],"source":"none","fstype":"fuse3.kata-overlay","options":["io.katacontainers.fs-opt.layer-src-prefix=/var/lib/containerd/io.containerd.snapshotter.v1.tardev/layers","io.katacontainers.fs-opt.layer=MmMzNDJhMTM3ZTY5M2M3ODk4YWVjMzZkYTEwNDdmMTkxZGM3YzE2ODdlNjYxOThhZGFjYzQzOWNmNGFkZjM3OSx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPTg1NjhjNzBjMGNjZmUwMDUxMDkyZTgxOGRhNzY5MTExYTU5ODgyY2QxOWRkNzk5ZDNiY2E1ZmZhODI3OTEwODA=","io.katacontainers.fs-opt.layer=MjU3MGUzYTE5ZTFiZjIwZGRkYTQ1NDk4YTk2MjdmNjE1NTVkMmQ2YzAxNDc5YjliNzY0NjBiNjc5YjI3ZDU1Mix0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPWI2NDNiNjIxNzc0ODk4MzgzMGIyNmFjMTRhMzVhMzMyMmRkNTI4YzAwOTYzZWFhZGQ5MWVmNTVmNTEzZGM3M2Y=","io.kata
containers.fs-opt.overlay-rw","lowerdir=2c342a137e693c7898aec36da1047f191dc7c1687e66198adacc439cf4adf379:2570e3a19e1bf20ddda45498a9627f61555d2d6c01479b9b76460b679b27d552"],"mount_point":"/run/kata-containers/shared/containers/b8e0140601d37a8f5bce5b137d48b96e730c0645e85748fa2f8afcf79fbe37c4","fs_group":null}],"OCI":{"Version":"1.1.0-rc.1","Process":{"Terminal":false,"ConsoleSize":null,"User":{"UID":321,"GID":0,"AdditionalGids":[0],"Username":""},"Args":["/bin/sh","-c","while true; do echo hello; sleep 10; done"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","HOSTNAME=cm2","KUBERNETES_PORT=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP_PROTO=tcp","KUBERNETES_PORT_443_TCP_PORT=443","KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1","KUBERNETES_SERVICE_HOST=10.0.0.1","KUBERNETES_SERVICE_PORT=443","KUBERNETES_SERVICE_PORT_HTTPS=443"],"Cwd":"/","Capabilities":{"Bounding":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Effective":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Inheritable":[],"Permitted":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Ambient":[]},"Rlimits":[],"NoNewPrivileges":false,"ApparmorProfile":"cri-containerd.apparmor.d","OOMScoreAdj":1000,"SelinuxLabel":""},"Root":{"Path":"/run/kata-containers/shared/containers/b8e0140601d37a8f5bce5b137d48b96e730c0645e85748fa2f8afcf79fbe37c4","Readonly":false},"Hostname":"","Mounts":[{"destination":"/proc","source":"proc","type_":"proc","options":["nosuid","noexec","nodev"]},{"des
tination":"/dev","source":"tmpfs","type_":"tmpfs","options":["nosuid","strictatime","mode=755","size=65536k"]},{"destination":"/dev/pts","source":"devpts","type_":"devpts","options":["nosuid","noexec","newinstance","ptmxmode=0666","mode=0620","gid=5"]},{"destination":"/dev/mqueue","source":"mqueue","type_":"mqueue","options":["nosuid","noexec","nodev"]},{"destination":"/sys","source":"sysfs","type_":"sysfs","options":["nosuid","noexec","nodev","ro"]},{"destination":"/sys/fs/cgroup","source":"cgroup","type_":"cgroup","options":["nosuid","noexec","nodev","relatime","ro"]},{"destination":"/cm2","source":"/run/kata-containers/shared/containers/b8e0140601d37a8f5bce5b137d48b96e730c0645e85748fa2f8afcf79fbe37c4-6f93198617aff717-cm2","type_":"bind","options":["rbind","rprivate","ro"]},{"destination":"/cm3","source":"/run/kata-containers/shared/containers/b8e0140601d37a8f5bce5b137d48b96e730c0645e85748fa2f8afcf79fbe37c4-ec595582efe8286f-cm3","type_":"bind","options":["rbind","rprivate","ro"]},{"destination":"/etc/hosts","source":"/run/kata-containers/shared/containers/b8e0140601d37a8f5bce5b137d48b96e730c0645e85748fa2f8afcf79fbe37c4-f749cedf36bddf3c-hosts","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/dev/termination-log","source":"/run/kata-containers/shared/containers/b8e0140601d37a8f5bce5b137d48b96e730c0645e85748fa2f8afcf79fbe37c4-f0d8a25662250ce8-termination-log","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/etc/hostname","source":"/run/kata-containers/shared/containers/b8e0140601d37a8f5bce5b137d48b96e730c0645e85748fa2f8afcf79fbe37c4-249cc2af2c1bfc4b-hostname","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/etc/resolv.conf","source":"/run/kata-containers/shared/containers/b8e0140601d37a8f5bce5b137d48b96e730c0645e85748fa2f8afcf79fbe37c4-dc4288323e5a92bc-resolv.conf","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/dev/shm","source":"/run/kata-containers/sandbox/shm","type_":"bind","options
":["rbind"]},{"destination":"/var/run/secrets/kubernetes.io/serviceaccount","source":"/run/kata-containers/shared/containers/b8e0140601d37a8f5bce5b137d48b96e730c0645e85748fa2f8afcf79fbe37c4-7ade70f5e8616378-serviceaccount","type_":"bind","options":["rbind","rprivate","ro"]}],"Hooks":null,"Annotations":{"io.kubernetes.cri.sandbox-namespace":"default","io.kubernetes.cri.sandbox-id":"faf19d7261fcfb7121018a2abd34cbb58a2037f029d61467d8f32a8279ead55f","io.kubernetes.cri.sandbox-uid":"e171518a-2666-434f-86bb-1b067839f6e9","io.katacontainers.pkg.oci.container_type":"pod_container","io.kubernetes.cri.container-name":"busybox2","io.kubernetes.cri.container-type":"container","io.katacontainers.pkg.oci.bundle_path":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/b8e0140601d37a8f5bce5b137d48b96e730c0645e85748fa2f8afcf79fbe37c4","io.kubernetes.cri.sandbox-name":"cm2","io.kubernetes.cri.image-name":"mcr.microsoft.com/aks/e2e/library-busybox:master.220314.1-linux-amd64"},"Linux":{"UIDMappings":[],"GIDMappings":[],"Sysctl":{},"Resources":{"Devices":[],"Memory":{"Limit":0,"Reservation":0,"Swap":0,"Kernel":0,"KernelTCP":0,"Swappiness":0,"DisableOOMKiller":false},"CPU":{"Shares":2,"Quota":0,"Period":100000,"RealtimeRuntime":0,"RealtimePeriod":0,"Cpus":"","Mems":""},"Pids":null,"BlockIO":null,"HugepageLimits":[],"Network":null},"CgroupsPath":"/kubepods/besteffort/pode171518a-2666-434f-86bb-1b067839f6e9/b8e0140601d37a8f5bce5b137d48b96e730c0645e85748fa2f8afcf79fbe37c4","Namespaces":[{"Type":"ipc","Path":""},{"Type":"uts","Path":""},{"Type":"mount","Path":""}],"Devices":[],"Seccomp":null,"RootfsPropagation":"","MaskedPaths":["/proc/asound","/proc/acpi","/proc/kcore","/proc/keys","/proc/latency_stats","/proc/timer_list","/proc/timer_stats","/proc/sched_debug","/proc/scsi","/sys/firmware"],"ReadonlyPaths":["/proc/bus","/proc/fs","/proc/irq","/proc/sys","/proc/sysrq-trigger"],"MountLabel":"","IntelRdt":null},"Solaris":null,"Windows":null},"sandbox_pidns":true,"shared_mounts":[]}], + 
+["ep":"StartContainerRequest",{"container_id":"b8e0140601d37a8f5bce5b137d48b96e730c0645e85748fa2f8afcf79fbe37c4"}],
\ No newline at end of file
diff --git a/tests/kata/data/pod-cm2/outputs.json b/tests/kata/data/pod-cm2/outputs.json
new file mode 100644
index 00000000..9ca07a04
--- /dev/null
+++ b/tests/kata/data/pod-cm2/outputs.json
@@ -0,0 +1,62 @@
+[
+ false,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true
+]
\ No newline at end of file
diff --git a/tests/kata/data/pod-cm2/policy.rego b/tests/kata/data/pod-cm2/policy.rego
new file mode 100644
index 00000000..ff3183f0
--- /dev/null
+++ b/tests/kata/data/pod-cm2/policy.rego
@@ -0,0 +1,2114 @@
+# Copyright (c) 2023 Microsoft Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+package agent_policy
+
+import future.keywords.in
+import future.keywords.every
+
+# Default values, returned by OPA when rules cannot be evaluated to true.
+default AddARPNeighborsRequest := false
+default AddSwapRequest := false
+default CloseStdinRequest := false
+default CopyFileRequest := false
+default CreateContainerRequest := false
+default CreateSandboxRequest := false
+default DestroySandboxRequest := true
+default ExecProcessRequest := false
+default GetOOMEventRequest := true
+default GuestDetailsRequest := true
+default ListInterfacesRequest := false
+default ListRoutesRequest := false
+default MemHotplugByProbeRequest := false
+default OnlineCPUMemRequest := true
+default PauseContainerRequest := false
+default ReadStreamRequest := false
+default RemoveContainerRequest := true
+default RemoveStaleVirtiofsShareMountsRequest := true
+default ReseedRandomDevRequest := false
+default ResumeContainerRequest := false
+default SetGuestDateTimeRequest := false
+default SetPolicyRequest := false
+default SignalProcessRequest := true
+default StartContainerRequest := true
+default StartTracingRequest := false
+default StatsContainerRequest := true
+default StopTracingRequest := false
+default TtyWinResizeRequest := true
+default UpdateContainerRequest := false
+default UpdateEphemeralMountsRequest := false
+default UpdateInterfaceRequest := true
+default UpdateRoutesRequest := true
+default WaitProcessRequest := true
+default WriteStreamRequest := false
+
+# AllowRequestsFailingPolicy := true configures the Agent to *allow any
+# requests causing a policy failure*. This is an unsecure configuration
+# but is useful for allowing unsecure pods to start, then connect to
+# them and inspect OPA logs for the root cause of a failure.
+default AllowRequestsFailingPolicy := false
+
+CreateContainerRequest {
+ i_oci := input.OCI
+ i_storages := input.storages
+
+ print("CreateContainerRequest: i_oci.Hooks =", i_oci.Hooks)
+ is_null(i_oci.Hooks)
+
+ print("CreateContainerRequest: i_oci.Linux.Seccomp =", i_oci.Linux.Seccomp)
+ is_null(i_oci.Linux.Seccomp)
+
+ some p_container in policy_data.containers
+ print("======== CreateContainerRequest: trying next policy container")
+
+ p_pidns := p_container.sandbox_pidns
+ i_pidns := input.sandbox_pidns
+ print("CreateContainerRequest: p_pidns =", p_pidns, "i_pidns =", i_pidns)
+ p_pidns == i_pidns
+
+ p_oci := p_container.OCI
+
+ print("CreateContainerRequest: p Version =", p_oci.Version, "i Version =", i_oci.Version)
+ p_oci.Version == i_oci.Version
+
+ print("CreateContainerRequest: p Readonly =", p_oci.Root.Readonly, "i Readonly =", i_oci.Root.Readonly)
+ p_oci.Root.Readonly == i_oci.Root.Readonly
+
+ allow_anno(p_oci, i_oci)
+
+ p_storages := p_container.storages
+ allow_by_anno(p_oci, i_oci, p_storages, i_storages)
+
+ allow_linux(p_oci, i_oci)
+
+ print("CreateContainerRequest: true")
+}
+
+# Reject unexpected annotations.
+allow_anno(p_oci, i_oci) {
+ print("allow_anno 1: start")
+
+ not i_oci.Annotations
+
+ print("allow_anno 1: true")
+}
+allow_anno(p_oci, i_oci) {
+ print("allow_anno 2: p Annotations =", p_oci.Annotations)
+ print("allow_anno 2: i Annotations =", i_oci.Annotations)
+
+ i_keys := object.keys(i_oci.Annotations)
+ print("allow_anno 2: i keys =", i_keys)
+
+ every i_key in i_keys {
+ allow_anno_key(i_key, p_oci)
+ }
+
+ print("allow_anno 2: true")
+}
+
+allow_anno_key(i_key, p_oci) {
+ print("allow_anno_key 1: i key =", i_key)
+
+ startswith(i_key, "io.kubernetes.cri.")
+
+ print("allow_anno_key 1: true")
+}
+allow_anno_key(i_key, p_oci) {
+ print("allow_anno_key 2: i key =", i_key)
+
+ some p_key, _ in p_oci.Annotations
+ p_key == i_key
+
+ print("allow_anno_key 2: true")
+}
+
+# Get the value of the "io.kubernetes.cri.sandbox-name" annotation and
+# correlate it with other annotations and process fields.
+allow_by_anno(p_oci, i_oci, p_storages, i_storages) {
+ print("allow_by_anno 1: start")
+
+ s_name := "io.kubernetes.cri.sandbox-name"
+
+ not p_oci.Annotations[s_name]
+
+ i_s_name := i_oci.Annotations[s_name]
+ print("allow_by_anno 1: i_s_name =", i_s_name)
+
+ allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, i_s_name)
+
+ print("allow_by_anno 1: true")
+}
+allow_by_anno(p_oci, i_oci, p_storages, i_storages) {
+ print("allow_by_anno 2: start")
+
+ s_name := "io.kubernetes.cri.sandbox-name"
+
+ p_s_name := p_oci.Annotations[s_name]
+ i_s_name := i_oci.Annotations[s_name]
+ print("allow_by_anno 2: i_s_name =", i_s_name, "p_s_name =", p_s_name)
+
+ allow_sandbox_name(p_s_name, i_s_name)
+ allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, i_s_name)
+
+ print("allow_by_anno 2: true")
+}
+
+allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, s_name) {
+ print("allow_by_sandbox_name: start")
+
+ s_namespace := "io.kubernetes.cri.sandbox-namespace"
+
+ p_namespace := p_oci.Annotations[s_namespace]
+ i_namespace := 
i_oci.Annotations[s_namespace]
+ print("allow_by_sandbox_name: p_namespace =", p_namespace, "i_namespace =", i_namespace)
+ p_namespace == i_namespace
+
+ allow_by_container_types(p_oci, i_oci, s_name, p_namespace)
+ allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages)
+ allow_process(p_oci, i_oci, s_name)
+
+ print("allow_by_sandbox_name: true")
+}
+
+allow_sandbox_name(p_s_name, i_s_name) {
+ print("allow_sandbox_name 1: start")
+
+ p_s_name == i_s_name
+
+ print("allow_sandbox_name 1: true")
+}
+allow_sandbox_name(p_s_name, i_s_name) {
+ print("allow_sandbox_name 2: start")
+
+ # TODO: should generated names be handled differently?
+ contains(p_s_name, "$(generated-name)")
+
+ print("allow_sandbox_name 2: true")
+}
+
+# Check that the "io.kubernetes.cri.container-type" and
+# "io.katacontainers.pkg.oci.container_type" annotations designate the
+# expected type - either a "sandbox" or a "container". Then, validate
+# other annotations based on the actual "sandbox" or "container" value
+# from the input container.
+allow_by_container_types(p_oci, i_oci, s_name, s_namespace) {
+ print("allow_by_container_types: checking io.kubernetes.cri.container-type")
+
+ c_type := "io.kubernetes.cri.container-type"
+
+ p_cri_type := p_oci.Annotations[c_type]
+ i_cri_type := i_oci.Annotations[c_type]
+ print("allow_by_container_types: p_cri_type =", p_cri_type, "i_cri_type =", i_cri_type)
+ p_cri_type == i_cri_type
+
+ allow_by_container_type(i_cri_type, p_oci, i_oci, s_name, s_namespace)
+
+ print("allow_by_container_types: true")
+}
+
+allow_by_container_type(i_cri_type, p_oci, i_oci, s_name, s_namespace) {
+ print("allow_by_container_type 1: i_cri_type =", i_cri_type)
+ i_cri_type == "sandbox"
+
+ i_kata_type := i_oci.Annotations["io.katacontainers.pkg.oci.container_type"]
+ print("allow_by_container_type 1: i_kata_type =", i_kata_type)
+ i_kata_type == "pod_sandbox"
+
+ allow_sandbox_container_name(p_oci, i_oci)
+ allow_sandbox_net_namespace(p_oci, i_oci)
+ allow_sandbox_log_directory(p_oci, i_oci, s_name, s_namespace)
+
+ print("allow_by_container_type 1: true")
+}
+
+allow_by_container_type(i_cri_type, p_oci, i_oci, s_name, s_namespace) {
+ print("allow_by_container_type 2: i_cri_type =", i_cri_type)
+ i_cri_type == "container"
+
+ i_kata_type := i_oci.Annotations["io.katacontainers.pkg.oci.container_type"]
+ print("allow_by_container_type 2: i_kata_type =", i_kata_type)
+ i_kata_type == "pod_container"
+
+ allow_container_name(p_oci, i_oci)
+ allow_net_namespace(p_oci, i_oci)
+ allow_log_directory(p_oci, i_oci)
+
+ print("allow_by_container_type 2: true")
+}
+
+# "io.kubernetes.cri.container-name" annotation
+allow_sandbox_container_name(p_oci, i_oci) {
+ print("allow_sandbox_container_name: start")
+
+ container_annotation_missing(p_oci, i_oci, "io.kubernetes.cri.container-name")
+
+ print("allow_sandbox_container_name: true")
+}
+
+allow_container_name(p_oci, i_oci) {
+ print("allow_container_name: start")
+
+ allow_container_annotation(p_oci, i_oci, 
"io.kubernetes.cri.container-name")
+
+ print("allow_container_name: true")
+}
+
+container_annotation_missing(p_oci, i_oci, key) {
+ print("container_annotation_missing:", key)
+
+ not p_oci.Annotations[key]
+ not i_oci.Annotations[key]
+
+ print("container_annotation_missing: true")
+}
+
+allow_container_annotation(p_oci, i_oci, key) {
+ print("allow_container_annotation: key =", key)
+
+ p_value := p_oci.Annotations[key]
+ i_value := i_oci.Annotations[key]
+ print("allow_container_annotation: p_value =", p_value, "i_value =", i_value)
+
+ p_value == i_value
+
+ print("allow_container_annotation: true")
+}
+
+# "nerdctl/network-namespace" annotation
+allow_sandbox_net_namespace(p_oci, i_oci) {
+ print("allow_sandbox_net_namespace: start")
+
+ key := "nerdctl/network-namespace"
+
+ p_namespace := p_oci.Annotations[key]
+ i_namespace := i_oci.Annotations[key]
+ print("allow_sandbox_net_namespace: p_namespace =", p_namespace, "i_namespace =", i_namespace)
+
+ regex.match(p_namespace, i_namespace)
+
+ print("allow_sandbox_net_namespace: true")
+}
+
+allow_net_namespace(p_oci, i_oci) {
+ print("allow_net_namespace: start")
+
+ key := "nerdctl/network-namespace"
+
+ not p_oci.Annotations[key]
+ not i_oci.Annotations[key]
+
+ print("allow_net_namespace: true")
+}
+
+# "io.kubernetes.cri.sandbox-log-directory" annotation
+allow_sandbox_log_directory(p_oci, i_oci, s_name, s_namespace) {
+ print("allow_sandbox_log_directory: start")
+
+ key := "io.kubernetes.cri.sandbox-log-directory"
+
+ p_dir := p_oci.Annotations[key]
+ regex1 := replace(p_dir, "$(sandbox-name)", s_name)
+ regex2 := replace(regex1, "$(sandbox-namespace)", s_namespace)
+ print("allow_sandbox_log_directory: regex2 =", regex2)
+
+ i_dir := i_oci.Annotations[key]
+ print("allow_sandbox_log_directory: i_dir =", i_dir)
+
+ regex.match(regex2, i_dir)
+
+ print("allow_sandbox_log_directory: true")
+}
+
+allow_log_directory(p_oci, i_oci) {
+ print("allow_log_directory: start")
+
+ key := 
"io.kubernetes.cri.sandbox-log-directory"
+
+ not p_oci.Annotations[key]
+ not i_oci.Annotations[key]
+
+ print("allow_log_directory: true")
+}
+
+allow_linux(p_oci, i_oci) {
+ p_namespaces := p_oci.Linux.Namespaces
+ print("allow_linux: p namespaces =", p_namespaces)
+
+ i_namespaces := i_oci.Linux.Namespaces
+ print("allow_linux: i namespaces =", i_namespaces)
+
+ p_namespaces == i_namespaces
+
+ allow_masked_paths(p_oci, i_oci)
+ allow_readonly_paths(p_oci, i_oci)
+
+ print("allow_linux: true")
+}
+
+allow_masked_paths(p_oci, i_oci) {
+ p_paths := p_oci.Linux.MaskedPaths
+ print("allow_masked_paths 1: p_paths =", p_paths)
+
+ i_paths := i_oci.Linux.MaskedPaths
+ print("allow_masked_paths 1: i_paths =", i_paths)
+
+ allow_masked_paths_array(p_paths, i_paths)
+
+ print("allow_masked_paths 1: true")
+}
+allow_masked_paths(p_oci, i_oci) {
+ print("allow_masked_paths 2: start")
+
+ not p_oci.Linux.MaskedPaths
+ not i_oci.Linux.MaskedPaths
+
+ print("allow_masked_paths 2: true")
+}
+
+# All the policy masked paths must be masked in the input data too.
+# Input is allowed to have more masked paths than the policy.
+allow_masked_paths_array(p_array, i_array) {
+ every p_elem in p_array {
+ allow_masked_path(p_elem, i_array)
+ }
+}
+
+allow_masked_path(p_elem, i_array) {
+ print("allow_masked_path: p_elem =", p_elem)
+
+ some i_elem in i_array
+ p_elem == i_elem
+
+ print("allow_masked_path: true")
+}
+
+allow_readonly_paths(p_oci, i_oci) {
+ p_paths := p_oci.Linux.ReadonlyPaths
+ print("allow_readonly_paths 1: p_paths =", p_paths)
+
+ i_paths := i_oci.Linux.ReadonlyPaths
+ print("allow_readonly_paths 1: i_paths =", i_paths)
+
+ allow_readonly_paths_array(p_paths, i_paths, i_oci.Linux.MaskedPaths)
+
+ print("allow_readonly_paths 1: true")
+}
+allow_readonly_paths(p_oci, i_oci) {
+ print("allow_readonly_paths 2: start")
+
+ not p_oci.Linux.ReadonlyPaths
+ not i_oci.Linux.ReadonlyPaths
+
+ print("allow_readonly_paths 2: true")
+}
+
+# All the policy readonly paths must be either:
+# - Present in the input readonly paths, or
+# - Present in the input masked paths.
+# Input is allowed to have more readonly paths than the policy.
+allow_readonly_paths_array(p_array, i_array, masked_paths) {
+ every p_elem in p_array {
+ allow_readonly_path(p_elem, i_array, masked_paths)
+ }
+}
+
+allow_readonly_path(p_elem, i_array, masked_paths) {
+ print("allow_readonly_path 1: p_elem =", p_elem)
+
+ some i_elem in i_array
+ p_elem == i_elem
+
+ print("allow_readonly_path 1: true")
+}
+allow_readonly_path(p_elem, i_array, masked_paths) {
+ print("allow_readonly_path 2: p_elem =", p_elem)
+
+ some i_masked in masked_paths
+ p_elem == i_masked
+
+ print("allow_readonly_path 2: true")
+}
+
+# Check the consistency of the input "io.katacontainers.pkg.oci.bundle_path"
+# and io.kubernetes.cri.sandbox-id" values with other fields.
+allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) {
+ print("allow_by_bundle_or_sandbox_id: start")
+
+ bundle_path := i_oci.Annotations["io.katacontainers.pkg.oci.bundle_path"]
+ bundle_id := replace(bundle_path, "/run/containerd/io.containerd.runtime.v2.task/k8s.io/", "")
+
+ key := "io.kubernetes.cri.sandbox-id"
+
+ p_regex := p_oci.Annotations[key]
+ sandbox_id := i_oci.Annotations[key]
+
+ print("allow_by_bundle_or_sandbox_id: sandbox_id =", sandbox_id, "regex =", p_regex)
+ regex.match(p_regex, sandbox_id)
+
+ allow_root_path(p_oci, i_oci, bundle_id)
+
+ every i_mount in input.OCI.Mounts {
+ allow_mount(p_oci, i_mount, bundle_id, sandbox_id)
+ }
+
+ allow_storages(p_storages, i_storages, bundle_id, sandbox_id)
+
+ print("allow_by_bundle_or_sandbox_id: true")
+}
+
+allow_process(p_oci, i_oci, s_name) {
+ p_process := p_oci.Process
+ i_process := i_oci.Process
+
+ print("allow_process: i terminal =", i_process.Terminal, "p terminal =", p_process.Terminal)
+ p_process.Terminal == i_process.Terminal
+
+ print("allow_process: i cwd =", i_process.Cwd, "i cwd =", p_process.Cwd)
+ p_process.Cwd == i_process.Cwd
+
+ print("allow_process: i noNewPrivileges =", i_process.NoNewPrivileges, "p noNewPrivileges =", p_process.NoNewPrivileges)
+ p_process.NoNewPrivileges == i_process.NoNewPrivileges
+
+ allow_caps(p_process.Capabilities, i_process.Capabilities)
+ allow_user(p_process, i_process)
+ allow_args(p_process, i_process, s_name)
+ allow_env(p_process, i_process, s_name)
+
+ print("allow_process: true")
+}
+
+allow_user(p_process, i_process) {
+ p_user := p_process.User
+ i_user := i_process.User
+
+ print("allow_user: input uid =", i_user.UID, "policy uid =", p_user.UID)
+ p_user.UID == i_user.UID
+
+ # TODO: track down the reason for registry.k8s.io/pause:3.9 being
+ # executed with gid = 0 despite having "65535:65535" in its container image
+ # config.
+ #print("allow_user: input gid =", i_user.GID, "policy gid =", p_user.GID)
+ #p_user.GID == i_user.GID
+
+ # TODO: compare the additionalGids field too after computing its value
+ # based on /etc/passwd and /etc/group from the container image.
+}
+
+allow_args(p_process, i_process, s_name) {
+ print("allow_args 1: no args")
+
+ not p_process.Args
+ not i_process.Args
+
+ print("allow_args 1: true")
+}
+allow_args(p_process, i_process, s_name) {
+ print("allow_args 2: policy args =", p_process.Args)
+ print("allow_args 2: input args =", i_process.Args)
+
+ count(p_process.Args) == count(i_process.Args)
+
+ every i, i_arg in i_process.Args {
+ allow_arg(i, i_arg, p_process, s_name)
+ }
+
+ print("allow_args 2: true")
+}
+allow_arg(i, i_arg, p_process, s_name) {
+ p_arg := p_process.Args[i]
+ print("allow_arg 1: i =", i, "i_arg =", i_arg, "p_arg =", p_arg)
+
+ p_arg2 := replace(p_arg, "$$", "$")
+ p_arg2 == i_arg
+
+ print("allow_arg 1: true")
+}
+allow_arg(i, i_arg, p_process, s_name) {
+ p_arg := p_process.Args[i]
+ print("allow_arg 2: i =", i, "i_arg =", i_arg, "p_arg =", p_arg)
+
+ # TODO: can $(node-name) be handled better?
+ contains(p_arg, "$(node-name)")
+
+ print("allow_arg 2: true")
+}
+allow_arg(i, i_arg, p_process, s_name) {
+ p_arg := p_process.Args[i]
+ print("allow_arg 3: i =", i, "i_arg =", i_arg, "p_arg =", p_arg)
+
+ p_arg2 := replace(p_arg, "$$", "$")
+ p_arg3 := replace(p_arg2, "$(sandbox-name)", s_name)
+ print("allow_arg 3: p_arg3 =", p_arg3)
+ p_arg3 == i_arg
+
+ print("allow_arg 3: true")
+}
+
+# OCI process.Env field
+allow_env(p_process, i_process, s_name) {
+ print("allow_env: p env =", p_process.Env)
+ print("allow_env: i env =", i_process.Env)
+
+ every i_var in i_process.Env {
+ print("allow_env: i_var =", i_var)
+ allow_var(p_process, i_process, i_var, s_name)
+ }
+
+ print("allow_env: true")
+}
+
+# Allow input env variables that are present in the policy data too.
+allow_var(p_process, i_process, i_var, s_name) {
+ some p_var in p_process.Env
+ p_var == i_var
+ print("allow_var 1: true")
+}
+
+# Match input with one of the policy variables, after substituting $(sandbox-name).
+allow_var(p_process, i_process, i_var, s_name) {
+ some p_var in p_process.Env
+ p_var2 := replace(p_var, "$(sandbox-name)", s_name)
+
+ print("allow_var 2: p_var2 =", p_var2)
+ p_var2 == i_var
+
+ print("allow_var 2: true")
+}
+
+# Allow input env variables that match with a request_defaults regex.
+allow_var(p_process, i_process, i_var, s_name) {
+ some p_regex1 in policy_data.request_defaults.CreateContainerRequest.allow_env_regex
+ p_regex2 := replace(p_regex1, "$(ipv4_a)", policy_data.common.ipv4_a)
+ p_regex3 := replace(p_regex2, "$(ip_p)", policy_data.common.ip_p)
+ p_regex4 := replace(p_regex3, "$(svc_name)", policy_data.common.svc_name)
+ p_regex5 := replace(p_regex4, "$(dns_label)", policy_data.common.dns_label)
+
+ print("allow_var 3: p_regex5 =", p_regex5)
+ regex.match(p_regex5, i_var)
+
+ print("allow_var 3: true")
+}
+
+# Allow fieldRef "fieldPath: status.podIP" values.
+allow_var(p_process, i_process, i_var, s_name) {
+ name_value := split(i_var, "=")
+ count(name_value) == 2
+ is_ip(name_value[1])
+
+ some p_var in p_process.Env
+ allow_pod_ip_var(name_value[0], p_var)
+
+ print("allow_var 4: true")
+}
+
+# Allow common fieldRef variables.
+allow_var(p_process, i_process, i_var, s_name) {
+ name_value := split(i_var, "=")
+ count(name_value) == 2
+
+ some p_var in p_process.Env
+ p_name_value := split(p_var, "=")
+ count(p_name_value) == 2
+
+ p_name_value[0] == name_value[0]
+
+ # TODO: should these be handled in a different way?
+ always_allowed := ["$(host-name)", "$(node-name)", "$(pod-uid)"]
+ some allowed in always_allowed
+ contains(p_name_value[1], allowed)
+
+ print("allow_var 5: true")
+}
+
+# Allow fieldRef "fieldPath: status.hostIP" values.
+allow_var(p_process, i_process, i_var, s_name) {
+ name_value := split(i_var, "=")
+ count(name_value) == 2
+ is_ip(name_value[1])
+
+ some p_var in p_process.Env
+ allow_host_ip_var(name_value[0], p_var)
+
+ print("allow_var 6: true")
+}
+
+# Allow resourceFieldRef values (e.g., "limits.cpu").
+allow_var(p_process, i_process, i_var, s_name) {
+ name_value := split(i_var, "=")
+ count(name_value) == 2
+
+ some p_var in p_process.Env
+ p_name_value := split(p_var, "=")
+ count(p_name_value) == 2
+
+ p_name_value[0] == name_value[0]
+
+ # TODO: should these be handled in a different way?
+ always_allowed = ["$(resource-field)", "$(todo-annotation)"]
+ some allowed in always_allowed
+ contains(p_name_value[1], allowed)
+
+ print("allow_var 7: true")
+}
+
+allow_pod_ip_var(var_name, p_var) {
+ print("allow_pod_ip_var: var_name =", var_name, "p_var =", p_var)
+
+ p_name_value := split(p_var, "=")
+ count(p_name_value) == 2
+
+ p_name_value[0] == var_name
+ p_name_value[1] == "$(pod-ip)"
+
+ print("allow_pod_ip_var: true")
+}
+
+allow_host_ip_var(var_name, p_var) {
+ print("allow_host_ip_var: var_name =", var_name, "p_var =", p_var)
+
+ p_name_value := split(p_var, "=")
+ count(p_name_value) == 2
+
+ p_name_value[0] == var_name
+ p_name_value[1] == "$(host-ip)"
+
+ print("allow_host_ip_var: true")
+}
+
+is_ip(value) {
+ bytes = split(value, ".")
+ count(bytes) == 4
+
+ is_ip_first_byte(bytes[0])
+ is_ip_other_byte(bytes[1])
+ is_ip_other_byte(bytes[2])
+ is_ip_other_byte(bytes[3])
+}
+is_ip_first_byte(component) {
+ number = to_number(component)
+ number >= 1
+ number <= 255
+}
+is_ip_other_byte(component) {
+ number = to_number(component)
+ number >= 0
+ number <= 255
+}
+
+# OCI root.Path
+allow_root_path(p_oci, i_oci, bundle_id) {
+ i_path := i_oci.Root.Path
+ p_path1 := p_oci.Root.Path
+ print("allow_root_path: i_path =", i_path, "p_path1 =", p_path1)
+
+ p_path2 := replace(p_path1, "$(cpath)", policy_data.common.cpath)
+ print("allow_root_path: p_path2 =", p_path2)
+
+ p_path3 := replace(p_path2, "$(bundle-id)", bundle_id)
+ print("allow_root_path: p_path3 =", p_path3)
+
+ p_path3 == i_path
+
+ print("allow_root_path: true")
+}
+
+# device mounts
+allow_mount(p_oci, i_mount, bundle_id, sandbox_id) {
+ print("allow_mount: i_mount =", i_mount)
+
+ some p_mount in p_oci.Mounts
+ print("allow_mount: p_mount =", p_mount)
+ check_mount(p_mount, i_mount, bundle_id, sandbox_id)
+
+ # TODO: are there any other required policy checks for mounts - e.g.,
+ # multiple mounts with same source or destination?
+
+ print("allow_mount: true")
+}
+
+check_mount(p_mount, i_mount, bundle_id, sandbox_id) {
+ p_mount == i_mount
+ print("check_mount 1: true")
+}
+check_mount(p_mount, i_mount, bundle_id, sandbox_id) {
+ p_mount.destination == i_mount.destination
+ p_mount.type_ == i_mount.type_
+ p_mount.options == i_mount.options
+
+ mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id)
+
+ print("check_mount 2: true")
+}
+
+mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) {
+ regex1 := p_mount.source
+ regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix)
+ regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath)
+ regex4 := replace(regex3, "$(bundle-id)", bundle_id)
+
+ print("mount_source_allows 1: regex4 =", regex4)
+ regex.match(regex4, i_mount.source)
+
+ print("mount_source_allows 1: true")
+}
+mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) {
+ regex1 := p_mount.source
+ regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix)
+ regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath)
+ regex4 := replace(regex3, "$(sandbox-id)", sandbox_id)
+
+ print("mount_source_allows 2: regex4 =", regex4)
+ regex.match(regex4, i_mount.source)
+
+ print("mount_source_allows 2: true")
+}
+mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) {
+ print("mount_source_allows 3: i_mount.source=", i_mount.source)
+
+ i_source_parts = split(i_mount.source, "/")
+ 
b64_direct_vol_path = i_source_parts[count(i_source_parts) - 1]
+
+ base64.is_valid(b64_direct_vol_path)
+
+ source1 := p_mount.source
+ print("mount_source_allows 3: source1 =", source1)
+
+ source2 := replace(source1, "$(spath)", policy_data.common.spath)
+ print("mount_source_allows 3: source2 =", source2)
+
+ source3 := replace(source2, "$(b64-direct-vol-path)", b64_direct_vol_path)
+ print("mount_source_allows 3: source3 =", source3)
+
+ source3 == i_mount.source
+
+ print("mount_source_allows 3: true")
+}
+
+######################################################################
+# Create container Storages
+
+allow_storages(p_storages, i_storages, bundle_id, sandbox_id) {
+ p_count := count(p_storages)
+ i_count := count(i_storages)
+ print("allow_storages: p_count =", p_count, "i_count =", i_count)
+
+ p_count == i_count
+
+ # Get the container image layer IDs and verity root hashes, from the "overlayfs" storage.
+ some overlay_storage in p_storages
+ overlay_storage.driver == "overlayfs"
+ print("allow_storages: overlay_storage =", overlay_storage)
+ count(overlay_storage.options) == 2
+
+ layer_ids := split(overlay_storage.options[0], ":")
+ print("allow_storages: layer_ids =", layer_ids)
+
+ root_hashes := split(overlay_storage.options[1], ":")
+ print("allow_storages: root_hashes =", root_hashes)
+
+ every i_storage in i_storages {
+ allow_storage(p_storages, i_storage, bundle_id, sandbox_id, layer_ids, root_hashes)
+ }
+
+ print("allow_storages: true")
+}
+
+allow_storage(p_storages, i_storage, bundle_id, sandbox_id, layer_ids, root_hashes) {
+ some p_storage in p_storages
+
+ print("allow_storage: p_storage =", p_storage)
+ print("allow_storage: i_storage =", i_storage)
+
+ p_storage.driver == i_storage.driver
+ p_storage.driver_options == i_storage.driver_options
+ p_storage.fs_group == i_storage.fs_group
+
+ allow_storage_options(p_storage, i_storage, layer_ids, root_hashes)
+ allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids)
+ + # TODO: validate the source field too. + + print("allow_storage: true") +} + +allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) { + print("allow_storage_options 1: start") + + p_storage.driver != "overlayfs" + p_storage.options == i_storage.options + + print("allow_storage_options 1: true") +} +allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) { + print("allow_storage_options 2: start") + + p_storage.driver == "overlayfs" + count(p_storage.options) == 2 + + policy_ids := split(p_storage.options[0], ":") + print("allow_storage_options 2: policy_ids =", policy_ids) + policy_ids == layer_ids + + policy_hashes := split(p_storage.options[1], ":") + print("allow_storage_options 2: policy_hashes =", policy_hashes) + + p_count := count(policy_ids) + print("allow_storage_options 2: p_count =", p_count) + p_count >= 1 + p_count == count(policy_hashes) + + i_count := count(i_storage.options) + print("allow_storage_options 2: i_count =", i_count) + i_count == p_count + 3 + + print("allow_storage_options 2: i_storage.options[0] =", i_storage.options[0]) + i_storage.options[0] == "io.katacontainers.fs-opt.layer-src-prefix=/var/lib/containerd/io.containerd.snapshotter.v1.tardev/layers" + + print("allow_storage_options 2: i_storage.options[i_count - 2] =", i_storage.options[i_count - 2]) + i_storage.options[i_count - 2] == "io.katacontainers.fs-opt.overlay-rw" + + lowerdir := concat("=", ["lowerdir", p_storage.options[0]]) + print("allow_storage_options 2: lowerdir =", lowerdir) + + print("allow_storage_options 2: i_storage.options[i_count - 1] =", i_storage.options[i_count - 1]) + i_storage.options[i_count - 1] == lowerdir + + every i, policy_id in policy_ids { + allow_overlay_layer(policy_id, policy_hashes[i], i_storage.options[i + 1]) + } + + print("allow_storage_options 2: true") +} +allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) { + print("allow_storage_options 3: start") + + p_storage.driver == "blk" + 
count(p_storage.options) == 1 + + startswith(p_storage.options[0], "$(hash") + hash_suffix := trim_left(p_storage.options[0], "$(hash") + + endswith(hash_suffix, ")") + hash_index := trim_right(hash_suffix, ")") + i := to_number(hash_index) + print("allow_storage_options 3: i =", i) + + hash_option := concat("=", ["io.katacontainers.fs-opt.root-hash", root_hashes[i]]) + print("allow_storage_options 3: hash_option =", hash_option) + + count(i_storage.options) == 4 + i_storage.options[0] == "ro" + i_storage.options[1] == "io.katacontainers.fs-opt.block_device=file" + i_storage.options[2] == "io.katacontainers.fs-opt.is-layer" + i_storage.options[3] == hash_option + + print("allow_storage_options 3: true") +} +allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) { + print("allow_storage_options 4: start") + + p_storage.driver == "smb" + count(i_storage.options) == 8 + i_storage.options[0] == "dir_mode=0666" + i_storage.options[1] == "file_mode=0666" + i_storage.options[2] == "mfsymlinks" + i_storage.options[3] == "cache=strict" + i_storage.options[4] == "nosharesock" + i_storage.options[5] == "actimeo=30" + startswith(i_storage.options[6], "addr=") + creds = split(i_storage.options[7], ",") + count(creds) == 2 + startswith(creds[0], "username=") + startswith(creds[1], "password=") + + print("allow_storage_options 4: true") +} + +allow_overlay_layer(policy_id, policy_hash, i_option) { + print("allow_overlay_layer: policy_id =", policy_id, "policy_hash =", policy_hash) + print("allow_overlay_layer: i_option =", i_option) + + startswith(i_option, "io.katacontainers.fs-opt.layer=") + i_value := replace(i_option, "io.katacontainers.fs-opt.layer=", "") + i_value_decoded := base64.decode(i_value) + print("allow_overlay_layer: i_value_decoded =", i_value_decoded) + + policy_suffix := concat("=", ["tar,ro,io.katacontainers.fs-opt.block_device=file,io.katacontainers.fs-opt.is-layer,io.katacontainers.fs-opt.root-hash", policy_hash]) + p_value := concat(",", 
[policy_id, policy_suffix]) + print("allow_overlay_layer: p_value =", p_value) + + p_value == i_value_decoded + + print("allow_overlay_layer: true") +} + +allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { + p_storage.fstype == "tar" + + startswith(p_storage.mount_point, "$(layer") + mount_suffix := trim_left(p_storage.mount_point, "$(layer") + + endswith(mount_suffix, ")") + layer_index := trim_right(mount_suffix, ")") + i := to_number(layer_index) + print("allow_mount_point 1: i =", i) + + layer_id := layer_ids[i] + print("allow_mount_point 1: layer_id =", layer_id) + + p_mount := concat("/", ["/run/kata-containers/sandbox/layers", layer_id]) + print("allow_mount_point 1: p_mount =", p_mount) + + p_mount == i_storage.mount_point + + print("allow_mount_point 1: true") +} +allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { + p_storage.fstype == "fuse3.kata-overlay" + + mount1 := replace(p_storage.mount_point, "$(cpath)", policy_data.common.cpath) + mount2 := replace(mount1, "$(bundle-id)", bundle_id) + print("allow_mount_point 2: mount2 =", mount2) + + mount2 == i_storage.mount_point + + print("allow_mount_point 2: true") +} +allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { + p_storage.fstype == "local" + + mount1 := p_storage.mount_point + print("allow_mount_point 3: mount1 =", mount1) + + mount2 := replace(mount1, "$(cpath)", policy_data.common.cpath) + print("allow_mount_point 3: mount2 =", mount2) + + mount3 := replace(mount2, "$(sandbox-id)", sandbox_id) + print("allow_mount_point 3: mount3 =", mount3) + + regex.match(mount3, i_storage.mount_point) + + print("allow_mount_point 3: true") +} +allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { + p_storage.fstype == "bind" + + mount1 := p_storage.mount_point + print("allow_mount_point 4: mount1 =", mount1) + + mount2 := replace(mount1, "$(cpath)", policy_data.common.cpath) + print("allow_mount_point 4: mount2 =", 
mount2) + + mount3 := replace(mount2, "$(bundle-id)", bundle_id) + print("allow_mount_point 4: mount3 =", mount3) + + regex.match(mount3, i_storage.mount_point) + + print("allow_mount_point 4: true") +} +allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { + p_storage.fstype == "tmpfs" + + mount1 := p_storage.mount_point + print("allow_mount_point 5: mount1 =", mount1) + + regex.match(mount1, i_storage.mount_point) + + print("allow_mount_point 5: true") +} +allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { + print("allow_mount_point 6: i_storage.mount_point =", i_storage.mount_point) + allow_direct_vol_driver(p_storage, i_storage) + + mount1 := p_storage.mount_point + print("allow_mount_point 6: mount1 =", mount1) + + mount2 := replace(mount1, "$(spath)", policy_data.common.spath) + print("allow_mount_point 6: mount2 =", mount2) + + direct_vol_path := i_storage.source + mount3 := replace(mount2, "$(b64-direct-vol-path)", base64url.encode(direct_vol_path)) + print("allow_mount_point 6: mount3 =", mount3) + + mount3 == i_storage.mount_point + + print("allow_mount_point 6: true") +} + +allow_direct_vol_driver(p_storage, i_storage) { + print("allow_direct_vol_driver 1: start") + p_storage.driver == "blk" + print("allow_direct_vol_driver 1: true") +} +allow_direct_vol_driver(p_storage, i_storage) { + print("allow_direct_vol_driver 2: start") + p_storage.driver == "smb" + print("allow_direct_vol_driver 2: true") +} + +# process.Capabilities +allow_caps(p_caps, i_caps) { + print("allow_caps: policy Ambient =", p_caps.Ambient) + print("allow_caps: input Ambient =", i_caps.Ambient) + match_caps(p_caps.Ambient, i_caps.Ambient) + + print("allow_caps: policy Bounding =", p_caps.Bounding) + print("allow_caps: input Bounding =", i_caps.Bounding) + match_caps(p_caps.Bounding, i_caps.Bounding) + + print("allow_caps: policy Effective =", p_caps.Effective) + print("allow_caps: input Effective =", i_caps.Effective) + 
match_caps(p_caps.Effective, i_caps.Effective) + + print("allow_caps: policy Inheritable =", p_caps.Inheritable) + print("allow_caps: input Inheritable =", i_caps.Inheritable) + match_caps(p_caps.Inheritable, i_caps.Inheritable) + + print("allow_caps: policy Permitted =", p_caps.Permitted) + print("allow_caps: input Permitted =", i_caps.Permitted) + match_caps(p_caps.Permitted, i_caps.Permitted) +} + +match_caps(p_caps, i_caps) { + print("match_caps 1: start") + + p_caps == i_caps + + print("match_caps 1: true") +} +match_caps(p_caps, i_caps) { + print("match_caps 2: start") + + count(p_caps) == 1 + p_caps[0] == "$(default_caps)" + + print("match_caps 2: default_caps =", policy_data.common.default_caps) + policy_data.common.default_caps == i_caps + + print("match_caps 2: true") +} +match_caps(p_caps, i_caps) { + print("match_caps 3: start") + + count(p_caps) == 1 + p_caps[0] == "$(privileged_caps)" + + print("match_caps 3: privileged_caps =", policy_data.common.privileged_caps) + policy_data.common.privileged_caps == i_caps + + print("match_caps 3: true") +} + +###################################################################### +check_directory_traversal(i_path) { + contains(i_path, "../") == false + endswith(i_path, "/..") == false + i_path != ".." +} + +check_symlink_source { + # TODO: delete this rule once the symlink_src field gets implemented + # by all/most Guest VMs. 
+ not input.symlink_src +} +check_symlink_source { + i_src := input.symlink_src + print("check_symlink_source: i_src =", i_src) + + startswith(i_src, "/") == false + check_directory_traversal(i_src) +} + +allow_sandbox_storages(i_storages) { + print("allow_sandbox_storages: i_storages =", i_storages) + + p_storages := policy_data.sandbox.storages + every i_storage in i_storages { + allow_sandbox_storage(p_storages, i_storage) + } + + print("allow_sandbox_storages: true") +} + +allow_sandbox_storage(p_storages, i_storage) { + print("allow_sandbox_storage: i_storage =", i_storage) + + some p_storage in p_storages + print("allow_sandbox_storage: p_storage =", p_storage) + i_storage == p_storage + + print("allow_sandbox_storage: true") +} + +CopyFileRequest { + print("CopyFileRequest: input.path =", input.path) + + check_symlink_source + check_directory_traversal(input.path) + + some regex1 in policy_data.request_defaults.CopyFileRequest + regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix) + regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath) + regex4 := replace(regex3, "$(bundle-id)", "[a-z0-9]{64}") + print("CopyFileRequest: regex4 =", regex4) + + regex.match(regex4, input.path) + + print("CopyFileRequest: true") +} + +CreateSandboxRequest { + print("CreateSandboxRequest: input.guest_hook_path =", input.guest_hook_path) + count(input.guest_hook_path) == 0 + + print("CreateSandboxRequest: input.kernel_modules =", input.kernel_modules) + count(input.kernel_modules) == 0 + + i_pidns := input.sandbox_pidns + print("CreateSandboxRequest: i_pidns =", i_pidns) + i_pidns == false + + allow_sandbox_storages(input.storages) +} + +ExecProcessRequest { + print("ExecProcessRequest 1: input =", input) + + i_command = concat(" ", input.process.Args) + print("ExecProcessRequest 1: i_command =", i_command) + + some p_command in policy_data.request_defaults.ExecProcessRequest.commands + print("ExecProcessRequest 1: p_command =", p_command) + p_command == 
i_command + + print("ExecProcessRequest 1: true") +} +ExecProcessRequest { + print("ExecProcessRequest 2: input =", input) + + # TODO: match input container ID with its corresponding container.exec_commands. + i_command = concat(" ", input.process.Args) + print("ExecProcessRequest 3: i_command =", i_command) + + some container in policy_data.containers + some p_command in container.exec_commands + print("ExecProcessRequest 2: p_command =", p_command) + + # TODO: should other input data fields be validated as well? + p_command == i_command + + print("ExecProcessRequest 2: true") +} +ExecProcessRequest { + print("ExecProcessRequest 3: input =", input) + + i_command = concat(" ", input.process.Args) + print("ExecProcessRequest 3: i_command =", i_command) + + some p_regex in policy_data.request_defaults.ExecProcessRequest.regex + print("ExecProcessRequest 3: p_regex =", p_regex) + + regex.match(p_regex, i_command) + + print("ExecProcessRequest 3: true") +} + +CloseStdinRequest { + policy_data.request_defaults.CloseStdinRequest == true +} + +ReadStreamRequest { + policy_data.request_defaults.ReadStreamRequest == true +} + +UpdateEphemeralMountsRequest { + policy_data.request_defaults.UpdateEphemeralMountsRequest == true +} + +WriteStreamRequest { + policy_data.request_defaults.WriteStreamRequest == true +} + +policy_data := { + "containers": [ + { + "OCI": { + "Version": "1.1.0-rc.1", + "Process": { + "Terminal": false, + "User": { + "UID": 65535, + "GID": 65535, + "AdditionalGids": [], + "Username": "" + }, + "Args": [ + "/pause" + ], + "Env": [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" + ], + "Cwd": "/", + "Capabilities": { + "Ambient": [], + "Bounding": [ + "$(default_caps)" + ], + "Effective": [ + "$(default_caps)" + ], + "Inheritable": [], + "Permitted": [ + "$(default_caps)" + ] + }, + "NoNewPrivileges": true + }, + "Root": { + "Path": "$(cpath)/$(bundle-id)", + "Readonly": true + }, + "Mounts": [ + { + "destination": "/proc", + 
"source": "proc", + "type_": "proc", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/dev", + "source": "tmpfs", + "type_": "tmpfs", + "options": [ + "nosuid", + "strictatime", + "mode=755", + "size=65536k" + ] + }, + { + "destination": "/dev/pts", + "source": "devpts", + "type_": "devpts", + "options": [ + "nosuid", + "noexec", + "newinstance", + "ptmxmode=0666", + "mode=0620", + "gid=5" + ] + }, + { + "destination": "/dev/shm", + "source": "/run/kata-containers/sandbox/shm", + "type_": "bind", + "options": [ + "rbind" + ] + }, + { + "destination": "/dev/mqueue", + "source": "mqueue", + "type_": "mqueue", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/sys", + "source": "sysfs", + "type_": "sysfs", + "options": [ + "nosuid", + "noexec", + "nodev", + "ro" + ] + }, + { + "destination": "/etc/resolv.conf", + "source": "$(sfprefix)resolv.conf$", + "type_": "bind", + "options": [ + "rbind", + "ro", + "nosuid", + "nodev", + "noexec" + ] + } + ], + "Annotations": { + "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/$(bundle-id)", + "io.katacontainers.pkg.oci.container_type": "pod_sandbox", + "io.kubernetes.cri.container-type": "sandbox", + "io.kubernetes.cri.sandbox-id": "^[a-z0-9]{64}$", + "io.kubernetes.cri.sandbox-log-directory": "^/var/log/pods/$(sandbox-namespace)_$(sandbox-name)_[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "io.kubernetes.cri.sandbox-name": "cm2", + "io.kubernetes.cri.sandbox-namespace": "default", + "nerdctl/network-namespace": "^/var/run/netns/cni-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$" + }, + "Linux": { + "Namespaces": [ + { + "Type": "ipc", + "Path": "" + }, + { + "Type": "uts", + "Path": "" + }, + { + "Type": "mount", + "Path": "" + } + ], + "MaskedPaths": [ + "/proc/acpi", + "/proc/asound", + "/proc/kcore", + "/proc/keys", + "/proc/latency_stats", + "/proc/timer_list", + "/proc/timer_stats", 
+ "/proc/sched_debug", + "/sys/firmware", + "/proc/scsi" + ], + "ReadonlyPaths": [ + "/proc/bus", + "/proc/fs", + "/proc/irq", + "/proc/sys", + "/proc/sysrq-trigger" + ] + } + }, + "storages": [ + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash0)" + ], + "mount_point": "$(layer0)", + "fs_group": null + }, + { + "driver": "overlayfs", + "driver_options": [], + "source": "", + "fstype": "fuse3.kata-overlay", + "options": [ + "5a5aad80055ff20012a50dc25f8df7a29924474324d65f7d5306ee8ee27ff71d", + "817250f1a3e336da76f5bd3fa784e1b26d959b9c131876815ba2604048b70c18" + ], + "mount_point": "$(cpath)/$(bundle-id)", + "fs_group": null + } + ], + "sandbox_pidns": false, + "exec_commands": [] + }, + { + "OCI": { + "Version": "1.1.0-rc.1", + "Process": { + "Terminal": false, + "User": { + "UID": 123, + "GID": 0, + "AdditionalGids": [], + "Username": "" + }, + "Args": [ + "/bin/sh", + "-c", + "while true; do echo hello; sleep 10; done" + ], + "Env": [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", + "HOSTNAME=$(host-name)" + ], + "Cwd": "/", + "Capabilities": { + "Ambient": [], + "Bounding": [ + "$(default_caps)" + ], + "Effective": [ + "$(default_caps)" + ], + "Inheritable": [], + "Permitted": [ + "$(default_caps)" + ] + }, + "NoNewPrivileges": false + }, + "Root": { + "Path": "$(cpath)/$(bundle-id)", + "Readonly": false + }, + "Mounts": [ + { + "destination": "/proc", + "source": "proc", + "type_": "proc", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/dev", + "source": "tmpfs", + "type_": "tmpfs", + "options": [ + "nosuid", + "strictatime", + "mode=755", + "size=65536k" + ] + }, + { + "destination": "/dev/pts", + "source": "devpts", + "type_": "devpts", + "options": [ + "nosuid", + "noexec", + "newinstance", + "ptmxmode=0666", + "mode=0620", + "gid=5" + ] + }, + { + "destination": "/dev/shm", + "source": "/run/kata-containers/sandbox/shm", + "type_": "bind", + 
"options": [ + "rbind" + ] + }, + { + "destination": "/dev/mqueue", + "source": "mqueue", + "type_": "mqueue", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/sys", + "source": "sysfs", + "type_": "sysfs", + "options": [ + "nosuid", + "noexec", + "nodev", + "ro" + ] + }, + { + "destination": "/sys/fs/cgroup", + "source": "cgroup", + "type_": "cgroup", + "options": [ + "nosuid", + "noexec", + "nodev", + "relatime", + "ro" + ] + }, + { + "destination": "/etc/hosts", + "source": "$(sfprefix)hosts$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/dev/termination-log", + "source": "$(sfprefix)termination-log$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/etc/hostname", + "source": "$(sfprefix)hostname$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/etc/resolv.conf", + "source": "$(sfprefix)resolv.conf$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/var/run/secrets/kubernetes.io/serviceaccount", + "source": "$(sfprefix)serviceaccount$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "ro" + ] + }, + { + "destination": "/var/run/secrets/azure/tokens", + "source": "$(sfprefix)tokens$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "ro" + ] + }, + { + "destination": "/cm2", + "source": "$(sfprefix)cm2$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "ro" + ] + }, + { + "destination": "/cm3", + "source": "$(sfprefix)cm3$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "ro" + ] + } + ], + "Annotations": { + "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/$(bundle-id)", + "io.katacontainers.pkg.oci.container_type": "pod_container", + "io.kubernetes.cri.container-name": "busybox", + "io.kubernetes.cri.container-type": "container", + 
"io.kubernetes.cri.image-name": "mcr.microsoft.com/aks/e2e/library-busybox:master.220314.1-linux-amd64", + "io.kubernetes.cri.sandbox-id": "^[a-z0-9]{64}$", + "io.kubernetes.cri.sandbox-name": "cm2", + "io.kubernetes.cri.sandbox-namespace": "default" + }, + "Linux": { + "Namespaces": [ + { + "Type": "ipc", + "Path": "" + }, + { + "Type": "uts", + "Path": "" + }, + { + "Type": "mount", + "Path": "" + } + ], + "MaskedPaths": [ + "/proc/acpi", + "/proc/kcore", + "/proc/keys", + "/proc/latency_stats", + "/proc/timer_list", + "/proc/timer_stats", + "/proc/sched_debug", + "/proc/scsi", + "/sys/firmware" + ], + "ReadonlyPaths": [ + "/proc/asound", + "/proc/bus", + "/proc/fs", + "/proc/irq", + "/proc/sys", + "/proc/sysrq-trigger" + ] + } + }, + "storages": [ + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash0)" + ], + "mount_point": "$(layer0)", + "fs_group": null + }, + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash1)" + ], + "mount_point": "$(layer1)", + "fs_group": null + }, + { + "driver": "overlayfs", + "driver_options": [], + "source": "", + "fstype": "fuse3.kata-overlay", + "options": [ + "2c342a137e693c7898aec36da1047f191dc7c1687e66198adacc439cf4adf379:2570e3a19e1bf20ddda45498a9627f61555d2d6c01479b9b76460b679b27d552", + "8568c70c0ccfe0051092e818da769111a59882cd19dd799d3bca5ffa82791080:b643b6217748983830b26ac14a35a3322dd528c00963eaadd91ef55f513dc73f" + ], + "mount_point": "$(cpath)/$(bundle-id)", + "fs_group": null + } + ], + "sandbox_pidns": true, + "exec_commands": [] + }, + { + "OCI": { + "Version": "1.1.0-rc.1", + "Process": { + "Terminal": false, + "User": { + "UID": 321, + "GID": 0, + "AdditionalGids": [], + "Username": "" + }, + "Args": [ + "/bin/sh", + "-c", + "while true; do echo hello; sleep 10; done" + ], + "Env": [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", + "HOSTNAME=$(host-name)" + ], + "Cwd": "/", + 
"Capabilities": { + "Ambient": [], + "Bounding": [ + "$(default_caps)" + ], + "Effective": [ + "$(default_caps)" + ], + "Inheritable": [], + "Permitted": [ + "$(default_caps)" + ] + }, + "NoNewPrivileges": false + }, + "Root": { + "Path": "$(cpath)/$(bundle-id)", + "Readonly": false + }, + "Mounts": [ + { + "destination": "/proc", + "source": "proc", + "type_": "proc", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/dev", + "source": "tmpfs", + "type_": "tmpfs", + "options": [ + "nosuid", + "strictatime", + "mode=755", + "size=65536k" + ] + }, + { + "destination": "/dev/pts", + "source": "devpts", + "type_": "devpts", + "options": [ + "nosuid", + "noexec", + "newinstance", + "ptmxmode=0666", + "mode=0620", + "gid=5" + ] + }, + { + "destination": "/dev/shm", + "source": "/run/kata-containers/sandbox/shm", + "type_": "bind", + "options": [ + "rbind" + ] + }, + { + "destination": "/dev/mqueue", + "source": "mqueue", + "type_": "mqueue", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/sys", + "source": "sysfs", + "type_": "sysfs", + "options": [ + "nosuid", + "noexec", + "nodev", + "ro" + ] + }, + { + "destination": "/sys/fs/cgroup", + "source": "cgroup", + "type_": "cgroup", + "options": [ + "nosuid", + "noexec", + "nodev", + "relatime", + "ro" + ] + }, + { + "destination": "/etc/hosts", + "source": "$(sfprefix)hosts$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/dev/termination-log", + "source": "$(sfprefix)termination-log$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/etc/hostname", + "source": "$(sfprefix)hostname$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/etc/resolv.conf", + "source": "$(sfprefix)resolv.conf$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": 
"/var/run/secrets/kubernetes.io/serviceaccount", + "source": "$(sfprefix)serviceaccount$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "ro" + ] + }, + { + "destination": "/var/run/secrets/azure/tokens", + "source": "$(sfprefix)tokens$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "ro" + ] + }, + { + "destination": "/cm2", + "source": "$(sfprefix)cm2$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "ro" + ] + }, + { + "destination": "/cm3", + "source": "$(sfprefix)cm3$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "ro" + ] + } + ], + "Annotations": { + "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/$(bundle-id)", + "io.katacontainers.pkg.oci.container_type": "pod_container", + "io.kubernetes.cri.container-name": "busybox2", + "io.kubernetes.cri.container-type": "container", + "io.kubernetes.cri.image-name": "mcr.microsoft.com/aks/e2e/library-busybox:master.220314.1-linux-amd64", + "io.kubernetes.cri.sandbox-id": "^[a-z0-9]{64}$", + "io.kubernetes.cri.sandbox-name": "cm2", + "io.kubernetes.cri.sandbox-namespace": "default" + }, + "Linux": { + "Namespaces": [ + { + "Type": "ipc", + "Path": "" + }, + { + "Type": "uts", + "Path": "" + }, + { + "Type": "mount", + "Path": "" + } + ], + "MaskedPaths": [ + "/proc/acpi", + "/proc/kcore", + "/proc/keys", + "/proc/latency_stats", + "/proc/timer_list", + "/proc/timer_stats", + "/proc/sched_debug", + "/proc/scsi", + "/sys/firmware" + ], + "ReadonlyPaths": [ + "/proc/asound", + "/proc/bus", + "/proc/fs", + "/proc/irq", + "/proc/sys", + "/proc/sysrq-trigger" + ] + } + }, + "storages": [ + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash0)" + ], + "mount_point": "$(layer0)", + "fs_group": null + }, + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash1)" + ], + "mount_point": "$(layer1)", + "fs_group": null + }, 
+ { + "driver": "overlayfs", + "driver_options": [], + "source": "", + "fstype": "fuse3.kata-overlay", + "options": [ + "2c342a137e693c7898aec36da1047f191dc7c1687e66198adacc439cf4adf379:2570e3a19e1bf20ddda45498a9627f61555d2d6c01479b9b76460b679b27d552", + "8568c70c0ccfe0051092e818da769111a59882cd19dd799d3bca5ffa82791080:b643b6217748983830b26ac14a35a3322dd528c00963eaadd91ef55f513dc73f" + ], + "mount_point": "$(cpath)/$(bundle-id)", + "fs_group": null + } + ], + "sandbox_pidns": true, + "exec_commands": [] + } + ], + "common": { + "cpath": "/run/kata-containers/shared/containers", + "sfprefix": "^$(cpath)/$(bundle-id)-[a-z0-9]{16}-", + "spath": "/run/kata-containers/sandbox/storage", + "ipv4_a": "((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}", + "ip_p": "[0-9]{1,5}", + "svc_name": "[A-Z0-9_\\.\\-]+", + "dns_label": "[a-zA-Z0-9_\\.\\-]+", + "default_caps": [ + "CAP_CHOWN", + "CAP_DAC_OVERRIDE", + "CAP_FSETID", + "CAP_FOWNER", + "CAP_MKNOD", + "CAP_NET_RAW", + "CAP_SETGID", + "CAP_SETUID", + "CAP_SETFCAP", + "CAP_SETPCAP", + "CAP_NET_BIND_SERVICE", + "CAP_SYS_CHROOT", + "CAP_KILL", + "CAP_AUDIT_WRITE" + ], + "privileged_caps": [ + "CAP_CHOWN", + "CAP_DAC_OVERRIDE", + "CAP_DAC_READ_SEARCH", + "CAP_FOWNER", + "CAP_FSETID", + "CAP_KILL", + "CAP_SETGID", + "CAP_SETUID", + "CAP_SETPCAP", + "CAP_LINUX_IMMUTABLE", + "CAP_NET_BIND_SERVICE", + "CAP_NET_BROADCAST", + "CAP_NET_ADMIN", + "CAP_NET_RAW", + "CAP_IPC_LOCK", + "CAP_IPC_OWNER", + "CAP_SYS_MODULE", + "CAP_SYS_RAWIO", + "CAP_SYS_CHROOT", + "CAP_SYS_PTRACE", + "CAP_SYS_PACCT", + "CAP_SYS_ADMIN", + "CAP_SYS_BOOT", + "CAP_SYS_NICE", + "CAP_SYS_RESOURCE", + "CAP_SYS_TIME", + "CAP_SYS_TTY_CONFIG", + "CAP_MKNOD", + "CAP_LEASE", + "CAP_AUDIT_WRITE", + "CAP_AUDIT_CONTROL", + "CAP_SETFCAP", + "CAP_MAC_OVERRIDE", + "CAP_MAC_ADMIN", + "CAP_SYSLOG", + "CAP_WAKE_ALARM", + "CAP_BLOCK_SUSPEND", + "CAP_AUDIT_READ", + "CAP_PERFMON", + "CAP_BPF", + "CAP_CHECKPOINT_RESTORE" + ], + "virtio_blk_storage_classes": [ + "cc-local-csi", + 
"cc-managed-csi", + "cc-managed-premium-csi" + ], + "smb_storage_classes": [ + "cc-azurefile-csi", + "cc-azurefile-premium-csi" + ] + }, + "sandbox": { + "storages": [ + { + "driver": "ephemeral", + "driver_options": [], + "source": "shm", + "fstype": "tmpfs", + "options": [ + "noexec", + "nosuid", + "nodev", + "mode=1777", + "size=67108864" + ], + "mount_point": "/run/kata-containers/sandbox/shm", + "fs_group": null + } + ] + }, + "request_defaults": { + "CreateContainerRequest": { + "allow_env_regex": [ + "^HOSTNAME=$(dns_label)$", + "^$(svc_name)_PORT_$(ip_p)_TCP=tcp://$(ipv4_a):$(ip_p)$", + "^$(svc_name)_PORT_$(ip_p)_TCP_PROTO=tcp$", + "^$(svc_name)_PORT_$(ip_p)_TCP_PORT=$(ip_p)$", + "^$(svc_name)_PORT_$(ip_p)_TCP_ADDR=$(ipv4_a)$", + "^$(svc_name)_SERVICE_HOST=$(ipv4_a)$", + "^$(svc_name)_SERVICE_PORT=$(ip_p)$", + "^$(svc_name)_SERVICE_PORT_$(dns_label)=$(ip_p)$", + "^$(svc_name)_PORT=tcp://$(ipv4_a):$(ip_p)$", + "^AZURE_CLIENT_ID=[A-Fa-f0-9-]*$", + "^AZURE_TENANT_ID=[A-Fa-f0-9-]*$", + "^AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/azure/tokens/azure-identity-token$", + "^AZURE_AUTHORITY_HOST=https://login\\.microsoftonline\\.com/$" + ] + }, + "CopyFileRequest": [ + "$(sfprefix)" + ], + "ExecProcessRequest": { + "commands": [], + "regex": [] + }, + "CloseStdinRequest": false, + "ReadStreamRequest": true, + "UpdateEphemeralMountsRequest": false, + "WriteStreamRequest": false + } +} \ No newline at end of file diff --git a/tests/kata/data/pod-exec/inputs.txt b/tests/kata/data/pod-exec/inputs.txt new file mode 100644 index 00000000..d9a1e67f --- /dev/null +++ b/tests/kata/data/pod-exec/inputs.txt 
@@ -0,0 +1,153 @@
+["ep":"AllowRequestsFailingPolicy",{}],
+
+["ep":"UpdateInterfaceRequest",{"interface":{"device":"eth0","name":"eth0","IPAddresses":[{"family":0,"address":"10.244.0.16","mask":"24"},{"family":1,"address":"fe80::9cff:1eff:fec5:e9f5","mask":"64"}],"mtu":1500,"hwAddr":"9e:ff:1e:c5:e9:f5","pciPath":"","type_":"","raw_flags":0}}],
+
+["ep":"UpdateRoutesRequest",{"routes":{"Routes":[{"dest":"","gateway":"10.244.0.1","device":"eth0","source":"","scope":0,"family":0}]}}],
+
+["ep":"CreateSandboxRequest",{"hostname":"exec-test","dns":["search default.svc.cluster.local svc.cluster.local cluster.local","nameserver 10.0.0.10","options ndots:5",""],"storages":[{"driver":"ephemeral","driver_options":[],"source":"shm","fstype":"tmpfs","options":["noexec","nosuid","nodev","mode=1777","size=67108864"],"mount_point":"/run/kata-containers/sandbox/shm","fs_group":null}],"sandbox_pidns":false,"sandbox_id":"aac41059addb88a5ae3ab458912d6ea167cdf3e055a7c6698b647bac4fdb5c8b","guest_hook_path":"","kernel_modules":[]}],
+
+["ep":"GuestDetailsRequest",{"mem_block_size":true,"mem_hotplug_probe":true}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/aac41059addb88a5ae3ab458912d6ea167cdf3e055a7c6698b647bac4fdb5c8b-d96ce56341b7838c-resolv.conf","file_size":102,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CreateContainerRequest",{"container_id":"aac41059addb88a5ae3ab458912d6ea167cdf3e055a7c6698b647bac4fdb5c8b","exec_id":"aac41059addb88a5ae3ab458912d6ea167cdf3e055a7c6698b647bac4fdb5c8b","string_user":null,"devices":[],"storages":[{"driver":"blk","driver_options":[],"source":"0001:00:01.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=817250f1a3e336da76f5bd3fa784e1b26d959b9c131876815ba2604048b70c18"],"mount_point":"/run/kata-containers/sandbox/layers/5a5aad80055ff20012a50dc25f8df7a29924474324d65f7d5306ee8ee27ff71d","fs_group":null},{"driver":"overlayfs","driver_options":[],"source":"none","fstype":"fuse3.kata-overlay","options":["io.katacontainers.fs-opt.layer-src-prefix=/var/lib/containerd/io.containerd.snapshotter.v1.tardev/layers","io.katacontainers.fs-opt.layer=NWE1YWFkODAwNTVmZjIwMDEyYTUwZGMyNWY4ZGY3YTI5OTI0NDc0MzI0ZDY1ZjdkNTMwNmVlOGVlMjdmZjcxZCx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPTgxNzI1MGYxYTNlMzM2ZGE3NmY1YmQzZmE3ODRlMWIyNmQ5NTliOWMxMzE4NzY4MTViYTI2MDQwNDhiNzBjMTg=","io.katacontainers.fs-opt.overlay-rw","lowerdir=5a5aad80055ff20012a50dc25f8df7a29924474324d65f7d5306ee8ee27ff71d"],"mount_point":"/run/kata-containers/shared/containers/aac41059addb88a5ae3ab458912d6ea167cdf3e055a7c6698b647bac4fdb5c8b","fs_group":null}],"OCI":{"Version":"1.1.0-rc.1","Process":{"Terminal":false,"ConsoleSize":null,"User":{"UID":65535,"GID":65535,"AdditionalGids":[65535],"Username":""},"Args":["/pause"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],"Cwd":"/","Capabilities":{"Bounding":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Effective":["CAP_CHOWN","CAP_DAC_OVERRIDE
","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Inheritable":[],"Permitted":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Ambient":[]},"Rlimits":[],"NoNewPrivileges":true,"ApparmorProfile":"","OOMScoreAdj":-998,"SelinuxLabel":""},"Root":{"Path":"/run/kata-containers/shared/containers/aac41059addb88a5ae3ab458912d6ea167cdf3e055a7c6698b647bac4fdb5c8b","Readonly":true},"Hostname":"exec-test","Mounts":[{"destination":"/proc","source":"proc","type_":"proc","options":["nosuid","noexec","nodev"]},{"destination":"/dev","source":"tmpfs","type_":"tmpfs","options":["nosuid","strictatime","mode=755","size=65536k"]},{"destination":"/dev/pts","source":"devpts","type_":"devpts","options":["nosuid","noexec","newinstance","ptmxmode=0666","mode=0620","gid=5"]},{"destination":"/dev/mqueue","source":"mqueue","type_":"mqueue","options":["nosuid","noexec","nodev"]},{"destination":"/sys","source":"sysfs","type_":"sysfs","options":["nosuid","noexec","nodev","ro"]},{"destination":"/dev/shm","source":"/run/kata-containers/sandbox/shm","type_":"bind","options":["rbind"]},{"destination":"/etc/resolv.conf","source":"/run/kata-containers/shared/containers/aac41059addb88a5ae3ab458912d6ea167cdf3e055a7c6698b647bac4fdb5c8b-d96ce56341b7838c-resolv.conf","type_":"bind","options":["rbind","ro","nosuid","nodev","noexec"]}],"Hooks":null,"Annotations":{"io.kubernetes.cri.sandbox-cpu-quota":"0","io.kubernetes.cri.sandbox-id":"aac41059addb88a5ae3ab458912d6ea167cdf3e055a7c6698b647bac4fdb5c8b","io.kubernetes.cri.container-type":"sandbox","io.kubernetes.cri.sandbox-log-directory":"/var/log/pods/default_exec-test_ada2ca20-1a14-42b4-ae7e-f1a45d63fa33","io.kubernetes.cri.sandbox-namespace":"default","io.kubernetes.cri.sandbox
-cpu-period":"100000","io.kubernetes.cri.sandbox-uid":"ada2ca20-1a14-42b4-ae7e-f1a45d63fa33","io.katacontainers.pkg.oci.container_type":"pod_sandbox","io.katacontainers.pkg.oci.bundle_path":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/aac41059addb88a5ae3ab458912d6ea167cdf3e055a7c6698b647bac4fdb5c8b","io.kubernetes.cri.sandbox-name":"exec-test","nerdctl/network-namespace":"/var/run/netns/cni-f24f98bd-565d-85de-43fc-629d7e43d846","io.kubernetes.cri.sandbox-memory":"0","io.kubernetes.cri.sandbox-cpu-shares":"2"},"Linux":{"UIDMappings":[],"GIDMappings":[],"Sysctl":{},"Resources":{"Devices":[],"Memory":null,"CPU":{"Shares":2,"Quota":0,"Period":0,"RealtimeRuntime":0,"RealtimePeriod":0,"Cpus":"","Mems":""},"Pids":null,"BlockIO":null,"HugepageLimits":[],"Network":null},"CgroupsPath":"/kubepods/besteffort/podada2ca20-1a14-42b4-ae7e-f1a45d63fa33/aac41059addb88a5ae3ab458912d6ea167cdf3e055a7c6698b647bac4fdb5c8b","Namespaces":[{"Type":"ipc","Path":""},{"Type":"uts","Path":""},{"Type":"mount","Path":""}],"Devices":[],"Seccomp":null,"RootfsPropagation":"","MaskedPaths":["/proc/acpi","/proc/asound","/proc/kcore","/proc/keys","/proc/latency_stats","/proc/timer_list","/proc/timer_stats","/proc/sched_debug","/sys/firmware","/proc/scsi"],"ReadonlyPaths":["/proc/bus","/proc/fs","/proc/irq","/proc/sys","/proc/sysrq-trigger"],"MountLabel":"","IntelRdt":null},"Solaris":null,"Windows":null},"sandbox_pidns":false,"shared_mounts":[]}], + +["ep":"StartContainerRequest",{"container_id":"aac41059addb88a5ae3ab458912d6ea167cdf3e055a7c6698b647bac4fdb5c8b"}], + +["ep":"WaitProcessRequest",{"container_id":"aac41059addb88a5ae3ab458912d6ea167cdf3e055a7c6698b647bac4fdb5c8b","exec_id":"aac41059addb88a5ae3ab458912d6ea167cdf3e055a7c6698b647bac4fdb5c8b"}], + +["ep":"GetOOMEventRequest",{}], + 
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6-bc4160a6a1ede4ee-hosts","file_size":205,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6-a1372f1433b2d57a-termination-log","file_size":0,"file_mode":33206,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6-778950d1dc37ac62-hostname","file_size":10,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6-856be8eac02b039b-resolv.conf","file_size":102,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6-b72adc8e24c572c5-serviceaccount","file_size":0,"file_mode":17407,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6-b72adc8e24c572c5-serviceaccount/..2024_05_08_18_08_16.640162577","file_size":0,"file_mode":16877,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6-b72adc8e24c572c5-serviceaccount/..2024_05_08_18_08_16.640162577/ca.crt","file_size":1761,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6-b72adc8e24c572c5-serviceaccount/..2024_05_08_18_08_16.640162577/namespace","file_size":7,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6-b72adc8e24c572c5-serviceaccount/..2024_05_08_18_08_16.640162577/token","file_size":1495,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6-b72adc8e24c572c5-serviceaccount/..data","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..2024_05_08_18_08_16.640162577"}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6-b72adc8e24c572c5-serviceaccount/ca.crt","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..data/ca.crt"}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6-b72adc8e24c572c5-serviceaccount/namespace","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..data/namespace"}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6-b72adc8e24c572c5-serviceaccount/token","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..data/token"}],
+
+["ep":"CreateContainerRequest",{"container_id":"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","exec_id":"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","string_user":null,"devices":[],"storages":[{"driver":"blk","driver_options":[],"source":"0001:00:02.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=8568c70c0ccfe0051092e818da769111a59882cd19dd799d3bca5ffa82791080"],"mount_point":"/run/kata-containers/sandbox/layers/2c342a137e693c7898aec36da1047f191dc7c1687e66198adacc439cf4adf379","fs_group":null},{"driver":"blk","driver_options":[],"source":"0001:00:03.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=b643b6217748983830b26ac14a35a3322dd528c00963eaadd91ef55f513dc73f"],"mount_point":"/run/kata-containers/sandbox/layers/2570e3a19e1bf20ddda45498a9627f61555d2d6c01479b9b76460b679b27d552","fs_group":null},{"driver":"overlayfs","driver_options":[],"source":"none","fstype":"fuse3.kata-overlay","options":["io.katacontainers.fs-opt.layer-src-prefix=/var/lib/containerd/io.containerd.snapshotter.v1.tardev/layers","io.katacontainers.fs-opt.layer=MmMzNDJhMTM3ZTY5M2M3ODk4YWVjMzZkYTEwNDdmMTkxZGM3YzE2ODdlNjYxOThhZGFjYzQzOWNmNGFkZjM3OSx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPTg1NjhjNzBjMGNjZmUwMDUxMDkyZTgxOGRhNzY5MTExYTU5ODgyY2QxOWRkNzk5ZDNiY2E1ZmZhODI3OTEwODA=","io.katacontainers.fs-opt.layer=MjU3MGUzYTE5ZTFiZjIwZGRkYTQ1NDk4YTk2MjdmNjE1NTVkMmQ2YzAxNDc5YjliNzY0NjBiNjc5YjI3ZDU1Mix0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPWI2NDNiNjIxNzc0ODk4MzgzMGIyNmFjMTRhMzVhMzMyMmRkNTI4YzAwOTYzZWFhZGQ5MWVmNTVmNTEzZGM3M2Y=","io.kata
containers.fs-opt.overlay-rw","lowerdir=2c342a137e693c7898aec36da1047f191dc7c1687e66198adacc439cf4adf379:2570e3a19e1bf20ddda45498a9627f61555d2d6c01479b9b76460b679b27d552"],"mount_point":"/run/kata-containers/shared/containers/42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","fs_group":null}],"OCI":{"Version":"1.1.0-rc.1","Process":{"Terminal":false,"ConsoleSize":null,"User":{"UID":0,"GID":0,"AdditionalGids":[0,10],"Username":""},"Args":["/bin/sh","-c","while true; do echo Kubernetes; sleep 10; done"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","HOSTNAME=exec-test","POD_IP=10.244.0.16","SERVICE_ACCOUNT=default","POD_NAME=exec-test","POD_NAMESPACE=default","PROXY_CONFIG={}\n","ISTIO_META_POD_PORTS=[\n]","ISTIO_META_APP_CONTAINERS=serviceaclient","ISTIO_META_CLUSTER_ID=Kubernetes","ISTIO_META_NODE_NAME=aks-nodepool1-38464071-vmss000000","KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1","KUBERNETES_SERVICE_HOST=10.0.0.1","KUBERNETES_SERVICE_PORT=443","KUBERNETES_SERVICE_PORT_HTTPS=443","KUBERNETES_PORT=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP_PROTO=tcp","KUBERNETES_PORT_443_TCP_PORT=443"],"Cwd":"/","Capabilities":{"Bounding":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_DAC_READ_SEARCH","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_SETGID","CAP_SETUID","CAP_SETPCAP","CAP_LINUX_IMMUTABLE","CAP_NET_BIND_SERVICE","CAP_NET_BROADCAST","CAP_NET_ADMIN","CAP_NET_RAW","CAP_IPC_LOCK","CAP_IPC_OWNER","CAP_SYS_MODULE","CAP_SYS_RAWIO","CAP_SYS_CHROOT","CAP_SYS_PTRACE","CAP_SYS_PACCT","CAP_SYS_ADMIN","CAP_SYS_BOOT","CAP_SYS_NICE","CAP_SYS_RESOURCE","CAP_SYS_TIME","CAP_SYS_TTY_CONFIG","CAP_MKNOD","CAP_LEASE","CAP_AUDIT_WRITE","CAP_AUDIT_CONTROL","CAP_SETFCAP","CAP_MAC_OVERRIDE","CAP_MAC_ADMIN","CAP_SYSLOG","CAP_WAKE_ALARM","CAP_BLOCK_SUSPEND","CAP_AUDIT_READ","CAP_PERFMON","CAP_BPF","CAP_CHECKPOINT_RESTORE"],"Effective":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_DAC_READ_SEARCH","CAP_FOWNER","CAP_FSETID","CAP_KILL","C
AP_SETGID","CAP_SETUID","CAP_SETPCAP","CAP_LINUX_IMMUTABLE","CAP_NET_BIND_SERVICE","CAP_NET_BROADCAST","CAP_NET_ADMIN","CAP_NET_RAW","CAP_IPC_LOCK","CAP_IPC_OWNER","CAP_SYS_MODULE","CAP_SYS_RAWIO","CAP_SYS_CHROOT","CAP_SYS_PTRACE","CAP_SYS_PACCT","CAP_SYS_ADMIN","CAP_SYS_BOOT","CAP_SYS_NICE","CAP_SYS_RESOURCE","CAP_SYS_TIME","CAP_SYS_TTY_CONFIG","CAP_MKNOD","CAP_LEASE","CAP_AUDIT_WRITE","CAP_AUDIT_CONTROL","CAP_SETFCAP","CAP_MAC_OVERRIDE","CAP_MAC_ADMIN","CAP_SYSLOG","CAP_WAKE_ALARM","CAP_BLOCK_SUSPEND","CAP_AUDIT_READ","CAP_PERFMON","CAP_BPF","CAP_CHECKPOINT_RESTORE"],"Inheritable":[],"Permitted":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_DAC_READ_SEARCH","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_SETGID","CAP_SETUID","CAP_SETPCAP","CAP_LINUX_IMMUTABLE","CAP_NET_BIND_SERVICE","CAP_NET_BROADCAST","CAP_NET_ADMIN","CAP_NET_RAW","CAP_IPC_LOCK","CAP_IPC_OWNER","CAP_SYS_MODULE","CAP_SYS_RAWIO","CAP_SYS_CHROOT","CAP_SYS_PTRACE","CAP_SYS_PACCT","CAP_SYS_ADMIN","CAP_SYS_BOOT","CAP_SYS_NICE","CAP_SYS_RESOURCE","CAP_SYS_TIME","CAP_SYS_TTY_CONFIG","CAP_MKNOD","CAP_LEASE","CAP_AUDIT_WRITE","CAP_AUDIT_CONTROL","CAP_SETFCAP","CAP_MAC_OVERRIDE","CAP_MAC_ADMIN","CAP_SYSLOG","CAP_WAKE_ALARM","CAP_BLOCK_SUSPEND","CAP_AUDIT_READ","CAP_PERFMON","CAP_BPF","CAP_CHECKPOINT_RESTORE"],"Ambient":[]},"Rlimits":[],"NoNewPrivileges":false,"ApparmorProfile":"","OOMScoreAdj":1000,"SelinuxLabel":""},"Root":{"Path":"/run/kata-containers/shared/containers/42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","Readonly":false},"Hostname":"","Mounts":[{"destination":"/proc","source":"proc","type_":"proc","options":["nosuid","noexec","nodev"]},{"destination":"/dev","source":"tmpfs","type_":"tmpfs","options":["nosuid","strictatime","mode=755","size=65536k"]},{"destination":"/dev/pts","source":"devpts","type_":"devpts","options":["nosuid","noexec","newinstance","ptmxmode=0666","mode=0620","gid=5"]},{"destination":"/dev/mqueue","source":"mqueue","type_":"mqueue","options":["nosuid","noexec","nodev"]}
,{"destination":"/sys","source":"sysfs","type_":"sysfs","options":["nosuid","noexec","nodev","rw"]},{"destination":"/sys/fs/cgroup","source":"cgroup","type_":"cgroup","options":["nosuid","noexec","nodev","relatime","rw"]},{"destination":"/etc/hosts","source":"/run/kata-containers/shared/containers/42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6-bc4160a6a1ede4ee-hosts","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/dev/termination-log","source":"/run/kata-containers/shared/containers/42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6-a1372f1433b2d57a-termination-log","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/etc/hostname","source":"/run/kata-containers/shared/containers/42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6-778950d1dc37ac62-hostname","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/etc/resolv.conf","source":"/run/kata-containers/shared/containers/42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6-856be8eac02b039b-resolv.conf","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/dev/shm","source":"/run/kata-containers/sandbox/shm","type_":"bind","options":["rbind"]},{"destination":"/var/run/secrets/kubernetes.io/serviceaccount","source":"/run/kata-containers/shared/containers/42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6-b72adc8e24c572c5-serviceaccount","type_":"bind","options":["rbind","rprivate","ro"]}],"Hooks":null,"Annotations":{"io.katacontainers.pkg.oci.container_type":"pod_container","io.katacontainers.pkg.oci.bundle_path":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","io.kubernetes.cri.container-type":"container","io.kubernetes.cri.sandbox-name":"exec-test","io.kubernetes.cri.container-name":"busybox","io.kubernetes.cri.sandbox-namespace":"default","io.kubernetes.cri.sandbox-id":"aac41059addb88a5ae3ab458912d6ea167c
df3e055a7c6698b647bac4fdb5c8b","io.kubernetes.cri.sandbox-uid":"ada2ca20-1a14-42b4-ae7e-f1a45d63fa33","io.kubernetes.cri.image-name":"mcr.microsoft.com/aks/e2e/library-busybox:master.220314.1-linux-amd64"},"Linux":{"UIDMappings":[],"GIDMappings":[],"Sysctl":{},"Resources":{"Devices":[],"Memory":{"Limit":0,"Reservation":0,"Swap":0,"Kernel":0,"KernelTCP":0,"Swappiness":0,"DisableOOMKiller":false},"CPU":{"Shares":2,"Quota":0,"Period":100000,"RealtimeRuntime":0,"RealtimePeriod":0,"Cpus":"","Mems":""},"Pids":null,"BlockIO":null,"HugepageLimits":[],"Network":null},"CgroupsPath":"/kubepods/besteffort/podada2ca20-1a14-42b4-ae7e-f1a45d63fa33/42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","Namespaces":[{"Type":"ipc","Path":""},{"Type":"uts","Path":""},{"Type":"mount","Path":""}],"Devices":[],"Seccomp":null,"RootfsPropagation":"","MaskedPaths":[],"ReadonlyPaths":[],"MountLabel":"","IntelRdt":null},"Solaris":null,"Windows":null},"sandbox_pidns":false,"shared_mounts":[]}], + +["ep":"StartContainerRequest",{"container_id":"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6"}], + +["ep":"ExecProcessRequest",{"container_id":"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","exec_id":"230a7dd5-f55e-40c2-b866-c98ad050c029","string_user":null,"process":{"Terminal":false,"ConsoleSize":null,"User":{"UID":0,"GID":0,"AdditionalGids":[0,10],"Username":""},"Args":["echo","${ISTIO_META_NODE_NAME} 
startup"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","HOSTNAME=exec-test","POD_IP=10.244.0.16","SERVICE_ACCOUNT=default","POD_NAME=exec-test","POD_NAMESPACE=default","PROXY_CONFIG={}\n","ISTIO_META_POD_PORTS=[\n]","ISTIO_META_APP_CONTAINERS=serviceaclient","ISTIO_META_CLUSTER_ID=Kubernetes","ISTIO_META_NODE_NAME=aks-nodepool1-38464071-vmss000000","KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1","KUBERNETES_SERVICE_HOST=10.0.0.1","KUBERNETES_SERVICE_PORT=443","KUBERNETES_SERVICE_PORT_HTTPS=443","KUBERNETES_PORT=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP_PROTO=tcp","KUBERNETES_PORT_443_TCP_PORT=443"],"Cwd":"/","Capabilities":null,"Rlimits":[],"NoNewPrivileges":false,"ApparmorProfile":"","OOMScoreAdj":0,"SelinuxLabel":""}}], + +["ep":"WaitProcessRequest",{"container_id":"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","exec_id":"230a7dd5-f55e-40c2-b866-c98ad050c029"}], + +["ep":"ExecProcessRequest",{"container_id":"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","exec_id":"52f23a0b-0f09-4673-9541-5636889b6ca7","string_user":null,"process":{"Terminal":false,"ConsoleSize":null,"User":{"UID":0,"GID":0,"AdditionalGids":[0,10],"Username":""},"Args":["echo","Ready 
${POD_IP}!"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","HOSTNAME=exec-test","POD_IP=10.244.0.16","SERVICE_ACCOUNT=default","POD_NAME=exec-test","POD_NAMESPACE=default","PROXY_CONFIG={}\n","ISTIO_META_POD_PORTS=[\n]","ISTIO_META_APP_CONTAINERS=serviceaclient","ISTIO_META_CLUSTER_ID=Kubernetes","ISTIO_META_NODE_NAME=aks-nodepool1-38464071-vmss000000","KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1","KUBERNETES_SERVICE_HOST=10.0.0.1","KUBERNETES_SERVICE_PORT=443","KUBERNETES_SERVICE_PORT_HTTPS=443","KUBERNETES_PORT=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP_PROTO=tcp","KUBERNETES_PORT_443_TCP_PORT=443"],"Cwd":"/","Capabilities":null,"Rlimits":[],"NoNewPrivileges":false,"ApparmorProfile":"","OOMScoreAdj":0,"SelinuxLabel":""}}], + +["ep":"WaitProcessRequest",{"container_id":"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","exec_id":"52f23a0b-0f09-4673-9541-5636889b6ca7"}], + +["ep":"ExecProcessRequest",{"container_id":"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","exec_id":"f1d04442-303f-40cb-ac48-eff1f9406895","string_user":null,"process":{"Terminal":false,"ConsoleSize":null,"User":{"UID":0,"GID":0,"AdditionalGids":[0,10],"Username":""},"Args":["echo","Ready 
${POD_IP}!"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","HOSTNAME=exec-test","POD_IP=10.244.0.16","SERVICE_ACCOUNT=default","POD_NAME=exec-test","POD_NAMESPACE=default","PROXY_CONFIG={}\n","ISTIO_META_POD_PORTS=[\n]","ISTIO_META_APP_CONTAINERS=serviceaclient","ISTIO_META_CLUSTER_ID=Kubernetes","ISTIO_META_NODE_NAME=aks-nodepool1-38464071-vmss000000","KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1","KUBERNETES_SERVICE_HOST=10.0.0.1","KUBERNETES_SERVICE_PORT=443","KUBERNETES_SERVICE_PORT_HTTPS=443","KUBERNETES_PORT=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP_PROTO=tcp","KUBERNETES_PORT_443_TCP_PORT=443"],"Cwd":"/","Capabilities":null,"Rlimits":[],"NoNewPrivileges":false,"ApparmorProfile":"","OOMScoreAdj":0,"SelinuxLabel":""}}], + +["ep":"ExecProcessRequest",{"container_id":"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","exec_id":"bd33b367-2e42-4a83-8cf6-817eb10a1795","string_user":null,"process":{"Terminal":false,"ConsoleSize":null,"User":{"UID":0,"GID":0,"AdditionalGids":[0,10],"Username":""},"Args":["echo","${ISTIO_META_APP_CONTAINERS}"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","HOSTNAME=exec-test","POD_IP=10.244.0.16","SERVICE_ACCOUNT=default","POD_NAME=exec-test","POD_NAMESPACE=default","PROXY_CONFIG={}\n","ISTIO_META_POD_PORTS=[\n]","ISTIO_META_APP_CONTAINERS=serviceaclient","ISTIO_META_CLUSTER_ID=Kubernetes","ISTIO_META_NODE_NAME=aks-nodepool1-38464071-vmss000000","KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1","KUBERNETES_SERVICE_HOST=10.0.0.1","KUBERNETES_SERVICE_PORT=443","KUBERNETES_SERVICE_PORT_HTTPS=443","KUBERNETES_PORT=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP_PROTO=tcp","KUBERNETES_PORT_443_TCP_PORT=443"],"Cwd":"/","Capabilities":null,"Rlimits":[],"NoNewPrivileges":false,"ApparmorProfile":"","OOMScoreAdj":0,"SelinuxLabel":""}}], + 
+["ep":"WaitProcessRequest",{"container_id":"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","exec_id":"f1d04442-303f-40cb-ac48-eff1f9406895"}], + +["ep":"WaitProcessRequest",{"container_id":"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","exec_id":"bd33b367-2e42-4a83-8cf6-817eb10a1795"}], + +["ep":"ExecProcessRequest",{"container_id":"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","exec_id":"df812e16-cae6-46c4-b0fa-fdcc0e67472c","string_user":null,"process":{"Terminal":false,"ConsoleSize":null,"User":{"UID":0,"GID":0,"AdditionalGids":[0,10],"Username":""},"Args":["echo","${ISTIO_META_APP_CONTAINERS}"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","HOSTNAME=exec-test","POD_IP=10.244.0.16","SERVICE_ACCOUNT=default","POD_NAME=exec-test","POD_NAMESPACE=default","PROXY_CONFIG={}\n","ISTIO_META_POD_PORTS=[\n]","ISTIO_META_APP_CONTAINERS=serviceaclient","ISTIO_META_CLUSTER_ID=Kubernetes","ISTIO_META_NODE_NAME=aks-nodepool1-38464071-vmss000000","KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1","KUBERNETES_SERVICE_HOST=10.0.0.1","KUBERNETES_SERVICE_PORT=443","KUBERNETES_SERVICE_PORT_HTTPS=443","KUBERNETES_PORT=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP_PROTO=tcp","KUBERNETES_PORT_443_TCP_PORT=443"],"Cwd":"/","Capabilities":null,"Rlimits":[],"NoNewPrivileges":false,"ApparmorProfile":"","OOMScoreAdj":0,"SelinuxLabel":""}}], + +["ep":"ExecProcessRequest",{"container_id":"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","exec_id":"30724ed8-fff6-4b60-949d-e1380ace3706","string_user":null,"process":{"Terminal":false,"ConsoleSize":null,"User":{"UID":0,"GID":0,"AdditionalGids":[0,10],"Username":""},"Args":["echo","Ready 
${POD_IP}!"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","HOSTNAME=exec-test","POD_IP=10.244.0.16","SERVICE_ACCOUNT=default","POD_NAME=exec-test","POD_NAMESPACE=default","PROXY_CONFIG={}\n","ISTIO_META_POD_PORTS=[\n]","ISTIO_META_APP_CONTAINERS=serviceaclient","ISTIO_META_CLUSTER_ID=Kubernetes","ISTIO_META_NODE_NAME=aks-nodepool1-38464071-vmss000000","KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1","KUBERNETES_SERVICE_HOST=10.0.0.1","KUBERNETES_SERVICE_PORT=443","KUBERNETES_SERVICE_PORT_HTTPS=443","KUBERNETES_PORT=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP_PROTO=tcp","KUBERNETES_PORT_443_TCP_PORT=443"],"Cwd":"/","Capabilities":null,"Rlimits":[],"NoNewPrivileges":false,"ApparmorProfile":"","OOMScoreAdj":0,"SelinuxLabel":""}}], + +["ep":"WaitProcessRequest",{"container_id":"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","exec_id":"df812e16-cae6-46c4-b0fa-fdcc0e67472c"}], + +["ep":"WaitProcessRequest",{"container_id":"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","exec_id":"30724ed8-fff6-4b60-949d-e1380ace3706"}], + 
+["ep":"ExecProcessRequest",{"container_id":"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","exec_id":"91fdfbb6-07fa-4db6-b0be-c4a96f9a55f0","string_user":null,"process":{"Terminal":false,"ConsoleSize":null,"User":{"UID":0,"GID":0,"AdditionalGids":[0,10],"Username":""},"Args":["echo","${ISTIO_META_APP_CONTAINERS}"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","HOSTNAME=exec-test","POD_IP=10.244.0.16","SERVICE_ACCOUNT=default","POD_NAME=exec-test","POD_NAMESPACE=default","PROXY_CONFIG={}\n","ISTIO_META_POD_PORTS=[\n]","ISTIO_META_APP_CONTAINERS=serviceaclient","ISTIO_META_CLUSTER_ID=Kubernetes","ISTIO_META_NODE_NAME=aks-nodepool1-38464071-vmss000000","KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1","KUBERNETES_SERVICE_HOST=10.0.0.1","KUBERNETES_SERVICE_PORT=443","KUBERNETES_SERVICE_PORT_HTTPS=443","KUBERNETES_PORT=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP_PROTO=tcp","KUBERNETES_PORT_443_TCP_PORT=443"],"Cwd":"/","Capabilities":null,"Rlimits":[],"NoNewPrivileges":false,"ApparmorProfile":"","OOMScoreAdj":0,"SelinuxLabel":""}}], + +["ep":"ExecProcessRequest",{"container_id":"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","exec_id":"37faef9b-60ad-4b1d-a421-9481e3e4f155","string_user":null,"process":{"Terminal":false,"ConsoleSize":null,"User":{"UID":0,"GID":0,"AdditionalGids":[0,10],"Username":""},"Args":["echo","Ready 
${POD_IP}!"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","HOSTNAME=exec-test","POD_IP=10.244.0.16","SERVICE_ACCOUNT=default","POD_NAME=exec-test","POD_NAMESPACE=default","PROXY_CONFIG={}\n","ISTIO_META_POD_PORTS=[\n]","ISTIO_META_APP_CONTAINERS=serviceaclient","ISTIO_META_CLUSTER_ID=Kubernetes","ISTIO_META_NODE_NAME=aks-nodepool1-38464071-vmss000000","KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1","KUBERNETES_SERVICE_HOST=10.0.0.1","KUBERNETES_SERVICE_PORT=443","KUBERNETES_SERVICE_PORT_HTTPS=443","KUBERNETES_PORT=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP_PROTO=tcp","KUBERNETES_PORT_443_TCP_PORT=443"],"Cwd":"/","Capabilities":null,"Rlimits":[],"NoNewPrivileges":false,"ApparmorProfile":"","OOMScoreAdj":0,"SelinuxLabel":""}}], + +["ep":"WaitProcessRequest",{"container_id":"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","exec_id":"91fdfbb6-07fa-4db6-b0be-c4a96f9a55f0"}], + +["ep":"WaitProcessRequest",{"container_id":"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","exec_id":"37faef9b-60ad-4b1d-a421-9481e3e4f155"}], + 
+["ep":"ExecProcessRequest",{"container_id":"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","exec_id":"45cce89a-2b14-4af8-a139-a24246b3def0","string_user":null,"process":{"Terminal":false,"ConsoleSize":null,"User":{"UID":0,"GID":0,"AdditionalGids":[0,10],"Username":""},"Args":["echo","${ISTIO_META_APP_CONTAINERS}"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","HOSTNAME=exec-test","POD_IP=10.244.0.16","SERVICE_ACCOUNT=default","POD_NAME=exec-test","POD_NAMESPACE=default","PROXY_CONFIG={}\n","ISTIO_META_POD_PORTS=[\n]","ISTIO_META_APP_CONTAINERS=serviceaclient","ISTIO_META_CLUSTER_ID=Kubernetes","ISTIO_META_NODE_NAME=aks-nodepool1-38464071-vmss000000","KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1","KUBERNETES_SERVICE_HOST=10.0.0.1","KUBERNETES_SERVICE_PORT=443","KUBERNETES_SERVICE_PORT_HTTPS=443","KUBERNETES_PORT=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP_PROTO=tcp","KUBERNETES_PORT_443_TCP_PORT=443"],"Cwd":"/","Capabilities":null,"Rlimits":[],"NoNewPrivileges":false,"ApparmorProfile":"","OOMScoreAdj":0,"SelinuxLabel":""}}], + +["ep":"ExecProcessRequest",{"container_id":"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","exec_id":"3e1adff3-61e4-467e-9b4c-f74e253287b3","string_user":null,"process":{"Terminal":false,"ConsoleSize":null,"User":{"UID":0,"GID":0,"AdditionalGids":[0,10],"Username":""},"Args":["echo","Ready 
${POD_IP}!"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","HOSTNAME=exec-test","POD_IP=10.244.0.16","SERVICE_ACCOUNT=default","POD_NAME=exec-test","POD_NAMESPACE=default","PROXY_CONFIG={}\n","ISTIO_META_POD_PORTS=[\n]","ISTIO_META_APP_CONTAINERS=serviceaclient","ISTIO_META_CLUSTER_ID=Kubernetes","ISTIO_META_NODE_NAME=aks-nodepool1-38464071-vmss000000","KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1","KUBERNETES_SERVICE_HOST=10.0.0.1","KUBERNETES_SERVICE_PORT=443","KUBERNETES_SERVICE_PORT_HTTPS=443","KUBERNETES_PORT=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP_PROTO=tcp","KUBERNETES_PORT_443_TCP_PORT=443"],"Cwd":"/","Capabilities":null,"Rlimits":[],"NoNewPrivileges":false,"ApparmorProfile":"","OOMScoreAdj":0,"SelinuxLabel":""}}], + +["ep":"WaitProcessRequest",{"container_id":"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","exec_id":"45cce89a-2b14-4af8-a139-a24246b3def0"}], + +["ep":"WaitProcessRequest",{"container_id":"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","exec_id":"3e1adff3-61e4-467e-9b4c-f74e253287b3"}], + +["ep":"ExecProcessRequest",{"container_id":"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","exec_id":"1e3e1846-0136-4a05-aa7b-29601f7503f7","string_user":null,"process":{"Terminal":false,"ConsoleSize":null,"User":{"UID":0,"GID":0,"AdditionalGids":[0,10],"Username":""},"Args":["echo","Ready 
${POD_IP}!"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","HOSTNAME=exec-test","POD_IP=10.244.0.16","SERVICE_ACCOUNT=default","POD_NAME=exec-test","POD_NAMESPACE=default","PROXY_CONFIG={}\n","ISTIO_META_POD_PORTS=[\n]","ISTIO_META_APP_CONTAINERS=serviceaclient","ISTIO_META_CLUSTER_ID=Kubernetes","ISTIO_META_NODE_NAME=aks-nodepool1-38464071-vmss000000","KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1","KUBERNETES_SERVICE_HOST=10.0.0.1","KUBERNETES_SERVICE_PORT=443","KUBERNETES_SERVICE_PORT_HTTPS=443","KUBERNETES_PORT=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP_PROTO=tcp","KUBERNETES_PORT_443_TCP_PORT=443"],"Cwd":"/","Capabilities":null,"Rlimits":[],"NoNewPrivileges":false,"ApparmorProfile":"","OOMScoreAdj":0,"SelinuxLabel":""}}], + +["ep":"ExecProcessRequest",{"container_id":"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","exec_id":"f8119a2e-06c8-4e6e-b94d-c7d360ae0c6e","string_user":null,"process":{"Terminal":false,"ConsoleSize":null,"User":{"UID":0,"GID":0,"AdditionalGids":[0,10],"Username":""},"Args":["echo","${ISTIO_META_APP_CONTAINERS}"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","HOSTNAME=exec-test","POD_IP=10.244.0.16","SERVICE_ACCOUNT=default","POD_NAME=exec-test","POD_NAMESPACE=default","PROXY_CONFIG={}\n","ISTIO_META_POD_PORTS=[\n]","ISTIO_META_APP_CONTAINERS=serviceaclient","ISTIO_META_CLUSTER_ID=Kubernetes","ISTIO_META_NODE_NAME=aks-nodepool1-38464071-vmss000000","KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1","KUBERNETES_SERVICE_HOST=10.0.0.1","KUBERNETES_SERVICE_PORT=443","KUBERNETES_SERVICE_PORT_HTTPS=443","KUBERNETES_PORT=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP_PROTO=tcp","KUBERNETES_PORT_443_TCP_PORT=443"],"Cwd":"/","Capabilities":null,"Rlimits":[],"NoNewPrivileges":false,"ApparmorProfile":"","OOMScoreAdj":0,"SelinuxLabel":""}}], + 
+["ep":"WaitProcessRequest",{"container_id":"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","exec_id":"1e3e1846-0136-4a05-aa7b-29601f7503f7"}], + +["ep":"WaitProcessRequest",{"container_id":"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","exec_id":"f8119a2e-06c8-4e6e-b94d-c7d360ae0c6e"}], + +["ep":"ExecProcessRequest",{"container_id":"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","exec_id":"4afec5b2-c29e-42f6-adbb-410b398dc377","string_user":null,"process":{"Terminal":false,"ConsoleSize":null,"User":{"UID":0,"GID":0,"AdditionalGids":[0,10],"Username":""},"Args":["echo","Ready ${POD_IP}!"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","HOSTNAME=exec-test","POD_IP=10.244.0.16","SERVICE_ACCOUNT=default","POD_NAME=exec-test","POD_NAMESPACE=default","PROXY_CONFIG={}\n","ISTIO_META_POD_PORTS=[\n]","ISTIO_META_APP_CONTAINERS=serviceaclient","ISTIO_META_CLUSTER_ID=Kubernetes","ISTIO_META_NODE_NAME=aks-nodepool1-38464071-vmss000000","KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1","KUBERNETES_SERVICE_HOST=10.0.0.1","KUBERNETES_SERVICE_PORT=443","KUBERNETES_SERVICE_PORT_HTTPS=443","KUBERNETES_PORT=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP_PROTO=tcp","KUBERNETES_PORT_443_TCP_PORT=443"],"Cwd":"/","Capabilities":null,"Rlimits":[],"NoNewPrivileges":false,"ApparmorProfile":"","OOMScoreAdj":0,"SelinuxLabel":""}}], + 
+["ep":"ExecProcessRequest",{"container_id":"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","exec_id":"f6abfe03-0dca-41e8-b6a5-d4364c205005","string_user":null,"process":{"Terminal":false,"ConsoleSize":null,"User":{"UID":0,"GID":0,"AdditionalGids":[0,10],"Username":""},"Args":["echo","${ISTIO_META_APP_CONTAINERS}"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","HOSTNAME=exec-test","POD_IP=10.244.0.16","SERVICE_ACCOUNT=default","POD_NAME=exec-test","POD_NAMESPACE=default","PROXY_CONFIG={}\n","ISTIO_META_POD_PORTS=[\n]","ISTIO_META_APP_CONTAINERS=serviceaclient","ISTIO_META_CLUSTER_ID=Kubernetes","ISTIO_META_NODE_NAME=aks-nodepool1-38464071-vmss000000","KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1","KUBERNETES_SERVICE_HOST=10.0.0.1","KUBERNETES_SERVICE_PORT=443","KUBERNETES_SERVICE_PORT_HTTPS=443","KUBERNETES_PORT=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP_PROTO=tcp","KUBERNETES_PORT_443_TCP_PORT=443"],"Cwd":"/","Capabilities":null,"Rlimits":[],"NoNewPrivileges":false,"ApparmorProfile":"","OOMScoreAdj":0,"SelinuxLabel":""}}], + +["ep":"WaitProcessRequest",{"container_id":"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","exec_id":"4afec5b2-c29e-42f6-adbb-410b398dc377"}], + +["ep":"WaitProcessRequest",{"container_id":"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","exec_id":"f6abfe03-0dca-41e8-b6a5-d4364c205005"}], + 
+["ep":"ExecProcessRequest",{"container_id":"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","exec_id":"00945adb-7fa5-43b6-8dc0-b5d36378d1dc","string_user":null,"process":{"Terminal":false,"ConsoleSize":null,"User":{"UID":0,"GID":0,"AdditionalGids":[0,10],"Username":""},"Args":["echo","${ISTIO_META_APP_CONTAINERS}"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","HOSTNAME=exec-test","POD_IP=10.244.0.16","SERVICE_ACCOUNT=default","POD_NAME=exec-test","POD_NAMESPACE=default","PROXY_CONFIG={}\n","ISTIO_META_POD_PORTS=[\n]","ISTIO_META_APP_CONTAINERS=serviceaclient","ISTIO_META_CLUSTER_ID=Kubernetes","ISTIO_META_NODE_NAME=aks-nodepool1-38464071-vmss000000","KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1","KUBERNETES_SERVICE_HOST=10.0.0.1","KUBERNETES_SERVICE_PORT=443","KUBERNETES_SERVICE_PORT_HTTPS=443","KUBERNETES_PORT=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP_PROTO=tcp","KUBERNETES_PORT_443_TCP_PORT=443"],"Cwd":"/","Capabilities":null,"Rlimits":[],"NoNewPrivileges":false,"ApparmorProfile":"","OOMScoreAdj":0,"SelinuxLabel":""}}], + +["ep":"ExecProcessRequest",{"container_id":"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","exec_id":"301bb564-c4fd-484b-8c46-4044c051ba9f","string_user":null,"process":{"Terminal":false,"ConsoleSize":null,"User":{"UID":0,"GID":0,"AdditionalGids":[0,10],"Username":""},"Args":["echo","Ready 
${POD_IP}!"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","HOSTNAME=exec-test","POD_IP=10.244.0.16","SERVICE_ACCOUNT=default","POD_NAME=exec-test","POD_NAMESPACE=default","PROXY_CONFIG={}\n","ISTIO_META_POD_PORTS=[\n]","ISTIO_META_APP_CONTAINERS=serviceaclient","ISTIO_META_CLUSTER_ID=Kubernetes","ISTIO_META_NODE_NAME=aks-nodepool1-38464071-vmss000000","KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1","KUBERNETES_SERVICE_HOST=10.0.0.1","KUBERNETES_SERVICE_PORT=443","KUBERNETES_SERVICE_PORT_HTTPS=443","KUBERNETES_PORT=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP_PROTO=tcp","KUBERNETES_PORT_443_TCP_PORT=443"],"Cwd":"/","Capabilities":null,"Rlimits":[],"NoNewPrivileges":false,"ApparmorProfile":"","OOMScoreAdj":0,"SelinuxLabel":""}}], + +["ep":"WaitProcessRequest",{"container_id":"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","exec_id":"00945adb-7fa5-43b6-8dc0-b5d36378d1dc"}], + +["ep":"WaitProcessRequest",{"container_id":"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","exec_id":"301bb564-c4fd-484b-8c46-4044c051ba9f"}], + 
+["ep":"ExecProcessRequest",{"container_id":"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","exec_id":"28470f50-4f0c-4fca-a247-9634c70d5512","string_user":null,"process":{"Terminal":false,"ConsoleSize":null,"User":{"UID":0,"GID":0,"AdditionalGids":[0,10],"Username":""},"Args":["echo","${ISTIO_META_APP_CONTAINERS}"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","HOSTNAME=exec-test","POD_IP=10.244.0.16","SERVICE_ACCOUNT=default","POD_NAME=exec-test","POD_NAMESPACE=default","PROXY_CONFIG={}\n","ISTIO_META_POD_PORTS=[\n]","ISTIO_META_APP_CONTAINERS=serviceaclient","ISTIO_META_CLUSTER_ID=Kubernetes","ISTIO_META_NODE_NAME=aks-nodepool1-38464071-vmss000000","KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1","KUBERNETES_SERVICE_HOST=10.0.0.1","KUBERNETES_SERVICE_PORT=443","KUBERNETES_SERVICE_PORT_HTTPS=443","KUBERNETES_PORT=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP_PROTO=tcp","KUBERNETES_PORT_443_TCP_PORT=443"],"Cwd":"/","Capabilities":null,"Rlimits":[],"NoNewPrivileges":false,"ApparmorProfile":"","OOMScoreAdj":0,"SelinuxLabel":""}}], + +["ep":"ExecProcessRequest",{"container_id":"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","exec_id":"bbe55000-3e78-43a4-963a-c762cde3a0e2","string_user":null,"process":{"Terminal":false,"ConsoleSize":null,"User":{"UID":0,"GID":0,"AdditionalGids":[0,10],"Username":""},"Args":["echo","Ready 
${POD_IP}!"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","HOSTNAME=exec-test","POD_IP=10.244.0.16","SERVICE_ACCOUNT=default","POD_NAME=exec-test","POD_NAMESPACE=default","PROXY_CONFIG={}\n","ISTIO_META_POD_PORTS=[\n]","ISTIO_META_APP_CONTAINERS=serviceaclient","ISTIO_META_CLUSTER_ID=Kubernetes","ISTIO_META_NODE_NAME=aks-nodepool1-38464071-vmss000000","KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1","KUBERNETES_SERVICE_HOST=10.0.0.1","KUBERNETES_SERVICE_PORT=443","KUBERNETES_SERVICE_PORT_HTTPS=443","KUBERNETES_PORT=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP_PROTO=tcp","KUBERNETES_PORT_443_TCP_PORT=443"],"Cwd":"/","Capabilities":null,"Rlimits":[],"NoNewPrivileges":false,"ApparmorProfile":"","OOMScoreAdj":0,"SelinuxLabel":""}}], + +["ep":"WaitProcessRequest",{"container_id":"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","exec_id":"28470f50-4f0c-4fca-a247-9634c70d5512"}], + +["ep":"WaitProcessRequest",{"container_id":"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","exec_id":"bbe55000-3e78-43a4-963a-c762cde3a0e2"}], + 
+["ep":"ExecProcessRequest",{"container_id":"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","exec_id":"ac547fa2-97c2-4026-9e5a-5c1a51a2fdb1","string_user":null,"process":{"Terminal":false,"ConsoleSize":null,"User":{"UID":0,"GID":0,"AdditionalGids":[0,10],"Username":""},"Args":["echo","${ISTIO_META_APP_CONTAINERS}"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","HOSTNAME=exec-test","POD_IP=10.244.0.16","SERVICE_ACCOUNT=default","POD_NAME=exec-test","POD_NAMESPACE=default","PROXY_CONFIG={}\n","ISTIO_META_POD_PORTS=[\n]","ISTIO_META_APP_CONTAINERS=serviceaclient","ISTIO_META_CLUSTER_ID=Kubernetes","ISTIO_META_NODE_NAME=aks-nodepool1-38464071-vmss000000","KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1","KUBERNETES_SERVICE_HOST=10.0.0.1","KUBERNETES_SERVICE_PORT=443","KUBERNETES_SERVICE_PORT_HTTPS=443","KUBERNETES_PORT=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP_PROTO=tcp","KUBERNETES_PORT_443_TCP_PORT=443"],"Cwd":"/","Capabilities":null,"Rlimits":[],"NoNewPrivileges":false,"ApparmorProfile":"","OOMScoreAdj":0,"SelinuxLabel":""}}], + +["ep":"ExecProcessRequest",{"container_id":"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","exec_id":"de7ce829-d867-4ada-a8df-08de72c3fec2","string_user":null,"process":{"Terminal":false,"ConsoleSize":null,"User":{"UID":0,"GID":0,"AdditionalGids":[0,10],"Username":""},"Args":["echo","Ready 
${POD_IP}!"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","HOSTNAME=exec-test","POD_IP=10.244.0.16","SERVICE_ACCOUNT=default","POD_NAME=exec-test","POD_NAMESPACE=default","PROXY_CONFIG={}\n","ISTIO_META_POD_PORTS=[\n]","ISTIO_META_APP_CONTAINERS=serviceaclient","ISTIO_META_CLUSTER_ID=Kubernetes","ISTIO_META_NODE_NAME=aks-nodepool1-38464071-vmss000000","KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1","KUBERNETES_SERVICE_HOST=10.0.0.1","KUBERNETES_SERVICE_PORT=443","KUBERNETES_SERVICE_PORT_HTTPS=443","KUBERNETES_PORT=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP_PROTO=tcp","KUBERNETES_PORT_443_TCP_PORT=443"],"Cwd":"/","Capabilities":null,"Rlimits":[],"NoNewPrivileges":false,"ApparmorProfile":"","OOMScoreAdj":0,"SelinuxLabel":""}}], + +["ep":"WaitProcessRequest",{"container_id":"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","exec_id":"ac547fa2-97c2-4026-9e5a-5c1a51a2fdb1"}], + +["ep":"WaitProcessRequest",{"container_id":"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","exec_id":"de7ce829-d867-4ada-a8df-08de72c3fec2"}], + 
+["ep":"ExecProcessRequest",{"container_id":"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","exec_id":"a1b1e13c-d22f-41e6-857f-dd256f3f0d6a","string_user":null,"process":{"Terminal":false,"ConsoleSize":null,"User":{"UID":0,"GID":0,"AdditionalGids":[0,10],"Username":""},"Args":["echo","${ISTIO_META_APP_CONTAINERS}"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","HOSTNAME=exec-test","POD_IP=10.244.0.16","SERVICE_ACCOUNT=default","POD_NAME=exec-test","POD_NAMESPACE=default","PROXY_CONFIG={}\n","ISTIO_META_POD_PORTS=[\n]","ISTIO_META_APP_CONTAINERS=serviceaclient","ISTIO_META_CLUSTER_ID=Kubernetes","ISTIO_META_NODE_NAME=aks-nodepool1-38464071-vmss000000","KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1","KUBERNETES_SERVICE_HOST=10.0.0.1","KUBERNETES_SERVICE_PORT=443","KUBERNETES_SERVICE_PORT_HTTPS=443","KUBERNETES_PORT=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP_PROTO=tcp","KUBERNETES_PORT_443_TCP_PORT=443"],"Cwd":"/","Capabilities":null,"Rlimits":[],"NoNewPrivileges":false,"ApparmorProfile":"","OOMScoreAdj":0,"SelinuxLabel":""}}], + +["ep":"ExecProcessRequest",{"container_id":"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","exec_id":"bfb9e571-b1dd-4217-b4a5-6d4d7c277332","string_user":null,"process":{"Terminal":false,"ConsoleSize":null,"User":{"UID":0,"GID":0,"AdditionalGids":[0,10],"Username":""},"Args":["echo","Ready 
${POD_IP}!"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","HOSTNAME=exec-test","POD_IP=10.244.0.16","SERVICE_ACCOUNT=default","POD_NAME=exec-test","POD_NAMESPACE=default","PROXY_CONFIG={}\n","ISTIO_META_POD_PORTS=[\n]","ISTIO_META_APP_CONTAINERS=serviceaclient","ISTIO_META_CLUSTER_ID=Kubernetes","ISTIO_META_NODE_NAME=aks-nodepool1-38464071-vmss000000","KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1","KUBERNETES_SERVICE_HOST=10.0.0.1","KUBERNETES_SERVICE_PORT=443","KUBERNETES_SERVICE_PORT_HTTPS=443","KUBERNETES_PORT=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP_PROTO=tcp","KUBERNETES_PORT_443_TCP_PORT=443"],"Cwd":"/","Capabilities":null,"Rlimits":[],"NoNewPrivileges":false,"ApparmorProfile":"","OOMScoreAdj":0,"SelinuxLabel":""}}], + +["ep":"WaitProcessRequest",{"container_id":"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","exec_id":"a1b1e13c-d22f-41e6-857f-dd256f3f0d6a"}], + +["ep":"WaitProcessRequest",{"container_id":"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","exec_id":"bfb9e571-b1dd-4217-b4a5-6d4d7c277332"}], + +["ep":"ExecProcessRequest",{"container_id":"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","exec_id":"7829bfcf-0e79-4e1c-ab63-3e715f3551d7","string_user":null,"process":{"Terminal":false,"ConsoleSize":null,"User":{"UID":0,"GID":0,"AdditionalGids":[0,10],"Username":""},"Args":["echo","Ready 
${POD_IP}!"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","HOSTNAME=exec-test","POD_IP=10.244.0.16","SERVICE_ACCOUNT=default","POD_NAME=exec-test","POD_NAMESPACE=default","PROXY_CONFIG={}\n","ISTIO_META_POD_PORTS=[\n]","ISTIO_META_APP_CONTAINERS=serviceaclient","ISTIO_META_CLUSTER_ID=Kubernetes","ISTIO_META_NODE_NAME=aks-nodepool1-38464071-vmss000000","KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1","KUBERNETES_SERVICE_HOST=10.0.0.1","KUBERNETES_SERVICE_PORT=443","KUBERNETES_SERVICE_PORT_HTTPS=443","KUBERNETES_PORT=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP_PROTO=tcp","KUBERNETES_PORT_443_TCP_PORT=443"],"Cwd":"/","Capabilities":null,"Rlimits":[],"NoNewPrivileges":false,"ApparmorProfile":"","OOMScoreAdj":0,"SelinuxLabel":""}}], + +["ep":"ExecProcessRequest",{"container_id":"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","exec_id":"56ccd0f4-1142-49a4-9732-146efca8e771","string_user":null,"process":{"Terminal":false,"ConsoleSize":null,"User":{"UID":0,"GID":0,"AdditionalGids":[0,10],"Username":""},"Args":["echo","${ISTIO_META_APP_CONTAINERS}"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","HOSTNAME=exec-test","POD_IP=10.244.0.16","SERVICE_ACCOUNT=default","POD_NAME=exec-test","POD_NAMESPACE=default","PROXY_CONFIG={}\n","ISTIO_META_POD_PORTS=[\n]","ISTIO_META_APP_CONTAINERS=serviceaclient","ISTIO_META_CLUSTER_ID=Kubernetes","ISTIO_META_NODE_NAME=aks-nodepool1-38464071-vmss000000","KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1","KUBERNETES_SERVICE_HOST=10.0.0.1","KUBERNETES_SERVICE_PORT=443","KUBERNETES_SERVICE_PORT_HTTPS=443","KUBERNETES_PORT=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP_PROTO=tcp","KUBERNETES_PORT_443_TCP_PORT=443"],"Cwd":"/","Capabilities":null,"Rlimits":[],"NoNewPrivileges":false,"ApparmorProfile":"","OOMScoreAdj":0,"SelinuxLabel":""}}], + 
+["ep":"WaitProcessRequest",{"container_id":"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","exec_id":"7829bfcf-0e79-4e1c-ab63-3e715f3551d7"}], + +["ep":"WaitProcessRequest",{"container_id":"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","exec_id":"56ccd0f4-1142-49a4-9732-146efca8e771"}], + +["ep":"ExecProcessRequest",{"container_id":"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","exec_id":"ebb9afb5-e802-491d-9a4c-a49e9c0e655b","string_user":null,"process":{"Terminal":false,"ConsoleSize":null,"User":{"UID":0,"GID":0,"AdditionalGids":[0,10],"Username":""},"Args":["echo","${ISTIO_META_APP_CONTAINERS}"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","HOSTNAME=exec-test","POD_IP=10.244.0.16","SERVICE_ACCOUNT=default","POD_NAME=exec-test","POD_NAMESPACE=default","PROXY_CONFIG={}\n","ISTIO_META_POD_PORTS=[\n]","ISTIO_META_APP_CONTAINERS=serviceaclient","ISTIO_META_CLUSTER_ID=Kubernetes","ISTIO_META_NODE_NAME=aks-nodepool1-38464071-vmss000000","KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1","KUBERNETES_SERVICE_HOST=10.0.0.1","KUBERNETES_SERVICE_PORT=443","KUBERNETES_SERVICE_PORT_HTTPS=443","KUBERNETES_PORT=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP_PROTO=tcp","KUBERNETES_PORT_443_TCP_PORT=443"],"Cwd":"/","Capabilities":null,"Rlimits":[],"NoNewPrivileges":false,"ApparmorProfile":"","OOMScoreAdj":0,"SelinuxLabel":""}}], + +["ep":"ExecProcessRequest",{"container_id":"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","exec_id":"15ba4186-176e-4903-b8c9-672f676645ef","string_user":null,"process":{"Terminal":false,"ConsoleSize":null,"User":{"UID":0,"GID":0,"AdditionalGids":[0,10],"Username":""},"Args":["echo","Ready 
${POD_IP}!"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","HOSTNAME=exec-test","POD_IP=10.244.0.16","SERVICE_ACCOUNT=default","POD_NAME=exec-test","POD_NAMESPACE=default","PROXY_CONFIG={}\n","ISTIO_META_POD_PORTS=[\n]","ISTIO_META_APP_CONTAINERS=serviceaclient","ISTIO_META_CLUSTER_ID=Kubernetes","ISTIO_META_NODE_NAME=aks-nodepool1-38464071-vmss000000","KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1","KUBERNETES_SERVICE_HOST=10.0.0.1","KUBERNETES_SERVICE_PORT=443","KUBERNETES_SERVICE_PORT_HTTPS=443","KUBERNETES_PORT=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP_PROTO=tcp","KUBERNETES_PORT_443_TCP_PORT=443"],"Cwd":"/","Capabilities":null,"Rlimits":[],"NoNewPrivileges":false,"ApparmorProfile":"","OOMScoreAdj":0,"SelinuxLabel":""}}],
+
+["ep":"WaitProcessRequest",{"container_id":"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","exec_id":"ebb9afb5-e802-491d-9a4c-a49e9c0e655b"}],
+
+["ep":"WaitProcessRequest",{"container_id":"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6","exec_id":"15ba4186-176e-4903-b8c9-672f676645ef"}],
diff --git a/tests/kata/data/pod-exec/outputs.json b/tests/kata/data/pod-exec/outputs.json
new file mode 100644
index 00000000..de41381e
--- /dev/null
+++ b/tests/kata/data/pod-exec/outputs.json
@@ -0,0 +1,79 @@
+[
+ false,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true
+]
\ No newline at end of file
diff --git a/tests/kata/data/pod-exec/policy.rego b/tests/kata/data/pod-exec/policy.rego
new file mode 100644
index 00000000..2c9a399e
--- /dev/null
+++ b/tests/kata/data/pod-exec/policy.rego
@@ -0,0 +1,1808 @@ +# Copyright (c) 2023 Microsoft Corporation +# +# SPDX-License-Identifier: Apache-2.0 +# +package agent_policy + +import future.keywords.in +import future.keywords.every + +# Default values, returned by OPA when rules cannot be evaluated to true. +default AddARPNeighborsRequest := false +default AddSwapRequest := false +default CloseStdinRequest := false +default CopyFileRequest := false +default CreateContainerRequest := false +default CreateSandboxRequest := false +default DestroySandboxRequest := true +default ExecProcessRequest := false +default GetOOMEventRequest := true +default GuestDetailsRequest := true +default ListInterfacesRequest := false +default ListRoutesRequest := false +default MemHotplugByProbeRequest := false +default OnlineCPUMemRequest := true +default PauseContainerRequest := false +default ReadStreamRequest := false +default RemoveContainerRequest := true +default RemoveStaleVirtiofsShareMountsRequest := true +default ReseedRandomDevRequest := false +default ResumeContainerRequest := false +default SetGuestDateTimeRequest := false +default SetPolicyRequest := false +default SignalProcessRequest := true +default StartContainerRequest := true +default StartTracingRequest := false +default StatsContainerRequest := true +default StopTracingRequest := false +default TtyWinResizeRequest := true +default UpdateContainerRequest := false +default UpdateEphemeralMountsRequest := false +default UpdateInterfaceRequest := true +default UpdateRoutesRequest := true +default WaitProcessRequest := true +default WriteStreamRequest := false + +# AllowRequestsFailingPolicy := true configures the Agent to *allow any +# requests causing a policy failure*. This is an unsecure configuration +# but is useful for allowing unsecure pods to start, then connect to +# them and inspect OPA logs for the root cause of a failure. 
+default AllowRequestsFailingPolicy := false + +CreateContainerRequest { + i_oci := input.OCI + i_storages := input.storages + + print("CreateContainerRequest: i_oci.Hooks =", i_oci.Hooks) + is_null(i_oci.Hooks) + + print("CreateContainerRequest: i_oci.Linux.Seccomp =", i_oci.Linux.Seccomp) + is_null(i_oci.Linux.Seccomp) + + some p_container in policy_data.containers + print("======== CreateContainerRequest: trying next policy container") + + p_pidns := p_container.sandbox_pidns + i_pidns := input.sandbox_pidns + print("CreateContainerRequest: p_pidns =", p_pidns, "i_pidns =", i_pidns) + p_pidns == i_pidns + + p_oci := p_container.OCI + + print("CreateContainerRequest: p Version =", p_oci.Version, "i Version =", i_oci.Version) + p_oci.Version == i_oci.Version + + print("CreateContainerRequest: p Readonly =", p_oci.Root.Readonly, "i Readonly =", i_oci.Root.Readonly) + p_oci.Root.Readonly == i_oci.Root.Readonly + + allow_anno(p_oci, i_oci) + + p_storages := p_container.storages + allow_by_anno(p_oci, i_oci, p_storages, i_storages) + + allow_linux(p_oci, i_oci) + + print("CreateContainerRequest: true") +} + +# Reject unexpected annotations. 
+allow_anno(p_oci, i_oci) { + print("allow_anno 1: start") + + not i_oci.Annotations + + print("allow_anno 1: true") +} +allow_anno(p_oci, i_oci) { + print("allow_anno 2: p Annotations =", p_oci.Annotations) + print("allow_anno 2: i Annotations =", i_oci.Annotations) + + i_keys := object.keys(i_oci.Annotations) + print("allow_anno 2: i keys =", i_keys) + + every i_key in i_keys { + allow_anno_key(i_key, p_oci) + } + + print("allow_anno 2: true") +} + +allow_anno_key(i_key, p_oci) { + print("allow_anno_key 1: i key =", i_key) + + startswith(i_key, "io.kubernetes.cri.") + + print("allow_anno_key 1: true") +} +allow_anno_key(i_key, p_oci) { + print("allow_anno_key 2: i key =", i_key) + + some p_key, _ in p_oci.Annotations + p_key == i_key + + print("allow_anno_key 2: true") +} + +# Get the value of the "io.kubernetes.cri.sandbox-name" annotation and +# correlate it with other annotations and process fields. +allow_by_anno(p_oci, i_oci, p_storages, i_storages) { + print("allow_by_anno 1: start") + + s_name := "io.kubernetes.cri.sandbox-name" + + not p_oci.Annotations[s_name] + + i_s_name := i_oci.Annotations[s_name] + print("allow_by_anno 1: i_s_name =", i_s_name) + + allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, i_s_name) + + print("allow_by_anno 1: true") +} +allow_by_anno(p_oci, i_oci, p_storages, i_storages) { + print("allow_by_anno 2: start") + + s_name := "io.kubernetes.cri.sandbox-name" + + p_s_name := p_oci.Annotations[s_name] + i_s_name := i_oci.Annotations[s_name] + print("allow_by_anno 2: i_s_name =", i_s_name, "p_s_name =", p_s_name) + + allow_sandbox_name(p_s_name, i_s_name) + allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, i_s_name) + + print("allow_by_anno 2: true") +} + +allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, s_name) { + print("allow_by_sandbox_name: start") + + s_namespace := "io.kubernetes.cri.sandbox-namespace" + + p_namespace := p_oci.Annotations[s_namespace] + i_namespace := 
i_oci.Annotations[s_namespace] + print("allow_by_sandbox_name: p_namespace =", p_namespace, "i_namespace =", i_namespace) + p_namespace == i_namespace + + allow_by_container_types(p_oci, i_oci, s_name, p_namespace) + allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) + allow_process(p_oci, i_oci, s_name) + + print("allow_by_sandbox_name: true") +} + +allow_sandbox_name(p_s_name, i_s_name) { + print("allow_sandbox_name 1: start") + + p_s_name == i_s_name + + print("allow_sandbox_name 1: true") +} +allow_sandbox_name(p_s_name, i_s_name) { + print("allow_sandbox_name 2: start") + + # TODO: should generated names be handled differently? + contains(p_s_name, "$(generated-name)") + + print("allow_sandbox_name 2: true") +} + +# Check that the "io.kubernetes.cri.container-type" and +# "io.katacontainers.pkg.oci.container_type" annotations designate the +# expected type - either a "sandbox" or a "container". Then, validate +# other annotations based on the actual "sandbox" or "container" value +# from the input container. 
+allow_by_container_types(p_oci, i_oci, s_name, s_namespace) { + print("allow_by_container_types: checking io.kubernetes.cri.container-type") + + c_type := "io.kubernetes.cri.container-type" + + p_cri_type := p_oci.Annotations[c_type] + i_cri_type := i_oci.Annotations[c_type] + print("allow_by_container_types: p_cri_type =", p_cri_type, "i_cri_type =", i_cri_type) + p_cri_type == i_cri_type + + allow_by_container_type(i_cri_type, p_oci, i_oci, s_name, s_namespace) + + print("allow_by_container_types: true") +} + +allow_by_container_type(i_cri_type, p_oci, i_oci, s_name, s_namespace) { + print("allow_by_container_type 1: i_cri_type =", i_cri_type) + i_cri_type == "sandbox" + + i_kata_type := i_oci.Annotations["io.katacontainers.pkg.oci.container_type"] + print("allow_by_container_type 1: i_kata_type =", i_kata_type) + i_kata_type == "pod_sandbox" + + allow_sandbox_container_name(p_oci, i_oci) + allow_sandbox_net_namespace(p_oci, i_oci) + allow_sandbox_log_directory(p_oci, i_oci, s_name, s_namespace) + + print("allow_by_container_type 1: true") +} + +allow_by_container_type(i_cri_type, p_oci, i_oci, s_name, s_namespace) { + print("allow_by_container_type 2: i_cri_type =", i_cri_type) + i_cri_type == "container" + + i_kata_type := i_oci.Annotations["io.katacontainers.pkg.oci.container_type"] + print("allow_by_container_type 2: i_kata_type =", i_kata_type) + i_kata_type == "pod_container" + + allow_container_name(p_oci, i_oci) + allow_net_namespace(p_oci, i_oci) + allow_log_directory(p_oci, i_oci) + + print("allow_by_container_type 2: true") +} + +# "io.kubernetes.cri.container-name" annotation +allow_sandbox_container_name(p_oci, i_oci) { + print("allow_sandbox_container_name: start") + + container_annotation_missing(p_oci, i_oci, "io.kubernetes.cri.container-name") + + print("allow_sandbox_container_name: true") +} + +allow_container_name(p_oci, i_oci) { + print("allow_container_name: start") + + allow_container_annotation(p_oci, i_oci, 
"io.kubernetes.cri.container-name") + + print("allow_container_name: true") +} + +container_annotation_missing(p_oci, i_oci, key) { + print("container_annotation_missing:", key) + + not p_oci.Annotations[key] + not i_oci.Annotations[key] + + print("container_annotation_missing: true") +} + +allow_container_annotation(p_oci, i_oci, key) { + print("allow_container_annotation: key =", key) + + p_value := p_oci.Annotations[key] + i_value := i_oci.Annotations[key] + print("allow_container_annotation: p_value =", p_value, "i_value =", i_value) + + p_value == i_value + + print("allow_container_annotation: true") +} + +# "nerdctl/network-namespace" annotation +allow_sandbox_net_namespace(p_oci, i_oci) { + print("allow_sandbox_net_namespace: start") + + key := "nerdctl/network-namespace" + + p_namespace := p_oci.Annotations[key] + i_namespace := i_oci.Annotations[key] + print("allow_sandbox_net_namespace: p_namespace =", p_namespace, "i_namespace =", i_namespace) + + regex.match(p_namespace, i_namespace) + + print("allow_sandbox_net_namespace: true") +} + +allow_net_namespace(p_oci, i_oci) { + print("allow_net_namespace: start") + + key := "nerdctl/network-namespace" + + not p_oci.Annotations[key] + not i_oci.Annotations[key] + + print("allow_net_namespace: true") +} + +# "io.kubernetes.cri.sandbox-log-directory" annotation +allow_sandbox_log_directory(p_oci, i_oci, s_name, s_namespace) { + print("allow_sandbox_log_directory: start") + + key := "io.kubernetes.cri.sandbox-log-directory" + + p_dir := p_oci.Annotations[key] + regex1 := replace(p_dir, "$(sandbox-name)", s_name) + regex2 := replace(regex1, "$(sandbox-namespace)", s_namespace) + print("allow_sandbox_log_directory: regex2 =", regex2) + + i_dir := i_oci.Annotations[key] + print("allow_sandbox_log_directory: i_dir =", i_dir) + + regex.match(regex2, i_dir) + + print("allow_sandbox_log_directory: true") +} + +allow_log_directory(p_oci, i_oci) { + print("allow_log_directory: start") + + key := 
"io.kubernetes.cri.sandbox-log-directory" + + not p_oci.Annotations[key] + not i_oci.Annotations[key] + + print("allow_log_directory: true") +} + +allow_linux(p_oci, i_oci) { + p_namespaces := p_oci.Linux.Namespaces + print("allow_linux: p namespaces =", p_namespaces) + + i_namespaces := i_oci.Linux.Namespaces + print("allow_linux: i namespaces =", i_namespaces) + + p_namespaces == i_namespaces + + allow_masked_paths(p_oci, i_oci) + allow_readonly_paths(p_oci, i_oci) + + print("allow_linux: true") +} + +allow_masked_paths(p_oci, i_oci) { + p_paths := p_oci.Linux.MaskedPaths + print("allow_masked_paths 1: p_paths =", p_paths) + + i_paths := i_oci.Linux.MaskedPaths + print("allow_masked_paths 1: i_paths =", i_paths) + + allow_masked_paths_array(p_paths, i_paths) + + print("allow_masked_paths 1: true") +} +allow_masked_paths(p_oci, i_oci) { + print("allow_masked_paths 2: start") + + not p_oci.Linux.MaskedPaths + not i_oci.Linux.MaskedPaths + + print("allow_masked_paths 2: true") +} + +# All the policy masked paths must be masked in the input data too. +# Input is allowed to have more masked paths than the policy. 
+allow_masked_paths_array(p_array, i_array) { + every p_elem in p_array { + allow_masked_path(p_elem, i_array) + } +} + +allow_masked_path(p_elem, i_array) { + print("allow_masked_path: p_elem =", p_elem) + + some i_elem in i_array + p_elem == i_elem + + print("allow_masked_path: true") +} + +allow_readonly_paths(p_oci, i_oci) { + p_paths := p_oci.Linux.ReadonlyPaths + print("allow_readonly_paths 1: p_paths =", p_paths) + + i_paths := i_oci.Linux.ReadonlyPaths + print("allow_readonly_paths 1: i_paths =", i_paths) + + allow_readonly_paths_array(p_paths, i_paths, i_oci.Linux.MaskedPaths) + + print("allow_readonly_paths 1: true") +} +allow_readonly_paths(p_oci, i_oci) { + print("allow_readonly_paths 2: start") + + not p_oci.Linux.ReadonlyPaths + not i_oci.Linux.ReadonlyPaths + + print("allow_readonly_paths 2: true") +} + +# All the policy readonly paths must be either: +# - Present in the input readonly paths, or +# - Present in the input masked paths. +# Input is allowed to have more readonly paths than the policy. +allow_readonly_paths_array(p_array, i_array, masked_paths) { + every p_elem in p_array { + allow_readonly_path(p_elem, i_array, masked_paths) + } +} + +allow_readonly_path(p_elem, i_array, masked_paths) { + print("allow_readonly_path 1: p_elem =", p_elem) + + some i_elem in i_array + p_elem == i_elem + + print("allow_readonly_path 1: true") +} +allow_readonly_path(p_elem, i_array, masked_paths) { + print("allow_readonly_path 2: p_elem =", p_elem) + + some i_masked in masked_paths + p_elem == i_masked + + print("allow_readonly_path 2: true") +} + +# Check the consistency of the input "io.katacontainers.pkg.oci.bundle_path" +# and io.kubernetes.cri.sandbox-id" values with other fields. 
+allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) {
+ print("allow_by_bundle_or_sandbox_id: start")
+
+ bundle_path := i_oci.Annotations["io.katacontainers.pkg.oci.bundle_path"]
+ bundle_id := replace(bundle_path, "/run/containerd/io.containerd.runtime.v2.task/k8s.io/", "")
+
+ key := "io.kubernetes.cri.sandbox-id"
+
+ p_regex := p_oci.Annotations[key]
+ sandbox_id := i_oci.Annotations[key]
+
+ print("allow_by_bundle_or_sandbox_id: sandbox_id =", sandbox_id, "regex =", p_regex)
+ regex.match(p_regex, sandbox_id)
+
+ allow_root_path(p_oci, i_oci, bundle_id)
+
+ every i_mount in input.OCI.Mounts {
+ allow_mount(p_oci, i_mount, bundle_id, sandbox_id)
+ }
+
+ allow_storages(p_storages, i_storages, bundle_id, sandbox_id)
+
+ print("allow_by_bundle_or_sandbox_id: true")
+}
+
+allow_process(p_oci, i_oci, s_name) {
+ p_process := p_oci.Process
+ i_process := i_oci.Process
+
+ print("allow_process: i terminal =", i_process.Terminal, "p terminal =", p_process.Terminal)
+ p_process.Terminal == i_process.Terminal
+
+ print("allow_process: i cwd =", i_process.Cwd, "i cwd =", p_process.Cwd)
+ p_process.Cwd == i_process.Cwd
+
+ print("allow_process: i noNewPrivileges =", i_process.NoNewPrivileges, "p noNewPrivileges =", p_process.NoNewPrivileges)
+ p_process.NoNewPrivileges == i_process.NoNewPrivileges
+
+ allow_caps(p_process.Capabilities, i_process.Capabilities)
+ allow_user(p_process, i_process)
+ allow_args(p_process, i_process, s_name)
+ allow_env(p_process, i_process, s_name)
+
+ print("allow_process: true")
+}
+
+allow_user(p_process, i_process) {
+ p_user := p_process.User
+ i_user := i_process.User
+
+ print("allow_user: input uid =", i_user.UID, "policy uid =", p_user.UID)
+ p_user.UID == i_user.UID
+
+ # TODO: track down the reason for registry.k8s.io/pause:3.9 being
+ # executed with gid = 0 despite having "65535:65535" in its container image
+ # config.
+ #print("allow_user: input gid =", i_user.GID, "policy gid =", p_user.GID)
+ #p_user.GID == i_user.GID
+
+ # TODO: compare the additionalGids field too after computing its value
+ # based on /etc/passwd and /etc/group from the container image.
+}
+
+allow_args(p_process, i_process, s_name) {
+ print("allow_args 1: no args")
+
+ not p_process.Args
+ not i_process.Args
+
+ print("allow_args 1: true")
+}
+allow_args(p_process, i_process, s_name) {
+ print("allow_args 2: policy args =", p_process.Args)
+ print("allow_args 2: input args =", i_process.Args)
+
+ count(p_process.Args) == count(i_process.Args)
+
+ every i, i_arg in i_process.Args {
+ allow_arg(i, i_arg, p_process, s_name)
+ }
+
+ print("allow_args 2: true")
+}
+allow_arg(i, i_arg, p_process, s_name) {
+ p_arg := p_process.Args[i]
+ print("allow_arg 1: i =", i, "i_arg =", i_arg, "p_arg =", p_arg)
+
+ p_arg2 := replace(p_arg, "$$", "$")
+ p_arg2 == i_arg
+
+ print("allow_arg 1: true")
+}
+allow_arg(i, i_arg, p_process, s_name) {
+ p_arg := p_process.Args[i]
+ print("allow_arg 2: i =", i, "i_arg =", i_arg, "p_arg =", p_arg)
+
+ # TODO: can $(node-name) be handled better?
+ contains(p_arg, "$(node-name)")
+
+ print("allow_arg 2: true")
+}
+allow_arg(i, i_arg, p_process, s_name) {
+ p_arg := p_process.Args[i]
+ print("allow_arg 3: i =", i, "i_arg =", i_arg, "p_arg =", p_arg)
+
+ p_arg2 := replace(p_arg, "$$", "$")
+ p_arg3 := replace(p_arg2, "$(sandbox-name)", s_name)
+ print("allow_arg 3: p_arg3 =", p_arg3)
+ p_arg3 == i_arg
+
+ print("allow_arg 3: true")
+}
+
+# OCI process.Env field
+allow_env(p_process, i_process, s_name) {
+ print("allow_env: p env =", p_process.Env)
+ print("allow_env: i env =", i_process.Env)
+
+ every i_var in i_process.Env {
+ print("allow_env: i_var =", i_var)
+ allow_var(p_process, i_process, i_var, s_name)
+ }
+
+ print("allow_env: true")
+}
+
+# Allow input env variables that are present in the policy data too.
+allow_var(p_process, i_process, i_var, s_name) { + some p_var in p_process.Env + p_var == i_var + print("allow_var 1: true") +} + +# Match input with one of the policy variables, after substituting $(sandbox-name). +allow_var(p_process, i_process, i_var, s_name) { + some p_var in p_process.Env + p_var2 := replace(p_var, "$(sandbox-name)", s_name) + + print("allow_var 2: p_var2 =", p_var2) + p_var2 == i_var + + print("allow_var 2: true") +} + +# Allow input env variables that match with a request_defaults regex. +allow_var(p_process, i_process, i_var, s_name) { + some p_regex1 in policy_data.request_defaults.CreateContainerRequest.allow_env_regex + p_regex2 := replace(p_regex1, "$(ipv4_a)", policy_data.common.ipv4_a) + p_regex3 := replace(p_regex2, "$(ip_p)", policy_data.common.ip_p) + p_regex4 := replace(p_regex3, "$(svc_name)", policy_data.common.svc_name) + p_regex5 := replace(p_regex4, "$(dns_label)", policy_data.common.dns_label) + + print("allow_var 3: p_regex5 =", p_regex5) + regex.match(p_regex5, i_var) + + print("allow_var 3: true") +} + +# Allow fieldRef "fieldPath: status.podIP" values. +allow_var(p_process, i_process, i_var, s_name) { + name_value := split(i_var, "=") + count(name_value) == 2 + is_ip(name_value[1]) + + some p_var in p_process.Env + allow_pod_ip_var(name_value[0], p_var) + + print("allow_var 4: true") +} + +# Allow common fieldRef variables. +allow_var(p_process, i_process, i_var, s_name) { + name_value := split(i_var, "=") + count(name_value) == 2 + + some p_var in p_process.Env + p_name_value := split(p_var, "=") + count(p_name_value) == 2 + + p_name_value[0] == name_value[0] + + # TODO: should these be handled in a different way? + always_allowed := ["$(host-name)", "$(node-name)", "$(pod-uid)"] + some allowed in always_allowed + contains(p_name_value[1], allowed) + + print("allow_var 5: true") +} + +# Allow fieldRef "fieldPath: status.hostIP" values. 
+allow_var(p_process, i_process, i_var, s_name) { + name_value := split(i_var, "=") + count(name_value) == 2 + is_ip(name_value[1]) + + some p_var in p_process.Env + allow_host_ip_var(name_value[0], p_var) + + print("allow_var 6: true") +} + +# Allow resourceFieldRef values (e.g., "limits.cpu"). +allow_var(p_process, i_process, i_var, s_name) { + name_value := split(i_var, "=") + count(name_value) == 2 + + some p_var in p_process.Env + p_name_value := split(p_var, "=") + count(p_name_value) == 2 + + p_name_value[0] == name_value[0] + + # TODO: should these be handled in a different way? + always_allowed = ["$(resource-field)", "$(todo-annotation)"] + some allowed in always_allowed + contains(p_name_value[1], allowed) + + print("allow_var 7: true") +} + +allow_pod_ip_var(var_name, p_var) { + print("allow_pod_ip_var: var_name =", var_name, "p_var =", p_var) + + p_name_value := split(p_var, "=") + count(p_name_value) == 2 + + p_name_value[0] == var_name + p_name_value[1] == "$(pod-ip)" + + print("allow_pod_ip_var: true") +} + +allow_host_ip_var(var_name, p_var) { + print("allow_host_ip_var: var_name =", var_name, "p_var =", p_var) + + p_name_value := split(p_var, "=") + count(p_name_value) == 2 + + p_name_value[0] == var_name + p_name_value[1] == "$(host-ip)" + + print("allow_host_ip_var: true") +} + +is_ip(value) { + bytes = split(value, ".") + count(bytes) == 4 + + is_ip_first_byte(bytes[0]) + is_ip_other_byte(bytes[1]) + is_ip_other_byte(bytes[2]) + is_ip_other_byte(bytes[3]) +} +is_ip_first_byte(component) { + number = to_number(component) + number >= 1 + number <= 255 +} +is_ip_other_byte(component) { + number = to_number(component) + number >= 0 + number <= 255 +} + +# OCI root.Path +allow_root_path(p_oci, i_oci, bundle_id) { + i_path := i_oci.Root.Path + p_path1 := p_oci.Root.Path + print("allow_root_path: i_path =", i_path, "p_path1 =", p_path1) + + p_path2 := replace(p_path1, "$(cpath)", policy_data.common.cpath) + print("allow_root_path: p_path2 =", p_path2) 
+ + p_path3 := replace(p_path2, "$(bundle-id)", bundle_id) + print("allow_root_path: p_path3 =", p_path3) + + p_path3 == i_path + + print("allow_root_path: true") +} + +# device mounts +allow_mount(p_oci, i_mount, bundle_id, sandbox_id) { + print("allow_mount: i_mount =", i_mount) + + some p_mount in p_oci.Mounts + print("allow_mount: p_mount =", p_mount) + check_mount(p_mount, i_mount, bundle_id, sandbox_id) + + # TODO: are there any other required policy checks for mounts - e.g., + # multiple mounts with same source or destination? + + print("allow_mount: true") +} + +check_mount(p_mount, i_mount, bundle_id, sandbox_id) { + p_mount == i_mount + print("check_mount 1: true") +} +check_mount(p_mount, i_mount, bundle_id, sandbox_id) { + p_mount.destination == i_mount.destination + p_mount.type_ == i_mount.type_ + p_mount.options == i_mount.options + + mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) + + print("check_mount 2: true") +} + +mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) { + regex1 := p_mount.source + regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix) + regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath) + regex4 := replace(regex3, "$(bundle-id)", bundle_id) + + print("mount_source_allows 1: regex4 =", regex4) + regex.match(regex4, i_mount.source) + + print("mount_source_allows 1: true") +} +mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) { + regex1 := p_mount.source + regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix) + regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath) + regex4 := replace(regex3, "$(sandbox-id)", sandbox_id) + + print("mount_source_allows 2: regex4 =", regex4) + regex.match(regex4, i_mount.source) + + print("mount_source_allows 2: true") +} +mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) { + print("mount_source_allows 3: i_mount.source=", i_mount.source) + + i_source_parts = split(i_mount.source, "/") + 
b64_direct_vol_path = i_source_parts[count(i_source_parts) - 1] + + base64.is_valid(b64_direct_vol_path) + + source1 := p_mount.source + print("mount_source_allows 3: source1 =", source1) + + source2 := replace(source1, "$(spath)", policy_data.common.spath) + print("mount_source_allows 3: source2 =", source2) + + source3 := replace(source2, "$(b64-direct-vol-path)", b64_direct_vol_path) + print("mount_source_allows 3: source3 =", source3) + + source3 == i_mount.source + + print("mount_source_allows 3: true") +} + +###################################################################### +# Create container Storages + +allow_storages(p_storages, i_storages, bundle_id, sandbox_id) { + p_count := count(p_storages) + i_count := count(i_storages) + print("allow_storages: p_count =", p_count, "i_count =", i_count) + + p_count == i_count + + # Get the container image layer IDs and verity root hashes, from the "overlayfs" storage. + some overlay_storage in p_storages + overlay_storage.driver == "overlayfs" + print("allow_storages: overlay_storage =", overlay_storage) + count(overlay_storage.options) == 2 + + layer_ids := split(overlay_storage.options[0], ":") + print("allow_storages: layer_ids =", layer_ids) + + root_hashes := split(overlay_storage.options[1], ":") + print("allow_storages: root_hashes =", root_hashes) + + every i_storage in i_storages { + allow_storage(p_storages, i_storage, bundle_id, sandbox_id, layer_ids, root_hashes) + } + + print("allow_storages: true") +} + +allow_storage(p_storages, i_storage, bundle_id, sandbox_id, layer_ids, root_hashes) { + some p_storage in p_storages + + print("allow_storage: p_storage =", p_storage) + print("allow_storage: i_storage =", i_storage) + + p_storage.driver == i_storage.driver + p_storage.driver_options == i_storage.driver_options + p_storage.fs_group == i_storage.fs_group + + allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) + allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) 
+ + # TODO: validate the source field too. + + print("allow_storage: true") +} + +allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) { + print("allow_storage_options 1: start") + + p_storage.driver != "overlayfs" + p_storage.options == i_storage.options + + print("allow_storage_options 1: true") +} +allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) { + print("allow_storage_options 2: start") + + p_storage.driver == "overlayfs" + count(p_storage.options) == 2 + + policy_ids := split(p_storage.options[0], ":") + print("allow_storage_options 2: policy_ids =", policy_ids) + policy_ids == layer_ids + + policy_hashes := split(p_storage.options[1], ":") + print("allow_storage_options 2: policy_hashes =", policy_hashes) + + p_count := count(policy_ids) + print("allow_storage_options 2: p_count =", p_count) + p_count >= 1 + p_count == count(policy_hashes) + + i_count := count(i_storage.options) + print("allow_storage_options 2: i_count =", i_count) + i_count == p_count + 3 + + print("allow_storage_options 2: i_storage.options[0] =", i_storage.options[0]) + i_storage.options[0] == "io.katacontainers.fs-opt.layer-src-prefix=/var/lib/containerd/io.containerd.snapshotter.v1.tardev/layers" + + print("allow_storage_options 2: i_storage.options[i_count - 2] =", i_storage.options[i_count - 2]) + i_storage.options[i_count - 2] == "io.katacontainers.fs-opt.overlay-rw" + + lowerdir := concat("=", ["lowerdir", p_storage.options[0]]) + print("allow_storage_options 2: lowerdir =", lowerdir) + + print("allow_storage_options 2: i_storage.options[i_count - 1] =", i_storage.options[i_count - 1]) + i_storage.options[i_count - 1] == lowerdir + + every i, policy_id in policy_ids { + allow_overlay_layer(policy_id, policy_hashes[i], i_storage.options[i + 1]) + } + + print("allow_storage_options 2: true") +} +allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) { + print("allow_storage_options 3: start") + + p_storage.driver == "blk" + 
count(p_storage.options) == 1 + + startswith(p_storage.options[0], "$(hash") + hash_suffix := trim_left(p_storage.options[0], "$(hash") + + endswith(hash_suffix, ")") + hash_index := trim_right(hash_suffix, ")") + i := to_number(hash_index) + print("allow_storage_options 3: i =", i) + + hash_option := concat("=", ["io.katacontainers.fs-opt.root-hash", root_hashes[i]]) + print("allow_storage_options 3: hash_option =", hash_option) + + count(i_storage.options) == 4 + i_storage.options[0] == "ro" + i_storage.options[1] == "io.katacontainers.fs-opt.block_device=file" + i_storage.options[2] == "io.katacontainers.fs-opt.is-layer" + i_storage.options[3] == hash_option + + print("allow_storage_options 3: true") +} +allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) { + print("allow_storage_options 4: start") + + p_storage.driver == "smb" + count(i_storage.options) == 8 + i_storage.options[0] == "dir_mode=0666" + i_storage.options[1] == "file_mode=0666" + i_storage.options[2] == "mfsymlinks" + i_storage.options[3] == "cache=strict" + i_storage.options[4] == "nosharesock" + i_storage.options[5] == "actimeo=30" + startswith(i_storage.options[6], "addr=") + creds = split(i_storage.options[7], ",") + count(creds) == 2 + startswith(creds[0], "username=") + startswith(creds[1], "password=") + + print("allow_storage_options 4: true") +} + +allow_overlay_layer(policy_id, policy_hash, i_option) { + print("allow_overlay_layer: policy_id =", policy_id, "policy_hash =", policy_hash) + print("allow_overlay_layer: i_option =", i_option) + + startswith(i_option, "io.katacontainers.fs-opt.layer=") + i_value := replace(i_option, "io.katacontainers.fs-opt.layer=", "") + i_value_decoded := base64.decode(i_value) + print("allow_overlay_layer: i_value_decoded =", i_value_decoded) + + policy_suffix := concat("=", ["tar,ro,io.katacontainers.fs-opt.block_device=file,io.katacontainers.fs-opt.is-layer,io.katacontainers.fs-opt.root-hash", policy_hash]) + p_value := concat(",", 
[policy_id, policy_suffix]) + print("allow_overlay_layer: p_value =", p_value) + + p_value == i_value_decoded + + print("allow_overlay_layer: true") +} + +allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { + p_storage.fstype == "tar" + + startswith(p_storage.mount_point, "$(layer") + mount_suffix := trim_left(p_storage.mount_point, "$(layer") + + endswith(mount_suffix, ")") + layer_index := trim_right(mount_suffix, ")") + i := to_number(layer_index) + print("allow_mount_point 1: i =", i) + + layer_id := layer_ids[i] + print("allow_mount_point 1: layer_id =", layer_id) + + p_mount := concat("/", ["/run/kata-containers/sandbox/layers", layer_id]) + print("allow_mount_point 1: p_mount =", p_mount) + + p_mount == i_storage.mount_point + + print("allow_mount_point 1: true") +} +allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { + p_storage.fstype == "fuse3.kata-overlay" + + mount1 := replace(p_storage.mount_point, "$(cpath)", policy_data.common.cpath) + mount2 := replace(mount1, "$(bundle-id)", bundle_id) + print("allow_mount_point 2: mount2 =", mount2) + + mount2 == i_storage.mount_point + + print("allow_mount_point 2: true") +} +allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { + p_storage.fstype == "local" + + mount1 := p_storage.mount_point + print("allow_mount_point 3: mount1 =", mount1) + + mount2 := replace(mount1, "$(cpath)", policy_data.common.cpath) + print("allow_mount_point 3: mount2 =", mount2) + + mount3 := replace(mount2, "$(sandbox-id)", sandbox_id) + print("allow_mount_point 3: mount3 =", mount3) + + regex.match(mount3, i_storage.mount_point) + + print("allow_mount_point 3: true") +} +allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { + p_storage.fstype == "bind" + + mount1 := p_storage.mount_point + print("allow_mount_point 4: mount1 =", mount1) + + mount2 := replace(mount1, "$(cpath)", policy_data.common.cpath) + print("allow_mount_point 4: mount2 =", 
mount2) + + mount3 := replace(mount2, "$(bundle-id)", bundle_id) + print("allow_mount_point 4: mount3 =", mount3) + + regex.match(mount3, i_storage.mount_point) + + print("allow_mount_point 4: true") +} +allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { + p_storage.fstype == "tmpfs" + + mount1 := p_storage.mount_point + print("allow_mount_point 5: mount1 =", mount1) + + regex.match(mount1, i_storage.mount_point) + + print("allow_mount_point 5: true") +} +allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { + print("allow_mount_point 6: i_storage.mount_point =", i_storage.mount_point) + allow_direct_vol_driver(p_storage, i_storage) + + mount1 := p_storage.mount_point + print("allow_mount_point 6: mount1 =", mount1) + + mount2 := replace(mount1, "$(spath)", policy_data.common.spath) + print("allow_mount_point 6: mount2 =", mount2) + + direct_vol_path := i_storage.source + mount3 := replace(mount2, "$(b64-direct-vol-path)", base64url.encode(direct_vol_path)) + print("allow_mount_point 6: mount3 =", mount3) + + mount3 == i_storage.mount_point + + print("allow_mount_point 6: true") +} + +allow_direct_vol_driver(p_storage, i_storage) { + print("allow_direct_vol_driver 1: start") + p_storage.driver == "blk" + print("allow_direct_vol_driver 1: true") +} +allow_direct_vol_driver(p_storage, i_storage) { + print("allow_direct_vol_driver 2: start") + p_storage.driver == "smb" + print("allow_direct_vol_driver 2: true") +} + +# process.Capabilities +allow_caps(p_caps, i_caps) { + print("allow_caps: policy Ambient =", p_caps.Ambient) + print("allow_caps: input Ambient =", i_caps.Ambient) + match_caps(p_caps.Ambient, i_caps.Ambient) + + print("allow_caps: policy Bounding =", p_caps.Bounding) + print("allow_caps: input Bounding =", i_caps.Bounding) + match_caps(p_caps.Bounding, i_caps.Bounding) + + print("allow_caps: policy Effective =", p_caps.Effective) + print("allow_caps: input Effective =", i_caps.Effective) + 
match_caps(p_caps.Effective, i_caps.Effective)
+
+ print("allow_caps: policy Inheritable =", p_caps.Inheritable)
+ print("allow_caps: input Inheritable =", i_caps.Inheritable)
+ match_caps(p_caps.Inheritable, i_caps.Inheritable)
+
+ print("allow_caps: policy Permitted =", p_caps.Permitted)
+ print("allow_caps: input Permitted =", i_caps.Permitted)
+ match_caps(p_caps.Permitted, i_caps.Permitted)
+}
+
+match_caps(p_caps, i_caps) {
+ print("match_caps 1: start")
+
+ p_caps == i_caps
+
+ print("match_caps 1: true")
+}
+match_caps(p_caps, i_caps) {
+ print("match_caps 2: start")
+
+ count(p_caps) == 1
+ p_caps[0] == "$(default_caps)"
+
+ print("match_caps 2: default_caps =", policy_data.common.default_caps)
+ policy_data.common.default_caps == i_caps
+
+ print("match_caps 2: true")
+}
+match_caps(p_caps, i_caps) {
+ print("match_caps 3: start")
+
+ count(p_caps) == 1
+ p_caps[0] == "$(privileged_caps)"
+
+ print("match_caps 3: privileged_caps =", policy_data.common.privileged_caps)
+ policy_data.common.privileged_caps == i_caps
+
+ print("match_caps 3: true")
+}
+
+######################################################################
+check_directory_traversal(i_path) {
+ contains(i_path, "../") == false
+ endswith(i_path, "/..") == false
+ i_path != ".."
+}
+
+check_symlink_source {
+ # TODO: delete this rule once the symlink_src field gets implemented
+ # by all/most Guest VMs.
+ not input.symlink_src
+}
+check_symlink_source {
+ i_src := input.symlink_src
+ print("check_symlink_source: i_src =", i_src)
+
+ startswith(i_src, "/") == false
+ check_directory_traversal(i_src)
+}
+
+allow_sandbox_storages(i_storages) {
+ print("allow_sandbox_storages: i_storages =", i_storages)
+
+ p_storages := policy_data.sandbox.storages
+ every i_storage in i_storages {
+ allow_sandbox_storage(p_storages, i_storage)
+ }
+
+ print("allow_sandbox_storages: true")
+}
+
+allow_sandbox_storage(p_storages, i_storage) {
+ print("allow_sandbox_storage: i_storage =", i_storage)
+
+ some p_storage in p_storages
+ print("allow_sandbox_storage: p_storage =", p_storage)
+ i_storage == p_storage
+
+ print("allow_sandbox_storage: true")
+}
+
+CopyFileRequest {
+ print("CopyFileRequest: input.path =", input.path)
+
+ check_symlink_source
+ check_directory_traversal(input.path)
+
+ some regex1 in policy_data.request_defaults.CopyFileRequest
+ regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix)
+ regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath)
+ regex4 := replace(regex3, "$(bundle-id)", "[a-z0-9]{64}")
+ print("CopyFileRequest: regex4 =", regex4)
+
+ regex.match(regex4, input.path)
+
+ print("CopyFileRequest: true")
+}
+
+CreateSandboxRequest {
+ print("CreateSandboxRequest: input.guest_hook_path =", input.guest_hook_path)
+ count(input.guest_hook_path) == 0
+
+ print("CreateSandboxRequest: input.kernel_modules =", input.kernel_modules)
+ count(input.kernel_modules) == 0
+
+ i_pidns := input.sandbox_pidns
+ print("CreateSandboxRequest: i_pidns =", i_pidns)
+ i_pidns == false
+
+ allow_sandbox_storages(input.storages)
+}
+
+ExecProcessRequest {
+ print("ExecProcessRequest 1: input =", input)
+
+ i_command = concat(" ", input.process.Args)
+ print("ExecProcessRequest 1: i_command =", i_command)
+
+ some p_command in policy_data.request_defaults.ExecProcessRequest.commands
+ print("ExecProcessRequest 1: p_command =", p_command)
+ p_command ==
i_command
+
+ print("ExecProcessRequest 1: true")
+}
+ExecProcessRequest {
+ print("ExecProcessRequest 2: input =", input)
+
+ # TODO: match input container ID with its corresponding container.exec_commands.
+ i_command = concat(" ", input.process.Args)
+ print("ExecProcessRequest 3: i_command =", i_command)
+
+ some container in policy_data.containers
+ some p_command in container.exec_commands
+ print("ExecProcessRequest 2: p_command =", p_command)
+
+ # TODO: should other input data fields be validated as well?
+ p_command == i_command
+
+ print("ExecProcessRequest 2: true")
+}
+ExecProcessRequest {
+ print("ExecProcessRequest 3: input =", input)
+
+ i_command = concat(" ", input.process.Args)
+ print("ExecProcessRequest 3: i_command =", i_command)
+
+ some p_regex in policy_data.request_defaults.ExecProcessRequest.regex
+ print("ExecProcessRequest 3: p_regex =", p_regex)
+
+ regex.match(p_regex, i_command)
+
+ print("ExecProcessRequest 3: true")
+}
+
+CloseStdinRequest {
+ policy_data.request_defaults.CloseStdinRequest == true
+}
+
+ReadStreamRequest {
+ policy_data.request_defaults.ReadStreamRequest == true
+}
+
+UpdateEphemeralMountsRequest {
+ policy_data.request_defaults.UpdateEphemeralMountsRequest == true
+}
+
+WriteStreamRequest {
+ policy_data.request_defaults.WriteStreamRequest == true
+}
+
+policy_data := {
+ "containers": [
+ {
+ "OCI": {
+ "Version": "1.1.0-rc.1",
+ "Process": {
+ "Terminal": false,
+ "User": {
+ "UID": 65535,
+ "GID": 65535,
+ "AdditionalGids": [],
+ "Username": ""
+ },
+ "Args": [
+ "/pause"
+ ],
+ "Env": [
+ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+ ],
+ "Cwd": "/",
+ "Capabilities": {
+ "Ambient": [],
+ "Bounding": [
+ "$(default_caps)"
+ ],
+ "Effective": [
+ "$(default_caps)"
+ ],
+ "Inheritable": [],
+ "Permitted": [
+ "$(default_caps)"
+ ]
+ },
+ "NoNewPrivileges": true
+ },
+ "Root": {
+ "Path": "$(cpath)/$(bundle-id)",
+ "Readonly": true
+ },
+ "Mounts": [
+ {
+ "destination": "/proc",
"source": "proc", + "type_": "proc", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/dev", + "source": "tmpfs", + "type_": "tmpfs", + "options": [ + "nosuid", + "strictatime", + "mode=755", + "size=65536k" + ] + }, + { + "destination": "/dev/pts", + "source": "devpts", + "type_": "devpts", + "options": [ + "nosuid", + "noexec", + "newinstance", + "ptmxmode=0666", + "mode=0620", + "gid=5" + ] + }, + { + "destination": "/dev/shm", + "source": "/run/kata-containers/sandbox/shm", + "type_": "bind", + "options": [ + "rbind" + ] + }, + { + "destination": "/dev/mqueue", + "source": "mqueue", + "type_": "mqueue", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/sys", + "source": "sysfs", + "type_": "sysfs", + "options": [ + "nosuid", + "noexec", + "nodev", + "ro" + ] + }, + { + "destination": "/etc/resolv.conf", + "source": "$(sfprefix)resolv.conf$", + "type_": "bind", + "options": [ + "rbind", + "ro", + "nosuid", + "nodev", + "noexec" + ] + } + ], + "Annotations": { + "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/$(bundle-id)", + "io.katacontainers.pkg.oci.container_type": "pod_sandbox", + "io.kubernetes.cri.container-type": "sandbox", + "io.kubernetes.cri.sandbox-id": "^[a-z0-9]{64}$", + "io.kubernetes.cri.sandbox-log-directory": "^/var/log/pods/$(sandbox-namespace)_$(sandbox-name)_[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "io.kubernetes.cri.sandbox-name": "exec-test", + "io.kubernetes.cri.sandbox-namespace": "default", + "nerdctl/network-namespace": "^/var/run/netns/cni-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$" + }, + "Linux": { + "Namespaces": [ + { + "Type": "ipc", + "Path": "" + }, + { + "Type": "uts", + "Path": "" + }, + { + "Type": "mount", + "Path": "" + } + ], + "MaskedPaths": [ + "/proc/acpi", + "/proc/asound", + "/proc/kcore", + "/proc/keys", + "/proc/latency_stats", + "/proc/timer_list", + 
"/proc/timer_stats", + "/proc/sched_debug", + "/sys/firmware", + "/proc/scsi" + ], + "ReadonlyPaths": [ + "/proc/bus", + "/proc/fs", + "/proc/irq", + "/proc/sys", + "/proc/sysrq-trigger" + ] + } + }, + "storages": [ + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash0)" + ], + "mount_point": "$(layer0)", + "fs_group": null + }, + { + "driver": "overlayfs", + "driver_options": [], + "source": "", + "fstype": "fuse3.kata-overlay", + "options": [ + "5a5aad80055ff20012a50dc25f8df7a29924474324d65f7d5306ee8ee27ff71d", + "817250f1a3e336da76f5bd3fa784e1b26d959b9c131876815ba2604048b70c18" + ], + "mount_point": "$(cpath)/$(bundle-id)", + "fs_group": null + } + ], + "sandbox_pidns": false, + "exec_commands": [] + }, + { + "OCI": { + "Version": "1.1.0-rc.1", + "Process": { + "Terminal": false, + "User": { + "UID": 0, + "GID": 0, + "AdditionalGids": [], + "Username": "" + }, + "Args": [ + "/bin/sh", + "-c", + "while true; do echo Kubernetes; sleep 10; done" + ], + "Env": [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", + "HOSTNAME=$(host-name)", + "POD_NAME=$(sandbox-name)", + "POD_NAMESPACE=default", + "POD_IP=$(pod-ip)", + "SERVICE_ACCOUNT=default", + "PROXY_CONFIG={}\n", + "ISTIO_META_POD_PORTS=[\n]", + "ISTIO_META_APP_CONTAINERS=serviceaclient", + "ISTIO_META_CLUSTER_ID=Kubernetes", + "ISTIO_META_NODE_NAME=$(node-name)" + ], + "Cwd": "/", + "Capabilities": { + "Ambient": [], + "Bounding": [ + "$(privileged_caps)" + ], + "Effective": [ + "$(privileged_caps)" + ], + "Inheritable": [], + "Permitted": [ + "$(privileged_caps)" + ] + }, + "NoNewPrivileges": false + }, + "Root": { + "Path": "$(cpath)/$(bundle-id)", + "Readonly": false + }, + "Mounts": [ + { + "destination": "/proc", + "source": "proc", + "type_": "proc", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/dev", + "source": "tmpfs", + "type_": "tmpfs", + "options": [ + "nosuid", + "strictatime", + "mode=755", 
+ "size=65536k" + ] + }, + { + "destination": "/dev/pts", + "source": "devpts", + "type_": "devpts", + "options": [ + "nosuid", + "noexec", + "newinstance", + "ptmxmode=0666", + "mode=0620", + "gid=5" + ] + }, + { + "destination": "/dev/shm", + "source": "/run/kata-containers/sandbox/shm", + "type_": "bind", + "options": [ + "rbind" + ] + }, + { + "destination": "/dev/mqueue", + "source": "mqueue", + "type_": "mqueue", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/sys", + "source": "sysfs", + "type_": "sysfs", + "options": [ + "nosuid", + "noexec", + "nodev", + "rw" + ] + }, + { + "destination": "/sys/fs/cgroup", + "source": "cgroup", + "type_": "cgroup", + "options": [ + "nosuid", + "noexec", + "nodev", + "relatime", + "rw" + ] + }, + { + "destination": "/etc/hosts", + "source": "$(sfprefix)hosts$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/dev/termination-log", + "source": "$(sfprefix)termination-log$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/etc/hostname", + "source": "$(sfprefix)hostname$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/etc/resolv.conf", + "source": "$(sfprefix)resolv.conf$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/var/run/secrets/kubernetes.io/serviceaccount", + "source": "$(sfprefix)serviceaccount$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "ro" + ] + }, + { + "destination": "/var/run/secrets/azure/tokens", + "source": "$(sfprefix)tokens$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "ro" + ] + } + ], + "Annotations": { + "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/$(bundle-id)", + "io.katacontainers.pkg.oci.container_type": "pod_container", + "io.kubernetes.cri.container-name": "busybox", + 
"io.kubernetes.cri.container-type": "container", + "io.kubernetes.cri.image-name": "mcr.microsoft.com/aks/e2e/library-busybox:master.220314.1-linux-amd64", + "io.kubernetes.cri.sandbox-id": "^[a-z0-9]{64}$", + "io.kubernetes.cri.sandbox-name": "exec-test", + "io.kubernetes.cri.sandbox-namespace": "default" + }, + "Linux": { + "Namespaces": [ + { + "Type": "ipc", + "Path": "" + }, + { + "Type": "uts", + "Path": "" + }, + { + "Type": "mount", + "Path": "" + } + ], + "MaskedPaths": [], + "ReadonlyPaths": [] + } + }, + "storages": [ + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash0)" + ], + "mount_point": "$(layer0)", + "fs_group": null + }, + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash1)" + ], + "mount_point": "$(layer1)", + "fs_group": null + }, + { + "driver": "overlayfs", + "driver_options": [], + "source": "", + "fstype": "fuse3.kata-overlay", + "options": [ + "2c342a137e693c7898aec36da1047f191dc7c1687e66198adacc439cf4adf379:2570e3a19e1bf20ddda45498a9627f61555d2d6c01479b9b76460b679b27d552", + "8568c70c0ccfe0051092e818da769111a59882cd19dd799d3bca5ffa82791080:b643b6217748983830b26ac14a35a3322dd528c00963eaadd91ef55f513dc73f" + ], + "mount_point": "$(cpath)/$(bundle-id)", + "fs_group": null + } + ], + "sandbox_pidns": false, + "exec_commands": [ + "echo ${ISTIO_META_APP_CONTAINERS}", + "echo Ready ${POD_IP}!", + "echo ${ISTIO_META_NODE_NAME} startup" + ] + } + ], + "common": { + "cpath": "/run/kata-containers/shared/containers", + "sfprefix": "^$(cpath)/$(bundle-id)-[a-z0-9]{16}-", + "spath": "/run/kata-containers/sandbox/storage", + "ipv4_a": "((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}", + "ip_p": "[0-9]{1,5}", + "svc_name": "[A-Z0-9_\\.\\-]+", + "dns_label": "[a-zA-Z0-9_\\.\\-]+", + "default_caps": [ + "CAP_CHOWN", + "CAP_DAC_OVERRIDE", + "CAP_FSETID", + "CAP_FOWNER", + "CAP_MKNOD", + "CAP_NET_RAW", + "CAP_SETGID", + "CAP_SETUID", + 
"CAP_SETFCAP", + "CAP_SETPCAP", + "CAP_NET_BIND_SERVICE", + "CAP_SYS_CHROOT", + "CAP_KILL", + "CAP_AUDIT_WRITE" + ], + "privileged_caps": [ + "CAP_CHOWN", + "CAP_DAC_OVERRIDE", + "CAP_DAC_READ_SEARCH", + "CAP_FOWNER", + "CAP_FSETID", + "CAP_KILL", + "CAP_SETGID", + "CAP_SETUID", + "CAP_SETPCAP", + "CAP_LINUX_IMMUTABLE", + "CAP_NET_BIND_SERVICE", + "CAP_NET_BROADCAST", + "CAP_NET_ADMIN", + "CAP_NET_RAW", + "CAP_IPC_LOCK", + "CAP_IPC_OWNER", + "CAP_SYS_MODULE", + "CAP_SYS_RAWIO", + "CAP_SYS_CHROOT", + "CAP_SYS_PTRACE", + "CAP_SYS_PACCT", + "CAP_SYS_ADMIN", + "CAP_SYS_BOOT", + "CAP_SYS_NICE", + "CAP_SYS_RESOURCE", + "CAP_SYS_TIME", + "CAP_SYS_TTY_CONFIG", + "CAP_MKNOD", + "CAP_LEASE", + "CAP_AUDIT_WRITE", + "CAP_AUDIT_CONTROL", + "CAP_SETFCAP", + "CAP_MAC_OVERRIDE", + "CAP_MAC_ADMIN", + "CAP_SYSLOG", + "CAP_WAKE_ALARM", + "CAP_BLOCK_SUSPEND", + "CAP_AUDIT_READ", + "CAP_PERFMON", + "CAP_BPF", + "CAP_CHECKPOINT_RESTORE" + ], + "virtio_blk_storage_classes": [ + "cc-local-csi", + "cc-managed-csi", + "cc-managed-premium-csi" + ], + "smb_storage_classes": [ + "cc-azurefile-csi", + "cc-azurefile-premium-csi" + ] + }, + "sandbox": { + "storages": [ + { + "driver": "ephemeral", + "driver_options": [], + "source": "shm", + "fstype": "tmpfs", + "options": [ + "noexec", + "nosuid", + "nodev", + "mode=1777", + "size=67108864" + ], + "mount_point": "/run/kata-containers/sandbox/shm", + "fs_group": null + } + ] + }, + "request_defaults": { + "CreateContainerRequest": { + "allow_env_regex": [ + "^HOSTNAME=$(dns_label)$", + "^$(svc_name)_PORT_$(ip_p)_TCP=tcp://$(ipv4_a):$(ip_p)$", + "^$(svc_name)_PORT_$(ip_p)_TCP_PROTO=tcp$", + "^$(svc_name)_PORT_$(ip_p)_TCP_PORT=$(ip_p)$", + "^$(svc_name)_PORT_$(ip_p)_TCP_ADDR=$(ipv4_a)$", + "^$(svc_name)_SERVICE_HOST=$(ipv4_a)$", + "^$(svc_name)_SERVICE_PORT=$(ip_p)$", + "^$(svc_name)_SERVICE_PORT_$(dns_label)=$(ip_p)$", + "^$(svc_name)_PORT=tcp://$(ipv4_a):$(ip_p)$", + "^AZURE_CLIENT_ID=[A-Fa-f0-9-]*$", + "^AZURE_TENANT_ID=[A-Fa-f0-9-]*$", + 
"^AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/azure/tokens/azure-identity-token$", + "^AZURE_AUTHORITY_HOST=https://login\\.microsoftonline\\.com/$" + ] + }, + "CopyFileRequest": [ + "$(sfprefix)" + ], + "ExecProcessRequest": { + "commands": [], + "regex": [] + }, + "CloseStdinRequest": false, + "ReadStreamRequest": true, + "UpdateEphemeralMountsRequest": false, + "WriteStreamRequest": false + } +} \ No newline at end of file diff --git a/tests/kata/data/pod-lifecycle/inputs.txt b/tests/kata/data/pod-lifecycle/inputs.txt new file mode 100644 index 00000000..e63c532c --- /dev/null +++ b/tests/kata/data/pod-lifecycle/inputs.txt 
@@ -0,0 +1,53 @@ +["ep":"AllowRequestsFailingPolicy",{}], + +["ep":"UpdateInterfaceRequest",{"interface":{"device":"eth0","name":"eth0","IPAddresses":[{"family":0,"address":"10.244.0.17","mask":"24"},{"family":1,"address":"fe80::447c:91ff:fe8d:d420","mask":"64"}],"mtu":1500,"hwAddr":"46:7c:91:8d:d4:20","pciPath":"","type_":"","raw_flags":0}}], + +["ep":"UpdateRoutesRequest",{"routes":{"Routes":[{"dest":"","gateway":"10.244.0.1","device":"eth0","source":"","scope":0,"family":0}]}}], + +["ep":"CreateSandboxRequest",{"hostname":"pod-lifecycle","dns":["search default.svc.cluster.local svc.cluster.local cluster.local","nameserver 10.0.0.10","options ndots:5",""],"storages":[{"driver":"ephemeral","driver_options":[],"source":"shm","fstype":"tmpfs","options":["noexec","nosuid","nodev","mode=1777","size=67108864"],"mount_point":"/run/kata-containers/sandbox/shm","fs_group":null}],"sandbox_pidns":false,"sandbox_id":"a3e5b029b23f8e3a63e5c231cf63688477a77f5036f249f722823eef73771098","guest_hook_path":"","kernel_modules":[]}], + +["ep":"GuestDetailsRequest",{"mem_block_size":true,"mem_hotplug_probe":true}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/a3e5b029b23f8e3a63e5c231cf63688477a77f5036f249f722823eef73771098-34d3b6116093e1e7-resolv.conf","file_size":102,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + 
+["ep":"CreateContainerRequest",{"container_id":"a3e5b029b23f8e3a63e5c231cf63688477a77f5036f249f722823eef73771098","exec_id":"a3e5b029b23f8e3a63e5c231cf63688477a77f5036f249f722823eef73771098","string_user":null,"devices":[],"storages":[{"driver":"blk","driver_options":[],"source":"0001:00:01.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=817250f1a3e336da76f5bd3fa784e1b26d959b9c131876815ba2604048b70c18"],"mount_point":"/run/kata-containers/sandbox/layers/5a5aad80055ff20012a50dc25f8df7a29924474324d65f7d5306ee8ee27ff71d","fs_group":null},{"driver":"overlayfs","driver_options":[],"source":"none","fstype":"fuse3.kata-overlay","options":["io.katacontainers.fs-opt.layer-src-prefix=/var/lib/containerd/io.containerd.snapshotter.v1.tardev/layers","io.katacontainers.fs-opt.layer=NWE1YWFkODAwNTVmZjIwMDEyYTUwZGMyNWY4ZGY3YTI5OTI0NDc0MzI0ZDY1ZjdkNTMwNmVlOGVlMjdmZjcxZCx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPTgxNzI1MGYxYTNlMzM2ZGE3NmY1YmQzZmE3ODRlMWIyNmQ5NTliOWMxMzE4NzY4MTViYTI2MDQwNDhiNzBjMTg=","io.katacontainers.fs-opt.overlay-rw","lowerdir=5a5aad80055ff20012a50dc25f8df7a29924474324d65f7d5306ee8ee27ff71d"],"mount_point":"/run/kata-containers/shared/containers/a3e5b029b23f8e3a63e5c231cf63688477a77f5036f249f722823eef73771098","fs_group":null}],"OCI":{"Version":"1.1.0-rc.1","Process":{"Terminal":false,"ConsoleSize":null,"User":{"UID":65535,"GID":65535,"AdditionalGids":[65535],"Username":""},"Args":["/pause"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],"Cwd":"/","Capabilities":{"Bounding":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Effective":["CAP_CHOWN","CAP_DAC_OVERRIDE
","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Inheritable":[],"Permitted":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Ambient":[]},"Rlimits":[],"NoNewPrivileges":true,"ApparmorProfile":"","OOMScoreAdj":-998,"SelinuxLabel":""},"Root":{"Path":"/run/kata-containers/shared/containers/a3e5b029b23f8e3a63e5c231cf63688477a77f5036f249f722823eef73771098","Readonly":true},"Hostname":"pod-lifecycle","Mounts":[{"destination":"/proc","source":"proc","type_":"proc","options":["nosuid","noexec","nodev"]},{"destination":"/dev","source":"tmpfs","type_":"tmpfs","options":["nosuid","strictatime","mode=755","size=65536k"]},{"destination":"/dev/pts","source":"devpts","type_":"devpts","options":["nosuid","noexec","newinstance","ptmxmode=0666","mode=0620","gid=5"]},{"destination":"/dev/mqueue","source":"mqueue","type_":"mqueue","options":["nosuid","noexec","nodev"]},{"destination":"/sys","source":"sysfs","type_":"sysfs","options":["nosuid","noexec","nodev","ro"]},{"destination":"/dev/shm","source":"/run/kata-containers/sandbox/shm","type_":"bind","options":["rbind"]},{"destination":"/etc/resolv.conf","source":"/run/kata-containers/shared/containers/a3e5b029b23f8e3a63e5c231cf63688477a77f5036f249f722823eef73771098-34d3b6116093e1e7-resolv.conf","type_":"bind","options":["rbind","ro","nosuid","nodev","noexec"]}],"Hooks":null,"Annotations":{"nerdctl/network-namespace":"/var/run/netns/cni-b894e817-0cf4-867e-21d1-af214f3a1a59","io.kubernetes.cri.sandbox-namespace":"default","io.kubernetes.cri.sandbox-log-directory":"/var/log/pods/default_pod-lifecycle_078af1e8-328a-4f89-adfb-bae4455fbf50","io.kubernetes.cri.sandbox-cpu-quota":"0","io.kubernetes.cri.sandbox-cpu-period":"100000","io.kubernetes.cri.sandbox-
uid":"078af1e8-328a-4f89-adfb-bae4455fbf50","io.kubernetes.cri.sandbox-cpu-shares":"2","io.kubernetes.cri.sandbox-id":"a3e5b029b23f8e3a63e5c231cf63688477a77f5036f249f722823eef73771098","io.kubernetes.cri.sandbox-name":"pod-lifecycle","io.kubernetes.cri.sandbox-memory":"0","io.katacontainers.pkg.oci.container_type":"pod_sandbox","io.kubernetes.cri.container-type":"sandbox","io.katacontainers.pkg.oci.bundle_path":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/a3e5b029b23f8e3a63e5c231cf63688477a77f5036f249f722823eef73771098"},"Linux":{"UIDMappings":[],"GIDMappings":[],"Sysctl":{},"Resources":{"Devices":[],"Memory":null,"CPU":{"Shares":2,"Quota":0,"Period":0,"RealtimeRuntime":0,"RealtimePeriod":0,"Cpus":"","Mems":""},"Pids":null,"BlockIO":null,"HugepageLimits":[],"Network":null},"CgroupsPath":"/kubepods/besteffort/pod078af1e8-328a-4f89-adfb-bae4455fbf50/a3e5b029b23f8e3a63e5c231cf63688477a77f5036f249f722823eef73771098","Namespaces":[{"Type":"ipc","Path":""},{"Type":"uts","Path":""},{"Type":"mount","Path":""}],"Devices":[],"Seccomp":null,"RootfsPropagation":"","MaskedPaths":["/proc/acpi","/proc/asound","/proc/kcore","/proc/keys","/proc/latency_stats","/proc/timer_list","/proc/timer_stats","/proc/sched_debug","/sys/firmware","/proc/scsi"],"ReadonlyPaths":["/proc/bus","/proc/fs","/proc/irq","/proc/sys","/proc/sysrq-trigger"],"MountLabel":"","IntelRdt":null},"Solaris":null,"Windows":null},"sandbox_pidns":false,"shared_mounts":[]}], + +["ep":"StartContainerRequest",{"container_id":"a3e5b029b23f8e3a63e5c231cf63688477a77f5036f249f722823eef73771098"}], + +["ep":"WaitProcessRequest",{"container_id":"a3e5b029b23f8e3a63e5c231cf63688477a77f5036f249f722823eef73771098","exec_id":"a3e5b029b23f8e3a63e5c231cf63688477a77f5036f249f722823eef73771098"}], + +["ep":"GetOOMEventRequest",{}], + 
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/45bd74c304beec46aa5a433009e3ab6703d7995c37154ebe6a0d859924ebdf67-a5e55412d673d067-hosts","file_size":209,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/45bd74c304beec46aa5a433009e3ab6703d7995c37154ebe6a0d859924ebdf67-036d9af44f466fd3-termination-log","file_size":0,"file_mode":33206,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/45bd74c304beec46aa5a433009e3ab6703d7995c37154ebe6a0d859924ebdf67-be4bb8149b1a22d4-hostname","file_size":14,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/45bd74c304beec46aa5a433009e3ab6703d7995c37154ebe6a0d859924ebdf67-cbb967c03ec60c27-resolv.conf","file_size":102,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/45bd74c304beec46aa5a433009e3ab6703d7995c37154ebe6a0d859924ebdf67-5551049a2dcacf07-serviceaccount","file_size":0,"file_mode":17407,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/45bd74c304beec46aa5a433009e3ab6703d7995c37154ebe6a0d859924ebdf67-5551049a2dcacf07-serviceaccount/..2024_05_08_18_12_07.1887069138","file_size":0,"file_mode":16877,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/45bd74c304beec46aa5a433009e3ab6703d7995c37154ebe6a0d859924ebdf67-5551049a2dcacf07-serviceaccount/..2024_05_08_18_12_07.1887069138/ca.crt","file_size":1761,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + 
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/45bd74c304beec46aa5a433009e3ab6703d7995c37154ebe6a0d859924ebdf67-5551049a2dcacf07-serviceaccount/..2024_05_08_18_12_07.1887069138/namespace","file_size":7,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/45bd74c304beec46aa5a433009e3ab6703d7995c37154ebe6a0d859924ebdf67-5551049a2dcacf07-serviceaccount/..2024_05_08_18_12_07.1887069138/token","file_size":1501,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/45bd74c304beec46aa5a433009e3ab6703d7995c37154ebe6a0d859924ebdf67-5551049a2dcacf07-serviceaccount/..data","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..2024_05_08_18_12_07.1887069138"}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/45bd74c304beec46aa5a433009e3ab6703d7995c37154ebe6a0d859924ebdf67-5551049a2dcacf07-serviceaccount/ca.crt","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..data/ca.crt"}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/45bd74c304beec46aa5a433009e3ab6703d7995c37154ebe6a0d859924ebdf67-5551049a2dcacf07-serviceaccount/namespace","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..data/namespace"}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/45bd74c304beec46aa5a433009e3ab6703d7995c37154ebe6a0d859924ebdf67-5551049a2dcacf07-serviceaccount/token","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..data/token"}], + 
+["ep":"CreateContainerRequest",{"container_id":"45bd74c304beec46aa5a433009e3ab6703d7995c37154ebe6a0d859924ebdf67","exec_id":"45bd74c304beec46aa5a433009e3ab6703d7995c37154ebe6a0d859924ebdf67","string_user":null,"devices":[],"storages":[{"driver":"blk","driver_options":[],"source":"0001:00:02.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=8568c70c0ccfe0051092e818da769111a59882cd19dd799d3bca5ffa82791080"],"mount_point":"/run/kata-containers/sandbox/layers/2c342a137e693c7898aec36da1047f191dc7c1687e66198adacc439cf4adf379","fs_group":null},{"driver":"blk","driver_options":[],"source":"0001:00:03.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=b643b6217748983830b26ac14a35a3322dd528c00963eaadd91ef55f513dc73f"],"mount_point":"/run/kata-containers/sandbox/layers/2570e3a19e1bf20ddda45498a9627f61555d2d6c01479b9b76460b679b27d552","fs_group":null},{"driver":"overlayfs","driver_options":[],"source":"none","fstype":"fuse3.kata-overlay","options":["io.katacontainers.fs-opt.layer-src-prefix=/var/lib/containerd/io.containerd.snapshotter.v1.tardev/layers","io.katacontainers.fs-opt.layer=MmMzNDJhMTM3ZTY5M2M3ODk4YWVjMzZkYTEwNDdmMTkxZGM3YzE2ODdlNjYxOThhZGFjYzQzOWNmNGFkZjM3OSx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPTg1NjhjNzBjMGNjZmUwMDUxMDkyZTgxOGRhNzY5MTExYTU5ODgyY2QxOWRkNzk5ZDNiY2E1ZmZhODI3OTEwODA=","io.katacontainers.fs-opt.layer=MjU3MGUzYTE5ZTFiZjIwZGRkYTQ1NDk4YTk2MjdmNjE1NTVkMmQ2YzAxNDc5YjliNzY0NjBiNjc5YjI3ZDU1Mix0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPWI2NDNiNjIxNzc0ODk4MzgzMGIyNmFjMTRhMzVhMzMyMmRkNTI4YzAwOTYzZWFhZGQ5MWVmNTVmNTEzZGM3M2Y=","io.kata
containers.fs-opt.overlay-rw","lowerdir=2c342a137e693c7898aec36da1047f191dc7c1687e66198adacc439cf4adf379:2570e3a19e1bf20ddda45498a9627f61555d2d6c01479b9b76460b679b27d552"],"mount_point":"/run/kata-containers/shared/containers/45bd74c304beec46aa5a433009e3ab6703d7995c37154ebe6a0d859924ebdf67","fs_group":null}],"OCI":{"Version":"1.1.0-rc.1","Process":{"Terminal":false,"ConsoleSize":null,"User":{"UID":0,"GID":0,"AdditionalGids":[0,10],"Username":""},"Args":["/bin/sh","-c","while true; do echo pod-lifecycle; sleep 10; done"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","HOSTNAME=pod-lifecycle","POD_NAME=pod-lifecycle","POD_IP=10.244.0.17","SERVICE_ACCOUNT=default","ISTIO_META_CLUSTER_ID=Kubernetes","POD_NAMESPACE=default","PROXY_CONFIG={}\n","ISTIO_META_POD_PORTS=[\n]","ISTIO_META_APP_CONTAINERS=serviceaclient","ISTIO_META_NODE_NAME=aks-nodepool1-38464071-vmss000000","KUBERNETES_SERVICE_HOST=10.0.0.1","KUBERNETES_SERVICE_PORT=443","KUBERNETES_SERVICE_PORT_HTTPS=443","KUBERNETES_PORT=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP_PROTO=tcp","KUBERNETES_PORT_443_TCP_PORT=443","KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1"],"Cwd":"/","Capabilities":{"Bounding":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_DAC_READ_SEARCH","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_SETGID","CAP_SETUID","CAP_SETPCAP","CAP_LINUX_IMMUTABLE","CAP_NET_BIND_SERVICE","CAP_NET_BROADCAST","CAP_NET_ADMIN","CAP_NET_RAW","CAP_IPC_LOCK","CAP_IPC_OWNER","CAP_SYS_MODULE","CAP_SYS_RAWIO","CAP_SYS_CHROOT","CAP_SYS_PTRACE","CAP_SYS_PACCT","CAP_SYS_ADMIN","CAP_SYS_BOOT","CAP_SYS_NICE","CAP_SYS_RESOURCE","CAP_SYS_TIME","CAP_SYS_TTY_CONFIG","CAP_MKNOD","CAP_LEASE","CAP_AUDIT_WRITE","CAP_AUDIT_CONTROL","CAP_SETFCAP","CAP_MAC_OVERRIDE","CAP_MAC_ADMIN","CAP_SYSLOG","CAP_WAKE_ALARM","CAP_BLOCK_SUSPEND","CAP_AUDIT_READ","CAP_PERFMON","CAP_BPF","CAP_CHECKPOINT_RESTORE"],"Effective":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_DAC_READ_SEARCH","CAP_FOWNER","CAP_FSETID","C
AP_KILL","CAP_SETGID","CAP_SETUID","CAP_SETPCAP","CAP_LINUX_IMMUTABLE","CAP_NET_BIND_SERVICE","CAP_NET_BROADCAST","CAP_NET_ADMIN","CAP_NET_RAW","CAP_IPC_LOCK","CAP_IPC_OWNER","CAP_SYS_MODULE","CAP_SYS_RAWIO","CAP_SYS_CHROOT","CAP_SYS_PTRACE","CAP_SYS_PACCT","CAP_SYS_ADMIN","CAP_SYS_BOOT","CAP_SYS_NICE","CAP_SYS_RESOURCE","CAP_SYS_TIME","CAP_SYS_TTY_CONFIG","CAP_MKNOD","CAP_LEASE","CAP_AUDIT_WRITE","CAP_AUDIT_CONTROL","CAP_SETFCAP","CAP_MAC_OVERRIDE","CAP_MAC_ADMIN","CAP_SYSLOG","CAP_WAKE_ALARM","CAP_BLOCK_SUSPEND","CAP_AUDIT_READ","CAP_PERFMON","CAP_BPF","CAP_CHECKPOINT_RESTORE"],"Inheritable":[],"Permitted":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_DAC_READ_SEARCH","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_SETGID","CAP_SETUID","CAP_SETPCAP","CAP_LINUX_IMMUTABLE","CAP_NET_BIND_SERVICE","CAP_NET_BROADCAST","CAP_NET_ADMIN","CAP_NET_RAW","CAP_IPC_LOCK","CAP_IPC_OWNER","CAP_SYS_MODULE","CAP_SYS_RAWIO","CAP_SYS_CHROOT","CAP_SYS_PTRACE","CAP_SYS_PACCT","CAP_SYS_ADMIN","CAP_SYS_BOOT","CAP_SYS_NICE","CAP_SYS_RESOURCE","CAP_SYS_TIME","CAP_SYS_TTY_CONFIG","CAP_MKNOD","CAP_LEASE","CAP_AUDIT_WRITE","CAP_AUDIT_CONTROL","CAP_SETFCAP","CAP_MAC_OVERRIDE","CAP_MAC_ADMIN","CAP_SYSLOG","CAP_WAKE_ALARM","CAP_BLOCK_SUSPEND","CAP_AUDIT_READ","CAP_PERFMON","CAP_BPF","CAP_CHECKPOINT_RESTORE"],"Ambient":[]},"Rlimits":[],"NoNewPrivileges":false,"ApparmorProfile":"","OOMScoreAdj":1000,"SelinuxLabel":""},"Root":{"Path":"/run/kata-containers/shared/containers/45bd74c304beec46aa5a433009e3ab6703d7995c37154ebe6a0d859924ebdf67","Readonly":false},"Hostname":"","Mounts":[{"destination":"/proc","source":"proc","type_":"proc","options":["nosuid","noexec","nodev"]},{"destination":"/dev","source":"tmpfs","type_":"tmpfs","options":["nosuid","strictatime","mode=755","size=65536k"]},{"destination":"/dev/pts","source":"devpts","type_":"devpts","options":["nosuid","noexec","newinstance","ptmxmode=0666","mode=0620","gid=5"]},{"destination":"/dev/mqueue","source":"mqueue","type_":"mqueue","options":["nosuid","noexec
","nodev"]},{"destination":"/sys","source":"sysfs","type_":"sysfs","options":["nosuid","noexec","nodev","rw"]},{"destination":"/sys/fs/cgroup","source":"cgroup","type_":"cgroup","options":["nosuid","noexec","nodev","relatime","rw"]},{"destination":"/etc/hosts","source":"/run/kata-containers/shared/containers/45bd74c304beec46aa5a433009e3ab6703d7995c37154ebe6a0d859924ebdf67-a5e55412d673d067-hosts","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/dev/termination-log","source":"/run/kata-containers/shared/containers/45bd74c304beec46aa5a433009e3ab6703d7995c37154ebe6a0d859924ebdf67-036d9af44f466fd3-termination-log","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/etc/hostname","source":"/run/kata-containers/shared/containers/45bd74c304beec46aa5a433009e3ab6703d7995c37154ebe6a0d859924ebdf67-be4bb8149b1a22d4-hostname","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/etc/resolv.conf","source":"/run/kata-containers/shared/containers/45bd74c304beec46aa5a433009e3ab6703d7995c37154ebe6a0d859924ebdf67-cbb967c03ec60c27-resolv.conf","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/dev/shm","source":"/run/kata-containers/sandbox/shm","type_":"bind","options":["rbind"]},{"destination":"/var/run/secrets/kubernetes.io/serviceaccount","source":"/run/kata-containers/shared/containers/45bd74c304beec46aa5a433009e3ab6703d7995c37154ebe6a0d859924ebdf67-5551049a2dcacf07-serviceaccount","type_":"bind","options":["rbind","rprivate","ro"]}],"Hooks":null,"Annotations":{"io.kubernetes.cri.container-name":"busybox","io.kubernetes.cri.sandbox-namespace":"default","io.kubernetes.cri.sandbox-id":"a3e5b029b23f8e3a63e5c231cf63688477a77f5036f249f722823eef73771098","io.kubernetes.cri.image-name":"mcr.microsoft.com/aks/e2e/library-busybox:master.220314.1-linux-amd64","io.kubernetes.cri.container-type":"container","io.kubernetes.cri.sandbox-name":"pod-lifecycle","io.katacontainers.pkg.oci.container_type":"pod_container","io.katacon
tainers.pkg.oci.bundle_path":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/45bd74c304beec46aa5a433009e3ab6703d7995c37154ebe6a0d859924ebdf67","io.kubernetes.cri.sandbox-uid":"078af1e8-328a-4f89-adfb-bae4455fbf50"},"Linux":{"UIDMappings":[],"GIDMappings":[],"Sysctl":{},"Resources":{"Devices":[],"Memory":{"Limit":0,"Reservation":0,"Swap":0,"Kernel":0,"KernelTCP":0,"Swappiness":0,"DisableOOMKiller":false},"CPU":{"Shares":2,"Quota":0,"Period":100000,"RealtimeRuntime":0,"RealtimePeriod":0,"Cpus":"","Mems":""},"Pids":null,"BlockIO":null,"HugepageLimits":[],"Network":null},"CgroupsPath":"/kubepods/besteffort/pod078af1e8-328a-4f89-adfb-bae4455fbf50/45bd74c304beec46aa5a433009e3ab6703d7995c37154ebe6a0d859924ebdf67","Namespaces":[{"Type":"ipc","Path":""},{"Type":"uts","Path":""},{"Type":"mount","Path":""}],"Devices":[],"Seccomp":null,"RootfsPropagation":"","MaskedPaths":[],"ReadonlyPaths":[],"MountLabel":"","IntelRdt":null},"Solaris":null,"Windows":null},"sandbox_pidns":false,"shared_mounts":[]}], + +["ep":"StartContainerRequest",{"container_id":"45bd74c304beec46aa5a433009e3ab6703d7995c37154ebe6a0d859924ebdf67"}], + +["ep":"ExecProcessRequest",{"container_id":"45bd74c304beec46aa5a433009e3ab6703d7995c37154ebe6a0d859924ebdf67","exec_id":"9de547dd-0cad-42b6-a830-e00c297226bf","string_user":null,"process":{"Terminal":false,"ConsoleSize":null,"User":{"UID":0,"GID":0,"AdditionalGids":[0,10],"Username":""},"Args":["echo","hello from postStart 
hook"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","HOSTNAME=pod-lifecycle","POD_NAME=pod-lifecycle","POD_IP=10.244.0.17","SERVICE_ACCOUNT=default","ISTIO_META_CLUSTER_ID=Kubernetes","POD_NAMESPACE=default","PROXY_CONFIG={}\n","ISTIO_META_POD_PORTS=[\n]","ISTIO_META_APP_CONTAINERS=serviceaclient","ISTIO_META_NODE_NAME=aks-nodepool1-38464071-vmss000000","KUBERNETES_SERVICE_HOST=10.0.0.1","KUBERNETES_SERVICE_PORT=443","KUBERNETES_SERVICE_PORT_HTTPS=443","KUBERNETES_PORT=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP_PROTO=tcp","KUBERNETES_PORT_443_TCP_PORT=443","KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1"],"Cwd":"/","Capabilities":null,"Rlimits":[],"NoNewPrivileges":false,"ApparmorProfile":"","OOMScoreAdj":0,"SelinuxLabel":""}}],
+
+["ep":"WaitProcessRequest",{"container_id":"45bd74c304beec46aa5a433009e3ab6703d7995c37154ebe6a0d859924ebdf67","exec_id":"9de547dd-0cad-42b6-a830-e00c297226bf"}],
diff --git a/tests/kata/data/pod-lifecycle/outputs.json b/tests/kata/data/pod-lifecycle/outputs.json
new file mode 100644
index 00000000..a32d802b
--- /dev/null
+++ b/tests/kata/data/pod-lifecycle/outputs.json
@@ -0,0 +1,29 @@
+[
+ false,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true
+]
\ No newline at end of file
diff --git a/tests/kata/data/pod-lifecycle/policy.rego b/tests/kata/data/pod-lifecycle/policy.rego
new file mode 100644
index 00000000..48f43169
--- /dev/null
+++ b/tests/kata/data/pod-lifecycle/policy.rego
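Review bot: Nothing in the new fixture states how inputs.txt and outputs.json pair up; from the counts (27 request records here, 27 booleans in the outputs.json hunk on the same line) the pairing appears to be positional, so a record added or dropped in one file silently shifts every expectation after it. A short README in tests/kata/data (or a comment in the harness, which is outside this diff) should say that each non-blank line is one `["ep":"<request>",{…}]` record, blank lines separate records, and the N-th boolean in outputs.json is the expected policy verdict for the N-th record. It is also worth stating there that the first record, AllowRequestsFailingPolicy, is expected to evaluate to `false` — that is the check that the policy keeps the fail-open setting disabled, and a later contributor should not "fix" it to `true` to make the run all-green. Finally, the second CreateContainerRequest carries the full privileged capability set with NoNewPrivileges false and empty MaskedPaths/ReadonlyPaths and appears to be expected to pass; naming the fixture's intent (a privileged-pod trace) would make that expectation legible rather than look like an accidental allow.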
@@ -0,0 +1,1806 @@
+# Copyright (c) 2023 Microsoft Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+package agent_policy
+
+import future.keywords.in
+import future.keywords.every
+
+# Default values, returned by OPA when rules cannot be evaluated to true.
+default AddARPNeighborsRequest := false
+default AddSwapRequest := false
+default CloseStdinRequest := false
+default CopyFileRequest := false
+default CreateContainerRequest := false
+default CreateSandboxRequest := false
+default DestroySandboxRequest := true
+default ExecProcessRequest := false
+default GetOOMEventRequest := true
+default GuestDetailsRequest := true
+default ListInterfacesRequest := false
+default ListRoutesRequest := false
+default MemHotplugByProbeRequest := false
+default OnlineCPUMemRequest := true
+default PauseContainerRequest := false
+default ReadStreamRequest := false
+default RemoveContainerRequest := true
+default RemoveStaleVirtiofsShareMountsRequest := true
+default ReseedRandomDevRequest := false
+default ResumeContainerRequest := false
+default SetGuestDateTimeRequest := false
+default SetPolicyRequest := false
+default SignalProcessRequest := true
+default StartContainerRequest := true
+default StartTracingRequest := false
+default StatsContainerRequest := true
+default StopTracingRequest := false
+default TtyWinResizeRequest := true
+default UpdateContainerRequest := false
+default UpdateEphemeralMountsRequest := false
+default UpdateInterfaceRequest := true
+default UpdateRoutesRequest := true
+default WaitProcessRequest := true
+default WriteStreamRequest := false
+
+# AllowRequestsFailingPolicy := true configures the Agent to *allow any
+# requests causing a policy failure*. This is an unsecure configuration
+# but is useful for allowing unsecure pods to start, then connect to
+# them and inspect OPA logs for the root cause of a failure.
+default AllowRequestsFailingPolicy := false
+
+CreateContainerRequest {
+ i_oci := input.OCI
+ i_storages := input.storages
+
+ print("CreateContainerRequest: i_oci.Hooks =", i_oci.Hooks)
+ is_null(i_oci.Hooks)
+
+ print("CreateContainerRequest: i_oci.Linux.Seccomp =", i_oci.Linux.Seccomp)
+ is_null(i_oci.Linux.Seccomp)
+
+ some p_container in policy_data.containers
+ print("======== CreateContainerRequest: trying next policy container")
+
+ p_pidns := p_container.sandbox_pidns
+ i_pidns := input.sandbox_pidns
+ print("CreateContainerRequest: p_pidns =", p_pidns, "i_pidns =", i_pidns)
+ p_pidns == i_pidns
+
+ p_oci := p_container.OCI
+
+ print("CreateContainerRequest: p Version =", p_oci.Version, "i Version =", i_oci.Version)
+ p_oci.Version == i_oci.Version
+
+ print("CreateContainerRequest: p Readonly =", p_oci.Root.Readonly, "i Readonly =", i_oci.Root.Readonly)
+ p_oci.Root.Readonly == i_oci.Root.Readonly
+
+ allow_anno(p_oci, i_oci)
+
+ p_storages := p_container.storages
+ allow_by_anno(p_oci, i_oci, p_storages, i_storages)
+
+ allow_linux(p_oci, i_oci)
+
+ print("CreateContainerRequest: true")
+}
+
+# Reject unexpected annotations.
+allow_anno(p_oci, i_oci) {
+ print("allow_anno 1: start")
+
+ not i_oci.Annotations
+
+ print("allow_anno 1: true")
+}
+allow_anno(p_oci, i_oci) {
+ print("allow_anno 2: p Annotations =", p_oci.Annotations)
+ print("allow_anno 2: i Annotations =", i_oci.Annotations)
+
+ i_keys := object.keys(i_oci.Annotations)
+ print("allow_anno 2: i keys =", i_keys)
+
+ every i_key in i_keys {
+ allow_anno_key(i_key, p_oci)
+ }
+
+ print("allow_anno 2: true")
+}
+
+allow_anno_key(i_key, p_oci) {
+ print("allow_anno_key 1: i key =", i_key)
+
+ startswith(i_key, "io.kubernetes.cri.")
+
+ print("allow_anno_key 1: true")
+}
+allow_anno_key(i_key, p_oci) {
+ print("allow_anno_key 2: i key =", i_key)
+
+ some p_key, _ in p_oci.Annotations
+ p_key == i_key
+
+ print("allow_anno_key 2: true")
+}
+
+# Get the value of the "io.kubernetes.cri.sandbox-name" annotation and
+# correlate it with other annotations and process fields.
+allow_by_anno(p_oci, i_oci, p_storages, i_storages) {
+ print("allow_by_anno 1: start")
+
+ s_name := "io.kubernetes.cri.sandbox-name"
+
+ not p_oci.Annotations[s_name]
+
+ i_s_name := i_oci.Annotations[s_name]
+ print("allow_by_anno 1: i_s_name =", i_s_name)
+
+ allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, i_s_name)
+
+ print("allow_by_anno 1: true")
+}
+allow_by_anno(p_oci, i_oci, p_storages, i_storages) {
+ print("allow_by_anno 2: start")
+
+ s_name := "io.kubernetes.cri.sandbox-name"
+
+ p_s_name := p_oci.Annotations[s_name]
+ i_s_name := i_oci.Annotations[s_name]
+ print("allow_by_anno 2: i_s_name =", i_s_name, "p_s_name =", p_s_name)
+
+ allow_sandbox_name(p_s_name, i_s_name)
+ allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, i_s_name)
+
+ print("allow_by_anno 2: true")
+}
+
+allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, s_name) {
+ print("allow_by_sandbox_name: start")
+
+ s_namespace := "io.kubernetes.cri.sandbox-namespace"
+
+ p_namespace := p_oci.Annotations[s_namespace]
+ i_namespace := i_oci.Annotations[s_namespace]
+ print("allow_by_sandbox_name: p_namespace =", p_namespace, "i_namespace =", i_namespace)
+ p_namespace == i_namespace
+
+ allow_by_container_types(p_oci, i_oci, s_name, p_namespace)
+ allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages)
+ allow_process(p_oci, i_oci, s_name)
+
+ print("allow_by_sandbox_name: true")
+}
+
+allow_sandbox_name(p_s_name, i_s_name) {
+ print("allow_sandbox_name 1: start")
+
+ p_s_name == i_s_name
+
+ print("allow_sandbox_name 1: true")
+}
+allow_sandbox_name(p_s_name, i_s_name) {
+ print("allow_sandbox_name 2: start")
+
+ # TODO: should generated names be handled differently?
+ contains(p_s_name, "$(generated-name)")
+
+ print("allow_sandbox_name 2: true")
+}
+
+# Check that the "io.kubernetes.cri.container-type" and
+# "io.katacontainers.pkg.oci.container_type" annotations designate the
+# expected type - either a "sandbox" or a "container". Then, validate
+# other annotations based on the actual "sandbox" or "container" value
+# from the input container.
+allow_by_container_types(p_oci, i_oci, s_name, s_namespace) { + print("allow_by_container_types: checking io.kubernetes.cri.container-type") + + c_type := "io.kubernetes.cri.container-type" + + p_cri_type := p_oci.Annotations[c_type] + i_cri_type := i_oci.Annotations[c_type] + print("allow_by_container_types: p_cri_type =", p_cri_type, "i_cri_type =", i_cri_type) + p_cri_type == i_cri_type + + allow_by_container_type(i_cri_type, p_oci, i_oci, s_name, s_namespace) + + print("allow_by_container_types: true") +} + +allow_by_container_type(i_cri_type, p_oci, i_oci, s_name, s_namespace) { + print("allow_by_container_type 1: i_cri_type =", i_cri_type) + i_cri_type == "sandbox" + + i_kata_type := i_oci.Annotations["io.katacontainers.pkg.oci.container_type"] + print("allow_by_container_type 1: i_kata_type =", i_kata_type) + i_kata_type == "pod_sandbox" + + allow_sandbox_container_name(p_oci, i_oci) + allow_sandbox_net_namespace(p_oci, i_oci) + allow_sandbox_log_directory(p_oci, i_oci, s_name, s_namespace) + + print("allow_by_container_type 1: true") +} + +allow_by_container_type(i_cri_type, p_oci, i_oci, s_name, s_namespace) { + print("allow_by_container_type 2: i_cri_type =", i_cri_type) + i_cri_type == "container" + + i_kata_type := i_oci.Annotations["io.katacontainers.pkg.oci.container_type"] + print("allow_by_container_type 2: i_kata_type =", i_kata_type) + i_kata_type == "pod_container" + + allow_container_name(p_oci, i_oci) + allow_net_namespace(p_oci, i_oci) + allow_log_directory(p_oci, i_oci) + + print("allow_by_container_type 2: true") +} + +# "io.kubernetes.cri.container-name" annotation +allow_sandbox_container_name(p_oci, i_oci) { + print("allow_sandbox_container_name: start") + + container_annotation_missing(p_oci, i_oci, "io.kubernetes.cri.container-name") + + print("allow_sandbox_container_name: true") +} + +allow_container_name(p_oci, i_oci) { + print("allow_container_name: start") + + allow_container_annotation(p_oci, i_oci, 
"io.kubernetes.cri.container-name") + + print("allow_container_name: true") +} + +container_annotation_missing(p_oci, i_oci, key) { + print("container_annotation_missing:", key) + + not p_oci.Annotations[key] + not i_oci.Annotations[key] + + print("container_annotation_missing: true") +} + +allow_container_annotation(p_oci, i_oci, key) { + print("allow_container_annotation: key =", key) + + p_value := p_oci.Annotations[key] + i_value := i_oci.Annotations[key] + print("allow_container_annotation: p_value =", p_value, "i_value =", i_value) + + p_value == i_value + + print("allow_container_annotation: true") +} + +# "nerdctl/network-namespace" annotation +allow_sandbox_net_namespace(p_oci, i_oci) { + print("allow_sandbox_net_namespace: start") + + key := "nerdctl/network-namespace" + + p_namespace := p_oci.Annotations[key] + i_namespace := i_oci.Annotations[key] + print("allow_sandbox_net_namespace: p_namespace =", p_namespace, "i_namespace =", i_namespace) + + regex.match(p_namespace, i_namespace) + + print("allow_sandbox_net_namespace: true") +} + +allow_net_namespace(p_oci, i_oci) { + print("allow_net_namespace: start") + + key := "nerdctl/network-namespace" + + not p_oci.Annotations[key] + not i_oci.Annotations[key] + + print("allow_net_namespace: true") +} + +# "io.kubernetes.cri.sandbox-log-directory" annotation +allow_sandbox_log_directory(p_oci, i_oci, s_name, s_namespace) { + print("allow_sandbox_log_directory: start") + + key := "io.kubernetes.cri.sandbox-log-directory" + + p_dir := p_oci.Annotations[key] + regex1 := replace(p_dir, "$(sandbox-name)", s_name) + regex2 := replace(regex1, "$(sandbox-namespace)", s_namespace) + print("allow_sandbox_log_directory: regex2 =", regex2) + + i_dir := i_oci.Annotations[key] + print("allow_sandbox_log_directory: i_dir =", i_dir) + + regex.match(regex2, i_dir) + + print("allow_sandbox_log_directory: true") +} + +allow_log_directory(p_oci, i_oci) { + print("allow_log_directory: start") + + key := 
"io.kubernetes.cri.sandbox-log-directory" + + not p_oci.Annotations[key] + not i_oci.Annotations[key] + + print("allow_log_directory: true") +} + +allow_linux(p_oci, i_oci) { + p_namespaces := p_oci.Linux.Namespaces + print("allow_linux: p namespaces =", p_namespaces) + + i_namespaces := i_oci.Linux.Namespaces + print("allow_linux: i namespaces =", i_namespaces) + + p_namespaces == i_namespaces + + allow_masked_paths(p_oci, i_oci) + allow_readonly_paths(p_oci, i_oci) + + print("allow_linux: true") +} + +allow_masked_paths(p_oci, i_oci) { + p_paths := p_oci.Linux.MaskedPaths + print("allow_masked_paths 1: p_paths =", p_paths) + + i_paths := i_oci.Linux.MaskedPaths + print("allow_masked_paths 1: i_paths =", i_paths) + + allow_masked_paths_array(p_paths, i_paths) + + print("allow_masked_paths 1: true") +} +allow_masked_paths(p_oci, i_oci) { + print("allow_masked_paths 2: start") + + not p_oci.Linux.MaskedPaths + not i_oci.Linux.MaskedPaths + + print("allow_masked_paths 2: true") +} + +# All the policy masked paths must be masked in the input data too. +# Input is allowed to have more masked paths than the policy. 
+allow_masked_paths_array(p_array, i_array) { + every p_elem in p_array { + allow_masked_path(p_elem, i_array) + } +} + +allow_masked_path(p_elem, i_array) { + print("allow_masked_path: p_elem =", p_elem) + + some i_elem in i_array + p_elem == i_elem + + print("allow_masked_path: true") +} + +allow_readonly_paths(p_oci, i_oci) { + p_paths := p_oci.Linux.ReadonlyPaths + print("allow_readonly_paths 1: p_paths =", p_paths) + + i_paths := i_oci.Linux.ReadonlyPaths + print("allow_readonly_paths 1: i_paths =", i_paths) + + allow_readonly_paths_array(p_paths, i_paths, i_oci.Linux.MaskedPaths) + + print("allow_readonly_paths 1: true") +} +allow_readonly_paths(p_oci, i_oci) { + print("allow_readonly_paths 2: start") + + not p_oci.Linux.ReadonlyPaths + not i_oci.Linux.ReadonlyPaths + + print("allow_readonly_paths 2: true") +} + +# All the policy readonly paths must be either: +# - Present in the input readonly paths, or +# - Present in the input masked paths. +# Input is allowed to have more readonly paths than the policy. +allow_readonly_paths_array(p_array, i_array, masked_paths) { + every p_elem in p_array { + allow_readonly_path(p_elem, i_array, masked_paths) + } +} + +allow_readonly_path(p_elem, i_array, masked_paths) { + print("allow_readonly_path 1: p_elem =", p_elem) + + some i_elem in i_array + p_elem == i_elem + + print("allow_readonly_path 1: true") +} +allow_readonly_path(p_elem, i_array, masked_paths) { + print("allow_readonly_path 2: p_elem =", p_elem) + + some i_masked in masked_paths + p_elem == i_masked + + print("allow_readonly_path 2: true") +} + +# Check the consistency of the input "io.katacontainers.pkg.oci.bundle_path" +# and io.kubernetes.cri.sandbox-id" values with other fields. 
+allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) { + print("allow_by_bundle_or_sandbox_id: start") + + bundle_path := i_oci.Annotations["io.katacontainers.pkg.oci.bundle_path"] + bundle_id := replace(bundle_path, "/run/containerd/io.containerd.runtime.v2.task/k8s.io/", "") + + key := "io.kubernetes.cri.sandbox-id" + + p_regex := p_oci.Annotations[key] + sandbox_id := i_oci.Annotations[key] + + print("allow_by_bundle_or_sandbox_id: sandbox_id =", sandbox_id, "regex =", p_regex) + regex.match(p_regex, sandbox_id) + + allow_root_path(p_oci, i_oci, bundle_id) + + every i_mount in input.OCI.Mounts { + allow_mount(p_oci, i_mount, bundle_id, sandbox_id) + } + + allow_storages(p_storages, i_storages, bundle_id, sandbox_id) + + print("allow_by_bundle_or_sandbox_id: true") +} + +allow_process(p_oci, i_oci, s_name) { + p_process := p_oci.Process + i_process := i_oci.Process + + print("allow_process: i terminal =", i_process.Terminal, "p terminal =", p_process.Terminal) + p_process.Terminal == i_process.Terminal + + print("allow_process: i cwd =", i_process.Cwd, "i cwd =", p_process.Cwd) + p_process.Cwd == i_process.Cwd + + print("allow_process: i noNewPrivileges =", i_process.NoNewPrivileges, "p noNewPrivileges =", p_process.NoNewPrivileges) + p_process.NoNewPrivileges == i_process.NoNewPrivileges + + allow_caps(p_process.Capabilities, i_process.Capabilities) + allow_user(p_process, i_process) + allow_args(p_process, i_process, s_name) + allow_env(p_process, i_process, s_name) + + print("allow_process: true") +} + +allow_user(p_process, i_process) { + p_user := p_process.User + i_user := i_process.User + + print("allow_user: input uid =", i_user.UID, "policy uid =", p_user.UID) + p_user.UID == i_user.UID + + # TODO: track down the reason for registry.k8s.io/pause:3.9 being + # executed with gid = 0 despite having "65535:65535" in its container image + # config. 
+ #print("allow_user: input gid =", i_user.GID, "policy gid =", p_user.GID) + #p_user.GID == i_user.GID + + # TODO: compare the additionalGids field too after computing its value + # based on /etc/passwd and /etc/group from the container image. +} + +allow_args(p_process, i_process, s_name) { + print("allow_args 1: no args") + + not p_process.Args + not i_process.Args + + print("allow_args 1: true") +} +allow_args(p_process, i_process, s_name) { + print("allow_args 2: policy args =", p_process.Args) + print("allow_args 2: input args =", i_process.Args) + + count(p_process.Args) == count(i_process.Args) + + every i, i_arg in i_process.Args { + allow_arg(i, i_arg, p_process, s_name) + } + + print("allow_args 2: true") +} +allow_arg(i, i_arg, p_process, s_name) { + p_arg := p_process.Args[i] + print("allow_arg 1: i =", i, "i_arg =", i_arg, "p_arg =", p_arg) + + p_arg2 := replace(p_arg, "$$", "$") + p_arg2 == i_arg + + print("allow_arg 1: true") +} +allow_arg(i, i_arg, p_process, s_name) { + p_arg := p_process.Args[i] + print("allow_arg 2: i =", i, "i_arg =", i_arg, "p_arg =", p_arg) + + # TODO: can $(node-name) be handled better? + contains(p_arg, "$(node-name)") + + print("allow_arg 2: true") +} +allow_arg(i, i_arg, p_process, s_name) { + p_arg := p_process.Args[i] + print("allow_arg 3: i =", i, "i_arg =", i_arg, "p_arg =", p_arg) + + p_arg2 := replace(p_arg, "$$", "$") + p_arg3 := replace(p_arg2, "$(sandbox-name)", s_name) + print("allow_arg 3: p_arg3 =", p_arg3) + p_arg3 == i_arg + + print("allow_arg 3: true") +} + +# OCI process.Env field +allow_env(p_process, i_process, s_name) { + print("allow_env: p env =", p_process.Env) + print("allow_env: i env =", i_process.Env) + + every i_var in i_process.Env { + print("allow_env: i_var =", i_var) + allow_var(p_process, i_process, i_var, s_name) + } + + print("allow_env: true") +} + +# Allow input env variables that are present in the policy data too. 
+allow_var(p_process, i_process, i_var, s_name) { + some p_var in p_process.Env + p_var == i_var + print("allow_var 1: true") +} + +# Match input with one of the policy variables, after substituting $(sandbox-name). +allow_var(p_process, i_process, i_var, s_name) { + some p_var in p_process.Env + p_var2 := replace(p_var, "$(sandbox-name)", s_name) + + print("allow_var 2: p_var2 =", p_var2) + p_var2 == i_var + + print("allow_var 2: true") +} + +# Allow input env variables that match with a request_defaults regex. +allow_var(p_process, i_process, i_var, s_name) { + some p_regex1 in policy_data.request_defaults.CreateContainerRequest.allow_env_regex + p_regex2 := replace(p_regex1, "$(ipv4_a)", policy_data.common.ipv4_a) + p_regex3 := replace(p_regex2, "$(ip_p)", policy_data.common.ip_p) + p_regex4 := replace(p_regex3, "$(svc_name)", policy_data.common.svc_name) + p_regex5 := replace(p_regex4, "$(dns_label)", policy_data.common.dns_label) + + print("allow_var 3: p_regex5 =", p_regex5) + regex.match(p_regex5, i_var) + + print("allow_var 3: true") +} + +# Allow fieldRef "fieldPath: status.podIP" values. +allow_var(p_process, i_process, i_var, s_name) { + name_value := split(i_var, "=") + count(name_value) == 2 + is_ip(name_value[1]) + + some p_var in p_process.Env + allow_pod_ip_var(name_value[0], p_var) + + print("allow_var 4: true") +} + +# Allow common fieldRef variables. +allow_var(p_process, i_process, i_var, s_name) { + name_value := split(i_var, "=") + count(name_value) == 2 + + some p_var in p_process.Env + p_name_value := split(p_var, "=") + count(p_name_value) == 2 + + p_name_value[0] == name_value[0] + + # TODO: should these be handled in a different way? + always_allowed := ["$(host-name)", "$(node-name)", "$(pod-uid)"] + some allowed in always_allowed + contains(p_name_value[1], allowed) + + print("allow_var 5: true") +} + +# Allow fieldRef "fieldPath: status.hostIP" values. 
+allow_var(p_process, i_process, i_var, s_name) { + name_value := split(i_var, "=") + count(name_value) == 2 + is_ip(name_value[1]) + + some p_var in p_process.Env + allow_host_ip_var(name_value[0], p_var) + + print("allow_var 6: true") +} + +# Allow resourceFieldRef values (e.g., "limits.cpu"). +allow_var(p_process, i_process, i_var, s_name) { + name_value := split(i_var, "=") + count(name_value) == 2 + + some p_var in p_process.Env + p_name_value := split(p_var, "=") + count(p_name_value) == 2 + + p_name_value[0] == name_value[0] + + # TODO: should these be handled in a different way? + always_allowed = ["$(resource-field)", "$(todo-annotation)"] + some allowed in always_allowed + contains(p_name_value[1], allowed) + + print("allow_var 7: true") +} + +allow_pod_ip_var(var_name, p_var) { + print("allow_pod_ip_var: var_name =", var_name, "p_var =", p_var) + + p_name_value := split(p_var, "=") + count(p_name_value) == 2 + + p_name_value[0] == var_name + p_name_value[1] == "$(pod-ip)" + + print("allow_pod_ip_var: true") +} + +allow_host_ip_var(var_name, p_var) { + print("allow_host_ip_var: var_name =", var_name, "p_var =", p_var) + + p_name_value := split(p_var, "=") + count(p_name_value) == 2 + + p_name_value[0] == var_name + p_name_value[1] == "$(host-ip)" + + print("allow_host_ip_var: true") +} + +is_ip(value) { + bytes = split(value, ".") + count(bytes) == 4 + + is_ip_first_byte(bytes[0]) + is_ip_other_byte(bytes[1]) + is_ip_other_byte(bytes[2]) + is_ip_other_byte(bytes[3]) +} +is_ip_first_byte(component) { + number = to_number(component) + number >= 1 + number <= 255 +} +is_ip_other_byte(component) { + number = to_number(component) + number >= 0 + number <= 255 +} + +# OCI root.Path +allow_root_path(p_oci, i_oci, bundle_id) { + i_path := i_oci.Root.Path + p_path1 := p_oci.Root.Path + print("allow_root_path: i_path =", i_path, "p_path1 =", p_path1) + + p_path2 := replace(p_path1, "$(cpath)", policy_data.common.cpath) + print("allow_root_path: p_path2 =", p_path2) 
+ + p_path3 := replace(p_path2, "$(bundle-id)", bundle_id) + print("allow_root_path: p_path3 =", p_path3) + + p_path3 == i_path + + print("allow_root_path: true") +} + +# device mounts +allow_mount(p_oci, i_mount, bundle_id, sandbox_id) { + print("allow_mount: i_mount =", i_mount) + + some p_mount in p_oci.Mounts + print("allow_mount: p_mount =", p_mount) + check_mount(p_mount, i_mount, bundle_id, sandbox_id) + + # TODO: are there any other required policy checks for mounts - e.g., + # multiple mounts with same source or destination? + + print("allow_mount: true") +} + +check_mount(p_mount, i_mount, bundle_id, sandbox_id) { + p_mount == i_mount + print("check_mount 1: true") +} +check_mount(p_mount, i_mount, bundle_id, sandbox_id) { + p_mount.destination == i_mount.destination + p_mount.type_ == i_mount.type_ + p_mount.options == i_mount.options + + mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) + + print("check_mount 2: true") +} + +mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) { + regex1 := p_mount.source + regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix) + regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath) + regex4 := replace(regex3, "$(bundle-id)", bundle_id) + + print("mount_source_allows 1: regex4 =", regex4) + regex.match(regex4, i_mount.source) + + print("mount_source_allows 1: true") +} +mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) { + regex1 := p_mount.source + regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix) + regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath) + regex4 := replace(regex3, "$(sandbox-id)", sandbox_id) + + print("mount_source_allows 2: regex4 =", regex4) + regex.match(regex4, i_mount.source) + + print("mount_source_allows 2: true") +} +mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) { + print("mount_source_allows 3: i_mount.source=", i_mount.source) + + i_source_parts = split(i_mount.source, "/") + 
b64_direct_vol_path = i_source_parts[count(i_source_parts) - 1] + + base64.is_valid(b64_direct_vol_path) + + source1 := p_mount.source + print("mount_source_allows 3: source1 =", source1) + + source2 := replace(source1, "$(spath)", policy_data.common.spath) + print("mount_source_allows 3: source2 =", source2) + + source3 := replace(source2, "$(b64-direct-vol-path)", b64_direct_vol_path) + print("mount_source_allows 3: source3 =", source3) + + source3 == i_mount.source + + print("mount_source_allows 3: true") +} + +###################################################################### +# Create container Storages + +allow_storages(p_storages, i_storages, bundle_id, sandbox_id) { + p_count := count(p_storages) + i_count := count(i_storages) + print("allow_storages: p_count =", p_count, "i_count =", i_count) + + p_count == i_count + + # Get the container image layer IDs and verity root hashes, from the "overlayfs" storage. + some overlay_storage in p_storages + overlay_storage.driver == "overlayfs" + print("allow_storages: overlay_storage =", overlay_storage) + count(overlay_storage.options) == 2 + + layer_ids := split(overlay_storage.options[0], ":") + print("allow_storages: layer_ids =", layer_ids) + + root_hashes := split(overlay_storage.options[1], ":") + print("allow_storages: root_hashes =", root_hashes) + + every i_storage in i_storages { + allow_storage(p_storages, i_storage, bundle_id, sandbox_id, layer_ids, root_hashes) + } + + print("allow_storages: true") +} + +allow_storage(p_storages, i_storage, bundle_id, sandbox_id, layer_ids, root_hashes) { + some p_storage in p_storages + + print("allow_storage: p_storage =", p_storage) + print("allow_storage: i_storage =", i_storage) + + p_storage.driver == i_storage.driver + p_storage.driver_options == i_storage.driver_options + p_storage.fs_group == i_storage.fs_group + + allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) + allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) 
+ + # TODO: validate the source field too. + + print("allow_storage: true") +} + +allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) { + print("allow_storage_options 1: start") + + p_storage.driver != "overlayfs" + p_storage.options == i_storage.options + + print("allow_storage_options 1: true") +} +allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) { + print("allow_storage_options 2: start") + + p_storage.driver == "overlayfs" + count(p_storage.options) == 2 + + policy_ids := split(p_storage.options[0], ":") + print("allow_storage_options 2: policy_ids =", policy_ids) + policy_ids == layer_ids + + policy_hashes := split(p_storage.options[1], ":") + print("allow_storage_options 2: policy_hashes =", policy_hashes) + + p_count := count(policy_ids) + print("allow_storage_options 2: p_count =", p_count) + p_count >= 1 + p_count == count(policy_hashes) + + i_count := count(i_storage.options) + print("allow_storage_options 2: i_count =", i_count) + i_count == p_count + 3 + + print("allow_storage_options 2: i_storage.options[0] =", i_storage.options[0]) + i_storage.options[0] == "io.katacontainers.fs-opt.layer-src-prefix=/var/lib/containerd/io.containerd.snapshotter.v1.tardev/layers" + + print("allow_storage_options 2: i_storage.options[i_count - 2] =", i_storage.options[i_count - 2]) + i_storage.options[i_count - 2] == "io.katacontainers.fs-opt.overlay-rw" + + lowerdir := concat("=", ["lowerdir", p_storage.options[0]]) + print("allow_storage_options 2: lowerdir =", lowerdir) + + print("allow_storage_options 2: i_storage.options[i_count - 1] =", i_storage.options[i_count - 1]) + i_storage.options[i_count - 1] == lowerdir + + every i, policy_id in policy_ids { + allow_overlay_layer(policy_id, policy_hashes[i], i_storage.options[i + 1]) + } + + print("allow_storage_options 2: true") +} +allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) { + print("allow_storage_options 3: start") + + p_storage.driver == "blk" + 
count(p_storage.options) == 1 + + startswith(p_storage.options[0], "$(hash") + hash_suffix := trim_left(p_storage.options[0], "$(hash") + + endswith(hash_suffix, ")") + hash_index := trim_right(hash_suffix, ")") + i := to_number(hash_index) + print("allow_storage_options 3: i =", i) + + hash_option := concat("=", ["io.katacontainers.fs-opt.root-hash", root_hashes[i]]) + print("allow_storage_options 3: hash_option =", hash_option) + + count(i_storage.options) == 4 + i_storage.options[0] == "ro" + i_storage.options[1] == "io.katacontainers.fs-opt.block_device=file" + i_storage.options[2] == "io.katacontainers.fs-opt.is-layer" + i_storage.options[3] == hash_option + + print("allow_storage_options 3: true") +} +allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) { + print("allow_storage_options 4: start") + + p_storage.driver == "smb" + count(i_storage.options) == 8 + i_storage.options[0] == "dir_mode=0666" + i_storage.options[1] == "file_mode=0666" + i_storage.options[2] == "mfsymlinks" + i_storage.options[3] == "cache=strict" + i_storage.options[4] == "nosharesock" + i_storage.options[5] == "actimeo=30" + startswith(i_storage.options[6], "addr=") + creds = split(i_storage.options[7], ",") + count(creds) == 2 + startswith(creds[0], "username=") + startswith(creds[1], "password=") + + print("allow_storage_options 4: true") +} + +allow_overlay_layer(policy_id, policy_hash, i_option) { + print("allow_overlay_layer: policy_id =", policy_id, "policy_hash =", policy_hash) + print("allow_overlay_layer: i_option =", i_option) + + startswith(i_option, "io.katacontainers.fs-opt.layer=") + i_value := replace(i_option, "io.katacontainers.fs-opt.layer=", "") + i_value_decoded := base64.decode(i_value) + print("allow_overlay_layer: i_value_decoded =", i_value_decoded) + + policy_suffix := concat("=", ["tar,ro,io.katacontainers.fs-opt.block_device=file,io.katacontainers.fs-opt.is-layer,io.katacontainers.fs-opt.root-hash", policy_hash]) + p_value := concat(",", 
[policy_id, policy_suffix]) + print("allow_overlay_layer: p_value =", p_value) + + p_value == i_value_decoded + + print("allow_overlay_layer: true") +} + +allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { + p_storage.fstype == "tar" + + startswith(p_storage.mount_point, "$(layer") + mount_suffix := trim_left(p_storage.mount_point, "$(layer") + + endswith(mount_suffix, ")") + layer_index := trim_right(mount_suffix, ")") + i := to_number(layer_index) + print("allow_mount_point 1: i =", i) + + layer_id := layer_ids[i] + print("allow_mount_point 1: layer_id =", layer_id) + + p_mount := concat("/", ["/run/kata-containers/sandbox/layers", layer_id]) + print("allow_mount_point 1: p_mount =", p_mount) + + p_mount == i_storage.mount_point + + print("allow_mount_point 1: true") +} +allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { + p_storage.fstype == "fuse3.kata-overlay" + + mount1 := replace(p_storage.mount_point, "$(cpath)", policy_data.common.cpath) + mount2 := replace(mount1, "$(bundle-id)", bundle_id) + print("allow_mount_point 2: mount2 =", mount2) + + mount2 == i_storage.mount_point + + print("allow_mount_point 2: true") +} +allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { + p_storage.fstype == "local" + + mount1 := p_storage.mount_point + print("allow_mount_point 3: mount1 =", mount1) + + mount2 := replace(mount1, "$(cpath)", policy_data.common.cpath) + print("allow_mount_point 3: mount2 =", mount2) + + mount3 := replace(mount2, "$(sandbox-id)", sandbox_id) + print("allow_mount_point 3: mount3 =", mount3) + + regex.match(mount3, i_storage.mount_point) + + print("allow_mount_point 3: true") +} +allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { + p_storage.fstype == "bind" + + mount1 := p_storage.mount_point + print("allow_mount_point 4: mount1 =", mount1) + + mount2 := replace(mount1, "$(cpath)", policy_data.common.cpath) + print("allow_mount_point 4: mount2 =", 
mount2) + + mount3 := replace(mount2, "$(bundle-id)", bundle_id) + print("allow_mount_point 4: mount3 =", mount3) + + regex.match(mount3, i_storage.mount_point) + + print("allow_mount_point 4: true") +} +allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { + p_storage.fstype == "tmpfs" + + mount1 := p_storage.mount_point + print("allow_mount_point 5: mount1 =", mount1) + + regex.match(mount1, i_storage.mount_point) + + print("allow_mount_point 5: true") +} +allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { + print("allow_mount_point 6: i_storage.mount_point =", i_storage.mount_point) + allow_direct_vol_driver(p_storage, i_storage) + + mount1 := p_storage.mount_point + print("allow_mount_point 6: mount1 =", mount1) + + mount2 := replace(mount1, "$(spath)", policy_data.common.spath) + print("allow_mount_point 6: mount2 =", mount2) + + direct_vol_path := i_storage.source + mount3 := replace(mount2, "$(b64-direct-vol-path)", base64url.encode(direct_vol_path)) + print("allow_mount_point 6: mount3 =", mount3) + + mount3 == i_storage.mount_point + + print("allow_mount_point 6: true") +} + +allow_direct_vol_driver(p_storage, i_storage) { + print("allow_direct_vol_driver 1: start") + p_storage.driver == "blk" + print("allow_direct_vol_driver 1: true") +} +allow_direct_vol_driver(p_storage, i_storage) { + print("allow_direct_vol_driver 2: start") + p_storage.driver == "smb" + print("allow_direct_vol_driver 2: true") +} + +# process.Capabilities +allow_caps(p_caps, i_caps) { + print("allow_caps: policy Ambient =", p_caps.Ambient) + print("allow_caps: input Ambient =", i_caps.Ambient) + match_caps(p_caps.Ambient, i_caps.Ambient) + + print("allow_caps: policy Bounding =", p_caps.Bounding) + print("allow_caps: input Bounding =", i_caps.Bounding) + match_caps(p_caps.Bounding, i_caps.Bounding) + + print("allow_caps: policy Effective =", p_caps.Effective) + print("allow_caps: input Effective =", i_caps.Effective) + 
match_caps(p_caps.Effective, i_caps.Effective) + + print("allow_caps: policy Inheritable =", p_caps.Inheritable) + print("allow_caps: input Inheritable =", i_caps.Inheritable) + match_caps(p_caps.Inheritable, i_caps.Inheritable) + + print("allow_caps: policy Permitted =", p_caps.Permitted) + print("allow_caps: input Permitted =", i_caps.Permitted) + match_caps(p_caps.Permitted, i_caps.Permitted) +} + +match_caps(p_caps, i_caps) { + print("match_caps 1: start") + + p_caps == i_caps + + print("match_caps 1: true") +} +match_caps(p_caps, i_caps) { + print("match_caps 2: start") + + count(p_caps) == 1 + p_caps[0] == "$(default_caps)" + + print("match_caps 2: default_caps =", policy_data.common.default_caps) + policy_data.common.default_caps == i_caps + + print("match_caps 2: true") +} +match_caps(p_caps, i_caps) { + print("match_caps 3: start") + + count(p_caps) == 1 + p_caps[0] == "$(privileged_caps)" + + print("match_caps 3: privileged_caps =", policy_data.common.privileged_caps) + policy_data.common.privileged_caps == i_caps + + print("match_caps 3: true") +} + +###################################################################### +check_directory_traversal(i_path) { + contains(i_path, "../") == false + endswith(i_path, "/..") == false + i_path != ".." +} + +check_symlink_source { + # TODO: delete this rule once the symlink_src field gets implemented + # by all/most Guest VMs. 
+ not input.symlink_src +} +check_symlink_source { + i_src := input.symlink_src + print("check_symlink_source: i_src =", i_src) + + startswith(i_src, "/") == false + check_directory_traversal(i_src) +} + +allow_sandbox_storages(i_storages) { + print("allow_sandbox_storages: i_storages =", i_storages) + + p_storages := policy_data.sandbox.storages + every i_storage in i_storages { + allow_sandbox_storage(p_storages, i_storage) + } + + print("allow_sandbox_storages: true") +} + +allow_sandbox_storage(p_storages, i_storage) { + print("allow_sandbox_storage: i_storage =", i_storage) + + some p_storage in p_storages + print("allow_sandbox_storage: p_storage =", p_storage) + i_storage == p_storage + + print("allow_sandbox_storage: true") +} + +CopyFileRequest { + print("CopyFileRequest: input.path =", input.path) + + check_symlink_source + check_directory_traversal(input.path) + + some regex1 in policy_data.request_defaults.CopyFileRequest + regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix) + regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath) + regex4 := replace(regex3, "$(bundle-id)", "[a-z0-9]{64}") + print("CopyFileRequest: regex4 =", regex4) + + regex.match(regex4, input.path) + + print("CopyFileRequest: true") +} + +CreateSandboxRequest { + print("CreateSandboxRequest: input.guest_hook_path =", input.guest_hook_path) + count(input.guest_hook_path) == 0 + + print("CreateSandboxRequest: input.kernel_modules =", input.kernel_modules) + count(input.kernel_modules) == 0 + + i_pidns := input.sandbox_pidns + print("CreateSandboxRequest: i_pidns =", i_pidns) + i_pidns == false + + allow_sandbox_storages(input.storages) +} + +ExecProcessRequest { + print("ExecProcessRequest 1: input =", input) + + i_command = concat(" ", input.process.Args) + print("ExecProcessRequest 1: i_command =", i_command) + + some p_command in policy_data.request_defaults.ExecProcessRequest.commands + print("ExecProcessRequest 1: p_command =", p_command) + p_command == 
i_command
+
+ print("ExecProcessRequest 1: true")
+}
+ExecProcessRequest {
+ print("ExecProcessRequest 2: input =", input)
+
+ # TODO: match input container ID with its corresponding container.exec_commands.
+ i_command = concat(" ", input.process.Args)
+ print("ExecProcessRequest 3: i_command =", i_command)
+
+ some container in policy_data.containers
+ some p_command in container.exec_commands
+ print("ExecProcessRequest 2: p_command =", p_command)
+
+ # TODO: should other input data fields be validated as well?
+ p_command == i_command
+
+ print("ExecProcessRequest 2: true")
+}
+ExecProcessRequest {
+ print("ExecProcessRequest 3: input =", input)
+
+ i_command = concat(" ", input.process.Args)
+ print("ExecProcessRequest 3: i_command =", i_command)
+
+ some p_regex in policy_data.request_defaults.ExecProcessRequest.regex
+ print("ExecProcessRequest 3: p_regex =", p_regex)
+
+ regex.match(p_regex, i_command)
+
+ print("ExecProcessRequest 3: true")
+}
+
+CloseStdinRequest {
+ policy_data.request_defaults.CloseStdinRequest == true
+}
+
+ReadStreamRequest {
+ policy_data.request_defaults.ReadStreamRequest == true
+}
+
+UpdateEphemeralMountsRequest {
+ policy_data.request_defaults.UpdateEphemeralMountsRequest == true
+}
+
+WriteStreamRequest {
+ policy_data.request_defaults.WriteStreamRequest == true
+}
+
+policy_data := {
+ "containers": [
+ {
+ "OCI": {
+ "Version": "1.1.0-rc.1",
+ "Process": {
+ "Terminal": false,
+ "User": {
+ "UID": 65535,
+ "GID": 65535,
+ "AdditionalGids": [],
+ "Username": ""
+ },
+ "Args": [
+ "/pause"
+ ],
+ "Env": [
+ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+ ],
+ "Cwd": "/",
+ "Capabilities": {
+ "Ambient": [],
+ "Bounding": [
+ "$(default_caps)"
+ ],
+ "Effective": [
+ "$(default_caps)"
+ ],
+ "Inheritable": [],
+ "Permitted": [
+ "$(default_caps)"
+ ]
+ },
+ "NoNewPrivileges": true
+ },
+ "Root": {
+ "Path": "$(cpath)/$(bundle-id)",
+ "Readonly": true
+ },
+ "Mounts": [
+ {
+ "destination": "/proc",
+ "source": "proc",
+ "type_": "proc",
+ "options": [
+ "nosuid",
+ "noexec",
+ "nodev"
+ ]
+ },
+ {
+ "destination": "/dev",
+ "source": "tmpfs",
+ "type_": "tmpfs",
+ "options": [
+ "nosuid",
+ "strictatime",
+ "mode=755",
+ "size=65536k"
+ ]
+ },
+ {
+ "destination": "/dev/pts",
+ "source": "devpts",
+ "type_": "devpts",
+ "options": [
+ "nosuid",
+ "noexec",
+ "newinstance",
+ "ptmxmode=0666",
+ "mode=0620",
+ "gid=5"
+ ]
+ },
+ {
+ "destination": "/dev/shm",
+ "source": "/run/kata-containers/sandbox/shm",
+ "type_": "bind",
+ "options": [
+ "rbind"
+ ]
+ },
+ {
+ "destination": "/dev/mqueue",
+ "source": "mqueue",
+ "type_": "mqueue",
+ "options": [
+ "nosuid",
+ "noexec",
+ "nodev"
+ ]
+ },
+ {
+ "destination": "/sys",
+ "source": "sysfs",
+ "type_": "sysfs",
+ "options": [
+ "nosuid",
+ "noexec",
+ "nodev",
+ "ro"
+ ]
+ },
+ {
+ "destination": "/etc/resolv.conf",
+ "source": "$(sfprefix)resolv.conf$",
+ "type_": "bind",
+ "options": [
+ "rbind",
+ "ro",
+ "nosuid",
+ "nodev",
+ "noexec"
+ ]
+ }
+ ],
+ "Annotations": {
+ "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/$(bundle-id)",
+ "io.katacontainers.pkg.oci.container_type": "pod_sandbox",
+ "io.kubernetes.cri.container-type": "sandbox",
+ "io.kubernetes.cri.sandbox-id": "^[a-z0-9]{64}$",
+ "io.kubernetes.cri.sandbox-log-directory": "^/var/log/pods/$(sandbox-namespace)_$(sandbox-name)_[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
+ "io.kubernetes.cri.sandbox-name": "pod-lifecycle",
+ "io.kubernetes.cri.sandbox-namespace": "default",
+ "nerdctl/network-namespace": "^/var/run/netns/cni-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
+ },
+ "Linux": {
+ "Namespaces": [
+ {
+ "Type": "ipc",
+ "Path": ""
+ },
+ {
+ "Type": "uts",
+ "Path": ""
+ },
+ {
+ "Type": "mount",
+ "Path": ""
+ }
+ ],
+ "MaskedPaths": [
+ "/proc/acpi",
+ "/proc/asound",
+ "/proc/kcore",
+ "/proc/keys",
+ "/proc/latency_stats",
+ "/proc/timer_list",
+ "/proc/timer_stats",
+ "/proc/sched_debug",
+ "/sys/firmware",
+ "/proc/scsi"
+ ],
+ "ReadonlyPaths": [
+ "/proc/bus",
+ "/proc/fs",
+ "/proc/irq",
+ "/proc/sys",
+ "/proc/sysrq-trigger"
+ ]
+ }
+ },
+ "storages": [
+ {
+ "driver": "blk",
+ "driver_options": [],
+ "source": "",
+ "fstype": "tar",
+ "options": [
+ "$(hash0)"
+ ],
+ "mount_point": "$(layer0)",
+ "fs_group": null
+ },
+ {
+ "driver": "overlayfs",
+ "driver_options": [],
+ "source": "",
+ "fstype": "fuse3.kata-overlay",
+ "options": [
+ "5a5aad80055ff20012a50dc25f8df7a29924474324d65f7d5306ee8ee27ff71d",
+ "817250f1a3e336da76f5bd3fa784e1b26d959b9c131876815ba2604048b70c18"
+ ],
+ "mount_point": "$(cpath)/$(bundle-id)",
+ "fs_group": null
+ }
+ ],
+ "sandbox_pidns": false,
+ "exec_commands": []
+ },
+ {
+ "OCI": {
+ "Version": "1.1.0-rc.1",
+ "Process": {
+ "Terminal": false,
+ "User": {
+ "UID": 0,
+ "GID": 0,
+ "AdditionalGids": [],
+ "Username": ""
+ },
+ "Args": [
+ "/bin/sh",
+ "-c",
+ "while true; do echo $(sandbox-name); sleep 10; done"
+ ],
+ "Env": [
+ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+ "HOSTNAME=$(host-name)",
+ "POD_NAME=$(sandbox-name)",
+ "POD_NAMESPACE=default",
+ "POD_IP=$(pod-ip)",
+ "SERVICE_ACCOUNT=default",
+ "PROXY_CONFIG={}\n",
+ "ISTIO_META_POD_PORTS=[\n]",
+ "ISTIO_META_APP_CONTAINERS=serviceaclient",
+ "ISTIO_META_CLUSTER_ID=Kubernetes",
+ "ISTIO_META_NODE_NAME=$(node-name)"
+ ],
+ "Cwd": "/",
+ "Capabilities": {
+ "Ambient": [],
+ "Bounding": [
+ "$(privileged_caps)"
+ ],
+ "Effective": [
+ "$(privileged_caps)"
+ ],
+ "Inheritable": [],
+ "Permitted": [
+ "$(privileged_caps)"
+ ]
+ },
+ "NoNewPrivileges": false
+ },
+ "Root": {
+ "Path": "$(cpath)/$(bundle-id)",
+ "Readonly": false
+ },
+ "Mounts": [
+ {
+ "destination": "/proc",
+ "source": "proc",
+ "type_": "proc",
+ "options": [
+ "nosuid",
+ "noexec",
+ "nodev"
+ ]
+ },
+ {
+ "destination": "/dev",
+ "source": "tmpfs",
+ "type_": "tmpfs",
+ "options": [
+ "nosuid",
+ "strictatime",
+ "mode=755",
+ "size=65536k"
+ ]
+ },
+ {
+ "destination": "/dev/pts",
+ "source": "devpts",
+ "type_": "devpts",
+ "options": [
+ "nosuid",
+ "noexec",
+ "newinstance",
+ "ptmxmode=0666",
+ "mode=0620",
+ "gid=5"
+ ]
+ },
+ {
+ "destination": "/dev/shm",
+ "source": "/run/kata-containers/sandbox/shm",
+ "type_": "bind",
+ "options": [
+ "rbind"
+ ]
+ },
+ {
+ "destination": "/dev/mqueue",
+ "source": "mqueue",
+ "type_": "mqueue",
+ "options": [
+ "nosuid",
+ "noexec",
+ "nodev"
+ ]
+ },
+ {
+ "destination": "/sys",
+ "source": "sysfs",
+ "type_": "sysfs",
+ "options": [
+ "nosuid",
+ "noexec",
+ "nodev",
+ "rw"
+ ]
+ },
+ {
+ "destination": "/sys/fs/cgroup",
+ "source": "cgroup",
+ "type_": "cgroup",
+ "options": [
+ "nosuid",
+ "noexec",
+ "nodev",
+ "relatime",
+ "rw"
+ ]
+ },
+ {
+ "destination": "/etc/hosts",
+ "source": "$(sfprefix)hosts$",
+ "type_": "bind",
+ "options": [
+ "rbind",
+ "rprivate",
+ "rw"
+ ]
+ },
+ {
+ "destination": "/dev/termination-log",
+ "source": "$(sfprefix)termination-log$",
+ "type_": "bind",
+ "options": [
+ "rbind",
+ "rprivate",
+ "rw"
+ ]
+ },
+ {
+ "destination": "/etc/hostname",
+ "source": "$(sfprefix)hostname$",
+ "type_": "bind",
+ "options": [
+ "rbind",
+ "rprivate",
+ "rw"
+ ]
+ },
+ {
+ "destination": "/etc/resolv.conf",
+ "source": "$(sfprefix)resolv.conf$",
+ "type_": "bind",
+ "options": [
+ "rbind",
+ "rprivate",
+ "rw"
+ ]
+ },
+ {
+ "destination": "/var/run/secrets/kubernetes.io/serviceaccount",
+ "source": "$(sfprefix)serviceaccount$",
+ "type_": "bind",
+ "options": [
+ "rbind",
+ "rprivate",
+ "ro"
+ ]
+ },
+ {
+ "destination": "/var/run/secrets/azure/tokens",
+ "source": "$(sfprefix)tokens$",
+ "type_": "bind",
+ "options": [
+ "rbind",
+ "rprivate",
+ "ro"
+ ]
+ }
+ ],
+ "Annotations": {
+ "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/$(bundle-id)",
+ "io.katacontainers.pkg.oci.container_type": "pod_container",
+ "io.kubernetes.cri.container-name": "busybox",
+ "io.kubernetes.cri.container-type": "container",
+ "io.kubernetes.cri.image-name": "mcr.microsoft.com/aks/e2e/library-busybox:master.220314.1-linux-amd64",
+ "io.kubernetes.cri.sandbox-id": "^[a-z0-9]{64}$",
+ "io.kubernetes.cri.sandbox-name": "pod-lifecycle",
+ "io.kubernetes.cri.sandbox-namespace": "default"
+ },
+ "Linux": {
+ "Namespaces": [
+ {
+ "Type": "ipc",
+ "Path": ""
+ },
+ {
+ "Type": "uts",
+ "Path": ""
+ },
+ {
+ "Type": "mount",
+ "Path": ""
+ }
+ ],
+ "MaskedPaths": [],
+ "ReadonlyPaths": []
+ }
+ },
+ "storages": [
+ {
+ "driver": "blk",
+ "driver_options": [],
+ "source": "",
+ "fstype": "tar",
+ "options": [
+ "$(hash0)"
+ ],
+ "mount_point": "$(layer0)",
+ "fs_group": null
+ },
+ {
+ "driver": "blk",
+ "driver_options": [],
+ "source": "",
+ "fstype": "tar",
+ "options": [
+ "$(hash1)"
+ ],
+ "mount_point": "$(layer1)",
+ "fs_group": null
+ },
+ {
+ "driver": "overlayfs",
+ "driver_options": [],
+ "source": "",
+ "fstype": "fuse3.kata-overlay",
+ "options": [
+ "2c342a137e693c7898aec36da1047f191dc7c1687e66198adacc439cf4adf379:2570e3a19e1bf20ddda45498a9627f61555d2d6c01479b9b76460b679b27d552",
+ "8568c70c0ccfe0051092e818da769111a59882cd19dd799d3bca5ffa82791080:b643b6217748983830b26ac14a35a3322dd528c00963eaadd91ef55f513dc73f"
+ ],
+ "mount_point": "$(cpath)/$(bundle-id)",
+ "fs_group": null
+ }
+ ],
+ "sandbox_pidns": false,
+ "exec_commands": [
+ "echo hello from postStart hook"
+ ]
+ }
+ ],
+ "common": {
+ "cpath": "/run/kata-containers/shared/containers",
+ "sfprefix": "^$(cpath)/$(bundle-id)-[a-z0-9]{16}-",
+ "spath": "/run/kata-containers/sandbox/storage",
+ "ipv4_a": "((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}",
+ "ip_p": "[0-9]{1,5}",
+ "svc_name": "[A-Z0-9_\\.\\-]+",
+ "dns_label": "[a-zA-Z0-9_\\.\\-]+",
+ "default_caps": [
+ "CAP_CHOWN",
+ "CAP_DAC_OVERRIDE",
+ "CAP_FSETID",
+ "CAP_FOWNER",
+ "CAP_MKNOD",
+ "CAP_NET_RAW",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETFCAP",
+ "CAP_SETPCAP",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_SYS_CHROOT",
+ "CAP_KILL",
+ "CAP_AUDIT_WRITE"
+ ],
+ "privileged_caps": [
+ "CAP_CHOWN",
+ "CAP_DAC_OVERRIDE",
+ "CAP_DAC_READ_SEARCH",
+ "CAP_FOWNER",
+ "CAP_FSETID",
+ "CAP_KILL",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETPCAP",
+ "CAP_LINUX_IMMUTABLE",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_NET_BROADCAST",
+ "CAP_NET_ADMIN",
+ "CAP_NET_RAW",
+ "CAP_IPC_LOCK",
+ "CAP_IPC_OWNER",
+ "CAP_SYS_MODULE",
+ "CAP_SYS_RAWIO",
+ "CAP_SYS_CHROOT",
+ "CAP_SYS_PTRACE",
+ "CAP_SYS_PACCT",
+ "CAP_SYS_ADMIN",
+ "CAP_SYS_BOOT",
+ "CAP_SYS_NICE",
+ "CAP_SYS_RESOURCE",
+ "CAP_SYS_TIME",
+ "CAP_SYS_TTY_CONFIG",
+ "CAP_MKNOD",
+ "CAP_LEASE",
+ "CAP_AUDIT_WRITE",
+ "CAP_AUDIT_CONTROL",
+ "CAP_SETFCAP",
+ "CAP_MAC_OVERRIDE",
+ "CAP_MAC_ADMIN",
+ "CAP_SYSLOG",
+ "CAP_WAKE_ALARM",
+ "CAP_BLOCK_SUSPEND",
+ "CAP_AUDIT_READ",
+ "CAP_PERFMON",
+ "CAP_BPF",
+ "CAP_CHECKPOINT_RESTORE"
+ ],
+ "virtio_blk_storage_classes": [
+ "cc-local-csi",
+ "cc-managed-csi",
+ "cc-managed-premium-csi"
+ ],
+ "smb_storage_classes": [
+ "cc-azurefile-csi",
+ "cc-azurefile-premium-csi"
+ ]
+ },
+ "sandbox": {
+ "storages": [
+ {
+ "driver": "ephemeral",
+ "driver_options": [],
+ "source": "shm",
+ "fstype": "tmpfs",
+ "options": [
+ "noexec",
+ "nosuid",
+ "nodev",
+ "mode=1777",
+ "size=67108864"
+ ],
+ "mount_point": "/run/kata-containers/sandbox/shm",
+ "fs_group": null
+ }
+ ]
+ },
+ "request_defaults": {
+ "CreateContainerRequest": {
+ "allow_env_regex": [
+ "^HOSTNAME=$(dns_label)$",
+ "^$(svc_name)_PORT_$(ip_p)_TCP=tcp://$(ipv4_a):$(ip_p)$",
+ "^$(svc_name)_PORT_$(ip_p)_TCP_PROTO=tcp$",
+ "^$(svc_name)_PORT_$(ip_p)_TCP_PORT=$(ip_p)$",
+ "^$(svc_name)_PORT_$(ip_p)_TCP_ADDR=$(ipv4_a)$",
+ "^$(svc_name)_SERVICE_HOST=$(ipv4_a)$",
+ "^$(svc_name)_SERVICE_PORT=$(ip_p)$",
+ "^$(svc_name)_SERVICE_PORT_$(dns_label)=$(ip_p)$",
+ "^$(svc_name)_PORT=tcp://$(ipv4_a):$(ip_p)$",
+ "^AZURE_CLIENT_ID=[A-Fa-f0-9-]*$",
+ "^AZURE_TENANT_ID=[A-Fa-f0-9-]*$",
+ "^AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/azure/tokens/azure-identity-token$",
+ "^AZURE_AUTHORITY_HOST=https://login\\.microsoftonline\\.com/$"
+ ]
+ },
+ "CopyFileRequest": [
+ "$(sfprefix)"
+ ],
+ "ExecProcessRequest": {
+ "commands": [],
+ "regex": []
+ },
+ "CloseStdinRequest": false,
+ "ReadStreamRequest": true,
+ "UpdateEphemeralMountsRequest": false,
+ "WriteStreamRequest": false
+ }
+}
\ No newline at end of file
diff --git a/tests/kata/data/pod-many-layers/inputs.txt b/tests/kata/data/pod-many-layers/inputs.txt
new file mode 100644
index 00000000..3beaea11
--- /dev/null
+++ b/tests/kata/data/pod-many-layers/inputs.txt
@@ -0,0 +1,139 @@ +["ep":"AllowRequestsFailingPolicy",{}], + +["ep":"UpdateInterfaceRequest",{"interface":{"device":"eth0","name":"eth0","IPAddresses":[{"family":0,"address":"10.244.0.18","mask":"24"},{"family":1,"address":"fe80::38f5:18ff:fe71:c086","mask":"64"}],"mtu":1500,"hwAddr":"3a:f5:18:71:c0:86","pciPath":"","type_":"","raw_flags":0}}], + +["ep":"UpdateRoutesRequest",{"routes":{"Routes":[{"dest":"","gateway":"10.244.0.1","device":"eth0","source":"","scope":0,"family":0}]}}], + +["ep":"CreateSandboxRequest",{"hostname":"many-layers","dns":["search default.svc.cluster.local svc.cluster.local cluster.local","nameserver 10.0.0.10","options ndots:5",""],"storages":[{"driver":"ephemeral","driver_options":[],"source":"shm","fstype":"tmpfs","options":["noexec","nosuid","nodev","mode=1777","size=67108864"],"mount_point":"/run/kata-containers/sandbox/shm","fs_group":null}],"sandbox_pidns":false,"sandbox_id":"1a97281baf36632476e6601c47269dfa70f153b73add2ecad27d682a267cc03c","guest_hook_path":"","kernel_modules":[]}], + +["ep":"GuestDetailsRequest",{"mem_block_size":true,"mem_hotplug_probe":true}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/1a97281baf36632476e6601c47269dfa70f153b73add2ecad27d682a267cc03c-acad8bd86c53b0b2-resolv.conf","file_size":102,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + 
+["ep":"CreateContainerRequest",{"container_id":"1a97281baf36632476e6601c47269dfa70f153b73add2ecad27d682a267cc03c","exec_id":"1a97281baf36632476e6601c47269dfa70f153b73add2ecad27d682a267cc03c","string_user":null,"devices":[],"storages":[{"driver":"blk","driver_options":[],"source":"0001:00:01.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=817250f1a3e336da76f5bd3fa784e1b26d959b9c131876815ba2604048b70c18"],"mount_point":"/run/kata-containers/sandbox/layers/5a5aad80055ff20012a50dc25f8df7a29924474324d65f7d5306ee8ee27ff71d","fs_group":null},{"driver":"overlayfs","driver_options":[],"source":"none","fstype":"fuse3.kata-overlay","options":["io.katacontainers.fs-opt.layer-src-prefix=/var/lib/containerd/io.containerd.snapshotter.v1.tardev/layers","io.katacontainers.fs-opt.layer=NWE1YWFkODAwNTVmZjIwMDEyYTUwZGMyNWY4ZGY3YTI5OTI0NDc0MzI0ZDY1ZjdkNTMwNmVlOGVlMjdmZjcxZCx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPTgxNzI1MGYxYTNlMzM2ZGE3NmY1YmQzZmE3ODRlMWIyNmQ5NTliOWMxMzE4NzY4MTViYTI2MDQwNDhiNzBjMTg=","io.katacontainers.fs-opt.overlay-rw","lowerdir=5a5aad80055ff20012a50dc25f8df7a29924474324d65f7d5306ee8ee27ff71d"],"mount_point":"/run/kata-containers/shared/containers/1a97281baf36632476e6601c47269dfa70f153b73add2ecad27d682a267cc03c","fs_group":null}],"OCI":{"Version":"1.1.0-rc.1","Process":{"Terminal":false,"ConsoleSize":null,"User":{"UID":65535,"GID":65535,"AdditionalGids":[65535],"Username":""},"Args":["/pause"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],"Cwd":"/","Capabilities":{"Bounding":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Effective":["CAP_CHOWN","CAP_DAC_OVERRIDE
","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Inheritable":[],"Permitted":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Ambient":[]},"Rlimits":[],"NoNewPrivileges":true,"ApparmorProfile":"","OOMScoreAdj":-998,"SelinuxLabel":""},"Root":{"Path":"/run/kata-containers/shared/containers/1a97281baf36632476e6601c47269dfa70f153b73add2ecad27d682a267cc03c","Readonly":true},"Hostname":"many-layers","Mounts":[{"destination":"/proc","source":"proc","type_":"proc","options":["nosuid","noexec","nodev"]},{"destination":"/dev","source":"tmpfs","type_":"tmpfs","options":["nosuid","strictatime","mode=755","size=65536k"]},{"destination":"/dev/pts","source":"devpts","type_":"devpts","options":["nosuid","noexec","newinstance","ptmxmode=0666","mode=0620","gid=5"]},{"destination":"/dev/mqueue","source":"mqueue","type_":"mqueue","options":["nosuid","noexec","nodev"]},{"destination":"/sys","source":"sysfs","type_":"sysfs","options":["nosuid","noexec","nodev","ro"]},{"destination":"/dev/shm","source":"/run/kata-containers/sandbox/shm","type_":"bind","options":["rbind"]},{"destination":"/etc/resolv.conf","source":"/run/kata-containers/shared/containers/1a97281baf36632476e6601c47269dfa70f153b73add2ecad27d682a267cc03c-acad8bd86c53b0b2-resolv.conf","type_":"bind","options":["rbind","ro","nosuid","nodev","noexec"]}],"Hooks":null,"Annotations":{"io.kubernetes.cri.sandbox-memory":"0","io.kubernetes.cri.sandbox-name":"many-layers","io.kubernetes.cri.sandbox-cpu-quota":"0","io.kubernetes.cri.sandbox-uid":"b78866ba-f3f0-4467-96f7-f610d8db99ac","io.kubernetes.cri.sandbox-id":"1a97281baf36632476e6601c47269dfa70f153b73add2ecad27d682a267cc03c","io.katacontainers.pkg.oci.bundle_path":"/run/containerd/io.containerd.ru
ntime.v2.task/k8s.io/1a97281baf36632476e6601c47269dfa70f153b73add2ecad27d682a267cc03c","io.kubernetes.cri.sandbox-namespace":"default","nerdctl/network-namespace":"/var/run/netns/cni-9da1d64b-d15d-3b1c-754c-a06ce8c041f8","io.kubernetes.cri.container-type":"sandbox","io.kubernetes.cri.sandbox-cpu-shares":"2","io.kubernetes.cri.sandbox-cpu-period":"100000","io.kubernetes.cri.sandbox-log-directory":"/var/log/pods/default_many-layers_b78866ba-f3f0-4467-96f7-f610d8db99ac","io.katacontainers.pkg.oci.container_type":"pod_sandbox"},"Linux":{"UIDMappings":[],"GIDMappings":[],"Sysctl":{},"Resources":{"Devices":[],"Memory":null,"CPU":{"Shares":2,"Quota":0,"Period":0,"RealtimeRuntime":0,"RealtimePeriod":0,"Cpus":"","Mems":""},"Pids":null,"BlockIO":null,"HugepageLimits":[],"Network":null},"CgroupsPath":"/kubepods/besteffort/podb78866ba-f3f0-4467-96f7-f610d8db99ac/1a97281baf36632476e6601c47269dfa70f153b73add2ecad27d682a267cc03c","Namespaces":[{"Type":"ipc","Path":""},{"Type":"uts","Path":""},{"Type":"mount","Path":""}],"Devices":[],"Seccomp":null,"RootfsPropagation":"","MaskedPaths":["/proc/acpi","/proc/asound","/proc/kcore","/proc/keys","/proc/latency_stats","/proc/timer_list","/proc/timer_stats","/proc/sched_debug","/sys/firmware","/proc/scsi"],"ReadonlyPaths":["/proc/bus","/proc/fs","/proc/irq","/proc/sys","/proc/sysrq-trigger"],"MountLabel":"","IntelRdt":null},"Solaris":null,"Windows":null},"sandbox_pidns":false,"shared_mounts":[]}], + +["ep":"StartContainerRequest",{"container_id":"1a97281baf36632476e6601c47269dfa70f153b73add2ecad27d682a267cc03c"}], + +["ep":"WaitProcessRequest",{"container_id":"1a97281baf36632476e6601c47269dfa70f153b73add2ecad27d682a267cc03c","exec_id":"1a97281baf36632476e6601c47269dfa70f153b73add2ecad27d682a267cc03c"}], + +["ep":"GetOOMEventRequest",{}], + 
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/3e18310a4ef5b67a048cd90c7a3e861095925bf9cdd9c9ebea8dfe9a14869d06-5d9c73b7e4920e4c-hosts","file_size":207,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/3e18310a4ef5b67a048cd90c7a3e861095925bf9cdd9c9ebea8dfe9a14869d06-1dddb5cf284a6db2-termination-log","file_size":0,"file_mode":33206,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/3e18310a4ef5b67a048cd90c7a3e861095925bf9cdd9c9ebea8dfe9a14869d06-913177b4b1944db2-hostname","file_size":12,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/3e18310a4ef5b67a048cd90c7a3e861095925bf9cdd9c9ebea8dfe9a14869d06-d95ac830a537c69c-resolv.conf","file_size":102,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/3e18310a4ef5b67a048cd90c7a3e861095925bf9cdd9c9ebea8dfe9a14869d06-1e6d5fbe932eb31f-serviceaccount","file_size":0,"file_mode":17407,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/3e18310a4ef5b67a048cd90c7a3e861095925bf9cdd9c9ebea8dfe9a14869d06-1e6d5fbe932eb31f-serviceaccount/..2024_05_08_18_13_42.1553911240","file_size":0,"file_mode":16877,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/3e18310a4ef5b67a048cd90c7a3e861095925bf9cdd9c9ebea8dfe9a14869d06-1e6d5fbe932eb31f-serviceaccount/..2024_05_08_18_13_42.1553911240/ca.crt","file_size":1761,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + 
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/3e18310a4ef5b67a048cd90c7a3e861095925bf9cdd9c9ebea8dfe9a14869d06-1e6d5fbe932eb31f-serviceaccount/..2024_05_08_18_13_42.1553911240/namespace","file_size":7,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/3e18310a4ef5b67a048cd90c7a3e861095925bf9cdd9c9ebea8dfe9a14869d06-1e6d5fbe932eb31f-serviceaccount/..2024_05_08_18_13_42.1553911240/token","file_size":1498,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/3e18310a4ef5b67a048cd90c7a3e861095925bf9cdd9c9ebea8dfe9a14869d06-1e6d5fbe932eb31f-serviceaccount/..data","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..2024_05_08_18_13_42.1553911240"}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/3e18310a4ef5b67a048cd90c7a3e861095925bf9cdd9c9ebea8dfe9a14869d06-1e6d5fbe932eb31f-serviceaccount/ca.crt","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..data/ca.crt"}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/3e18310a4ef5b67a048cd90c7a3e861095925bf9cdd9c9ebea8dfe9a14869d06-1e6d5fbe932eb31f-serviceaccount/namespace","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..data/namespace"}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/3e18310a4ef5b67a048cd90c7a3e861095925bf9cdd9c9ebea8dfe9a14869d06-1e6d5fbe932eb31f-serviceaccount/token","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..data/token"}], + 
+["ep":"CreateContainerRequest",{"container_id":"3e18310a4ef5b67a048cd90c7a3e861095925bf9cdd9c9ebea8dfe9a14869d06","exec_id":"3e18310a4ef5b67a048cd90c7a3e861095925bf9cdd9c9ebea8dfe9a14869d06","string_user":null,"devices":[],"storages":[{"driver":"blk","driver_options":[],"source":"0001:00:02.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=942b444ce1728ac0eb515e7b0026d06f3106b1f601ffda662e21d12abdf1833b"],"mount_point":"/run/kata-containers/sandbox/layers/6f8ed2960df688b90d415d83d25db2a7898f795282fb2d35ba1f1b7d0892d157","fs_group":null},{"driver":"blk","driver_options":[],"source":"0001:00:03.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=f976d00359d14e60a13380ea863a4ea15ba1a8bc673ad1c71f7d17060f8f7d16"],"mount_point":"/run/kata-containers/sandbox/layers/0e3938da647a18478be0c2f886aba00570e0a5d071f9d797df38d7909ec64834","fs_group":null},{"driver":"blk","driver_options":[],"source":"0001:00:04.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=60d07e5beb16c6830a7add7c65d4dc32f001c865969b92b4b6c270dc3f87fa68"],"mount_point":"/run/kata-containers/sandbox/layers/6b387fe5995a4c5e4207c4df19365de347e03b6c9eec3e9a04a3dd18e19b5537","fs_group":null},{"driver":"blk","driver_options":[],"source":"0001:00:05.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=328a1dfa90d3e02d637333005a57dab23984a0007bfedc4ba0d84acf81833257"],"mount_point":"/run/kata-containers/sandbox/layers/fb17bf62204049b2dfc0344e475f8e1a1f50a751b5fbacbd75a24afac345d63c","fs_group":null},{"driver":"blk","driver_options":[],"source":"0001:00:06.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_devic
e=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=5e65e33ce145509a7238a23d6ac6b17105b272f1fb0396482cb3fa02ec2b25c8"],"mount_point":"/run/kata-containers/sandbox/layers/53534f6f912aa54954b594fb585a829758a23588aef53a36b92ad37d43c866de","fs_group":null},{"driver":"blk","driver_options":[],"source":"0001:00:07.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=d753cf6af2b7eeff3e41b307cb50d4a7c7f6002fb77b6f165e010d7bd5f96291"],"mount_point":"/run/kata-containers/sandbox/layers/c2682a09e83d6186bfbbf0142927274b49057815b69d86ec4a8d3428720f8575","fs_group":null},{"driver":"blk","driver_options":[],"source":"0001:00:08.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=a25ed7d1aa7a682fab7f2116c86a43dc0c09cde626a4e47b374283106c9ae06b"],"mount_point":"/run/kata-containers/sandbox/layers/888056d803692cb662c9a0b85ba90942e52467b614d76340f55bc9d816e19963","fs_group":null},{"driver":"blk","driver_options":[],"source":"0001:00:09.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=c0d7666f113e39a4c7bfd98086fe189d7e3e95d47e6e4d62d65efcaf7dca099e"],"mount_point":"/run/kata-containers/sandbox/layers/c61c79f5319ddbc34f8cf6e93c246badae11498e5e63628397423dd14cd6400a","fs_group":null},{"driver":"blk","driver_options":[],"source":"0001:00:0a.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=7d4d932cb36b54fee794b8397a940f81fd235da28bc1533975845fd811f1e831"],"mount_point":"/run/kata-containers/sandbox/layers/544cd46ddeaedf7beffa91ae102418c04473d8cf79ad52273463094354d9bd15","fs_group":null},{"driver":"blk","driver_options":[],"source":"0001:00:0b.0","fstype":"tar","options
":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=ff1c81a00214ae520833dbb3bfd5ceaa1e14f29c62fe699668dfa40fbf6c2816"],"mount_point":"/run/kata-containers/sandbox/layers/282626d5a417c60820f429e6d4d77dc7fe3a51d2f4b1851fb037821ad1ebaefe","fs_group":null},{"driver":"blk","driver_options":[],"source":"0001:00:0c.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=7d04382685de3f27c7d9db678a023db6a3b4377e4f7efd9e5cbde856f46b154a"],"mount_point":"/run/kata-containers/sandbox/layers/a6e1effed45cb3c707445cdddd05335b050f1f3fcf6169e057f12b07b4db666e","fs_group":null},{"driver":"overlayfs","driver_options":[],"source":"none","fstype":"fuse3.kata-overlay","options":["io.katacontainers.fs-opt.layer-src-prefix=/var/lib/containerd/io.containerd.snapshotter.v1.tardev/layers","io.katacontainers.fs-opt.layer=NmY4ZWQyOTYwZGY2ODhiOTBkNDE1ZDgzZDI1ZGIyYTc4OThmNzk1MjgyZmIyZDM1YmExZjFiN2QwODkyZDE1Nyx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPTk0MmI0NDRjZTE3MjhhYzBlYjUxNWU3YjAwMjZkMDZmMzEwNmIxZjYwMWZmZGE2NjJlMjFkMTJhYmRmMTgzM2I=","io.katacontainers.fs-opt.layer=MGUzOTM4ZGE2NDdhMTg0NzhiZTBjMmY4ODZhYmEwMDU3MGUwYTVkMDcxZjlkNzk3ZGYzOGQ3OTA5ZWM2NDgzNCx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPWY5NzZkMDAzNTlkMTRlNjBhMTMzODBlYTg2M2E0ZWExNWJhMWE4YmM2NzNhZDFjNzFmN2QxNzA2MGY4ZjdkMTY=","io.katacontainers.fs-opt.layer=NmIzODdmZTU5OTVhNGM1ZTQyMDdjNGRmMTkzNjVkZTM0N2UwM2I2YzllZWMzZTlhMDRhM2RkMThlMTliNTUzNyx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPTYwZDA3ZTViZWIxNmM2ODMwYTdhZGQ3YzY1ZDRkYzMyZjAwMWM
4NjU5NjliOTJiNGI2YzI3MGRjM2Y4N2ZhNjg=","io.katacontainers.fs-opt.layer=ZmIxN2JmNjIyMDQwNDliMmRmYzAzNDRlNDc1ZjhlMWExZjUwYTc1MWI1ZmJhY2JkNzVhMjRhZmFjMzQ1ZDYzYyx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPTMyOGExZGZhOTBkM2UwMmQ2MzczMzMwMDVhNTdkYWIyMzk4NGEwMDA3YmZlZGM0YmEwZDg0YWNmODE4MzMyNTc=","io.katacontainers.fs-opt.layer=NTM1MzRmNmY5MTJhYTU0OTU0YjU5NGZiNTg1YTgyOTc1OGEyMzU4OGFlZjUzYTM2YjkyYWQzN2Q0M2M4NjZkZSx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPTVlNjVlMzNjZTE0NTUwOWE3MjM4YTIzZDZhYzZiMTcxMDViMjcyZjFmYjAzOTY0ODJjYjNmYTAyZWMyYjI1Yzg=","io.katacontainers.fs-opt.layer=YzI2ODJhMDllODNkNjE4NmJmYmJmMDE0MjkyNzI3NGI0OTA1NzgxNWI2OWQ4NmVjNGE4ZDM0Mjg3MjBmODU3NSx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPWQ3NTNjZjZhZjJiN2VlZmYzZTQxYjMwN2NiNTBkNGE3YzdmNjAwMmZiNzdiNmYxNjVlMDEwZDdiZDVmOTYyOTE=","io.katacontainers.fs-opt.layer=ODg4MDU2ZDgwMzY5MmNiNjYyYzlhMGI4NWJhOTA5NDJlNTI0NjdiNjE0ZDc2MzQwZjU1YmM5ZDgxNmUxOTk2Myx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPWEyNWVkN2QxYWE3YTY4MmZhYjdmMjExNmM4NmE0M2RjMGMwOWNkZTYyNmE0ZTQ3YjM3NDI4MzEwNmM5YWUwNmI=","io.katacontainers.fs-opt.layer=YzYxYzc5ZjUzMTlkZGJjMzRmOGNmNmU5M2MyNDZiYWRhZTExNDk4ZTVlNjM2MjgzOTc0MjNkZDE0Y2Q2NDAwYSx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPWMwZDc2NjZmMTEzZTM5YTRjN2JmZDk4MDg2ZmUxODlkN2UzZTk1ZDQ3ZTZlNGQ2MmQ2NWVmY2FmN2RjYTA5OWU=","io.katacontainers.fs-opt.layer=NTQ0Y2Q0NmRkZWFlZGY3YmVmZmE5MWFlMTAyNDE4YzA0NDczZDhjZjc5YWQ1MjI3MzQ2MzA5NDM1NGQ5YmQxNSx0YXIscm8saW8
ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPTdkNGQ5MzJjYjM2YjU0ZmVlNzk0YjgzOTdhOTQwZjgxZmQyMzVkYTI4YmMxNTMzOTc1ODQ1ZmQ4MTFmMWU4MzE=","io.katacontainers.fs-opt.layer=MjgyNjI2ZDVhNDE3YzYwODIwZjQyOWU2ZDRkNzdkYzdmZTNhNTFkMmY0YjE4NTFmYjAzNzgyMWFkMWViYWVmZSx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPWZmMWM4MWEwMDIxNGFlNTIwODMzZGJiM2JmZDVjZWFhMWUxNGYyOWM2MmZlNjk5NjY4ZGZhNDBmYmY2YzI4MTY=","io.katacontainers.fs-opt.layer=YTZlMWVmZmVkNDVjYjNjNzA3NDQ1Y2RkZGQwNTMzNWIwNTBmMWYzZmNmNjE2OWUwNTdmMTJiMDdiNGRiNjY2ZSx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPTdkMDQzODI2ODVkZTNmMjdjN2Q5ZGI2NzhhMDIzZGI2YTNiNDM3N2U0ZjdlZmQ5ZTVjYmRlODU2ZjQ2YjE1NGE=","io.katacontainers.fs-opt.overlay-rw","lowerdir=6f8ed2960df688b90d415d83d25db2a7898f795282fb2d35ba1f1b7d0892d157:0e3938da647a18478be0c2f886aba00570e0a5d071f9d797df38d7909ec64834:6b387fe5995a4c5e4207c4df19365de347e03b6c9eec3e9a04a3dd18e19b5537:fb17bf62204049b2dfc0344e475f8e1a1f50a751b5fbacbd75a24afac345d63c:53534f6f912aa54954b594fb585a829758a23588aef53a36b92ad37d43c866de:c2682a09e83d6186bfbbf0142927274b49057815b69d86ec4a8d3428720f8575:888056d803692cb662c9a0b85ba90942e52467b614d76340f55bc9d816e19963:c61c79f5319ddbc34f8cf6e93c246badae11498e5e63628397423dd14cd6400a:544cd46ddeaedf7beffa91ae102418c04473d8cf79ad52273463094354d9bd15:282626d5a417c60820f429e6d4d77dc7fe3a51d2f4b1851fb037821ad1ebaefe:a6e1effed45cb3c707445cdddd05335b050f1f3fcf6169e057f12b07b4db666e"],"mount_point":"/run/kata-containers/shared/containers/3e18310a4ef5b67a048cd90c7a3e861095925bf9cdd9c9ebea8dfe9a14869d06","fs_group":null}],"OCI":{"Version":"1.1.0-rc.1","Process":{"Terminal":false,"ConsoleSize":null,"User":{"UID":0,"GID":0,"AdditionalGids":[0],"Usernam
e":""},"Args":["sh","-c","while true; do echo go; sleep 25; done"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","HOSTNAME=many-layers","container=docker","KUBERNETES_SERVICE_PORT_HTTPS=443","KUBERNETES_PORT=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP_PROTO=tcp","KUBERNETES_PORT_443_TCP_PORT=443","KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1","KUBERNETES_SERVICE_HOST=10.0.0.1","KUBERNETES_SERVICE_PORT=443"],"Cwd":"/","Capabilities":{"Bounding":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Effective":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Inheritable":[],"Permitted":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Ambient":[]},"Rlimits":[],"NoNewPrivileges":false,"ApparmorProfile":"cri-containerd.apparmor.d","OOMScoreAdj":1000,"SelinuxLabel":""},"Root":{"Path":"/run/kata-containers/shared/containers/3e18310a4ef5b67a048cd90c7a3e861095925bf9cdd9c9ebea8dfe9a14869d06","Readonly":false},"Hostname":"","Mounts":[{"destination":"/proc","source":"proc","type_":"proc","options":["nosuid","noexec","nodev"]},{"destination":"/dev","source":"tmpfs","type_":"tmpfs","options":["nosuid","strictatime","mode=755","size=65536k"]},{"destination":"/dev/pts","source":"devpts","type_":"devpts","options":["nosuid","noexec","newinstance","ptmxmode=0666","mode=0620","gid=5"]},{"destination":"/dev/mqueue","source":"mqueue","type_":"mqueue","options":["nosuid","noexec","nodev"]},{"destination":"/sys","source":"sysfs","type_":"sysfs","options":["
nosuid","noexec","nodev","ro"]},{"destination":"/sys/fs/cgroup","source":"cgroup","type_":"cgroup","options":["nosuid","noexec","nodev","relatime","ro"]},{"destination":"/etc/hosts","source":"/run/kata-containers/shared/containers/3e18310a4ef5b67a048cd90c7a3e861095925bf9cdd9c9ebea8dfe9a14869d06-5d9c73b7e4920e4c-hosts","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/dev/termination-log","source":"/run/kata-containers/shared/containers/3e18310a4ef5b67a048cd90c7a3e861095925bf9cdd9c9ebea8dfe9a14869d06-1dddb5cf284a6db2-termination-log","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/etc/hostname","source":"/run/kata-containers/shared/containers/3e18310a4ef5b67a048cd90c7a3e861095925bf9cdd9c9ebea8dfe9a14869d06-913177b4b1944db2-hostname","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/etc/resolv.conf","source":"/run/kata-containers/shared/containers/3e18310a4ef5b67a048cd90c7a3e861095925bf9cdd9c9ebea8dfe9a14869d06-d95ac830a537c69c-resolv.conf","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/dev/shm","source":"/run/kata-containers/sandbox/shm","type_":"bind","options":["rbind"]},{"destination":"/var/run/secrets/kubernetes.io/serviceaccount","source":"/run/kata-containers/shared/containers/3e18310a4ef5b67a048cd90c7a3e861095925bf9cdd9c9ebea8dfe9a14869d06-1e6d5fbe932eb31f-serviceaccount","type_":"bind","options":["rbind","rprivate","ro"]}],"Hooks":null,"Annotations":{"io.kubernetes.cri.image-name":"quay.io/footloose/ubuntu18.04:latest","io.kubernetes.cri.sandbox-name":"many-layers","io.katacontainers.pkg.oci.container_type":"pod_container","io.kubernetes.cri.sandbox-uid":"b78866ba-f3f0-4467-96f7-f610d8db99ac","io.kubernetes.cri.sandbox-namespace":"default","io.kubernetes.cri.sandbox-id":"1a97281baf36632476e6601c47269dfa70f153b73add2ecad27d682a267cc03c","io.kubernetes.cri.container-type":"container","io.kubernetes.cri.container-name":"footloose","io.katacontainers.pkg.oci.bundle_path":"/run/contai
nerd/io.containerd.runtime.v2.task/k8s.io/3e18310a4ef5b67a048cd90c7a3e861095925bf9cdd9c9ebea8dfe9a14869d06"},"Linux":{"UIDMappings":[],"GIDMappings":[],"Sysctl":{},"Resources":{"Devices":[],"Memory":{"Limit":0,"Reservation":0,"Swap":0,"Kernel":0,"KernelTCP":0,"Swappiness":0,"DisableOOMKiller":false},"CPU":{"Shares":2,"Quota":0,"Period":100000,"RealtimeRuntime":0,"RealtimePeriod":0,"Cpus":"","Mems":""},"Pids":null,"BlockIO":null,"HugepageLimits":[],"Network":null},"CgroupsPath":"/kubepods/besteffort/podb78866ba-f3f0-4467-96f7-f610d8db99ac/3e18310a4ef5b67a048cd90c7a3e861095925bf9cdd9c9ebea8dfe9a14869d06","Namespaces":[{"Type":"ipc","Path":""},{"Type":"uts","Path":""},{"Type":"mount","Path":""}],"Devices":[],"Seccomp":null,"RootfsPropagation":"","MaskedPaths":["/proc/asound","/proc/acpi","/proc/kcore","/proc/keys","/proc/latency_stats","/proc/timer_list","/proc/timer_stats","/proc/sched_debug","/proc/scsi","/sys/firmware"],"ReadonlyPaths":["/proc/bus","/proc/fs","/proc/irq","/proc/sys","/proc/sysrq-trigger"],"MountLabel":"","IntelRdt":null},"Solaris":null,"Windows":null},"sandbox_pidns":false,"shared_mounts":[]}], + +["ep":"StartContainerRequest",{"container_id":"3e18310a4ef5b67a048cd90c7a3e861095925bf9cdd9c9ebea8dfe9a14869d06"}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/b2857301a288aebb2752aa2dacdaa6c65fd2531f0b311cace466c4d6f5a687ca-9545c8989f6ccd98-hosts","file_size":207,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/b2857301a288aebb2752aa2dacdaa6c65fd2531f0b311cace466c4d6f5a687ca-43980df2a7037297-termination-log","file_size":0,"file_mode":33206,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + 
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/b2857301a288aebb2752aa2dacdaa6c65fd2531f0b311cace466c4d6f5a687ca-7e342cc195c117f3-hostname","file_size":12,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/b2857301a288aebb2752aa2dacdaa6c65fd2531f0b311cace466c4d6f5a687ca-364919e659613c20-resolv.conf","file_size":102,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/b2857301a288aebb2752aa2dacdaa6c65fd2531f0b311cace466c4d6f5a687ca-1c83938b1e8fafba-serviceaccount","file_size":0,"file_mode":17407,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/b2857301a288aebb2752aa2dacdaa6c65fd2531f0b311cace466c4d6f5a687ca-1c83938b1e8fafba-serviceaccount/..2024_05_08_18_13_42.1553911240","file_size":0,"file_mode":16877,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/b2857301a288aebb2752aa2dacdaa6c65fd2531f0b311cace466c4d6f5a687ca-1c83938b1e8fafba-serviceaccount/..2024_05_08_18_13_42.1553911240/ca.crt","file_size":1761,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/b2857301a288aebb2752aa2dacdaa6c65fd2531f0b311cace466c4d6f5a687ca-1c83938b1e8fafba-serviceaccount/..2024_05_08_18_13_42.1553911240/namespace","file_size":7,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + 
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/b2857301a288aebb2752aa2dacdaa6c65fd2531f0b311cace466c4d6f5a687ca-1c83938b1e8fafba-serviceaccount/..2024_05_08_18_13_42.1553911240/token","file_size":1498,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/b2857301a288aebb2752aa2dacdaa6c65fd2531f0b311cace466c4d6f5a687ca-1c83938b1e8fafba-serviceaccount/..data","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..2024_05_08_18_13_42.1553911240"}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/b2857301a288aebb2752aa2dacdaa6c65fd2531f0b311cace466c4d6f5a687ca-1c83938b1e8fafba-serviceaccount/ca.crt","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..data/ca.crt"}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/b2857301a288aebb2752aa2dacdaa6c65fd2531f0b311cace466c4d6f5a687ca-1c83938b1e8fafba-serviceaccount/namespace","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..data/namespace"}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/b2857301a288aebb2752aa2dacdaa6c65fd2531f0b311cace466c4d6f5a687ca-1c83938b1e8fafba-serviceaccount/token","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..data/token"}], + 
+["ep":"CreateContainerRequest",{"container_id":"b2857301a288aebb2752aa2dacdaa6c65fd2531f0b311cace466c4d6f5a687ca","exec_id":"b2857301a288aebb2752aa2dacdaa6c65fd2531f0b311cace466c4d6f5a687ca","string_user":null,"devices":[],"storages":[{"driver":"blk","driver_options":[],"source":"0001:00:0d.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=073dba7831293107f8873eedabf4922d16a506086f6f46b19b4c2386831c3106"],"mount_point":"/run/kata-containers/sandbox/layers/1b27bec068016fce230a3c9f4920d3be7251e5baada7dca3204a932cbcde27e2","fs_group":null},{"driver":"blk","driver_options":[],"source":"0001:00:0e.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=ed0feae4f4dccb686628963b1f1f5dae7b3e015c881e72f005ff2f99c649457e"],"mount_point":"/run/kata-containers/sandbox/layers/c8295c80a79c2ed76e03ddb2af390ac3791b8779da798cb183fa985ce5cee1dc","fs_group":null},{"driver":"blk","driver_options":[],"source":"0001:00:0f.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=d138152b660d2dbcc5082afae58edb1bf0ee5742b91933a2f61664b847b23281"],"mount_point":"/run/kata-containers/sandbox/layers/cfb9fe97a1869ee9b0daae3d8cd59720cf371da568a6c14bba16d982e7092983","fs_group":null},{"driver":"blk","driver_options":[],"source":"0001:00:10.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=1d69eaf5c5c25731e9a8ebb038c942f6aa6aff5b15b11d8bd44431e514ccd69f"],"mount_point":"/run/kata-containers/sandbox/layers/14f395647869a88f90a33eef50c97e82f4b981b6e20a584d51bf304967b8542c","fs_group":null},{"driver":"blk","driver_options":[],"source":"0001:00:11.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_devic
e=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=1eb4bff8040a86c514815a039f6cb4d7aa4c5f1b7a2e1a45f6f86ca8c770ffff"],"mount_point":"/run/kata-containers/sandbox/layers/fc7dd8614820bbafe5b6b6645e19945b4af989b662c989fd46c465fafca702f7","fs_group":null},{"driver":"blk","driver_options":[],"source":"0001:00:12.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=e928fff98ddea2d26dbba075605770bd6f6ef068c975289b49acb3d55030d071"],"mount_point":"/run/kata-containers/sandbox/layers/8d311e8e51984cabaccec1fbfcbcdd7bf52a8a978169cd20af07bbd1c3a4692a","fs_group":null},{"driver":"overlayfs","driver_options":[],"source":"none","fstype":"fuse3.kata-overlay","options":["io.katacontainers.fs-opt.layer-src-prefix=/var/lib/containerd/io.containerd.snapshotter.v1.tardev/layers","io.katacontainers.fs-opt.layer=MWIyN2JlYzA2ODAxNmZjZTIzMGEzYzlmNDkyMGQzYmU3MjUxZTViYWFkYTdkY2EzMjA0YTkzMmNiY2RlMjdlMix0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPTA3M2RiYTc4MzEyOTMxMDdmODg3M2VlZGFiZjQ5MjJkMTZhNTA2MDg2ZjZmNDZiMTliNGMyMzg2ODMxYzMxMDY=","io.katacontainers.fs-opt.layer=YzgyOTVjODBhNzljMmVkNzZlMDNkZGIyYWYzOTBhYzM3OTFiODc3OWRhNzk4Y2IxODNmYTk4NWNlNWNlZTFkYyx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPWVkMGZlYWU0ZjRkY2NiNjg2NjI4OTYzYjFmMWY1ZGFlN2IzZTAxNWM4ODFlNzJmMDA1ZmYyZjk5YzY0OTQ1N2U=","io.katacontainers.fs-opt.layer=Y2ZiOWZlOTdhMTg2OWVlOWIwZGFhZTNkOGNkNTk3MjBjZjM3MWRhNTY4YTZjMTRiYmExNmQ5ODJlNzA5Mjk4Myx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPWQxMzgxNTJiNjYwZDJkYmNjNTA4MmFmYWU1OGVkYjFiZjBlZTU3NDJiOTE5MzNhMmY2MTY2NGI4NDdiMjMyODE=","io.ka
tacontainers.fs-opt.layer=MTRmMzk1NjQ3ODY5YTg4ZjkwYTMzZWVmNTBjOTdlODJmNGI5ODFiNmUyMGE1ODRkNTFiZjMwNDk2N2I4NTQyYyx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPTFkNjllYWY1YzVjMjU3MzFlOWE4ZWJiMDM4Yzk0MmY2YWE2YWZmNWIxNWIxMWQ4YmQ0NDQzMWU1MTRjY2Q2OWY=","io.katacontainers.fs-opt.layer=ZmM3ZGQ4NjE0ODIwYmJhZmU1YjZiNjY0NWUxOTk0NWI0YWY5ODliNjYyYzk4OWZkNDZjNDY1ZmFmY2E3MDJmNyx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPTFlYjRiZmY4MDQwYTg2YzUxNDgxNWEwMzlmNmNiNGQ3YWE0YzVmMWI3YTJlMWE0NWY2Zjg2Y2E4Yzc3MGZmZmY=","io.katacontainers.fs-opt.layer=OGQzMTFlOGU1MTk4NGNhYmFjY2VjMWZiZmNiY2RkN2JmNTJhOGE5NzgxNjljZDIwYWYwN2JiZDFjM2E0NjkyYSx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPWU5MjhmZmY5OGRkZWEyZDI2ZGJiYTA3NTYwNTc3MGJkNmY2ZWYwNjhjOTc1Mjg5YjQ5YWNiM2Q1NTAzMGQwNzE=","io.katacontainers.fs-opt.overlay-rw","lowerdir=1b27bec068016fce230a3c9f4920d3be7251e5baada7dca3204a932cbcde27e2:c8295c80a79c2ed76e03ddb2af390ac3791b8779da798cb183fa985ce5cee1dc:cfb9fe97a1869ee9b0daae3d8cd59720cf371da568a6c14bba16d982e7092983:14f395647869a88f90a33eef50c97e82f4b981b6e20a584d51bf304967b8542c:fc7dd8614820bbafe5b6b6645e19945b4af989b662c989fd46c465fafca702f7:8d311e8e51984cabaccec1fbfcbcdd7bf52a8a978169cd20af07bbd1c3a4692a"],"mount_point":"/run/kata-containers/shared/containers/b2857301a288aebb2752aa2dacdaa6c65fd2531f0b311cace466c4d6f5a687ca","fs_group":null}],"OCI":{"Version":"1.1.0-rc.1","Process":{"Terminal":false,"ConsoleSize":null,"User":{"UID":0,"GID":0,"AdditionalGids":[0],"Username":""},"Args":["sh","-c","while true; do echo nginx; sleep 10; 
done"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","HOSTNAME=many-layers","KUBERNETES_SERVICE_PORT=443","KUBERNETES_SERVICE_PORT_HTTPS=443","KUBERNETES_PORT=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP_PROTO=tcp","KUBERNETES_PORT_443_TCP_PORT=443","KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1","KUBERNETES_SERVICE_HOST=10.0.0.1"],"Cwd":"/","Capabilities":{"Bounding":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Effective":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Inheritable":[],"Permitted":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Ambient":[]},"Rlimits":[],"NoNewPrivileges":false,"ApparmorProfile":"cri-containerd.apparmor.d","OOMScoreAdj":1000,"SelinuxLabel":""},"Root":{"Path":"/run/kata-containers/shared/containers/b2857301a288aebb2752aa2dacdaa6c65fd2531f0b311cace466c4d6f5a687ca","Readonly":false},"Hostname":"","Mounts":[{"destination":"/proc","source":"proc","type_":"proc","options":["nosuid","noexec","nodev"]},{"destination":"/dev","source":"tmpfs","type_":"tmpfs","options":["nosuid","strictatime","mode=755","size=65536k"]},{"destination":"/dev/pts","source":"devpts","type_":"devpts","options":["nosuid","noexec","newinstance","ptmxmode=0666","mode=0620","gid=5"]},{"destination":"/dev/mqueue","source":"mqueue","type_":"mqueue","options":["nosuid","noexec","nodev"]},{"destination":"/sys","source":"sysfs","type_":"sysfs","options":["nosuid","noexec","nodev","ro"]},{"destination":"/sys/fs/cgroup","source":"cgrou
p","type_":"cgroup","options":["nosuid","noexec","nodev","relatime","ro"]},{"destination":"/etc/hosts","source":"/run/kata-containers/shared/containers/b2857301a288aebb2752aa2dacdaa6c65fd2531f0b311cace466c4d6f5a687ca-9545c8989f6ccd98-hosts","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/dev/termination-log","source":"/run/kata-containers/shared/containers/b2857301a288aebb2752aa2dacdaa6c65fd2531f0b311cace466c4d6f5a687ca-43980df2a7037297-termination-log","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/etc/hostname","source":"/run/kata-containers/shared/containers/b2857301a288aebb2752aa2dacdaa6c65fd2531f0b311cace466c4d6f5a687ca-7e342cc195c117f3-hostname","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/etc/resolv.conf","source":"/run/kata-containers/shared/containers/b2857301a288aebb2752aa2dacdaa6c65fd2531f0b311cace466c4d6f5a687ca-364919e659613c20-resolv.conf","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/dev/shm","source":"/run/kata-containers/sandbox/shm","type_":"bind","options":["rbind"]},{"destination":"/var/run/secrets/kubernetes.io/serviceaccount","source":"/run/kata-containers/shared/containers/b2857301a288aebb2752aa2dacdaa6c65fd2531f0b311cace466c4d6f5a687ca-1c83938b1e8fafba-serviceaccount","type_":"bind","options":["rbind","rprivate","ro"]}],"Hooks":null,"Annotations":{"io.katacontainers.pkg.oci.bundle_path":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/b2857301a288aebb2752aa2dacdaa6c65fd2531f0b311cace466c4d6f5a687ca","io.katacontainers.pkg.oci.container_type":"pod_container","io.kubernetes.cri.image-name":"mcr.microsoft.com/cbl-mariner/base/nginx:1.22.1-9-cm2.0.20230904-amd64","io.kubernetes.cri.container-type":"container","io.kubernetes.cri.sandbox-id":"1a97281baf36632476e6601c47269dfa70f153b73add2ecad27d682a267cc03c","io.kubernetes.cri.sandbox-namespace":"default","io.kubernetes.cri.sandbox-name":"many-layers","io.kubernetes.cri.sandbox-uid":"b78866ba-f3f0-4467-96f
7-f610d8db99ac","io.kubernetes.cri.container-name":"nginx"},"Linux":{"UIDMappings":[],"GIDMappings":[],"Sysctl":{},"Resources":{"Devices":[],"Memory":{"Limit":0,"Reservation":0,"Swap":0,"Kernel":0,"KernelTCP":0,"Swappiness":0,"DisableOOMKiller":false},"CPU":{"Shares":2,"Quota":0,"Period":100000,"RealtimeRuntime":0,"RealtimePeriod":0,"Cpus":"","Mems":""},"Pids":null,"BlockIO":null,"HugepageLimits":[],"Network":null},"CgroupsPath":"/kubepods/besteffort/podb78866ba-f3f0-4467-96f7-f610d8db99ac/b2857301a288aebb2752aa2dacdaa6c65fd2531f0b311cace466c4d6f5a687ca","Namespaces":[{"Type":"ipc","Path":""},{"Type":"uts","Path":""},{"Type":"mount","Path":""}],"Devices":[],"Seccomp":null,"RootfsPropagation":"","MaskedPaths":["/proc/asound","/proc/acpi","/proc/kcore","/proc/keys","/proc/latency_stats","/proc/timer_list","/proc/timer_stats","/proc/sched_debug","/proc/scsi","/sys/firmware"],"ReadonlyPaths":["/proc/bus","/proc/fs","/proc/irq","/proc/sys","/proc/sysrq-trigger"],"MountLabel":"","IntelRdt":null},"Solaris":null,"Windows":null},"sandbox_pidns":false,"shared_mounts":[]}], + +["ep":"StartContainerRequest",{"container_id":"b2857301a288aebb2752aa2dacdaa6c65fd2531f0b311cace466c4d6f5a687ca"}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/2ff1a73620295ecb586fbb55029b25f85440cbdd937aadc20beb6cb48418a45e-4fbfa3bedd17c360-hosts","file_size":207,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/2ff1a73620295ecb586fbb55029b25f85440cbdd937aadc20beb6cb48418a45e-8393af5f1c95b571-termination-log","file_size":0,"file_mode":33206,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + 
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/2ff1a73620295ecb586fbb55029b25f85440cbdd937aadc20beb6cb48418a45e-918ad672fd418a9b-hostname","file_size":12,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/2ff1a73620295ecb586fbb55029b25f85440cbdd937aadc20beb6cb48418a45e-ec4bd254a1be53b9-resolv.conf","file_size":102,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/2ff1a73620295ecb586fbb55029b25f85440cbdd937aadc20beb6cb48418a45e-0d5b5ffc09269c9c-serviceaccount","file_size":0,"file_mode":17407,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/2ff1a73620295ecb586fbb55029b25f85440cbdd937aadc20beb6cb48418a45e-0d5b5ffc09269c9c-serviceaccount/..2024_05_08_18_13_42.1553911240","file_size":0,"file_mode":16877,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/2ff1a73620295ecb586fbb55029b25f85440cbdd937aadc20beb6cb48418a45e-0d5b5ffc09269c9c-serviceaccount/..2024_05_08_18_13_42.1553911240/ca.crt","file_size":1761,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/2ff1a73620295ecb586fbb55029b25f85440cbdd937aadc20beb6cb48418a45e-0d5b5ffc09269c9c-serviceaccount/..2024_05_08_18_13_42.1553911240/namespace","file_size":7,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + 
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/2ff1a73620295ecb586fbb55029b25f85440cbdd937aadc20beb6cb48418a45e-0d5b5ffc09269c9c-serviceaccount/..2024_05_08_18_13_42.1553911240/token","file_size":1498,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/2ff1a73620295ecb586fbb55029b25f85440cbdd937aadc20beb6cb48418a45e-0d5b5ffc09269c9c-serviceaccount/..data","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..2024_05_08_18_13_42.1553911240"}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/2ff1a73620295ecb586fbb55029b25f85440cbdd937aadc20beb6cb48418a45e-0d5b5ffc09269c9c-serviceaccount/ca.crt","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..data/ca.crt"}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/2ff1a73620295ecb586fbb55029b25f85440cbdd937aadc20beb6cb48418a45e-0d5b5ffc09269c9c-serviceaccount/namespace","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..data/namespace"}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/2ff1a73620295ecb586fbb55029b25f85440cbdd937aadc20beb6cb48418a45e-0d5b5ffc09269c9c-serviceaccount/token","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..data/token"}], + 
+["ep":"CreateContainerRequest",{"container_id":"2ff1a73620295ecb586fbb55029b25f85440cbdd937aadc20beb6cb48418a45e","exec_id":"2ff1a73620295ecb586fbb55029b25f85440cbdd937aadc20beb6cb48418a45e","string_user":null,"devices":[],"storages":[{"driver":"blk","driver_options":[],"source":"0001:00:13.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=b29ba7302d7fc8ab1539ea28062e5793955cdc59f7352942928d4c7ab33e52ae"],"mount_point":"/run/kata-containers/sandbox/layers/0dd98e3e6ded8d0be40d376f7a7c01cb7792c6c8ef878ee9477a6f8fb9ddfa56","fs_group":null},{"driver":"blk","driver_options":[],"source":"0001:00:14.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=b4a7963727aa96024dc5c5b3f28b66803f4626f6506b58ee9fd49ff108aab822"],"mount_point":"/run/kata-containers/sandbox/layers/fac0b506b77176cb285eaadc33a2ea6274393227b117b9b9a6308a0ba7e8dba6","fs_group":null},{"driver":"blk","driver_options":[],"source":"0001:00:15.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=e7387f83726b29f52ef463f5744222ba05e2d47997447858764e53a864a6764d"],"mount_point":"/run/kata-containers/sandbox/layers/cdc8b889107d71c76d6a19e8a14e9ef7474ad2b8e92fece4e1b45d71595995b5","fs_group":null},{"driver":"blk","driver_options":[],"source":"0001:00:16.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=7a80e71d6d90a50ddf8e9f99141686e4609f0b47550ef74ff353624d2642db98"],"mount_point":"/run/kata-containers/sandbox/layers/3961d40e11473d8c5f93acb4f75853be0e99cde331a0f5e976ff2b42f9fdacef","fs_group":null},{"driver":"blk","driver_options":[],"source":"0001:00:17.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_devic
e=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=c8db6d3fd3aaa8f9d0ce5ca8c71f5e387e17f1a6a643f5fed9a4cae1223d21cd"],"mount_point":"/run/kata-containers/sandbox/layers/a930e6a3bad1e3c4273efacfebe109ede6f95183d00ad07203954f9c1a82ee12","fs_group":null},{"driver":"blk","driver_options":[],"source":"0001:00:18.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=f3264c3b7b9a8f5162e75efb16c55ea4b8357f7f64ad9f9afaacdbf2a47f35a5"],"mount_point":"/run/kata-containers/sandbox/layers/0fd7a4bd1c2edc7a543ab3fe5e20abaeea6b8a4e41615a21c4d41b775538799a","fs_group":null},{"driver":"blk","driver_options":[],"source":"0001:00:19.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=7f65f0b17878c3551a8c93f276ab4877141b4ef41ddc3d2e2b1ac62b424488d0"],"mount_point":"/run/kata-containers/sandbox/layers/0fe73c7dfe84bc931bb7a963139264fae6dd6fe515be77e839d713dc7a047815","fs_group":null},{"driver":"blk","driver_options":[],"source":"0001:00:1a.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=f5dda5084b20faa0369db54a9e89693cb6b7e98979bb66fc5b3a851cfbbdf0e3"],"mount_point":"/run/kata-containers/sandbox/layers/ae6e78946fb64d4209a67cf081079aaa700edbf91fa505f0f43535d4dfd24764","fs_group":null},{"driver":"blk","driver_options":[],"source":"0001:00:1b.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=8edba1283e614d6bdc8d39198ab29b8c624b95d8ecd3e811afbffb40bc8737cf"],"mount_point":"/run/kata-containers/sandbox/layers/d02c3d771c7fc6a6b2a92159b9bd32e6da0c9c13983a01018400acc90fc3169e","fs_group":null},{"driver":"blk","driver_options":[],"source":"0001:00:1c.0","fstype":"tar","options
":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=6aea5b3ddfab821031500c5e28949128f02dd7056e097347d8dfc42869100904"],"mount_point":"/run/kata-containers/sandbox/layers/38379b8565e0e3cb1dd23f377c83226bde7f7ea671c73acd8f18f2b00788b5ef","fs_group":null},{"driver":"blk","driver_options":[],"source":"0001:00:1d.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=629670d9bb1e00e62d92bddb1ae206048cc2de23419c0f87e3f97622b9b0db20"],"mount_point":"/run/kata-containers/sandbox/layers/329464327f97a7da572e609aa00ed988b5ebffc1537f8b8a0e330d36f055df01","fs_group":null},{"driver":"overlayfs","driver_options":[],"source":"none","fstype":"fuse3.kata-overlay","options":["io.katacontainers.fs-opt.layer-src-prefix=/var/lib/containerd/io.containerd.snapshotter.v1.tardev/layers","io.katacontainers.fs-opt.layer=MGRkOThlM2U2ZGVkOGQwYmU0MGQzNzZmN2E3YzAxY2I3NzkyYzZjOGVmODc4ZWU5NDc3YTZmOGZiOWRkZmE1Nix0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPWIyOWJhNzMwMmQ3ZmM4YWIxNTM5ZWEyODA2MmU1NzkzOTU1Y2RjNTlmNzM1Mjk0MjkyOGQ0YzdhYjMzZTUyYWU=","io.katacontainers.fs-opt.layer=ZmFjMGI1MDZiNzcxNzZjYjI4NWVhYWRjMzNhMmVhNjI3NDM5MzIyN2IxMTdiOWI5YTYzMDhhMGJhN2U4ZGJhNix0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPWI0YTc5NjM3MjdhYTk2MDI0ZGM1YzViM2YyOGI2NjgwM2Y0NjI2ZjY1MDZiNThlZTlmZDQ5ZmYxMDhhYWI4MjI=","io.katacontainers.fs-opt.layer=Y2RjOGI4ODkxMDdkNzFjNzZkNmExOWU4YTE0ZTllZjc0NzRhZDJiOGU5MmZlY2U0ZTFiNDVkNzE1OTU5OTViNSx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPWU3Mzg3ZjgzNzI2YjI5ZjUyZWY0NjNmNTc0NDIyMmJhMDVlMmQ
0Nzk5NzQ0Nzg1ODc2NGU1M2E4NjRhNjc2NGQ=","io.katacontainers.fs-opt.layer=Mzk2MWQ0MGUxMTQ3M2Q4YzVmOTNhY2I0Zjc1ODUzYmUwZTk5Y2RlMzMxYTBmNWU5NzZmZjJiNDJmOWZkYWNlZix0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPTdhODBlNzFkNmQ5MGE1MGRkZjhlOWY5OTE0MTY4NmU0NjA5ZjBiNDc1NTBlZjc0ZmYzNTM2MjRkMjY0MmRiOTg=","io.katacontainers.fs-opt.layer=YTkzMGU2YTNiYWQxZTNjNDI3M2VmYWNmZWJlMTA5ZWRlNmY5NTE4M2QwMGFkMDcyMDM5NTRmOWMxYTgyZWUxMix0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPWM4ZGI2ZDNmZDNhYWE4ZjlkMGNlNWNhOGM3MWY1ZTM4N2UxN2YxYTZhNjQzZjVmZWQ5YTRjYWUxMjIzZDIxY2Q=","io.katacontainers.fs-opt.layer=MGZkN2E0YmQxYzJlZGM3YTU0M2FiM2ZlNWUyMGFiYWVlYTZiOGE0ZTQxNjE1YTIxYzRkNDFiNzc1NTM4Nzk5YSx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPWYzMjY0YzNiN2I5YThmNTE2MmU3NWVmYjE2YzU1ZWE0YjgzNTdmN2Y2NGFkOWY5YWZhYWNkYmYyYTQ3ZjM1YTU=","io.katacontainers.fs-opt.layer=MGZlNzNjN2RmZTg0YmM5MzFiYjdhOTYzMTM5MjY0ZmFlNmRkNmZlNTE1YmU3N2U4MzlkNzEzZGM3YTA0NzgxNSx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPTdmNjVmMGIxNzg3OGMzNTUxYThjOTNmMjc2YWI0ODc3MTQxYjRlZjQxZGRjM2QyZTJiMWFjNjJiNDI0NDg4ZDA=","io.katacontainers.fs-opt.layer=YWU2ZTc4OTQ2ZmI2NGQ0MjA5YTY3Y2YwODEwNzlhYWE3MDBlZGJmOTFmYTUwNWYwZjQzNTM1ZDRkZmQyNDc2NCx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPWY1ZGRhNTA4NGIyMGZhYTAzNjlkYjU0YTllODk2OTNjYjZiN2U5ODk3OWJiNjZmYzViM2E4NTFjZmJiZGYwZTM=","io.katacontainers.fs-opt.layer=ZDAyYzNkNzcxYzdmYzZhNmIyYTkyMTU5YjliZDMyZTZkYTBjOWMxMzk4M2EwMTAxODQwMGFjYzkwZmMzMTY5ZSx0YXIscm8saW8
ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPThlZGJhMTI4M2U2MTRkNmJkYzhkMzkxOThhYjI5YjhjNjI0Yjk1ZDhlY2QzZTgxMWFmYmZmYjQwYmM4NzM3Y2Y=","io.katacontainers.fs-opt.layer=MzgzNzliODU2NWUwZTNjYjFkZDIzZjM3N2M4MzIyNmJkZTdmN2VhNjcxYzczYWNkOGYxOGYyYjAwNzg4YjVlZix0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPTZhZWE1YjNkZGZhYjgyMTAzMTUwMGM1ZTI4OTQ5MTI4ZjAyZGQ3MDU2ZTA5NzM0N2Q4ZGZjNDI4NjkxMDA5MDQ=","io.katacontainers.fs-opt.layer=MzI5NDY0MzI3Zjk3YTdkYTU3MmU2MDlhYTAwZWQ5ODhiNWViZmZjMTUzN2Y4YjhhMGUzMzBkMzZmMDU1ZGYwMSx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPTYyOTY3MGQ5YmIxZTAwZTYyZDkyYmRkYjFhZTIwNjA0OGNjMmRlMjM0MTljMGY4N2UzZjk3NjIyYjliMGRiMjA=","io.katacontainers.fs-opt.overlay-rw","lowerdir=0dd98e3e6ded8d0be40d376f7a7c01cb7792c6c8ef878ee9477a6f8fb9ddfa56:fac0b506b77176cb285eaadc33a2ea6274393227b117b9b9a6308a0ba7e8dba6:cdc8b889107d71c76d6a19e8a14e9ef7474ad2b8e92fece4e1b45d71595995b5:3961d40e11473d8c5f93acb4f75853be0e99cde331a0f5e976ff2b42f9fdacef:a930e6a3bad1e3c4273efacfebe109ede6f95183d00ad07203954f9c1a82ee12:0fd7a4bd1c2edc7a543ab3fe5e20abaeea6b8a4e41615a21c4d41b775538799a:0fe73c7dfe84bc931bb7a963139264fae6dd6fe515be77e839d713dc7a047815:ae6e78946fb64d4209a67cf081079aaa700edbf91fa505f0f43535d4dfd24764:d02c3d771c7fc6a6b2a92159b9bd32e6da0c9c13983a01018400acc90fc3169e:38379b8565e0e3cb1dd23f377c83226bde7f7ea671c73acd8f18f2b00788b5ef:329464327f97a7da572e609aa00ed988b5ebffc1537f8b8a0e330d36f055df01"],"mount_point":"/run/kata-containers/shared/containers/2ff1a73620295ecb586fbb55029b25f85440cbdd937aadc20beb6cb48418a45e","fs_group":null}],"OCI":{"Version":"1.1.0-rc.1","Process":{"Terminal":false,"ConsoleSize":null,"User":{"UID":0,"GID":0,"AdditionalGids":[0],"Usernam
e":""},"Args":["sh","-c","while true; do echo python; sleep 15; done"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","HOSTNAME=many-layers","DEBIAN_FRONTEND=noninteractive","LANG=en_US.UTF-8","LANGUAGE=en_US:UTF-8","LC_ALL=en_US.UTF-8","PYTHON_MAJOR=3.3","PYTHON_VERSION=3.3.6-4+xenial1","PYTHONIOENCODING=UTF-8","KUBERNETES_SERVICE_PORT_HTTPS=443","KUBERNETES_PORT=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP_PROTO=tcp","KUBERNETES_PORT_443_TCP_PORT=443","KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1","KUBERNETES_SERVICE_HOST=10.0.0.1","KUBERNETES_SERVICE_PORT=443"],"Cwd":"/","Capabilities":{"Bounding":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Effective":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Inheritable":[],"Permitted":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Ambient":[]},"Rlimits":[],"NoNewPrivileges":false,"ApparmorProfile":"cri-containerd.apparmor.d","OOMScoreAdj":1000,"SelinuxLabel":""},"Root":{"Path":"/run/kata-containers/shared/containers/2ff1a73620295ecb586fbb55029b25f85440cbdd937aadc20beb6cb48418a45e","Readonly":false},"Hostname":"","Mounts":[{"destination":"/proc","source":"proc","type_":"proc","options":["nosuid","noexec","nodev"]},{"destination":"/dev","source":"tmpfs","type_":"tmpfs","options":["nosuid","strictatime","mode=755","size=65536k"]},{"destination":"/dev/pts","source":"devpts","type_":"devpts","options":["nosuid","noexec","newinstance","ptmxmode=0666","mode=0620","gid=5"]},{"destinatio
n":"/dev/mqueue","source":"mqueue","type_":"mqueue","options":["nosuid","noexec","nodev"]},{"destination":"/sys","source":"sysfs","type_":"sysfs","options":["nosuid","noexec","nodev","ro"]},{"destination":"/sys/fs/cgroup","source":"cgroup","type_":"cgroup","options":["nosuid","noexec","nodev","relatime","ro"]},{"destination":"/etc/hosts","source":"/run/kata-containers/shared/containers/2ff1a73620295ecb586fbb55029b25f85440cbdd937aadc20beb6cb48418a45e-4fbfa3bedd17c360-hosts","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/dev/termination-log","source":"/run/kata-containers/shared/containers/2ff1a73620295ecb586fbb55029b25f85440cbdd937aadc20beb6cb48418a45e-8393af5f1c95b571-termination-log","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/etc/hostname","source":"/run/kata-containers/shared/containers/2ff1a73620295ecb586fbb55029b25f85440cbdd937aadc20beb6cb48418a45e-918ad672fd418a9b-hostname","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/etc/resolv.conf","source":"/run/kata-containers/shared/containers/2ff1a73620295ecb586fbb55029b25f85440cbdd937aadc20beb6cb48418a45e-ec4bd254a1be53b9-resolv.conf","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/dev/shm","source":"/run/kata-containers/sandbox/shm","type_":"bind","options":["rbind"]},{"destination":"/var/run/secrets/kubernetes.io/serviceaccount","source":"/run/kata-containers/shared/containers/2ff1a73620295ecb586fbb55029b25f85440cbdd937aadc20beb6cb48418a45e-0d5b5ffc09269c9c-serviceaccount","type_":"bind","options":["rbind","rprivate","ro"]}],"Hooks":null,"Annotations":{"io.kubernetes.cri.container-type":"container","io.kubernetes.cri.sandbox-namespace":"default","io.kubernetes.cri.container-name":"python","io.kubernetes.cri.image-name":"quay.io/baselibrary/python:latest","io.kubernetes.cri.sandbox-id":"1a97281baf36632476e6601c47269dfa70f153b73add2ecad27d682a267cc03c","io.kubernetes.cri.sandbox-name":"many-layers","io.kubernetes.cri.sandbox-uid
":"b78866ba-f3f0-4467-96f7-f610d8db99ac","io.katacontainers.pkg.oci.container_type":"pod_container","io.katacontainers.pkg.oci.bundle_path":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/2ff1a73620295ecb586fbb55029b25f85440cbdd937aadc20beb6cb48418a45e"},"Linux":{"UIDMappings":[],"GIDMappings":[],"Sysctl":{},"Resources":{"Devices":[],"Memory":{"Limit":0,"Reservation":0,"Swap":0,"Kernel":0,"KernelTCP":0,"Swappiness":0,"DisableOOMKiller":false},"CPU":{"Shares":2,"Quota":0,"Period":100000,"RealtimeRuntime":0,"RealtimePeriod":0,"Cpus":"","Mems":""},"Pids":null,"BlockIO":null,"HugepageLimits":[],"Network":null},"CgroupsPath":"/kubepods/besteffort/podb78866ba-f3f0-4467-96f7-f610d8db99ac/2ff1a73620295ecb586fbb55029b25f85440cbdd937aadc20beb6cb48418a45e","Namespaces":[{"Type":"ipc","Path":""},{"Type":"uts","Path":""},{"Type":"mount","Path":""}],"Devices":[],"Seccomp":null,"RootfsPropagation":"","MaskedPaths":["/proc/asound","/proc/acpi","/proc/kcore","/proc/keys","/proc/latency_stats","/proc/timer_list","/proc/timer_stats","/proc/sched_debug","/proc/scsi","/sys/firmware"],"ReadonlyPaths":["/proc/bus","/proc/fs","/proc/irq","/proc/sys","/proc/sysrq-trigger"],"MountLabel":"","IntelRdt":null},"Solaris":null,"Windows":null},"sandbox_pidns":false,"shared_mounts":[]}], + +["ep":"StartContainerRequest",{"container_id":"2ff1a73620295ecb586fbb55029b25f85440cbdd937aadc20beb6cb48418a45e"}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/2f2d56ca980c38212dd93439d6d02381ac24882a363a648ab3724666a410d100-f1ef6ff5e00f5f46-hosts","file_size":207,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/2f2d56ca980c38212dd93439d6d02381ac24882a363a648ab3724666a410d100-42168aa2791e3167-termination-log","file_size":0,"file_mode":33206,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + 
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/2f2d56ca980c38212dd93439d6d02381ac24882a363a648ab3724666a410d100-81134ec3739ec4f4-hostname","file_size":12,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/2f2d56ca980c38212dd93439d6d02381ac24882a363a648ab3724666a410d100-f71598673c8f16d8-resolv.conf","file_size":102,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/2f2d56ca980c38212dd93439d6d02381ac24882a363a648ab3724666a410d100-05e1290560832a13-serviceaccount","file_size":0,"file_mode":17407,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/2f2d56ca980c38212dd93439d6d02381ac24882a363a648ab3724666a410d100-05e1290560832a13-serviceaccount/..2024_05_08_18_13_42.1553911240","file_size":0,"file_mode":16877,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/2f2d56ca980c38212dd93439d6d02381ac24882a363a648ab3724666a410d100-05e1290560832a13-serviceaccount/..2024_05_08_18_13_42.1553911240/ca.crt","file_size":1761,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/2f2d56ca980c38212dd93439d6d02381ac24882a363a648ab3724666a410d100-05e1290560832a13-serviceaccount/..2024_05_08_18_13_42.1553911240/namespace","file_size":7,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + 
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/2f2d56ca980c38212dd93439d6d02381ac24882a363a648ab3724666a410d100-05e1290560832a13-serviceaccount/..2024_05_08_18_13_42.1553911240/token","file_size":1498,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/2f2d56ca980c38212dd93439d6d02381ac24882a363a648ab3724666a410d100-05e1290560832a13-serviceaccount/..data","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..2024_05_08_18_13_42.1553911240"}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/2f2d56ca980c38212dd93439d6d02381ac24882a363a648ab3724666a410d100-05e1290560832a13-serviceaccount/ca.crt","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..data/ca.crt"}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/2f2d56ca980c38212dd93439d6d02381ac24882a363a648ab3724666a410d100-05e1290560832a13-serviceaccount/namespace","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..data/namespace"}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/2f2d56ca980c38212dd93439d6d02381ac24882a363a648ab3724666a410d100-05e1290560832a13-serviceaccount/token","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..data/token"}], + 
+["ep":"CreateContainerRequest",{"container_id":"2f2d56ca980c38212dd93439d6d02381ac24882a363a648ab3724666a410d100","exec_id":"2f2d56ca980c38212dd93439d6d02381ac24882a363a648ab3724666a410d100","string_user":null,"devices":[],"storages":[{"driver":"blk","driver_options":[],"source":"0001:00:1e.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=95a62b4104926d605106d45297d54efefbc0aebc7b1e958d6fb34cd906a8480e"],"mount_point":"/run/kata-containers/sandbox/layers/aa8443e1e4be0894f996cac03f8e9af59cbe6546f1ba34ae4cec7ad145764a7c","fs_group":null},{"driver":"blk","driver_options":[],"source":"0001:00:1f.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=ab081115d88966ec7e0d95b41f2efe68b072a0a434c64701ece088026bb56067"],"mount_point":"/run/kata-containers/sandbox/layers/97d7611f7154f1352f6cbfe8a8d04c87b0a2777a3b19ccd843a607c662078950","fs_group":null},{"driver":"blk","driver_options":[],"source":"0002:00:01.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=5defa6be35bd183a5e1815ae621ecc72faae9b056310a93dbd4df2776b7d31d3"],"mount_point":"/run/kata-containers/sandbox/layers/6d3d050378d25aafc709cb424a9cc3eb7987c32d8dcc4a9de6e132e40af6e8d6","fs_group":null},{"driver":"blk","driver_options":[],"source":"0002:00:02.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=b0aad4ec3e3a7d6ed6f32d24845d92bc590f29e22f23e75bc509504791c7511c"],"mount_point":"/run/kata-containers/sandbox/layers/4febaf828ef36b382723b60b78dc5e67df97e985fd66020198559a4f68673ef5","fs_group":null},{"driver":"blk","driver_options":[],"source":"0002:00:03.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_devic
e=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=95cf9b40e3649a2fc26e83b298ad651e49587e8d3432787812b50c916536b41e"],"mount_point":"/run/kata-containers/sandbox/layers/a2807c015eb08c112c2b000612f4eab984c99bbd0b5a4ce395b40122c72c0127","fs_group":null},{"driver":"blk","driver_options":[],"source":"0002:00:04.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=b5178dce91914b8ff55b109e2b39d6eca6ca332b1c921e086e1a5ca06e70155b"],"mount_point":"/run/kata-containers/sandbox/layers/75071c3a113cec24136e847c1e3f0c2da8d44a5dd77a376d421f725b91b39c3e","fs_group":null},{"driver":"blk","driver_options":[],"source":"0002:00:05.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=a09eb427481e44591bd9a87cfe4b6ca733cbf337c38738944449424ac8b76999"],"mount_point":"/run/kata-containers/sandbox/layers/5b630283da49d0dae2eef07df3a7cc7ac371dc90d48c107be14074a3410e99f8","fs_group":null},{"driver":"blk","driver_options":[],"source":"0002:00:06.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=b3a49e775f42e9fe066200d68ab832058cf463bc215097ad9fd5a80533280a1b"],"mount_point":"/run/kata-containers/sandbox/layers/b34c6dd00f957143d3f34af0beeb03b19478ad825ea90d7d187b74ae8194115e","fs_group":null},{"driver":"blk","driver_options":[],"source":"0002:00:07.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=baa7f107b781d10c5456c86a482aa946ec907186658bf24f2f231454e4830046"],"mount_point":"/run/kata-containers/sandbox/layers/52e85e953143bbf2ebf32b23bbeee579984acf41b9ce2924a679ca5d9d8eb1b8","fs_group":null},{"driver":"overlayfs","driver_options":[],"source":"none","fstype":"fuse3.kata-over
lay","options":["io.katacontainers.fs-opt.layer-src-prefix=/var/lib/containerd/io.containerd.snapshotter.v1.tardev/layers","io.katacontainers.fs-opt.layer=YWE4NDQzZTFlNGJlMDg5NGY5OTZjYWMwM2Y4ZTlhZjU5Y2JlNjU0NmYxYmEzNGFlNGNlYzdhZDE0NTc2NGE3Yyx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPTk1YTYyYjQxMDQ5MjZkNjA1MTA2ZDQ1Mjk3ZDU0ZWZlZmJjMGFlYmM3YjFlOTU4ZDZmYjM0Y2Q5MDZhODQ4MGU=","io.katacontainers.fs-opt.layer=OTdkNzYxMWY3MTU0ZjEzNTJmNmNiZmU4YThkMDRjODdiMGEyNzc3YTNiMTljY2Q4NDNhNjA3YzY2MjA3ODk1MCx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPWFiMDgxMTE1ZDg4OTY2ZWM3ZTBkOTViNDFmMmVmZTY4YjA3MmEwYTQzNGM2NDcwMWVjZTA4ODAyNmJiNTYwNjc=","io.katacontainers.fs-opt.layer=NmQzZDA1MDM3OGQyNWFhZmM3MDljYjQyNGE5Y2MzZWI3OTg3YzMyZDhkY2M0YTlkZTZlMTMyZTQwYWY2ZThkNix0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPTVkZWZhNmJlMzViZDE4M2E1ZTE4MTVhZTYyMWVjYzcyZmFhZTliMDU2MzEwYTkzZGJkNGRmMjc3NmI3ZDMxZDM=","io.katacontainers.fs-opt.layer=NGZlYmFmODI4ZWYzNmIzODI3MjNiNjBiNzhkYzVlNjdkZjk3ZTk4NWZkNjYwMjAxOTg1NTlhNGY2ODY3M2VmNSx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPWIwYWFkNGVjM2UzYTdkNmVkNmYzMmQyNDg0NWQ5MmJjNTkwZjI5ZTIyZjIzZTc1YmM1MDk1MDQ3OTFjNzUxMWM=","io.katacontainers.fs-opt.layer=YTI4MDdjMDE1ZWIwOGMxMTJjMmIwMDA2MTJmNGVhYjk4NGM5OWJiZDBiNWE0Y2UzOTViNDAxMjJjNzJjMDEyNyx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPTk1Y2Y5YjQwZTM2NDlhMmZjMjZlODNiMjk4YWQ2NTFlNDk1ODdlOGQzNDMyNzg3ODEyYjUwYzkxNjUzNmI0MWU=","io.katacontainers.fs-opt.layer=NzUwNzFjM2ExMTN
jZWMyNDEzNmU4NDdjMWUzZjBjMmRhOGQ0NGE1ZGQ3N2EzNzZkNDIxZjcyNWI5MWIzOWMzZSx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPWI1MTc4ZGNlOTE5MTRiOGZmNTViMTA5ZTJiMzlkNmVjYTZjYTMzMmIxYzkyMWUwODZlMWE1Y2EwNmU3MDE1NWI=","io.katacontainers.fs-opt.layer=NWI2MzAyODNkYTQ5ZDBkYWUyZWVmMDdkZjNhN2NjN2FjMzcxZGM5MGQ0OGMxMDdiZTE0MDc0YTM0MTBlOTlmOCx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPWEwOWViNDI3NDgxZTQ0NTkxYmQ5YTg3Y2ZlNGI2Y2E3MzNjYmYzMzdjMzg3Mzg5NDQ0NDk0MjRhYzhiNzY5OTk=","io.katacontainers.fs-opt.layer=YjM0YzZkZDAwZjk1NzE0M2QzZjM0YWYwYmVlYjAzYjE5NDc4YWQ4MjVlYTkwZDdkMTg3Yjc0YWU4MTk0MTE1ZSx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPWIzYTQ5ZTc3NWY0MmU5ZmUwNjYyMDBkNjhhYjgzMjA1OGNmNDYzYmMyMTUwOTdhZDlmZDVhODA1MzMyODBhMWI=","io.katacontainers.fs-opt.layer=NTJlODVlOTUzMTQzYmJmMmViZjMyYjIzYmJlZWU1Nzk5ODRhY2Y0MWI5Y2UyOTI0YTY3OWNhNWQ5ZDhlYjFiOCx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPWJhYTdmMTA3Yjc4MWQxMGM1NDU2Yzg2YTQ4MmFhOTQ2ZWM5MDcxODY2NThiZjI0ZjJmMjMxNDU0ZTQ4MzAwNDY=","io.katacontainers.fs-opt.overlay-rw","lowerdir=aa8443e1e4be0894f996cac03f8e9af59cbe6546f1ba34ae4cec7ad145764a7c:97d7611f7154f1352f6cbfe8a8d04c87b0a2777a3b19ccd843a607c662078950:6d3d050378d25aafc709cb424a9cc3eb7987c32d8dcc4a9de6e132e40af6e8d6:4febaf828ef36b382723b60b78dc5e67df97e985fd66020198559a4f68673ef5:a2807c015eb08c112c2b000612f4eab984c99bbd0b5a4ce395b40122c72c0127:75071c3a113cec24136e847c1e3f0c2da8d44a5dd77a376d421f725b91b39c3e:5b630283da49d0dae2eef07df3a7cc7ac371dc90d48c107be14074a3410e99f8:b34c6dd00f957143d3f34af0beeb03b19478ad825ea90d7d187b74ae8194115e:52e85e953143bbf
2ebf32b23bbeee579984acf41b9ce2924a679ca5d9d8eb1b8"],"mount_point":"/run/kata-containers/shared/containers/2f2d56ca980c38212dd93439d6d02381ac24882a363a648ab3724666a410d100","fs_group":null}],"OCI":{"Version":"1.1.0-rc.1","Process":{"Terminal":false,"ConsoleSize":null,"User":{"UID":0,"GID":0,"AdditionalGids":[0],"Username":""},"Args":["sh","-c","while true; do echo go; sleep 25; done"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","HOSTNAME=many-layers","container=docker","KUBERNETES_SERVICE_PORT=443","KUBERNETES_SERVICE_PORT_HTTPS=443","KUBERNETES_PORT=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP_PROTO=tcp","KUBERNETES_PORT_443_TCP_PORT=443","KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1","KUBERNETES_SERVICE_HOST=10.0.0.1"],"Cwd":"/","Capabilities":{"Bounding":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Effective":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Inheritable":[],"Permitted":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Ambient":[]},"Rlimits":[],"NoNewPrivileges":false,"ApparmorProfile":"cri-containerd.apparmor.d","OOMScoreAdj":1000,"SelinuxLabel":""},"Root":{"Path":"/run/kata-containers/shared/containers/2f2d56ca980c38212dd93439d6d02381ac24882a363a648ab3724666a410d100","Readonly":false},"Hostname":"","Mounts":[{"destination":"/proc","source":"proc","type_":"proc","options":["nosuid","noexec","nodev"]},{"destination":"/dev","source":"tmpfs","type_":"tmpfs","options":["nosuid","strictatime","mode=755","size=65
536k"]},{"destination":"/dev/pts","source":"devpts","type_":"devpts","options":["nosuid","noexec","newinstance","ptmxmode=0666","mode=0620","gid=5"]},{"destination":"/dev/mqueue","source":"mqueue","type_":"mqueue","options":["nosuid","noexec","nodev"]},{"destination":"/sys","source":"sysfs","type_":"sysfs","options":["nosuid","noexec","nodev","ro"]},{"destination":"/sys/fs/cgroup","source":"cgroup","type_":"cgroup","options":["nosuid","noexec","nodev","relatime","ro"]},{"destination":"/etc/hosts","source":"/run/kata-containers/shared/containers/2f2d56ca980c38212dd93439d6d02381ac24882a363a648ab3724666a410d100-f1ef6ff5e00f5f46-hosts","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/dev/termination-log","source":"/run/kata-containers/shared/containers/2f2d56ca980c38212dd93439d6d02381ac24882a363a648ab3724666a410d100-42168aa2791e3167-termination-log","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/etc/hostname","source":"/run/kata-containers/shared/containers/2f2d56ca980c38212dd93439d6d02381ac24882a363a648ab3724666a410d100-81134ec3739ec4f4-hostname","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/etc/resolv.conf","source":"/run/kata-containers/shared/containers/2f2d56ca980c38212dd93439d6d02381ac24882a363a648ab3724666a410d100-f71598673c8f16d8-resolv.conf","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/dev/shm","source":"/run/kata-containers/sandbox/shm","type_":"bind","options":["rbind"]},{"destination":"/var/run/secrets/kubernetes.io/serviceaccount","source":"/run/kata-containers/shared/containers/2f2d56ca980c38212dd93439d6d02381ac24882a363a648ab3724666a410d100-05e1290560832a13-serviceaccount","type_":"bind","options":["rbind","rprivate","ro"]}],"Hooks":null,"Annotations":{"io.kubernetes.cri.sandbox-id":"1a97281baf36632476e6601c47269dfa70f153b73add2ecad27d682a267cc03c","io.kubernetes.cri.container-type":"container","io.kubernetes.cri.image-name":"quay.io/k0sproject/bootloose-ubuntu22.04:l
atest","io.kubernetes.cri.container-name":"bootloose","io.kubernetes.cri.sandbox-name":"many-layers","io.kubernetes.cri.sandbox-uid":"b78866ba-f3f0-4467-96f7-f610d8db99ac","io.kubernetes.cri.sandbox-namespace":"default","io.katacontainers.pkg.oci.bundle_path":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/2f2d56ca980c38212dd93439d6d02381ac24882a363a648ab3724666a410d100","io.katacontainers.pkg.oci.container_type":"pod_container"},"Linux":{"UIDMappings":[],"GIDMappings":[],"Sysctl":{},"Resources":{"Devices":[],"Memory":{"Limit":0,"Reservation":0,"Swap":0,"Kernel":0,"KernelTCP":0,"Swappiness":0,"DisableOOMKiller":false},"CPU":{"Shares":2,"Quota":0,"Period":100000,"RealtimeRuntime":0,"RealtimePeriod":0,"Cpus":"","Mems":""},"Pids":null,"BlockIO":null,"HugepageLimits":[],"Network":null},"CgroupsPath":"/kubepods/besteffort/podb78866ba-f3f0-4467-96f7-f610d8db99ac/2f2d56ca980c38212dd93439d6d02381ac24882a363a648ab3724666a410d100","Namespaces":[{"Type":"ipc","Path":""},{"Type":"uts","Path":""},{"Type":"mount","Path":""}],"Devices":[],"Seccomp":null,"RootfsPropagation":"","MaskedPaths":["/proc/asound","/proc/acpi","/proc/kcore","/proc/keys","/proc/latency_stats","/proc/timer_list","/proc/timer_stats","/proc/sched_debug","/proc/scsi","/sys/firmware"],"ReadonlyPaths":["/proc/bus","/proc/fs","/proc/irq","/proc/sys","/proc/sysrq-trigger"],"MountLabel":"","IntelRdt":null},"Solaris":null,"Windows":null},"sandbox_pidns":false,"shared_mounts":[]}], + +["ep":"StartContainerRequest",{"container_id":"2f2d56ca980c38212dd93439d6d02381ac24882a363a648ab3724666a410d100"}], diff --git a/tests/kata/data/pod-many-layers/outputs.json b/tests/kata/data/pod-many-layers/outputs.json new file mode 100644 index 00000000..3bd0921b --- /dev/null +++ b/tests/kata/data/pod-many-layers/outputs.json 
@@ -0,0 +1,72 @@ +[ + false, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true +] \ No newline at end of file diff --git a/tests/kata/data/pod-many-layers/policy.rego b/tests/kata/data/pod-many-layers/policy.rego new file mode 100644 index 00000000..6c1c41f1 --- /dev/null +++ b/tests/kata/data/pod-many-layers/policy.rego 
@@ -0,0 +1,2926 @@ +# Copyright (c) 2023 Microsoft Corporation +# +# SPDX-License-Identifier: Apache-2.0 +# +package agent_policy + +import future.keywords.in +import future.keywords.every + +# Default values, returned by OPA when rules cannot be evaluated to true. +default AddARPNeighborsRequest := false +default AddSwapRequest := false +default CloseStdinRequest := false +default CopyFileRequest := false +default CreateContainerRequest := false +default CreateSandboxRequest := false +default DestroySandboxRequest := true +default ExecProcessRequest := false +default GetOOMEventRequest := true +default GuestDetailsRequest := true +default ListInterfacesRequest := false +default ListRoutesRequest := false +default MemHotplugByProbeRequest := false +default OnlineCPUMemRequest := true +default PauseContainerRequest := false +default ReadStreamRequest := false +default RemoveContainerRequest := true +default RemoveStaleVirtiofsShareMountsRequest := true +default ReseedRandomDevRequest := false +default ResumeContainerRequest := false +default SetGuestDateTimeRequest := false +default SetPolicyRequest := false +default SignalProcessRequest := true +default StartContainerRequest := true +default StartTracingRequest := false +default StatsContainerRequest := true +default StopTracingRequest := false +default TtyWinResizeRequest := true +default UpdateContainerRequest := false +default UpdateEphemeralMountsRequest := false +default UpdateInterfaceRequest := true +default UpdateRoutesRequest := true +default WaitProcessRequest := true +default WriteStreamRequest := false + +# AllowRequestsFailingPolicy := true configures the Agent to *allow any +# requests causing a policy failure*. This is an unsecure configuration +# but is useful for allowing unsecure pods to start, then connect to +# them and inspect OPA logs for the root cause of a failure. 
+default AllowRequestsFailingPolicy := false + +CreateContainerRequest { + i_oci := input.OCI + i_storages := input.storages + + print("CreateContainerRequest: i_oci.Hooks =", i_oci.Hooks) + is_null(i_oci.Hooks) + + print("CreateContainerRequest: i_oci.Linux.Seccomp =", i_oci.Linux.Seccomp) + is_null(i_oci.Linux.Seccomp) + + some p_container in policy_data.containers + print("======== CreateContainerRequest: trying next policy container") + + p_pidns := p_container.sandbox_pidns + i_pidns := input.sandbox_pidns + print("CreateContainerRequest: p_pidns =", p_pidns, "i_pidns =", i_pidns) + p_pidns == i_pidns + + p_oci := p_container.OCI + + print("CreateContainerRequest: p Version =", p_oci.Version, "i Version =", i_oci.Version) + p_oci.Version == i_oci.Version + + print("CreateContainerRequest: p Readonly =", p_oci.Root.Readonly, "i Readonly =", i_oci.Root.Readonly) + p_oci.Root.Readonly == i_oci.Root.Readonly + + allow_anno(p_oci, i_oci) + + p_storages := p_container.storages + allow_by_anno(p_oci, i_oci, p_storages, i_storages) + + allow_linux(p_oci, i_oci) + + print("CreateContainerRequest: true") +} + +# Reject unexpected annotations. 
+allow_anno(p_oci, i_oci) { + print("allow_anno 1: start") + + not i_oci.Annotations + + print("allow_anno 1: true") +} +allow_anno(p_oci, i_oci) { + print("allow_anno 2: p Annotations =", p_oci.Annotations) + print("allow_anno 2: i Annotations =", i_oci.Annotations) + + i_keys := object.keys(i_oci.Annotations) + print("allow_anno 2: i keys =", i_keys) + + every i_key in i_keys { + allow_anno_key(i_key, p_oci) + } + + print("allow_anno 2: true") +} + +allow_anno_key(i_key, p_oci) { + print("allow_anno_key 1: i key =", i_key) + + startswith(i_key, "io.kubernetes.cri.") + + print("allow_anno_key 1: true") +} +allow_anno_key(i_key, p_oci) { + print("allow_anno_key 2: i key =", i_key) + + some p_key, _ in p_oci.Annotations + p_key == i_key + + print("allow_anno_key 2: true") +} + +# Get the value of the "io.kubernetes.cri.sandbox-name" annotation and +# correlate it with other annotations and process fields. +allow_by_anno(p_oci, i_oci, p_storages, i_storages) { + print("allow_by_anno 1: start") + + s_name := "io.kubernetes.cri.sandbox-name" + + not p_oci.Annotations[s_name] + + i_s_name := i_oci.Annotations[s_name] + print("allow_by_anno 1: i_s_name =", i_s_name) + + allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, i_s_name) + + print("allow_by_anno 1: true") +} +allow_by_anno(p_oci, i_oci, p_storages, i_storages) { + print("allow_by_anno 2: start") + + s_name := "io.kubernetes.cri.sandbox-name" + + p_s_name := p_oci.Annotations[s_name] + i_s_name := i_oci.Annotations[s_name] + print("allow_by_anno 2: i_s_name =", i_s_name, "p_s_name =", p_s_name) + + allow_sandbox_name(p_s_name, i_s_name) + allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, i_s_name) + + print("allow_by_anno 2: true") +} + +allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, s_name) { + print("allow_by_sandbox_name: start") + + s_namespace := "io.kubernetes.cri.sandbox-namespace" + + p_namespace := p_oci.Annotations[s_namespace] + i_namespace := 
i_oci.Annotations[s_namespace] + print("allow_by_sandbox_name: p_namespace =", p_namespace, "i_namespace =", i_namespace) + p_namespace == i_namespace + + allow_by_container_types(p_oci, i_oci, s_name, p_namespace) + allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) + allow_process(p_oci, i_oci, s_name) + + print("allow_by_sandbox_name: true") +} + +allow_sandbox_name(p_s_name, i_s_name) { + print("allow_sandbox_name 1: start") + + p_s_name == i_s_name + + print("allow_sandbox_name 1: true") +} +allow_sandbox_name(p_s_name, i_s_name) { + print("allow_sandbox_name 2: start") + + # TODO: should generated names be handled differently? + contains(p_s_name, "$(generated-name)") + + print("allow_sandbox_name 2: true") +} + +# Check that the "io.kubernetes.cri.container-type" and +# "io.katacontainers.pkg.oci.container_type" annotations designate the +# expected type - either a "sandbox" or a "container". Then, validate +# other annotations based on the actual "sandbox" or "container" value +# from the input container. 
+allow_by_container_types(p_oci, i_oci, s_name, s_namespace) { + print("allow_by_container_types: checking io.kubernetes.cri.container-type") + + c_type := "io.kubernetes.cri.container-type" + + p_cri_type := p_oci.Annotations[c_type] + i_cri_type := i_oci.Annotations[c_type] + print("allow_by_container_types: p_cri_type =", p_cri_type, "i_cri_type =", i_cri_type) + p_cri_type == i_cri_type + + allow_by_container_type(i_cri_type, p_oci, i_oci, s_name, s_namespace) + + print("allow_by_container_types: true") +} + +allow_by_container_type(i_cri_type, p_oci, i_oci, s_name, s_namespace) { + print("allow_by_container_type 1: i_cri_type =", i_cri_type) + i_cri_type == "sandbox" + + i_kata_type := i_oci.Annotations["io.katacontainers.pkg.oci.container_type"] + print("allow_by_container_type 1: i_kata_type =", i_kata_type) + i_kata_type == "pod_sandbox" + + allow_sandbox_container_name(p_oci, i_oci) + allow_sandbox_net_namespace(p_oci, i_oci) + allow_sandbox_log_directory(p_oci, i_oci, s_name, s_namespace) + + print("allow_by_container_type 1: true") +} + +allow_by_container_type(i_cri_type, p_oci, i_oci, s_name, s_namespace) { + print("allow_by_container_type 2: i_cri_type =", i_cri_type) + i_cri_type == "container" + + i_kata_type := i_oci.Annotations["io.katacontainers.pkg.oci.container_type"] + print("allow_by_container_type 2: i_kata_type =", i_kata_type) + i_kata_type == "pod_container" + + allow_container_name(p_oci, i_oci) + allow_net_namespace(p_oci, i_oci) + allow_log_directory(p_oci, i_oci) + + print("allow_by_container_type 2: true") +} + +# "io.kubernetes.cri.container-name" annotation +allow_sandbox_container_name(p_oci, i_oci) { + print("allow_sandbox_container_name: start") + + container_annotation_missing(p_oci, i_oci, "io.kubernetes.cri.container-name") + + print("allow_sandbox_container_name: true") +} + +allow_container_name(p_oci, i_oci) { + print("allow_container_name: start") + + allow_container_annotation(p_oci, i_oci, 
"io.kubernetes.cri.container-name") + + print("allow_container_name: true") +} + +container_annotation_missing(p_oci, i_oci, key) { + print("container_annotation_missing:", key) + + not p_oci.Annotations[key] + not i_oci.Annotations[key] + + print("container_annotation_missing: true") +} + +allow_container_annotation(p_oci, i_oci, key) { + print("allow_container_annotation: key =", key) + + p_value := p_oci.Annotations[key] + i_value := i_oci.Annotations[key] + print("allow_container_annotation: p_value =", p_value, "i_value =", i_value) + + p_value == i_value + + print("allow_container_annotation: true") +} + +# "nerdctl/network-namespace" annotation +allow_sandbox_net_namespace(p_oci, i_oci) { + print("allow_sandbox_net_namespace: start") + + key := "nerdctl/network-namespace" + + p_namespace := p_oci.Annotations[key] + i_namespace := i_oci.Annotations[key] + print("allow_sandbox_net_namespace: p_namespace =", p_namespace, "i_namespace =", i_namespace) + + regex.match(p_namespace, i_namespace) + + print("allow_sandbox_net_namespace: true") +} + +allow_net_namespace(p_oci, i_oci) { + print("allow_net_namespace: start") + + key := "nerdctl/network-namespace" + + not p_oci.Annotations[key] + not i_oci.Annotations[key] + + print("allow_net_namespace: true") +} + +# "io.kubernetes.cri.sandbox-log-directory" annotation +allow_sandbox_log_directory(p_oci, i_oci, s_name, s_namespace) { + print("allow_sandbox_log_directory: start") + + key := "io.kubernetes.cri.sandbox-log-directory" + + p_dir := p_oci.Annotations[key] + regex1 := replace(p_dir, "$(sandbox-name)", s_name) + regex2 := replace(regex1, "$(sandbox-namespace)", s_namespace) + print("allow_sandbox_log_directory: regex2 =", regex2) + + i_dir := i_oci.Annotations[key] + print("allow_sandbox_log_directory: i_dir =", i_dir) + + regex.match(regex2, i_dir) + + print("allow_sandbox_log_directory: true") +} + +allow_log_directory(p_oci, i_oci) { + print("allow_log_directory: start") + + key := 
"io.kubernetes.cri.sandbox-log-directory" + + not p_oci.Annotations[key] + not i_oci.Annotations[key] + + print("allow_log_directory: true") +} + +allow_linux(p_oci, i_oci) { + p_namespaces := p_oci.Linux.Namespaces + print("allow_linux: p namespaces =", p_namespaces) + + i_namespaces := i_oci.Linux.Namespaces + print("allow_linux: i namespaces =", i_namespaces) + + p_namespaces == i_namespaces + + allow_masked_paths(p_oci, i_oci) + allow_readonly_paths(p_oci, i_oci) + + print("allow_linux: true") +} + +allow_masked_paths(p_oci, i_oci) { + p_paths := p_oci.Linux.MaskedPaths + print("allow_masked_paths 1: p_paths =", p_paths) + + i_paths := i_oci.Linux.MaskedPaths + print("allow_masked_paths 1: i_paths =", i_paths) + + allow_masked_paths_array(p_paths, i_paths) + + print("allow_masked_paths 1: true") +} +allow_masked_paths(p_oci, i_oci) { + print("allow_masked_paths 2: start") + + not p_oci.Linux.MaskedPaths + not i_oci.Linux.MaskedPaths + + print("allow_masked_paths 2: true") +} + +# All the policy masked paths must be masked in the input data too. +# Input is allowed to have more masked paths than the policy. 
+allow_masked_paths_array(p_array, i_array) { + every p_elem in p_array { + allow_masked_path(p_elem, i_array) + } +} + +allow_masked_path(p_elem, i_array) { + print("allow_masked_path: p_elem =", p_elem) + + some i_elem in i_array + p_elem == i_elem + + print("allow_masked_path: true") +} + +allow_readonly_paths(p_oci, i_oci) { + p_paths := p_oci.Linux.ReadonlyPaths + print("allow_readonly_paths 1: p_paths =", p_paths) + + i_paths := i_oci.Linux.ReadonlyPaths + print("allow_readonly_paths 1: i_paths =", i_paths) + + allow_readonly_paths_array(p_paths, i_paths, i_oci.Linux.MaskedPaths) + + print("allow_readonly_paths 1: true") +} +allow_readonly_paths(p_oci, i_oci) { + print("allow_readonly_paths 2: start") + + not p_oci.Linux.ReadonlyPaths + not i_oci.Linux.ReadonlyPaths + + print("allow_readonly_paths 2: true") +} + +# All the policy readonly paths must be either: +# - Present in the input readonly paths, or +# - Present in the input masked paths. +# Input is allowed to have more readonly paths than the policy. +allow_readonly_paths_array(p_array, i_array, masked_paths) { + every p_elem in p_array { + allow_readonly_path(p_elem, i_array, masked_paths) + } +} + +allow_readonly_path(p_elem, i_array, masked_paths) { + print("allow_readonly_path 1: p_elem =", p_elem) + + some i_elem in i_array + p_elem == i_elem + + print("allow_readonly_path 1: true") +} +allow_readonly_path(p_elem, i_array, masked_paths) { + print("allow_readonly_path 2: p_elem =", p_elem) + + some i_masked in masked_paths + p_elem == i_masked + + print("allow_readonly_path 2: true") +} + +# Check the consistency of the input "io.katacontainers.pkg.oci.bundle_path" +# and io.kubernetes.cri.sandbox-id" values with other fields. 
+allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) {
+ print("allow_by_bundle_or_sandbox_id: start")
+
+ bundle_path := i_oci.Annotations["io.katacontainers.pkg.oci.bundle_path"]
+ bundle_id := replace(bundle_path, "/run/containerd/io.containerd.runtime.v2.task/k8s.io/", "")
+
+ key := "io.kubernetes.cri.sandbox-id"
+
+ p_regex := p_oci.Annotations[key]
+ sandbox_id := i_oci.Annotations[key]
+
+ print("allow_by_bundle_or_sandbox_id: sandbox_id =", sandbox_id, "regex =", p_regex)
+ regex.match(p_regex, sandbox_id)
+
+ allow_root_path(p_oci, i_oci, bundle_id)
+
+ every i_mount in input.OCI.Mounts {
+ allow_mount(p_oci, i_mount, bundle_id, sandbox_id)
+ }
+
+ allow_storages(p_storages, i_storages, bundle_id, sandbox_id)
+
+ print("allow_by_bundle_or_sandbox_id: true")
+}
+
+allow_process(p_oci, i_oci, s_name) {
+ p_process := p_oci.Process
+ i_process := i_oci.Process
+
+ print("allow_process: i terminal =", i_process.Terminal, "p terminal =", p_process.Terminal)
+ p_process.Terminal == i_process.Terminal
+
+ print("allow_process: i cwd =", i_process.Cwd, "i cwd =", p_process.Cwd)
+ p_process.Cwd == i_process.Cwd
+
+ print("allow_process: i noNewPrivileges =", i_process.NoNewPrivileges, "p noNewPrivileges =", p_process.NoNewPrivileges)
+ p_process.NoNewPrivileges == i_process.NoNewPrivileges
+
+ allow_caps(p_process.Capabilities, i_process.Capabilities)
+ allow_user(p_process, i_process)
+ allow_args(p_process, i_process, s_name)
+ allow_env(p_process, i_process, s_name)
+
+ print("allow_process: true")
+}
+
+allow_user(p_process, i_process) {
+ p_user := p_process.User
+ i_user := i_process.User
+
+ print("allow_user: input uid =", i_user.UID, "policy uid =", p_user.UID)
+ p_user.UID == i_user.UID
+
+ # TODO: track down the reason for registry.k8s.io/pause:3.9 being
+ # executed with gid = 0 despite having "65535:65535" in its container image
+ # config.
+ #print("allow_user: input gid =", i_user.GID, "policy gid =", p_user.GID)
+ #p_user.GID == i_user.GID
+
+ # TODO: compare the additionalGids field too after computing its value
+ # based on /etc/passwd and /etc/group from the container image.
+}
+
+allow_args(p_process, i_process, s_name) {
+ print("allow_args 1: no args")
+
+ not p_process.Args
+ not i_process.Args
+
+ print("allow_args 1: true")
+}
+allow_args(p_process, i_process, s_name) {
+ print("allow_args 2: policy args =", p_process.Args)
+ print("allow_args 2: input args =", i_process.Args)
+
+ count(p_process.Args) == count(i_process.Args)
+
+ every i, i_arg in i_process.Args {
+ allow_arg(i, i_arg, p_process, s_name)
+ }
+
+ print("allow_args 2: true")
+}
+allow_arg(i, i_arg, p_process, s_name) {
+ p_arg := p_process.Args[i]
+ print("allow_arg 1: i =", i, "i_arg =", i_arg, "p_arg =", p_arg)
+
+ p_arg2 := replace(p_arg, "$$", "$")
+ p_arg2 == i_arg
+
+ print("allow_arg 1: true")
+}
+allow_arg(i, i_arg, p_process, s_name) {
+ p_arg := p_process.Args[i]
+ print("allow_arg 2: i =", i, "i_arg =", i_arg, "p_arg =", p_arg)
+
+ # TODO: can $(node-name) be handled better?
+ contains(p_arg, "$(node-name)")
+
+ print("allow_arg 2: true")
+}
+allow_arg(i, i_arg, p_process, s_name) {
+ p_arg := p_process.Args[i]
+ print("allow_arg 3: i =", i, "i_arg =", i_arg, "p_arg =", p_arg)
+
+ p_arg2 := replace(p_arg, "$$", "$")
+ p_arg3 := replace(p_arg2, "$(sandbox-name)", s_name)
+ print("allow_arg 3: p_arg3 =", p_arg3)
+ p_arg3 == i_arg
+
+ print("allow_arg 3: true")
+}
+
+# OCI process.Env field
+allow_env(p_process, i_process, s_name) {
+ print("allow_env: p env =", p_process.Env)
+ print("allow_env: i env =", i_process.Env)
+
+ every i_var in i_process.Env {
+ print("allow_env: i_var =", i_var)
+ allow_var(p_process, i_process, i_var, s_name)
+ }
+
+ print("allow_env: true")
+}
+
+# Allow input env variables that are present in the policy data too.
+allow_var(p_process, i_process, i_var, s_name) {
+ some p_var in p_process.Env
+ p_var == i_var
+ print("allow_var 1: true")
+}
+
+# Match input with one of the policy variables, after substituting $(sandbox-name).
+allow_var(p_process, i_process, i_var, s_name) {
+ some p_var in p_process.Env
+ p_var2 := replace(p_var, "$(sandbox-name)", s_name)
+
+ print("allow_var 2: p_var2 =", p_var2)
+ p_var2 == i_var
+
+ print("allow_var 2: true")
+}
+
+# Allow input env variables that match with a request_defaults regex.
+allow_var(p_process, i_process, i_var, s_name) {
+ some p_regex1 in policy_data.request_defaults.CreateContainerRequest.allow_env_regex
+ p_regex2 := replace(p_regex1, "$(ipv4_a)", policy_data.common.ipv4_a)
+ p_regex3 := replace(p_regex2, "$(ip_p)", policy_data.common.ip_p)
+ p_regex4 := replace(p_regex3, "$(svc_name)", policy_data.common.svc_name)
+ p_regex5 := replace(p_regex4, "$(dns_label)", policy_data.common.dns_label)
+
+ print("allow_var 3: p_regex5 =", p_regex5)
+ regex.match(p_regex5, i_var)
+
+ print("allow_var 3: true")
+}
+
+# Allow fieldRef "fieldPath: status.podIP" values.
+allow_var(p_process, i_process, i_var, s_name) {
+ name_value := split(i_var, "=")
+ count(name_value) == 2
+ is_ip(name_value[1])
+
+ some p_var in p_process.Env
+ allow_pod_ip_var(name_value[0], p_var)
+
+ print("allow_var 4: true")
+}
+
+# Allow common fieldRef variables.
+allow_var(p_process, i_process, i_var, s_name) {
+ name_value := split(i_var, "=")
+ count(name_value) == 2
+
+ some p_var in p_process.Env
+ p_name_value := split(p_var, "=")
+ count(p_name_value) == 2
+
+ p_name_value[0] == name_value[0]
+
+ # TODO: should these be handled in a different way?
+ always_allowed := ["$(host-name)", "$(node-name)", "$(pod-uid)"]
+ some allowed in always_allowed
+ contains(p_name_value[1], allowed)
+
+ print("allow_var 5: true")
+}
+
+# Allow fieldRef "fieldPath: status.hostIP" values.
+allow_var(p_process, i_process, i_var, s_name) {
+ name_value := split(i_var, "=")
+ count(name_value) == 2
+ is_ip(name_value[1])
+
+ some p_var in p_process.Env
+ allow_host_ip_var(name_value[0], p_var)
+
+ print("allow_var 6: true")
+}
+
+# Allow resourceFieldRef values (e.g., "limits.cpu").
+allow_var(p_process, i_process, i_var, s_name) {
+ name_value := split(i_var, "=")
+ count(name_value) == 2
+
+ some p_var in p_process.Env
+ p_name_value := split(p_var, "=")
+ count(p_name_value) == 2
+
+ p_name_value[0] == name_value[0]
+
+ # TODO: should these be handled in a different way?
+ always_allowed = ["$(resource-field)", "$(todo-annotation)"]
+ some allowed in always_allowed
+ contains(p_name_value[1], allowed)
+
+ print("allow_var 7: true")
+}
+
+allow_pod_ip_var(var_name, p_var) {
+ print("allow_pod_ip_var: var_name =", var_name, "p_var =", p_var)
+
+ p_name_value := split(p_var, "=")
+ count(p_name_value) == 2
+
+ p_name_value[0] == var_name
+ p_name_value[1] == "$(pod-ip)"
+
+ print("allow_pod_ip_var: true")
+}
+
+allow_host_ip_var(var_name, p_var) {
+ print("allow_host_ip_var: var_name =", var_name, "p_var =", p_var)
+
+ p_name_value := split(p_var, "=")
+ count(p_name_value) == 2
+
+ p_name_value[0] == var_name
+ p_name_value[1] == "$(host-ip)"
+
+ print("allow_host_ip_var: true")
+}
+
+is_ip(value) {
+ bytes = split(value, ".")
+ count(bytes) == 4
+
+ is_ip_first_byte(bytes[0])
+ is_ip_other_byte(bytes[1])
+ is_ip_other_byte(bytes[2])
+ is_ip_other_byte(bytes[3])
+}
+is_ip_first_byte(component) {
+ number = to_number(component)
+ number >= 1
+ number <= 255
+}
+is_ip_other_byte(component) {
+ number = to_number(component)
+ number >= 0
+ number <= 255
+}
+
+# OCI root.Path
+allow_root_path(p_oci, i_oci, bundle_id) {
+ i_path := i_oci.Root.Path
+ p_path1 := p_oci.Root.Path
+ print("allow_root_path: i_path =", i_path, "p_path1 =", p_path1)
+
+ p_path2 := replace(p_path1, "$(cpath)", policy_data.common.cpath)
+ print("allow_root_path: p_path2 =", p_path2)
+
+ p_path3 := replace(p_path2, "$(bundle-id)", bundle_id)
+ print("allow_root_path: p_path3 =", p_path3)
+
+ p_path3 == i_path
+
+ print("allow_root_path: true")
+}
+
+# device mounts
+allow_mount(p_oci, i_mount, bundle_id, sandbox_id) {
+ print("allow_mount: i_mount =", i_mount)
+
+ some p_mount in p_oci.Mounts
+ print("allow_mount: p_mount =", p_mount)
+ check_mount(p_mount, i_mount, bundle_id, sandbox_id)
+
+ # TODO: are there any other required policy checks for mounts - e.g.,
+ # multiple mounts with same source or destination?
+
+ print("allow_mount: true")
+}
+
+check_mount(p_mount, i_mount, bundle_id, sandbox_id) {
+ p_mount == i_mount
+ print("check_mount 1: true")
+}
+check_mount(p_mount, i_mount, bundle_id, sandbox_id) {
+ p_mount.destination == i_mount.destination
+ p_mount.type_ == i_mount.type_
+ p_mount.options == i_mount.options
+
+ mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id)
+
+ print("check_mount 2: true")
+}
+
+mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) {
+ regex1 := p_mount.source
+ regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix)
+ regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath)
+ regex4 := replace(regex3, "$(bundle-id)", bundle_id)
+
+ print("mount_source_allows 1: regex4 =", regex4)
+ regex.match(regex4, i_mount.source)
+
+ print("mount_source_allows 1: true")
+}
+mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) {
+ regex1 := p_mount.source
+ regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix)
+ regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath)
+ regex4 := replace(regex3, "$(sandbox-id)", sandbox_id)
+
+ print("mount_source_allows 2: regex4 =", regex4)
+ regex.match(regex4, i_mount.source)
+
+ print("mount_source_allows 2: true")
+}
+mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) {
+ print("mount_source_allows 3: i_mount.source=", i_mount.source)
+
+ i_source_parts = split(i_mount.source, "/")
+ b64_direct_vol_path = i_source_parts[count(i_source_parts) - 1]
+
+ base64.is_valid(b64_direct_vol_path)
+
+ source1 := p_mount.source
+ print("mount_source_allows 3: source1 =", source1)
+
+ source2 := replace(source1, "$(spath)", policy_data.common.spath)
+ print("mount_source_allows 3: source2 =", source2)
+
+ source3 := replace(source2, "$(b64-direct-vol-path)", b64_direct_vol_path)
+ print("mount_source_allows 3: source3 =", source3)
+
+ source3 == i_mount.source
+
+ print("mount_source_allows 3: true")
+}
+
+######################################################################
+# Create container Storages
+
+allow_storages(p_storages, i_storages, bundle_id, sandbox_id) {
+ p_count := count(p_storages)
+ i_count := count(i_storages)
+ print("allow_storages: p_count =", p_count, "i_count =", i_count)
+
+ p_count == i_count
+
+ # Get the container image layer IDs and verity root hashes, from the "overlayfs" storage.
+ some overlay_storage in p_storages
+ overlay_storage.driver == "overlayfs"
+ print("allow_storages: overlay_storage =", overlay_storage)
+ count(overlay_storage.options) == 2
+
+ layer_ids := split(overlay_storage.options[0], ":")
+ print("allow_storages: layer_ids =", layer_ids)
+
+ root_hashes := split(overlay_storage.options[1], ":")
+ print("allow_storages: root_hashes =", root_hashes)
+
+ every i_storage in i_storages {
+ allow_storage(p_storages, i_storage, bundle_id, sandbox_id, layer_ids, root_hashes)
+ }
+
+ print("allow_storages: true")
+}
+
+allow_storage(p_storages, i_storage, bundle_id, sandbox_id, layer_ids, root_hashes) {
+ some p_storage in p_storages
+
+ print("allow_storage: p_storage =", p_storage)
+ print("allow_storage: i_storage =", i_storage)
+
+ p_storage.driver == i_storage.driver
+ p_storage.driver_options == i_storage.driver_options
+ p_storage.fs_group == i_storage.fs_group
+
+ allow_storage_options(p_storage, i_storage, layer_ids, root_hashes)
+ allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids)
+
+ # TODO: validate the source field too.
+
+ print("allow_storage: true")
+}
+
+allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) {
+ print("allow_storage_options 1: start")
+
+ p_storage.driver != "overlayfs"
+ p_storage.options == i_storage.options
+
+ print("allow_storage_options 1: true")
+}
+allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) {
+ print("allow_storage_options 2: start")
+
+ p_storage.driver == "overlayfs"
+ count(p_storage.options) == 2
+
+ policy_ids := split(p_storage.options[0], ":")
+ print("allow_storage_options 2: policy_ids =", policy_ids)
+ policy_ids == layer_ids
+
+ policy_hashes := split(p_storage.options[1], ":")
+ print("allow_storage_options 2: policy_hashes =", policy_hashes)
+
+ p_count := count(policy_ids)
+ print("allow_storage_options 2: p_count =", p_count)
+ p_count >= 1
+ p_count == count(policy_hashes)
+
+ i_count := count(i_storage.options)
+ print("allow_storage_options 2: i_count =", i_count)
+ i_count == p_count + 3
+
+ print("allow_storage_options 2: i_storage.options[0] =", i_storage.options[0])
+ i_storage.options[0] == "io.katacontainers.fs-opt.layer-src-prefix=/var/lib/containerd/io.containerd.snapshotter.v1.tardev/layers"
+
+ print("allow_storage_options 2: i_storage.options[i_count - 2] =", i_storage.options[i_count - 2])
+ i_storage.options[i_count - 2] == "io.katacontainers.fs-opt.overlay-rw"
+
+ lowerdir := concat("=", ["lowerdir", p_storage.options[0]])
+ print("allow_storage_options 2: lowerdir =", lowerdir)
+
+ print("allow_storage_options 2: i_storage.options[i_count - 1] =", i_storage.options[i_count - 1])
+ i_storage.options[i_count - 1] == lowerdir
+
+ every i, policy_id in policy_ids {
+ allow_overlay_layer(policy_id, policy_hashes[i], i_storage.options[i + 1])
+ }
+
+ print("allow_storage_options 2: true")
+}
+allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) {
+ print("allow_storage_options 3: start")
+
+ p_storage.driver == "blk"
+ count(p_storage.options) == 1
+
+ startswith(p_storage.options[0], "$(hash")
+ hash_suffix := trim_left(p_storage.options[0], "$(hash")
+
+ endswith(hash_suffix, ")")
+ hash_index := trim_right(hash_suffix, ")")
+ i := to_number(hash_index)
+ print("allow_storage_options 3: i =", i)
+
+ hash_option := concat("=", ["io.katacontainers.fs-opt.root-hash", root_hashes[i]])
+ print("allow_storage_options 3: hash_option =", hash_option)
+
+ count(i_storage.options) == 4
+ i_storage.options[0] == "ro"
+ i_storage.options[1] == "io.katacontainers.fs-opt.block_device=file"
+ i_storage.options[2] == "io.katacontainers.fs-opt.is-layer"
+ i_storage.options[3] == hash_option
+
+ print("allow_storage_options 3: true")
+}
+allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) {
+ print("allow_storage_options 4: start")
+
+ p_storage.driver == "smb"
+ count(i_storage.options) == 8
+ i_storage.options[0] == "dir_mode=0666"
+ i_storage.options[1] == "file_mode=0666"
+ i_storage.options[2] == "mfsymlinks"
+ i_storage.options[3] == "cache=strict"
+ i_storage.options[4] == "nosharesock"
+ i_storage.options[5] == "actimeo=30"
+ startswith(i_storage.options[6], "addr=")
+ creds = split(i_storage.options[7], ",")
+ count(creds) == 2
+ startswith(creds[0], "username=")
+ startswith(creds[1], "password=")
+
+ print("allow_storage_options 4: true")
+}
+
+allow_overlay_layer(policy_id, policy_hash, i_option) {
+ print("allow_overlay_layer: policy_id =", policy_id, "policy_hash =", policy_hash)
+ print("allow_overlay_layer: i_option =", i_option)
+
+ startswith(i_option, "io.katacontainers.fs-opt.layer=")
+ i_value := replace(i_option, "io.katacontainers.fs-opt.layer=", "")
+ i_value_decoded := base64.decode(i_value)
+ print("allow_overlay_layer: i_value_decoded =", i_value_decoded)
+
+ policy_suffix := concat("=", ["tar,ro,io.katacontainers.fs-opt.block_device=file,io.katacontainers.fs-opt.is-layer,io.katacontainers.fs-opt.root-hash", policy_hash])
+ p_value := concat(",", [policy_id, policy_suffix])
+ print("allow_overlay_layer: p_value =", p_value)
+
+ p_value == i_value_decoded
+
+ print("allow_overlay_layer: true")
+}
+
+allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) {
+ p_storage.fstype == "tar"
+
+ startswith(p_storage.mount_point, "$(layer")
+ mount_suffix := trim_left(p_storage.mount_point, "$(layer")
+
+ endswith(mount_suffix, ")")
+ layer_index := trim_right(mount_suffix, ")")
+ i := to_number(layer_index)
+ print("allow_mount_point 1: i =", i)
+
+ layer_id := layer_ids[i]
+ print("allow_mount_point 1: layer_id =", layer_id)
+
+ p_mount := concat("/", ["/run/kata-containers/sandbox/layers", layer_id])
+ print("allow_mount_point 1: p_mount =", p_mount)
+
+ p_mount == i_storage.mount_point
+
+ print("allow_mount_point 1: true")
+}
+allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) {
+ p_storage.fstype == "fuse3.kata-overlay"
+
+ mount1 := replace(p_storage.mount_point, "$(cpath)", policy_data.common.cpath)
+ mount2 := replace(mount1, "$(bundle-id)", bundle_id)
+ print("allow_mount_point 2: mount2 =", mount2)
+
+ mount2 == i_storage.mount_point
+
+ print("allow_mount_point 2: true")
+}
+allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) {
+ p_storage.fstype == "local"
+
+ mount1 := p_storage.mount_point
+ print("allow_mount_point 3: mount1 =", mount1)
+
+ mount2 := replace(mount1, "$(cpath)", policy_data.common.cpath)
+ print("allow_mount_point 3: mount2 =", mount2)
+
+ mount3 := replace(mount2, "$(sandbox-id)", sandbox_id)
+ print("allow_mount_point 3: mount3 =", mount3)
+
+ regex.match(mount3, i_storage.mount_point)
+
+ print("allow_mount_point 3: true")
+}
+allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) {
+ p_storage.fstype == "bind"
+
+ mount1 := p_storage.mount_point
+ print("allow_mount_point 4: mount1 =", mount1)
+
+ mount2 := replace(mount1, "$(cpath)", policy_data.common.cpath)
+ print("allow_mount_point 4: mount2 =", mount2)
+
+ mount3 := replace(mount2, "$(bundle-id)", bundle_id)
+ print("allow_mount_point 4: mount3 =", mount3)
+
+ regex.match(mount3, i_storage.mount_point)
+
+ print("allow_mount_point 4: true")
+}
+allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) {
+ p_storage.fstype == "tmpfs"
+
+ mount1 := p_storage.mount_point
+ print("allow_mount_point 5: mount1 =", mount1)
+
+ regex.match(mount1, i_storage.mount_point)
+
+ print("allow_mount_point 5: true")
+}
+allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) {
+ print("allow_mount_point 6: i_storage.mount_point =", i_storage.mount_point)
+ allow_direct_vol_driver(p_storage, i_storage)
+
+ mount1 := p_storage.mount_point
+ print("allow_mount_point 6: mount1 =", mount1)
+
+ mount2 := replace(mount1, "$(spath)", policy_data.common.spath)
+ print("allow_mount_point 6: mount2 =", mount2)
+
+ direct_vol_path := i_storage.source
+ mount3 := replace(mount2, "$(b64-direct-vol-path)", base64url.encode(direct_vol_path))
+ print("allow_mount_point 6: mount3 =", mount3)
+
+ mount3 == i_storage.mount_point
+
+ print("allow_mount_point 6: true")
+}
+
+allow_direct_vol_driver(p_storage, i_storage) {
+ print("allow_direct_vol_driver 1: start")
+ p_storage.driver == "blk"
+ print("allow_direct_vol_driver 1: true")
+}
+allow_direct_vol_driver(p_storage, i_storage) {
+ print("allow_direct_vol_driver 2: start")
+ p_storage.driver == "smb"
+ print("allow_direct_vol_driver 2: true")
+}
+
+# process.Capabilities
+allow_caps(p_caps, i_caps) {
+ print("allow_caps: policy Ambient =", p_caps.Ambient)
+ print("allow_caps: input Ambient =", i_caps.Ambient)
+ match_caps(p_caps.Ambient, i_caps.Ambient)
+
+ print("allow_caps: policy Bounding =", p_caps.Bounding)
+ print("allow_caps: input Bounding =", i_caps.Bounding)
+ match_caps(p_caps.Bounding, i_caps.Bounding)
+
+ print("allow_caps: policy Effective =", p_caps.Effective)
+ print("allow_caps: input Effective =", i_caps.Effective)
+ match_caps(p_caps.Effective, i_caps.Effective)
+
+ print("allow_caps: policy Inheritable =", p_caps.Inheritable)
+ print("allow_caps: input Inheritable =", i_caps.Inheritable)
+ match_caps(p_caps.Inheritable, i_caps.Inheritable)
+
+ print("allow_caps: policy Permitted =", p_caps.Permitted)
+ print("allow_caps: input Permitted =", i_caps.Permitted)
+ match_caps(p_caps.Permitted, i_caps.Permitted)
+}
+
+match_caps(p_caps, i_caps) {
+ print("match_caps 1: start")
+
+ p_caps == i_caps
+
+ print("match_caps 1: true")
+}
+match_caps(p_caps, i_caps) {
+ print("match_caps 2: start")
+
+ count(p_caps) == 1
+ p_caps[0] == "$(default_caps)"
+
+ print("match_caps 2: default_caps =", policy_data.common.default_caps)
+ policy_data.common.default_caps == i_caps
+
+ print("match_caps 2: true")
+}
+match_caps(p_caps, i_caps) {
+ print("match_caps 3: start")
+
+ count(p_caps) == 1
+ p_caps[0] == "$(privileged_caps)"
+
+ print("match_caps 3: privileged_caps =", policy_data.common.privileged_caps)
+ policy_data.common.privileged_caps == i_caps
+
+ print("match_caps 3: true")
+}
+
+######################################################################
+check_directory_traversal(i_path) {
+ contains(i_path, "../") == false
+ endswith(i_path, "/..") == false
+ i_path != ".."
+}
+
+check_symlink_source {
+ # TODO: delete this rule once the symlink_src field gets implemented
+ # by all/most Guest VMs.
+
+ not input.symlink_src
+}
+check_symlink_source {
+ i_src := input.symlink_src
+ print("check_symlink_source: i_src =", i_src)
+
+ startswith(i_src, "/") == false
+ check_directory_traversal(i_src)
+}
+
+allow_sandbox_storages(i_storages) {
+ print("allow_sandbox_storages: i_storages =", i_storages)
+
+ p_storages := policy_data.sandbox.storages
+ every i_storage in i_storages {
+ allow_sandbox_storage(p_storages, i_storage)
+ }
+
+ print("allow_sandbox_storages: true")
+}
+
+allow_sandbox_storage(p_storages, i_storage) {
+ print("allow_sandbox_storage: i_storage =", i_storage)
+
+ some p_storage in p_storages
+ print("allow_sandbox_storage: p_storage =", p_storage)
+ i_storage == p_storage
+
+ print("allow_sandbox_storage: true")
+}
+
+CopyFileRequest {
+ print("CopyFileRequest: input.path =", input.path)
+
+ check_symlink_source
+ check_directory_traversal(input.path)
+
+ some regex1 in policy_data.request_defaults.CopyFileRequest
+ regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix)
+ regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath)
+ regex4 := replace(regex3, "$(bundle-id)", "[a-z0-9]{64}")
+ print("CopyFileRequest: regex4 =", regex4)
+
+ regex.match(regex4, input.path)
+
+ print("CopyFileRequest: true")
+}
+
+CreateSandboxRequest {
+ print("CreateSandboxRequest: input.guest_hook_path =", input.guest_hook_path)
+ count(input.guest_hook_path) == 0
+
+ print("CreateSandboxRequest: input.kernel_modules =", input.kernel_modules)
+ count(input.kernel_modules) == 0
+
+ i_pidns := input.sandbox_pidns
+ print("CreateSandboxRequest: i_pidns =", i_pidns)
+ i_pidns == false
+
+ allow_sandbox_storages(input.storages)
+}
+
+ExecProcessRequest {
+ print("ExecProcessRequest 1: input =", input)
+
+ i_command = concat(" ", input.process.Args)
+ print("ExecProcessRequest 1: i_command =", i_command)
+
+ some p_command in policy_data.request_defaults.ExecProcessRequest.commands
+ print("ExecProcessRequest 1: p_command =", p_command)
+ p_command == i_command
+
+ print("ExecProcessRequest 1: true")
+}
+ExecProcessRequest {
+ print("ExecProcessRequest 2: input =", input)
+
+ # TODO: match input container ID with its corresponding container.exec_commands.
+ i_command = concat(" ", input.process.Args)
+ print("ExecProcessRequest 3: i_command =", i_command)
+
+ some container in policy_data.containers
+ some p_command in container.exec_commands
+ print("ExecProcessRequest 2: p_command =", p_command)
+
+ # TODO: should other input data fields be validated as well?
+ p_command == i_command
+
+ print("ExecProcessRequest 2: true")
+}
+ExecProcessRequest {
+ print("ExecProcessRequest 3: input =", input)
+
+ i_command = concat(" ", input.process.Args)
+ print("ExecProcessRequest 3: i_command =", i_command)
+
+ some p_regex in policy_data.request_defaults.ExecProcessRequest.regex
+ print("ExecProcessRequest 3: p_regex =", p_regex)
+
+ regex.match(p_regex, i_command)
+
+ print("ExecProcessRequest 3: true")
+}
+
+CloseStdinRequest {
+ policy_data.request_defaults.CloseStdinRequest == true
+}
+
+ReadStreamRequest {
+ policy_data.request_defaults.ReadStreamRequest == true
+}
+
+UpdateEphemeralMountsRequest {
+ policy_data.request_defaults.UpdateEphemeralMountsRequest == true
+}
+
+WriteStreamRequest {
+ policy_data.request_defaults.WriteStreamRequest == true
+}
+
+policy_data := {
+ "containers": [
+ {
+ "OCI": {
+ "Version": "1.1.0-rc.1",
+ "Process": {
+ "Terminal": false,
+ "User": {
+ "UID": 65535,
+ "GID": 65535,
+ "AdditionalGids": [],
+ "Username": ""
+ },
+ "Args": [
+ "/pause"
+ ],
+ "Env": [
+ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+ ],
+ "Cwd": "/",
+ "Capabilities": {
+ "Ambient": [],
+ "Bounding": [
+ "$(default_caps)"
+ ],
+ "Effective": [
+ "$(default_caps)"
+ ],
+ "Inheritable": [],
+ "Permitted": [
+ "$(default_caps)"
+ ]
+ },
+ "NoNewPrivileges": true
+ },
+ "Root": {
+ "Path": "$(cpath)/$(bundle-id)",
+ "Readonly": true
+ },
+ "Mounts": [
+ {
+ "destination": "/proc",
+
"source": "proc", + "type_": "proc", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/dev", + "source": "tmpfs", + "type_": "tmpfs", + "options": [ + "nosuid", + "strictatime", + "mode=755", + "size=65536k" + ] + }, + { + "destination": "/dev/pts", + "source": "devpts", + "type_": "devpts", + "options": [ + "nosuid", + "noexec", + "newinstance", + "ptmxmode=0666", + "mode=0620", + "gid=5" + ] + }, + { + "destination": "/dev/shm", + "source": "/run/kata-containers/sandbox/shm", + "type_": "bind", + "options": [ + "rbind" + ] + }, + { + "destination": "/dev/mqueue", + "source": "mqueue", + "type_": "mqueue", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/sys", + "source": "sysfs", + "type_": "sysfs", + "options": [ + "nosuid", + "noexec", + "nodev", + "ro" + ] + }, + { + "destination": "/etc/resolv.conf", + "source": "$(sfprefix)resolv.conf$", + "type_": "bind", + "options": [ + "rbind", + "ro", + "nosuid", + "nodev", + "noexec" + ] + } + ], + "Annotations": { + "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/$(bundle-id)", + "io.katacontainers.pkg.oci.container_type": "pod_sandbox", + "io.kubernetes.cri.container-type": "sandbox", + "io.kubernetes.cri.sandbox-id": "^[a-z0-9]{64}$", + "io.kubernetes.cri.sandbox-log-directory": "^/var/log/pods/$(sandbox-namespace)_$(sandbox-name)_[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "io.kubernetes.cri.sandbox-name": "many-layers", + "io.kubernetes.cri.sandbox-namespace": "default", + "nerdctl/network-namespace": "^/var/run/netns/cni-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$" + }, + "Linux": { + "Namespaces": [ + { + "Type": "ipc", + "Path": "" + }, + { + "Type": "uts", + "Path": "" + }, + { + "Type": "mount", + "Path": "" + } + ], + "MaskedPaths": [ + "/proc/acpi", + "/proc/asound", + "/proc/kcore", + "/proc/keys", + "/proc/latency_stats", + "/proc/timer_list", + 
"/proc/timer_stats", + "/proc/sched_debug", + "/sys/firmware", + "/proc/scsi" + ], + "ReadonlyPaths": [ + "/proc/bus", + "/proc/fs", + "/proc/irq", + "/proc/sys", + "/proc/sysrq-trigger" + ] + } + }, + "storages": [ + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash0)" + ], + "mount_point": "$(layer0)", + "fs_group": null + }, + { + "driver": "overlayfs", + "driver_options": [], + "source": "", + "fstype": "fuse3.kata-overlay", + "options": [ + "5a5aad80055ff20012a50dc25f8df7a29924474324d65f7d5306ee8ee27ff71d", + "817250f1a3e336da76f5bd3fa784e1b26d959b9c131876815ba2604048b70c18" + ], + "mount_point": "$(cpath)/$(bundle-id)", + "fs_group": null + } + ], + "sandbox_pidns": false, + "exec_commands": [] + }, + { + "OCI": { + "Version": "1.1.0-rc.1", + "Process": { + "Terminal": false, + "User": { + "UID": 0, + "GID": 0, + "AdditionalGids": [], + "Username": "" + }, + "Args": [ + "sh", + "-c", + "while true; do echo go; sleep 25; done" + ], + "Env": [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", + "container=docker", + "HOSTNAME=$(host-name)" + ], + "Cwd": "/", + "Capabilities": { + "Ambient": [], + "Bounding": [ + "$(default_caps)" + ], + "Effective": [ + "$(default_caps)" + ], + "Inheritable": [], + "Permitted": [ + "$(default_caps)" + ] + }, + "NoNewPrivileges": false + }, + "Root": { + "Path": "$(cpath)/$(bundle-id)", + "Readonly": false + }, + "Mounts": [ + { + "destination": "/proc", + "source": "proc", + "type_": "proc", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/dev", + "source": "tmpfs", + "type_": "tmpfs", + "options": [ + "nosuid", + "strictatime", + "mode=755", + "size=65536k" + ] + }, + { + "destination": "/dev/pts", + "source": "devpts", + "type_": "devpts", + "options": [ + "nosuid", + "noexec", + "newinstance", + "ptmxmode=0666", + "mode=0620", + "gid=5" + ] + }, + { + "destination": "/dev/shm", + "source": 
"/run/kata-containers/sandbox/shm", + "type_": "bind", + "options": [ + "rbind" + ] + }, + { + "destination": "/dev/mqueue", + "source": "mqueue", + "type_": "mqueue", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/sys", + "source": "sysfs", + "type_": "sysfs", + "options": [ + "nosuid", + "noexec", + "nodev", + "ro" + ] + }, + { + "destination": "/sys/fs/cgroup", + "source": "cgroup", + "type_": "cgroup", + "options": [ + "nosuid", + "noexec", + "nodev", + "relatime", + "ro" + ] + }, + { + "destination": "/etc/hosts", + "source": "$(sfprefix)hosts$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/dev/termination-log", + "source": "$(sfprefix)termination-log$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/etc/hostname", + "source": "$(sfprefix)hostname$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/etc/resolv.conf", + "source": "$(sfprefix)resolv.conf$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/var/run/secrets/kubernetes.io/serviceaccount", + "source": "$(sfprefix)serviceaccount$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "ro" + ] + }, + { + "destination": "/var/run/secrets/azure/tokens", + "source": "$(sfprefix)tokens$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "ro" + ] + } + ], + "Annotations": { + "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/$(bundle-id)", + "io.katacontainers.pkg.oci.container_type": "pod_container", + "io.kubernetes.cri.container-name": "footloose", + "io.kubernetes.cri.container-type": "container", + "io.kubernetes.cri.image-name": "quay.io/footloose/ubuntu18.04:latest", + "io.kubernetes.cri.sandbox-id": "^[a-z0-9]{64}$", + "io.kubernetes.cri.sandbox-name": "many-layers", + 
"io.kubernetes.cri.sandbox-namespace": "default" + }, + "Linux": { + "Namespaces": [ + { + "Type": "ipc", + "Path": "" + }, + { + "Type": "uts", + "Path": "" + }, + { + "Type": "mount", + "Path": "" + } + ], + "MaskedPaths": [ + "/proc/acpi", + "/proc/kcore", + "/proc/keys", + "/proc/latency_stats", + "/proc/timer_list", + "/proc/timer_stats", + "/proc/sched_debug", + "/proc/scsi", + "/sys/firmware" + ], + "ReadonlyPaths": [ + "/proc/asound", + "/proc/bus", + "/proc/fs", + "/proc/irq", + "/proc/sys", + "/proc/sysrq-trigger" + ] + } + }, + "storages": [ + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash0)" + ], + "mount_point": "$(layer0)", + "fs_group": null + }, + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash1)" + ], + "mount_point": "$(layer1)", + "fs_group": null + }, + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash2)" + ], + "mount_point": "$(layer2)", + "fs_group": null + }, + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash3)" + ], + "mount_point": "$(layer3)", + "fs_group": null + }, + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash4)" + ], + "mount_point": "$(layer4)", + "fs_group": null + }, + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash5)" + ], + "mount_point": "$(layer5)", + "fs_group": null + }, + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash6)" + ], + "mount_point": "$(layer6)", + "fs_group": null + }, + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash7)" + ], + "mount_point": "$(layer7)", + "fs_group": null + }, + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + 
"options": [ + "$(hash8)" + ], + "mount_point": "$(layer8)", + "fs_group": null + }, + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash9)" + ], + "mount_point": "$(layer9)", + "fs_group": null + }, + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash10)" + ], + "mount_point": "$(layer10)", + "fs_group": null + }, + { + "driver": "overlayfs", + "driver_options": [], + "source": "", + "fstype": "fuse3.kata-overlay", + "options": [ + "6f8ed2960df688b90d415d83d25db2a7898f795282fb2d35ba1f1b7d0892d157:0e3938da647a18478be0c2f886aba00570e0a5d071f9d797df38d7909ec64834:6b387fe5995a4c5e4207c4df19365de347e03b6c9eec3e9a04a3dd18e19b5537:fb17bf62204049b2dfc0344e475f8e1a1f50a751b5fbacbd75a24afac345d63c:53534f6f912aa54954b594fb585a829758a23588aef53a36b92ad37d43c866de:c2682a09e83d6186bfbbf0142927274b49057815b69d86ec4a8d3428720f8575:888056d803692cb662c9a0b85ba90942e52467b614d76340f55bc9d816e19963:c61c79f5319ddbc34f8cf6e93c246badae11498e5e63628397423dd14cd6400a:544cd46ddeaedf7beffa91ae102418c04473d8cf79ad52273463094354d9bd15:282626d5a417c60820f429e6d4d77dc7fe3a51d2f4b1851fb037821ad1ebaefe:a6e1effed45cb3c707445cdddd05335b050f1f3fcf6169e057f12b07b4db666e", + "942b444ce1728ac0eb515e7b0026d06f3106b1f601ffda662e21d12abdf1833b:f976d00359d14e60a13380ea863a4ea15ba1a8bc673ad1c71f7d17060f8f7d16:60d07e5beb16c6830a7add7c65d4dc32f001c865969b92b4b6c270dc3f87fa68:328a1dfa90d3e02d637333005a57dab23984a0007bfedc4ba0d84acf81833257:5e65e33ce145509a7238a23d6ac6b17105b272f1fb0396482cb3fa02ec2b25c8:d753cf6af2b7eeff3e41b307cb50d4a7c7f6002fb77b6f165e010d7bd5f96291:a25ed7d1aa7a682fab7f2116c86a43dc0c09cde626a4e47b374283106c9ae06b:c0d7666f113e39a4c7bfd98086fe189d7e3e95d47e6e4d62d65efcaf7dca099e:7d4d932cb36b54fee794b8397a940f81fd235da28bc1533975845fd811f1e831:ff1c81a00214ae520833dbb3bfd5ceaa1e14f29c62fe699668dfa40fbf6c2816:7d04382685de3f27c7d9db678a023db6a3b4377e4f7efd9e5cbde856f46b154a" + ], + 
"mount_point": "$(cpath)/$(bundle-id)", + "fs_group": null + } + ], + "sandbox_pidns": false, + "exec_commands": [] + }, + { + "OCI": { + "Version": "1.1.0-rc.1", + "Process": { + "Terminal": false, + "User": { + "UID": 0, + "GID": 0, + "AdditionalGids": [], + "Username": "" + }, + "Args": [ + "sh", + "-c", + "while true; do echo go; sleep 25; done" + ], + "Env": [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", + "container=docker", + "HOSTNAME=$(host-name)" + ], + "Cwd": "/", + "Capabilities": { + "Ambient": [], + "Bounding": [ + "$(default_caps)" + ], + "Effective": [ + "$(default_caps)" + ], + "Inheritable": [], + "Permitted": [ + "$(default_caps)" + ] + }, + "NoNewPrivileges": false + }, + "Root": { + "Path": "$(cpath)/$(bundle-id)", + "Readonly": false + }, + "Mounts": [ + { + "destination": "/proc", + "source": "proc", + "type_": "proc", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/dev", + "source": "tmpfs", + "type_": "tmpfs", + "options": [ + "nosuid", + "strictatime", + "mode=755", + "size=65536k" + ] + }, + { + "destination": "/dev/pts", + "source": "devpts", + "type_": "devpts", + "options": [ + "nosuid", + "noexec", + "newinstance", + "ptmxmode=0666", + "mode=0620", + "gid=5" + ] + }, + { + "destination": "/dev/shm", + "source": "/run/kata-containers/sandbox/shm", + "type_": "bind", + "options": [ + "rbind" + ] + }, + { + "destination": "/dev/mqueue", + "source": "mqueue", + "type_": "mqueue", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/sys", + "source": "sysfs", + "type_": "sysfs", + "options": [ + "nosuid", + "noexec", + "nodev", + "ro" + ] + }, + { + "destination": "/sys/fs/cgroup", + "source": "cgroup", + "type_": "cgroup", + "options": [ + "nosuid", + "noexec", + "nodev", + "relatime", + "ro" + ] + }, + { + "destination": "/etc/hosts", + "source": "$(sfprefix)hosts$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + 
"destination": "/dev/termination-log", + "source": "$(sfprefix)termination-log$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/etc/hostname", + "source": "$(sfprefix)hostname$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/etc/resolv.conf", + "source": "$(sfprefix)resolv.conf$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/var/run/secrets/kubernetes.io/serviceaccount", + "source": "$(sfprefix)serviceaccount$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "ro" + ] + }, + { + "destination": "/var/run/secrets/azure/tokens", + "source": "$(sfprefix)tokens$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "ro" + ] + } + ], + "Annotations": { + "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/$(bundle-id)", + "io.katacontainers.pkg.oci.container_type": "pod_container", + "io.kubernetes.cri.container-name": "bootloose", + "io.kubernetes.cri.container-type": "container", + "io.kubernetes.cri.image-name": "quay.io/k0sproject/bootloose-ubuntu22.04:latest", + "io.kubernetes.cri.sandbox-id": "^[a-z0-9]{64}$", + "io.kubernetes.cri.sandbox-name": "many-layers", + "io.kubernetes.cri.sandbox-namespace": "default" + }, + "Linux": { + "Namespaces": [ + { + "Type": "ipc", + "Path": "" + }, + { + "Type": "uts", + "Path": "" + }, + { + "Type": "mount", + "Path": "" + } + ], + "MaskedPaths": [ + "/proc/acpi", + "/proc/kcore", + "/proc/keys", + "/proc/latency_stats", + "/proc/timer_list", + "/proc/timer_stats", + "/proc/sched_debug", + "/proc/scsi", + "/sys/firmware" + ], + "ReadonlyPaths": [ + "/proc/asound", + "/proc/bus", + "/proc/fs", + "/proc/irq", + "/proc/sys", + "/proc/sysrq-trigger" + ] + } + }, + "storages": [ + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash0)" + ], + "mount_point": 
"$(layer0)", + "fs_group": null + }, + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash1)" + ], + "mount_point": "$(layer1)", + "fs_group": null + }, + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash2)" + ], + "mount_point": "$(layer2)", + "fs_group": null + }, + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash3)" + ], + "mount_point": "$(layer3)", + "fs_group": null + }, + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash4)" + ], + "mount_point": "$(layer4)", + "fs_group": null + }, + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash5)" + ], + "mount_point": "$(layer5)", + "fs_group": null + }, + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash6)" + ], + "mount_point": "$(layer6)", + "fs_group": null + }, + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash7)" + ], + "mount_point": "$(layer7)", + "fs_group": null + }, + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash8)" + ], + "mount_point": "$(layer8)", + "fs_group": null + }, + { + "driver": "overlayfs", + "driver_options": [], + "source": "", + "fstype": "fuse3.kata-overlay", + "options": [ + 
"aa8443e1e4be0894f996cac03f8e9af59cbe6546f1ba34ae4cec7ad145764a7c:97d7611f7154f1352f6cbfe8a8d04c87b0a2777a3b19ccd843a607c662078950:6d3d050378d25aafc709cb424a9cc3eb7987c32d8dcc4a9de6e132e40af6e8d6:4febaf828ef36b382723b60b78dc5e67df97e985fd66020198559a4f68673ef5:a2807c015eb08c112c2b000612f4eab984c99bbd0b5a4ce395b40122c72c0127:75071c3a113cec24136e847c1e3f0c2da8d44a5dd77a376d421f725b91b39c3e:5b630283da49d0dae2eef07df3a7cc7ac371dc90d48c107be14074a3410e99f8:b34c6dd00f957143d3f34af0beeb03b19478ad825ea90d7d187b74ae8194115e:52e85e953143bbf2ebf32b23bbeee579984acf41b9ce2924a679ca5d9d8eb1b8", + "95a62b4104926d605106d45297d54efefbc0aebc7b1e958d6fb34cd906a8480e:ab081115d88966ec7e0d95b41f2efe68b072a0a434c64701ece088026bb56067:5defa6be35bd183a5e1815ae621ecc72faae9b056310a93dbd4df2776b7d31d3:b0aad4ec3e3a7d6ed6f32d24845d92bc590f29e22f23e75bc509504791c7511c:95cf9b40e3649a2fc26e83b298ad651e49587e8d3432787812b50c916536b41e:b5178dce91914b8ff55b109e2b39d6eca6ca332b1c921e086e1a5ca06e70155b:a09eb427481e44591bd9a87cfe4b6ca733cbf337c38738944449424ac8b76999:b3a49e775f42e9fe066200d68ab832058cf463bc215097ad9fd5a80533280a1b:baa7f107b781d10c5456c86a482aa946ec907186658bf24f2f231454e4830046" + ], + "mount_point": "$(cpath)/$(bundle-id)", + "fs_group": null + } + ], + "sandbox_pidns": false, + "exec_commands": [] + }, + { + "OCI": { + "Version": "1.1.0-rc.1", + "Process": { + "Terminal": false, + "User": { + "UID": 0, + "GID": 0, + "AdditionalGids": [], + "Username": "" + }, + "Args": [ + "sh", + "-c", + "while true; do echo nginx; sleep 10; done" + ], + "Env": [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", + "HOSTNAME=$(host-name)" + ], + "Cwd": "/", + "Capabilities": { + "Ambient": [], + "Bounding": [ + "$(default_caps)" + ], + "Effective": [ + "$(default_caps)" + ], + "Inheritable": [], + "Permitted": [ + "$(default_caps)" + ] + }, + "NoNewPrivileges": false + }, + "Root": { + "Path": "$(cpath)/$(bundle-id)", + "Readonly": false + }, + "Mounts": [ + { + "destination": 
"/proc", + "source": "proc", + "type_": "proc", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/dev", + "source": "tmpfs", + "type_": "tmpfs", + "options": [ + "nosuid", + "strictatime", + "mode=755", + "size=65536k" + ] + }, + { + "destination": "/dev/pts", + "source": "devpts", + "type_": "devpts", + "options": [ + "nosuid", + "noexec", + "newinstance", + "ptmxmode=0666", + "mode=0620", + "gid=5" + ] + }, + { + "destination": "/dev/shm", + "source": "/run/kata-containers/sandbox/shm", + "type_": "bind", + "options": [ + "rbind" + ] + }, + { + "destination": "/dev/mqueue", + "source": "mqueue", + "type_": "mqueue", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/sys", + "source": "sysfs", + "type_": "sysfs", + "options": [ + "nosuid", + "noexec", + "nodev", + "ro" + ] + }, + { + "destination": "/sys/fs/cgroup", + "source": "cgroup", + "type_": "cgroup", + "options": [ + "nosuid", + "noexec", + "nodev", + "relatime", + "ro" + ] + }, + { + "destination": "/etc/hosts", + "source": "$(sfprefix)hosts$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/dev/termination-log", + "source": "$(sfprefix)termination-log$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/etc/hostname", + "source": "$(sfprefix)hostname$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/etc/resolv.conf", + "source": "$(sfprefix)resolv.conf$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/var/run/secrets/kubernetes.io/serviceaccount", + "source": "$(sfprefix)serviceaccount$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "ro" + ] + }, + { + "destination": "/var/run/secrets/azure/tokens", + "source": "$(sfprefix)tokens$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "ro" + ] + } + ], + "Annotations": { + 
"io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/$(bundle-id)", + "io.katacontainers.pkg.oci.container_type": "pod_container", + "io.kubernetes.cri.container-name": "nginx", + "io.kubernetes.cri.container-type": "container", + "io.kubernetes.cri.image-name": "mcr.microsoft.com/cbl-mariner/base/nginx:1.22.1-9-cm2.0.20230904-amd64", + "io.kubernetes.cri.sandbox-id": "^[a-z0-9]{64}$", + "io.kubernetes.cri.sandbox-name": "many-layers", + "io.kubernetes.cri.sandbox-namespace": "default" + }, + "Linux": { + "Namespaces": [ + { + "Type": "ipc", + "Path": "" + }, + { + "Type": "uts", + "Path": "" + }, + { + "Type": "mount", + "Path": "" + } + ], + "MaskedPaths": [ + "/proc/acpi", + "/proc/kcore", + "/proc/keys", + "/proc/latency_stats", + "/proc/timer_list", + "/proc/timer_stats", + "/proc/sched_debug", + "/proc/scsi", + "/sys/firmware" + ], + "ReadonlyPaths": [ + "/proc/asound", + "/proc/bus", + "/proc/fs", + "/proc/irq", + "/proc/sys", + "/proc/sysrq-trigger" + ] + } + }, + "storages": [ + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash0)" + ], + "mount_point": "$(layer0)", + "fs_group": null + }, + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash1)" + ], + "mount_point": "$(layer1)", + "fs_group": null + }, + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash2)" + ], + "mount_point": "$(layer2)", + "fs_group": null + }, + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash3)" + ], + "mount_point": "$(layer3)", + "fs_group": null + }, + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash4)" + ], + "mount_point": "$(layer4)", + "fs_group": null + }, + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash5)" + 
], + "mount_point": "$(layer5)", + "fs_group": null + }, + { + "driver": "overlayfs", + "driver_options": [], + "source": "", + "fstype": "fuse3.kata-overlay", + "options": [ + "1b27bec068016fce230a3c9f4920d3be7251e5baada7dca3204a932cbcde27e2:c8295c80a79c2ed76e03ddb2af390ac3791b8779da798cb183fa985ce5cee1dc:cfb9fe97a1869ee9b0daae3d8cd59720cf371da568a6c14bba16d982e7092983:14f395647869a88f90a33eef50c97e82f4b981b6e20a584d51bf304967b8542c:fc7dd8614820bbafe5b6b6645e19945b4af989b662c989fd46c465fafca702f7:8d311e8e51984cabaccec1fbfcbcdd7bf52a8a978169cd20af07bbd1c3a4692a", + "073dba7831293107f8873eedabf4922d16a506086f6f46b19b4c2386831c3106:ed0feae4f4dccb686628963b1f1f5dae7b3e015c881e72f005ff2f99c649457e:d138152b660d2dbcc5082afae58edb1bf0ee5742b91933a2f61664b847b23281:1d69eaf5c5c25731e9a8ebb038c942f6aa6aff5b15b11d8bd44431e514ccd69f:1eb4bff8040a86c514815a039f6cb4d7aa4c5f1b7a2e1a45f6f86ca8c770ffff:e928fff98ddea2d26dbba075605770bd6f6ef068c975289b49acb3d55030d071" + ], + "mount_point": "$(cpath)/$(bundle-id)", + "fs_group": null + } + ], + "sandbox_pidns": false, + "exec_commands": [] + }, + { + "OCI": { + "Version": "1.1.0-rc.1", + "Process": { + "Terminal": false, + "User": { + "UID": 0, + "GID": 0, + "AdditionalGids": [], + "Username": "" + }, + "Args": [ + "sh", + "-c", + "while true; do echo python; sleep 15; done" + ], + "Env": [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", + "DEBIAN_FRONTEND=noninteractive", + "LANG=en_US.UTF-8", + "LANGUAGE=en_US:UTF-8", + "LC_ALL=en_US.UTF-8", + "PYTHON_MAJOR=3.3", + "PYTHON_VERSION=3.3.6-4+xenial1", + "PYTHONIOENCODING=UTF-8", + "HOSTNAME=$(host-name)" + ], + "Cwd": "/", + "Capabilities": { + "Ambient": [], + "Bounding": [ + "$(default_caps)" + ], + "Effective": [ + "$(default_caps)" + ], + "Inheritable": [], + "Permitted": [ + "$(default_caps)" + ] + }, + "NoNewPrivileges": false + }, + "Root": { + "Path": "$(cpath)/$(bundle-id)", + "Readonly": false + }, + "Mounts": [ + { + "destination": "/proc", + "source": 
"proc", + "type_": "proc", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/dev", + "source": "tmpfs", + "type_": "tmpfs", + "options": [ + "nosuid", + "strictatime", + "mode=755", + "size=65536k" + ] + }, + { + "destination": "/dev/pts", + "source": "devpts", + "type_": "devpts", + "options": [ + "nosuid", + "noexec", + "newinstance", + "ptmxmode=0666", + "mode=0620", + "gid=5" + ] + }, + { + "destination": "/dev/shm", + "source": "/run/kata-containers/sandbox/shm", + "type_": "bind", + "options": [ + "rbind" + ] + }, + { + "destination": "/dev/mqueue", + "source": "mqueue", + "type_": "mqueue", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/sys", + "source": "sysfs", + "type_": "sysfs", + "options": [ + "nosuid", + "noexec", + "nodev", + "ro" + ] + }, + { + "destination": "/sys/fs/cgroup", + "source": "cgroup", + "type_": "cgroup", + "options": [ + "nosuid", + "noexec", + "nodev", + "relatime", + "ro" + ] + }, + { + "destination": "/etc/hosts", + "source": "$(sfprefix)hosts$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/dev/termination-log", + "source": "$(sfprefix)termination-log$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/etc/hostname", + "source": "$(sfprefix)hostname$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/etc/resolv.conf", + "source": "$(sfprefix)resolv.conf$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/var/run/secrets/kubernetes.io/serviceaccount", + "source": "$(sfprefix)serviceaccount$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "ro" + ] + }, + { + "destination": "/var/run/secrets/azure/tokens", + "source": "$(sfprefix)tokens$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "ro" + ] + } + ], + "Annotations": { + 
"io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/$(bundle-id)", + "io.katacontainers.pkg.oci.container_type": "pod_container", + "io.kubernetes.cri.container-name": "python", + "io.kubernetes.cri.container-type": "container", + "io.kubernetes.cri.image-name": "quay.io/baselibrary/python:latest", + "io.kubernetes.cri.sandbox-id": "^[a-z0-9]{64}$", + "io.kubernetes.cri.sandbox-name": "many-layers", + "io.kubernetes.cri.sandbox-namespace": "default" + }, + "Linux": { + "Namespaces": [ + { + "Type": "ipc", + "Path": "" + }, + { + "Type": "uts", + "Path": "" + }, + { + "Type": "mount", + "Path": "" + } + ], + "MaskedPaths": [ + "/proc/acpi", + "/proc/kcore", + "/proc/keys", + "/proc/latency_stats", + "/proc/timer_list", + "/proc/timer_stats", + "/proc/sched_debug", + "/proc/scsi", + "/sys/firmware" + ], + "ReadonlyPaths": [ + "/proc/asound", + "/proc/bus", + "/proc/fs", + "/proc/irq", + "/proc/sys", + "/proc/sysrq-trigger" + ] + } + }, + "storages": [ + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash0)" + ], + "mount_point": "$(layer0)", + "fs_group": null + }, + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash1)" + ], + "mount_point": "$(layer1)", + "fs_group": null + }, + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash2)" + ], + "mount_point": "$(layer2)", + "fs_group": null + }, + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash3)" + ], + "mount_point": "$(layer3)", + "fs_group": null + }, + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash4)" + ], + "mount_point": "$(layer4)", + "fs_group": null + }, + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash5)" + ], + "mount_point": "$(layer5)", + 
"fs_group": null + }, + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash6)" + ], + "mount_point": "$(layer6)", + "fs_group": null + }, + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash7)" + ], + "mount_point": "$(layer7)", + "fs_group": null + }, + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash8)" + ], + "mount_point": "$(layer8)", + "fs_group": null + }, + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash9)" + ], + "mount_point": "$(layer9)", + "fs_group": null + }, + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash10)" + ], + "mount_point": "$(layer10)", + "fs_group": null + }, + { + "driver": "overlayfs", + "driver_options": [], + "source": "", + "fstype": "fuse3.kata-overlay", + "options": [ + "0dd98e3e6ded8d0be40d376f7a7c01cb7792c6c8ef878ee9477a6f8fb9ddfa56:fac0b506b77176cb285eaadc33a2ea6274393227b117b9b9a6308a0ba7e8dba6:cdc8b889107d71c76d6a19e8a14e9ef7474ad2b8e92fece4e1b45d71595995b5:3961d40e11473d8c5f93acb4f75853be0e99cde331a0f5e976ff2b42f9fdacef:a930e6a3bad1e3c4273efacfebe109ede6f95183d00ad07203954f9c1a82ee12:0fd7a4bd1c2edc7a543ab3fe5e20abaeea6b8a4e41615a21c4d41b775538799a:0fe73c7dfe84bc931bb7a963139264fae6dd6fe515be77e839d713dc7a047815:ae6e78946fb64d4209a67cf081079aaa700edbf91fa505f0f43535d4dfd24764:d02c3d771c7fc6a6b2a92159b9bd32e6da0c9c13983a01018400acc90fc3169e:38379b8565e0e3cb1dd23f377c83226bde7f7ea671c73acd8f18f2b00788b5ef:329464327f97a7da572e609aa00ed988b5ebffc1537f8b8a0e330d36f055df01", + 
"b29ba7302d7fc8ab1539ea28062e5793955cdc59f7352942928d4c7ab33e52ae:b4a7963727aa96024dc5c5b3f28b66803f4626f6506b58ee9fd49ff108aab822:e7387f83726b29f52ef463f5744222ba05e2d47997447858764e53a864a6764d:7a80e71d6d90a50ddf8e9f99141686e4609f0b47550ef74ff353624d2642db98:c8db6d3fd3aaa8f9d0ce5ca8c71f5e387e17f1a6a643f5fed9a4cae1223d21cd:f3264c3b7b9a8f5162e75efb16c55ea4b8357f7f64ad9f9afaacdbf2a47f35a5:7f65f0b17878c3551a8c93f276ab4877141b4ef41ddc3d2e2b1ac62b424488d0:f5dda5084b20faa0369db54a9e89693cb6b7e98979bb66fc5b3a851cfbbdf0e3:8edba1283e614d6bdc8d39198ab29b8c624b95d8ecd3e811afbffb40bc8737cf:6aea5b3ddfab821031500c5e28949128f02dd7056e097347d8dfc42869100904:629670d9bb1e00e62d92bddb1ae206048cc2de23419c0f87e3f97622b9b0db20" + ], + "mount_point": "$(cpath)/$(bundle-id)", + "fs_group": null + } + ], + "sandbox_pidns": false, + "exec_commands": [] + } + ], + "common": { + "cpath": "/run/kata-containers/shared/containers", + "sfprefix": "^$(cpath)/$(bundle-id)-[a-z0-9]{16}-", + "spath": "/run/kata-containers/sandbox/storage", + "ipv4_a": "((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}", + "ip_p": "[0-9]{1,5}", + "svc_name": "[A-Z0-9_\\.\\-]+", + "dns_label": "[a-zA-Z0-9_\\.\\-]+", + "default_caps": [ + "CAP_CHOWN", + "CAP_DAC_OVERRIDE", + "CAP_FSETID", + "CAP_FOWNER", + "CAP_MKNOD", + "CAP_NET_RAW", + "CAP_SETGID", + "CAP_SETUID", + "CAP_SETFCAP", + "CAP_SETPCAP", + "CAP_NET_BIND_SERVICE", + "CAP_SYS_CHROOT", + "CAP_KILL", + "CAP_AUDIT_WRITE" + ], + "privileged_caps": [ + "CAP_CHOWN", + "CAP_DAC_OVERRIDE", + "CAP_DAC_READ_SEARCH", + "CAP_FOWNER", + "CAP_FSETID", + "CAP_KILL", + "CAP_SETGID", + "CAP_SETUID", + "CAP_SETPCAP", + "CAP_LINUX_IMMUTABLE", + "CAP_NET_BIND_SERVICE", + "CAP_NET_BROADCAST", + "CAP_NET_ADMIN", + "CAP_NET_RAW", + "CAP_IPC_LOCK", + "CAP_IPC_OWNER", + "CAP_SYS_MODULE", + "CAP_SYS_RAWIO", + "CAP_SYS_CHROOT", + "CAP_SYS_PTRACE", + "CAP_SYS_PACCT", + "CAP_SYS_ADMIN", + "CAP_SYS_BOOT", + "CAP_SYS_NICE", + "CAP_SYS_RESOURCE", + "CAP_SYS_TIME", + "CAP_SYS_TTY_CONFIG", + 
"CAP_MKNOD", + "CAP_LEASE", + "CAP_AUDIT_WRITE", + "CAP_AUDIT_CONTROL", + "CAP_SETFCAP", + "CAP_MAC_OVERRIDE", + "CAP_MAC_ADMIN", + "CAP_SYSLOG", + "CAP_WAKE_ALARM", + "CAP_BLOCK_SUSPEND", + "CAP_AUDIT_READ", + "CAP_PERFMON", + "CAP_BPF", + "CAP_CHECKPOINT_RESTORE" + ], + "virtio_blk_storage_classes": [ + "cc-local-csi", + "cc-managed-csi", + "cc-managed-premium-csi" + ], + "smb_storage_classes": [ + "cc-azurefile-csi", + "cc-azurefile-premium-csi" + ] + }, + "sandbox": { + "storages": [ + { + "driver": "ephemeral", + "driver_options": [], + "source": "shm", + "fstype": "tmpfs", + "options": [ + "noexec", + "nosuid", + "nodev", + "mode=1777", + "size=67108864" + ], + "mount_point": "/run/kata-containers/sandbox/shm", + "fs_group": null + } + ] + }, + "request_defaults": { + "CreateContainerRequest": { + "allow_env_regex": [ + "^HOSTNAME=$(dns_label)$", + "^$(svc_name)_PORT_$(ip_p)_TCP=tcp://$(ipv4_a):$(ip_p)$", + "^$(svc_name)_PORT_$(ip_p)_TCP_PROTO=tcp$", + "^$(svc_name)_PORT_$(ip_p)_TCP_PORT=$(ip_p)$", + "^$(svc_name)_PORT_$(ip_p)_TCP_ADDR=$(ipv4_a)$", + "^$(svc_name)_SERVICE_HOST=$(ipv4_a)$", + "^$(svc_name)_SERVICE_PORT=$(ip_p)$", + "^$(svc_name)_SERVICE_PORT_$(dns_label)=$(ip_p)$", + "^$(svc_name)_PORT=tcp://$(ipv4_a):$(ip_p)$", + "^AZURE_CLIENT_ID=[A-Fa-f0-9-]*$", + "^AZURE_TENANT_ID=[A-Fa-f0-9-]*$", + "^AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/azure/tokens/azure-identity-token$", + "^AZURE_AUTHORITY_HOST=https://login\\.microsoftonline\\.com/$" + ] + }, + "CopyFileRequest": [ + "$(sfprefix)" + ], + "ExecProcessRequest": { + "commands": [], + "regex": [] + }, + "CloseStdinRequest": false, + "ReadStreamRequest": true, + "UpdateEphemeralMountsRequest": false, + "WriteStreamRequest": false + } +} \ No newline at end of file diff --git a/tests/kata/data/pod-persistent-volumes/inputs.txt b/tests/kata/data/pod-persistent-volumes/inputs.txt new file mode 100644 index 00000000..19ff59c4 --- /dev/null +++ b/tests/kata/data/pod-persistent-volumes/inputs.txt 
@@ -0,0 +1,48 @@ +["ep":"AllowRequestsFailingPolicy",{}], + +["ep":"CreateSandboxRequest",{"hostname":"","dns":["nameserver 168.63.129.16",""],"storages":[{"driver":"ephemeral","driver_options":[],"source":"shm","fstype":"tmpfs","options":["noexec","nosuid","nodev","mode=1777","size=67108864"],"mount_point":"/run/kata-containers/sandbox/shm","fs_group":null}],"sandbox_pidns":false,"sandbox_id":"cb3724318db4d1ddfafe9b75b46c9f4ad0d99a02e5bbba15ec7276f3fb46391f","guest_hook_path":"","kernel_modules":[]}], + +["ep":"GuestDetailsRequest",{"mem_block_size":true,"mem_hotplug_probe":true}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/cb3724318db4d1ddfafe9b75b46c9f4ad0d99a02e5bbba15ec7276f3fb46391f-2a9dcee0f0886a07-resolv.conf","file_size":25,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CreateContainerRequest",{"container_id":"cb3724318db4d1ddfafe9b75b46c9f4ad0d99a02e5bbba15ec7276f3fb46391f","exec_id":"cb3724318db4d1ddfafe9b75b46c9f4ad0d99a02e5bbba15ec7276f3fb46391f","string_user":null,"devices":[],"storages":[{"driver":"blk","driver_options":[],"source":"0001:00:01.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=817250f1a3e336da76f5bd3fa784e1b26d959b9c131876815ba2604048b70c18"],"mount_point":"/run/kata-containers/sandbox/layers/5a5aad80055ff20012a50dc25f8df7a29924474324d65f7d5306ee8ee27ff71d","fs_group":null},{"driver":"overlayfs","driver_options":[],"source":"none","fstype":"fuse3.kata-overlay","options":["io.katacontainers.fs-opt.layer-src-prefix=/var/lib/containerd/io.containerd.snapshotter.v1.tardev/layers","io.katacontainers.fs-opt.layer=NWE1YWFkODAwNTVmZjIwMDEyYTUwZGMyNWY4ZGY3YTI5OTI0NDc0MzI0ZDY1ZjdkNTMwNmVlOGVlMjdmZjcxZCx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPTgxNzI1M
GYxYTNlMzM2ZGE3NmY1YmQzZmE3ODRlMWIyNmQ5NTliOWMxMzE4NzY4MTViYTI2MDQwNDhiNzBjMTg=","io.katacontainers.fs-opt.overlay-rw","lowerdir=5a5aad80055ff20012a50dc25f8df7a29924474324d65f7d5306ee8ee27ff71d"],"mount_point":"/run/kata-containers/shared/containers/cb3724318db4d1ddfafe9b75b46c9f4ad0d99a02e5bbba15ec7276f3fb46391f","fs_group":null}],"OCI":{"Version":"1.1.0-rc.1","Process":{"Terminal":false,"ConsoleSize":null,"User":{"UID":65535,"GID":65535,"AdditionalGids":[65535],"Username":""},"Args":["/pause"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],"Cwd":"/","Capabilities":{"Bounding":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Effective":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Inheritable":[],"Permitted":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Ambient":[]},"Rlimits":[],"NoNewPrivileges":true,"ApparmorProfile":"","OOMScoreAdj":-998,"SelinuxLabel":""},"Root":{"Path":"/run/kata-containers/shared/containers/cb3724318db4d1ddfafe9b75b46c9f4ad0d99a02e5bbba15ec7276f3fb46391f","Readonly":true},"Hostname":"","Mounts":[{"destination":"/proc","source":"proc","type_":"proc","options":["nosuid","noexec","nodev"]},{"destination":"/dev","source":"tmpfs","type_":"tmpfs","options":["nosuid","strictatime","mode=755","size=65536k"]},{"destination":"/dev/pts","source":"devpts","type_":"devpts","options":["nosuid","noexec","newinstance","ptmxmode=0666","mode=0620","gid=5"]},{"destination":"/dev/mqueue","source":"mqueue","type_":"mqueue","options":["nosuid","noexec","nodev
"]},{"destination":"/sys","source":"sysfs","type_":"sysfs","options":["nosuid","noexec","nodev","ro"]},{"destination":"/dev/shm","source":"/run/kata-containers/sandbox/shm","type_":"bind","options":["rbind"]},{"destination":"/etc/resolv.conf","source":"/run/kata-containers/shared/containers/cb3724318db4d1ddfafe9b75b46c9f4ad0d99a02e5bbba15ec7276f3fb46391f-2a9dcee0f0886a07-resolv.conf","type_":"bind","options":["rbind","ro","nosuid","nodev","noexec"]}],"Hooks":null,"Annotations":{"io.kubernetes.cri.sandbox-name":"persistent","io.kubernetes.cri.container-type":"sandbox","nerdctl/network-namespace":"/var/run/netns/cnitest-8951ee22-d2ae-ab42-5453-5920971b906d","io.kubernetes.cri.sandbox-id":"cb3724318db4d1ddfafe9b75b46c9f4ad0d99a02e5bbba15ec7276f3fb46391f","io.kubernetes.cri.sandbox-uid":"20a48b4d-0fcd-4547-9183-6ab69262ba04","io.katacontainers.pkg.oci.bundle_path":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/cb3724318db4d1ddfafe9b75b46c9f4ad0d99a02e5bbba15ec7276f3fb46391f","io.kubernetes.cri.sandbox-cpu-period":"100000","io.kubernetes.cri.sandbox-cpu-shares":"2","io.kubernetes.cri.sandbox-namespace":"default","io.katacontainers.pkg.oci.container_type":"pod_sandbox","io.kubernetes.cri.sandbox-cpu-quota":"0","io.kubernetes.cri.sandbox-memory":"0","io.kubernetes.cri.sandbox-log-directory":"/var/log/pods/default_persistent_20a48b4d-0fcd-4547-9183-6ab69262ba04"},"Linux":{"UIDMappings":[],"GIDMappings":[],"Sysctl":{},"Resources":{"Devices":[],"Memory":null,"CPU":{"Shares":2,"Quota":0,"Period":0,"RealtimeRuntime":0,"RealtimePeriod":0,"Cpus":"","Mems":""},"Pids":null,"BlockIO":null,"HugepageLimits":[],"Network":null},"CgroupsPath":"/kubepods/besteffort/pod20a48b4d-0fcd-4547-9183-6ab69262ba04/cb3724318db4d1ddfafe9b75b46c9f4ad0d99a02e5bbba15ec7276f3fb46391f","Namespaces":[{"Type":"ipc","Path":""},{"Type":"mount","Path":""}],"Devices":[],"Seccomp":null,"RootfsPropagation":"","MaskedPaths":["/proc/acpi","/proc/asound","/proc/kcore","/proc/keys","/proc/latency_stats","/proc
/timer_list","/proc/timer_stats","/proc/sched_debug","/sys/firmware","/proc/scsi"],"ReadonlyPaths":["/proc/bus","/proc/fs","/proc/irq","/proc/sys","/proc/sysrq-trigger"],"MountLabel":"","IntelRdt":null},"Solaris":null,"Windows":null},"sandbox_pidns":false,"shared_mounts":[]}], + +["ep":"StartContainerRequest",{"container_id":"cb3724318db4d1ddfafe9b75b46c9f4ad0d99a02e5bbba15ec7276f3fb46391f"}], + +["ep":"GetOOMEventRequest",{}], + +["ep":"WaitProcessRequest",{"container_id":"cb3724318db4d1ddfafe9b75b46c9f4ad0d99a02e5bbba15ec7276f3fb46391f","exec_id":"cb3724318db4d1ddfafe9b75b46c9f4ad0d99a02e5bbba15ec7276f3fb46391f"}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/29547a6b2b66f63e4b7ae3b4ee3de9b38100f0f309bb89c923f47660fdb3e450-70e78869b61b0688-my-volume","file_size":0,"file_mode":16877,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/29547a6b2b66f63e4b7ae3b4ee3de9b38100f0f309bb89c923f47660fdb3e450-ac7ed51509af50bb-hosts","file_size":253,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/29547a6b2b66f63e4b7ae3b4ee3de9b38100f0f309bb89c923f47660fdb3e450-75f405b2a4d10c44-termination-log","file_size":0,"file_mode":33206,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/29547a6b2b66f63e4b7ae3b4ee3de9b38100f0f309bb89c923f47660fdb3e450-939ec8c725c03af2-hostname","file_size":34,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/29547a6b2b66f63e4b7ae3b4ee3de9b38100f0f309bb89c923f47660fdb3e450-338558fe91b38bf5-resolv.conf","file_size":25,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + 
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/29547a6b2b66f63e4b7ae3b4ee3de9b38100f0f309bb89c923f47660fdb3e450-fbefa3825e8bd3eb-serviceaccount","file_size":0,"file_mode":17407,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/29547a6b2b66f63e4b7ae3b4ee3de9b38100f0f309bb89c923f47660fdb3e450-fbefa3825e8bd3eb-serviceaccount/..2024_05_08_18_18_11.2961826904","file_size":0,"file_mode":16877,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/29547a6b2b66f63e4b7ae3b4ee3de9b38100f0f309bb89c923f47660fdb3e450-fbefa3825e8bd3eb-serviceaccount/..2024_05_08_18_18_11.2961826904/ca.crt","file_size":1761,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/29547a6b2b66f63e4b7ae3b4ee3de9b38100f0f309bb89c923f47660fdb3e450-fbefa3825e8bd3eb-serviceaccount/..2024_05_08_18_18_11.2961826904/namespace","file_size":7,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/29547a6b2b66f63e4b7ae3b4ee3de9b38100f0f309bb89c923f47660fdb3e450-fbefa3825e8bd3eb-serviceaccount/..2024_05_08_18_18_11.2961826904/token","file_size":1497,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/29547a6b2b66f63e4b7ae3b4ee3de9b38100f0f309bb89c923f47660fdb3e450-fbefa3825e8bd3eb-serviceaccount/..data","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..2024_05_08_18_18_11.2961826904"}], + 
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/29547a6b2b66f63e4b7ae3b4ee3de9b38100f0f309bb89c923f47660fdb3e450-fbefa3825e8bd3eb-serviceaccount/ca.crt","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..data/ca.crt"}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/29547a6b2b66f63e4b7ae3b4ee3de9b38100f0f309bb89c923f47660fdb3e450-fbefa3825e8bd3eb-serviceaccount/namespace","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..data/namespace"}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/29547a6b2b66f63e4b7ae3b4ee3de9b38100f0f309bb89c923f47660fdb3e450-fbefa3825e8bd3eb-serviceaccount/token","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..data/token"}], + +["ep":"CreateContainerRequest",{"container_id":"29547a6b2b66f63e4b7ae3b4ee3de9b38100f0f309bb89c923f47660fdb3e450","exec_id":"29547a6b2b66f63e4b7ae3b4ee3de9b38100f0f309bb89c923f47660fdb3e450","string_user":null,"devices":[],"storages":[{"driver":"blk","driver_options":[],"source":"0001:00:02.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=8568c70c0ccfe0051092e818da769111a59882cd19dd799d3bca5ffa82791080"],"mount_point":"/run/kata-containers/sandbox/layers/2c342a137e693c7898aec36da1047f191dc7c1687e66198adacc439cf4adf379","fs_group":null},{"driver":"blk","driver_options":[],"source":"0001:00:03.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=b643b6217748983830b26ac14a35a3322dd528c00963eaadd91ef55f513dc73f"],"mount_point":"/run/kata-containers/sandbox/layers/2570e3a19e1bf20ddda45498a9627f61555d2d6c01479b9b76460b679b27d552","fs_group":null},{"driver":"overlayfs","driver_options":[],"source":"none","f
stype":"fuse3.kata-overlay","options":["io.katacontainers.fs-opt.layer-src-prefix=/var/lib/containerd/io.containerd.snapshotter.v1.tardev/layers","io.katacontainers.fs-opt.layer=MmMzNDJhMTM3ZTY5M2M3ODk4YWVjMzZkYTEwNDdmMTkxZGM3YzE2ODdlNjYxOThhZGFjYzQzOWNmNGFkZjM3OSx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPTg1NjhjNzBjMGNjZmUwMDUxMDkyZTgxOGRhNzY5MTExYTU5ODgyY2QxOWRkNzk5ZDNiY2E1ZmZhODI3OTEwODA=","io.katacontainers.fs-opt.layer=MjU3MGUzYTE5ZTFiZjIwZGRkYTQ1NDk4YTk2MjdmNjE1NTVkMmQ2YzAxNDc5YjliNzY0NjBiNjc5YjI3ZDU1Mix0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPWI2NDNiNjIxNzc0ODk4MzgzMGIyNmFjMTRhMzVhMzMyMmRkNTI4YzAwOTYzZWFhZGQ5MWVmNTVmNTEzZGM3M2Y=","io.katacontainers.fs-opt.overlay-rw","lowerdir=2c342a137e693c7898aec36da1047f191dc7c1687e66198adacc439cf4adf379:2570e3a19e1bf20ddda45498a9627f61555d2d6c01479b9b76460b679b27d552"],"mount_point":"/run/kata-containers/shared/containers/29547a6b2b66f63e4b7ae3b4ee3de9b38100f0f309bb89c923f47660fdb3e450","fs_group":null},{"driver":"ephemeral","driver_options":[],"source":"tmpfs","fstype":"tmpfs","options":[],"mount_point":"/run/kata-containers/sandbox/ephemeral/data2","fs_group":null},{"driver":"local","driver_options":[],"source":"local","fstype":"local","options":["mode=0777"],"mount_point":"/run/kata-containers/shared/containers/cb3724318db4d1ddfafe9b75b46c9f4ad0d99a02e5bbba15ec7276f3fb46391f/local/data","fs_group":null}],"OCI":{"Version":"1.1.0-rc.1","Process":{"Terminal":false,"ConsoleSize":null,"User":{"UID":0,"GID":0,"AdditionalGids":[0,10],"Username":""},"Args":["sh"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","HOSTNAME=aks-nodepool1-38464071-vmss000000","KUBERNETES_SERVICE_HOST=10.0.0.1","KUBERNETES_SERVICE_PORT=443","KUBERNETES_SERVICE_PORT_HTTPS=443","KUBERNETES_PORT=t
cp://10.0.0.1:443","KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP_PROTO=tcp","KUBERNETES_PORT_443_TCP_PORT=443","KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1"],"Cwd":"/","Capabilities":{"Bounding":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Effective":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Inheritable":[],"Permitted":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Ambient":[]},"Rlimits":[],"NoNewPrivileges":false,"ApparmorProfile":"cri-containerd.apparmor.d","OOMScoreAdj":1000,"SelinuxLabel":""},"Root":{"Path":"/run/kata-containers/shared/containers/29547a6b2b66f63e4b7ae3b4ee3de9b38100f0f309bb89c923f47660fdb3e450","Readonly":true},"Hostname":"","Mounts":[{"destination":"/proc","source":"proc","type_":"proc","options":["nosuid","noexec","nodev"]},{"destination":"/dev","source":"tmpfs","type_":"tmpfs","options":["nosuid","strictatime","mode=755","size=65536k"]},{"destination":"/dev/pts","source":"devpts","type_":"devpts","options":["nosuid","noexec","newinstance","ptmxmode=0666","mode=0620","gid=5"]},{"destination":"/dev/mqueue","source":"mqueue","type_":"mqueue","options":["nosuid","noexec","nodev"]},{"destination":"/sys","source":"sysfs","type_":"sysfs","options":["nosuid","noexec","nodev","ro"]},{"destination":"/sys/fs/cgroup","source":"cgroup","type_":"cgroup","options":["nosuid","noexec","nodev","relatime","ro"]},{"destination":"/busy1","source":"/run/kata-containers/shared/containers/cb3724318db4d1ddfafe9b75b46c9f4ad0d99a02e5bbba15ec7276f3fb46391f/local/data",
"type_":"local","options":["rbind","rprivate","rw"]},{"destination":"/busy2","source":"/run/kata-containers/sandbox/ephemeral/data2","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/my-volume","source":"/run/kata-containers/shared/containers/29547a6b2b66f63e4b7ae3b4ee3de9b38100f0f309bb89c923f47660fdb3e450-70e78869b61b0688-my-volume","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/dev/ttyS0","source":"/dev/ttyS0","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/etc/hosts","source":"/run/kata-containers/shared/containers/29547a6b2b66f63e4b7ae3b4ee3de9b38100f0f309bb89c923f47660fdb3e450-ac7ed51509af50bb-hosts","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/dev/termination-log","source":"/run/kata-containers/shared/containers/29547a6b2b66f63e4b7ae3b4ee3de9b38100f0f309bb89c923f47660fdb3e450-75f405b2a4d10c44-termination-log","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/etc/hostname","source":"/run/kata-containers/shared/containers/29547a6b2b66f63e4b7ae3b4ee3de9b38100f0f309bb89c923f47660fdb3e450-939ec8c725c03af2-hostname","type_":"bind","options":["rbind","rprivate","ro"]},{"destination":"/etc/resolv.conf","source":"/run/kata-containers/shared/containers/29547a6b2b66f63e4b7ae3b4ee3de9b38100f0f309bb89c923f47660fdb3e450-338558fe91b38bf5-resolv.conf","type_":"bind","options":["rbind","rprivate","ro"]},{"destination":"/dev/shm","source":"/run/kata-containers/sandbox/shm","type_":"bind","options":["rbind"]},{"destination":"/var/run/secrets/kubernetes.io/serviceaccount","source":"/run/kata-containers/shared/containers/29547a6b2b66f63e4b7ae3b4ee3de9b38100f0f309bb89c923f47660fdb3e450-fbefa3825e8bd3eb-serviceaccount","type_":"bind","options":["rbind","rprivate","ro"]}],"Hooks":null,"Annotations":{"io.kubernetes.cri.sandbox-name":"persistent","io.kubernetes.cri.sandbox-uid":"20a48b4d-0fcd-4547-9183-6ab69262ba04","io.kubernetes.cri.container-type":"container","io.katacontainers.p
kg.oci.container_type":"pod_container","io.kubernetes.cri.sandbox-namespace":"default","io.kubernetes.cri.image-name":"mcr.microsoft.com/aks/e2e/library-busybox:master.220314.1-linux-amd64","io.kubernetes.cri.container-name":"busybox","io.katacontainers.pkg.oci.bundle_path":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/29547a6b2b66f63e4b7ae3b4ee3de9b38100f0f309bb89c923f47660fdb3e450","io.kubernetes.cri.sandbox-id":"cb3724318db4d1ddfafe9b75b46c9f4ad0d99a02e5bbba15ec7276f3fb46391f"},"Linux":{"UIDMappings":[],"GIDMappings":[],"Sysctl":{},"Resources":{"Devices":[],"Memory":{"Limit":0,"Reservation":0,"Swap":0,"Kernel":0,"KernelTCP":0,"Swappiness":0,"DisableOOMKiller":false},"CPU":{"Shares":2,"Quota":0,"Period":100000,"RealtimeRuntime":0,"RealtimePeriod":0,"Cpus":"","Mems":""},"Pids":null,"BlockIO":null,"HugepageLimits":[],"Network":null},"CgroupsPath":"/kubepods/besteffort/pod20a48b4d-0fcd-4547-9183-6ab69262ba04/29547a6b2b66f63e4b7ae3b4ee3de9b38100f0f309bb89c923f47660fdb3e450","Namespaces":[{"Type":"ipc","Path":""},{"Type":"uts","Path":""},{"Type":"mount","Path":""}],"Devices":[],"Seccomp":null,"RootfsPropagation":"","MaskedPaths":["/proc/asound","/proc/acpi","/proc/kcore","/proc/keys","/proc/latency_stats","/proc/timer_list","/proc/timer_stats","/proc/sched_debug","/proc/scsi","/sys/firmware"],"ReadonlyPaths":["/proc/bus","/proc/fs","/proc/irq","/proc/sys","/proc/sysrq-trigger"],"MountLabel":"","IntelRdt":null},"Solaris":null,"Windows":null},"sandbox_pidns":false,"shared_mounts":[]}], + +["ep":"StartContainerRequest",{"container_id":"29547a6b2b66f63e4b7ae3b4ee3de9b38100f0f309bb89c923f47660fdb3e450"}], + diff --git a/tests/kata/data/pod-persistent-volumes/outputs.json b/tests/kata/data/pod-persistent-volumes/outputs.json new file mode 100644 index 00000000..8ca5fc56 --- /dev/null +++ b/tests/kata/data/pod-persistent-volumes/outputs.json 
@@ -0,0 +1,26 @@ +[ + false, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true +] \ No newline at end of file diff --git a/tests/kata/data/pod-persistent-volumes/policy.rego b/tests/kata/data/pod-persistent-volumes/policy.rego new file mode 100644 index 00000000..9e0c314b --- /dev/null +++ b/tests/kata/data/pod-persistent-volumes/policy.rego 
@@ -0,0 +1,1866 @@ +# Copyright (c) 2023 Microsoft Corporation +# +# SPDX-License-Identifier: Apache-2.0 +# +package agent_policy + +import future.keywords.in +import future.keywords.every + +# Default values, returned by OPA when rules cannot be evaluated to true. +default AddARPNeighborsRequest := false +default AddSwapRequest := false +default CloseStdinRequest := false +default CopyFileRequest := false +default CreateContainerRequest := false +default CreateSandboxRequest := false +default DestroySandboxRequest := true +default ExecProcessRequest := false +default GetOOMEventRequest := true +default GuestDetailsRequest := true +default ListInterfacesRequest := false +default ListRoutesRequest := false +default MemHotplugByProbeRequest := false +default OnlineCPUMemRequest := true +default PauseContainerRequest := false +default ReadStreamRequest := false +default RemoveContainerRequest := true +default RemoveStaleVirtiofsShareMountsRequest := true +default ReseedRandomDevRequest := false +default ResumeContainerRequest := false +default SetGuestDateTimeRequest := false +default SetPolicyRequest := false +default SignalProcessRequest := true +default StartContainerRequest := true +default StartTracingRequest := false +default StatsContainerRequest := true +default StopTracingRequest := false +default TtyWinResizeRequest := true +default UpdateContainerRequest := false +default UpdateEphemeralMountsRequest := false +default UpdateInterfaceRequest := true +default UpdateRoutesRequest := true +default WaitProcessRequest := true +default WriteStreamRequest := false + +# AllowRequestsFailingPolicy := true configures the Agent to *allow any +# requests causing a policy failure*. This is an unsecure configuration +# but is useful for allowing unsecure pods to start, then connect to +# them and inspect OPA logs for the root cause of a failure. 
+default AllowRequestsFailingPolicy := false + +CreateContainerRequest { + i_oci := input.OCI + i_storages := input.storages + + print("CreateContainerRequest: i_oci.Hooks =", i_oci.Hooks) + is_null(i_oci.Hooks) + + print("CreateContainerRequest: i_oci.Linux.Seccomp =", i_oci.Linux.Seccomp) + is_null(i_oci.Linux.Seccomp) + + some p_container in policy_data.containers + print("======== CreateContainerRequest: trying next policy container") + + p_pidns := p_container.sandbox_pidns + i_pidns := input.sandbox_pidns + print("CreateContainerRequest: p_pidns =", p_pidns, "i_pidns =", i_pidns) + p_pidns == i_pidns + + p_oci := p_container.OCI + + print("CreateContainerRequest: p Version =", p_oci.Version, "i Version =", i_oci.Version) + p_oci.Version == i_oci.Version + + print("CreateContainerRequest: p Readonly =", p_oci.Root.Readonly, "i Readonly =", i_oci.Root.Readonly) + p_oci.Root.Readonly == i_oci.Root.Readonly + + allow_anno(p_oci, i_oci) + + p_storages := p_container.storages + allow_by_anno(p_oci, i_oci, p_storages, i_storages) + + allow_linux(p_oci, i_oci) + + print("CreateContainerRequest: true") +} + +# Reject unexpected annotations. 
+allow_anno(p_oci, i_oci) { + print("allow_anno 1: start") + + not i_oci.Annotations + + print("allow_anno 1: true") +} +allow_anno(p_oci, i_oci) { + print("allow_anno 2: p Annotations =", p_oci.Annotations) + print("allow_anno 2: i Annotations =", i_oci.Annotations) + + i_keys := object.keys(i_oci.Annotations) + print("allow_anno 2: i keys =", i_keys) + + every i_key in i_keys { + allow_anno_key(i_key, p_oci) + } + + print("allow_anno 2: true") +} + +allow_anno_key(i_key, p_oci) { + print("allow_anno_key 1: i key =", i_key) + + startswith(i_key, "io.kubernetes.cri.") + + print("allow_anno_key 1: true") +} +allow_anno_key(i_key, p_oci) { + print("allow_anno_key 2: i key =", i_key) + + some p_key, _ in p_oci.Annotations + p_key == i_key + + print("allow_anno_key 2: true") +} + +# Get the value of the "io.kubernetes.cri.sandbox-name" annotation and +# correlate it with other annotations and process fields. +allow_by_anno(p_oci, i_oci, p_storages, i_storages) { + print("allow_by_anno 1: start") + + s_name := "io.kubernetes.cri.sandbox-name" + + not p_oci.Annotations[s_name] + + i_s_name := i_oci.Annotations[s_name] + print("allow_by_anno 1: i_s_name =", i_s_name) + + allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, i_s_name) + + print("allow_by_anno 1: true") +} +allow_by_anno(p_oci, i_oci, p_storages, i_storages) { + print("allow_by_anno 2: start") + + s_name := "io.kubernetes.cri.sandbox-name" + + p_s_name := p_oci.Annotations[s_name] + i_s_name := i_oci.Annotations[s_name] + print("allow_by_anno 2: i_s_name =", i_s_name, "p_s_name =", p_s_name) + + allow_sandbox_name(p_s_name, i_s_name) + allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, i_s_name) + + print("allow_by_anno 2: true") +} + +allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, s_name) { + print("allow_by_sandbox_name: start") + + s_namespace := "io.kubernetes.cri.sandbox-namespace" + + p_namespace := p_oci.Annotations[s_namespace] + i_namespace := 
i_oci.Annotations[s_namespace] + print("allow_by_sandbox_name: p_namespace =", p_namespace, "i_namespace =", i_namespace) + p_namespace == i_namespace + + allow_by_container_types(p_oci, i_oci, s_name, p_namespace) + allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) + allow_process(p_oci, i_oci, s_name) + + print("allow_by_sandbox_name: true") +} + +allow_sandbox_name(p_s_name, i_s_name) { + print("allow_sandbox_name 1: start") + + p_s_name == i_s_name + + print("allow_sandbox_name 1: true") +} +allow_sandbox_name(p_s_name, i_s_name) { + print("allow_sandbox_name 2: start") + + # TODO: should generated names be handled differently? + contains(p_s_name, "$(generated-name)") + + print("allow_sandbox_name 2: true") +} + +# Check that the "io.kubernetes.cri.container-type" and +# "io.katacontainers.pkg.oci.container_type" annotations designate the +# expected type - either a "sandbox" or a "container". Then, validate +# other annotations based on the actual "sandbox" or "container" value +# from the input container. 
+allow_by_container_types(p_oci, i_oci, s_name, s_namespace) { + print("allow_by_container_types: checking io.kubernetes.cri.container-type") + + c_type := "io.kubernetes.cri.container-type" + + p_cri_type := p_oci.Annotations[c_type] + i_cri_type := i_oci.Annotations[c_type] + print("allow_by_container_types: p_cri_type =", p_cri_type, "i_cri_type =", i_cri_type) + p_cri_type == i_cri_type + + allow_by_container_type(i_cri_type, p_oci, i_oci, s_name, s_namespace) + + print("allow_by_container_types: true") +} + +allow_by_container_type(i_cri_type, p_oci, i_oci, s_name, s_namespace) { + print("allow_by_container_type 1: i_cri_type =", i_cri_type) + i_cri_type == "sandbox" + + i_kata_type := i_oci.Annotations["io.katacontainers.pkg.oci.container_type"] + print("allow_by_container_type 1: i_kata_type =", i_kata_type) + i_kata_type == "pod_sandbox" + + allow_sandbox_container_name(p_oci, i_oci) + allow_sandbox_net_namespace(p_oci, i_oci) + allow_sandbox_log_directory(p_oci, i_oci, s_name, s_namespace) + + print("allow_by_container_type 1: true") +} + +allow_by_container_type(i_cri_type, p_oci, i_oci, s_name, s_namespace) { + print("allow_by_container_type 2: i_cri_type =", i_cri_type) + i_cri_type == "container" + + i_kata_type := i_oci.Annotations["io.katacontainers.pkg.oci.container_type"] + print("allow_by_container_type 2: i_kata_type =", i_kata_type) + i_kata_type == "pod_container" + + allow_container_name(p_oci, i_oci) + allow_net_namespace(p_oci, i_oci) + allow_log_directory(p_oci, i_oci) + + print("allow_by_container_type 2: true") +} + +# "io.kubernetes.cri.container-name" annotation +allow_sandbox_container_name(p_oci, i_oci) { + print("allow_sandbox_container_name: start") + + container_annotation_missing(p_oci, i_oci, "io.kubernetes.cri.container-name") + + print("allow_sandbox_container_name: true") +} + +allow_container_name(p_oci, i_oci) { + print("allow_container_name: start") + + allow_container_annotation(p_oci, i_oci, 
"io.kubernetes.cri.container-name") + + print("allow_container_name: true") +} + +container_annotation_missing(p_oci, i_oci, key) { + print("container_annotation_missing:", key) + + not p_oci.Annotations[key] + not i_oci.Annotations[key] + + print("container_annotation_missing: true") +} + +allow_container_annotation(p_oci, i_oci, key) { + print("allow_container_annotation: key =", key) + + p_value := p_oci.Annotations[key] + i_value := i_oci.Annotations[key] + print("allow_container_annotation: p_value =", p_value, "i_value =", i_value) + + p_value == i_value + + print("allow_container_annotation: true") +} + +# "nerdctl/network-namespace" annotation +allow_sandbox_net_namespace(p_oci, i_oci) { + print("allow_sandbox_net_namespace: start") + + key := "nerdctl/network-namespace" + + p_namespace := p_oci.Annotations[key] + i_namespace := i_oci.Annotations[key] + print("allow_sandbox_net_namespace: p_namespace =", p_namespace, "i_namespace =", i_namespace) + + regex.match(p_namespace, i_namespace) + + print("allow_sandbox_net_namespace: true") +} + +allow_net_namespace(p_oci, i_oci) { + print("allow_net_namespace: start") + + key := "nerdctl/network-namespace" + + not p_oci.Annotations[key] + not i_oci.Annotations[key] + + print("allow_net_namespace: true") +} + +# "io.kubernetes.cri.sandbox-log-directory" annotation +allow_sandbox_log_directory(p_oci, i_oci, s_name, s_namespace) { + print("allow_sandbox_log_directory: start") + + key := "io.kubernetes.cri.sandbox-log-directory" + + p_dir := p_oci.Annotations[key] + regex1 := replace(p_dir, "$(sandbox-name)", s_name) + regex2 := replace(regex1, "$(sandbox-namespace)", s_namespace) + print("allow_sandbox_log_directory: regex2 =", regex2) + + i_dir := i_oci.Annotations[key] + print("allow_sandbox_log_directory: i_dir =", i_dir) + + regex.match(regex2, i_dir) + + print("allow_sandbox_log_directory: true") +} + +allow_log_directory(p_oci, i_oci) { + print("allow_log_directory: start") + + key := 
"io.kubernetes.cri.sandbox-log-directory" + + not p_oci.Annotations[key] + not i_oci.Annotations[key] + + print("allow_log_directory: true") +} + +allow_linux(p_oci, i_oci) { + p_namespaces := p_oci.Linux.Namespaces + print("allow_linux: p namespaces =", p_namespaces) + + i_namespaces := i_oci.Linux.Namespaces + print("allow_linux: i namespaces =", i_namespaces) + + p_namespaces == i_namespaces + + allow_masked_paths(p_oci, i_oci) + allow_readonly_paths(p_oci, i_oci) + + print("allow_linux: true") +} + +allow_masked_paths(p_oci, i_oci) { + p_paths := p_oci.Linux.MaskedPaths + print("allow_masked_paths 1: p_paths =", p_paths) + + i_paths := i_oci.Linux.MaskedPaths + print("allow_masked_paths 1: i_paths =", i_paths) + + allow_masked_paths_array(p_paths, i_paths) + + print("allow_masked_paths 1: true") +} +allow_masked_paths(p_oci, i_oci) { + print("allow_masked_paths 2: start") + + not p_oci.Linux.MaskedPaths + not i_oci.Linux.MaskedPaths + + print("allow_masked_paths 2: true") +} + +# All the policy masked paths must be masked in the input data too. +# Input is allowed to have more masked paths than the policy. 
+allow_masked_paths_array(p_array, i_array) { + every p_elem in p_array { + allow_masked_path(p_elem, i_array) + } +} + +allow_masked_path(p_elem, i_array) { + print("allow_masked_path: p_elem =", p_elem) + + some i_elem in i_array + p_elem == i_elem + + print("allow_masked_path: true") +} + +allow_readonly_paths(p_oci, i_oci) { + p_paths := p_oci.Linux.ReadonlyPaths + print("allow_readonly_paths 1: p_paths =", p_paths) + + i_paths := i_oci.Linux.ReadonlyPaths + print("allow_readonly_paths 1: i_paths =", i_paths) + + allow_readonly_paths_array(p_paths, i_paths, i_oci.Linux.MaskedPaths) + + print("allow_readonly_paths 1: true") +} +allow_readonly_paths(p_oci, i_oci) { + print("allow_readonly_paths 2: start") + + not p_oci.Linux.ReadonlyPaths + not i_oci.Linux.ReadonlyPaths + + print("allow_readonly_paths 2: true") +} + +# All the policy readonly paths must be either: +# - Present in the input readonly paths, or +# - Present in the input masked paths. +# Input is allowed to have more readonly paths than the policy. +allow_readonly_paths_array(p_array, i_array, masked_paths) { + every p_elem in p_array { + allow_readonly_path(p_elem, i_array, masked_paths) + } +} + +allow_readonly_path(p_elem, i_array, masked_paths) { + print("allow_readonly_path 1: p_elem =", p_elem) + + some i_elem in i_array + p_elem == i_elem + + print("allow_readonly_path 1: true") +} +allow_readonly_path(p_elem, i_array, masked_paths) { + print("allow_readonly_path 2: p_elem =", p_elem) + + some i_masked in masked_paths + p_elem == i_masked + + print("allow_readonly_path 2: true") +} + +# Check the consistency of the input "io.katacontainers.pkg.oci.bundle_path" +# and io.kubernetes.cri.sandbox-id" values with other fields. 
+allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) { + print("allow_by_bundle_or_sandbox_id: start") + + bundle_path := i_oci.Annotations["io.katacontainers.pkg.oci.bundle_path"] + bundle_id := replace(bundle_path, "/run/containerd/io.containerd.runtime.v2.task/k8s.io/", "") + + key := "io.kubernetes.cri.sandbox-id" + + p_regex := p_oci.Annotations[key] + sandbox_id := i_oci.Annotations[key] + + print("allow_by_bundle_or_sandbox_id: sandbox_id =", sandbox_id, "regex =", p_regex) + regex.match(p_regex, sandbox_id) + + allow_root_path(p_oci, i_oci, bundle_id) + + every i_mount in input.OCI.Mounts { + allow_mount(p_oci, i_mount, bundle_id, sandbox_id) + } + + allow_storages(p_storages, i_storages, bundle_id, sandbox_id) + + print("allow_by_bundle_or_sandbox_id: true") +} + +allow_process(p_oci, i_oci, s_name) { + p_process := p_oci.Process + i_process := i_oci.Process + + print("allow_process: i terminal =", i_process.Terminal, "p terminal =", p_process.Terminal) + p_process.Terminal == i_process.Terminal + + print("allow_process: i cwd =", i_process.Cwd, "i cwd =", p_process.Cwd) + p_process.Cwd == i_process.Cwd + + print("allow_process: i noNewPrivileges =", i_process.NoNewPrivileges, "p noNewPrivileges =", p_process.NoNewPrivileges) + p_process.NoNewPrivileges == i_process.NoNewPrivileges + + allow_caps(p_process.Capabilities, i_process.Capabilities) + allow_user(p_process, i_process) + allow_args(p_process, i_process, s_name) + allow_env(p_process, i_process, s_name) + + print("allow_process: true") +} + +allow_user(p_process, i_process) { + p_user := p_process.User + i_user := i_process.User + + print("allow_user: input uid =", i_user.UID, "policy uid =", p_user.UID) + p_user.UID == i_user.UID + + # TODO: track down the reason for registry.k8s.io/pause:3.9 being + # executed with gid = 0 despite having "65535:65535" in its container image + # config. 
+ #print("allow_user: input gid =", i_user.GID, "policy gid =", p_user.GID) + #p_user.GID == i_user.GID + + # TODO: compare the additionalGids field too after computing its value + # based on /etc/passwd and /etc/group from the container image. +} + +allow_args(p_process, i_process, s_name) { + print("allow_args 1: no args") + + not p_process.Args + not i_process.Args + + print("allow_args 1: true") +} +allow_args(p_process, i_process, s_name) { + print("allow_args 2: policy args =", p_process.Args) + print("allow_args 2: input args =", i_process.Args) + + count(p_process.Args) == count(i_process.Args) + + every i, i_arg in i_process.Args { + allow_arg(i, i_arg, p_process, s_name) + } + + print("allow_args 2: true") +} +allow_arg(i, i_arg, p_process, s_name) { + p_arg := p_process.Args[i] + print("allow_arg 1: i =", i, "i_arg =", i_arg, "p_arg =", p_arg) + + p_arg2 := replace(p_arg, "$$", "$") + p_arg2 == i_arg + + print("allow_arg 1: true") +} +allow_arg(i, i_arg, p_process, s_name) { + p_arg := p_process.Args[i] + print("allow_arg 2: i =", i, "i_arg =", i_arg, "p_arg =", p_arg) + + # TODO: can $(node-name) be handled better? + contains(p_arg, "$(node-name)") + + print("allow_arg 2: true") +} +allow_arg(i, i_arg, p_process, s_name) { + p_arg := p_process.Args[i] + print("allow_arg 3: i =", i, "i_arg =", i_arg, "p_arg =", p_arg) + + p_arg2 := replace(p_arg, "$$", "$") + p_arg3 := replace(p_arg2, "$(sandbox-name)", s_name) + print("allow_arg 3: p_arg3 =", p_arg3) + p_arg3 == i_arg + + print("allow_arg 3: true") +} + +# OCI process.Env field +allow_env(p_process, i_process, s_name) { + print("allow_env: p env =", p_process.Env) + print("allow_env: i env =", i_process.Env) + + every i_var in i_process.Env { + print("allow_env: i_var =", i_var) + allow_var(p_process, i_process, i_var, s_name) + } + + print("allow_env: true") +} + +# Allow input env variables that are present in the policy data too. 
+allow_var(p_process, i_process, i_var, s_name) { + some p_var in p_process.Env + p_var == i_var + print("allow_var 1: true") +} + +# Match input with one of the policy variables, after substituting $(sandbox-name). +allow_var(p_process, i_process, i_var, s_name) { + some p_var in p_process.Env + p_var2 := replace(p_var, "$(sandbox-name)", s_name) + + print("allow_var 2: p_var2 =", p_var2) + p_var2 == i_var + + print("allow_var 2: true") +} + +# Allow input env variables that match with a request_defaults regex. +allow_var(p_process, i_process, i_var, s_name) { + some p_regex1 in policy_data.request_defaults.CreateContainerRequest.allow_env_regex + p_regex2 := replace(p_regex1, "$(ipv4_a)", policy_data.common.ipv4_a) + p_regex3 := replace(p_regex2, "$(ip_p)", policy_data.common.ip_p) + p_regex4 := replace(p_regex3, "$(svc_name)", policy_data.common.svc_name) + p_regex5 := replace(p_regex4, "$(dns_label)", policy_data.common.dns_label) + + print("allow_var 3: p_regex5 =", p_regex5) + regex.match(p_regex5, i_var) + + print("allow_var 3: true") +} + +# Allow fieldRef "fieldPath: status.podIP" values. +allow_var(p_process, i_process, i_var, s_name) { + name_value := split(i_var, "=") + count(name_value) == 2 + is_ip(name_value[1]) + + some p_var in p_process.Env + allow_pod_ip_var(name_value[0], p_var) + + print("allow_var 4: true") +} + +# Allow common fieldRef variables. +allow_var(p_process, i_process, i_var, s_name) { + name_value := split(i_var, "=") + count(name_value) == 2 + + some p_var in p_process.Env + p_name_value := split(p_var, "=") + count(p_name_value) == 2 + + p_name_value[0] == name_value[0] + + # TODO: should these be handled in a different way? + always_allowed := ["$(host-name)", "$(node-name)", "$(pod-uid)"] + some allowed in always_allowed + contains(p_name_value[1], allowed) + + print("allow_var 5: true") +} + +# Allow fieldRef "fieldPath: status.hostIP" values. 
+allow_var(p_process, i_process, i_var, s_name) { + name_value := split(i_var, "=") + count(name_value) == 2 + is_ip(name_value[1]) + + some p_var in p_process.Env + allow_host_ip_var(name_value[0], p_var) + + print("allow_var 6: true") +} + +# Allow resourceFieldRef values (e.g., "limits.cpu"). +allow_var(p_process, i_process, i_var, s_name) { + name_value := split(i_var, "=") + count(name_value) == 2 + + some p_var in p_process.Env + p_name_value := split(p_var, "=") + count(p_name_value) == 2 + + p_name_value[0] == name_value[0] + + # TODO: should these be handled in a different way? + always_allowed = ["$(resource-field)", "$(todo-annotation)"] + some allowed in always_allowed + contains(p_name_value[1], allowed) + + print("allow_var 7: true") +} + +allow_pod_ip_var(var_name, p_var) { + print("allow_pod_ip_var: var_name =", var_name, "p_var =", p_var) + + p_name_value := split(p_var, "=") + count(p_name_value) == 2 + + p_name_value[0] == var_name + p_name_value[1] == "$(pod-ip)" + + print("allow_pod_ip_var: true") +} + +allow_host_ip_var(var_name, p_var) { + print("allow_host_ip_var: var_name =", var_name, "p_var =", p_var) + + p_name_value := split(p_var, "=") + count(p_name_value) == 2 + + p_name_value[0] == var_name + p_name_value[1] == "$(host-ip)" + + print("allow_host_ip_var: true") +} + +is_ip(value) { + bytes = split(value, ".") + count(bytes) == 4 + + is_ip_first_byte(bytes[0]) + is_ip_other_byte(bytes[1]) + is_ip_other_byte(bytes[2]) + is_ip_other_byte(bytes[3]) +} +is_ip_first_byte(component) { + number = to_number(component) + number >= 1 + number <= 255 +} +is_ip_other_byte(component) { + number = to_number(component) + number >= 0 + number <= 255 +} + +# OCI root.Path +allow_root_path(p_oci, i_oci, bundle_id) { + i_path := i_oci.Root.Path + p_path1 := p_oci.Root.Path + print("allow_root_path: i_path =", i_path, "p_path1 =", p_path1) + + p_path2 := replace(p_path1, "$(cpath)", policy_data.common.cpath) + print("allow_root_path: p_path2 =", p_path2) 
+ + p_path3 := replace(p_path2, "$(bundle-id)", bundle_id) + print("allow_root_path: p_path3 =", p_path3) + + p_path3 == i_path + + print("allow_root_path: true") +} + +# device mounts +allow_mount(p_oci, i_mount, bundle_id, sandbox_id) { + print("allow_mount: i_mount =", i_mount) + + some p_mount in p_oci.Mounts + print("allow_mount: p_mount =", p_mount) + check_mount(p_mount, i_mount, bundle_id, sandbox_id) + + # TODO: are there any other required policy checks for mounts - e.g., + # multiple mounts with same source or destination? + + print("allow_mount: true") +} + +check_mount(p_mount, i_mount, bundle_id, sandbox_id) { + p_mount == i_mount + print("check_mount 1: true") +} +check_mount(p_mount, i_mount, bundle_id, sandbox_id) { + p_mount.destination == i_mount.destination + p_mount.type_ == i_mount.type_ + p_mount.options == i_mount.options + + mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) + + print("check_mount 2: true") +} + +mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) { + regex1 := p_mount.source + regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix) + regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath) + regex4 := replace(regex3, "$(bundle-id)", bundle_id) + + print("mount_source_allows 1: regex4 =", regex4) + regex.match(regex4, i_mount.source) + + print("mount_source_allows 1: true") +} +mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) { + regex1 := p_mount.source + regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix) + regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath) + regex4 := replace(regex3, "$(sandbox-id)", sandbox_id) + + print("mount_source_allows 2: regex4 =", regex4) + regex.match(regex4, i_mount.source) + + print("mount_source_allows 2: true") +} +mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) { + print("mount_source_allows 3: i_mount.source=", i_mount.source) + + i_source_parts = split(i_mount.source, "/") + 
b64_direct_vol_path = i_source_parts[count(i_source_parts) - 1] + + base64.is_valid(b64_direct_vol_path) + + source1 := p_mount.source + print("mount_source_allows 3: source1 =", source1) + + source2 := replace(source1, "$(spath)", policy_data.common.spath) + print("mount_source_allows 3: source2 =", source2) + + source3 := replace(source2, "$(b64-direct-vol-path)", b64_direct_vol_path) + print("mount_source_allows 3: source3 =", source3) + + source3 == i_mount.source + + print("mount_source_allows 3: true") +} + +###################################################################### +# Create container Storages + +allow_storages(p_storages, i_storages, bundle_id, sandbox_id) { + p_count := count(p_storages) + i_count := count(i_storages) + print("allow_storages: p_count =", p_count, "i_count =", i_count) + + p_count == i_count + + # Get the container image layer IDs and verity root hashes, from the "overlayfs" storage. + some overlay_storage in p_storages + overlay_storage.driver == "overlayfs" + print("allow_storages: overlay_storage =", overlay_storage) + count(overlay_storage.options) == 2 + + layer_ids := split(overlay_storage.options[0], ":") + print("allow_storages: layer_ids =", layer_ids) + + root_hashes := split(overlay_storage.options[1], ":") + print("allow_storages: root_hashes =", root_hashes) + + every i_storage in i_storages { + allow_storage(p_storages, i_storage, bundle_id, sandbox_id, layer_ids, root_hashes) + } + + print("allow_storages: true") +} + +allow_storage(p_storages, i_storage, bundle_id, sandbox_id, layer_ids, root_hashes) { + some p_storage in p_storages + + print("allow_storage: p_storage =", p_storage) + print("allow_storage: i_storage =", i_storage) + + p_storage.driver == i_storage.driver + p_storage.driver_options == i_storage.driver_options + p_storage.fs_group == i_storage.fs_group + + allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) + allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) 
+ + # TODO: validate the source field too. + + print("allow_storage: true") +} + +allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) { + print("allow_storage_options 1: start") + + p_storage.driver != "overlayfs" + p_storage.options == i_storage.options + + print("allow_storage_options 1: true") +} +allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) { + print("allow_storage_options 2: start") + + p_storage.driver == "overlayfs" + count(p_storage.options) == 2 + + policy_ids := split(p_storage.options[0], ":") + print("allow_storage_options 2: policy_ids =", policy_ids) + policy_ids == layer_ids + + policy_hashes := split(p_storage.options[1], ":") + print("allow_storage_options 2: policy_hashes =", policy_hashes) + + p_count := count(policy_ids) + print("allow_storage_options 2: p_count =", p_count) + p_count >= 1 + p_count == count(policy_hashes) + + i_count := count(i_storage.options) + print("allow_storage_options 2: i_count =", i_count) + i_count == p_count + 3 + + print("allow_storage_options 2: i_storage.options[0] =", i_storage.options[0]) + i_storage.options[0] == "io.katacontainers.fs-opt.layer-src-prefix=/var/lib/containerd/io.containerd.snapshotter.v1.tardev/layers" + + print("allow_storage_options 2: i_storage.options[i_count - 2] =", i_storage.options[i_count - 2]) + i_storage.options[i_count - 2] == "io.katacontainers.fs-opt.overlay-rw" + + lowerdir := concat("=", ["lowerdir", p_storage.options[0]]) + print("allow_storage_options 2: lowerdir =", lowerdir) + + print("allow_storage_options 2: i_storage.options[i_count - 1] =", i_storage.options[i_count - 1]) + i_storage.options[i_count - 1] == lowerdir + + every i, policy_id in policy_ids { + allow_overlay_layer(policy_id, policy_hashes[i], i_storage.options[i + 1]) + } + + print("allow_storage_options 2: true") +} +allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) { + print("allow_storage_options 3: start") + + p_storage.driver == "blk" + 
count(p_storage.options) == 1 + + startswith(p_storage.options[0], "$(hash") + hash_suffix := trim_left(p_storage.options[0], "$(hash") + + endswith(hash_suffix, ")") + hash_index := trim_right(hash_suffix, ")") + i := to_number(hash_index) + print("allow_storage_options 3: i =", i) + + hash_option := concat("=", ["io.katacontainers.fs-opt.root-hash", root_hashes[i]]) + print("allow_storage_options 3: hash_option =", hash_option) + + count(i_storage.options) == 4 + i_storage.options[0] == "ro" + i_storage.options[1] == "io.katacontainers.fs-opt.block_device=file" + i_storage.options[2] == "io.katacontainers.fs-opt.is-layer" + i_storage.options[3] == hash_option + + print("allow_storage_options 3: true") +} +allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) { + print("allow_storage_options 4: start") + + p_storage.driver == "smb" + count(i_storage.options) == 8 + i_storage.options[0] == "dir_mode=0666" + i_storage.options[1] == "file_mode=0666" + i_storage.options[2] == "mfsymlinks" + i_storage.options[3] == "cache=strict" + i_storage.options[4] == "nosharesock" + i_storage.options[5] == "actimeo=30" + startswith(i_storage.options[6], "addr=") + creds = split(i_storage.options[7], ",") + count(creds) == 2 + startswith(creds[0], "username=") + startswith(creds[1], "password=") + + print("allow_storage_options 4: true") +} + +allow_overlay_layer(policy_id, policy_hash, i_option) { + print("allow_overlay_layer: policy_id =", policy_id, "policy_hash =", policy_hash) + print("allow_overlay_layer: i_option =", i_option) + + startswith(i_option, "io.katacontainers.fs-opt.layer=") + i_value := replace(i_option, "io.katacontainers.fs-opt.layer=", "") + i_value_decoded := base64.decode(i_value) + print("allow_overlay_layer: i_value_decoded =", i_value_decoded) + + policy_suffix := concat("=", ["tar,ro,io.katacontainers.fs-opt.block_device=file,io.katacontainers.fs-opt.is-layer,io.katacontainers.fs-opt.root-hash", policy_hash]) + p_value := concat(",", 
[policy_id, policy_suffix]) + print("allow_overlay_layer: p_value =", p_value) + + p_value == i_value_decoded + + print("allow_overlay_layer: true") +} + +allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { + p_storage.fstype == "tar" + + startswith(p_storage.mount_point, "$(layer") + mount_suffix := trim_left(p_storage.mount_point, "$(layer") + + endswith(mount_suffix, ")") + layer_index := trim_right(mount_suffix, ")") + i := to_number(layer_index) + print("allow_mount_point 1: i =", i) + + layer_id := layer_ids[i] + print("allow_mount_point 1: layer_id =", layer_id) + + p_mount := concat("/", ["/run/kata-containers/sandbox/layers", layer_id]) + print("allow_mount_point 1: p_mount =", p_mount) + + p_mount == i_storage.mount_point + + print("allow_mount_point 1: true") +} +allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { + p_storage.fstype == "fuse3.kata-overlay" + + mount1 := replace(p_storage.mount_point, "$(cpath)", policy_data.common.cpath) + mount2 := replace(mount1, "$(bundle-id)", bundle_id) + print("allow_mount_point 2: mount2 =", mount2) + + mount2 == i_storage.mount_point + + print("allow_mount_point 2: true") +} +allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { + p_storage.fstype == "local" + + mount1 := p_storage.mount_point + print("allow_mount_point 3: mount1 =", mount1) + + mount2 := replace(mount1, "$(cpath)", policy_data.common.cpath) + print("allow_mount_point 3: mount2 =", mount2) + + mount3 := replace(mount2, "$(sandbox-id)", sandbox_id) + print("allow_mount_point 3: mount3 =", mount3) + + regex.match(mount3, i_storage.mount_point) + + print("allow_mount_point 3: true") +} +allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { + p_storage.fstype == "bind" + + mount1 := p_storage.mount_point + print("allow_mount_point 4: mount1 =", mount1) + + mount2 := replace(mount1, "$(cpath)", policy_data.common.cpath) + print("allow_mount_point 4: mount2 =", 
mount2) + + mount3 := replace(mount2, "$(bundle-id)", bundle_id) + print("allow_mount_point 4: mount3 =", mount3) + + regex.match(mount3, i_storage.mount_point) + + print("allow_mount_point 4: true") +} +allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { + p_storage.fstype == "tmpfs" + + mount1 := p_storage.mount_point + print("allow_mount_point 5: mount1 =", mount1) + + regex.match(mount1, i_storage.mount_point) + + print("allow_mount_point 5: true") +} +allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { + print("allow_mount_point 6: i_storage.mount_point =", i_storage.mount_point) + allow_direct_vol_driver(p_storage, i_storage) + + mount1 := p_storage.mount_point + print("allow_mount_point 6: mount1 =", mount1) + + mount2 := replace(mount1, "$(spath)", policy_data.common.spath) + print("allow_mount_point 6: mount2 =", mount2) + + direct_vol_path := i_storage.source + mount3 := replace(mount2, "$(b64-direct-vol-path)", base64url.encode(direct_vol_path)) + print("allow_mount_point 6: mount3 =", mount3) + + mount3 == i_storage.mount_point + + print("allow_mount_point 6: true") +} + +allow_direct_vol_driver(p_storage, i_storage) { + print("allow_direct_vol_driver 1: start") + p_storage.driver == "blk" + print("allow_direct_vol_driver 1: true") +} +allow_direct_vol_driver(p_storage, i_storage) { + print("allow_direct_vol_driver 2: start") + p_storage.driver == "smb" + print("allow_direct_vol_driver 2: true") +} + +# process.Capabilities +allow_caps(p_caps, i_caps) { + print("allow_caps: policy Ambient =", p_caps.Ambient) + print("allow_caps: input Ambient =", i_caps.Ambient) + match_caps(p_caps.Ambient, i_caps.Ambient) + + print("allow_caps: policy Bounding =", p_caps.Bounding) + print("allow_caps: input Bounding =", i_caps.Bounding) + match_caps(p_caps.Bounding, i_caps.Bounding) + + print("allow_caps: policy Effective =", p_caps.Effective) + print("allow_caps: input Effective =", i_caps.Effective) + 
match_caps(p_caps.Effective, i_caps.Effective) + + print("allow_caps: policy Inheritable =", p_caps.Inheritable) + print("allow_caps: input Inheritable =", i_caps.Inheritable) + match_caps(p_caps.Inheritable, i_caps.Inheritable) + + print("allow_caps: policy Permitted =", p_caps.Permitted) + print("allow_caps: input Permitted =", i_caps.Permitted) + match_caps(p_caps.Permitted, i_caps.Permitted) +} + +match_caps(p_caps, i_caps) { + print("match_caps 1: start") + + p_caps == i_caps + + print("match_caps 1: true") +} +match_caps(p_caps, i_caps) { + print("match_caps 2: start") + + count(p_caps) == 1 + p_caps[0] == "$(default_caps)" + + print("match_caps 2: default_caps =", policy_data.common.default_caps) + policy_data.common.default_caps == i_caps + + print("match_caps 2: true") +} +match_caps(p_caps, i_caps) { + print("match_caps 3: start") + + count(p_caps) == 1 + p_caps[0] == "$(privileged_caps)" + + print("match_caps 3: privileged_caps =", policy_data.common.privileged_caps) + policy_data.common.privileged_caps == i_caps + + print("match_caps 3: true") +} + +###################################################################### +check_directory_traversal(i_path) { + contains(i_path, "../") == false + endswith(i_path, "/..") == false + i_path != ".." +} + +check_symlink_source { + # TODO: delete this rule once the symlink_src field gets implemented + # by all/most Guest VMs. 
+ not input.symlink_src +} +check_symlink_source { + i_src := input.symlink_src + print("check_symlink_source: i_src =", i_src) + + startswith(i_src, "/") == false + check_directory_traversal(i_src) +} + +allow_sandbox_storages(i_storages) { + print("allow_sandbox_storages: i_storages =", i_storages) + + p_storages := policy_data.sandbox.storages + every i_storage in i_storages { + allow_sandbox_storage(p_storages, i_storage) + } + + print("allow_sandbox_storages: true") +} + +allow_sandbox_storage(p_storages, i_storage) { + print("allow_sandbox_storage: i_storage =", i_storage) + + some p_storage in p_storages + print("allow_sandbox_storage: p_storage =", p_storage) + i_storage == p_storage + + print("allow_sandbox_storage: true") +} + +CopyFileRequest { + print("CopyFileRequest: input.path =", input.path) + + check_symlink_source + check_directory_traversal(input.path) + + some regex1 in policy_data.request_defaults.CopyFileRequest + regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix) + regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath) + regex4 := replace(regex3, "$(bundle-id)", "[a-z0-9]{64}") + print("CopyFileRequest: regex4 =", regex4) + + regex.match(regex4, input.path) + + print("CopyFileRequest: true") +} + +CreateSandboxRequest { + print("CreateSandboxRequest: input.guest_hook_path =", input.guest_hook_path) + count(input.guest_hook_path) == 0 + + print("CreateSandboxRequest: input.kernel_modules =", input.kernel_modules) + count(input.kernel_modules) == 0 + + i_pidns := input.sandbox_pidns + print("CreateSandboxRequest: i_pidns =", i_pidns) + i_pidns == false + + allow_sandbox_storages(input.storages) +} + +ExecProcessRequest { + print("ExecProcessRequest 1: input =", input) + + i_command = concat(" ", input.process.Args) + print("ExecProcessRequest 1: i_command =", i_command) + + some p_command in policy_data.request_defaults.ExecProcessRequest.commands + print("ExecProcessRequest 1: p_command =", p_command) + p_command == 
i_command + + print("ExecProcessRequest 1: true") +} +ExecProcessRequest { + print("ExecProcessRequest 2: input =", input) + + # TODO: match input container ID with its corresponding container.exec_commands. + i_command = concat(" ", input.process.Args) + print("ExecProcessRequest 3: i_command =", i_command) + + some container in policy_data.containers + some p_command in container.exec_commands + print("ExecProcessRequest 2: p_command =", p_command) + + # TODO: should other input data fields be validated as well? + p_command == i_command + + print("ExecProcessRequest 2: true") +} +ExecProcessRequest { + print("ExecProcessRequest 3: input =", input) + + i_command = concat(" ", input.process.Args) + print("ExecProcessRequest 3: i_command =", i_command) + + some p_regex in policy_data.request_defaults.ExecProcessRequest.regex + print("ExecProcessRequest 3: p_regex =", p_regex) + + regex.match(p_regex, i_command) + + print("ExecProcessRequest 3: true") +} + +CloseStdinRequest { + policy_data.request_defaults.CloseStdinRequest == true +} + +ReadStreamRequest { + policy_data.request_defaults.ReadStreamRequest == true +} + +UpdateEphemeralMountsRequest { + policy_data.request_defaults.UpdateEphemeralMountsRequest == true +} + +WriteStreamRequest { + policy_data.request_defaults.WriteStreamRequest == true +} + +policy_data := { + "containers": [ + { + "OCI": { + "Version": "1.1.0-rc.1", + "Process": { + "Terminal": false, + "User": { + "UID": 65535, + "GID": 65535, + "AdditionalGids": [], + "Username": "" + }, + "Args": [ + "/pause" + ], + "Env": [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" + ], + "Cwd": "/", + "Capabilities": { + "Ambient": [], + "Bounding": [ + "$(default_caps)" + ], + "Effective": [ + "$(default_caps)" + ], + "Inheritable": [], + "Permitted": [ + "$(default_caps)" + ] + }, + "NoNewPrivileges": true + }, + "Root": { + "Path": "$(cpath)/$(bundle-id)", + "Readonly": true + }, + "Mounts": [ + { + "destination": "/proc", + 
"source": "proc", + "type_": "proc", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/dev", + "source": "tmpfs", + "type_": "tmpfs", + "options": [ + "nosuid", + "strictatime", + "mode=755", + "size=65536k" + ] + }, + { + "destination": "/dev/pts", + "source": "devpts", + "type_": "devpts", + "options": [ + "nosuid", + "noexec", + "newinstance", + "ptmxmode=0666", + "mode=0620", + "gid=5" + ] + }, + { + "destination": "/dev/shm", + "source": "/run/kata-containers/sandbox/shm", + "type_": "bind", + "options": [ + "rbind" + ] + }, + { + "destination": "/dev/mqueue", + "source": "mqueue", + "type_": "mqueue", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/sys", + "source": "sysfs", + "type_": "sysfs", + "options": [ + "nosuid", + "noexec", + "nodev", + "ro" + ] + }, + { + "destination": "/etc/resolv.conf", + "source": "$(sfprefix)resolv.conf$", + "type_": "bind", + "options": [ + "rbind", + "ro", + "nosuid", + "nodev", + "noexec" + ] + } + ], + "Annotations": { + "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/$(bundle-id)", + "io.katacontainers.pkg.oci.container_type": "pod_sandbox", + "io.kubernetes.cri.container-type": "sandbox", + "io.kubernetes.cri.sandbox-id": "^[a-z0-9]{64}$", + "io.kubernetes.cri.sandbox-log-directory": "^/var/log/pods/$(sandbox-namespace)_$(sandbox-name)_[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "io.kubernetes.cri.sandbox-name": "persistent", + "io.kubernetes.cri.sandbox-namespace": "default", + "nerdctl/network-namespace": "^/var/run/netns/cnitest-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$" + }, + "Linux": { + "Namespaces": [ + { + "Type": "ipc", + "Path": "" + }, + { + "Type": "mount", + "Path": "" + } + ], + "MaskedPaths": [ + "/proc/acpi", + "/proc/asound", + "/proc/kcore", + "/proc/keys", + "/proc/latency_stats", + "/proc/timer_list", + "/proc/timer_stats", + "/proc/sched_debug", + 
"/sys/firmware", + "/proc/scsi" + ], + "ReadonlyPaths": [ + "/proc/bus", + "/proc/fs", + "/proc/irq", + "/proc/sys", + "/proc/sysrq-trigger" + ] + } + }, + "storages": [ + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash0)" + ], + "mount_point": "$(layer0)", + "fs_group": null + }, + { + "driver": "overlayfs", + "driver_options": [], + "source": "", + "fstype": "fuse3.kata-overlay", + "options": [ + "5a5aad80055ff20012a50dc25f8df7a29924474324d65f7d5306ee8ee27ff71d", + "817250f1a3e336da76f5bd3fa784e1b26d959b9c131876815ba2604048b70c18" + ], + "mount_point": "$(cpath)/$(bundle-id)", + "fs_group": null + } + ], + "sandbox_pidns": false, + "exec_commands": [] + }, + { + "OCI": { + "Version": "1.1.0-rc.1", + "Process": { + "Terminal": false, + "User": { + "UID": 0, + "GID": 0, + "AdditionalGids": [], + "Username": "" + }, + "Args": [ + "sh" + ], + "Env": [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", + "HOSTNAME=$(host-name)" + ], + "Cwd": "/", + "Capabilities": { + "Ambient": [], + "Bounding": [ + "$(default_caps)" + ], + "Effective": [ + "$(default_caps)" + ], + "Inheritable": [], + "Permitted": [ + "$(default_caps)" + ] + }, + "NoNewPrivileges": false + }, + "Root": { + "Path": "$(cpath)/$(bundle-id)", + "Readonly": true + }, + "Mounts": [ + { + "destination": "/proc", + "source": "proc", + "type_": "proc", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/dev", + "source": "tmpfs", + "type_": "tmpfs", + "options": [ + "nosuid", + "strictatime", + "mode=755", + "size=65536k" + ] + }, + { + "destination": "/dev/pts", + "source": "devpts", + "type_": "devpts", + "options": [ + "nosuid", + "noexec", + "newinstance", + "ptmxmode=0666", + "mode=0620", + "gid=5" + ] + }, + { + "destination": "/dev/shm", + "source": "/run/kata-containers/sandbox/shm", + "type_": "bind", + "options": [ + "rbind" + ] + }, + { + "destination": "/dev/mqueue", + "source": "mqueue", + 
"type_": "mqueue", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/sys", + "source": "sysfs", + "type_": "sysfs", + "options": [ + "nosuid", + "noexec", + "nodev", + "ro" + ] + }, + { + "destination": "/sys/fs/cgroup", + "source": "cgroup", + "type_": "cgroup", + "options": [ + "nosuid", + "noexec", + "nodev", + "relatime", + "ro" + ] + }, + { + "destination": "/etc/hosts", + "source": "$(sfprefix)hosts$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/dev/termination-log", + "source": "$(sfprefix)termination-log$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/etc/hostname", + "source": "$(sfprefix)hostname$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "ro" + ] + }, + { + "destination": "/etc/resolv.conf", + "source": "$(sfprefix)resolv.conf$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "ro" + ] + }, + { + "destination": "/var/run/secrets/kubernetes.io/serviceaccount", + "source": "$(sfprefix)serviceaccount$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "ro" + ] + }, + { + "destination": "/var/run/secrets/azure/tokens", + "source": "$(sfprefix)tokens$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "ro" + ] + }, + { + "destination": "/busy1", + "source": "^$(cpath)/$(sandbox-id)/local/data$", + "type_": "local", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/busy2", + "source": "^/run/kata-containers/sandbox/ephemeral/data2$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/my-volume", + "source": "$(sfprefix)my-volume$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/dev/ttyS0", + "source": "/dev/ttyS0", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + } + ], + "Annotations": { + 
"io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/$(bundle-id)", + "io.katacontainers.pkg.oci.container_type": "pod_container", + "io.kubernetes.cri.container-name": "busybox", + "io.kubernetes.cri.container-type": "container", + "io.kubernetes.cri.image-name": "mcr.microsoft.com/aks/e2e/library-busybox:master.220314.1-linux-amd64", + "io.kubernetes.cri.sandbox-id": "^[a-z0-9]{64}$", + "io.kubernetes.cri.sandbox-name": "persistent", + "io.kubernetes.cri.sandbox-namespace": "default" + }, + "Linux": { + "Namespaces": [ + { + "Type": "ipc", + "Path": "" + }, + { + "Type": "uts", + "Path": "" + }, + { + "Type": "mount", + "Path": "" + } + ], + "MaskedPaths": [ + "/proc/acpi", + "/proc/kcore", + "/proc/keys", + "/proc/latency_stats", + "/proc/timer_list", + "/proc/timer_stats", + "/proc/sched_debug", + "/proc/scsi", + "/sys/firmware" + ], + "ReadonlyPaths": [ + "/proc/asound", + "/proc/bus", + "/proc/fs", + "/proc/irq", + "/proc/sys", + "/proc/sysrq-trigger" + ] + } + }, + "storages": [ + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash0)" + ], + "mount_point": "$(layer0)", + "fs_group": null + }, + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash1)" + ], + "mount_point": "$(layer1)", + "fs_group": null + }, + { + "driver": "overlayfs", + "driver_options": [], + "source": "", + "fstype": "fuse3.kata-overlay", + "options": [ + "2c342a137e693c7898aec36da1047f191dc7c1687e66198adacc439cf4adf379:2570e3a19e1bf20ddda45498a9627f61555d2d6c01479b9b76460b679b27d552", + "8568c70c0ccfe0051092e818da769111a59882cd19dd799d3bca5ffa82791080:b643b6217748983830b26ac14a35a3322dd528c00963eaadd91ef55f513dc73f" + ], + "mount_point": "$(cpath)/$(bundle-id)", + "fs_group": null + }, + { + "driver": "local", + "driver_options": [], + "source": "local", + "fstype": "local", + "options": [ + "mode=0777" + ], + "mount_point": 
"^$(cpath)/$(sandbox-id)/local/data$", + "fs_group": null + }, + { + "driver": "ephemeral", + "driver_options": [], + "source": "tmpfs", + "fstype": "tmpfs", + "options": [], + "mount_point": "^/run/kata-containers/sandbox/ephemeral/data2$", + "fs_group": null + } + ], + "sandbox_pidns": false, + "exec_commands": [] + } + ], + "common": { + "cpath": "/run/kata-containers/shared/containers", + "sfprefix": "^$(cpath)/$(bundle-id)-[a-z0-9]{16}-", + "spath": "/run/kata-containers/sandbox/storage", + "ipv4_a": "((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}", + "ip_p": "[0-9]{1,5}", + "svc_name": "[A-Z0-9_\\.\\-]+", + "dns_label": "[a-zA-Z0-9_\\.\\-]+", + "default_caps": [ + "CAP_CHOWN", + "CAP_DAC_OVERRIDE", + "CAP_FSETID", + "CAP_FOWNER", + "CAP_MKNOD", + "CAP_NET_RAW", + "CAP_SETGID", + "CAP_SETUID", + "CAP_SETFCAP", + "CAP_SETPCAP", + "CAP_NET_BIND_SERVICE", + "CAP_SYS_CHROOT", + "CAP_KILL", + "CAP_AUDIT_WRITE" + ], + "privileged_caps": [ + "CAP_CHOWN", + "CAP_DAC_OVERRIDE", + "CAP_DAC_READ_SEARCH", + "CAP_FOWNER", + "CAP_FSETID", + "CAP_KILL", + "CAP_SETGID", + "CAP_SETUID", + "CAP_SETPCAP", + "CAP_LINUX_IMMUTABLE", + "CAP_NET_BIND_SERVICE", + "CAP_NET_BROADCAST", + "CAP_NET_ADMIN", + "CAP_NET_RAW", + "CAP_IPC_LOCK", + "CAP_IPC_OWNER", + "CAP_SYS_MODULE", + "CAP_SYS_RAWIO", + "CAP_SYS_CHROOT", + "CAP_SYS_PTRACE", + "CAP_SYS_PACCT", + "CAP_SYS_ADMIN", + "CAP_SYS_BOOT", + "CAP_SYS_NICE", + "CAP_SYS_RESOURCE", + "CAP_SYS_TIME", + "CAP_SYS_TTY_CONFIG", + "CAP_MKNOD", + "CAP_LEASE", + "CAP_AUDIT_WRITE", + "CAP_AUDIT_CONTROL", + "CAP_SETFCAP", + "CAP_MAC_OVERRIDE", + "CAP_MAC_ADMIN", + "CAP_SYSLOG", + "CAP_WAKE_ALARM", + "CAP_BLOCK_SUSPEND", + "CAP_AUDIT_READ", + "CAP_PERFMON", + "CAP_BPF", + "CAP_CHECKPOINT_RESTORE" + ], + "virtio_blk_storage_classes": [ + "cc-local-csi", + "cc-managed-csi", + "cc-managed-premium-csi" + ], + "smb_storage_classes": [ + "cc-azurefile-csi", + "cc-azurefile-premium-csi" + ] + }, + "sandbox": { + "storages": [ + { + "driver": "ephemeral", + 
"driver_options": [], + "source": "shm", + "fstype": "tmpfs", + "options": [ + "noexec", + "nosuid", + "nodev", + "mode=1777", + "size=67108864" + ], + "mount_point": "/run/kata-containers/sandbox/shm", + "fs_group": null + } + ] + }, + "request_defaults": { + "CreateContainerRequest": { + "allow_env_regex": [ + "^HOSTNAME=$(dns_label)$", + "^$(svc_name)_PORT_$(ip_p)_TCP=tcp://$(ipv4_a):$(ip_p)$", + "^$(svc_name)_PORT_$(ip_p)_TCP_PROTO=tcp$", + "^$(svc_name)_PORT_$(ip_p)_TCP_PORT=$(ip_p)$", + "^$(svc_name)_PORT_$(ip_p)_TCP_ADDR=$(ipv4_a)$", + "^$(svc_name)_SERVICE_HOST=$(ipv4_a)$", + "^$(svc_name)_SERVICE_PORT=$(ip_p)$", + "^$(svc_name)_SERVICE_PORT_$(dns_label)=$(ip_p)$", + "^$(svc_name)_PORT=tcp://$(ipv4_a):$(ip_p)$", + "^AZURE_CLIENT_ID=[A-Fa-f0-9-]*$", + "^AZURE_TENANT_ID=[A-Fa-f0-9-]*$", + "^AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/azure/tokens/azure-identity-token$", + "^AZURE_AUTHORITY_HOST=https://login\\.microsoftonline\\.com/$" + ] + }, + "CopyFileRequest": [ + "$(sfprefix)" + ], + "ExecProcessRequest": { + "commands": [], + "regex": [] + }, + "CloseStdinRequest": false, + "ReadStreamRequest": true, + "UpdateEphemeralMountsRequest": false, + "WriteStreamRequest": false + } +} \ No newline at end of file diff --git a/tests/kata/data/pod-same-containers/inputs.txt b/tests/kata/data/pod-same-containers/inputs.txt new file mode 100644 index 00000000..d8d733df --- /dev/null +++ b/tests/kata/data/pod-same-containers/inputs.txt 
@@ -0,0 +1,109 @@
+["ep":"AllowRequestsFailingPolicy",{}],
+
+["ep":"UpdateInterfaceRequest",{"interface":{"device":"eth0","name":"eth0","IPAddresses":[{"family":0,"address":"10.244.0.19","mask":"24"},{"family":1,"address":"fe80::944c:5ff:fe39:6f48","mask":"64"}],"mtu":1500,"hwAddr":"96:4c:05:39:6f:48","pciPath":"","type_":"","raw_flags":0}}],
+
+["ep":"UpdateRoutesRequest",{"routes":{"Routes":[{"dest":"","gateway":"10.244.0.1","device":"eth0","source":"","scope":0,"family":0}]}}],
+
+["ep":"CreateSandboxRequest",{"hostname":"same-containers","dns":["search default.svc.cluster.local svc.cluster.local cluster.local","nameserver 10.0.0.10","options ndots:5",""],"storages":[{"driver":"ephemeral","driver_options":[],"source":"shm","fstype":"tmpfs","options":["noexec","nosuid","nodev","mode=1777","size=67108864"],"mount_point":"/run/kata-containers/sandbox/shm","fs_group":null}],"sandbox_pidns":false,"sandbox_id":"971f00d742eb5728de5b147808f02a301d559b70c0dc17dcffd72855b4676a73","guest_hook_path":"","kernel_modules":[]}],
+
+["ep":"GuestDetailsRequest",{"mem_block_size":true,"mem_hotplug_probe":true}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/971f00d742eb5728de5b147808f02a301d559b70c0dc17dcffd72855b4676a73-7421ddf5d67aab1a-resolv.conf","file_size":102,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CreateContainerRequest",{"container_id":"971f00d742eb5728de5b147808f02a301d559b70c0dc17dcffd72855b4676a73","exec_id":"971f00d742eb5728de5b147808f02a301d559b70c0dc17dcffd72855b4676a73","string_user":null,"devices":[],"storages":[{"driver":"blk","driver_options":[],"source":"0001:00:01.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=817250f1a3e336da76f5bd3fa784e1b26d959b9c131876815ba2604048b70c18"],"mount_point":"/run/kata-containers/sandbox/layers/5a5aad80055ff20012a50dc25f8df7a29924474324d65f7d5306ee8ee27ff71d","fs_group":null},{"driver":"overlayfs","driver_options":[],"source":"none","fstype":"fuse3.kata-overlay","options":["io.katacontainers.fs-opt.layer-src-prefix=/var/lib/containerd/io.containerd.snapshotter.v1.tardev/layers","io.katacontainers.fs-opt.layer=NWE1YWFkODAwNTVmZjIwMDEyYTUwZGMyNWY4ZGY3YTI5OTI0NDc0MzI0ZDY1ZjdkNTMwNmVlOGVlMjdmZjcxZCx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPTgxNzI1MGYxYTNlMzM2ZGE3NmY1YmQzZmE3ODRlMWIyNmQ5NTliOWMxMzE4NzY4MTViYTI2MDQwNDhiNzBjMTg=","io.katacontainers.fs-opt.overlay-rw","lowerdir=5a5aad80055ff20012a50dc25f8df7a29924474324d65f7d5306ee8ee27ff71d"],"mount_point":"/run/kata-containers/shared/containers/971f00d742eb5728de5b147808f02a301d559b70c0dc17dcffd72855b4676a73","fs_group":null}],"OCI":{"Version":"1.1.0-rc.1","Process":{"Terminal":false,"ConsoleSize":null,"User":{"UID":65535,"GID":65535,"AdditionalGids":[65535],"Username":""},"Args":["/pause"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],"Cwd":"/","Capabilities":{"Bounding":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Effective":["CAP_CHOWN","CAP_DAC_OVERRIDE
","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Inheritable":[],"Permitted":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Ambient":[]},"Rlimits":[],"NoNewPrivileges":true,"ApparmorProfile":"","OOMScoreAdj":-998,"SelinuxLabel":""},"Root":{"Path":"/run/kata-containers/shared/containers/971f00d742eb5728de5b147808f02a301d559b70c0dc17dcffd72855b4676a73","Readonly":true},"Hostname":"same-containers","Mounts":[{"destination":"/proc","source":"proc","type_":"proc","options":["nosuid","noexec","nodev"]},{"destination":"/dev","source":"tmpfs","type_":"tmpfs","options":["nosuid","strictatime","mode=755","size=65536k"]},{"destination":"/dev/pts","source":"devpts","type_":"devpts","options":["nosuid","noexec","newinstance","ptmxmode=0666","mode=0620","gid=5"]},{"destination":"/dev/mqueue","source":"mqueue","type_":"mqueue","options":["nosuid","noexec","nodev"]},{"destination":"/sys","source":"sysfs","type_":"sysfs","options":["nosuid","noexec","nodev","ro"]},{"destination":"/dev/shm","source":"/run/kata-containers/sandbox/shm","type_":"bind","options":["rbind"]},{"destination":"/etc/resolv.conf","source":"/run/kata-containers/shared/containers/971f00d742eb5728de5b147808f02a301d559b70c0dc17dcffd72855b4676a73-7421ddf5d67aab1a-resolv.conf","type_":"bind","options":["rbind","ro","nosuid","nodev","noexec"]}],"Hooks":null,"Annotations":{"io.kubernetes.cri.sandbox-cpu-quota":"0","io.kubernetes.cri.sandbox-cpu-period":"100000","io.kubernetes.cri.sandbox-cpu-shares":"2","io.kubernetes.cri.sandbox-memory":"0","io.katacontainers.pkg.oci.bundle_path":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/971f00d742eb5728de5b147808f02a301d559b70c0dc17dcffd72855b4676a73","nerdctl/network-namespace":"/var/
run/netns/cni-6fcf525d-6c80-2df0-1830-663d81b995c6","io.kubernetes.cri.container-type":"sandbox","io.kubernetes.cri.sandbox-namespace":"default","io.kubernetes.cri.sandbox-name":"same-containers","io.kubernetes.cri.sandbox-id":"971f00d742eb5728de5b147808f02a301d559b70c0dc17dcffd72855b4676a73","io.katacontainers.config.agent.policyOption.execCommands":"W3siY29udGFpbmVyTmFtZSI6ImJ1c3lib3gyIiwiZXhlY0NvbW1hbmRzIjpbImRoIC1oIiwicHMgLWVmIl19LCB7ImNvbnRhaW5lck5hbWUiOiJidXN5Ym94MyIsImV4ZWNDb21tYW5kcyI6WyJscyJdfV0=","io.katacontainers.pkg.oci.container_type":"pod_sandbox","io.kubernetes.cri.sandbox-uid":"5b6eaa52-24fd-4a6e-8371-936515f32c7f","io.kubernetes.cri.sandbox-log-directory":"/var/log/pods/default_same-containers_5b6eaa52-24fd-4a6e-8371-936515f32c7f"},"Linux":{"UIDMappings":[],"GIDMappings":[],"Sysctl":{},"Resources":{"Devices":[],"Memory":null,"CPU":{"Shares":2,"Quota":0,"Period":0,"RealtimeRuntime":0,"RealtimePeriod":0,"Cpus":"","Mems":""},"Pids":null,"BlockIO":null,"HugepageLimits":[],"Network":null},"CgroupsPath":"/kubepods/besteffort/pod5b6eaa52-24fd-4a6e-8371-936515f32c7f/971f00d742eb5728de5b147808f02a301d559b70c0dc17dcffd72855b4676a73","Namespaces":[{"Type":"ipc","Path":""},{"Type":"uts","Path":""},{"Type":"mount","Path":""}],"Devices":[],"Seccomp":null,"RootfsPropagation":"","MaskedPaths":["/proc/acpi","/proc/asound","/proc/kcore","/proc/keys","/proc/latency_stats","/proc/timer_list","/proc/timer_stats","/proc/sched_debug","/sys/firmware","/proc/scsi"],"ReadonlyPaths":["/proc/bus","/proc/fs","/proc/irq","/proc/sys","/proc/sysrq-trigger"],"MountLabel":"","IntelRdt":null},"Solaris":null,"Windows":null},"sandbox_pidns":false,"shared_mounts":[]}],
+
+["ep":"StartContainerRequest",{"container_id":"971f00d742eb5728de5b147808f02a301d559b70c0dc17dcffd72855b4676a73"}],
+
+["ep":"GetOOMEventRequest",{}],
+
+["ep":"WaitProcessRequest",{"container_id":"971f00d742eb5728de5b147808f02a301d559b70c0dc17dcffd72855b4676a73","exec_id":"971f00d742eb5728de5b147808f02a301d559b70c0dc17dcffd72855b4676a73"}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/8906ef3aa3d8f75de0f95009e8fab3480bc5e7b118c51896b2e35d8df1fc2c26-0396c0c0821b1f3b-hosts","file_size":211,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/8906ef3aa3d8f75de0f95009e8fab3480bc5e7b118c51896b2e35d8df1fc2c26-a5a9d87ef5adeee7-termination-log","file_size":0,"file_mode":33206,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/8906ef3aa3d8f75de0f95009e8fab3480bc5e7b118c51896b2e35d8df1fc2c26-6e73cba1b0c2c91a-hostname","file_size":16,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/8906ef3aa3d8f75de0f95009e8fab3480bc5e7b118c51896b2e35d8df1fc2c26-fc44e14f837ef2a1-resolv.conf","file_size":102,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/8906ef3aa3d8f75de0f95009e8fab3480bc5e7b118c51896b2e35d8df1fc2c26-0ab02792924eaf31-serviceaccount","file_size":0,"file_mode":17407,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/8906ef3aa3d8f75de0f95009e8fab3480bc5e7b118c51896b2e35d8df1fc2c26-0ab02792924eaf31-serviceaccount/..2024_05_08_18_21_16.3360422085","file_size":0,"file_mode":16877,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/8906ef3aa3d8f75de0f95009e8fab3480bc5e7b118c51896b2e35d8df1fc2c26-0ab02792924eaf31-serviceaccount/..2024_05_08_18_21_16.3360422085/ca.crt","file_size":1761,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/8906ef3aa3d8f75de0f95009e8fab3480bc5e7b118c51896b2e35d8df1fc2c26-0ab02792924eaf31-serviceaccount/..2024_05_08_18_21_16.3360422085/namespace","file_size":7,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/8906ef3aa3d8f75de0f95009e8fab3480bc5e7b118c51896b2e35d8df1fc2c26-0ab02792924eaf31-serviceaccount/..2024_05_08_18_21_16.3360422085/token","file_size":1503,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/8906ef3aa3d8f75de0f95009e8fab3480bc5e7b118c51896b2e35d8df1fc2c26-0ab02792924eaf31-serviceaccount/..data","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..2024_05_08_18_21_16.3360422085"}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/8906ef3aa3d8f75de0f95009e8fab3480bc5e7b118c51896b2e35d8df1fc2c26-0ab02792924eaf31-serviceaccount/ca.crt","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..data/ca.crt"}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/8906ef3aa3d8f75de0f95009e8fab3480bc5e7b118c51896b2e35d8df1fc2c26-0ab02792924eaf31-serviceaccount/namespace","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..data/namespace"}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/8906ef3aa3d8f75de0f95009e8fab3480bc5e7b118c51896b2e35d8df1fc2c26-0ab02792924eaf31-serviceaccount/token","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..data/token"}], + +["ep":"CreateContainerRequest",{"container_id":"8906ef3aa3d8f75de0f95009e8fab3480bc5e7b118c51896b2e35d8df1fc2c26","exec_id":"8906ef3aa3d8f75de0f95009e8fab3480bc5e7b118c51896b2e35d8df1fc2c26","string_user":null,"devices":[],"storages":[{"driver":"blk","driver_options":[],"source":"0001:00:02.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=8568c70c0ccfe0051092e818da769111a59882cd19dd799d3bca5ffa82791080"],"mount_point":"/run/kata-containers/sandbox/layers/2c342a137e693c7898aec36da1047f191dc7c1687e66198adacc439cf4adf379","fs_group":null},{"driver":"blk","driver_options":[],"source":"0001:00:03.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=b643b6217748983830b26ac14a35a3322dd528c00963eaadd91ef55f513dc73f"],"mount_point":"/run/kata-containers/sandbox/layers/2570e3a19e1bf20ddda45498a9627f61555d2d6c01479b9b76460b679b27d552","fs_group":null},{"driver":"overlayfs","driver_options":[],"source":"none","fstype":"fuse3.kata-overlay","options":["io.katacontainers.fs-opt.layer-src-prefix=/var/lib/containerd/io.containerd.snapshotter.v1.tardev/layers","io.katacontainers.fs-opt.layer=MmMzNDJhMTM3ZTY5M2M3ODk4YWVjMzZkYTEwNDdmMTkxZGM3YzE2ODdlNjYxOThhZGFjYzQzOWNmNGFkZjM3OSx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPTg1NjhjNzBjMGNjZmUwMDUxMDkyZTgxOGRhNzY5MTExYTU5ODgyY2QxOWRkNzk5ZDNiY2E1ZmZhODI3OTEwODA=","io.katacontainers.fs-opt.layer=MjU3MGUzYTE5ZTFiZjIwZGRkYTQ1NDk4YTk2MjdmNjE1NTVkMm
Q2YzAxNDc5YjliNzY0NjBiNjc5YjI3ZDU1Mix0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPWI2NDNiNjIxNzc0ODk4MzgzMGIyNmFjMTRhMzVhMzMyMmRkNTI4YzAwOTYzZWFhZGQ5MWVmNTVmNTEzZGM3M2Y=","io.katacontainers.fs-opt.overlay-rw","lowerdir=2c342a137e693c7898aec36da1047f191dc7c1687e66198adacc439cf4adf379:2570e3a19e1bf20ddda45498a9627f61555d2d6c01479b9b76460b679b27d552"],"mount_point":"/run/kata-containers/shared/containers/8906ef3aa3d8f75de0f95009e8fab3480bc5e7b118c51896b2e35d8df1fc2c26","fs_group":null}],"OCI":{"Version":"1.1.0-rc.1","Process":{"Terminal":true,"ConsoleSize":null,"User":{"UID":0,"GID":0,"AdditionalGids":[0,10],"Username":""},"Args":["/bin/sh","-c","while true; do echo hello; sleep 10; done"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","TERM=xterm","HOSTNAME=same-containers","POD_NAME=same-containers","POD_NAMESPACE=default","POD_IP=10.244.0.19","KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1","KUBERNETES_SERVICE_HOST=10.0.0.1","KUBERNETES_SERVICE_PORT=443","KUBERNETES_SERVICE_PORT_HTTPS=443","KUBERNETES_PORT=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP_PROTO=tcp","KUBERNETES_PORT_443_TCP_PORT=443"],"Cwd":"/","Capabilities":{"Bounding":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_DAC_READ_SEARCH","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_SETGID","CAP_SETUID","CAP_SETPCAP","CAP_LINUX_IMMUTABLE","CAP_NET_BIND_SERVICE","CAP_NET_BROADCAST","CAP_NET_ADMIN","CAP_NET_RAW","CAP_IPC_LOCK","CAP_IPC_OWNER","CAP_SYS_MODULE","CAP_SYS_RAWIO","CAP_SYS_CHROOT","CAP_SYS_PTRACE","CAP_SYS_PACCT","CAP_SYS_ADMIN","CAP_SYS_BOOT","CAP_SYS_NICE","CAP_SYS_RESOURCE","CAP_SYS_TIME","CAP_SYS_TTY_CONFIG","CAP_MKNOD","CAP_LEASE","CAP_AUDIT_WRITE","CAP_AUDIT_CONTROL","CAP_SETFCAP","CAP_MAC_OVERRIDE","CAP_MAC_ADMIN","CAP_SYSLOG","CAP_WAKE_ALARM","CAP_BLOCK_SUSPEND","CAP_AUDIT_READ","CAP_PERFMON","CAP_BPF","CAP_CHECKPOINT_RESTORE"],"Ef
fective":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_DAC_READ_SEARCH","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_SETGID","CAP_SETUID","CAP_SETPCAP","CAP_LINUX_IMMUTABLE","CAP_NET_BIND_SERVICE","CAP_NET_BROADCAST","CAP_NET_ADMIN","CAP_NET_RAW","CAP_IPC_LOCK","CAP_IPC_OWNER","CAP_SYS_MODULE","CAP_SYS_RAWIO","CAP_SYS_CHROOT","CAP_SYS_PTRACE","CAP_SYS_PACCT","CAP_SYS_ADMIN","CAP_SYS_BOOT","CAP_SYS_NICE","CAP_SYS_RESOURCE","CAP_SYS_TIME","CAP_SYS_TTY_CONFIG","CAP_MKNOD","CAP_LEASE","CAP_AUDIT_WRITE","CAP_AUDIT_CONTROL","CAP_SETFCAP","CAP_MAC_OVERRIDE","CAP_MAC_ADMIN","CAP_SYSLOG","CAP_WAKE_ALARM","CAP_BLOCK_SUSPEND","CAP_AUDIT_READ","CAP_PERFMON","CAP_BPF","CAP_CHECKPOINT_RESTORE"],"Inheritable":[],"Permitted":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_DAC_READ_SEARCH","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_SETGID","CAP_SETUID","CAP_SETPCAP","CAP_LINUX_IMMUTABLE","CAP_NET_BIND_SERVICE","CAP_NET_BROADCAST","CAP_NET_ADMIN","CAP_NET_RAW","CAP_IPC_LOCK","CAP_IPC_OWNER","CAP_SYS_MODULE","CAP_SYS_RAWIO","CAP_SYS_CHROOT","CAP_SYS_PTRACE","CAP_SYS_PACCT","CAP_SYS_ADMIN","CAP_SYS_BOOT","CAP_SYS_NICE","CAP_SYS_RESOURCE","CAP_SYS_TIME","CAP_SYS_TTY_CONFIG","CAP_MKNOD","CAP_LEASE","CAP_AUDIT_WRITE","CAP_AUDIT_CONTROL","CAP_SETFCAP","CAP_MAC_OVERRIDE","CAP_MAC_ADMIN","CAP_SYSLOG","CAP_WAKE_ALARM","CAP_BLOCK_SUSPEND","CAP_AUDIT_READ","CAP_PERFMON","CAP_BPF","CAP_CHECKPOINT_RESTORE"],"Ambient":[]},"Rlimits":[],"NoNewPrivileges":false,"ApparmorProfile":"","OOMScoreAdj":1000,"SelinuxLabel":""},"Root":{"Path":"/run/kata-containers/shared/containers/8906ef3aa3d8f75de0f95009e8fab3480bc5e7b118c51896b2e35d8df1fc2c26","Readonly":false},"Hostname":"","Mounts":[{"destination":"/proc","source":"proc","type_":"proc","options":["nosuid","noexec","nodev"]},{"destination":"/dev","source":"tmpfs","type_":"tmpfs","options":["nosuid","strictatime","mode=755","size=65536k"]},{"destination":"/dev/pts","source":"devpts","type_":"devpts","options":["nosuid","noexec","newinstance","ptmxmode=0666","mode=0620","gid=5"]},
{"destination":"/dev/mqueue","source":"mqueue","type_":"mqueue","options":["nosuid","noexec","nodev"]},{"destination":"/sys","source":"sysfs","type_":"sysfs","options":["nosuid","noexec","nodev","rw"]},{"destination":"/sys/fs/cgroup","source":"cgroup","type_":"cgroup","options":["nosuid","noexec","nodev","relatime","rw"]},{"destination":"/etc/hosts","source":"/run/kata-containers/shared/containers/8906ef3aa3d8f75de0f95009e8fab3480bc5e7b118c51896b2e35d8df1fc2c26-0396c0c0821b1f3b-hosts","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/dev/termination-log","source":"/run/kata-containers/shared/containers/8906ef3aa3d8f75de0f95009e8fab3480bc5e7b118c51896b2e35d8df1fc2c26-a5a9d87ef5adeee7-termination-log","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/etc/hostname","source":"/run/kata-containers/shared/containers/8906ef3aa3d8f75de0f95009e8fab3480bc5e7b118c51896b2e35d8df1fc2c26-6e73cba1b0c2c91a-hostname","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/etc/resolv.conf","source":"/run/kata-containers/shared/containers/8906ef3aa3d8f75de0f95009e8fab3480bc5e7b118c51896b2e35d8df1fc2c26-fc44e14f837ef2a1-resolv.conf","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/dev/shm","source":"/run/kata-containers/sandbox/shm","type_":"bind","options":["rbind"]},{"destination":"/var/run/secrets/kubernetes.io/serviceaccount","source":"/run/kata-containers/shared/containers/8906ef3aa3d8f75de0f95009e8fab3480bc5e7b118c51896b2e35d8df1fc2c26-0ab02792924eaf31-serviceaccount","type_":"bind","options":["rbind","rprivate","ro"]}],"Hooks":null,"Annotations":{"io.kubernetes.cri.container-name":"busybox1","io.kubernetes.cri.container-type":"container","io.katacontainers.config.agent.policyOption.execCommands":"W3siY29udGFpbmVyTmFtZSI6ImJ1c3lib3gyIiwiZXhlY0NvbW1hbmRzIjpbImRoIC1oIiwicHMgLWVmIl19LCB7ImNvbnRhaW5lck5hbWUiOiJidXN5Ym94MyIsImV4ZWNDb21tYW5kcyI6WyJscyJdfV0=","io.kubernetes.cri.sandbox-name":"same-containers","io.kat
acontainers.pkg.oci.container_type":"pod_container","io.katacontainers.pkg.oci.bundle_path":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/8906ef3aa3d8f75de0f95009e8fab3480bc5e7b118c51896b2e35d8df1fc2c26","io.kubernetes.cri.sandbox-id":"971f00d742eb5728de5b147808f02a301d559b70c0dc17dcffd72855b4676a73","io.kubernetes.cri.sandbox-uid":"5b6eaa52-24fd-4a6e-8371-936515f32c7f","io.kubernetes.cri.image-name":"mcr.microsoft.com/aks/e2e/library-busybox:master.220314.1-linux-amd64","io.kubernetes.cri.sandbox-namespace":"default"},"Linux":{"UIDMappings":[],"GIDMappings":[],"Sysctl":{},"Resources":{"Devices":[],"Memory":{"Limit":0,"Reservation":0,"Swap":0,"Kernel":0,"KernelTCP":0,"Swappiness":0,"DisableOOMKiller":false},"CPU":{"Shares":2,"Quota":0,"Period":100000,"RealtimeRuntime":0,"RealtimePeriod":0,"Cpus":"","Mems":""},"Pids":null,"BlockIO":null,"HugepageLimits":[],"Network":null},"CgroupsPath":"/kubepods/besteffort/pod5b6eaa52-24fd-4a6e-8371-936515f32c7f/8906ef3aa3d8f75de0f95009e8fab3480bc5e7b118c51896b2e35d8df1fc2c26","Namespaces":[{"Type":"ipc","Path":""},{"Type":"uts","Path":""},{"Type":"mount","Path":""}],"Devices":[],"Seccomp":null,"RootfsPropagation":"","MaskedPaths":[],"ReadonlyPaths":[],"MountLabel":"","IntelRdt":null},"Solaris":null,"Windows":null},"sandbox_pidns":false,"shared_mounts":[]}],
+
+["ep":"StartContainerRequest",{"container_id":"8906ef3aa3d8f75de0f95009e8fab3480bc5e7b118c51896b2e35d8df1fc2c26"}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/8ab188b8cbf32be40c40cbeaf26d340c100b586a9ba800fd1b3d505b735172b9-2e8565bb63c4358e-hosts","file_size":211,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/8ab188b8cbf32be40c40cbeaf26d340c100b586a9ba800fd1b3d505b735172b9-cdd46f668b4907de-termination-log","file_size":0,"file_mode":33206,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/8ab188b8cbf32be40c40cbeaf26d340c100b586a9ba800fd1b3d505b735172b9-66279b0ec718ddff-hostname","file_size":16,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/8ab188b8cbf32be40c40cbeaf26d340c100b586a9ba800fd1b3d505b735172b9-1d706e054d5a35eb-resolv.conf","file_size":102,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/8ab188b8cbf32be40c40cbeaf26d340c100b586a9ba800fd1b3d505b735172b9-53ddca97f561311e-serviceaccount","file_size":0,"file_mode":17407,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/8ab188b8cbf32be40c40cbeaf26d340c100b586a9ba800fd1b3d505b735172b9-53ddca97f561311e-serviceaccount/..2024_05_08_18_21_16.3360422085","file_size":0,"file_mode":16877,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/8ab188b8cbf32be40c40cbeaf26d340c100b586a9ba800fd1b3d505b735172b9-53ddca97f561311e-serviceaccount/..2024_05_08_18_21_16.3360422085/ca.crt","file_size":1761,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/8ab188b8cbf32be40c40cbeaf26d340c100b586a9ba800fd1b3d505b735172b9-53ddca97f561311e-serviceaccount/..2024_05_08_18_21_16.3360422085/namespace","file_size":7,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/8ab188b8cbf32be40c40cbeaf26d340c100b586a9ba800fd1b3d505b735172b9-53ddca97f561311e-serviceaccount/..2024_05_08_18_21_16.3360422085/token","file_size":1503,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/8ab188b8cbf32be40c40cbeaf26d340c100b586a9ba800fd1b3d505b735172b9-53ddca97f561311e-serviceaccount/..data","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..2024_05_08_18_21_16.3360422085"}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/8ab188b8cbf32be40c40cbeaf26d340c100b586a9ba800fd1b3d505b735172b9-53ddca97f561311e-serviceaccount/ca.crt","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..data/ca.crt"}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/8ab188b8cbf32be40c40cbeaf26d340c100b586a9ba800fd1b3d505b735172b9-53ddca97f561311e-serviceaccount/namespace","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..data/namespace"}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/8ab188b8cbf32be40c40cbeaf26d340c100b586a9ba800fd1b3d505b735172b9-53ddca97f561311e-serviceaccount/token","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..data/token"}],
+
+["ep":"CreateContainerRequest",{"container_id":"8ab188b8cbf32be40c40cbeaf26d340c100b586a9ba800fd1b3d505b735172b9","exec_id":"8ab188b8cbf32be40c40cbeaf26d340c100b586a9ba800fd1b3d505b735172b9","string_user":null,"devices":[],"storages":[{"driver":"blk","driver_options":[],"source":"0001:00:02.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=8568c70c0ccfe0051092e818da769111a59882cd19dd799d3bca5ffa82791080"],"mount_point":"/run/kata-containers/sandbox/layers/2c342a137e693c7898aec36da1047f191dc7c1687e66198adacc439cf4adf379","fs_group":null},{"driver":"blk","driver_options":[],"source":"0001:00:03.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=b643b6217748983830b26ac14a35a3322dd528c00963eaadd91ef55f513dc73f"],"mount_point":"/run/kata-containers/sandbox/layers/2570e3a19e1bf20ddda45498a9627f61555d2d6c01479b9b76460b679b27d552","fs_group":null},{"driver":"overlayfs","driver_options":[],"source":"none","fstype":"fuse3.kata-overlay","options":["io.katacontainers.fs-opt.layer-src-prefix=/var/lib/containerd/io.containerd.snapshotter.v1.tardev/layers","io.katacontainers.fs-opt.layer=MmMzNDJhMTM3ZTY5M2M3ODk4YWVjMzZkYTEwNDdmMTkxZGM3YzE2ODdlNjYxOThhZGFjYzQzOWNmNGFkZjM3OSx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPTg1NjhjNzBjMGNjZmUwMDUxMDkyZTgxOGRhNzY5MTExYTU5ODgyY2QxOWRkNzk5ZDNiY2E1ZmZhODI3OTEwODA=","io.katacontainers.fs-opt.layer=MjU3MGUzYTE5ZTFiZjIwZGRkYTQ1NDk4YTk2MjdmNjE1NTVkMmQ2YzAxNDc5YjliNzY0NjBiNjc5YjI3ZDU1Mix0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPWI2NDNiNjIxNzc0ODk4MzgzMGIyNmFjMTRhMzVhMzMyMmRkNTI4YzAwOTYzZWFhZGQ5MWVmNTVmNTEzZGM3M2Y=","io.kata
containers.fs-opt.overlay-rw","lowerdir=2c342a137e693c7898aec36da1047f191dc7c1687e66198adacc439cf4adf379:2570e3a19e1bf20ddda45498a9627f61555d2d6c01479b9b76460b679b27d552"],"mount_point":"/run/kata-containers/shared/containers/8ab188b8cbf32be40c40cbeaf26d340c100b586a9ba800fd1b3d505b735172b9","fs_group":null}],"OCI":{"Version":"1.1.0-rc.1","Process":{"Terminal":false,"ConsoleSize":null,"User":{"UID":0,"GID":0,"AdditionalGids":[0,10],"Username":""},"Args":["/bin/sh","-c","while true; do echo hello; sleep 10; done"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","HOSTNAME=same-containers","POD_NAME=same-containers","POD_NAMESPACE=default","POD_IP=10.244.0.19","KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1","KUBERNETES_SERVICE_HOST=10.0.0.1","KUBERNETES_SERVICE_PORT=443","KUBERNETES_SERVICE_PORT_HTTPS=443","KUBERNETES_PORT=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP_PROTO=tcp","KUBERNETES_PORT_443_TCP_PORT=443"],"Cwd":"/","Capabilities":{"Bounding":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_DAC_READ_SEARCH","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_SETGID","CAP_SETUID","CAP_SETPCAP","CAP_LINUX_IMMUTABLE","CAP_NET_BIND_SERVICE","CAP_NET_BROADCAST","CAP_NET_ADMIN","CAP_NET_RAW","CAP_IPC_LOCK","CAP_IPC_OWNER","CAP_SYS_MODULE","CAP_SYS_RAWIO","CAP_SYS_CHROOT","CAP_SYS_PTRACE","CAP_SYS_PACCT","CAP_SYS_ADMIN","CAP_SYS_BOOT","CAP_SYS_NICE","CAP_SYS_RESOURCE","CAP_SYS_TIME","CAP_SYS_TTY_CONFIG","CAP_MKNOD","CAP_LEASE","CAP_AUDIT_WRITE","CAP_AUDIT_CONTROL","CAP_SETFCAP","CAP_MAC_OVERRIDE","CAP_MAC_ADMIN","CAP_SYSLOG","CAP_WAKE_ALARM","CAP_BLOCK_SUSPEND","CAP_AUDIT_READ","CAP_PERFMON","CAP_BPF","CAP_CHECKPOINT_RESTORE"],"Effective":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_DAC_READ_SEARCH","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_SETGID","CAP_SETUID","CAP_SETPCAP","CAP_LINUX_IMMUTABLE","CAP_NET_BIND_SERVICE","CAP_NET_BROADCAST","CAP_NET_ADMIN","CAP_NET_RAW","CAP_IPC_LOCK","CAP_IPC_OWNER","CAP_SYS_MODULE","CAP_SYS_RAWIO","CAP_
SYS_CHROOT","CAP_SYS_PTRACE","CAP_SYS_PACCT","CAP_SYS_ADMIN","CAP_SYS_BOOT","CAP_SYS_NICE","CAP_SYS_RESOURCE","CAP_SYS_TIME","CAP_SYS_TTY_CONFIG","CAP_MKNOD","CAP_LEASE","CAP_AUDIT_WRITE","CAP_AUDIT_CONTROL","CAP_SETFCAP","CAP_MAC_OVERRIDE","CAP_MAC_ADMIN","CAP_SYSLOG","CAP_WAKE_ALARM","CAP_BLOCK_SUSPEND","CAP_AUDIT_READ","CAP_PERFMON","CAP_BPF","CAP_CHECKPOINT_RESTORE"],"Inheritable":[],"Permitted":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_DAC_READ_SEARCH","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_SETGID","CAP_SETUID","CAP_SETPCAP","CAP_LINUX_IMMUTABLE","CAP_NET_BIND_SERVICE","CAP_NET_BROADCAST","CAP_NET_ADMIN","CAP_NET_RAW","CAP_IPC_LOCK","CAP_IPC_OWNER","CAP_SYS_MODULE","CAP_SYS_RAWIO","CAP_SYS_CHROOT","CAP_SYS_PTRACE","CAP_SYS_PACCT","CAP_SYS_ADMIN","CAP_SYS_BOOT","CAP_SYS_NICE","CAP_SYS_RESOURCE","CAP_SYS_TIME","CAP_SYS_TTY_CONFIG","CAP_MKNOD","CAP_LEASE","CAP_AUDIT_WRITE","CAP_AUDIT_CONTROL","CAP_SETFCAP","CAP_MAC_OVERRIDE","CAP_MAC_ADMIN","CAP_SYSLOG","CAP_WAKE_ALARM","CAP_BLOCK_SUSPEND","CAP_AUDIT_READ","CAP_PERFMON","CAP_BPF","CAP_CHECKPOINT_RESTORE"],"Ambient":[]},"Rlimits":[],"NoNewPrivileges":false,"ApparmorProfile":"","OOMScoreAdj":1000,"SelinuxLabel":""},"Root":{"Path":"/run/kata-containers/shared/containers/8ab188b8cbf32be40c40cbeaf26d340c100b586a9ba800fd1b3d505b735172b9","Readonly":false},"Hostname":"","Mounts":[{"destination":"/proc","source":"proc","type_":"proc","options":["nosuid","noexec","nodev"]},{"destination":"/dev","source":"tmpfs","type_":"tmpfs","options":["nosuid","strictatime","mode=755","size=65536k"]},{"destination":"/dev/pts","source":"devpts","type_":"devpts","options":["nosuid","noexec","newinstance","ptmxmode=0666","mode=0620","gid=5"]},{"destination":"/dev/mqueue","source":"mqueue","type_":"mqueue","options":["nosuid","noexec","nodev"]},{"destination":"/sys","source":"sysfs","type_":"sysfs","options":["nosuid","noexec","nodev","rw"]},{"destination":"/sys/fs/cgroup","source":"cgroup","type_":"cgroup","options":["nosuid","noexec","nodev
","relatime","rw"]},{"destination":"/etc/hosts","source":"/run/kata-containers/shared/containers/8ab188b8cbf32be40c40cbeaf26d340c100b586a9ba800fd1b3d505b735172b9-2e8565bb63c4358e-hosts","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/dev/termination-log","source":"/run/kata-containers/shared/containers/8ab188b8cbf32be40c40cbeaf26d340c100b586a9ba800fd1b3d505b735172b9-cdd46f668b4907de-termination-log","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/etc/hostname","source":"/run/kata-containers/shared/containers/8ab188b8cbf32be40c40cbeaf26d340c100b586a9ba800fd1b3d505b735172b9-66279b0ec718ddff-hostname","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/etc/resolv.conf","source":"/run/kata-containers/shared/containers/8ab188b8cbf32be40c40cbeaf26d340c100b586a9ba800fd1b3d505b735172b9-1d706e054d5a35eb-resolv.conf","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/dev/shm","source":"/run/kata-containers/sandbox/shm","type_":"bind","options":["rbind"]},{"destination":"/var/run/secrets/kubernetes.io/serviceaccount","source":"/run/kata-containers/shared/containers/8ab188b8cbf32be40c40cbeaf26d340c100b586a9ba800fd1b3d505b735172b9-53ddca97f561311e-serviceaccount","type_":"bind","options":["rbind","rprivate","ro"]}],"Hooks":null,"Annotations":{"io.kubernetes.cri.sandbox-name":"same-containers","io.kubernetes.cri.sandbox-namespace":"default","io.katacontainers.config.agent.policyOption.execCommands":"W3siY29udGFpbmVyTmFtZSI6ImJ1c3lib3gyIiwiZXhlY0NvbW1hbmRzIjpbImRoIC1oIiwicHMgLWVmIl19LCB7ImNvbnRhaW5lck5hbWUiOiJidXN5Ym94MyIsImV4ZWNDb21tYW5kcyI6WyJscyJdfV0=","io.kubernetes.cri.container-type":"container","io.kubernetes.cri.container-name":"busybox2","io.kubernetes.cri.image-name":"mcr.microsoft.com/aks/e2e/library-busybox:master.220314.1-linux-amd64","io.kubernetes.cri.sandbox-uid":"5b6eaa52-24fd-4a6e-8371-936515f32c7f","io.katacontainers.pkg.oci.container_type":"pod_container","io.kubernetes.cri.sandbox-id"
:"971f00d742eb5728de5b147808f02a301d559b70c0dc17dcffd72855b4676a73","io.katacontainers.pkg.oci.bundle_path":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/8ab188b8cbf32be40c40cbeaf26d340c100b586a9ba800fd1b3d505b735172b9"},"Linux":{"UIDMappings":[],"GIDMappings":[],"Sysctl":{},"Resources":{"Devices":[],"Memory":{"Limit":0,"Reservation":0,"Swap":0,"Kernel":0,"KernelTCP":0,"Swappiness":0,"DisableOOMKiller":false},"CPU":{"Shares":2,"Quota":0,"Period":100000,"RealtimeRuntime":0,"RealtimePeriod":0,"Cpus":"","Mems":""},"Pids":null,"BlockIO":null,"HugepageLimits":[],"Network":null},"CgroupsPath":"/kubepods/besteffort/pod5b6eaa52-24fd-4a6e-8371-936515f32c7f/8ab188b8cbf32be40c40cbeaf26d340c100b586a9ba800fd1b3d505b735172b9","Namespaces":[{"Type":"ipc","Path":""},{"Type":"uts","Path":""},{"Type":"mount","Path":""}],"Devices":[],"Seccomp":null,"RootfsPropagation":"","MaskedPaths":[],"ReadonlyPaths":[],"MountLabel":"","IntelRdt":null},"Solaris":null,"Windows":null},"sandbox_pidns":false,"shared_mounts":[]}], + +["ep":"StartContainerRequest",{"container_id":"8ab188b8cbf32be40c40cbeaf26d340c100b586a9ba800fd1b3d505b735172b9"}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/611c5a52cccd11f12e2f6f90340914e5616aa615d1f8fdafb41380a531f1f092-1f4b8b12570104a4-hosts","file_size":211,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/611c5a52cccd11f12e2f6f90340914e5616aa615d1f8fdafb41380a531f1f092-f186dcdcfb3b4b74-termination-log","file_size":0,"file_mode":33206,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/611c5a52cccd11f12e2f6f90340914e5616aa615d1f8fdafb41380a531f1f092-f257bcef4144f455-hostname","file_size":16,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + 
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/611c5a52cccd11f12e2f6f90340914e5616aa615d1f8fdafb41380a531f1f092-fcec31796ec146b0-resolv.conf","file_size":102,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/611c5a52cccd11f12e2f6f90340914e5616aa615d1f8fdafb41380a531f1f092-cc9e8759f7c25f9e-serviceaccount","file_size":0,"file_mode":17407,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/611c5a52cccd11f12e2f6f90340914e5616aa615d1f8fdafb41380a531f1f092-cc9e8759f7c25f9e-serviceaccount/..2024_05_08_18_21_16.3360422085","file_size":0,"file_mode":16877,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/611c5a52cccd11f12e2f6f90340914e5616aa615d1f8fdafb41380a531f1f092-cc9e8759f7c25f9e-serviceaccount/..2024_05_08_18_21_16.3360422085/ca.crt","file_size":1761,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/611c5a52cccd11f12e2f6f90340914e5616aa615d1f8fdafb41380a531f1f092-cc9e8759f7c25f9e-serviceaccount/..2024_05_08_18_21_16.3360422085/namespace","file_size":7,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/611c5a52cccd11f12e2f6f90340914e5616aa615d1f8fdafb41380a531f1f092-cc9e8759f7c25f9e-serviceaccount/..2024_05_08_18_21_16.3360422085/token","file_size":1503,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + 
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/611c5a52cccd11f12e2f6f90340914e5616aa615d1f8fdafb41380a531f1f092-cc9e8759f7c25f9e-serviceaccount/..data","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..2024_05_08_18_21_16.3360422085"}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/611c5a52cccd11f12e2f6f90340914e5616aa615d1f8fdafb41380a531f1f092-cc9e8759f7c25f9e-serviceaccount/ca.crt","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..data/ca.crt"}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/611c5a52cccd11f12e2f6f90340914e5616aa615d1f8fdafb41380a531f1f092-cc9e8759f7c25f9e-serviceaccount/namespace","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..data/namespace"}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/611c5a52cccd11f12e2f6f90340914e5616aa615d1f8fdafb41380a531f1f092-cc9e8759f7c25f9e-serviceaccount/token","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..data/token"}], + 
+["ep":"CreateContainerRequest",{"container_id":"611c5a52cccd11f12e2f6f90340914e5616aa615d1f8fdafb41380a531f1f092","exec_id":"611c5a52cccd11f12e2f6f90340914e5616aa615d1f8fdafb41380a531f1f092","string_user":null,"devices":[],"storages":[{"driver":"blk","driver_options":[],"source":"0001:00:02.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=8568c70c0ccfe0051092e818da769111a59882cd19dd799d3bca5ffa82791080"],"mount_point":"/run/kata-containers/sandbox/layers/2c342a137e693c7898aec36da1047f191dc7c1687e66198adacc439cf4adf379","fs_group":null},{"driver":"blk","driver_options":[],"source":"0001:00:03.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=b643b6217748983830b26ac14a35a3322dd528c00963eaadd91ef55f513dc73f"],"mount_point":"/run/kata-containers/sandbox/layers/2570e3a19e1bf20ddda45498a9627f61555d2d6c01479b9b76460b679b27d552","fs_group":null},{"driver":"overlayfs","driver_options":[],"source":"none","fstype":"fuse3.kata-overlay","options":["io.katacontainers.fs-opt.layer-src-prefix=/var/lib/containerd/io.containerd.snapshotter.v1.tardev/layers","io.katacontainers.fs-opt.layer=MmMzNDJhMTM3ZTY5M2M3ODk4YWVjMzZkYTEwNDdmMTkxZGM3YzE2ODdlNjYxOThhZGFjYzQzOWNmNGFkZjM3OSx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPTg1NjhjNzBjMGNjZmUwMDUxMDkyZTgxOGRhNzY5MTExYTU5ODgyY2QxOWRkNzk5ZDNiY2E1ZmZhODI3OTEwODA=","io.katacontainers.fs-opt.layer=MjU3MGUzYTE5ZTFiZjIwZGRkYTQ1NDk4YTk2MjdmNjE1NTVkMmQ2YzAxNDc5YjliNzY0NjBiNjc5YjI3ZDU1Mix0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPWI2NDNiNjIxNzc0ODk4MzgzMGIyNmFjMTRhMzVhMzMyMmRkNTI4YzAwOTYzZWFhZGQ5MWVmNTVmNTEzZGM3M2Y=","io.kata
containers.fs-opt.overlay-rw","lowerdir=2c342a137e693c7898aec36da1047f191dc7c1687e66198adacc439cf4adf379:2570e3a19e1bf20ddda45498a9627f61555d2d6c01479b9b76460b679b27d552"],"mount_point":"/run/kata-containers/shared/containers/611c5a52cccd11f12e2f6f90340914e5616aa615d1f8fdafb41380a531f1f092","fs_group":null}],"OCI":{"Version":"1.1.0-rc.1","Process":{"Terminal":false,"ConsoleSize":null,"User":{"UID":0,"GID":0,"AdditionalGids":[0,10],"Username":""},"Args":["/bin/sh","-c","while true; do echo hello; sleep 10; done"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","HOSTNAME=same-containers","POD_NAME=same-containers","POD_NAMESPACE=default","POD_IP=10.244.0.19","KUBERNETES_PORT=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP_PROTO=tcp","KUBERNETES_PORT_443_TCP_PORT=443","KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1","KUBERNETES_SERVICE_HOST=10.0.0.1","KUBERNETES_SERVICE_PORT=443","KUBERNETES_SERVICE_PORT_HTTPS=443"],"Cwd":"/","Capabilities":{"Bounding":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_DAC_READ_SEARCH","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_SETGID","CAP_SETUID","CAP_SETPCAP","CAP_LINUX_IMMUTABLE","CAP_NET_BIND_SERVICE","CAP_NET_BROADCAST","CAP_NET_ADMIN","CAP_NET_RAW","CAP_IPC_LOCK","CAP_IPC_OWNER","CAP_SYS_MODULE","CAP_SYS_RAWIO","CAP_SYS_CHROOT","CAP_SYS_PTRACE","CAP_SYS_PACCT","CAP_SYS_ADMIN","CAP_SYS_BOOT","CAP_SYS_NICE","CAP_SYS_RESOURCE","CAP_SYS_TIME","CAP_SYS_TTY_CONFIG","CAP_MKNOD","CAP_LEASE","CAP_AUDIT_WRITE","CAP_AUDIT_CONTROL","CAP_SETFCAP","CAP_MAC_OVERRIDE","CAP_MAC_ADMIN","CAP_SYSLOG","CAP_WAKE_ALARM","CAP_BLOCK_SUSPEND","CAP_AUDIT_READ","CAP_PERFMON","CAP_BPF","CAP_CHECKPOINT_RESTORE"],"Effective":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_DAC_READ_SEARCH","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_SETGID","CAP_SETUID","CAP_SETPCAP","CAP_LINUX_IMMUTABLE","CAP_NET_BIND_SERVICE","CAP_NET_BROADCAST","CAP_NET_ADMIN","CAP_NET_RAW","CAP_IPC_LOCK","CAP_IPC_OWNER","CAP_SYS_MODULE","CAP_SYS_RAWIO","CAP_
SYS_CHROOT","CAP_SYS_PTRACE","CAP_SYS_PACCT","CAP_SYS_ADMIN","CAP_SYS_BOOT","CAP_SYS_NICE","CAP_SYS_RESOURCE","CAP_SYS_TIME","CAP_SYS_TTY_CONFIG","CAP_MKNOD","CAP_LEASE","CAP_AUDIT_WRITE","CAP_AUDIT_CONTROL","CAP_SETFCAP","CAP_MAC_OVERRIDE","CAP_MAC_ADMIN","CAP_SYSLOG","CAP_WAKE_ALARM","CAP_BLOCK_SUSPEND","CAP_AUDIT_READ","CAP_PERFMON","CAP_BPF","CAP_CHECKPOINT_RESTORE"],"Inheritable":[],"Permitted":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_DAC_READ_SEARCH","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_SETGID","CAP_SETUID","CAP_SETPCAP","CAP_LINUX_IMMUTABLE","CAP_NET_BIND_SERVICE","CAP_NET_BROADCAST","CAP_NET_ADMIN","CAP_NET_RAW","CAP_IPC_LOCK","CAP_IPC_OWNER","CAP_SYS_MODULE","CAP_SYS_RAWIO","CAP_SYS_CHROOT","CAP_SYS_PTRACE","CAP_SYS_PACCT","CAP_SYS_ADMIN","CAP_SYS_BOOT","CAP_SYS_NICE","CAP_SYS_RESOURCE","CAP_SYS_TIME","CAP_SYS_TTY_CONFIG","CAP_MKNOD","CAP_LEASE","CAP_AUDIT_WRITE","CAP_AUDIT_CONTROL","CAP_SETFCAP","CAP_MAC_OVERRIDE","CAP_MAC_ADMIN","CAP_SYSLOG","CAP_WAKE_ALARM","CAP_BLOCK_SUSPEND","CAP_AUDIT_READ","CAP_PERFMON","CAP_BPF","CAP_CHECKPOINT_RESTORE"],"Ambient":[]},"Rlimits":[],"NoNewPrivileges":false,"ApparmorProfile":"","OOMScoreAdj":1000,"SelinuxLabel":""},"Root":{"Path":"/run/kata-containers/shared/containers/611c5a52cccd11f12e2f6f90340914e5616aa615d1f8fdafb41380a531f1f092","Readonly":false},"Hostname":"","Mounts":[{"destination":"/proc","source":"proc","type_":"proc","options":["nosuid","noexec","nodev"]},{"destination":"/dev","source":"tmpfs","type_":"tmpfs","options":["nosuid","strictatime","mode=755","size=65536k"]},{"destination":"/dev/pts","source":"devpts","type_":"devpts","options":["nosuid","noexec","newinstance","ptmxmode=0666","mode=0620","gid=5"]},{"destination":"/dev/mqueue","source":"mqueue","type_":"mqueue","options":["nosuid","noexec","nodev"]},{"destination":"/sys","source":"sysfs","type_":"sysfs","options":["nosuid","noexec","nodev","rw"]},{"destination":"/sys/fs/cgroup","source":"cgroup","type_":"cgroup","options":["nosuid","noexec","nodev
","relatime","rw"]},{"destination":"/etc/hosts","source":"/run/kata-containers/shared/containers/611c5a52cccd11f12e2f6f90340914e5616aa615d1f8fdafb41380a531f1f092-1f4b8b12570104a4-hosts","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/dev/termination-log","source":"/run/kata-containers/shared/containers/611c5a52cccd11f12e2f6f90340914e5616aa615d1f8fdafb41380a531f1f092-f186dcdcfb3b4b74-termination-log","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/etc/hostname","source":"/run/kata-containers/shared/containers/611c5a52cccd11f12e2f6f90340914e5616aa615d1f8fdafb41380a531f1f092-f257bcef4144f455-hostname","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/etc/resolv.conf","source":"/run/kata-containers/shared/containers/611c5a52cccd11f12e2f6f90340914e5616aa615d1f8fdafb41380a531f1f092-fcec31796ec146b0-resolv.conf","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/dev/shm","source":"/run/kata-containers/sandbox/shm","type_":"bind","options":["rbind"]},{"destination":"/var/run/secrets/kubernetes.io/serviceaccount","source":"/run/kata-containers/shared/containers/611c5a52cccd11f12e2f6f90340914e5616aa615d1f8fdafb41380a531f1f092-cc9e8759f7c25f9e-serviceaccount","type_":"bind","options":["rbind","rprivate","ro"]}],"Hooks":null,"Annotations":{"io.kubernetes.cri.sandbox-name":"same-containers","io.kubernetes.cri.sandbox-uid":"5b6eaa52-24fd-4a6e-8371-936515f32c7f","io.katacontainers.config.agent.policyOption.execCommands":"W3siY29udGFpbmVyTmFtZSI6ImJ1c3lib3gyIiwiZXhlY0NvbW1hbmRzIjpbImRoIC1oIiwicHMgLWVmIl19LCB7ImNvbnRhaW5lck5hbWUiOiJidXN5Ym94MyIsImV4ZWNDb21tYW5kcyI6WyJscyJdfV0=","io.katacontainers.pkg.oci.container_type":"pod_container","io.kubernetes.cri.sandbox-id":"971f00d742eb5728de5b147808f02a301d559b70c0dc17dcffd72855b4676a73","io.kubernetes.cri.container-type":"container","io.katacontainers.pkg.oci.bundle_path":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/611c5a52cccd11f12e2f6f90340914e5616
aa615d1f8fdafb41380a531f1f092","io.kubernetes.cri.sandbox-namespace":"default","io.kubernetes.cri.container-name":"busybox3","io.kubernetes.cri.image-name":"mcr.microsoft.com/aks/e2e/library-busybox:master.220314.1-linux-amd64"},"Linux":{"UIDMappings":[],"GIDMappings":[],"Sysctl":{},"Resources":{"Devices":[],"Memory":{"Limit":0,"Reservation":0,"Swap":0,"Kernel":0,"KernelTCP":0,"Swappiness":0,"DisableOOMKiller":false},"CPU":{"Shares":2,"Quota":0,"Period":100000,"RealtimeRuntime":0,"RealtimePeriod":0,"Cpus":"","Mems":""},"Pids":null,"BlockIO":null,"HugepageLimits":[],"Network":null},"CgroupsPath":"/kubepods/besteffort/pod5b6eaa52-24fd-4a6e-8371-936515f32c7f/611c5a52cccd11f12e2f6f90340914e5616aa615d1f8fdafb41380a531f1f092","Namespaces":[{"Type":"ipc","Path":""},{"Type":"uts","Path":""},{"Type":"mount","Path":""}],"Devices":[],"Seccomp":null,"RootfsPropagation":"","MaskedPaths":[],"ReadonlyPaths":[],"MountLabel":"","IntelRdt":null},"Solaris":null,"Windows":null},"sandbox_pidns":false,"shared_mounts":[]}],
+
+["ep":"StartContainerRequest",{"container_id":"611c5a52cccd11f12e2f6f90340914e5616aa615d1f8fdafb41380a531f1f092"}],
diff --git a/tests/kata/data/pod-same-containers/outputs.json b/tests/kata/data/pod-same-containers/outputs.json
new file mode 100644
index 00000000..308f0a6f
--- /dev/null
+++ b/tests/kata/data/pod-same-containers/outputs.json
@@ -0,0 +1,57 @@
+[
+ false,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true
+]
\ No newline at end of file
diff --git a/tests/kata/data/pod-same-containers/policy.rego b/tests/kata/data/pod-same-containers/policy.rego
new file mode 100644
index 00000000..06ee03a9
--- /dev/null
+++ b/tests/kata/data/pod-same-containers/policy.rego
@@ -0,0 +1,2299 @@
+# Copyright (c) 2023 Microsoft Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+package agent_policy
+
+import future.keywords.in
+import future.keywords.every
+
+# Default values, returned by OPA when rules cannot be evaluated to true.
+default AddARPNeighborsRequest := false
+default AddSwapRequest := false
+default CloseStdinRequest := false
+default CopyFileRequest := false
+default CreateContainerRequest := false
+default CreateSandboxRequest := false
+default DestroySandboxRequest := true
+default ExecProcessRequest := false
+default GetOOMEventRequest := true
+default GuestDetailsRequest := true
+default ListInterfacesRequest := false
+default ListRoutesRequest := false
+default MemHotplugByProbeRequest := false
+default OnlineCPUMemRequest := true
+default PauseContainerRequest := false
+default ReadStreamRequest := false
+default RemoveContainerRequest := true
+default RemoveStaleVirtiofsShareMountsRequest := true
+default ReseedRandomDevRequest := false
+default ResumeContainerRequest := false
+default SetGuestDateTimeRequest := false
+default SetPolicyRequest := false
+default SignalProcessRequest := true
+default StartContainerRequest := true
+default StartTracingRequest := false
+default StatsContainerRequest := true
+default StopTracingRequest := false
+default TtyWinResizeRequest := true
+default UpdateContainerRequest := false
+default UpdateEphemeralMountsRequest := false
+default UpdateInterfaceRequest := true
+default UpdateRoutesRequest := true
+default WaitProcessRequest := true
+default WriteStreamRequest := false
+
+# AllowRequestsFailingPolicy := true configures the Agent to *allow any
+# requests causing a policy failure*. This is an unsecure configuration
+# but is useful for allowing unsecure pods to start, then connect to
+# them and inspect OPA logs for the root cause of a failure.
+default AllowRequestsFailingPolicy := false
+
+CreateContainerRequest {
+ i_oci := input.OCI
+ i_storages := input.storages
+
+ print("CreateContainerRequest: i_oci.Hooks =", i_oci.Hooks)
+ is_null(i_oci.Hooks)
+
+ print("CreateContainerRequest: i_oci.Linux.Seccomp =", i_oci.Linux.Seccomp)
+ is_null(i_oci.Linux.Seccomp)
+
+ some p_container in policy_data.containers
+ print("======== CreateContainerRequest: trying next policy container")
+
+ p_pidns := p_container.sandbox_pidns
+ i_pidns := input.sandbox_pidns
+ print("CreateContainerRequest: p_pidns =", p_pidns, "i_pidns =", i_pidns)
+ p_pidns == i_pidns
+
+ p_oci := p_container.OCI
+
+ print("CreateContainerRequest: p Version =", p_oci.Version, "i Version =", i_oci.Version)
+ p_oci.Version == i_oci.Version
+
+ print("CreateContainerRequest: p Readonly =", p_oci.Root.Readonly, "i Readonly =", i_oci.Root.Readonly)
+ p_oci.Root.Readonly == i_oci.Root.Readonly
+
+ allow_anno(p_oci, i_oci)
+
+ p_storages := p_container.storages
+ allow_by_anno(p_oci, i_oci, p_storages, i_storages)
+
+ allow_linux(p_oci, i_oci)
+
+ print("CreateContainerRequest: true")
+}
+
+# Reject unexpected annotations.
+allow_anno(p_oci, i_oci) {
+ print("allow_anno 1: start")
+
+ not i_oci.Annotations
+
+ print("allow_anno 1: true")
+}
+allow_anno(p_oci, i_oci) {
+ print("allow_anno 2: p Annotations =", p_oci.Annotations)
+ print("allow_anno 2: i Annotations =", i_oci.Annotations)
+
+ i_keys := object.keys(i_oci.Annotations)
+ print("allow_anno 2: i keys =", i_keys)
+
+ every i_key in i_keys {
+ allow_anno_key(i_key, p_oci)
+ }
+
+ print("allow_anno 2: true")
+}
+
+allow_anno_key(i_key, p_oci) {
+ print("allow_anno_key 1: i key =", i_key)
+
+ startswith(i_key, "io.kubernetes.cri.")
+
+ print("allow_anno_key 1: true")
+}
+allow_anno_key(i_key, p_oci) {
+ print("allow_anno_key 2: i key =", i_key)
+
+ some p_key, _ in p_oci.Annotations
+ p_key == i_key
+
+ print("allow_anno_key 2: true")
+}
+
+# Get the value of the "io.kubernetes.cri.sandbox-name" annotation and
+# correlate it with other annotations and process fields.
+allow_by_anno(p_oci, i_oci, p_storages, i_storages) {
+ print("allow_by_anno 1: start")
+
+ s_name := "io.kubernetes.cri.sandbox-name"
+
+ not p_oci.Annotations[s_name]
+
+ i_s_name := i_oci.Annotations[s_name]
+ print("allow_by_anno 1: i_s_name =", i_s_name)
+
+ allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, i_s_name)
+
+ print("allow_by_anno 1: true")
+}
+allow_by_anno(p_oci, i_oci, p_storages, i_storages) {
+ print("allow_by_anno 2: start")
+
+ s_name := "io.kubernetes.cri.sandbox-name"
+
+ p_s_name := p_oci.Annotations[s_name]
+ i_s_name := i_oci.Annotations[s_name]
+ print("allow_by_anno 2: i_s_name =", i_s_name, "p_s_name =", p_s_name)
+
+ allow_sandbox_name(p_s_name, i_s_name)
+ allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, i_s_name)
+
+ print("allow_by_anno 2: true")
+}
+
+allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, s_name) {
+ print("allow_by_sandbox_name: start")
+
+ s_namespace := "io.kubernetes.cri.sandbox-namespace"
+
+ p_namespace := p_oci.Annotations[s_namespace]
+ i_namespace := 
i_oci.Annotations[s_namespace]
+ print("allow_by_sandbox_name: p_namespace =", p_namespace, "i_namespace =", i_namespace)
+ p_namespace == i_namespace
+
+ allow_by_container_types(p_oci, i_oci, s_name, p_namespace)
+ allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages)
+ allow_process(p_oci, i_oci, s_name)
+
+ print("allow_by_sandbox_name: true")
+}
+
+allow_sandbox_name(p_s_name, i_s_name) {
+ print("allow_sandbox_name 1: start")
+
+ p_s_name == i_s_name
+
+ print("allow_sandbox_name 1: true")
+}
+allow_sandbox_name(p_s_name, i_s_name) {
+ print("allow_sandbox_name 2: start")
+
+ # TODO: should generated names be handled differently?
+ contains(p_s_name, "$(generated-name)")
+
+ print("allow_sandbox_name 2: true")
+}
+
+# Check that the "io.kubernetes.cri.container-type" and
+# "io.katacontainers.pkg.oci.container_type" annotations designate the
+# expected type - either a "sandbox" or a "container". Then, validate
+# other annotations based on the actual "sandbox" or "container" value
+# from the input container.
+allow_by_container_types(p_oci, i_oci, s_name, s_namespace) {
+ print("allow_by_container_types: checking io.kubernetes.cri.container-type")
+
+ c_type := "io.kubernetes.cri.container-type"
+
+ p_cri_type := p_oci.Annotations[c_type]
+ i_cri_type := i_oci.Annotations[c_type]
+ print("allow_by_container_types: p_cri_type =", p_cri_type, "i_cri_type =", i_cri_type)
+ p_cri_type == i_cri_type
+
+ allow_by_container_type(i_cri_type, p_oci, i_oci, s_name, s_namespace)
+
+ print("allow_by_container_types: true")
+}
+
+allow_by_container_type(i_cri_type, p_oci, i_oci, s_name, s_namespace) {
+ print("allow_by_container_type 1: i_cri_type =", i_cri_type)
+ i_cri_type == "sandbox"
+
+ i_kata_type := i_oci.Annotations["io.katacontainers.pkg.oci.container_type"]
+ print("allow_by_container_type 1: i_kata_type =", i_kata_type)
+ i_kata_type == "pod_sandbox"
+
+ allow_sandbox_container_name(p_oci, i_oci)
+ allow_sandbox_net_namespace(p_oci, i_oci)
+ allow_sandbox_log_directory(p_oci, i_oci, s_name, s_namespace)
+
+ print("allow_by_container_type 1: true")
+}
+
+allow_by_container_type(i_cri_type, p_oci, i_oci, s_name, s_namespace) {
+ print("allow_by_container_type 2: i_cri_type =", i_cri_type)
+ i_cri_type == "container"
+
+ i_kata_type := i_oci.Annotations["io.katacontainers.pkg.oci.container_type"]
+ print("allow_by_container_type 2: i_kata_type =", i_kata_type)
+ i_kata_type == "pod_container"
+
+ allow_container_name(p_oci, i_oci)
+ allow_net_namespace(p_oci, i_oci)
+ allow_log_directory(p_oci, i_oci)
+
+ print("allow_by_container_type 2: true")
+}
+
+# "io.kubernetes.cri.container-name" annotation
+allow_sandbox_container_name(p_oci, i_oci) {
+ print("allow_sandbox_container_name: start")
+
+ container_annotation_missing(p_oci, i_oci, "io.kubernetes.cri.container-name")
+
+ print("allow_sandbox_container_name: true")
+}
+
+allow_container_name(p_oci, i_oci) {
+ print("allow_container_name: start")
+
+ allow_container_annotation(p_oci, i_oci, 
"io.kubernetes.cri.container-name")
+
+ print("allow_container_name: true")
+}
+
+container_annotation_missing(p_oci, i_oci, key) {
+ print("container_annotation_missing:", key)
+
+ not p_oci.Annotations[key]
+ not i_oci.Annotations[key]
+
+ print("container_annotation_missing: true")
+}
+
+allow_container_annotation(p_oci, i_oci, key) {
+ print("allow_container_annotation: key =", key)
+
+ p_value := p_oci.Annotations[key]
+ i_value := i_oci.Annotations[key]
+ print("allow_container_annotation: p_value =", p_value, "i_value =", i_value)
+
+ p_value == i_value
+
+ print("allow_container_annotation: true")
+}
+
+# "nerdctl/network-namespace" annotation
+allow_sandbox_net_namespace(p_oci, i_oci) {
+ print("allow_sandbox_net_namespace: start")
+
+ key := "nerdctl/network-namespace"
+
+ p_namespace := p_oci.Annotations[key]
+ i_namespace := i_oci.Annotations[key]
+ print("allow_sandbox_net_namespace: p_namespace =", p_namespace, "i_namespace =", i_namespace)
+
+ regex.match(p_namespace, i_namespace)
+
+ print("allow_sandbox_net_namespace: true")
+}
+
+allow_net_namespace(p_oci, i_oci) {
+ print("allow_net_namespace: start")
+
+ key := "nerdctl/network-namespace"
+
+ not p_oci.Annotations[key]
+ not i_oci.Annotations[key]
+
+ print("allow_net_namespace: true")
+}
+
+# "io.kubernetes.cri.sandbox-log-directory" annotation
+allow_sandbox_log_directory(p_oci, i_oci, s_name, s_namespace) {
+ print("allow_sandbox_log_directory: start")
+
+ key := "io.kubernetes.cri.sandbox-log-directory"
+
+ p_dir := p_oci.Annotations[key]
+ regex1 := replace(p_dir, "$(sandbox-name)", s_name)
+ regex2 := replace(regex1, "$(sandbox-namespace)", s_namespace)
+ print("allow_sandbox_log_directory: regex2 =", regex2)
+
+ i_dir := i_oci.Annotations[key]
+ print("allow_sandbox_log_directory: i_dir =", i_dir)
+
+ regex.match(regex2, i_dir)
+
+ print("allow_sandbox_log_directory: true")
+}
+
+allow_log_directory(p_oci, i_oci) {
+ print("allow_log_directory: start")
+
+ key := 
"io.kubernetes.cri.sandbox-log-directory"
+
+ not p_oci.Annotations[key]
+ not i_oci.Annotations[key]
+
+ print("allow_log_directory: true")
+}
+
+allow_linux(p_oci, i_oci) {
+ p_namespaces := p_oci.Linux.Namespaces
+ print("allow_linux: p namespaces =", p_namespaces)
+
+ i_namespaces := i_oci.Linux.Namespaces
+ print("allow_linux: i namespaces =", i_namespaces)
+
+ p_namespaces == i_namespaces
+
+ allow_masked_paths(p_oci, i_oci)
+ allow_readonly_paths(p_oci, i_oci)
+
+ print("allow_linux: true")
+}
+
+allow_masked_paths(p_oci, i_oci) {
+ p_paths := p_oci.Linux.MaskedPaths
+ print("allow_masked_paths 1: p_paths =", p_paths)
+
+ i_paths := i_oci.Linux.MaskedPaths
+ print("allow_masked_paths 1: i_paths =", i_paths)
+
+ allow_masked_paths_array(p_paths, i_paths)
+
+ print("allow_masked_paths 1: true")
+}
+allow_masked_paths(p_oci, i_oci) {
+ print("allow_masked_paths 2: start")
+
+ not p_oci.Linux.MaskedPaths
+ not i_oci.Linux.MaskedPaths
+
+ print("allow_masked_paths 2: true")
+}
+
+# All the policy masked paths must be masked in the input data too.
+# Input is allowed to have more masked paths than the policy.
+allow_masked_paths_array(p_array, i_array) {
+ every p_elem in p_array {
+ allow_masked_path(p_elem, i_array)
+ }
+}
+
+allow_masked_path(p_elem, i_array) {
+ print("allow_masked_path: p_elem =", p_elem)
+
+ some i_elem in i_array
+ p_elem == i_elem
+
+ print("allow_masked_path: true")
+}
+
+allow_readonly_paths(p_oci, i_oci) {
+ p_paths := p_oci.Linux.ReadonlyPaths
+ print("allow_readonly_paths 1: p_paths =", p_paths)
+
+ i_paths := i_oci.Linux.ReadonlyPaths
+ print("allow_readonly_paths 1: i_paths =", i_paths)
+
+ allow_readonly_paths_array(p_paths, i_paths, i_oci.Linux.MaskedPaths)
+
+ print("allow_readonly_paths 1: true")
+}
+allow_readonly_paths(p_oci, i_oci) {
+ print("allow_readonly_paths 2: start")
+
+ not p_oci.Linux.ReadonlyPaths
+ not i_oci.Linux.ReadonlyPaths
+
+ print("allow_readonly_paths 2: true")
+}
+
+# All the policy readonly paths must be either:
+# - Present in the input readonly paths, or
+# - Present in the input masked paths.
+# Input is allowed to have more readonly paths than the policy.
+allow_readonly_paths_array(p_array, i_array, masked_paths) {
+ every p_elem in p_array {
+ allow_readonly_path(p_elem, i_array, masked_paths)
+ }
+}
+
+allow_readonly_path(p_elem, i_array, masked_paths) {
+ print("allow_readonly_path 1: p_elem =", p_elem)
+
+ some i_elem in i_array
+ p_elem == i_elem
+
+ print("allow_readonly_path 1: true")
+}
+allow_readonly_path(p_elem, i_array, masked_paths) {
+ print("allow_readonly_path 2: p_elem =", p_elem)
+
+ some i_masked in masked_paths
+ p_elem == i_masked
+
+ print("allow_readonly_path 2: true")
+}
+
+# Check the consistency of the input "io.katacontainers.pkg.oci.bundle_path"
+# and io.kubernetes.cri.sandbox-id" values with other fields.
+allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) {
+ print("allow_by_bundle_or_sandbox_id: start")
+
+ bundle_path := i_oci.Annotations["io.katacontainers.pkg.oci.bundle_path"]
+ bundle_id := replace(bundle_path, "/run/containerd/io.containerd.runtime.v2.task/k8s.io/", "")
+
+ key := "io.kubernetes.cri.sandbox-id"
+
+ p_regex := p_oci.Annotations[key]
+ sandbox_id := i_oci.Annotations[key]
+
+ print("allow_by_bundle_or_sandbox_id: sandbox_id =", sandbox_id, "regex =", p_regex)
+ regex.match(p_regex, sandbox_id)
+
+ allow_root_path(p_oci, i_oci, bundle_id)
+
+ every i_mount in input.OCI.Mounts {
+ allow_mount(p_oci, i_mount, bundle_id, sandbox_id)
+ }
+
+ allow_storages(p_storages, i_storages, bundle_id, sandbox_id)
+
+ print("allow_by_bundle_or_sandbox_id: true")
+}
+
+allow_process(p_oci, i_oci, s_name) {
+ p_process := p_oci.Process
+ i_process := i_oci.Process
+
+ print("allow_process: i terminal =", i_process.Terminal, "p terminal =", p_process.Terminal)
+ p_process.Terminal == i_process.Terminal
+
+ print("allow_process: i cwd =", i_process.Cwd, "i cwd =", p_process.Cwd)
+ p_process.Cwd == i_process.Cwd
+
+ print("allow_process: i noNewPrivileges =", i_process.NoNewPrivileges, "p noNewPrivileges =", p_process.NoNewPrivileges)
+ p_process.NoNewPrivileges == i_process.NoNewPrivileges
+
+ allow_caps(p_process.Capabilities, i_process.Capabilities)
+ allow_user(p_process, i_process)
+ allow_args(p_process, i_process, s_name)
+ allow_env(p_process, i_process, s_name)
+
+ print("allow_process: true")
+}
+
+allow_user(p_process, i_process) {
+ p_user := p_process.User
+ i_user := i_process.User
+
+ print("allow_user: input uid =", i_user.UID, "policy uid =", p_user.UID)
+ p_user.UID == i_user.UID
+
+ # TODO: track down the reason for registry.k8s.io/pause:3.9 being
+ # executed with gid = 0 despite having "65535:65535" in its container image
+ # config.
+ #print("allow_user: input gid =", i_user.GID, "policy gid =", p_user.GID)
+ #p_user.GID == i_user.GID
+
+ # TODO: compare the additionalGids field too after computing its value
+ # based on /etc/passwd and /etc/group from the container image.
+}
+
+allow_args(p_process, i_process, s_name) {
+ print("allow_args 1: no args")
+
+ not p_process.Args
+ not i_process.Args
+
+ print("allow_args 1: true")
+}
+allow_args(p_process, i_process, s_name) {
+ print("allow_args 2: policy args =", p_process.Args)
+ print("allow_args 2: input args =", i_process.Args)
+
+ count(p_process.Args) == count(i_process.Args)
+
+ every i, i_arg in i_process.Args {
+ allow_arg(i, i_arg, p_process, s_name)
+ }
+
+ print("allow_args 2: true")
+}
+allow_arg(i, i_arg, p_process, s_name) {
+ p_arg := p_process.Args[i]
+ print("allow_arg 1: i =", i, "i_arg =", i_arg, "p_arg =", p_arg)
+
+ p_arg2 := replace(p_arg, "$$", "$")
+ p_arg2 == i_arg
+
+ print("allow_arg 1: true")
+}
+allow_arg(i, i_arg, p_process, s_name) {
+ p_arg := p_process.Args[i]
+ print("allow_arg 2: i =", i, "i_arg =", i_arg, "p_arg =", p_arg)
+
+ # TODO: can $(node-name) be handled better?
+ contains(p_arg, "$(node-name)")
+
+ print("allow_arg 2: true")
+}
+allow_arg(i, i_arg, p_process, s_name) {
+ p_arg := p_process.Args[i]
+ print("allow_arg 3: i =", i, "i_arg =", i_arg, "p_arg =", p_arg)
+
+ p_arg2 := replace(p_arg, "$$", "$")
+ p_arg3 := replace(p_arg2, "$(sandbox-name)", s_name)
+ print("allow_arg 3: p_arg3 =", p_arg3)
+ p_arg3 == i_arg
+
+ print("allow_arg 3: true")
+}
+
+# OCI process.Env field
+allow_env(p_process, i_process, s_name) {
+ print("allow_env: p env =", p_process.Env)
+ print("allow_env: i env =", i_process.Env)
+
+ every i_var in i_process.Env {
+ print("allow_env: i_var =", i_var)
+ allow_var(p_process, i_process, i_var, s_name)
+ }
+
+ print("allow_env: true")
+}
+
+# Allow input env variables that are present in the policy data too.
+allow_var(p_process, i_process, i_var, s_name) {
+ some p_var in p_process.Env
+ p_var == i_var
+ print("allow_var 1: true")
+}
+
+# Match input with one of the policy variables, after substituting $(sandbox-name).
+allow_var(p_process, i_process, i_var, s_name) {
+ some p_var in p_process.Env
+ p_var2 := replace(p_var, "$(sandbox-name)", s_name)
+
+ print("allow_var 2: p_var2 =", p_var2)
+ p_var2 == i_var
+
+ print("allow_var 2: true")
+}
+
+# Allow input env variables that match with a request_defaults regex.
+allow_var(p_process, i_process, i_var, s_name) {
+ some p_regex1 in policy_data.request_defaults.CreateContainerRequest.allow_env_regex
+ p_regex2 := replace(p_regex1, "$(ipv4_a)", policy_data.common.ipv4_a)
+ p_regex3 := replace(p_regex2, "$(ip_p)", policy_data.common.ip_p)
+ p_regex4 := replace(p_regex3, "$(svc_name)", policy_data.common.svc_name)
+ p_regex5 := replace(p_regex4, "$(dns_label)", policy_data.common.dns_label)
+
+ print("allow_var 3: p_regex5 =", p_regex5)
+ regex.match(p_regex5, i_var)
+
+ print("allow_var 3: true")
+}
+
+# Allow fieldRef "fieldPath: status.podIP" values.
+allow_var(p_process, i_process, i_var, s_name) {
+ name_value := split(i_var, "=")
+ count(name_value) == 2
+ is_ip(name_value[1])
+
+ some p_var in p_process.Env
+ allow_pod_ip_var(name_value[0], p_var)
+
+ print("allow_var 4: true")
+}
+
+# Allow common fieldRef variables.
+allow_var(p_process, i_process, i_var, s_name) {
+ name_value := split(i_var, "=")
+ count(name_value) == 2
+
+ some p_var in p_process.Env
+ p_name_value := split(p_var, "=")
+ count(p_name_value) == 2
+
+ p_name_value[0] == name_value[0]
+
+ # TODO: should these be handled in a different way?
+ always_allowed := ["$(host-name)", "$(node-name)", "$(pod-uid)"]
+ some allowed in always_allowed
+ contains(p_name_value[1], allowed)
+
+ print("allow_var 5: true")
+}
+
+# Allow fieldRef "fieldPath: status.hostIP" values.
+allow_var(p_process, i_process, i_var, s_name) { + name_value := split(i_var, "=") + count(name_value) == 2 + is_ip(name_value[1]) + + some p_var in p_process.Env + allow_host_ip_var(name_value[0], p_var) + + print("allow_var 6: true") +} + +# Allow resourceFieldRef values (e.g., "limits.cpu"). +allow_var(p_process, i_process, i_var, s_name) { + name_value := split(i_var, "=") + count(name_value) == 2 + + some p_var in p_process.Env + p_name_value := split(p_var, "=") + count(p_name_value) == 2 + + p_name_value[0] == name_value[0] + + # TODO: should these be handled in a different way? + always_allowed = ["$(resource-field)", "$(todo-annotation)"] + some allowed in always_allowed + contains(p_name_value[1], allowed) + + print("allow_var 7: true") +} + +allow_pod_ip_var(var_name, p_var) { + print("allow_pod_ip_var: var_name =", var_name, "p_var =", p_var) + + p_name_value := split(p_var, "=") + count(p_name_value) == 2 + + p_name_value[0] == var_name + p_name_value[1] == "$(pod-ip)" + + print("allow_pod_ip_var: true") +} + +allow_host_ip_var(var_name, p_var) { + print("allow_host_ip_var: var_name =", var_name, "p_var =", p_var) + + p_name_value := split(p_var, "=") + count(p_name_value) == 2 + + p_name_value[0] == var_name + p_name_value[1] == "$(host-ip)" + + print("allow_host_ip_var: true") +} + +is_ip(value) { + bytes = split(value, ".") + count(bytes) == 4 + + is_ip_first_byte(bytes[0]) + is_ip_other_byte(bytes[1]) + is_ip_other_byte(bytes[2]) + is_ip_other_byte(bytes[3]) +} +is_ip_first_byte(component) { + number = to_number(component) + number >= 1 + number <= 255 +} +is_ip_other_byte(component) { + number = to_number(component) + number >= 0 + number <= 255 +} + +# OCI root.Path +allow_root_path(p_oci, i_oci, bundle_id) { + i_path := i_oci.Root.Path + p_path1 := p_oci.Root.Path + print("allow_root_path: i_path =", i_path, "p_path1 =", p_path1) + + p_path2 := replace(p_path1, "$(cpath)", policy_data.common.cpath) + print("allow_root_path: p_path2 =", p_path2) 
+ + p_path3 := replace(p_path2, "$(bundle-id)", bundle_id) + print("allow_root_path: p_path3 =", p_path3) + + p_path3 == i_path + + print("allow_root_path: true") +} + +# device mounts +allow_mount(p_oci, i_mount, bundle_id, sandbox_id) { + print("allow_mount: i_mount =", i_mount) + + some p_mount in p_oci.Mounts + print("allow_mount: p_mount =", p_mount) + check_mount(p_mount, i_mount, bundle_id, sandbox_id) + + # TODO: are there any other required policy checks for mounts - e.g., + # multiple mounts with same source or destination? + + print("allow_mount: true") +} + +check_mount(p_mount, i_mount, bundle_id, sandbox_id) { + p_mount == i_mount + print("check_mount 1: true") +} +check_mount(p_mount, i_mount, bundle_id, sandbox_id) { + p_mount.destination == i_mount.destination + p_mount.type_ == i_mount.type_ + p_mount.options == i_mount.options + + mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) + + print("check_mount 2: true") +} + +mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) { + regex1 := p_mount.source + regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix) + regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath) + regex4 := replace(regex3, "$(bundle-id)", bundle_id) + + print("mount_source_allows 1: regex4 =", regex4) + regex.match(regex4, i_mount.source) + + print("mount_source_allows 1: true") +} +mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) { + regex1 := p_mount.source + regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix) + regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath) + regex4 := replace(regex3, "$(sandbox-id)", sandbox_id) + + print("mount_source_allows 2: regex4 =", regex4) + regex.match(regex4, i_mount.source) + + print("mount_source_allows 2: true") +} +mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) { + print("mount_source_allows 3: i_mount.source=", i_mount.source) + + i_source_parts = split(i_mount.source, "/") + 
b64_direct_vol_path = i_source_parts[count(i_source_parts) - 1] + + base64.is_valid(b64_direct_vol_path) + + source1 := p_mount.source + print("mount_source_allows 3: source1 =", source1) + + source2 := replace(source1, "$(spath)", policy_data.common.spath) + print("mount_source_allows 3: source2 =", source2) + + source3 := replace(source2, "$(b64-direct-vol-path)", b64_direct_vol_path) + print("mount_source_allows 3: source3 =", source3) + + source3 == i_mount.source + + print("mount_source_allows 3: true") +} + +###################################################################### +# Create container Storages + +allow_storages(p_storages, i_storages, bundle_id, sandbox_id) { + p_count := count(p_storages) + i_count := count(i_storages) + print("allow_storages: p_count =", p_count, "i_count =", i_count) + + p_count == i_count + + # Get the container image layer IDs and verity root hashes, from the "overlayfs" storage. + some overlay_storage in p_storages + overlay_storage.driver == "overlayfs" + print("allow_storages: overlay_storage =", overlay_storage) + count(overlay_storage.options) == 2 + + layer_ids := split(overlay_storage.options[0], ":") + print("allow_storages: layer_ids =", layer_ids) + + root_hashes := split(overlay_storage.options[1], ":") + print("allow_storages: root_hashes =", root_hashes) + + every i_storage in i_storages { + allow_storage(p_storages, i_storage, bundle_id, sandbox_id, layer_ids, root_hashes) + } + + print("allow_storages: true") +} + +allow_storage(p_storages, i_storage, bundle_id, sandbox_id, layer_ids, root_hashes) { + some p_storage in p_storages + + print("allow_storage: p_storage =", p_storage) + print("allow_storage: i_storage =", i_storage) + + p_storage.driver == i_storage.driver + p_storage.driver_options == i_storage.driver_options + p_storage.fs_group == i_storage.fs_group + + allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) + allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) 
+ + # TODO: validate the source field too. + + print("allow_storage: true") +} + +allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) { + print("allow_storage_options 1: start") + + p_storage.driver != "overlayfs" + p_storage.options == i_storage.options + + print("allow_storage_options 1: true") +} +allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) { + print("allow_storage_options 2: start") + + p_storage.driver == "overlayfs" + count(p_storage.options) == 2 + + policy_ids := split(p_storage.options[0], ":") + print("allow_storage_options 2: policy_ids =", policy_ids) + policy_ids == layer_ids + + policy_hashes := split(p_storage.options[1], ":") + print("allow_storage_options 2: policy_hashes =", policy_hashes) + + p_count := count(policy_ids) + print("allow_storage_options 2: p_count =", p_count) + p_count >= 1 + p_count == count(policy_hashes) + + i_count := count(i_storage.options) + print("allow_storage_options 2: i_count =", i_count) + i_count == p_count + 3 + + print("allow_storage_options 2: i_storage.options[0] =", i_storage.options[0]) + i_storage.options[0] == "io.katacontainers.fs-opt.layer-src-prefix=/var/lib/containerd/io.containerd.snapshotter.v1.tardev/layers" + + print("allow_storage_options 2: i_storage.options[i_count - 2] =", i_storage.options[i_count - 2]) + i_storage.options[i_count - 2] == "io.katacontainers.fs-opt.overlay-rw" + + lowerdir := concat("=", ["lowerdir", p_storage.options[0]]) + print("allow_storage_options 2: lowerdir =", lowerdir) + + print("allow_storage_options 2: i_storage.options[i_count - 1] =", i_storage.options[i_count - 1]) + i_storage.options[i_count - 1] == lowerdir + + every i, policy_id in policy_ids { + allow_overlay_layer(policy_id, policy_hashes[i], i_storage.options[i + 1]) + } + + print("allow_storage_options 2: true") +} +allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) { + print("allow_storage_options 3: start") + + p_storage.driver == "blk" + 
count(p_storage.options) == 1 + + startswith(p_storage.options[0], "$(hash") + hash_suffix := trim_left(p_storage.options[0], "$(hash") + + endswith(hash_suffix, ")") + hash_index := trim_right(hash_suffix, ")") + i := to_number(hash_index) + print("allow_storage_options 3: i =", i) + + hash_option := concat("=", ["io.katacontainers.fs-opt.root-hash", root_hashes[i]]) + print("allow_storage_options 3: hash_option =", hash_option) + + count(i_storage.options) == 4 + i_storage.options[0] == "ro" + i_storage.options[1] == "io.katacontainers.fs-opt.block_device=file" + i_storage.options[2] == "io.katacontainers.fs-opt.is-layer" + i_storage.options[3] == hash_option + + print("allow_storage_options 3: true") +} +allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) { + print("allow_storage_options 4: start") + + p_storage.driver == "smb" + count(i_storage.options) == 8 + i_storage.options[0] == "dir_mode=0666" + i_storage.options[1] == "file_mode=0666" + i_storage.options[2] == "mfsymlinks" + i_storage.options[3] == "cache=strict" + i_storage.options[4] == "nosharesock" + i_storage.options[5] == "actimeo=30" + startswith(i_storage.options[6], "addr=") + creds = split(i_storage.options[7], ",") + count(creds) == 2 + startswith(creds[0], "username=") + startswith(creds[1], "password=") + + print("allow_storage_options 4: true") +} + +allow_overlay_layer(policy_id, policy_hash, i_option) { + print("allow_overlay_layer: policy_id =", policy_id, "policy_hash =", policy_hash) + print("allow_overlay_layer: i_option =", i_option) + + startswith(i_option, "io.katacontainers.fs-opt.layer=") + i_value := replace(i_option, "io.katacontainers.fs-opt.layer=", "") + i_value_decoded := base64.decode(i_value) + print("allow_overlay_layer: i_value_decoded =", i_value_decoded) + + policy_suffix := concat("=", ["tar,ro,io.katacontainers.fs-opt.block_device=file,io.katacontainers.fs-opt.is-layer,io.katacontainers.fs-opt.root-hash", policy_hash]) + p_value := concat(",", 
[policy_id, policy_suffix]) + print("allow_overlay_layer: p_value =", p_value) + + p_value == i_value_decoded + + print("allow_overlay_layer: true") +} + +allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { + p_storage.fstype == "tar" + + startswith(p_storage.mount_point, "$(layer") + mount_suffix := trim_left(p_storage.mount_point, "$(layer") + + endswith(mount_suffix, ")") + layer_index := trim_right(mount_suffix, ")") + i := to_number(layer_index) + print("allow_mount_point 1: i =", i) + + layer_id := layer_ids[i] + print("allow_mount_point 1: layer_id =", layer_id) + + p_mount := concat("/", ["/run/kata-containers/sandbox/layers", layer_id]) + print("allow_mount_point 1: p_mount =", p_mount) + + p_mount == i_storage.mount_point + + print("allow_mount_point 1: true") +} +allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { + p_storage.fstype == "fuse3.kata-overlay" + + mount1 := replace(p_storage.mount_point, "$(cpath)", policy_data.common.cpath) + mount2 := replace(mount1, "$(bundle-id)", bundle_id) + print("allow_mount_point 2: mount2 =", mount2) + + mount2 == i_storage.mount_point + + print("allow_mount_point 2: true") +} +allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { + p_storage.fstype == "local" + + mount1 := p_storage.mount_point + print("allow_mount_point 3: mount1 =", mount1) + + mount2 := replace(mount1, "$(cpath)", policy_data.common.cpath) + print("allow_mount_point 3: mount2 =", mount2) + + mount3 := replace(mount2, "$(sandbox-id)", sandbox_id) + print("allow_mount_point 3: mount3 =", mount3) + + regex.match(mount3, i_storage.mount_point) + + print("allow_mount_point 3: true") +} +allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { + p_storage.fstype == "bind" + + mount1 := p_storage.mount_point + print("allow_mount_point 4: mount1 =", mount1) + + mount2 := replace(mount1, "$(cpath)", policy_data.common.cpath) + print("allow_mount_point 4: mount2 =", 
mount2) + + mount3 := replace(mount2, "$(bundle-id)", bundle_id) + print("allow_mount_point 4: mount3 =", mount3) + + regex.match(mount3, i_storage.mount_point) + + print("allow_mount_point 4: true") +} +allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { + p_storage.fstype == "tmpfs" + + mount1 := p_storage.mount_point + print("allow_mount_point 5: mount1 =", mount1) + + regex.match(mount1, i_storage.mount_point) + + print("allow_mount_point 5: true") +} +allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { + print("allow_mount_point 6: i_storage.mount_point =", i_storage.mount_point) + allow_direct_vol_driver(p_storage, i_storage) + + mount1 := p_storage.mount_point + print("allow_mount_point 6: mount1 =", mount1) + + mount2 := replace(mount1, "$(spath)", policy_data.common.spath) + print("allow_mount_point 6: mount2 =", mount2) + + direct_vol_path := i_storage.source + mount3 := replace(mount2, "$(b64-direct-vol-path)", base64url.encode(direct_vol_path)) + print("allow_mount_point 6: mount3 =", mount3) + + mount3 == i_storage.mount_point + + print("allow_mount_point 6: true") +} + +allow_direct_vol_driver(p_storage, i_storage) { + print("allow_direct_vol_driver 1: start") + p_storage.driver == "blk" + print("allow_direct_vol_driver 1: true") +} +allow_direct_vol_driver(p_storage, i_storage) { + print("allow_direct_vol_driver 2: start") + p_storage.driver == "smb" + print("allow_direct_vol_driver 2: true") +} + +# process.Capabilities +allow_caps(p_caps, i_caps) { + print("allow_caps: policy Ambient =", p_caps.Ambient) + print("allow_caps: input Ambient =", i_caps.Ambient) + match_caps(p_caps.Ambient, i_caps.Ambient) + + print("allow_caps: policy Bounding =", p_caps.Bounding) + print("allow_caps: input Bounding =", i_caps.Bounding) + match_caps(p_caps.Bounding, i_caps.Bounding) + + print("allow_caps: policy Effective =", p_caps.Effective) + print("allow_caps: input Effective =", i_caps.Effective) + 
match_caps(p_caps.Effective, i_caps.Effective) + + print("allow_caps: policy Inheritable =", p_caps.Inheritable) + print("allow_caps: input Inheritable =", i_caps.Inheritable) + match_caps(p_caps.Inheritable, i_caps.Inheritable) + + print("allow_caps: policy Permitted =", p_caps.Permitted) + print("allow_caps: input Permitted =", i_caps.Permitted) + match_caps(p_caps.Permitted, i_caps.Permitted) +} + +match_caps(p_caps, i_caps) { + print("match_caps 1: start") + + p_caps == i_caps + + print("match_caps 1: true") +} +match_caps(p_caps, i_caps) { + print("match_caps 2: start") + + count(p_caps) == 1 + p_caps[0] == "$(default_caps)" + + print("match_caps 2: default_caps =", policy_data.common.default_caps) + policy_data.common.default_caps == i_caps + + print("match_caps 2: true") +} +match_caps(p_caps, i_caps) { + print("match_caps 3: start") + + count(p_caps) == 1 + p_caps[0] == "$(privileged_caps)" + + print("match_caps 3: privileged_caps =", policy_data.common.privileged_caps) + policy_data.common.privileged_caps == i_caps + + print("match_caps 3: true") +} + +###################################################################### +check_directory_traversal(i_path) { + contains(i_path, "../") == false + endswith(i_path, "/..") == false + i_path != ".." +} + +check_symlink_source { + # TODO: delete this rule once the symlink_src field gets implemented + # by all/most Guest VMs. 
+ not input.symlink_src +} +check_symlink_source { + i_src := input.symlink_src + print("check_symlink_source: i_src =", i_src) + + startswith(i_src, "/") == false + check_directory_traversal(i_src) +} + +allow_sandbox_storages(i_storages) { + print("allow_sandbox_storages: i_storages =", i_storages) + + p_storages := policy_data.sandbox.storages + every i_storage in i_storages { + allow_sandbox_storage(p_storages, i_storage) + } + + print("allow_sandbox_storages: true") +} + +allow_sandbox_storage(p_storages, i_storage) { + print("allow_sandbox_storage: i_storage =", i_storage) + + some p_storage in p_storages + print("allow_sandbox_storage: p_storage =", p_storage) + i_storage == p_storage + + print("allow_sandbox_storage: true") +} + +CopyFileRequest { + print("CopyFileRequest: input.path =", input.path) + + check_symlink_source + check_directory_traversal(input.path) + + some regex1 in policy_data.request_defaults.CopyFileRequest + regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix) + regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath) + regex4 := replace(regex3, "$(bundle-id)", "[a-z0-9]{64}") + print("CopyFileRequest: regex4 =", regex4) + + regex.match(regex4, input.path) + + print("CopyFileRequest: true") +} + +CreateSandboxRequest { + print("CreateSandboxRequest: input.guest_hook_path =", input.guest_hook_path) + count(input.guest_hook_path) == 0 + + print("CreateSandboxRequest: input.kernel_modules =", input.kernel_modules) + count(input.kernel_modules) == 0 + + i_pidns := input.sandbox_pidns + print("CreateSandboxRequest: i_pidns =", i_pidns) + i_pidns == false + + allow_sandbox_storages(input.storages) +} + +ExecProcessRequest { + print("ExecProcessRequest 1: input =", input) + + i_command = concat(" ", input.process.Args) + print("ExecProcessRequest 1: i_command =", i_command) + + some p_command in policy_data.request_defaults.ExecProcessRequest.commands + print("ExecProcessRequest 1: p_command =", p_command) + p_command == 
i_command + + print("ExecProcessRequest 1: true") +} +ExecProcessRequest { + print("ExecProcessRequest 2: input =", input) + + # TODO: match input container ID with its corresponding container.exec_commands. + i_command = concat(" ", input.process.Args) + print("ExecProcessRequest 3: i_command =", i_command) + + some container in policy_data.containers + some p_command in container.exec_commands + print("ExecProcessRequest 2: p_command =", p_command) + + # TODO: should other input data fields be validated as well? + p_command == i_command + + print("ExecProcessRequest 2: true") +} +ExecProcessRequest { + print("ExecProcessRequest 3: input =", input) + + i_command = concat(" ", input.process.Args) + print("ExecProcessRequest 3: i_command =", i_command) + + some p_regex in policy_data.request_defaults.ExecProcessRequest.regex + print("ExecProcessRequest 3: p_regex =", p_regex) + + regex.match(p_regex, i_command) + + print("ExecProcessRequest 3: true") +} + +CloseStdinRequest { + policy_data.request_defaults.CloseStdinRequest == true +} + +ReadStreamRequest { + policy_data.request_defaults.ReadStreamRequest == true +} + +UpdateEphemeralMountsRequest { + policy_data.request_defaults.UpdateEphemeralMountsRequest == true +} + +WriteStreamRequest { + policy_data.request_defaults.WriteStreamRequest == true +} + +policy_data := { + "containers": [ + { + "OCI": { + "Version": "1.1.0-rc.1", + "Process": { + "Terminal": false, + "User": { + "UID": 65535, + "GID": 65535, + "AdditionalGids": [], + "Username": "" + }, + "Args": [ + "/pause" + ], + "Env": [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" + ], + "Cwd": "/", + "Capabilities": { + "Ambient": [], + "Bounding": [ + "$(default_caps)" + ], + "Effective": [ + "$(default_caps)" + ], + "Inheritable": [], + "Permitted": [ + "$(default_caps)" + ] + }, + "NoNewPrivileges": true + }, + "Root": { + "Path": "$(cpath)/$(bundle-id)", + "Readonly": true + }, + "Mounts": [ + { + "destination": "/proc", + 
"source": "proc", + "type_": "proc", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/dev", + "source": "tmpfs", + "type_": "tmpfs", + "options": [ + "nosuid", + "strictatime", + "mode=755", + "size=65536k" + ] + }, + { + "destination": "/dev/pts", + "source": "devpts", + "type_": "devpts", + "options": [ + "nosuid", + "noexec", + "newinstance", + "ptmxmode=0666", + "mode=0620", + "gid=5" + ] + }, + { + "destination": "/dev/shm", + "source": "/run/kata-containers/sandbox/shm", + "type_": "bind", + "options": [ + "rbind" + ] + }, + { + "destination": "/dev/mqueue", + "source": "mqueue", + "type_": "mqueue", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/sys", + "source": "sysfs", + "type_": "sysfs", + "options": [ + "nosuid", + "noexec", + "nodev", + "ro" + ] + }, + { + "destination": "/etc/resolv.conf", + "source": "$(sfprefix)resolv.conf$", + "type_": "bind", + "options": [ + "rbind", + "ro", + "nosuid", + "nodev", + "noexec" + ] + } + ], + "Annotations": { + "io.katacontainers.config.agent.policyOption.execCommands": "W3siY29udGFpbmVyTmFtZSI6ImJ1c3lib3gyIiwiZXhlY0NvbW1hbmRzIjpbImRoIC1oIiwicHMgLWVmIl19LCB7ImNvbnRhaW5lck5hbWUiOiJidXN5Ym94MyIsImV4ZWNDb21tYW5kcyI6WyJscyJdfV0=", + "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/$(bundle-id)", + "io.katacontainers.pkg.oci.container_type": "pod_sandbox", + "io.kubernetes.cri.container-type": "sandbox", + "io.kubernetes.cri.sandbox-id": "^[a-z0-9]{64}$", + "io.kubernetes.cri.sandbox-log-directory": "^/var/log/pods/$(sandbox-namespace)_$(sandbox-name)_[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "io.kubernetes.cri.sandbox-name": "same-containers", + "io.kubernetes.cri.sandbox-namespace": "default", + "nerdctl/network-namespace": "^/var/run/netns/cni-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$" + }, + "Linux": { + "Namespaces": [ + { + "Type": "ipc", + "Path": "" + }, + { + 
"Type": "uts", + "Path": "" + }, + { + "Type": "mount", + "Path": "" + } + ], + "MaskedPaths": [ + "/proc/acpi", + "/proc/asound", + "/proc/kcore", + "/proc/keys", + "/proc/latency_stats", + "/proc/timer_list", + "/proc/timer_stats", + "/proc/sched_debug", + "/sys/firmware", + "/proc/scsi" + ], + "ReadonlyPaths": [ + "/proc/bus", + "/proc/fs", + "/proc/irq", + "/proc/sys", + "/proc/sysrq-trigger" + ] + } + }, + "storages": [ + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash0)" + ], + "mount_point": "$(layer0)", + "fs_group": null + }, + { + "driver": "overlayfs", + "driver_options": [], + "source": "", + "fstype": "fuse3.kata-overlay", + "options": [ + "5a5aad80055ff20012a50dc25f8df7a29924474324d65f7d5306ee8ee27ff71d", + "817250f1a3e336da76f5bd3fa784e1b26d959b9c131876815ba2604048b70c18" + ], + "mount_point": "$(cpath)/$(bundle-id)", + "fs_group": null + } + ], + "sandbox_pidns": false, + "exec_commands": [] + }, + { + "OCI": { + "Version": "1.1.0-rc.1", + "Process": { + "Terminal": true, + "User": { + "UID": 0, + "GID": 0, + "AdditionalGids": [], + "Username": "" + }, + "Args": [ + "/bin/sh", + "-c", + "while true; do echo hello; sleep 10; done" + ], + "Env": [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", + "TERM=xterm", + "HOSTNAME=$(host-name)", + "POD_NAME=$(sandbox-name)", + "POD_NAMESPACE=default", + "POD_IP=$(pod-ip)" + ], + "Cwd": "/", + "Capabilities": { + "Ambient": [], + "Bounding": [ + "$(privileged_caps)" + ], + "Effective": [ + "$(privileged_caps)" + ], + "Inheritable": [], + "Permitted": [ + "$(privileged_caps)" + ] + }, + "NoNewPrivileges": false + }, + "Root": { + "Path": "$(cpath)/$(bundle-id)", + "Readonly": false + }, + "Mounts": [ + { + "destination": "/proc", + "source": "proc", + "type_": "proc", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/dev", + "source": "tmpfs", + "type_": "tmpfs", + "options": [ + "nosuid", + 
"strictatime", + "mode=755", + "size=65536k" + ] + }, + { + "destination": "/dev/pts", + "source": "devpts", + "type_": "devpts", + "options": [ + "nosuid", + "noexec", + "newinstance", + "ptmxmode=0666", + "mode=0620", + "gid=5" + ] + }, + { + "destination": "/dev/shm", + "source": "/run/kata-containers/sandbox/shm", + "type_": "bind", + "options": [ + "rbind" + ] + }, + { + "destination": "/dev/mqueue", + "source": "mqueue", + "type_": "mqueue", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/sys", + "source": "sysfs", + "type_": "sysfs", + "options": [ + "nosuid", + "noexec", + "nodev", + "rw" + ] + }, + { + "destination": "/sys/fs/cgroup", + "source": "cgroup", + "type_": "cgroup", + "options": [ + "nosuid", + "noexec", + "nodev", + "relatime", + "rw" + ] + }, + { + "destination": "/etc/hosts", + "source": "$(sfprefix)hosts$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/dev/termination-log", + "source": "$(sfprefix)termination-log$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/etc/hostname", + "source": "$(sfprefix)hostname$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/etc/resolv.conf", + "source": "$(sfprefix)resolv.conf$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/var/run/secrets/kubernetes.io/serviceaccount", + "source": "$(sfprefix)serviceaccount$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "ro" + ] + }, + { + "destination": "/var/run/secrets/azure/tokens", + "source": "$(sfprefix)tokens$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "ro" + ] + } + ], + "Annotations": { + "io.katacontainers.config.agent.policyOption.execCommands": 
"W3siY29udGFpbmVyTmFtZSI6ImJ1c3lib3gyIiwiZXhlY0NvbW1hbmRzIjpbImRoIC1oIiwicHMgLWVmIl19LCB7ImNvbnRhaW5lck5hbWUiOiJidXN5Ym94MyIsImV4ZWNDb21tYW5kcyI6WyJscyJdfV0=", + "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/$(bundle-id)", + "io.katacontainers.pkg.oci.container_type": "pod_container", + "io.kubernetes.cri.container-name": "busybox1", + "io.kubernetes.cri.container-type": "container", + "io.kubernetes.cri.image-name": "mcr.microsoft.com/aks/e2e/library-busybox:master.220314.1-linux-amd64", + "io.kubernetes.cri.sandbox-id": "^[a-z0-9]{64}$", + "io.kubernetes.cri.sandbox-name": "same-containers", + "io.kubernetes.cri.sandbox-namespace": "default" + }, + "Linux": { + "Namespaces": [ + { + "Type": "ipc", + "Path": "" + }, + { + "Type": "uts", + "Path": "" + }, + { + "Type": "mount", + "Path": "" + } + ], + "MaskedPaths": [], + "ReadonlyPaths": [] + } + }, + "storages": [ + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash0)" + ], + "mount_point": "$(layer0)", + "fs_group": null + }, + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash1)" + ], + "mount_point": "$(layer1)", + "fs_group": null + }, + { + "driver": "overlayfs", + "driver_options": [], + "source": "", + "fstype": "fuse3.kata-overlay", + "options": [ + "2c342a137e693c7898aec36da1047f191dc7c1687e66198adacc439cf4adf379:2570e3a19e1bf20ddda45498a9627f61555d2d6c01479b9b76460b679b27d552", + "8568c70c0ccfe0051092e818da769111a59882cd19dd799d3bca5ffa82791080:b643b6217748983830b26ac14a35a3322dd528c00963eaadd91ef55f513dc73f" + ], + "mount_point": "$(cpath)/$(bundle-id)", + "fs_group": null + } + ], + "sandbox_pidns": false, + "exec_commands": [] + }, + { + "OCI": { + "Version": "1.1.0-rc.1", + "Process": { + "Terminal": false, + "User": { + "UID": 0, + "GID": 0, + "AdditionalGids": [], + "Username": "" + }, + "Args": [ + "/bin/sh", + "-c", + "while true; do echo 
hello; sleep 10; done" + ], + "Env": [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", + "HOSTNAME=$(host-name)", + "POD_NAME=$(sandbox-name)", + "POD_NAMESPACE=default", + "POD_IP=$(pod-ip)" + ], + "Cwd": "/", + "Capabilities": { + "Ambient": [], + "Bounding": [ + "$(privileged_caps)" + ], + "Effective": [ + "$(privileged_caps)" + ], + "Inheritable": [], + "Permitted": [ + "$(privileged_caps)" + ] + }, + "NoNewPrivileges": false + }, + "Root": { + "Path": "$(cpath)/$(bundle-id)", + "Readonly": false + }, + "Mounts": [ + { + "destination": "/proc", + "source": "proc", + "type_": "proc", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/dev", + "source": "tmpfs", + "type_": "tmpfs", + "options": [ + "nosuid", + "strictatime", + "mode=755", + "size=65536k" + ] + }, + { + "destination": "/dev/pts", + "source": "devpts", + "type_": "devpts", + "options": [ + "nosuid", + "noexec", + "newinstance", + "ptmxmode=0666", + "mode=0620", + "gid=5" + ] + }, + { + "destination": "/dev/shm", + "source": "/run/kata-containers/sandbox/shm", + "type_": "bind", + "options": [ + "rbind" + ] + }, + { + "destination": "/dev/mqueue", + "source": "mqueue", + "type_": "mqueue", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/sys", + "source": "sysfs", + "type_": "sysfs", + "options": [ + "nosuid", + "noexec", + "nodev", + "rw" + ] + }, + { + "destination": "/sys/fs/cgroup", + "source": "cgroup", + "type_": "cgroup", + "options": [ + "nosuid", + "noexec", + "nodev", + "relatime", + "rw" + ] + }, + { + "destination": "/etc/hosts", + "source": "$(sfprefix)hosts$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/dev/termination-log", + "source": "$(sfprefix)termination-log$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/etc/hostname", + "source": "$(sfprefix)hostname$", + "type_": "bind", + "options": [ + 
"rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/etc/resolv.conf", + "source": "$(sfprefix)resolv.conf$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/var/run/secrets/kubernetes.io/serviceaccount", + "source": "$(sfprefix)serviceaccount$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "ro" + ] + }, + { + "destination": "/var/run/secrets/azure/tokens", + "source": "$(sfprefix)tokens$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "ro" + ] + } + ], + "Annotations": { + "io.katacontainers.config.agent.policyOption.execCommands": "W3siY29udGFpbmVyTmFtZSI6ImJ1c3lib3gyIiwiZXhlY0NvbW1hbmRzIjpbImRoIC1oIiwicHMgLWVmIl19LCB7ImNvbnRhaW5lck5hbWUiOiJidXN5Ym94MyIsImV4ZWNDb21tYW5kcyI6WyJscyJdfV0=", + "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/$(bundle-id)", + "io.katacontainers.pkg.oci.container_type": "pod_container", + "io.kubernetes.cri.container-name": "busybox2", + "io.kubernetes.cri.container-type": "container", + "io.kubernetes.cri.image-name": "mcr.microsoft.com/aks/e2e/library-busybox:master.220314.1-linux-amd64", + "io.kubernetes.cri.sandbox-id": "^[a-z0-9]{64}$", + "io.kubernetes.cri.sandbox-name": "same-containers", + "io.kubernetes.cri.sandbox-namespace": "default" + }, + "Linux": { + "Namespaces": [ + { + "Type": "ipc", + "Path": "" + }, + { + "Type": "uts", + "Path": "" + }, + { + "Type": "mount", + "Path": "" + } + ], + "MaskedPaths": [], + "ReadonlyPaths": [] + } + }, + "storages": [ + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash0)" + ], + "mount_point": "$(layer0)", + "fs_group": null + }, + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash1)" + ], + "mount_point": "$(layer1)", + "fs_group": null + }, + { + "driver": "overlayfs", + "driver_options": [], + "source": "", + "fstype": "fuse3.kata-overlay", + 
"options": [ + "2c342a137e693c7898aec36da1047f191dc7c1687e66198adacc439cf4adf379:2570e3a19e1bf20ddda45498a9627f61555d2d6c01479b9b76460b679b27d552", + "8568c70c0ccfe0051092e818da769111a59882cd19dd799d3bca5ffa82791080:b643b6217748983830b26ac14a35a3322dd528c00963eaadd91ef55f513dc73f" + ], + "mount_point": "$(cpath)/$(bundle-id)", + "fs_group": null + } + ], + "sandbox_pidns": false, + "exec_commands": [] + }, + { + "OCI": { + "Version": "1.1.0-rc.1", + "Process": { + "Terminal": false, + "User": { + "UID": 0, + "GID": 0, + "AdditionalGids": [], + "Username": "" + }, + "Args": [ + "/bin/sh", + "-c", + "while true; do echo hello; sleep 10; done" + ], + "Env": [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", + "HOSTNAME=$(host-name)", + "POD_NAME=$(sandbox-name)", + "POD_NAMESPACE=default", + "POD_IP=$(pod-ip)" + ], + "Cwd": "/", + "Capabilities": { + "Ambient": [], + "Bounding": [ + "$(privileged_caps)" + ], + "Effective": [ + "$(privileged_caps)" + ], + "Inheritable": [], + "Permitted": [ + "$(privileged_caps)" + ] + }, + "NoNewPrivileges": false + }, + "Root": { + "Path": "$(cpath)/$(bundle-id)", + "Readonly": false + }, + "Mounts": [ + { + "destination": "/proc", + "source": "proc", + "type_": "proc", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/dev", + "source": "tmpfs", + "type_": "tmpfs", + "options": [ + "nosuid", + "strictatime", + "mode=755", + "size=65536k" + ] + }, + { + "destination": "/dev/pts", + "source": "devpts", + "type_": "devpts", + "options": [ + "nosuid", + "noexec", + "newinstance", + "ptmxmode=0666", + "mode=0620", + "gid=5" + ] + }, + { + "destination": "/dev/shm", + "source": "/run/kata-containers/sandbox/shm", + "type_": "bind", + "options": [ + "rbind" + ] + }, + { + "destination": "/dev/mqueue", + "source": "mqueue", + "type_": "mqueue", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/sys", + "source": "sysfs", + "type_": "sysfs", + "options": [ + 
"nosuid", + "noexec", + "nodev", + "rw" + ] + }, + { + "destination": "/sys/fs/cgroup", + "source": "cgroup", + "type_": "cgroup", + "options": [ + "nosuid", + "noexec", + "nodev", + "relatime", + "rw" + ] + }, + { + "destination": "/etc/hosts", + "source": "$(sfprefix)hosts$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/dev/termination-log", + "source": "$(sfprefix)termination-log$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/etc/hostname", + "source": "$(sfprefix)hostname$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/etc/resolv.conf", + "source": "$(sfprefix)resolv.conf$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/var/run/secrets/kubernetes.io/serviceaccount", + "source": "$(sfprefix)serviceaccount$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "ro" + ] + }, + { + "destination": "/var/run/secrets/azure/tokens", + "source": "$(sfprefix)tokens$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "ro" + ] + } + ], + "Annotations": { + "io.katacontainers.config.agent.policyOption.execCommands": "W3siY29udGFpbmVyTmFtZSI6ImJ1c3lib3gyIiwiZXhlY0NvbW1hbmRzIjpbImRoIC1oIiwicHMgLWVmIl19LCB7ImNvbnRhaW5lck5hbWUiOiJidXN5Ym94MyIsImV4ZWNDb21tYW5kcyI6WyJscyJdfV0=", + "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/$(bundle-id)", + "io.katacontainers.pkg.oci.container_type": "pod_container", + "io.kubernetes.cri.container-name": "busybox3", + "io.kubernetes.cri.container-type": "container", + "io.kubernetes.cri.image-name": "mcr.microsoft.com/aks/e2e/library-busybox:master.220314.1-linux-amd64", + "io.kubernetes.cri.sandbox-id": "^[a-z0-9]{64}$", + "io.kubernetes.cri.sandbox-name": "same-containers", + "io.kubernetes.cri.sandbox-namespace": "default" + }, + "Linux": { + "Namespaces": [ + { + 
"Type": "ipc", + "Path": "" + }, + { + "Type": "uts", + "Path": "" + }, + { + "Type": "mount", + "Path": "" + } + ], + "MaskedPaths": [], + "ReadonlyPaths": [] + } + }, + "storages": [ + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash0)" + ], + "mount_point": "$(layer0)", + "fs_group": null + }, + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash1)" + ], + "mount_point": "$(layer1)", + "fs_group": null + }, + { + "driver": "overlayfs", + "driver_options": [], + "source": "", + "fstype": "fuse3.kata-overlay", + "options": [ + "2c342a137e693c7898aec36da1047f191dc7c1687e66198adacc439cf4adf379:2570e3a19e1bf20ddda45498a9627f61555d2d6c01479b9b76460b679b27d552", + "8568c70c0ccfe0051092e818da769111a59882cd19dd799d3bca5ffa82791080:b643b6217748983830b26ac14a35a3322dd528c00963eaadd91ef55f513dc73f" + ], + "mount_point": "$(cpath)/$(bundle-id)", + "fs_group": null + } + ], + "sandbox_pidns": false, + "exec_commands": [] + } + ], + "common": { + "cpath": "/run/kata-containers/shared/containers", + "sfprefix": "^$(cpath)/$(bundle-id)-[a-z0-9]{16}-", + "spath": "/run/kata-containers/sandbox/storage", + "ipv4_a": "((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}", + "ip_p": "[0-9]{1,5}", + "svc_name": "[A-Z0-9_\\.\\-]+", + "dns_label": "[a-zA-Z0-9_\\.\\-]+", + "default_caps": [ + "CAP_CHOWN", + "CAP_DAC_OVERRIDE", + "CAP_FSETID", + "CAP_FOWNER", + "CAP_MKNOD", + "CAP_NET_RAW", + "CAP_SETGID", + "CAP_SETUID", + "CAP_SETFCAP", + "CAP_SETPCAP", + "CAP_NET_BIND_SERVICE", + "CAP_SYS_CHROOT", + "CAP_KILL", + "CAP_AUDIT_WRITE" + ], + "privileged_caps": [ + "CAP_CHOWN", + "CAP_DAC_OVERRIDE", + "CAP_DAC_READ_SEARCH", + "CAP_FOWNER", + "CAP_FSETID", + "CAP_KILL", + "CAP_SETGID", + "CAP_SETUID", + "CAP_SETPCAP", + "CAP_LINUX_IMMUTABLE", + "CAP_NET_BIND_SERVICE", + "CAP_NET_BROADCAST", + "CAP_NET_ADMIN", + "CAP_NET_RAW", + "CAP_IPC_LOCK", + "CAP_IPC_OWNER", + "CAP_SYS_MODULE", + 
"CAP_SYS_RAWIO", + "CAP_SYS_CHROOT", + "CAP_SYS_PTRACE", + "CAP_SYS_PACCT", + "CAP_SYS_ADMIN", + "CAP_SYS_BOOT", + "CAP_SYS_NICE", + "CAP_SYS_RESOURCE", + "CAP_SYS_TIME", + "CAP_SYS_TTY_CONFIG", + "CAP_MKNOD", + "CAP_LEASE", + "CAP_AUDIT_WRITE", + "CAP_AUDIT_CONTROL", + "CAP_SETFCAP", + "CAP_MAC_OVERRIDE", + "CAP_MAC_ADMIN", + "CAP_SYSLOG", + "CAP_WAKE_ALARM", + "CAP_BLOCK_SUSPEND", + "CAP_AUDIT_READ", + "CAP_PERFMON", + "CAP_BPF", + "CAP_CHECKPOINT_RESTORE" + ], + "virtio_blk_storage_classes": [ + "cc-local-csi", + "cc-managed-csi", + "cc-managed-premium-csi" + ], + "smb_storage_classes": [ + "cc-azurefile-csi", + "cc-azurefile-premium-csi" + ] + }, + "sandbox": { + "storages": [ + { + "driver": "ephemeral", + "driver_options": [], + "source": "shm", + "fstype": "tmpfs", + "options": [ + "noexec", + "nosuid", + "nodev", + "mode=1777", + "size=67108864" + ], + "mount_point": "/run/kata-containers/sandbox/shm", + "fs_group": null + } + ] + }, + "request_defaults": { + "CreateContainerRequest": { + "allow_env_regex": [ + "^HOSTNAME=$(dns_label)$", + "^$(svc_name)_PORT_$(ip_p)_TCP=tcp://$(ipv4_a):$(ip_p)$", + "^$(svc_name)_PORT_$(ip_p)_TCP_PROTO=tcp$", + "^$(svc_name)_PORT_$(ip_p)_TCP_PORT=$(ip_p)$", + "^$(svc_name)_PORT_$(ip_p)_TCP_ADDR=$(ipv4_a)$", + "^$(svc_name)_SERVICE_HOST=$(ipv4_a)$", + "^$(svc_name)_SERVICE_PORT=$(ip_p)$", + "^$(svc_name)_SERVICE_PORT_$(dns_label)=$(ip_p)$", + "^$(svc_name)_PORT=tcp://$(ipv4_a):$(ip_p)$", + "^AZURE_CLIENT_ID=[A-Fa-f0-9-]*$", + "^AZURE_TENANT_ID=[A-Fa-f0-9-]*$", + "^AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/azure/tokens/azure-identity-token$", + "^AZURE_AUTHORITY_HOST=https://login\\.microsoftonline\\.com/$" + ] + }, + "CopyFileRequest": [ + "$(sfprefix)" + ], + "ExecProcessRequest": { + "commands": [], + "regex": [] + }, + "CloseStdinRequest": false, + "ReadStreamRequest": true, + "UpdateEphemeralMountsRequest": false, + "WriteStreamRequest": false + } +} \ No newline at end of file 
diff --git a/tests/kata/data/web/inputs.txt b/tests/kata/data/web/inputs.txt
new file mode 100644
index 00000000..85e13269
--- /dev/null
+++ b/tests/kata/data/web/inputs.txt
@@ -0,0 +1,54 @@
+["ep":"AllowRequestsFailingPolicy",{}],
+
+["ep":"UpdateInterfaceRequest",{"interface":{"device":"eth0","name":"eth0","IPAddresses":[{"family":0,"address":"10.244.0.21","mask":"24"},{"family":1,"address":"fe80::98e4:18ff:fe6c:38fc","mask":"64"}],"mtu":1500,"hwAddr":"9a:e4:18:6c:38:fc","pciPath":"","type_":"","raw_flags":0}}],
+
+["ep":"UpdateRoutesRequest",{"routes":{"Routes":[{"dest":"","gateway":"10.244.0.1","device":"eth0","source":"","scope":0,"family":0}]}}],
+
+["ep":"CreateSandboxRequest",{"hostname":"web-0","dns":["search default.svc.cluster.local svc.cluster.local cluster.local","nameserver 10.0.0.10","options ndots:5",""],"storages":[{"driver":"ephemeral","driver_options":[],"source":"shm","fstype":"tmpfs","options":["noexec","nosuid","nodev","mode=1777","size=67108864"],"mount_point":"/run/kata-containers/sandbox/shm","fs_group":null}],"sandbox_pidns":false,"sandbox_id":"bd9d8a7145f3d1b1306dac8a6ea24d35010ba5c35122ffe1bd2f0cc1bf77298b","guest_hook_path":"","kernel_modules":[]}],
+
+["ep":"GuestDetailsRequest",{"mem_block_size":true,"mem_hotplug_probe":true}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/bd9d8a7145f3d1b1306dac8a6ea24d35010ba5c35122ffe1bd2f0cc1bf77298b-f0e92b7f714aa203-resolv.conf","file_size":102,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CreateContainerRequest",{"container_id":"bd9d8a7145f3d1b1306dac8a6ea24d35010ba5c35122ffe1bd2f0cc1bf77298b","exec_id":"bd9d8a7145f3d1b1306dac8a6ea24d35010ba5c35122ffe1bd2f0cc1bf77298b","string_user":null,"devices":[],"storages":[{"driver":"blk","driver_options":[],"source":"0001:00:01.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=817250f1a3e336da76f5bd3fa784e1b26d959b9c131876815ba2604048b70c18"],"mount_point":"/run/kata-containers/sandbox/layers/5a5aad80055ff20012a50dc25f8df7a29924474324d65f7d5306ee8ee27ff71d","fs_group":null},{"driver":"overlayfs","driver_options":[],"source":"none","fstype":"fuse3.kata-overlay","options":["io.katacontainers.fs-opt.layer-src-prefix=/var/lib/containerd/io.containerd.snapshotter.v1.tardev/layers","io.katacontainers.fs-opt.layer=NWE1YWFkODAwNTVmZjIwMDEyYTUwZGMyNWY4ZGY3YTI5OTI0NDc0MzI0ZDY1ZjdkNTMwNmVlOGVlMjdmZjcxZCx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPTgxNzI1MGYxYTNlMzM2ZGE3NmY1YmQzZmE3ODRlMWIyNmQ5NTliOWMxMzE4NzY4MTViYTI2MDQwNDhiNzBjMTg=","io.katacontainers.fs-opt.overlay-rw","lowerdir=5a5aad80055ff20012a50dc25f8df7a29924474324d65f7d5306ee8ee27ff71d"],"mount_point":"/run/kata-containers/shared/containers/bd9d8a7145f3d1b1306dac8a6ea24d35010ba5c35122ffe1bd2f0cc1bf77298b","fs_group":null}],"OCI":{"Version":"1.1.0-rc.1","Process":{"Terminal":false,"ConsoleSize":null,"User":{"UID":65535,"GID":65535,"AdditionalGids":[65535],"Username":""},"Args":["/pause"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],"Cwd":"/","Capabilities":{"Bounding":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Effective":["CAP_CHOWN","CAP_DAC_OVERRIDE
","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Inheritable":[],"Permitted":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Ambient":[]},"Rlimits":[],"NoNewPrivileges":true,"ApparmorProfile":"","OOMScoreAdj":-998,"SelinuxLabel":""},"Root":{"Path":"/run/kata-containers/shared/containers/bd9d8a7145f3d1b1306dac8a6ea24d35010ba5c35122ffe1bd2f0cc1bf77298b","Readonly":true},"Hostname":"web-0","Mounts":[{"destination":"/proc","source":"proc","type_":"proc","options":["nosuid","noexec","nodev"]},{"destination":"/dev","source":"tmpfs","type_":"tmpfs","options":["nosuid","strictatime","mode=755","size=65536k"]},{"destination":"/dev/pts","source":"devpts","type_":"devpts","options":["nosuid","noexec","newinstance","ptmxmode=0666","mode=0620","gid=5"]},{"destination":"/dev/mqueue","source":"mqueue","type_":"mqueue","options":["nosuid","noexec","nodev"]},{"destination":"/sys","source":"sysfs","type_":"sysfs","options":["nosuid","noexec","nodev","ro"]},{"destination":"/dev/shm","source":"/run/kata-containers/sandbox/shm","type_":"bind","options":["rbind"]},{"destination":"/etc/resolv.conf","source":"/run/kata-containers/shared/containers/bd9d8a7145f3d1b1306dac8a6ea24d35010ba5c35122ffe1bd2f0cc1bf77298b-f0e92b7f714aa203-resolv.conf","type_":"bind","options":["rbind","ro","nosuid","nodev","noexec"]}],"Hooks":null,"Annotations":{"io.katacontainers.pkg.oci.container_type":"pod_sandbox","io.kubernetes.cri.container-type":"sandbox","io.kubernetes.cri.sandbox-log-directory":"/var/log/pods/default_web-0_a03a12a9-f2d5-4b92-952c-c47f68f7b795","io.kubernetes.cri.sandbox-cpu-quota":"0","io.kubernetes.cri.sandbox-memory":"0","io.kubernetes.cri.sandbox-cpu-shares":"2","io.katacontainers.pkg.oci.bundle_path":"
/run/containerd/io.containerd.runtime.v2.task/k8s.io/bd9d8a7145f3d1b1306dac8a6ea24d35010ba5c35122ffe1bd2f0cc1bf77298b","nerdctl/network-namespace":"/var/run/netns/cni-441c0e6e-9425-52fd-473b-ffaf8eec9643","io.kubernetes.cri.sandbox-uid":"a03a12a9-f2d5-4b92-952c-c47f68f7b795","io.kubernetes.cri.sandbox-name":"web-0","io.kubernetes.cri.sandbox-id":"bd9d8a7145f3d1b1306dac8a6ea24d35010ba5c35122ffe1bd2f0cc1bf77298b","io.kubernetes.cri.sandbox-cpu-period":"100000","io.kubernetes.cri.sandbox-namespace":"default"},"Linux":{"UIDMappings":[],"GIDMappings":[],"Sysctl":{},"Resources":{"Devices":[],"Memory":null,"CPU":{"Shares":2,"Quota":0,"Period":0,"RealtimeRuntime":0,"RealtimePeriod":0,"Cpus":"","Mems":""},"Pids":null,"BlockIO":null,"HugepageLimits":[],"Network":null},"CgroupsPath":"/kubepods/besteffort/poda03a12a9-f2d5-4b92-952c-c47f68f7b795/bd9d8a7145f3d1b1306dac8a6ea24d35010ba5c35122ffe1bd2f0cc1bf77298b","Namespaces":[{"Type":"ipc","Path":""},{"Type":"uts","Path":""},{"Type":"mount","Path":""}],"Devices":[],"Seccomp":null,"RootfsPropagation":"","MaskedPaths":["/proc/acpi","/proc/asound","/proc/kcore","/proc/keys","/proc/latency_stats","/proc/timer_list","/proc/timer_stats","/proc/sched_debug","/sys/firmware","/proc/scsi"],"ReadonlyPaths":["/proc/bus","/proc/fs","/proc/irq","/proc/sys","/proc/sysrq-trigger"],"MountLabel":"","IntelRdt":null},"Solaris":null,"Windows":null},"sandbox_pidns":false,"shared_mounts":[]}], + +["ep":"StartContainerRequest",{"container_id":"bd9d8a7145f3d1b1306dac8a6ea24d35010ba5c35122ffe1bd2f0cc1bf77298b"}], + +["ep":"WaitProcessRequest",{"container_id":"bd9d8a7145f3d1b1306dac8a6ea24d35010ba5c35122ffe1bd2f0cc1bf77298b","exec_id":"bd9d8a7145f3d1b1306dac8a6ea24d35010ba5c35122ffe1bd2f0cc1bf77298b"}], + +["ep":"GetOOMEventRequest",{}], + 
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/61d94665cec0025e68f0bea6c4eea6e19b23f8c95a1a45f63a5315b0700d72b1-8e80dc82103dadad-hosts","file_size":239,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/61d94665cec0025e68f0bea6c4eea6e19b23f8c95a1a45f63a5315b0700d72b1-693bc9bb02ffa5f9-termination-log","file_size":0,"file_mode":33206,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/61d94665cec0025e68f0bea6c4eea6e19b23f8c95a1a45f63a5315b0700d72b1-4c26ca9c72f5f92f-hostname","file_size":6,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/61d94665cec0025e68f0bea6c4eea6e19b23f8c95a1a45f63a5315b0700d72b1-911cc8f3fc1fac0f-resolv.conf","file_size":102,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/61d94665cec0025e68f0bea6c4eea6e19b23f8c95a1a45f63a5315b0700d72b1-53c0b95bb07319ea-html","file_size":0,"file_mode":16877,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/61d94665cec0025e68f0bea6c4eea6e19b23f8c95a1a45f63a5315b0700d72b1-53c0b95bb07319ea-html/lost+found","file_size":0,"file_mode":16832,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/61d94665cec0025e68f0bea6c4eea6e19b23f8c95a1a45f63a5315b0700d72b1-ed27a22ae4256441-serviceaccount","file_size":0,"file_mode":17407,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + 
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/61d94665cec0025e68f0bea6c4eea6e19b23f8c95a1a45f63a5315b0700d72b1-ed27a22ae4256441-serviceaccount/..2024_05_08_18_27_27.2903191328","file_size":0,"file_mode":16877,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/61d94665cec0025e68f0bea6c4eea6e19b23f8c95a1a45f63a5315b0700d72b1-ed27a22ae4256441-serviceaccount/..2024_05_08_18_27_27.2903191328/ca.crt","file_size":1761,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/61d94665cec0025e68f0bea6c4eea6e19b23f8c95a1a45f63a5315b0700d72b1-ed27a22ae4256441-serviceaccount/..2024_05_08_18_27_27.2903191328/namespace","file_size":7,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/61d94665cec0025e68f0bea6c4eea6e19b23f8c95a1a45f63a5315b0700d72b1-ed27a22ae4256441-serviceaccount/..2024_05_08_18_27_27.2903191328/token","file_size":1490,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/61d94665cec0025e68f0bea6c4eea6e19b23f8c95a1a45f63a5315b0700d72b1-ed27a22ae4256441-serviceaccount/..data","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..2024_05_08_18_27_27.2903191328"}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/61d94665cec0025e68f0bea6c4eea6e19b23f8c95a1a45f63a5315b0700d72b1-ed27a22ae4256441-serviceaccount/ca.crt","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..data/ca.crt"}], + 
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/61d94665cec0025e68f0bea6c4eea6e19b23f8c95a1a45f63a5315b0700d72b1-ed27a22ae4256441-serviceaccount/namespace","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..data/namespace"}], + +["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/61d94665cec0025e68f0bea6c4eea6e19b23f8c95a1a45f63a5315b0700d72b1-ed27a22ae4256441-serviceaccount/token","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..data/token"}], + +["ep":"CreateContainerRequest",{"container_id":"61d94665cec0025e68f0bea6c4eea6e19b23f8c95a1a45f63a5315b0700d72b1","exec_id":"61d94665cec0025e68f0bea6c4eea6e19b23f8c95a1a45f63a5315b0700d72b1","string_user":null,"devices":[],"storages":[{"driver":"blk","driver_options":[],"source":"0001:00:02.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=073dba7831293107f8873eedabf4922d16a506086f6f46b19b4c2386831c3106"],"mount_point":"/run/kata-containers/sandbox/layers/1b27bec068016fce230a3c9f4920d3be7251e5baada7dca3204a932cbcde27e2","fs_group":null},{"driver":"blk","driver_options":[],"source":"0001:00:03.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=ed0feae4f4dccb686628963b1f1f5dae7b3e015c881e72f005ff2f99c649457e"],"mount_point":"/run/kata-containers/sandbox/layers/c8295c80a79c2ed76e03ddb2af390ac3791b8779da798cb183fa985ce5cee1dc","fs_group":null},{"driver":"blk","driver_options":[],"source":"0001:00:04.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=d138152b660d2dbcc5082afae58edb1bf0ee5742b91933a2f61664b847b23281"],"mount_point":"/run/kata-containers/sandbox/layers/cfb9fe97a1869ee9b0daae3d8cd5
9720cf371da568a6c14bba16d982e7092983","fs_group":null},{"driver":"blk","driver_options":[],"source":"0001:00:05.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=1d69eaf5c5c25731e9a8ebb038c942f6aa6aff5b15b11d8bd44431e514ccd69f"],"mount_point":"/run/kata-containers/sandbox/layers/14f395647869a88f90a33eef50c97e82f4b981b6e20a584d51bf304967b8542c","fs_group":null},{"driver":"blk","driver_options":[],"source":"0001:00:06.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=1eb4bff8040a86c514815a039f6cb4d7aa4c5f1b7a2e1a45f6f86ca8c770ffff"],"mount_point":"/run/kata-containers/sandbox/layers/fc7dd8614820bbafe5b6b6645e19945b4af989b662c989fd46c465fafca702f7","fs_group":null},{"driver":"blk","driver_options":[],"source":"0001:00:07.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=e928fff98ddea2d26dbba075605770bd6f6ef068c975289b49acb3d55030d071"],"mount_point":"/run/kata-containers/sandbox/layers/8d311e8e51984cabaccec1fbfcbcdd7bf52a8a978169cd20af07bbd1c3a4692a","fs_group":null},{"driver":"overlayfs","driver_options":[],"source":"none","fstype":"fuse3.kata-overlay","options":["io.katacontainers.fs-opt.layer-src-prefix=/var/lib/containerd/io.containerd.snapshotter.v1.tardev/layers","io.katacontainers.fs-opt.layer=MWIyN2JlYzA2ODAxNmZjZTIzMGEzYzlmNDkyMGQzYmU3MjUxZTViYWFkYTdkY2EzMjA0YTkzMmNiY2RlMjdlMix0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPTA3M2RiYTc4MzEyOTMxMDdmODg3M2VlZGFiZjQ5MjJkMTZhNTA2MDg2ZjZmNDZiMTliNGMyMzg2ODMxYzMxMDY=","io.katacontainers.fs-opt.layer=YzgyOTVjODBhNzljMmVkNzZlMDNkZGIyYWYzOTBhYzM3OTFiODc3OWRhNzk4Y2IxODNmYTk4NWNlNWNlZTFkYyx0YXIscm8saW8ua2F0YWNvbnRhaW
5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPWVkMGZlYWU0ZjRkY2NiNjg2NjI4OTYzYjFmMWY1ZGFlN2IzZTAxNWM4ODFlNzJmMDA1ZmYyZjk5YzY0OTQ1N2U=","io.katacontainers.fs-opt.layer=Y2ZiOWZlOTdhMTg2OWVlOWIwZGFhZTNkOGNkNTk3MjBjZjM3MWRhNTY4YTZjMTRiYmExNmQ5ODJlNzA5Mjk4Myx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPWQxMzgxNTJiNjYwZDJkYmNjNTA4MmFmYWU1OGVkYjFiZjBlZTU3NDJiOTE5MzNhMmY2MTY2NGI4NDdiMjMyODE=","io.katacontainers.fs-opt.layer=MTRmMzk1NjQ3ODY5YTg4ZjkwYTMzZWVmNTBjOTdlODJmNGI5ODFiNmUyMGE1ODRkNTFiZjMwNDk2N2I4NTQyYyx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPTFkNjllYWY1YzVjMjU3MzFlOWE4ZWJiMDM4Yzk0MmY2YWE2YWZmNWIxNWIxMWQ4YmQ0NDQzMWU1MTRjY2Q2OWY=","io.katacontainers.fs-opt.layer=ZmM3ZGQ4NjE0ODIwYmJhZmU1YjZiNjY0NWUxOTk0NWI0YWY5ODliNjYyYzk4OWZkNDZjNDY1ZmFmY2E3MDJmNyx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPTFlYjRiZmY4MDQwYTg2YzUxNDgxNWEwMzlmNmNiNGQ3YWE0YzVmMWI3YTJlMWE0NWY2Zjg2Y2E4Yzc3MGZmZmY=","io.katacontainers.fs-opt.layer=OGQzMTFlOGU1MTk4NGNhYmFjY2VjMWZiZmNiY2RkN2JmNTJhOGE5NzgxNjljZDIwYWYwN2JiZDFjM2E0NjkyYSx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPWU5MjhmZmY5OGRkZWEyZDI2ZGJiYTA3NTYwNTc3MGJkNmY2ZWYwNjhjOTc1Mjg5YjQ5YWNiM2Q1NTAzMGQwNzE=","io.katacontainers.fs-opt.overlay-rw","lowerdir=1b27bec068016fce230a3c9f4920d3be7251e5baada7dca3204a932cbcde27e2:c8295c80a79c2ed76e03ddb2af390ac3791b8779da798cb183fa985ce5cee1dc:cfb9fe97a1869ee9b0daae3d8cd59720cf371da568a6c14bba16d982e7092983:14f395647869a88f90a33eef50c97e82f4b981b6e20a584d51bf304967b8542c:fc7dd861
4820bbafe5b6b6645e19945b4af989b662c989fd46c465fafca702f7:8d311e8e51984cabaccec1fbfcbcdd7bf52a8a978169cd20af07bbd1c3a4692a"],"mount_point":"/run/kata-containers/shared/containers/61d94665cec0025e68f0bea6c4eea6e19b23f8c95a1a45f63a5315b0700d72b1","fs_group":null}],"OCI":{"Version":"1.1.0-rc.1","Process":{"Terminal":false,"ConsoleSize":null,"User":{"UID":0,"GID":0,"AdditionalGids":[0],"Username":""},"Args":["/bin/sh","-c","while true; do echo web-0; sleep 10; done"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","HOSTNAME=web-0","META_NAME=web-0","KUBERNETES_SERVICE_HOST=10.0.0.1","KUBERNETES_SERVICE_PORT=443","KUBERNETES_SERVICE_PORT_HTTPS=443","KUBERNETES_PORT=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP_PROTO=tcp","KUBERNETES_PORT_443_TCP_PORT=443","KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1"],"Cwd":"/","Capabilities":{"Bounding":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Effective":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Inheritable":[],"Permitted":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Ambient":[]},"Rlimits":[],"NoNewPrivileges":false,"ApparmorProfile":"cri-containerd.apparmor.d","OOMScoreAdj":1000,"SelinuxLabel":""},"Root":{"Path":"/run/kata-containers/shared/containers/61d94665cec0025e68f0bea6c4eea6e19b23f8c95a1a45f63a5315b0700d72b1","Readonly":false},"Hostname":"","Mounts":[{"destination":"/proc","source":"proc","type_":"proc","options":["nosuid","noexec","nodev"]},{"destination":"/dev","source":"tmp
fs","type_":"tmpfs","options":["nosuid","strictatime","mode=755","size=65536k"]},{"destination":"/dev/pts","source":"devpts","type_":"devpts","options":["nosuid","noexec","newinstance","ptmxmode=0666","mode=0620","gid=5"]},{"destination":"/dev/mqueue","source":"mqueue","type_":"mqueue","options":["nosuid","noexec","nodev"]},{"destination":"/sys","source":"sysfs","type_":"sysfs","options":["nosuid","noexec","nodev","ro"]},{"destination":"/sys/fs/cgroup","source":"cgroup","type_":"cgroup","options":["nosuid","noexec","nodev","relatime","ro"]},{"destination":"/etc/hosts","source":"/run/kata-containers/shared/containers/61d94665cec0025e68f0bea6c4eea6e19b23f8c95a1a45f63a5315b0700d72b1-8e80dc82103dadad-hosts","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/dev/termination-log","source":"/run/kata-containers/shared/containers/61d94665cec0025e68f0bea6c4eea6e19b23f8c95a1a45f63a5315b0700d72b1-693bc9bb02ffa5f9-termination-log","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/etc/hostname","source":"/run/kata-containers/shared/containers/61d94665cec0025e68f0bea6c4eea6e19b23f8c95a1a45f63a5315b0700d72b1-4c26ca9c72f5f92f-hostname","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/etc/resolv.conf","source":"/run/kata-containers/shared/containers/61d94665cec0025e68f0bea6c4eea6e19b23f8c95a1a45f63a5315b0700d72b1-911cc8f3fc1fac0f-resolv.conf","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/dev/shm","source":"/run/kata-containers/sandbox/shm","type_":"bind","options":["rbind"]},{"destination":"/usr/share/nginx/html","source":"/run/kata-containers/shared/containers/61d94665cec0025e68f0bea6c4eea6e19b23f8c95a1a45f63a5315b0700d72b1-53c0b95bb07319ea-html","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/var/run/secrets/kubernetes.io/serviceaccount","source":"/run/kata-containers/shared/containers/61d94665cec0025e68f0bea6c4eea6e19b23f8c95a1a45f63a5315b0700d72b1-ed27a22ae4256441-serviceaccount"
,"type_":"bind","options":["rbind","rprivate","ro"]}],"Hooks":null,"Annotations":{"io.katacontainers.pkg.oci.container_type":"pod_container","io.kubernetes.cri.image-name":"mcr.microsoft.com/cbl-mariner/base/nginx:1.22.1-9-cm2.0.20230904-amd64","io.kubernetes.cri.sandbox-name":"web-0","io.kubernetes.cri.container-name":"nginx","io.kubernetes.cri.sandbox-id":"bd9d8a7145f3d1b1306dac8a6ea24d35010ba5c35122ffe1bd2f0cc1bf77298b","io.kubernetes.cri.container-type":"container","io.kubernetes.cri.sandbox-namespace":"default","io.kubernetes.cri.sandbox-uid":"a03a12a9-f2d5-4b92-952c-c47f68f7b795","io.katacontainers.pkg.oci.bundle_path":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/61d94665cec0025e68f0bea6c4eea6e19b23f8c95a1a45f63a5315b0700d72b1"},"Linux":{"UIDMappings":[],"GIDMappings":[],"Sysctl":{},"Resources":{"Devices":[],"Memory":{"Limit":0,"Reservation":0,"Swap":0,"Kernel":0,"KernelTCP":0,"Swappiness":0,"DisableOOMKiller":false},"CPU":{"Shares":2,"Quota":0,"Period":100000,"RealtimeRuntime":0,"RealtimePeriod":0,"Cpus":"","Mems":""},"Pids":null,"BlockIO":null,"HugepageLimits":[],"Network":null},"CgroupsPath":"/kubepods/besteffort/poda03a12a9-f2d5-4b92-952c-c47f68f7b795/61d94665cec0025e68f0bea6c4eea6e19b23f8c95a1a45f63a5315b0700d72b1","Namespaces":[{"Type":"ipc","Path":""},{"Type":"uts","Path":""},{"Type":"mount","Path":""}],"Devices":[],"Seccomp":null,"RootfsPropagation":"","MaskedPaths":["/proc/asound","/proc/acpi","/proc/kcore","/proc/keys","/proc/latency_stats","/proc/timer_list","/proc/timer_stats","/proc/sched_debug","/proc/scsi","/sys/firmware"],"ReadonlyPaths":["/proc/bus","/proc/fs","/proc/irq","/proc/sys","/proc/sysrq-trigger"],"MountLabel":"","IntelRdt":null},"Solaris":null,"Windows":null},"sandbox_pidns":false,"shared_mounts":[]}], + +["ep":"StartContainerRequest",{"container_id":"61d94665cec0025e68f0bea6c4eea6e19b23f8c95a1a45f63a5315b0700d72b1"}], + 
diff --git a/tests/kata/data/web/outputs.json b/tests/kata/data/web/outputs.json
new file mode 100644
index 00000000..a32d802b
--- /dev/null
+++ b/tests/kata/data/web/outputs.json
@@ -0,0 +1,29 @@
+[
+ false,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true
+]
\ No newline at end of file
diff --git a/tests/kata/data/web/policy.rego b/tests/kata/data/web/policy.rego
new file mode 100644
index 00000000..5cb04d4e
--- /dev/null
+++ b/tests/kata/data/web/policy.rego
@@ -0,0 +1,1865 @@
+# Copyright (c) 2023 Microsoft Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+package agent_policy
+
+import future.keywords.in
+import future.keywords.every
+
+# Default values, returned by OPA when rules cannot be evaluated to true.
+default AddARPNeighborsRequest := false
+default AddSwapRequest := false
+default CloseStdinRequest := false
+default CopyFileRequest := false
+default CreateContainerRequest := false
+default CreateSandboxRequest := false
+default DestroySandboxRequest := true
+default ExecProcessRequest := false
+default GetOOMEventRequest := true
+default GuestDetailsRequest := true
+default ListInterfacesRequest := false
+default ListRoutesRequest := false
+default MemHotplugByProbeRequest := false
+default OnlineCPUMemRequest := true
+default PauseContainerRequest := false
+default ReadStreamRequest := false
+default RemoveContainerRequest := true
+default RemoveStaleVirtiofsShareMountsRequest := true
+default ReseedRandomDevRequest := false
+default ResumeContainerRequest := false
+default SetGuestDateTimeRequest := false
+default SetPolicyRequest := false
+default SignalProcessRequest := true
+default StartContainerRequest := true
+default StartTracingRequest := false
+default StatsContainerRequest := true
+default StopTracingRequest := false
+default TtyWinResizeRequest := true
+default UpdateContainerRequest := false
+default UpdateEphemeralMountsRequest := false
+default UpdateInterfaceRequest := true
+default UpdateRoutesRequest := true
+default WaitProcessRequest := true
+default WriteStreamRequest := false
+
+# AllowRequestsFailingPolicy := true configures the Agent to *allow any
+# requests causing a policy failure*. This is an unsecure configuration
+# but is useful for allowing unsecure pods to start, then connect to
+# them and inspect OPA logs for the root cause of a failure.
+default AllowRequestsFailingPolicy := false
+
+CreateContainerRequest {
+ i_oci := input.OCI
+ i_storages := input.storages
+
+ print("CreateContainerRequest: i_oci.Hooks =", i_oci.Hooks)
+ is_null(i_oci.Hooks)
+
+ print("CreateContainerRequest: i_oci.Linux.Seccomp =", i_oci.Linux.Seccomp)
+ is_null(i_oci.Linux.Seccomp)
+
+ some p_container in policy_data.containers
+ print("======== CreateContainerRequest: trying next policy container")
+
+ p_pidns := p_container.sandbox_pidns
+ i_pidns := input.sandbox_pidns
+ print("CreateContainerRequest: p_pidns =", p_pidns, "i_pidns =", i_pidns)
+ p_pidns == i_pidns
+
+ p_oci := p_container.OCI
+
+ print("CreateContainerRequest: p Version =", p_oci.Version, "i Version =", i_oci.Version)
+ p_oci.Version == i_oci.Version
+
+ print("CreateContainerRequest: p Readonly =", p_oci.Root.Readonly, "i Readonly =", i_oci.Root.Readonly)
+ p_oci.Root.Readonly == i_oci.Root.Readonly
+
+ allow_anno(p_oci, i_oci)
+
+ p_storages := p_container.storages
+ allow_by_anno(p_oci, i_oci, p_storages, i_storages)
+
+ allow_linux(p_oci, i_oci)
+
+ print("CreateContainerRequest: true")
+}
+
+# Reject unexpected annotations.
+allow_anno(p_oci, i_oci) { + print("allow_anno 1: start") + + not i_oci.Annotations + + print("allow_anno 1: true") +} +allow_anno(p_oci, i_oci) { + print("allow_anno 2: p Annotations =", p_oci.Annotations) + print("allow_anno 2: i Annotations =", i_oci.Annotations) + + i_keys := object.keys(i_oci.Annotations) + print("allow_anno 2: i keys =", i_keys) + + every i_key in i_keys { + allow_anno_key(i_key, p_oci) + } + + print("allow_anno 2: true") +} + +allow_anno_key(i_key, p_oci) { + print("allow_anno_key 1: i key =", i_key) + + startswith(i_key, "io.kubernetes.cri.") + + print("allow_anno_key 1: true") +} +allow_anno_key(i_key, p_oci) { + print("allow_anno_key 2: i key =", i_key) + + some p_key, _ in p_oci.Annotations + p_key == i_key + + print("allow_anno_key 2: true") +} + +# Get the value of the "io.kubernetes.cri.sandbox-name" annotation and +# correlate it with other annotations and process fields. +allow_by_anno(p_oci, i_oci, p_storages, i_storages) { + print("allow_by_anno 1: start") + + s_name := "io.kubernetes.cri.sandbox-name" + + not p_oci.Annotations[s_name] + + i_s_name := i_oci.Annotations[s_name] + print("allow_by_anno 1: i_s_name =", i_s_name) + + allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, i_s_name) + + print("allow_by_anno 1: true") +} +allow_by_anno(p_oci, i_oci, p_storages, i_storages) { + print("allow_by_anno 2: start") + + s_name := "io.kubernetes.cri.sandbox-name" + + p_s_name := p_oci.Annotations[s_name] + i_s_name := i_oci.Annotations[s_name] + print("allow_by_anno 2: i_s_name =", i_s_name, "p_s_name =", p_s_name) + + allow_sandbox_name(p_s_name, i_s_name) + allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, i_s_name) + + print("allow_by_anno 2: true") +} + +allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, s_name) { + print("allow_by_sandbox_name: start") + + s_namespace := "io.kubernetes.cri.sandbox-namespace" + + p_namespace := p_oci.Annotations[s_namespace] + i_namespace := 
i_oci.Annotations[s_namespace] + print("allow_by_sandbox_name: p_namespace =", p_namespace, "i_namespace =", i_namespace) + p_namespace == i_namespace + + allow_by_container_types(p_oci, i_oci, s_name, p_namespace) + allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) + allow_process(p_oci, i_oci, s_name) + + print("allow_by_sandbox_name: true") +} + +allow_sandbox_name(p_s_name, i_s_name) { + print("allow_sandbox_name 1: start") + + p_s_name == i_s_name + + print("allow_sandbox_name 1: true") +} +allow_sandbox_name(p_s_name, i_s_name) { + print("allow_sandbox_name 2: start") + + # TODO: should generated names be handled differently? + contains(p_s_name, "$(generated-name)") + + print("allow_sandbox_name 2: true") +} + +# Check that the "io.kubernetes.cri.container-type" and +# "io.katacontainers.pkg.oci.container_type" annotations designate the +# expected type - either a "sandbox" or a "container". Then, validate +# other annotations based on the actual "sandbox" or "container" value +# from the input container. 
+allow_by_container_types(p_oci, i_oci, s_name, s_namespace) { + print("allow_by_container_types: checking io.kubernetes.cri.container-type") + + c_type := "io.kubernetes.cri.container-type" + + p_cri_type := p_oci.Annotations[c_type] + i_cri_type := i_oci.Annotations[c_type] + print("allow_by_container_types: p_cri_type =", p_cri_type, "i_cri_type =", i_cri_type) + p_cri_type == i_cri_type + + allow_by_container_type(i_cri_type, p_oci, i_oci, s_name, s_namespace) + + print("allow_by_container_types: true") +} + +allow_by_container_type(i_cri_type, p_oci, i_oci, s_name, s_namespace) { + print("allow_by_container_type 1: i_cri_type =", i_cri_type) + i_cri_type == "sandbox" + + i_kata_type := i_oci.Annotations["io.katacontainers.pkg.oci.container_type"] + print("allow_by_container_type 1: i_kata_type =", i_kata_type) + i_kata_type == "pod_sandbox" + + allow_sandbox_container_name(p_oci, i_oci) + allow_sandbox_net_namespace(p_oci, i_oci) + allow_sandbox_log_directory(p_oci, i_oci, s_name, s_namespace) + + print("allow_by_container_type 1: true") +} + +allow_by_container_type(i_cri_type, p_oci, i_oci, s_name, s_namespace) { + print("allow_by_container_type 2: i_cri_type =", i_cri_type) + i_cri_type == "container" + + i_kata_type := i_oci.Annotations["io.katacontainers.pkg.oci.container_type"] + print("allow_by_container_type 2: i_kata_type =", i_kata_type) + i_kata_type == "pod_container" + + allow_container_name(p_oci, i_oci) + allow_net_namespace(p_oci, i_oci) + allow_log_directory(p_oci, i_oci) + + print("allow_by_container_type 2: true") +} + +# "io.kubernetes.cri.container-name" annotation +allow_sandbox_container_name(p_oci, i_oci) { + print("allow_sandbox_container_name: start") + + container_annotation_missing(p_oci, i_oci, "io.kubernetes.cri.container-name") + + print("allow_sandbox_container_name: true") +} + +allow_container_name(p_oci, i_oci) { + print("allow_container_name: start") + + allow_container_annotation(p_oci, i_oci, 
"io.kubernetes.cri.container-name") + + print("allow_container_name: true") +} + +container_annotation_missing(p_oci, i_oci, key) { + print("container_annotation_missing:", key) + + not p_oci.Annotations[key] + not i_oci.Annotations[key] + + print("container_annotation_missing: true") +} + +allow_container_annotation(p_oci, i_oci, key) { + print("allow_container_annotation: key =", key) + + p_value := p_oci.Annotations[key] + i_value := i_oci.Annotations[key] + print("allow_container_annotation: p_value =", p_value, "i_value =", i_value) + + p_value == i_value + + print("allow_container_annotation: true") +} + +# "nerdctl/network-namespace" annotation +allow_sandbox_net_namespace(p_oci, i_oci) { + print("allow_sandbox_net_namespace: start") + + key := "nerdctl/network-namespace" + + p_namespace := p_oci.Annotations[key] + i_namespace := i_oci.Annotations[key] + print("allow_sandbox_net_namespace: p_namespace =", p_namespace, "i_namespace =", i_namespace) + + regex.match(p_namespace, i_namespace) + + print("allow_sandbox_net_namespace: true") +} + +allow_net_namespace(p_oci, i_oci) { + print("allow_net_namespace: start") + + key := "nerdctl/network-namespace" + + not p_oci.Annotations[key] + not i_oci.Annotations[key] + + print("allow_net_namespace: true") +} + +# "io.kubernetes.cri.sandbox-log-directory" annotation +allow_sandbox_log_directory(p_oci, i_oci, s_name, s_namespace) { + print("allow_sandbox_log_directory: start") + + key := "io.kubernetes.cri.sandbox-log-directory" + + p_dir := p_oci.Annotations[key] + regex1 := replace(p_dir, "$(sandbox-name)", s_name) + regex2 := replace(regex1, "$(sandbox-namespace)", s_namespace) + print("allow_sandbox_log_directory: regex2 =", regex2) + + i_dir := i_oci.Annotations[key] + print("allow_sandbox_log_directory: i_dir =", i_dir) + + regex.match(regex2, i_dir) + + print("allow_sandbox_log_directory: true") +} + +allow_log_directory(p_oci, i_oci) { + print("allow_log_directory: start") + + key := 
"io.kubernetes.cri.sandbox-log-directory" + + not p_oci.Annotations[key] + not i_oci.Annotations[key] + + print("allow_log_directory: true") +} + +allow_linux(p_oci, i_oci) { + p_namespaces := p_oci.Linux.Namespaces + print("allow_linux: p namespaces =", p_namespaces) + + i_namespaces := i_oci.Linux.Namespaces + print("allow_linux: i namespaces =", i_namespaces) + + p_namespaces == i_namespaces + + allow_masked_paths(p_oci, i_oci) + allow_readonly_paths(p_oci, i_oci) + + print("allow_linux: true") +} + +allow_masked_paths(p_oci, i_oci) { + p_paths := p_oci.Linux.MaskedPaths + print("allow_masked_paths 1: p_paths =", p_paths) + + i_paths := i_oci.Linux.MaskedPaths + print("allow_masked_paths 1: i_paths =", i_paths) + + allow_masked_paths_array(p_paths, i_paths) + + print("allow_masked_paths 1: true") +} +allow_masked_paths(p_oci, i_oci) { + print("allow_masked_paths 2: start") + + not p_oci.Linux.MaskedPaths + not i_oci.Linux.MaskedPaths + + print("allow_masked_paths 2: true") +} + +# All the policy masked paths must be masked in the input data too. +# Input is allowed to have more masked paths than the policy. 
+allow_masked_paths_array(p_array, i_array) { + every p_elem in p_array { + allow_masked_path(p_elem, i_array) + } +} + +allow_masked_path(p_elem, i_array) { + print("allow_masked_path: p_elem =", p_elem) + + some i_elem in i_array + p_elem == i_elem + + print("allow_masked_path: true") +} + +allow_readonly_paths(p_oci, i_oci) { + p_paths := p_oci.Linux.ReadonlyPaths + print("allow_readonly_paths 1: p_paths =", p_paths) + + i_paths := i_oci.Linux.ReadonlyPaths + print("allow_readonly_paths 1: i_paths =", i_paths) + + allow_readonly_paths_array(p_paths, i_paths, i_oci.Linux.MaskedPaths) + + print("allow_readonly_paths 1: true") +} +allow_readonly_paths(p_oci, i_oci) { + print("allow_readonly_paths 2: start") + + not p_oci.Linux.ReadonlyPaths + not i_oci.Linux.ReadonlyPaths + + print("allow_readonly_paths 2: true") +} + +# All the policy readonly paths must be either: +# - Present in the input readonly paths, or +# - Present in the input masked paths. +# Input is allowed to have more readonly paths than the policy. +allow_readonly_paths_array(p_array, i_array, masked_paths) { + every p_elem in p_array { + allow_readonly_path(p_elem, i_array, masked_paths) + } +} + +allow_readonly_path(p_elem, i_array, masked_paths) { + print("allow_readonly_path 1: p_elem =", p_elem) + + some i_elem in i_array + p_elem == i_elem + + print("allow_readonly_path 1: true") +} +allow_readonly_path(p_elem, i_array, masked_paths) { + print("allow_readonly_path 2: p_elem =", p_elem) + + some i_masked in masked_paths + p_elem == i_masked + + print("allow_readonly_path 2: true") +} + +# Check the consistency of the input "io.katacontainers.pkg.oci.bundle_path" +# and io.kubernetes.cri.sandbox-id" values with other fields. 
+allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) { + print("allow_by_bundle_or_sandbox_id: start") + + bundle_path := i_oci.Annotations["io.katacontainers.pkg.oci.bundle_path"] + bundle_id := replace(bundle_path, "/run/containerd/io.containerd.runtime.v2.task/k8s.io/", "") + + key := "io.kubernetes.cri.sandbox-id" + + p_regex := p_oci.Annotations[key] + sandbox_id := i_oci.Annotations[key] + + print("allow_by_bundle_or_sandbox_id: sandbox_id =", sandbox_id, "regex =", p_regex) + regex.match(p_regex, sandbox_id) + + allow_root_path(p_oci, i_oci, bundle_id) + + every i_mount in input.OCI.Mounts { + allow_mount(p_oci, i_mount, bundle_id, sandbox_id) + } + + allow_storages(p_storages, i_storages, bundle_id, sandbox_id) + + print("allow_by_bundle_or_sandbox_id: true") +} + +allow_process(p_oci, i_oci, s_name) { + p_process := p_oci.Process + i_process := i_oci.Process + + print("allow_process: i terminal =", i_process.Terminal, "p terminal =", p_process.Terminal) + p_process.Terminal == i_process.Terminal + + print("allow_process: i cwd =", i_process.Cwd, "i cwd =", p_process.Cwd) + p_process.Cwd == i_process.Cwd + + print("allow_process: i noNewPrivileges =", i_process.NoNewPrivileges, "p noNewPrivileges =", p_process.NoNewPrivileges) + p_process.NoNewPrivileges == i_process.NoNewPrivileges + + allow_caps(p_process.Capabilities, i_process.Capabilities) + allow_user(p_process, i_process) + allow_args(p_process, i_process, s_name) + allow_env(p_process, i_process, s_name) + + print("allow_process: true") +} + +allow_user(p_process, i_process) { + p_user := p_process.User + i_user := i_process.User + + print("allow_user: input uid =", i_user.UID, "policy uid =", p_user.UID) + p_user.UID == i_user.UID + + # TODO: track down the reason for registry.k8s.io/pause:3.9 being + # executed with gid = 0 despite having "65535:65535" in its container image + # config. 
+ #print("allow_user: input gid =", i_user.GID, "policy gid =", p_user.GID) + #p_user.GID == i_user.GID + + # TODO: compare the additionalGids field too after computing its value + # based on /etc/passwd and /etc/group from the container image. +} + +allow_args(p_process, i_process, s_name) { + print("allow_args 1: no args") + + not p_process.Args + not i_process.Args + + print("allow_args 1: true") +} +allow_args(p_process, i_process, s_name) { + print("allow_args 2: policy args =", p_process.Args) + print("allow_args 2: input args =", i_process.Args) + + count(p_process.Args) == count(i_process.Args) + + every i, i_arg in i_process.Args { + allow_arg(i, i_arg, p_process, s_name) + } + + print("allow_args 2: true") +} +allow_arg(i, i_arg, p_process, s_name) { + p_arg := p_process.Args[i] + print("allow_arg 1: i =", i, "i_arg =", i_arg, "p_arg =", p_arg) + + p_arg2 := replace(p_arg, "$$", "$") + p_arg2 == i_arg + + print("allow_arg 1: true") +} +allow_arg(i, i_arg, p_process, s_name) { + p_arg := p_process.Args[i] + print("allow_arg 2: i =", i, "i_arg =", i_arg, "p_arg =", p_arg) + + # TODO: can $(node-name) be handled better? + contains(p_arg, "$(node-name)") + + print("allow_arg 2: true") +} +allow_arg(i, i_arg, p_process, s_name) { + p_arg := p_process.Args[i] + print("allow_arg 3: i =", i, "i_arg =", i_arg, "p_arg =", p_arg) + + p_arg2 := replace(p_arg, "$$", "$") + p_arg3 := replace(p_arg2, "$(sandbox-name)", s_name) + print("allow_arg 3: p_arg3 =", p_arg3) + p_arg3 == i_arg + + print("allow_arg 3: true") +} + +# OCI process.Env field +allow_env(p_process, i_process, s_name) { + print("allow_env: p env =", p_process.Env) + print("allow_env: i env =", i_process.Env) + + every i_var in i_process.Env { + print("allow_env: i_var =", i_var) + allow_var(p_process, i_process, i_var, s_name) + } + + print("allow_env: true") +} + +# Allow input env variables that are present in the policy data too. 
+allow_var(p_process, i_process, i_var, s_name) { + some p_var in p_process.Env + p_var == i_var + print("allow_var 1: true") +} + +# Match input with one of the policy variables, after substituting $(sandbox-name). +allow_var(p_process, i_process, i_var, s_name) { + some p_var in p_process.Env + p_var2 := replace(p_var, "$(sandbox-name)", s_name) + + print("allow_var 2: p_var2 =", p_var2) + p_var2 == i_var + + print("allow_var 2: true") +} + +# Allow input env variables that match with a request_defaults regex. +allow_var(p_process, i_process, i_var, s_name) { + some p_regex1 in policy_data.request_defaults.CreateContainerRequest.allow_env_regex + p_regex2 := replace(p_regex1, "$(ipv4_a)", policy_data.common.ipv4_a) + p_regex3 := replace(p_regex2, "$(ip_p)", policy_data.common.ip_p) + p_regex4 := replace(p_regex3, "$(svc_name)", policy_data.common.svc_name) + p_regex5 := replace(p_regex4, "$(dns_label)", policy_data.common.dns_label) + + print("allow_var 3: p_regex5 =", p_regex5) + regex.match(p_regex5, i_var) + + print("allow_var 3: true") +} + +# Allow fieldRef "fieldPath: status.podIP" values. +allow_var(p_process, i_process, i_var, s_name) { + name_value := split(i_var, "=") + count(name_value) == 2 + is_ip(name_value[1]) + + some p_var in p_process.Env + allow_pod_ip_var(name_value[0], p_var) + + print("allow_var 4: true") +} + +# Allow common fieldRef variables. +allow_var(p_process, i_process, i_var, s_name) { + name_value := split(i_var, "=") + count(name_value) == 2 + + some p_var in p_process.Env + p_name_value := split(p_var, "=") + count(p_name_value) == 2 + + p_name_value[0] == name_value[0] + + # TODO: should these be handled in a different way? + always_allowed := ["$(host-name)", "$(node-name)", "$(pod-uid)"] + some allowed in always_allowed + contains(p_name_value[1], allowed) + + print("allow_var 5: true") +} + +# Allow fieldRef "fieldPath: status.hostIP" values. 
+allow_var(p_process, i_process, i_var, s_name) { + name_value := split(i_var, "=") + count(name_value) == 2 + is_ip(name_value[1]) + + some p_var in p_process.Env + allow_host_ip_var(name_value[0], p_var) + + print("allow_var 6: true") +} + +# Allow resourceFieldRef values (e.g., "limits.cpu"). +allow_var(p_process, i_process, i_var, s_name) { + name_value := split(i_var, "=") + count(name_value) == 2 + + some p_var in p_process.Env + p_name_value := split(p_var, "=") + count(p_name_value) == 2 + + p_name_value[0] == name_value[0] + + # TODO: should these be handled in a different way? + always_allowed = ["$(resource-field)", "$(todo-annotation)"] + some allowed in always_allowed + contains(p_name_value[1], allowed) + + print("allow_var 7: true") +} + +allow_pod_ip_var(var_name, p_var) { + print("allow_pod_ip_var: var_name =", var_name, "p_var =", p_var) + + p_name_value := split(p_var, "=") + count(p_name_value) == 2 + + p_name_value[0] == var_name + p_name_value[1] == "$(pod-ip)" + + print("allow_pod_ip_var: true") +} + +allow_host_ip_var(var_name, p_var) { + print("allow_host_ip_var: var_name =", var_name, "p_var =", p_var) + + p_name_value := split(p_var, "=") + count(p_name_value) == 2 + + p_name_value[0] == var_name + p_name_value[1] == "$(host-ip)" + + print("allow_host_ip_var: true") +} + +is_ip(value) { + bytes = split(value, ".") + count(bytes) == 4 + + is_ip_first_byte(bytes[0]) + is_ip_other_byte(bytes[1]) + is_ip_other_byte(bytes[2]) + is_ip_other_byte(bytes[3]) +} +is_ip_first_byte(component) { + number = to_number(component) + number >= 1 + number <= 255 +} +is_ip_other_byte(component) { + number = to_number(component) + number >= 0 + number <= 255 +} + +# OCI root.Path +allow_root_path(p_oci, i_oci, bundle_id) { + i_path := i_oci.Root.Path + p_path1 := p_oci.Root.Path + print("allow_root_path: i_path =", i_path, "p_path1 =", p_path1) + + p_path2 := replace(p_path1, "$(cpath)", policy_data.common.cpath) + print("allow_root_path: p_path2 =", p_path2) 
+ + p_path3 := replace(p_path2, "$(bundle-id)", bundle_id) + print("allow_root_path: p_path3 =", p_path3) + + p_path3 == i_path + + print("allow_root_path: true") +} + +# device mounts +allow_mount(p_oci, i_mount, bundle_id, sandbox_id) { + print("allow_mount: i_mount =", i_mount) + + some p_mount in p_oci.Mounts + print("allow_mount: p_mount =", p_mount) + check_mount(p_mount, i_mount, bundle_id, sandbox_id) + + # TODO: are there any other required policy checks for mounts - e.g., + # multiple mounts with same source or destination? + + print("allow_mount: true") +} + +check_mount(p_mount, i_mount, bundle_id, sandbox_id) { + p_mount == i_mount + print("check_mount 1: true") +} +check_mount(p_mount, i_mount, bundle_id, sandbox_id) { + p_mount.destination == i_mount.destination + p_mount.type_ == i_mount.type_ + p_mount.options == i_mount.options + + mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) + + print("check_mount 2: true") +} + +mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) { + regex1 := p_mount.source + regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix) + regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath) + regex4 := replace(regex3, "$(bundle-id)", bundle_id) + + print("mount_source_allows 1: regex4 =", regex4) + regex.match(regex4, i_mount.source) + + print("mount_source_allows 1: true") +} +mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) { + regex1 := p_mount.source + regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix) + regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath) + regex4 := replace(regex3, "$(sandbox-id)", sandbox_id) + + print("mount_source_allows 2: regex4 =", regex4) + regex.match(regex4, i_mount.source) + + print("mount_source_allows 2: true") +} +mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) { + print("mount_source_allows 3: i_mount.source=", i_mount.source) + + i_source_parts = split(i_mount.source, "/") + 
b64_direct_vol_path = i_source_parts[count(i_source_parts) - 1] + + base64.is_valid(b64_direct_vol_path) + + source1 := p_mount.source + print("mount_source_allows 3: source1 =", source1) + + source2 := replace(source1, "$(spath)", policy_data.common.spath) + print("mount_source_allows 3: source2 =", source2) + + source3 := replace(source2, "$(b64-direct-vol-path)", b64_direct_vol_path) + print("mount_source_allows 3: source3 =", source3) + + source3 == i_mount.source + + print("mount_source_allows 3: true") +} + +###################################################################### +# Create container Storages + +allow_storages(p_storages, i_storages, bundle_id, sandbox_id) { + p_count := count(p_storages) + i_count := count(i_storages) + print("allow_storages: p_count =", p_count, "i_count =", i_count) + + p_count == i_count + + # Get the container image layer IDs and verity root hashes, from the "overlayfs" storage. + some overlay_storage in p_storages + overlay_storage.driver == "overlayfs" + print("allow_storages: overlay_storage =", overlay_storage) + count(overlay_storage.options) == 2 + + layer_ids := split(overlay_storage.options[0], ":") + print("allow_storages: layer_ids =", layer_ids) + + root_hashes := split(overlay_storage.options[1], ":") + print("allow_storages: root_hashes =", root_hashes) + + every i_storage in i_storages { + allow_storage(p_storages, i_storage, bundle_id, sandbox_id, layer_ids, root_hashes) + } + + print("allow_storages: true") +} + +allow_storage(p_storages, i_storage, bundle_id, sandbox_id, layer_ids, root_hashes) { + some p_storage in p_storages + + print("allow_storage: p_storage =", p_storage) + print("allow_storage: i_storage =", i_storage) + + p_storage.driver == i_storage.driver + p_storage.driver_options == i_storage.driver_options + p_storage.fs_group == i_storage.fs_group + + allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) + allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) 
+ + # TODO: validate the source field too. + + print("allow_storage: true") +} + +allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) { + print("allow_storage_options 1: start") + + p_storage.driver != "overlayfs" + p_storage.options == i_storage.options + + print("allow_storage_options 1: true") +} +allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) { + print("allow_storage_options 2: start") + + p_storage.driver == "overlayfs" + count(p_storage.options) == 2 + + policy_ids := split(p_storage.options[0], ":") + print("allow_storage_options 2: policy_ids =", policy_ids) + policy_ids == layer_ids + + policy_hashes := split(p_storage.options[1], ":") + print("allow_storage_options 2: policy_hashes =", policy_hashes) + + p_count := count(policy_ids) + print("allow_storage_options 2: p_count =", p_count) + p_count >= 1 + p_count == count(policy_hashes) + + i_count := count(i_storage.options) + print("allow_storage_options 2: i_count =", i_count) + i_count == p_count + 3 + + print("allow_storage_options 2: i_storage.options[0] =", i_storage.options[0]) + i_storage.options[0] == "io.katacontainers.fs-opt.layer-src-prefix=/var/lib/containerd/io.containerd.snapshotter.v1.tardev/layers" + + print("allow_storage_options 2: i_storage.options[i_count - 2] =", i_storage.options[i_count - 2]) + i_storage.options[i_count - 2] == "io.katacontainers.fs-opt.overlay-rw" + + lowerdir := concat("=", ["lowerdir", p_storage.options[0]]) + print("allow_storage_options 2: lowerdir =", lowerdir) + + print("allow_storage_options 2: i_storage.options[i_count - 1] =", i_storage.options[i_count - 1]) + i_storage.options[i_count - 1] == lowerdir + + every i, policy_id in policy_ids { + allow_overlay_layer(policy_id, policy_hashes[i], i_storage.options[i + 1]) + } + + print("allow_storage_options 2: true") +} +allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) { + print("allow_storage_options 3: start") + + p_storage.driver == "blk" + 
count(p_storage.options) == 1 + + startswith(p_storage.options[0], "$(hash") + hash_suffix := trim_left(p_storage.options[0], "$(hash") + + endswith(hash_suffix, ")") + hash_index := trim_right(hash_suffix, ")") + i := to_number(hash_index) + print("allow_storage_options 3: i =", i) + + hash_option := concat("=", ["io.katacontainers.fs-opt.root-hash", root_hashes[i]]) + print("allow_storage_options 3: hash_option =", hash_option) + + count(i_storage.options) == 4 + i_storage.options[0] == "ro" + i_storage.options[1] == "io.katacontainers.fs-opt.block_device=file" + i_storage.options[2] == "io.katacontainers.fs-opt.is-layer" + i_storage.options[3] == hash_option + + print("allow_storage_options 3: true") +} +allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) { + print("allow_storage_options 4: start") + + p_storage.driver == "smb" + count(i_storage.options) == 8 + i_storage.options[0] == "dir_mode=0666" + i_storage.options[1] == "file_mode=0666" + i_storage.options[2] == "mfsymlinks" + i_storage.options[3] == "cache=strict" + i_storage.options[4] == "nosharesock" + i_storage.options[5] == "actimeo=30" + startswith(i_storage.options[6], "addr=") + creds = split(i_storage.options[7], ",") + count(creds) == 2 + startswith(creds[0], "username=") + startswith(creds[1], "password=") + + print("allow_storage_options 4: true") +} + +allow_overlay_layer(policy_id, policy_hash, i_option) { + print("allow_overlay_layer: policy_id =", policy_id, "policy_hash =", policy_hash) + print("allow_overlay_layer: i_option =", i_option) + + startswith(i_option, "io.katacontainers.fs-opt.layer=") + i_value := replace(i_option, "io.katacontainers.fs-opt.layer=", "") + i_value_decoded := base64.decode(i_value) + print("allow_overlay_layer: i_value_decoded =", i_value_decoded) + + policy_suffix := concat("=", ["tar,ro,io.katacontainers.fs-opt.block_device=file,io.katacontainers.fs-opt.is-layer,io.katacontainers.fs-opt.root-hash", policy_hash]) + p_value := concat(",", 
[policy_id, policy_suffix]) + print("allow_overlay_layer: p_value =", p_value) + + p_value == i_value_decoded + + print("allow_overlay_layer: true") +} + +allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { + p_storage.fstype == "tar" + + startswith(p_storage.mount_point, "$(layer") + mount_suffix := trim_left(p_storage.mount_point, "$(layer") + + endswith(mount_suffix, ")") + layer_index := trim_right(mount_suffix, ")") + i := to_number(layer_index) + print("allow_mount_point 1: i =", i) + + layer_id := layer_ids[i] + print("allow_mount_point 1: layer_id =", layer_id) + + p_mount := concat("/", ["/run/kata-containers/sandbox/layers", layer_id]) + print("allow_mount_point 1: p_mount =", p_mount) + + p_mount == i_storage.mount_point + + print("allow_mount_point 1: true") +} +allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { + p_storage.fstype == "fuse3.kata-overlay" + + mount1 := replace(p_storage.mount_point, "$(cpath)", policy_data.common.cpath) + mount2 := replace(mount1, "$(bundle-id)", bundle_id) + print("allow_mount_point 2: mount2 =", mount2) + + mount2 == i_storage.mount_point + + print("allow_mount_point 2: true") +} +allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { + p_storage.fstype == "local" + + mount1 := p_storage.mount_point + print("allow_mount_point 3: mount1 =", mount1) + + mount2 := replace(mount1, "$(cpath)", policy_data.common.cpath) + print("allow_mount_point 3: mount2 =", mount2) + + mount3 := replace(mount2, "$(sandbox-id)", sandbox_id) + print("allow_mount_point 3: mount3 =", mount3) + + regex.match(mount3, i_storage.mount_point) + + print("allow_mount_point 3: true") +} +allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { + p_storage.fstype == "bind" + + mount1 := p_storage.mount_point + print("allow_mount_point 4: mount1 =", mount1) + + mount2 := replace(mount1, "$(cpath)", policy_data.common.cpath) + print("allow_mount_point 4: mount2 =", 
mount2) + + mount3 := replace(mount2, "$(bundle-id)", bundle_id) + print("allow_mount_point 4: mount3 =", mount3) + + regex.match(mount3, i_storage.mount_point) + + print("allow_mount_point 4: true") +} +allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { + p_storage.fstype == "tmpfs" + + mount1 := p_storage.mount_point + print("allow_mount_point 5: mount1 =", mount1) + + regex.match(mount1, i_storage.mount_point) + + print("allow_mount_point 5: true") +} +allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { + print("allow_mount_point 6: i_storage.mount_point =", i_storage.mount_point) + allow_direct_vol_driver(p_storage, i_storage) + + mount1 := p_storage.mount_point + print("allow_mount_point 6: mount1 =", mount1) + + mount2 := replace(mount1, "$(spath)", policy_data.common.spath) + print("allow_mount_point 6: mount2 =", mount2) + + direct_vol_path := i_storage.source + mount3 := replace(mount2, "$(b64-direct-vol-path)", base64url.encode(direct_vol_path)) + print("allow_mount_point 6: mount3 =", mount3) + + mount3 == i_storage.mount_point + + print("allow_mount_point 6: true") +} + +allow_direct_vol_driver(p_storage, i_storage) { + print("allow_direct_vol_driver 1: start") + p_storage.driver == "blk" + print("allow_direct_vol_driver 1: true") +} +allow_direct_vol_driver(p_storage, i_storage) { + print("allow_direct_vol_driver 2: start") + p_storage.driver == "smb" + print("allow_direct_vol_driver 2: true") +} + +# process.Capabilities +allow_caps(p_caps, i_caps) { + print("allow_caps: policy Ambient =", p_caps.Ambient) + print("allow_caps: input Ambient =", i_caps.Ambient) + match_caps(p_caps.Ambient, i_caps.Ambient) + + print("allow_caps: policy Bounding =", p_caps.Bounding) + print("allow_caps: input Bounding =", i_caps.Bounding) + match_caps(p_caps.Bounding, i_caps.Bounding) + + print("allow_caps: policy Effective =", p_caps.Effective) + print("allow_caps: input Effective =", i_caps.Effective) + 
match_caps(p_caps.Effective, i_caps.Effective) + + print("allow_caps: policy Inheritable =", p_caps.Inheritable) + print("allow_caps: input Inheritable =", i_caps.Inheritable) + match_caps(p_caps.Inheritable, i_caps.Inheritable) + + print("allow_caps: policy Permitted =", p_caps.Permitted) + print("allow_caps: input Permitted =", i_caps.Permitted) + match_caps(p_caps.Permitted, i_caps.Permitted) +} + +match_caps(p_caps, i_caps) { + print("match_caps 1: start") + + p_caps == i_caps + + print("match_caps 1: true") +} +match_caps(p_caps, i_caps) { + print("match_caps 2: start") + + count(p_caps) == 1 + p_caps[0] == "$(default_caps)" + + print("match_caps 2: default_caps =", policy_data.common.default_caps) + policy_data.common.default_caps == i_caps + + print("match_caps 2: true") +} +match_caps(p_caps, i_caps) { + print("match_caps 3: start") + + count(p_caps) == 1 + p_caps[0] == "$(privileged_caps)" + + print("match_caps 3: privileged_caps =", policy_data.common.privileged_caps) + policy_data.common.privileged_caps == i_caps + + print("match_caps 3: true") +} + +###################################################################### +check_directory_traversal(i_path) { + contains(i_path, "../") == false + endswith(i_path, "/..") == false + i_path != ".." +} + +check_symlink_source { + # TODO: delete this rule once the symlink_src field gets implemented + # by all/most Guest VMs. 
+ not input.symlink_src +} +check_symlink_source { + i_src := input.symlink_src + print("check_symlink_source: i_src =", i_src) + + startswith(i_src, "/") == false + check_directory_traversal(i_src) +} + +allow_sandbox_storages(i_storages) { + print("allow_sandbox_storages: i_storages =", i_storages) + + p_storages := policy_data.sandbox.storages + every i_storage in i_storages { + allow_sandbox_storage(p_storages, i_storage) + } + + print("allow_sandbox_storages: true") +} + +allow_sandbox_storage(p_storages, i_storage) { + print("allow_sandbox_storage: i_storage =", i_storage) + + some p_storage in p_storages + print("allow_sandbox_storage: p_storage =", p_storage) + i_storage == p_storage + + print("allow_sandbox_storage: true") +} + +CopyFileRequest { + print("CopyFileRequest: input.path =", input.path) + + check_symlink_source + check_directory_traversal(input.path) + + some regex1 in policy_data.request_defaults.CopyFileRequest + regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix) + regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath) + regex4 := replace(regex3, "$(bundle-id)", "[a-z0-9]{64}") + print("CopyFileRequest: regex4 =", regex4) + + regex.match(regex4, input.path) + + print("CopyFileRequest: true") +} + +CreateSandboxRequest { + print("CreateSandboxRequest: input.guest_hook_path =", input.guest_hook_path) + count(input.guest_hook_path) == 0 + + print("CreateSandboxRequest: input.kernel_modules =", input.kernel_modules) + count(input.kernel_modules) == 0 + + i_pidns := input.sandbox_pidns + print("CreateSandboxRequest: i_pidns =", i_pidns) + i_pidns == false + + allow_sandbox_storages(input.storages) +} + +ExecProcessRequest { + print("ExecProcessRequest 1: input =", input) + + i_command = concat(" ", input.process.Args) + print("ExecProcessRequest 1: i_command =", i_command) + + some p_command in policy_data.request_defaults.ExecProcessRequest.commands + print("ExecProcessRequest 1: p_command =", p_command) + p_command == 
i_command + + print("ExecProcessRequest 1: true") +} +ExecProcessRequest { + print("ExecProcessRequest 2: input =", input) + + # TODO: match input container ID with its corresponding container.exec_commands. + i_command = concat(" ", input.process.Args) + print("ExecProcessRequest 3: i_command =", i_command) + + some container in policy_data.containers + some p_command in container.exec_commands + print("ExecProcessRequest 2: p_command =", p_command) + + # TODO: should other input data fields be validated as well? + p_command == i_command + + print("ExecProcessRequest 2: true") +} +ExecProcessRequest { + print("ExecProcessRequest 3: input =", input) + + i_command = concat(" ", input.process.Args) + print("ExecProcessRequest 3: i_command =", i_command) + + some p_regex in policy_data.request_defaults.ExecProcessRequest.regex + print("ExecProcessRequest 3: p_regex =", p_regex) + + regex.match(p_regex, i_command) + + print("ExecProcessRequest 3: true") +} + +CloseStdinRequest { + policy_data.request_defaults.CloseStdinRequest == true +} + +ReadStreamRequest { + policy_data.request_defaults.ReadStreamRequest == true +} + +UpdateEphemeralMountsRequest { + policy_data.request_defaults.UpdateEphemeralMountsRequest == true +} + +WriteStreamRequest { + policy_data.request_defaults.WriteStreamRequest == true +} + +policy_data := { + "containers": [ + { + "OCI": { + "Version": "1.1.0-rc.1", + "Process": { + "Terminal": false, + "User": { + "UID": 65535, + "GID": 65535, + "AdditionalGids": [], + "Username": "" + }, + "Args": [ + "/pause" + ], + "Env": [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" + ], + "Cwd": "/", + "Capabilities": { + "Ambient": [], + "Bounding": [ + "$(default_caps)" + ], + "Effective": [ + "$(default_caps)" + ], + "Inheritable": [], + "Permitted": [ + "$(default_caps)" + ] + }, + "NoNewPrivileges": true + }, + "Root": { + "Path": "$(cpath)/$(bundle-id)", + "Readonly": true + }, + "Mounts": [ + { + "destination": "/proc", + 
"source": "proc", + "type_": "proc", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/dev", + "source": "tmpfs", + "type_": "tmpfs", + "options": [ + "nosuid", + "strictatime", + "mode=755", + "size=65536k" + ] + }, + { + "destination": "/dev/pts", + "source": "devpts", + "type_": "devpts", + "options": [ + "nosuid", + "noexec", + "newinstance", + "ptmxmode=0666", + "mode=0620", + "gid=5" + ] + }, + { + "destination": "/dev/shm", + "source": "/run/kata-containers/sandbox/shm", + "type_": "bind", + "options": [ + "rbind" + ] + }, + { + "destination": "/dev/mqueue", + "source": "mqueue", + "type_": "mqueue", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/sys", + "source": "sysfs", + "type_": "sysfs", + "options": [ + "nosuid", + "noexec", + "nodev", + "ro" + ] + }, + { + "destination": "/etc/resolv.conf", + "source": "$(sfprefix)resolv.conf$", + "type_": "bind", + "options": [ + "rbind", + "ro", + "nosuid", + "nodev", + "noexec" + ] + } + ], + "Annotations": { + "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/$(bundle-id)", + "io.katacontainers.pkg.oci.container_type": "pod_sandbox", + "io.kubernetes.cri.container-type": "sandbox", + "io.kubernetes.cri.sandbox-id": "^[a-z0-9]{64}$", + "io.kubernetes.cri.sandbox-log-directory": "^/var/log/pods/$(sandbox-namespace)_$(sandbox-name)_[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "io.kubernetes.cri.sandbox-namespace": "default", + "nerdctl/network-namespace": "^/var/run/netns/cni-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$" + }, + "Linux": { + "Namespaces": [ + { + "Type": "ipc", + "Path": "" + }, + { + "Type": "uts", + "Path": "" + }, + { + "Type": "mount", + "Path": "" + } + ], + "MaskedPaths": [ + "/proc/acpi", + "/proc/asound", + "/proc/kcore", + "/proc/keys", + "/proc/latency_stats", + "/proc/timer_list", + "/proc/timer_stats", + "/proc/sched_debug", + "/sys/firmware", 
+ "/proc/scsi" + ], + "ReadonlyPaths": [ + "/proc/bus", + "/proc/fs", + "/proc/irq", + "/proc/sys", + "/proc/sysrq-trigger" + ] + } + }, + "storages": [ + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash0)" + ], + "mount_point": "$(layer0)", + "fs_group": null + }, + { + "driver": "overlayfs", + "driver_options": [], + "source": "", + "fstype": "fuse3.kata-overlay", + "options": [ + "5a5aad80055ff20012a50dc25f8df7a29924474324d65f7d5306ee8ee27ff71d", + "817250f1a3e336da76f5bd3fa784e1b26d959b9c131876815ba2604048b70c18" + ], + "mount_point": "$(cpath)/$(bundle-id)", + "fs_group": null + } + ], + "sandbox_pidns": false, + "exec_commands": [] + }, + { + "OCI": { + "Version": "1.1.0-rc.1", + "Process": { + "Terminal": false, + "User": { + "UID": 0, + "GID": 0, + "AdditionalGids": [], + "Username": "" + }, + "Args": [ + "/bin/sh", + "-c", + "while true; do echo $(sandbox-name); sleep 10; done" + ], + "Env": [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", + "HOSTNAME=$(host-name)", + "META_NAME=$(sandbox-name)" + ], + "Cwd": "/", + "Capabilities": { + "Ambient": [], + "Bounding": [ + "$(default_caps)" + ], + "Effective": [ + "$(default_caps)" + ], + "Inheritable": [], + "Permitted": [ + "$(default_caps)" + ] + }, + "NoNewPrivileges": false + }, + "Root": { + "Path": "$(cpath)/$(bundle-id)", + "Readonly": false + }, + "Mounts": [ + { + "destination": "/proc", + "source": "proc", + "type_": "proc", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/dev", + "source": "tmpfs", + "type_": "tmpfs", + "options": [ + "nosuid", + "strictatime", + "mode=755", + "size=65536k" + ] + }, + { + "destination": "/dev/pts", + "source": "devpts", + "type_": "devpts", + "options": [ + "nosuid", + "noexec", + "newinstance", + "ptmxmode=0666", + "mode=0620", + "gid=5" + ] + }, + { + "destination": "/dev/shm", + "source": "/run/kata-containers/sandbox/shm", + "type_": "bind", + 
"options": [ + "rbind" + ] + }, + { + "destination": "/dev/mqueue", + "source": "mqueue", + "type_": "mqueue", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/sys", + "source": "sysfs", + "type_": "sysfs", + "options": [ + "nosuid", + "noexec", + "nodev", + "ro" + ] + }, + { + "destination": "/sys/fs/cgroup", + "source": "cgroup", + "type_": "cgroup", + "options": [ + "nosuid", + "noexec", + "nodev", + "relatime", + "ro" + ] + }, + { + "destination": "/etc/hosts", + "source": "$(sfprefix)hosts$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/dev/termination-log", + "source": "$(sfprefix)termination-log$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/etc/hostname", + "source": "$(sfprefix)hostname$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/etc/resolv.conf", + "source": "$(sfprefix)resolv.conf$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/var/run/secrets/kubernetes.io/serviceaccount", + "source": "$(sfprefix)serviceaccount$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "ro" + ] + }, + { + "destination": "/var/run/secrets/azure/tokens", + "source": "$(sfprefix)tokens$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "ro" + ] + }, + { + "destination": "/usr/share/nginx/html", + "source": "^/run/kata-containers/shared/containers/$(bundle-id)-[a-z0-9]{16}-html$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + } + ], + "Annotations": { + "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/$(bundle-id)", + "io.katacontainers.pkg.oci.container_type": "pod_container", + "io.kubernetes.cri.container-name": "nginx", + "io.kubernetes.cri.container-type": "container", + "io.kubernetes.cri.image-name": 
"mcr.microsoft.com/cbl-mariner/base/nginx:1.22.1-9-cm2.0.20230904-amd64", + "io.kubernetes.cri.sandbox-id": "^[a-z0-9]{64}$", + "io.kubernetes.cri.sandbox-namespace": "default" + }, + "Linux": { + "Namespaces": [ + { + "Type": "ipc", + "Path": "" + }, + { + "Type": "uts", + "Path": "" + }, + { + "Type": "mount", + "Path": "" + } + ], + "MaskedPaths": [ + "/proc/acpi", + "/proc/kcore", + "/proc/keys", + "/proc/latency_stats", + "/proc/timer_list", + "/proc/timer_stats", + "/proc/sched_debug", + "/proc/scsi", + "/sys/firmware" + ], + "ReadonlyPaths": [ + "/proc/asound", + "/proc/bus", + "/proc/fs", + "/proc/irq", + "/proc/sys", + "/proc/sysrq-trigger" + ] + } + }, + "storages": [ + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash0)" + ], + "mount_point": "$(layer0)", + "fs_group": null + }, + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash1)" + ], + "mount_point": "$(layer1)", + "fs_group": null + }, + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash2)" + ], + "mount_point": "$(layer2)", + "fs_group": null + }, + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash3)" + ], + "mount_point": "$(layer3)", + "fs_group": null + }, + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash4)" + ], + "mount_point": "$(layer4)", + "fs_group": null + }, + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash5)" + ], + "mount_point": "$(layer5)", + "fs_group": null + }, + { + "driver": "overlayfs", + "driver_options": [], + "source": "", + "fstype": "fuse3.kata-overlay", + "options": [ + 
"1b27bec068016fce230a3c9f4920d3be7251e5baada7dca3204a932cbcde27e2:c8295c80a79c2ed76e03ddb2af390ac3791b8779da798cb183fa985ce5cee1dc:cfb9fe97a1869ee9b0daae3d8cd59720cf371da568a6c14bba16d982e7092983:14f395647869a88f90a33eef50c97e82f4b981b6e20a584d51bf304967b8542c:fc7dd8614820bbafe5b6b6645e19945b4af989b662c989fd46c465fafca702f7:8d311e8e51984cabaccec1fbfcbcdd7bf52a8a978169cd20af07bbd1c3a4692a", + "073dba7831293107f8873eedabf4922d16a506086f6f46b19b4c2386831c3106:ed0feae4f4dccb686628963b1f1f5dae7b3e015c881e72f005ff2f99c649457e:d138152b660d2dbcc5082afae58edb1bf0ee5742b91933a2f61664b847b23281:1d69eaf5c5c25731e9a8ebb038c942f6aa6aff5b15b11d8bd44431e514ccd69f:1eb4bff8040a86c514815a039f6cb4d7aa4c5f1b7a2e1a45f6f86ca8c770ffff:e928fff98ddea2d26dbba075605770bd6f6ef068c975289b49acb3d55030d071" + ], + "mount_point": "$(cpath)/$(bundle-id)", + "fs_group": null + } + ], + "sandbox_pidns": false, + "exec_commands": [] + } + ], + "common": { + "cpath": "/run/kata-containers/shared/containers", + "sfprefix": "^$(cpath)/$(bundle-id)-[a-z0-9]{16}-", + "spath": "/run/kata-containers/sandbox/storage", + "ipv4_a": "((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}", + "ip_p": "[0-9]{1,5}", + "svc_name": "[A-Z0-9_\\.\\-]+", + "dns_label": "[a-zA-Z0-9_\\.\\-]+", + "default_caps": [ + "CAP_CHOWN", + "CAP_DAC_OVERRIDE", + "CAP_FSETID", + "CAP_FOWNER", + "CAP_MKNOD", + "CAP_NET_RAW", + "CAP_SETGID", + "CAP_SETUID", + "CAP_SETFCAP", + "CAP_SETPCAP", + "CAP_NET_BIND_SERVICE", + "CAP_SYS_CHROOT", + "CAP_KILL", + "CAP_AUDIT_WRITE" + ], + "privileged_caps": [ + "CAP_CHOWN", + "CAP_DAC_OVERRIDE", + "CAP_DAC_READ_SEARCH", + "CAP_FOWNER", + "CAP_FSETID", + "CAP_KILL", + "CAP_SETGID", + "CAP_SETUID", + "CAP_SETPCAP", + "CAP_LINUX_IMMUTABLE", + "CAP_NET_BIND_SERVICE", + "CAP_NET_BROADCAST", + "CAP_NET_ADMIN", + "CAP_NET_RAW", + "CAP_IPC_LOCK", + "CAP_IPC_OWNER", + "CAP_SYS_MODULE", + "CAP_SYS_RAWIO", + "CAP_SYS_CHROOT", + "CAP_SYS_PTRACE", + "CAP_SYS_PACCT", + "CAP_SYS_ADMIN", + "CAP_SYS_BOOT", + "CAP_SYS_NICE", 
+ "CAP_SYS_RESOURCE",
+ "CAP_SYS_TIME",
+ "CAP_SYS_TTY_CONFIG",
+ "CAP_MKNOD",
+ "CAP_LEASE",
+ "CAP_AUDIT_WRITE",
+ "CAP_AUDIT_CONTROL",
+ "CAP_SETFCAP",
+ "CAP_MAC_OVERRIDE",
+ "CAP_MAC_ADMIN",
+ "CAP_SYSLOG",
+ "CAP_WAKE_ALARM",
+ "CAP_BLOCK_SUSPEND",
+ "CAP_AUDIT_READ",
+ "CAP_PERFMON",
+ "CAP_BPF",
+ "CAP_CHECKPOINT_RESTORE"
+ ],
+ "virtio_blk_storage_classes": [
+ "cc-local-csi",
+ "cc-managed-csi",
+ "cc-managed-premium-csi"
+ ],
+ "smb_storage_classes": [
+ "cc-azurefile-csi",
+ "cc-azurefile-premium-csi"
+ ]
+ },
+ "sandbox": {
+ "storages": [
+ {
+ "driver": "ephemeral",
+ "driver_options": [],
+ "source": "shm",
+ "fstype": "tmpfs",
+ "options": [
+ "noexec",
+ "nosuid",
+ "nodev",
+ "mode=1777",
+ "size=67108864"
+ ],
+ "mount_point": "/run/kata-containers/sandbox/shm",
+ "fs_group": null
+ }
+ ]
+ },
+ "request_defaults": {
+ "CreateContainerRequest": {
+ "allow_env_regex": [
+ "^HOSTNAME=$(dns_label)$",
+ "^$(svc_name)_PORT_$(ip_p)_TCP=tcp://$(ipv4_a):$(ip_p)$",
+ "^$(svc_name)_PORT_$(ip_p)_TCP_PROTO=tcp$",
+ "^$(svc_name)_PORT_$(ip_p)_TCP_PORT=$(ip_p)$",
+ "^$(svc_name)_PORT_$(ip_p)_TCP_ADDR=$(ipv4_a)$",
+ "^$(svc_name)_SERVICE_HOST=$(ipv4_a)$",
+ "^$(svc_name)_SERVICE_PORT=$(ip_p)$",
+ "^$(svc_name)_SERVICE_PORT_$(dns_label)=$(ip_p)$",
+ "^$(svc_name)_PORT=tcp://$(ipv4_a):$(ip_p)$",
+ "^AZURE_CLIENT_ID=[A-Fa-f0-9-]*$",
+ "^AZURE_TENANT_ID=[A-Fa-f0-9-]*$",
+ "^AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/azure/tokens/azure-identity-token$",
+ "^AZURE_AUTHORITY_HOST=https://login\\.microsoftonline\\.com/$"
+ ]
+ },
+ "CopyFileRequest": [
+ "$(sfprefix)"
+ ],
+ "ExecProcessRequest": {
+ "commands": [],
+ "regex": []
+ },
+ "CloseStdinRequest": false,
+ "ReadStreamRequest": true,
+ "UpdateEphemeralMountsRequest": false,
+ "WriteStreamRequest": false
+ }
+}
\ No newline at end of file
diff --git a/tests/kata/data/web2/inputs.txt b/tests/kata/data/web2/inputs.txt
new file mode 100644
index 00000000..86f9cc88
--- /dev/null
+++ b/tests/kata/data/web2/inputs.txt 
@@ -0,0 +1,51 @@
+["ep":"AllowRequestsFailingPolicy",{}],
+
+["ep":"UpdateInterfaceRequest",{"interface":{"device":"eth0","name":"eth0","IPAddresses":[{"family":0,"address":"10.244.0.22","mask":"24"},{"family":1,"address":"fe80::e848:90ff:fe69:54c8","mask":"64"}],"mtu":1500,"hwAddr":"ea:48:90:69:54:c8","pciPath":"","type_":"","raw_flags":0}}],
+
+["ep":"UpdateRoutesRequest",{"routes":{"Routes":[{"dest":"","gateway":"10.244.0.1","device":"eth0","source":"","scope":0,"family":0}]}}],
+
+["ep":"CreateSandboxRequest",{"hostname":"web2-0","dns":["search default.svc.cluster.local svc.cluster.local cluster.local","nameserver 10.0.0.10","options ndots:5",""],"storages":[{"driver":"ephemeral","driver_options":[],"source":"shm","fstype":"tmpfs","options":["noexec","nosuid","nodev","mode=1777","size=67108864"],"mount_point":"/run/kata-containers/sandbox/shm","fs_group":null}],"sandbox_pidns":false,"sandbox_id":"459053f3aa53bfe9ea3c7befdda6e1c12270527c9040d772a38f6caa8318a656","guest_hook_path":"","kernel_modules":[]}],
+
+["ep":"GuestDetailsRequest",{"mem_block_size":true,"mem_hotplug_probe":true}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/459053f3aa53bfe9ea3c7befdda6e1c12270527c9040d772a38f6caa8318a656-4a4bba3a5a6c9b54-resolv.conf","file_size":102,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CreateContainerRequest",{"container_id":"459053f3aa53bfe9ea3c7befdda6e1c12270527c9040d772a38f6caa8318a656","exec_id":"459053f3aa53bfe9ea3c7befdda6e1c12270527c9040d772a38f6caa8318a656","string_user":null,"devices":[],"storages":[{"driver":"blk","driver_options":[],"source":"0001:00:01.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=817250f1a3e336da76f5bd3fa784e1b26d959b9c131876815ba2604048b70c18"],"mount_point":"/run/kata-containers/sandbox/layers/5a5aad80055ff20012a50dc25f8df7a29924474324d65f7d5306ee8ee27ff71d","fs_group":null},{"driver":"overlayfs","driver_options":[],"source":"none","fstype":"fuse3.kata-overlay","options":["io.katacontainers.fs-opt.layer-src-prefix=/var/lib/containerd/io.containerd.snapshotter.v1.tardev/layers","io.katacontainers.fs-opt.layer=NWE1YWFkODAwNTVmZjIwMDEyYTUwZGMyNWY4ZGY3YTI5OTI0NDc0MzI0ZDY1ZjdkNTMwNmVlOGVlMjdmZjcxZCx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPTgxNzI1MGYxYTNlMzM2ZGE3NmY1YmQzZmE3ODRlMWIyNmQ5NTliOWMxMzE4NzY4MTViYTI2MDQwNDhiNzBjMTg=","io.katacontainers.fs-opt.overlay-rw","lowerdir=5a5aad80055ff20012a50dc25f8df7a29924474324d65f7d5306ee8ee27ff71d"],"mount_point":"/run/kata-containers/shared/containers/459053f3aa53bfe9ea3c7befdda6e1c12270527c9040d772a38f6caa8318a656","fs_group":null}],"OCI":{"Version":"1.1.0-rc.1","Process":{"Terminal":false,"ConsoleSize":null,"User":{"UID":65535,"GID":65535,"AdditionalGids":[65535],"Username":""},"Args":["/pause"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],"Cwd":"/","Capabilities":{"Bounding":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Effective":["CAP_CHOWN","CAP_DAC_OVERRIDE
","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Inheritable":[],"Permitted":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Ambient":[]},"Rlimits":[],"NoNewPrivileges":true,"ApparmorProfile":"","OOMScoreAdj":-998,"SelinuxLabel":""},"Root":{"Path":"/run/kata-containers/shared/containers/459053f3aa53bfe9ea3c7befdda6e1c12270527c9040d772a38f6caa8318a656","Readonly":true},"Hostname":"web2-0","Mounts":[{"destination":"/proc","source":"proc","type_":"proc","options":["nosuid","noexec","nodev"]},{"destination":"/dev","source":"tmpfs","type_":"tmpfs","options":["nosuid","strictatime","mode=755","size=65536k"]},{"destination":"/dev/pts","source":"devpts","type_":"devpts","options":["nosuid","noexec","newinstance","ptmxmode=0666","mode=0620","gid=5"]},{"destination":"/dev/mqueue","source":"mqueue","type_":"mqueue","options":["nosuid","noexec","nodev"]},{"destination":"/sys","source":"sysfs","type_":"sysfs","options":["nosuid","noexec","nodev","ro"]},{"destination":"/dev/shm","source":"/run/kata-containers/sandbox/shm","type_":"bind","options":["rbind"]},{"destination":"/etc/resolv.conf","source":"/run/kata-containers/shared/containers/459053f3aa53bfe9ea3c7befdda6e1c12270527c9040d772a38f6caa8318a656-4a4bba3a5a6c9b54-resolv.conf","type_":"bind","options":["rbind","ro","nosuid","nodev","noexec"]}],"Hooks":null,"Annotations":{"io.kubernetes.cri.sandbox-cpu-quota":"0","io.kubernetes.cri.sandbox-id":"459053f3aa53bfe9ea3c7befdda6e1c12270527c9040d772a38f6caa8318a656","io.katacontainers.pkg.oci.container_type":"pod_sandbox","io.kubernetes.cri.sandbox-uid":"79e6d928-5d3e-4a7e-93d4-88cd828517b5","io.katacontainers.pkg.oci.bundle_path":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/459053f3aa53b
fe9ea3c7befdda6e1c12270527c9040d772a38f6caa8318a656","io.kubernetes.cri.sandbox-log-directory":"/var/log/pods/default_web2-0_79e6d928-5d3e-4a7e-93d4-88cd828517b5","io.kubernetes.cri.sandbox-cpu-period":"100000","io.kubernetes.cri.container-type":"sandbox","io.kubernetes.cri.sandbox-namespace":"default","io.kubernetes.cri.sandbox-name":"web2-0","io.kubernetes.cri.sandbox-cpu-shares":"2","io.kubernetes.cri.sandbox-memory":"0","nerdctl/network-namespace":"/var/run/netns/cni-9fd96ae5-97cc-f93f-1a4e-82ca887e931f"},"Linux":{"UIDMappings":[],"GIDMappings":[],"Sysctl":{},"Resources":{"Devices":[],"Memory":null,"CPU":{"Shares":2,"Quota":0,"Period":0,"RealtimeRuntime":0,"RealtimePeriod":0,"Cpus":"","Mems":""},"Pids":null,"BlockIO":null,"HugepageLimits":[],"Network":null},"CgroupsPath":"/kubepods/besteffort/pod79e6d928-5d3e-4a7e-93d4-88cd828517b5/459053f3aa53bfe9ea3c7befdda6e1c12270527c9040d772a38f6caa8318a656","Namespaces":[{"Type":"ipc","Path":""},{"Type":"uts","Path":""},{"Type":"mount","Path":""}],"Devices":[],"Seccomp":null,"RootfsPropagation":"","MaskedPaths":["/proc/acpi","/proc/asound","/proc/kcore","/proc/keys","/proc/latency_stats","/proc/timer_list","/proc/timer_stats","/proc/sched_debug","/sys/firmware","/proc/scsi"],"ReadonlyPaths":["/proc/bus","/proc/fs","/proc/irq","/proc/sys","/proc/sysrq-trigger"],"MountLabel":"","IntelRdt":null},"Solaris":null,"Windows":null},"sandbox_pidns":false,"shared_mounts":[]}],
+
+["ep":"StartContainerRequest",{"container_id":"459053f3aa53bfe9ea3c7befdda6e1c12270527c9040d772a38f6caa8318a656"}],
+
+["ep":"WaitProcessRequest",{"container_id":"459053f3aa53bfe9ea3c7befdda6e1c12270527c9040d772a38f6caa8318a656","exec_id":"459053f3aa53bfe9ea3c7befdda6e1c12270527c9040d772a38f6caa8318a656"}],
+
+["ep":"GetOOMEventRequest",{}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/d955586a9452d731577ea25c085b6c709a6738fbd0303f71d188a10cb8a1b470-c9d84ad063ec0742-hosts","file_size":242,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/d955586a9452d731577ea25c085b6c709a6738fbd0303f71d188a10cb8a1b470-63f9f7fea6333cd0-termination-log","file_size":0,"file_mode":33206,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/d955586a9452d731577ea25c085b6c709a6738fbd0303f71d188a10cb8a1b470-034b80350c1ccbb7-hostname","file_size":7,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/d955586a9452d731577ea25c085b6c709a6738fbd0303f71d188a10cb8a1b470-c39c3fd00fbf3239-resolv.conf","file_size":102,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/d955586a9452d731577ea25c085b6c709a6738fbd0303f71d188a10cb8a1b470-43e927ff560a6360-html","file_size":0,"file_mode":16895,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/d955586a9452d731577ea25c085b6c709a6738fbd0303f71d188a10cb8a1b470-1474bdfcd7ea43a4-serviceaccount","file_size":0,"file_mode":17407,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/d955586a9452d731577ea25c085b6c709a6738fbd0303f71d188a10cb8a1b470-1474bdfcd7ea43a4-serviceaccount/..2024_05_08_18_30_45.15688249","file_size":0,"file_mode":16877,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/d955586a9452d731577ea25c085b6c709a6738fbd0303f71d188a10cb8a1b470-1474bdfcd7ea43a4-serviceaccount/..2024_05_08_18_30_45.15688249/ca.crt","file_size":1761,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/d955586a9452d731577ea25c085b6c709a6738fbd0303f71d188a10cb8a1b470-1474bdfcd7ea43a4-serviceaccount/..2024_05_08_18_30_45.15688249/namespace","file_size":7,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/d955586a9452d731577ea25c085b6c709a6738fbd0303f71d188a10cb8a1b470-1474bdfcd7ea43a4-serviceaccount/..2024_05_08_18_30_45.15688249/token","file_size":1491,"file_mode":33188,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":""}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/d955586a9452d731577ea25c085b6c709a6738fbd0303f71d188a10cb8a1b470-1474bdfcd7ea43a4-serviceaccount/..data","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..2024_05_08_18_30_45.15688249"}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/d955586a9452d731577ea25c085b6c709a6738fbd0303f71d188a10cb8a1b470-1474bdfcd7ea43a4-serviceaccount/ca.crt","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..data/ca.crt"}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/d955586a9452d731577ea25c085b6c709a6738fbd0303f71d188a10cb8a1b470-1474bdfcd7ea43a4-serviceaccount/namespace","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..data/namespace"}],
+
+["ep":"CopyFileRequest",{"path":"/run/kata-containers/shared/containers/d955586a9452d731577ea25c085b6c709a6738fbd0303f71d188a10cb8a1b470-1474bdfcd7ea43a4-serviceaccount/token","file_size":0,"file_mode":41471,"dir_mode":2147484136,"uid":0,"gid":0,"offset":0,"symlink_src":"..data/token"}],
+
+["ep":"CreateContainerRequest",{"container_id":"d955586a9452d731577ea25c085b6c709a6738fbd0303f71d188a10cb8a1b470","exec_id":"d955586a9452d731577ea25c085b6c709a6738fbd0303f71d188a10cb8a1b470","string_user":null,"devices":[],"storages":[{"driver":"blk","driver_options":[],"source":"0001:00:02.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=073dba7831293107f8873eedabf4922d16a506086f6f46b19b4c2386831c3106"],"mount_point":"/run/kata-containers/sandbox/layers/1b27bec068016fce230a3c9f4920d3be7251e5baada7dca3204a932cbcde27e2","fs_group":null},{"driver":"blk","driver_options":[],"source":"0001:00:03.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=ed0feae4f4dccb686628963b1f1f5dae7b3e015c881e72f005ff2f99c649457e"],"mount_point":"/run/kata-containers/sandbox/layers/c8295c80a79c2ed76e03ddb2af390ac3791b8779da798cb183fa985ce5cee1dc","fs_group":null},{"driver":"blk","driver_options":[],"source":"0001:00:04.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=d138152b660d2dbcc5082afae58edb1bf0ee5742b91933a2f61664b847b23281"],"mount_point":"/run/kata-containers/sandbox/layers/cfb9fe97a1869ee9b0daae3d8cd59720cf371da568a6c14bba16d982e7092983","fs_group":null},{"driver":"blk","driver_options":[],"source":"0001:00:05.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=1d69eaf5c5c25731e9a8ebb038c942f6aa6af
f5b15b11d8bd44431e514ccd69f"],"mount_point":"/run/kata-containers/sandbox/layers/14f395647869a88f90a33eef50c97e82f4b981b6e20a584d51bf304967b8542c","fs_group":null},{"driver":"blk","driver_options":[],"source":"0001:00:06.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=1eb4bff8040a86c514815a039f6cb4d7aa4c5f1b7a2e1a45f6f86ca8c770ffff"],"mount_point":"/run/kata-containers/sandbox/layers/fc7dd8614820bbafe5b6b6645e19945b4af989b662c989fd46c465fafca702f7","fs_group":null},{"driver":"blk","driver_options":[],"source":"0001:00:07.0","fstype":"tar","options":["ro","io.katacontainers.fs-opt.block_device=file","io.katacontainers.fs-opt.is-layer","io.katacontainers.fs-opt.root-hash=e928fff98ddea2d26dbba075605770bd6f6ef068c975289b49acb3d55030d071"],"mount_point":"/run/kata-containers/sandbox/layers/8d311e8e51984cabaccec1fbfcbcdd7bf52a8a978169cd20af07bbd1c3a4692a","fs_group":null},{"driver":"overlayfs","driver_options":[],"source":"none","fstype":"fuse3.kata-overlay","options":["io.katacontainers.fs-opt.layer-src-prefix=/var/lib/containerd/io.containerd.snapshotter.v1.tardev/layers","io.katacontainers.fs-opt.layer=MWIyN2JlYzA2ODAxNmZjZTIzMGEzYzlmNDkyMGQzYmU3MjUxZTViYWFkYTdkY2EzMjA0YTkzMmNiY2RlMjdlMix0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPTA3M2RiYTc4MzEyOTMxMDdmODg3M2VlZGFiZjQ5MjJkMTZhNTA2MDg2ZjZmNDZiMTliNGMyMzg2ODMxYzMxMDY=","io.katacontainers.fs-opt.layer=YzgyOTVjODBhNzljMmVkNzZlMDNkZGIyYWYzOTBhYzM3OTFiODc3OWRhNzk4Y2IxODNmYTk4NWNlNWNlZTFkYyx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPWVkMGZlYWU0ZjRkY2NiNjg2NjI4OTYzYjFmMWY1ZGFlN2IzZTAxNWM4ODFlNzJmMDA1ZmYyZjk5YzY0OTQ1N2U=","io.katacontainers.fs-opt.layer=Y2ZiOWZlOTdhMTg2OWVlOWIwZGFhZTNkOGNkNTk3MjBjZjM3
MWRhNTY4YTZjMTRiYmExNmQ5ODJlNzA5Mjk4Myx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPWQxMzgxNTJiNjYwZDJkYmNjNTA4MmFmYWU1OGVkYjFiZjBlZTU3NDJiOTE5MzNhMmY2MTY2NGI4NDdiMjMyODE=","io.katacontainers.fs-opt.layer=MTRmMzk1NjQ3ODY5YTg4ZjkwYTMzZWVmNTBjOTdlODJmNGI5ODFiNmUyMGE1ODRkNTFiZjMwNDk2N2I4NTQyYyx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPTFkNjllYWY1YzVjMjU3MzFlOWE4ZWJiMDM4Yzk0MmY2YWE2YWZmNWIxNWIxMWQ4YmQ0NDQzMWU1MTRjY2Q2OWY=","io.katacontainers.fs-opt.layer=ZmM3ZGQ4NjE0ODIwYmJhZmU1YjZiNjY0NWUxOTk0NWI0YWY5ODliNjYyYzk4OWZkNDZjNDY1ZmFmY2E3MDJmNyx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPTFlYjRiZmY4MDQwYTg2YzUxNDgxNWEwMzlmNmNiNGQ3YWE0YzVmMWI3YTJlMWE0NWY2Zjg2Y2E4Yzc3MGZmZmY=","io.katacontainers.fs-opt.layer=OGQzMTFlOGU1MTk4NGNhYmFjY2VjMWZiZmNiY2RkN2JmNTJhOGE5NzgxNjljZDIwYWYwN2JiZDFjM2E0NjkyYSx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPWU5MjhmZmY5OGRkZWEyZDI2ZGJiYTA3NTYwNTc3MGJkNmY2ZWYwNjhjOTc1Mjg5YjQ5YWNiM2Q1NTAzMGQwNzE=","io.katacontainers.fs-opt.overlay-rw","lowerdir=1b27bec068016fce230a3c9f4920d3be7251e5baada7dca3204a932cbcde27e2:c8295c80a79c2ed76e03ddb2af390ac3791b8779da798cb183fa985ce5cee1dc:cfb9fe97a1869ee9b0daae3d8cd59720cf371da568a6c14bba16d982e7092983:14f395647869a88f90a33eef50c97e82f4b981b6e20a584d51bf304967b8542c:fc7dd8614820bbafe5b6b6645e19945b4af989b662c989fd46c465fafca702f7:8d311e8e51984cabaccec1fbfcbcdd7bf52a8a978169cd20af07bbd1c3a4692a"],"mount_point":"/run/kata-containers/shared/containers/d955586a9452d731577ea25c085b6c709a6738fbd0303f71d188a10cb8a1b470","fs_group":null}],"OCI":{"Version":"1.1.0-rc.1","Process
":{"Terminal":false,"ConsoleSize":null,"User":{"UID":0,"GID":0,"AdditionalGids":[0],"Username":""},"Args":["/bin/sh","-c","while true; do echo web2-0; sleep 10; done"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","HOSTNAME=web2-0","META_NAME=web2-0","KUBERNETES_PORT_443_TCP_PROTO=tcp","KUBERNETES_PORT_443_TCP_PORT=443","KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1","KUBERNETES_SERVICE_HOST=10.0.0.1","KUBERNETES_SERVICE_PORT=443","KUBERNETES_SERVICE_PORT_HTTPS=443","KUBERNETES_PORT=tcp://10.0.0.1:443","KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443"],"Cwd":"/","Capabilities":{"Bounding":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Effective":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Inheritable":[],"Permitted":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Ambient":[]},"Rlimits":[],"NoNewPrivileges":false,"ApparmorProfile":"cri-containerd.apparmor.d","OOMScoreAdj":1000,"SelinuxLabel":""},"Root":{"Path":"/run/kata-containers/shared/containers/d955586a9452d731577ea25c085b6c709a6738fbd0303f71d188a10cb8a1b470","Readonly":false},"Hostname":"","Mounts":[{"destination":"/proc","source":"proc","type_":"proc","options":["nosuid","noexec","nodev"]},{"destination":"/dev","source":"tmpfs","type_":"tmpfs","options":["nosuid","strictatime","mode=755","size=65536k"]},{"destination":"/dev/pts","source":"devpts","type_":"devpts","options":["nosuid","noexec","newinstance","ptmxmode=0666","mode=0620","gid=5"]},{"destination":"/dev/mqueue","source":"mqueue","type_":"mqueue","options":
["nosuid","noexec","nodev"]},{"destination":"/sys","source":"sysfs","type_":"sysfs","options":["nosuid","noexec","nodev","ro"]},{"destination":"/sys/fs/cgroup","source":"cgroup","type_":"cgroup","options":["nosuid","noexec","nodev","relatime","ro"]},{"destination":"/etc/hosts","source":"/run/kata-containers/shared/containers/d955586a9452d731577ea25c085b6c709a6738fbd0303f71d188a10cb8a1b470-c9d84ad063ec0742-hosts","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/dev/termination-log","source":"/run/kata-containers/shared/containers/d955586a9452d731577ea25c085b6c709a6738fbd0303f71d188a10cb8a1b470-63f9f7fea6333cd0-termination-log","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/etc/hostname","source":"/run/kata-containers/shared/containers/d955586a9452d731577ea25c085b6c709a6738fbd0303f71d188a10cb8a1b470-034b80350c1ccbb7-hostname","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/etc/resolv.conf","source":"/run/kata-containers/shared/containers/d955586a9452d731577ea25c085b6c709a6738fbd0303f71d188a10cb8a1b470-c39c3fd00fbf3239-resolv.conf","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/dev/shm","source":"/run/kata-containers/sandbox/shm","type_":"bind","options":["rbind"]},{"destination":"/usr/share/nginx/html","source":"/run/kata-containers/shared/containers/d955586a9452d731577ea25c085b6c709a6738fbd0303f71d188a10cb8a1b470-43e927ff560a6360-html","type_":"bind","options":["rbind","rprivate","rw"]},{"destination":"/var/run/secrets/kubernetes.io/serviceaccount","source":"/run/kata-containers/shared/containers/d955586a9452d731577ea25c085b6c709a6738fbd0303f71d188a10cb8a1b470-1474bdfcd7ea43a4-serviceaccount","type_":"bind","options":["rbind","rprivate","ro"]}],"Hooks":null,"Annotations":{"io.kubernetes.cri.sandbox-namespace":"default","io.kubernetes.cri.container-type":"container","io.kubernetes.cri.sandbox-uid":"79e6d928-5d3e-4a7e-93d4-88cd828517b5","io.kubernetes.cri.container-name":"nginx2","io.k
ubernetes.cri.sandbox-name":"web2-0","io.kubernetes.cri.sandbox-id":"459053f3aa53bfe9ea3c7befdda6e1c12270527c9040d772a38f6caa8318a656","io.katacontainers.pkg.oci.container_type":"pod_container","io.kubernetes.cri.image-name":"mcr.microsoft.com/cbl-mariner/base/nginx:1.22.1-9-cm2.0.20230904-amd64","io.katacontainers.pkg.oci.bundle_path":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/d955586a9452d731577ea25c085b6c709a6738fbd0303f71d188a10cb8a1b470"},"Linux":{"UIDMappings":[],"GIDMappings":[],"Sysctl":{},"Resources":{"Devices":[],"Memory":{"Limit":0,"Reservation":0,"Swap":0,"Kernel":0,"KernelTCP":0,"Swappiness":0,"DisableOOMKiller":false},"CPU":{"Shares":2,"Quota":0,"Period":100000,"RealtimeRuntime":0,"RealtimePeriod":0,"Cpus":"","Mems":""},"Pids":null,"BlockIO":null,"HugepageLimits":[],"Network":null},"CgroupsPath":"/kubepods/besteffort/pod79e6d928-5d3e-4a7e-93d4-88cd828517b5/d955586a9452d731577ea25c085b6c709a6738fbd0303f71d188a10cb8a1b470","Namespaces":[{"Type":"ipc","Path":""},{"Type":"uts","Path":""},{"Type":"mount","Path":""}],"Devices":[],"Seccomp":null,"RootfsPropagation":"","MaskedPaths":["/proc/asound","/proc/acpi","/proc/kcore","/proc/keys","/proc/latency_stats","/proc/timer_list","/proc/timer_stats","/proc/sched_debug","/proc/scsi","/sys/firmware"],"ReadonlyPaths":["/proc/bus","/proc/fs","/proc/irq","/proc/sys","/proc/sysrq-trigger"],"MountLabel":"","IntelRdt":null},"Solaris":null,"Windows":null},"sandbox_pidns":true,"shared_mounts":[]}],
+
+["ep":"StartContainerRequest",{"container_id":"d955586a9452d731577ea25c085b6c709a6738fbd0303f71d188a10cb8a1b470"}],
diff --git a/tests/kata/data/web2/outputs.json b/tests/kata/data/web2/outputs.json
new file mode 100644
index 00000000..65614cf6
--- /dev/null
+++ b/tests/kata/data/web2/outputs.json
@@ -0,0 +1,28 @@
+[
+ false,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true,
+ true
+]
\ No newline at end of file
diff --git a/tests/kata/data/web2/policy.rego b/tests/kata/data/web2/policy.rego
new file mode 100644
index 00000000..3a8a8a75
--- /dev/null
+++ b/tests/kata/data/web2/policy.rego
@@ -0,0 +1,1865 @@
+# Copyright (c) 2023 Microsoft Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+package agent_policy
+
+import future.keywords.in
+import future.keywords.every
+
+# Default values, returned by OPA when rules cannot be evaluated to true.
+default AddARPNeighborsRequest := false
+default AddSwapRequest := false
+default CloseStdinRequest := false
+default CopyFileRequest := false
+default CreateContainerRequest := false
+default CreateSandboxRequest := false
+default DestroySandboxRequest := true
+default ExecProcessRequest := false
+default GetOOMEventRequest := true
+default GuestDetailsRequest := true
+default ListInterfacesRequest := false
+default ListRoutesRequest := false
+default MemHotplugByProbeRequest := false
+default OnlineCPUMemRequest := true
+default PauseContainerRequest := false
+default ReadStreamRequest := false
+default RemoveContainerRequest := true
+default RemoveStaleVirtiofsShareMountsRequest := true
+default ReseedRandomDevRequest := false
+default ResumeContainerRequest := false
+default SetGuestDateTimeRequest := false
+default SetPolicyRequest := false
+default SignalProcessRequest := true
+default StartContainerRequest := true
+default StartTracingRequest := false
+default StatsContainerRequest := true
+default StopTracingRequest := false
+default TtyWinResizeRequest := true
+default UpdateContainerRequest := false
+default UpdateEphemeralMountsRequest := false
+default UpdateInterfaceRequest := true
+default UpdateRoutesRequest := true
+default WaitProcessRequest := true
+default WriteStreamRequest := false
+
+# AllowRequestsFailingPolicy := true configures the Agent to *allow any
+# requests causing a policy failure*. This is an unsecure configuration
+# but is useful for allowing unsecure pods to start, then connect to
+# them and inspect OPA logs for the root cause of a failure.
+default AllowRequestsFailingPolicy := false
+
+CreateContainerRequest {
+ i_oci := input.OCI
+ i_storages := input.storages
+
+ print("CreateContainerRequest: i_oci.Hooks =", i_oci.Hooks)
+ is_null(i_oci.Hooks)
+
+ print("CreateContainerRequest: i_oci.Linux.Seccomp =", i_oci.Linux.Seccomp)
+ is_null(i_oci.Linux.Seccomp)
+
+ some p_container in policy_data.containers
+ print("======== CreateContainerRequest: trying next policy container")
+
+ p_pidns := p_container.sandbox_pidns
+ i_pidns := input.sandbox_pidns
+ print("CreateContainerRequest: p_pidns =", p_pidns, "i_pidns =", i_pidns)
+ p_pidns == i_pidns
+
+ p_oci := p_container.OCI
+
+ print("CreateContainerRequest: p Version =", p_oci.Version, "i Version =", i_oci.Version)
+ p_oci.Version == i_oci.Version
+
+ print("CreateContainerRequest: p Readonly =", p_oci.Root.Readonly, "i Readonly =", i_oci.Root.Readonly)
+ p_oci.Root.Readonly == i_oci.Root.Readonly
+
+ allow_anno(p_oci, i_oci)
+
+ p_storages := p_container.storages
+ allow_by_anno(p_oci, i_oci, p_storages, i_storages)
+
+ allow_linux(p_oci, i_oci)
+
+ print("CreateContainerRequest: true")
+}
+
+# Reject unexpected annotations.
+allow_anno(p_oci, i_oci) {
+ print("allow_anno 1: start")
+
+ not i_oci.Annotations
+
+ print("allow_anno 1: true")
+}
+allow_anno(p_oci, i_oci) {
+ print("allow_anno 2: p Annotations =", p_oci.Annotations)
+ print("allow_anno 2: i Annotations =", i_oci.Annotations)
+
+ i_keys := object.keys(i_oci.Annotations)
+ print("allow_anno 2: i keys =", i_keys)
+
+ every i_key in i_keys {
+ allow_anno_key(i_key, p_oci)
+ }
+
+ print("allow_anno 2: true")
+}
+
+allow_anno_key(i_key, p_oci) {
+ print("allow_anno_key 1: i key =", i_key)
+
+ startswith(i_key, "io.kubernetes.cri.")
+
+ print("allow_anno_key 1: true")
+}
+allow_anno_key(i_key, p_oci) {
+ print("allow_anno_key 2: i key =", i_key)
+
+ some p_key, _ in p_oci.Annotations
+ p_key == i_key
+
+ print("allow_anno_key 2: true")
+}
+
+# Get the value of the "io.kubernetes.cri.sandbox-name" annotation and
+# correlate it with other annotations and process fields.
+allow_by_anno(p_oci, i_oci, p_storages, i_storages) {
+ print("allow_by_anno 1: start")
+
+ s_name := "io.kubernetes.cri.sandbox-name"
+
+ not p_oci.Annotations[s_name]
+
+ i_s_name := i_oci.Annotations[s_name]
+ print("allow_by_anno 1: i_s_name =", i_s_name)
+
+ allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, i_s_name)
+
+ print("allow_by_anno 1: true")
+}
+allow_by_anno(p_oci, i_oci, p_storages, i_storages) {
+ print("allow_by_anno 2: start")
+
+ s_name := "io.kubernetes.cri.sandbox-name"
+
+ p_s_name := p_oci.Annotations[s_name]
+ i_s_name := i_oci.Annotations[s_name]
+ print("allow_by_anno 2: i_s_name =", i_s_name, "p_s_name =", p_s_name)
+
+ allow_sandbox_name(p_s_name, i_s_name)
+ allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, i_s_name)
+
+ print("allow_by_anno 2: true")
+}
+
+allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, s_name) {
+ print("allow_by_sandbox_name: start")
+
+ s_namespace := "io.kubernetes.cri.sandbox-namespace"
+
+ p_namespace := p_oci.Annotations[s_namespace]
+ i_namespace :=
i_oci.Annotations[s_namespace] + print("allow_by_sandbox_name: p_namespace =", p_namespace, "i_namespace =", i_namespace) + p_namespace == i_namespace + + allow_by_container_types(p_oci, i_oci, s_name, p_namespace) + allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) + allow_process(p_oci, i_oci, s_name) + + print("allow_by_sandbox_name: true") +} + +allow_sandbox_name(p_s_name, i_s_name) { + print("allow_sandbox_name 1: start") + + p_s_name == i_s_name + + print("allow_sandbox_name 1: true") +} +allow_sandbox_name(p_s_name, i_s_name) { + print("allow_sandbox_name 2: start") + + # TODO: should generated names be handled differently? + contains(p_s_name, "$(generated-name)") + + print("allow_sandbox_name 2: true") +} + +# Check that the "io.kubernetes.cri.container-type" and +# "io.katacontainers.pkg.oci.container_type" annotations designate the +# expected type - either a "sandbox" or a "container". Then, validate +# other annotations based on the actual "sandbox" or "container" value +# from the input container. 
+allow_by_container_types(p_oci, i_oci, s_name, s_namespace) { + print("allow_by_container_types: checking io.kubernetes.cri.container-type") + + c_type := "io.kubernetes.cri.container-type" + + p_cri_type := p_oci.Annotations[c_type] + i_cri_type := i_oci.Annotations[c_type] + print("allow_by_container_types: p_cri_type =", p_cri_type, "i_cri_type =", i_cri_type) + p_cri_type == i_cri_type + + allow_by_container_type(i_cri_type, p_oci, i_oci, s_name, s_namespace) + + print("allow_by_container_types: true") +} + +allow_by_container_type(i_cri_type, p_oci, i_oci, s_name, s_namespace) { + print("allow_by_container_type 1: i_cri_type =", i_cri_type) + i_cri_type == "sandbox" + + i_kata_type := i_oci.Annotations["io.katacontainers.pkg.oci.container_type"] + print("allow_by_container_type 1: i_kata_type =", i_kata_type) + i_kata_type == "pod_sandbox" + + allow_sandbox_container_name(p_oci, i_oci) + allow_sandbox_net_namespace(p_oci, i_oci) + allow_sandbox_log_directory(p_oci, i_oci, s_name, s_namespace) + + print("allow_by_container_type 1: true") +} + +allow_by_container_type(i_cri_type, p_oci, i_oci, s_name, s_namespace) { + print("allow_by_container_type 2: i_cri_type =", i_cri_type) + i_cri_type == "container" + + i_kata_type := i_oci.Annotations["io.katacontainers.pkg.oci.container_type"] + print("allow_by_container_type 2: i_kata_type =", i_kata_type) + i_kata_type == "pod_container" + + allow_container_name(p_oci, i_oci) + allow_net_namespace(p_oci, i_oci) + allow_log_directory(p_oci, i_oci) + + print("allow_by_container_type 2: true") +} + +# "io.kubernetes.cri.container-name" annotation +allow_sandbox_container_name(p_oci, i_oci) { + print("allow_sandbox_container_name: start") + + container_annotation_missing(p_oci, i_oci, "io.kubernetes.cri.container-name") + + print("allow_sandbox_container_name: true") +} + +allow_container_name(p_oci, i_oci) { + print("allow_container_name: start") + + allow_container_annotation(p_oci, i_oci, 
"io.kubernetes.cri.container-name") + + print("allow_container_name: true") +} + +container_annotation_missing(p_oci, i_oci, key) { + print("container_annotation_missing:", key) + + not p_oci.Annotations[key] + not i_oci.Annotations[key] + + print("container_annotation_missing: true") +} + +allow_container_annotation(p_oci, i_oci, key) { + print("allow_container_annotation: key =", key) + + p_value := p_oci.Annotations[key] + i_value := i_oci.Annotations[key] + print("allow_container_annotation: p_value =", p_value, "i_value =", i_value) + + p_value == i_value + + print("allow_container_annotation: true") +} + +# "nerdctl/network-namespace" annotation +allow_sandbox_net_namespace(p_oci, i_oci) { + print("allow_sandbox_net_namespace: start") + + key := "nerdctl/network-namespace" + + p_namespace := p_oci.Annotations[key] + i_namespace := i_oci.Annotations[key] + print("allow_sandbox_net_namespace: p_namespace =", p_namespace, "i_namespace =", i_namespace) + + regex.match(p_namespace, i_namespace) + + print("allow_sandbox_net_namespace: true") +} + +allow_net_namespace(p_oci, i_oci) { + print("allow_net_namespace: start") + + key := "nerdctl/network-namespace" + + not p_oci.Annotations[key] + not i_oci.Annotations[key] + + print("allow_net_namespace: true") +} + +# "io.kubernetes.cri.sandbox-log-directory" annotation +allow_sandbox_log_directory(p_oci, i_oci, s_name, s_namespace) { + print("allow_sandbox_log_directory: start") + + key := "io.kubernetes.cri.sandbox-log-directory" + + p_dir := p_oci.Annotations[key] + regex1 := replace(p_dir, "$(sandbox-name)", s_name) + regex2 := replace(regex1, "$(sandbox-namespace)", s_namespace) + print("allow_sandbox_log_directory: regex2 =", regex2) + + i_dir := i_oci.Annotations[key] + print("allow_sandbox_log_directory: i_dir =", i_dir) + + regex.match(regex2, i_dir) + + print("allow_sandbox_log_directory: true") +} + +allow_log_directory(p_oci, i_oci) { + print("allow_log_directory: start") + + key := 
"io.kubernetes.cri.sandbox-log-directory" + + not p_oci.Annotations[key] + not i_oci.Annotations[key] + + print("allow_log_directory: true") +} + +allow_linux(p_oci, i_oci) { + p_namespaces := p_oci.Linux.Namespaces + print("allow_linux: p namespaces =", p_namespaces) + + i_namespaces := i_oci.Linux.Namespaces + print("allow_linux: i namespaces =", i_namespaces) + + p_namespaces == i_namespaces + + allow_masked_paths(p_oci, i_oci) + allow_readonly_paths(p_oci, i_oci) + + print("allow_linux: true") +} + +allow_masked_paths(p_oci, i_oci) { + p_paths := p_oci.Linux.MaskedPaths + print("allow_masked_paths 1: p_paths =", p_paths) + + i_paths := i_oci.Linux.MaskedPaths + print("allow_masked_paths 1: i_paths =", i_paths) + + allow_masked_paths_array(p_paths, i_paths) + + print("allow_masked_paths 1: true") +} +allow_masked_paths(p_oci, i_oci) { + print("allow_masked_paths 2: start") + + not p_oci.Linux.MaskedPaths + not i_oci.Linux.MaskedPaths + + print("allow_masked_paths 2: true") +} + +# All the policy masked paths must be masked in the input data too. +# Input is allowed to have more masked paths than the policy. 
+allow_masked_paths_array(p_array, i_array) { + every p_elem in p_array { + allow_masked_path(p_elem, i_array) + } +} + +allow_masked_path(p_elem, i_array) { + print("allow_masked_path: p_elem =", p_elem) + + some i_elem in i_array + p_elem == i_elem + + print("allow_masked_path: true") +} + +allow_readonly_paths(p_oci, i_oci) { + p_paths := p_oci.Linux.ReadonlyPaths + print("allow_readonly_paths 1: p_paths =", p_paths) + + i_paths := i_oci.Linux.ReadonlyPaths + print("allow_readonly_paths 1: i_paths =", i_paths) + + allow_readonly_paths_array(p_paths, i_paths, i_oci.Linux.MaskedPaths) + + print("allow_readonly_paths 1: true") +} +allow_readonly_paths(p_oci, i_oci) { + print("allow_readonly_paths 2: start") + + not p_oci.Linux.ReadonlyPaths + not i_oci.Linux.ReadonlyPaths + + print("allow_readonly_paths 2: true") +} + +# All the policy readonly paths must be either: +# - Present in the input readonly paths, or +# - Present in the input masked paths. +# Input is allowed to have more readonly paths than the policy. +allow_readonly_paths_array(p_array, i_array, masked_paths) { + every p_elem in p_array { + allow_readonly_path(p_elem, i_array, masked_paths) + } +} + +allow_readonly_path(p_elem, i_array, masked_paths) { + print("allow_readonly_path 1: p_elem =", p_elem) + + some i_elem in i_array + p_elem == i_elem + + print("allow_readonly_path 1: true") +} +allow_readonly_path(p_elem, i_array, masked_paths) { + print("allow_readonly_path 2: p_elem =", p_elem) + + some i_masked in masked_paths + p_elem == i_masked + + print("allow_readonly_path 2: true") +} + +# Check the consistency of the input "io.katacontainers.pkg.oci.bundle_path" +# and io.kubernetes.cri.sandbox-id" values with other fields. 
+allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) { + print("allow_by_bundle_or_sandbox_id: start") + + bundle_path := i_oci.Annotations["io.katacontainers.pkg.oci.bundle_path"] + bundle_id := replace(bundle_path, "/run/containerd/io.containerd.runtime.v2.task/k8s.io/", "") + + key := "io.kubernetes.cri.sandbox-id" + + p_regex := p_oci.Annotations[key] + sandbox_id := i_oci.Annotations[key] + + print("allow_by_bundle_or_sandbox_id: sandbox_id =", sandbox_id, "regex =", p_regex) + regex.match(p_regex, sandbox_id) + + allow_root_path(p_oci, i_oci, bundle_id) + + every i_mount in input.OCI.Mounts { + allow_mount(p_oci, i_mount, bundle_id, sandbox_id) + } + + allow_storages(p_storages, i_storages, bundle_id, sandbox_id) + + print("allow_by_bundle_or_sandbox_id: true") +} + +allow_process(p_oci, i_oci, s_name) { + p_process := p_oci.Process + i_process := i_oci.Process + + print("allow_process: i terminal =", i_process.Terminal, "p terminal =", p_process.Terminal) + p_process.Terminal == i_process.Terminal + + print("allow_process: i cwd =", i_process.Cwd, "i cwd =", p_process.Cwd) + p_process.Cwd == i_process.Cwd + + print("allow_process: i noNewPrivileges =", i_process.NoNewPrivileges, "p noNewPrivileges =", p_process.NoNewPrivileges) + p_process.NoNewPrivileges == i_process.NoNewPrivileges + + allow_caps(p_process.Capabilities, i_process.Capabilities) + allow_user(p_process, i_process) + allow_args(p_process, i_process, s_name) + allow_env(p_process, i_process, s_name) + + print("allow_process: true") +} + +allow_user(p_process, i_process) { + p_user := p_process.User + i_user := i_process.User + + print("allow_user: input uid =", i_user.UID, "policy uid =", p_user.UID) + p_user.UID == i_user.UID + + # TODO: track down the reason for registry.k8s.io/pause:3.9 being + # executed with gid = 0 despite having "65535:65535" in its container image + # config. 
+ #print("allow_user: input gid =", i_user.GID, "policy gid =", p_user.GID) + #p_user.GID == i_user.GID + + # TODO: compare the additionalGids field too after computing its value + # based on /etc/passwd and /etc/group from the container image. +} + +allow_args(p_process, i_process, s_name) { + print("allow_args 1: no args") + + not p_process.Args + not i_process.Args + + print("allow_args 1: true") +} +allow_args(p_process, i_process, s_name) { + print("allow_args 2: policy args =", p_process.Args) + print("allow_args 2: input args =", i_process.Args) + + count(p_process.Args) == count(i_process.Args) + + every i, i_arg in i_process.Args { + allow_arg(i, i_arg, p_process, s_name) + } + + print("allow_args 2: true") +} +allow_arg(i, i_arg, p_process, s_name) { + p_arg := p_process.Args[i] + print("allow_arg 1: i =", i, "i_arg =", i_arg, "p_arg =", p_arg) + + p_arg2 := replace(p_arg, "$$", "$") + p_arg2 == i_arg + + print("allow_arg 1: true") +} +allow_arg(i, i_arg, p_process, s_name) { + p_arg := p_process.Args[i] + print("allow_arg 2: i =", i, "i_arg =", i_arg, "p_arg =", p_arg) + + # TODO: can $(node-name) be handled better? + contains(p_arg, "$(node-name)") + + print("allow_arg 2: true") +} +allow_arg(i, i_arg, p_process, s_name) { + p_arg := p_process.Args[i] + print("allow_arg 3: i =", i, "i_arg =", i_arg, "p_arg =", p_arg) + + p_arg2 := replace(p_arg, "$$", "$") + p_arg3 := replace(p_arg2, "$(sandbox-name)", s_name) + print("allow_arg 3: p_arg3 =", p_arg3) + p_arg3 == i_arg + + print("allow_arg 3: true") +} + +# OCI process.Env field +allow_env(p_process, i_process, s_name) { + print("allow_env: p env =", p_process.Env) + print("allow_env: i env =", i_process.Env) + + every i_var in i_process.Env { + print("allow_env: i_var =", i_var) + allow_var(p_process, i_process, i_var, s_name) + } + + print("allow_env: true") +} + +# Allow input env variables that are present in the policy data too. 
+allow_var(p_process, i_process, i_var, s_name) { + some p_var in p_process.Env + p_var == i_var + print("allow_var 1: true") +} + +# Match input with one of the policy variables, after substituting $(sandbox-name). +allow_var(p_process, i_process, i_var, s_name) { + some p_var in p_process.Env + p_var2 := replace(p_var, "$(sandbox-name)", s_name) + + print("allow_var 2: p_var2 =", p_var2) + p_var2 == i_var + + print("allow_var 2: true") +} + +# Allow input env variables that match with a request_defaults regex. +allow_var(p_process, i_process, i_var, s_name) { + some p_regex1 in policy_data.request_defaults.CreateContainerRequest.allow_env_regex + p_regex2 := replace(p_regex1, "$(ipv4_a)", policy_data.common.ipv4_a) + p_regex3 := replace(p_regex2, "$(ip_p)", policy_data.common.ip_p) + p_regex4 := replace(p_regex3, "$(svc_name)", policy_data.common.svc_name) + p_regex5 := replace(p_regex4, "$(dns_label)", policy_data.common.dns_label) + + print("allow_var 3: p_regex5 =", p_regex5) + regex.match(p_regex5, i_var) + + print("allow_var 3: true") +} + +# Allow fieldRef "fieldPath: status.podIP" values. +allow_var(p_process, i_process, i_var, s_name) { + name_value := split(i_var, "=") + count(name_value) == 2 + is_ip(name_value[1]) + + some p_var in p_process.Env + allow_pod_ip_var(name_value[0], p_var) + + print("allow_var 4: true") +} + +# Allow common fieldRef variables. +allow_var(p_process, i_process, i_var, s_name) { + name_value := split(i_var, "=") + count(name_value) == 2 + + some p_var in p_process.Env + p_name_value := split(p_var, "=") + count(p_name_value) == 2 + + p_name_value[0] == name_value[0] + + # TODO: should these be handled in a different way? + always_allowed := ["$(host-name)", "$(node-name)", "$(pod-uid)"] + some allowed in always_allowed + contains(p_name_value[1], allowed) + + print("allow_var 5: true") +} + +# Allow fieldRef "fieldPath: status.hostIP" values. 
+allow_var(p_process, i_process, i_var, s_name) { + name_value := split(i_var, "=") + count(name_value) == 2 + is_ip(name_value[1]) + + some p_var in p_process.Env + allow_host_ip_var(name_value[0], p_var) + + print("allow_var 6: true") +} + +# Allow resourceFieldRef values (e.g., "limits.cpu"). +allow_var(p_process, i_process, i_var, s_name) { + name_value := split(i_var, "=") + count(name_value) == 2 + + some p_var in p_process.Env + p_name_value := split(p_var, "=") + count(p_name_value) == 2 + + p_name_value[0] == name_value[0] + + # TODO: should these be handled in a different way? + always_allowed = ["$(resource-field)", "$(todo-annotation)"] + some allowed in always_allowed + contains(p_name_value[1], allowed) + + print("allow_var 7: true") +} + +allow_pod_ip_var(var_name, p_var) { + print("allow_pod_ip_var: var_name =", var_name, "p_var =", p_var) + + p_name_value := split(p_var, "=") + count(p_name_value) == 2 + + p_name_value[0] == var_name + p_name_value[1] == "$(pod-ip)" + + print("allow_pod_ip_var: true") +} + +allow_host_ip_var(var_name, p_var) { + print("allow_host_ip_var: var_name =", var_name, "p_var =", p_var) + + p_name_value := split(p_var, "=") + count(p_name_value) == 2 + + p_name_value[0] == var_name + p_name_value[1] == "$(host-ip)" + + print("allow_host_ip_var: true") +} + +is_ip(value) { + bytes = split(value, ".") + count(bytes) == 4 + + is_ip_first_byte(bytes[0]) + is_ip_other_byte(bytes[1]) + is_ip_other_byte(bytes[2]) + is_ip_other_byte(bytes[3]) +} +is_ip_first_byte(component) { + number = to_number(component) + number >= 1 + number <= 255 +} +is_ip_other_byte(component) { + number = to_number(component) + number >= 0 + number <= 255 +} + +# OCI root.Path +allow_root_path(p_oci, i_oci, bundle_id) { + i_path := i_oci.Root.Path + p_path1 := p_oci.Root.Path + print("allow_root_path: i_path =", i_path, "p_path1 =", p_path1) + + p_path2 := replace(p_path1, "$(cpath)", policy_data.common.cpath) + print("allow_root_path: p_path2 =", p_path2) 
+ + p_path3 := replace(p_path2, "$(bundle-id)", bundle_id) + print("allow_root_path: p_path3 =", p_path3) + + p_path3 == i_path + + print("allow_root_path: true") +} + +# device mounts +allow_mount(p_oci, i_mount, bundle_id, sandbox_id) { + print("allow_mount: i_mount =", i_mount) + + some p_mount in p_oci.Mounts + print("allow_mount: p_mount =", p_mount) + check_mount(p_mount, i_mount, bundle_id, sandbox_id) + + # TODO: are there any other required policy checks for mounts - e.g., + # multiple mounts with same source or destination? + + print("allow_mount: true") +} + +check_mount(p_mount, i_mount, bundle_id, sandbox_id) { + p_mount == i_mount + print("check_mount 1: true") +} +check_mount(p_mount, i_mount, bundle_id, sandbox_id) { + p_mount.destination == i_mount.destination + p_mount.type_ == i_mount.type_ + p_mount.options == i_mount.options + + mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) + + print("check_mount 2: true") +} + +mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) { + regex1 := p_mount.source + regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix) + regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath) + regex4 := replace(regex3, "$(bundle-id)", bundle_id) + + print("mount_source_allows 1: regex4 =", regex4) + regex.match(regex4, i_mount.source) + + print("mount_source_allows 1: true") +} +mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) { + regex1 := p_mount.source + regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix) + regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath) + regex4 := replace(regex3, "$(sandbox-id)", sandbox_id) + + print("mount_source_allows 2: regex4 =", regex4) + regex.match(regex4, i_mount.source) + + print("mount_source_allows 2: true") +} +mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) { + print("mount_source_allows 3: i_mount.source=", i_mount.source) + + i_source_parts = split(i_mount.source, "/") + 
b64_direct_vol_path = i_source_parts[count(i_source_parts) - 1] + + base64.is_valid(b64_direct_vol_path) + + source1 := p_mount.source + print("mount_source_allows 3: source1 =", source1) + + source2 := replace(source1, "$(spath)", policy_data.common.spath) + print("mount_source_allows 3: source2 =", source2) + + source3 := replace(source2, "$(b64-direct-vol-path)", b64_direct_vol_path) + print("mount_source_allows 3: source3 =", source3) + + source3 == i_mount.source + + print("mount_source_allows 3: true") +} + +###################################################################### +# Create container Storages + +allow_storages(p_storages, i_storages, bundle_id, sandbox_id) { + p_count := count(p_storages) + i_count := count(i_storages) + print("allow_storages: p_count =", p_count, "i_count =", i_count) + + p_count == i_count + + # Get the container image layer IDs and verity root hashes, from the "overlayfs" storage. + some overlay_storage in p_storages + overlay_storage.driver == "overlayfs" + print("allow_storages: overlay_storage =", overlay_storage) + count(overlay_storage.options) == 2 + + layer_ids := split(overlay_storage.options[0], ":") + print("allow_storages: layer_ids =", layer_ids) + + root_hashes := split(overlay_storage.options[1], ":") + print("allow_storages: root_hashes =", root_hashes) + + every i_storage in i_storages { + allow_storage(p_storages, i_storage, bundle_id, sandbox_id, layer_ids, root_hashes) + } + + print("allow_storages: true") +} + +allow_storage(p_storages, i_storage, bundle_id, sandbox_id, layer_ids, root_hashes) { + some p_storage in p_storages + + print("allow_storage: p_storage =", p_storage) + print("allow_storage: i_storage =", i_storage) + + p_storage.driver == i_storage.driver + p_storage.driver_options == i_storage.driver_options + p_storage.fs_group == i_storage.fs_group + + allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) + allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) 
+ + # TODO: validate the source field too. + + print("allow_storage: true") +} + +allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) { + print("allow_storage_options 1: start") + + p_storage.driver != "overlayfs" + p_storage.options == i_storage.options + + print("allow_storage_options 1: true") +} +allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) { + print("allow_storage_options 2: start") + + p_storage.driver == "overlayfs" + count(p_storage.options) == 2 + + policy_ids := split(p_storage.options[0], ":") + print("allow_storage_options 2: policy_ids =", policy_ids) + policy_ids == layer_ids + + policy_hashes := split(p_storage.options[1], ":") + print("allow_storage_options 2: policy_hashes =", policy_hashes) + + p_count := count(policy_ids) + print("allow_storage_options 2: p_count =", p_count) + p_count >= 1 + p_count == count(policy_hashes) + + i_count := count(i_storage.options) + print("allow_storage_options 2: i_count =", i_count) + i_count == p_count + 3 + + print("allow_storage_options 2: i_storage.options[0] =", i_storage.options[0]) + i_storage.options[0] == "io.katacontainers.fs-opt.layer-src-prefix=/var/lib/containerd/io.containerd.snapshotter.v1.tardev/layers" + + print("allow_storage_options 2: i_storage.options[i_count - 2] =", i_storage.options[i_count - 2]) + i_storage.options[i_count - 2] == "io.katacontainers.fs-opt.overlay-rw" + + lowerdir := concat("=", ["lowerdir", p_storage.options[0]]) + print("allow_storage_options 2: lowerdir =", lowerdir) + + print("allow_storage_options 2: i_storage.options[i_count - 1] =", i_storage.options[i_count - 1]) + i_storage.options[i_count - 1] == lowerdir + + every i, policy_id in policy_ids { + allow_overlay_layer(policy_id, policy_hashes[i], i_storage.options[i + 1]) + } + + print("allow_storage_options 2: true") +} +allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) { + print("allow_storage_options 3: start") + + p_storage.driver == "blk" + 
count(p_storage.options) == 1 + + startswith(p_storage.options[0], "$(hash") + hash_suffix := trim_left(p_storage.options[0], "$(hash") + + endswith(hash_suffix, ")") + hash_index := trim_right(hash_suffix, ")") + i := to_number(hash_index) + print("allow_storage_options 3: i =", i) + + hash_option := concat("=", ["io.katacontainers.fs-opt.root-hash", root_hashes[i]]) + print("allow_storage_options 3: hash_option =", hash_option) + + count(i_storage.options) == 4 + i_storage.options[0] == "ro" + i_storage.options[1] == "io.katacontainers.fs-opt.block_device=file" + i_storage.options[2] == "io.katacontainers.fs-opt.is-layer" + i_storage.options[3] == hash_option + + print("allow_storage_options 3: true") +} +allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) { + print("allow_storage_options 4: start") + + p_storage.driver == "smb" + count(i_storage.options) == 8 + i_storage.options[0] == "dir_mode=0666" + i_storage.options[1] == "file_mode=0666" + i_storage.options[2] == "mfsymlinks" + i_storage.options[3] == "cache=strict" + i_storage.options[4] == "nosharesock" + i_storage.options[5] == "actimeo=30" + startswith(i_storage.options[6], "addr=") + creds = split(i_storage.options[7], ",") + count(creds) == 2 + startswith(creds[0], "username=") + startswith(creds[1], "password=") + + print("allow_storage_options 4: true") +} + +allow_overlay_layer(policy_id, policy_hash, i_option) { + print("allow_overlay_layer: policy_id =", policy_id, "policy_hash =", policy_hash) + print("allow_overlay_layer: i_option =", i_option) + + startswith(i_option, "io.katacontainers.fs-opt.layer=") + i_value := replace(i_option, "io.katacontainers.fs-opt.layer=", "") + i_value_decoded := base64.decode(i_value) + print("allow_overlay_layer: i_value_decoded =", i_value_decoded) + + policy_suffix := concat("=", ["tar,ro,io.katacontainers.fs-opt.block_device=file,io.katacontainers.fs-opt.is-layer,io.katacontainers.fs-opt.root-hash", policy_hash]) + p_value := concat(",", 
[policy_id, policy_suffix]) + print("allow_overlay_layer: p_value =", p_value) + + p_value == i_value_decoded + + print("allow_overlay_layer: true") +} + +allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { + p_storage.fstype == "tar" + + startswith(p_storage.mount_point, "$(layer") + mount_suffix := trim_left(p_storage.mount_point, "$(layer") + + endswith(mount_suffix, ")") + layer_index := trim_right(mount_suffix, ")") + i := to_number(layer_index) + print("allow_mount_point 1: i =", i) + + layer_id := layer_ids[i] + print("allow_mount_point 1: layer_id =", layer_id) + + p_mount := concat("/", ["/run/kata-containers/sandbox/layers", layer_id]) + print("allow_mount_point 1: p_mount =", p_mount) + + p_mount == i_storage.mount_point + + print("allow_mount_point 1: true") +} +allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { + p_storage.fstype == "fuse3.kata-overlay" + + mount1 := replace(p_storage.mount_point, "$(cpath)", policy_data.common.cpath) + mount2 := replace(mount1, "$(bundle-id)", bundle_id) + print("allow_mount_point 2: mount2 =", mount2) + + mount2 == i_storage.mount_point + + print("allow_mount_point 2: true") +} +allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { + p_storage.fstype == "local" + + mount1 := p_storage.mount_point + print("allow_mount_point 3: mount1 =", mount1) + + mount2 := replace(mount1, "$(cpath)", policy_data.common.cpath) + print("allow_mount_point 3: mount2 =", mount2) + + mount3 := replace(mount2, "$(sandbox-id)", sandbox_id) + print("allow_mount_point 3: mount3 =", mount3) + + regex.match(mount3, i_storage.mount_point) + + print("allow_mount_point 3: true") +} +allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { + p_storage.fstype == "bind" + + mount1 := p_storage.mount_point + print("allow_mount_point 4: mount1 =", mount1) + + mount2 := replace(mount1, "$(cpath)", policy_data.common.cpath) + print("allow_mount_point 4: mount2 =", 
mount2) + + mount3 := replace(mount2, "$(bundle-id)", bundle_id) + print("allow_mount_point 4: mount3 =", mount3) + + regex.match(mount3, i_storage.mount_point) + + print("allow_mount_point 4: true") +} +allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { + p_storage.fstype == "tmpfs" + + mount1 := p_storage.mount_point + print("allow_mount_point 5: mount1 =", mount1) + + regex.match(mount1, i_storage.mount_point) + + print("allow_mount_point 5: true") +} +allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { + print("allow_mount_point 6: i_storage.mount_point =", i_storage.mount_point) + allow_direct_vol_driver(p_storage, i_storage) + + mount1 := p_storage.mount_point + print("allow_mount_point 6: mount1 =", mount1) + + mount2 := replace(mount1, "$(spath)", policy_data.common.spath) + print("allow_mount_point 6: mount2 =", mount2) + + direct_vol_path := i_storage.source + mount3 := replace(mount2, "$(b64-direct-vol-path)", base64url.encode(direct_vol_path)) + print("allow_mount_point 6: mount3 =", mount3) + + mount3 == i_storage.mount_point + + print("allow_mount_point 6: true") +} + +allow_direct_vol_driver(p_storage, i_storage) { + print("allow_direct_vol_driver 1: start") + p_storage.driver == "blk" + print("allow_direct_vol_driver 1: true") +} +allow_direct_vol_driver(p_storage, i_storage) { + print("allow_direct_vol_driver 2: start") + p_storage.driver == "smb" + print("allow_direct_vol_driver 2: true") +} + +# process.Capabilities +allow_caps(p_caps, i_caps) { + print("allow_caps: policy Ambient =", p_caps.Ambient) + print("allow_caps: input Ambient =", i_caps.Ambient) + match_caps(p_caps.Ambient, i_caps.Ambient) + + print("allow_caps: policy Bounding =", p_caps.Bounding) + print("allow_caps: input Bounding =", i_caps.Bounding) + match_caps(p_caps.Bounding, i_caps.Bounding) + + print("allow_caps: policy Effective =", p_caps.Effective) + print("allow_caps: input Effective =", i_caps.Effective) + 
match_caps(p_caps.Effective, i_caps.Effective) + + print("allow_caps: policy Inheritable =", p_caps.Inheritable) + print("allow_caps: input Inheritable =", i_caps.Inheritable) + match_caps(p_caps.Inheritable, i_caps.Inheritable) + + print("allow_caps: policy Permitted =", p_caps.Permitted) + print("allow_caps: input Permitted =", i_caps.Permitted) + match_caps(p_caps.Permitted, i_caps.Permitted) +} + +match_caps(p_caps, i_caps) { + print("match_caps 1: start") + + p_caps == i_caps + + print("match_caps 1: true") +} +match_caps(p_caps, i_caps) { + print("match_caps 2: start") + + count(p_caps) == 1 + p_caps[0] == "$(default_caps)" + + print("match_caps 2: default_caps =", policy_data.common.default_caps) + policy_data.common.default_caps == i_caps + + print("match_caps 2: true") +} +match_caps(p_caps, i_caps) { + print("match_caps 3: start") + + count(p_caps) == 1 + p_caps[0] == "$(privileged_caps)" + + print("match_caps 3: privileged_caps =", policy_data.common.privileged_caps) + policy_data.common.privileged_caps == i_caps + + print("match_caps 3: true") +} + +###################################################################### +check_directory_traversal(i_path) { + contains(i_path, "../") == false + endswith(i_path, "/..") == false + i_path != ".." +} + +check_symlink_source { + # TODO: delete this rule once the symlink_src field gets implemented + # by all/most Guest VMs. 
+ not input.symlink_src +} +check_symlink_source { + i_src := input.symlink_src + print("check_symlink_source: i_src =", i_src) + + startswith(i_src, "/") == false + check_directory_traversal(i_src) +} + +allow_sandbox_storages(i_storages) { + print("allow_sandbox_storages: i_storages =", i_storages) + + p_storages := policy_data.sandbox.storages + every i_storage in i_storages { + allow_sandbox_storage(p_storages, i_storage) + } + + print("allow_sandbox_storages: true") +} + +allow_sandbox_storage(p_storages, i_storage) { + print("allow_sandbox_storage: i_storage =", i_storage) + + some p_storage in p_storages + print("allow_sandbox_storage: p_storage =", p_storage) + i_storage == p_storage + + print("allow_sandbox_storage: true") +} + +CopyFileRequest { + print("CopyFileRequest: input.path =", input.path) + + check_symlink_source + check_directory_traversal(input.path) + + some regex1 in policy_data.request_defaults.CopyFileRequest + regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix) + regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath) + regex4 := replace(regex3, "$(bundle-id)", "[a-z0-9]{64}") + print("CopyFileRequest: regex4 =", regex4) + + regex.match(regex4, input.path) + + print("CopyFileRequest: true") +} + +CreateSandboxRequest { + print("CreateSandboxRequest: input.guest_hook_path =", input.guest_hook_path) + count(input.guest_hook_path) == 0 + + print("CreateSandboxRequest: input.kernel_modules =", input.kernel_modules) + count(input.kernel_modules) == 0 + + i_pidns := input.sandbox_pidns + print("CreateSandboxRequest: i_pidns =", i_pidns) + i_pidns == false + + allow_sandbox_storages(input.storages) +} + +ExecProcessRequest { + print("ExecProcessRequest 1: input =", input) + + i_command = concat(" ", input.process.Args) + print("ExecProcessRequest 1: i_command =", i_command) + + some p_command in policy_data.request_defaults.ExecProcessRequest.commands + print("ExecProcessRequest 1: p_command =", p_command) + p_command == 
i_command + + print("ExecProcessRequest 1: true") +} +ExecProcessRequest { + print("ExecProcessRequest 2: input =", input) + + # TODO: match input container ID with its corresponding container.exec_commands. + i_command = concat(" ", input.process.Args) + print("ExecProcessRequest 3: i_command =", i_command) + + some container in policy_data.containers + some p_command in container.exec_commands + print("ExecProcessRequest 2: p_command =", p_command) + + # TODO: should other input data fields be validated as well? + p_command == i_command + + print("ExecProcessRequest 2: true") +} +ExecProcessRequest { + print("ExecProcessRequest 3: input =", input) + + i_command = concat(" ", input.process.Args) + print("ExecProcessRequest 3: i_command =", i_command) + + some p_regex in policy_data.request_defaults.ExecProcessRequest.regex + print("ExecProcessRequest 3: p_regex =", p_regex) + + regex.match(p_regex, i_command) + + print("ExecProcessRequest 3: true") +} + +CloseStdinRequest { + policy_data.request_defaults.CloseStdinRequest == true +} + +ReadStreamRequest { + policy_data.request_defaults.ReadStreamRequest == true +} + +UpdateEphemeralMountsRequest { + policy_data.request_defaults.UpdateEphemeralMountsRequest == true +} + +WriteStreamRequest { + policy_data.request_defaults.WriteStreamRequest == true +} + +policy_data := { + "containers": [ + { + "OCI": { + "Version": "1.1.0-rc.1", + "Process": { + "Terminal": false, + "User": { + "UID": 65535, + "GID": 65535, + "AdditionalGids": [], + "Username": "" + }, + "Args": [ + "/pause" + ], + "Env": [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" + ], + "Cwd": "/", + "Capabilities": { + "Ambient": [], + "Bounding": [ + "$(default_caps)" + ], + "Effective": [ + "$(default_caps)" + ], + "Inheritable": [], + "Permitted": [ + "$(default_caps)" + ] + }, + "NoNewPrivileges": true + }, + "Root": { + "Path": "$(cpath)/$(bundle-id)", + "Readonly": true + }, + "Mounts": [ + { + "destination": "/proc", + 
"source": "proc", + "type_": "proc", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/dev", + "source": "tmpfs", + "type_": "tmpfs", + "options": [ + "nosuid", + "strictatime", + "mode=755", + "size=65536k" + ] + }, + { + "destination": "/dev/pts", + "source": "devpts", + "type_": "devpts", + "options": [ + "nosuid", + "noexec", + "newinstance", + "ptmxmode=0666", + "mode=0620", + "gid=5" + ] + }, + { + "destination": "/dev/shm", + "source": "/run/kata-containers/sandbox/shm", + "type_": "bind", + "options": [ + "rbind" + ] + }, + { + "destination": "/dev/mqueue", + "source": "mqueue", + "type_": "mqueue", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/sys", + "source": "sysfs", + "type_": "sysfs", + "options": [ + "nosuid", + "noexec", + "nodev", + "ro" + ] + }, + { + "destination": "/etc/resolv.conf", + "source": "$(sfprefix)resolv.conf$", + "type_": "bind", + "options": [ + "rbind", + "ro", + "nosuid", + "nodev", + "noexec" + ] + } + ], + "Annotations": { + "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/$(bundle-id)", + "io.katacontainers.pkg.oci.container_type": "pod_sandbox", + "io.kubernetes.cri.container-type": "sandbox", + "io.kubernetes.cri.sandbox-id": "^[a-z0-9]{64}$", + "io.kubernetes.cri.sandbox-log-directory": "^/var/log/pods/$(sandbox-namespace)_$(sandbox-name)_[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "io.kubernetes.cri.sandbox-namespace": "default", + "nerdctl/network-namespace": "^/var/run/netns/cni-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$" + }, + "Linux": { + "Namespaces": [ + { + "Type": "ipc", + "Path": "" + }, + { + "Type": "uts", + "Path": "" + }, + { + "Type": "mount", + "Path": "" + } + ], + "MaskedPaths": [ + "/proc/acpi", + "/proc/asound", + "/proc/kcore", + "/proc/keys", + "/proc/latency_stats", + "/proc/timer_list", + "/proc/timer_stats", + "/proc/sched_debug", + "/sys/firmware", 
+ "/proc/scsi" + ], + "ReadonlyPaths": [ + "/proc/bus", + "/proc/fs", + "/proc/irq", + "/proc/sys", + "/proc/sysrq-trigger" + ] + } + }, + "storages": [ + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash0)" + ], + "mount_point": "$(layer0)", + "fs_group": null + }, + { + "driver": "overlayfs", + "driver_options": [], + "source": "", + "fstype": "fuse3.kata-overlay", + "options": [ + "5a5aad80055ff20012a50dc25f8df7a29924474324d65f7d5306ee8ee27ff71d", + "817250f1a3e336da76f5bd3fa784e1b26d959b9c131876815ba2604048b70c18" + ], + "mount_point": "$(cpath)/$(bundle-id)", + "fs_group": null + } + ], + "sandbox_pidns": false, + "exec_commands": [] + }, + { + "OCI": { + "Version": "1.1.0-rc.1", + "Process": { + "Terminal": false, + "User": { + "UID": 0, + "GID": 0, + "AdditionalGids": [], + "Username": "" + }, + "Args": [ + "/bin/sh", + "-c", + "while true; do echo $(sandbox-name); sleep 10; done" + ], + "Env": [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", + "HOSTNAME=$(host-name)", + "META_NAME=$(sandbox-name)" + ], + "Cwd": "/", + "Capabilities": { + "Ambient": [], + "Bounding": [ + "$(default_caps)" + ], + "Effective": [ + "$(default_caps)" + ], + "Inheritable": [], + "Permitted": [ + "$(default_caps)" + ] + }, + "NoNewPrivileges": false + }, + "Root": { + "Path": "$(cpath)/$(bundle-id)", + "Readonly": false + }, + "Mounts": [ + { + "destination": "/proc", + "source": "proc", + "type_": "proc", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/dev", + "source": "tmpfs", + "type_": "tmpfs", + "options": [ + "nosuid", + "strictatime", + "mode=755", + "size=65536k" + ] + }, + { + "destination": "/dev/pts", + "source": "devpts", + "type_": "devpts", + "options": [ + "nosuid", + "noexec", + "newinstance", + "ptmxmode=0666", + "mode=0620", + "gid=5" + ] + }, + { + "destination": "/dev/shm", + "source": "/run/kata-containers/sandbox/shm", + "type_": "bind", + 
"options": [ + "rbind" + ] + }, + { + "destination": "/dev/mqueue", + "source": "mqueue", + "type_": "mqueue", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/sys", + "source": "sysfs", + "type_": "sysfs", + "options": [ + "nosuid", + "noexec", + "nodev", + "ro" + ] + }, + { + "destination": "/sys/fs/cgroup", + "source": "cgroup", + "type_": "cgroup", + "options": [ + "nosuid", + "noexec", + "nodev", + "relatime", + "ro" + ] + }, + { + "destination": "/etc/hosts", + "source": "$(sfprefix)hosts$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/dev/termination-log", + "source": "$(sfprefix)termination-log$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/etc/hostname", + "source": "$(sfprefix)hostname$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/etc/resolv.conf", + "source": "$(sfprefix)resolv.conf$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/var/run/secrets/kubernetes.io/serviceaccount", + "source": "$(sfprefix)serviceaccount$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "ro" + ] + }, + { + "destination": "/var/run/secrets/azure/tokens", + "source": "$(sfprefix)tokens$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "ro" + ] + }, + { + "destination": "/usr/share/nginx/html", + "source": "^/run/kata-containers/shared/containers/$(bundle-id)-[a-z0-9]{16}-html$", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + } + ], + "Annotations": { + "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/$(bundle-id)", + "io.katacontainers.pkg.oci.container_type": "pod_container", + "io.kubernetes.cri.container-name": "nginx2", + "io.kubernetes.cri.container-type": "container", + "io.kubernetes.cri.image-name": 
"mcr.microsoft.com/cbl-mariner/base/nginx:1.22.1-9-cm2.0.20230904-amd64", + "io.kubernetes.cri.sandbox-id": "^[a-z0-9]{64}$", + "io.kubernetes.cri.sandbox-namespace": "default" + }, + "Linux": { + "Namespaces": [ + { + "Type": "ipc", + "Path": "" + }, + { + "Type": "uts", + "Path": "" + }, + { + "Type": "mount", + "Path": "" + } + ], + "MaskedPaths": [ + "/proc/acpi", + "/proc/kcore", + "/proc/keys", + "/proc/latency_stats", + "/proc/timer_list", + "/proc/timer_stats", + "/proc/sched_debug", + "/proc/scsi", + "/sys/firmware" + ], + "ReadonlyPaths": [ + "/proc/asound", + "/proc/bus", + "/proc/fs", + "/proc/irq", + "/proc/sys", + "/proc/sysrq-trigger" + ] + } + }, + "storages": [ + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash0)" + ], + "mount_point": "$(layer0)", + "fs_group": null + }, + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash1)" + ], + "mount_point": "$(layer1)", + "fs_group": null + }, + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash2)" + ], + "mount_point": "$(layer2)", + "fs_group": null + }, + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash3)" + ], + "mount_point": "$(layer3)", + "fs_group": null + }, + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash4)" + ], + "mount_point": "$(layer4)", + "fs_group": null + }, + { + "driver": "blk", + "driver_options": [], + "source": "", + "fstype": "tar", + "options": [ + "$(hash5)" + ], + "mount_point": "$(layer5)", + "fs_group": null + }, + { + "driver": "overlayfs", + "driver_options": [], + "source": "", + "fstype": "fuse3.kata-overlay", + "options": [ + 
"1b27bec068016fce230a3c9f4920d3be7251e5baada7dca3204a932cbcde27e2:c8295c80a79c2ed76e03ddb2af390ac3791b8779da798cb183fa985ce5cee1dc:cfb9fe97a1869ee9b0daae3d8cd59720cf371da568a6c14bba16d982e7092983:14f395647869a88f90a33eef50c97e82f4b981b6e20a584d51bf304967b8542c:fc7dd8614820bbafe5b6b6645e19945b4af989b662c989fd46c465fafca702f7:8d311e8e51984cabaccec1fbfcbcdd7bf52a8a978169cd20af07bbd1c3a4692a", + "073dba7831293107f8873eedabf4922d16a506086f6f46b19b4c2386831c3106:ed0feae4f4dccb686628963b1f1f5dae7b3e015c881e72f005ff2f99c649457e:d138152b660d2dbcc5082afae58edb1bf0ee5742b91933a2f61664b847b23281:1d69eaf5c5c25731e9a8ebb038c942f6aa6aff5b15b11d8bd44431e514ccd69f:1eb4bff8040a86c514815a039f6cb4d7aa4c5f1b7a2e1a45f6f86ca8c770ffff:e928fff98ddea2d26dbba075605770bd6f6ef068c975289b49acb3d55030d071" + ], + "mount_point": "$(cpath)/$(bundle-id)", + "fs_group": null + } + ], + "sandbox_pidns": true, + "exec_commands": [] + } + ], + "common": { + "cpath": "/run/kata-containers/shared/containers", + "sfprefix": "^$(cpath)/$(bundle-id)-[a-z0-9]{16}-", + "spath": "/run/kata-containers/sandbox/storage", + "ipv4_a": "((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}", + "ip_p": "[0-9]{1,5}", + "svc_name": "[A-Z0-9_\\.\\-]+", + "dns_label": "[a-zA-Z0-9_\\.\\-]+", + "default_caps": [ + "CAP_CHOWN", + "CAP_DAC_OVERRIDE", + "CAP_FSETID", + "CAP_FOWNER", + "CAP_MKNOD", + "CAP_NET_RAW", + "CAP_SETGID", + "CAP_SETUID", + "CAP_SETFCAP", + "CAP_SETPCAP", + "CAP_NET_BIND_SERVICE", + "CAP_SYS_CHROOT", + "CAP_KILL", + "CAP_AUDIT_WRITE" + ], + "privileged_caps": [ + "CAP_CHOWN", + "CAP_DAC_OVERRIDE", + "CAP_DAC_READ_SEARCH", + "CAP_FOWNER", + "CAP_FSETID", + "CAP_KILL", + "CAP_SETGID", + "CAP_SETUID", + "CAP_SETPCAP", + "CAP_LINUX_IMMUTABLE", + "CAP_NET_BIND_SERVICE", + "CAP_NET_BROADCAST", + "CAP_NET_ADMIN", + "CAP_NET_RAW", + "CAP_IPC_LOCK", + "CAP_IPC_OWNER", + "CAP_SYS_MODULE", + "CAP_SYS_RAWIO", + "CAP_SYS_CHROOT", + "CAP_SYS_PTRACE", + "CAP_SYS_PACCT", + "CAP_SYS_ADMIN", + "CAP_SYS_BOOT", + "CAP_SYS_NICE", 
+ "CAP_SYS_RESOURCE", + "CAP_SYS_TIME", + "CAP_SYS_TTY_CONFIG", + "CAP_MKNOD", + "CAP_LEASE", + "CAP_AUDIT_WRITE", + "CAP_AUDIT_CONTROL", + "CAP_SETFCAP", + "CAP_MAC_OVERRIDE", + "CAP_MAC_ADMIN", + "CAP_SYSLOG", + "CAP_WAKE_ALARM", + "CAP_BLOCK_SUSPEND", + "CAP_AUDIT_READ", + "CAP_PERFMON", + "CAP_BPF", + "CAP_CHECKPOINT_RESTORE" + ], + "virtio_blk_storage_classes": [ + "cc-local-csi", + "cc-managed-csi", + "cc-managed-premium-csi" + ], + "smb_storage_classes": [ + "cc-azurefile-csi", + "cc-azurefile-premium-csi" + ] + }, + "sandbox": { + "storages": [ + { + "driver": "ephemeral", + "driver_options": [], + "source": "shm", + "fstype": "tmpfs", + "options": [ + "noexec", + "nosuid", + "nodev", + "mode=1777", + "size=67108864" + ], + "mount_point": "/run/kata-containers/sandbox/shm", + "fs_group": null + } + ] + }, + "request_defaults": { + "CreateContainerRequest": { + "allow_env_regex": [ + "^HOSTNAME=$(dns_label)$", + "^$(svc_name)_PORT_$(ip_p)_TCP=tcp://$(ipv4_a):$(ip_p)$", + "^$(svc_name)_PORT_$(ip_p)_TCP_PROTO=tcp$", + "^$(svc_name)_PORT_$(ip_p)_TCP_PORT=$(ip_p)$", + "^$(svc_name)_PORT_$(ip_p)_TCP_ADDR=$(ipv4_a)$", + "^$(svc_name)_SERVICE_HOST=$(ipv4_a)$", + "^$(svc_name)_SERVICE_PORT=$(ip_p)$", + "^$(svc_name)_SERVICE_PORT_$(dns_label)=$(ip_p)$", + "^$(svc_name)_PORT=tcp://$(ipv4_a):$(ip_p)$", + "^AZURE_CLIENT_ID=[A-Fa-f0-9-]*$", + "^AZURE_TENANT_ID=[A-Fa-f0-9-]*$", + "^AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/azure/tokens/azure-identity-token$", + "^AZURE_AUTHORITY_HOST=https://login\\.microsoftonline\\.com/$" + ] + }, + "CopyFileRequest": [ + "$(sfprefix)" + ], + "ExecProcessRequest": { + "commands": [], + "regex": [] + }, + "CloseStdinRequest": false, + "ReadStreamRequest": true, + "UpdateEphemeralMountsRequest": false, + "WriteStreamRequest": false + } +} \ No newline at end of file diff --git a/tests/kata/main.rs b/tests/kata/main.rs index c329725d..43428db9 100644 --- a/tests/kata/main.rs +++ b/tests/kata/main.rs 
@@ -3,12 +3,21 @@ use regorus::*; use std::path::Path; +use std::time::Instant; -use anyhow::Result; +use anyhow::{bail, Result}; use clap::Parser; use walkdir::WalkDir; -fn run_kata_tests(tests_dir: &Path, generate: bool) -> Result<()> { +fn run_kata_tests( + tests_dir: &Path, + name: &Option, + coverage: bool, + generate: bool, +) -> Result<()> { + let mut num_tests = 0; + let mut num_queries = 0; + let mut total_time_ns = 0; for entry in WalkDir::new(tests_dir) .max_depth(1) // Do not recurse .sort_by_file_name() @@ -20,9 +29,17 @@ fn run_kata_tests(tests_dir: &Path, generate: bool) -> Result<()> { continue; } + // If specificed, only execute tests matching given name. + if let Some(name) = name { + if !path.ends_with(name) { + continue; + } + } + num_tests += 1; + let policy_file = path.join("policy.rego"); let inputs_file = path.join("inputs.txt"); - let outputs_file = path.join("output.json"); + let outputs_file = path.join("outputs.json"); let mut engine = Engine::new(); engine.add_policy_from_file(&policy_file)?; @@ -37,7 +54,7 @@ fn run_kata_tests(tests_dir: &Path, generate: bool) -> Result<()> { let mut results = if generate { vec![] } else { - Value::from_json_str(&std::fs::read_to_string(&outputs_file)?)? + Value::from_json_file(&outputs_file)? .as_array()? .iter() .cloned() @@ -63,12 +80,16 @@ fn run_kata_tests(tests_dir: &Path, generate: bool) -> Result<()> { // Evaluate using engine. engine.set_input(input.clone()); + let start = Instant::now(); let r = engine.eval_rule(rule.clone())?; + total_time_ns += start.elapsed().as_nanos(); // Evaluate using fresh engine. let mut new_engine = engine_base.clone(); new_engine.set_input(input); + let start = Instant::now(); let r_new = new_engine.eval_rule(rule)?; + total_time_ns += start.elapsed().as_nanos(); // Ensure that both evaluations produced the same result. assert_eq!(r, r_new); 
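Review bot: `run_kata_tests` gains three parameters but no doc comment, so a reader has to locate the `if let Some(name)` filter and the `#[cfg(feature = "coverage")]` block further down to learn what `name` and `coverage` mean. A `///` comment above the new signature would cover it: "Runs every test directory directly under `tests_dir`, or only the one whose directory name equals `name`; `coverage` prints the engine's coverage report per test (only when the crate is built with the `coverage` feature); `generate` rewrites `outputs.json` instead of comparing against it." The `name: &Option<…>` parameter (its type parameter appears lost in this rendering, presumably `&Option<String>`) is the shape clippy's `ref_option` lint flags; taking `Option<&str>` and passing `cli.name.as_deref()` from `main` is the conventional borrow and still works with `path.ends_with(name)`. The function body continues past this hunk.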
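Review bot: `path.ends_with(name)` resolves to `Path::ends_with`, which matches whole path components, so `--name cm1` silently skips `pod-cm1` and the run terminates with the new `no tests found` error rather than a hint about the match rule; the comment should say so, and it also has a typo ("specificed"). Suggest `// If specified, only run the test whose directory name equals `name` (whole-component match, not a substring).` The enclosing `for` loop starts in the previous hunk and continues beyond this one.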
@@ -79,19 +100,32 @@ fn run_kata_tests(tests_dir: &Path, generate: bool) -> Result<()> { let expected = results.pop().unwrap(); assert_eq!(r, expected, "{lineno} failed in {}", inputs_file.display()); } + + num_queries += 2; } if generate { std::fs::write(outputs_file, Value::from(results).to_json_str()?)?; } - #[cfg(feature = "coverage")] - { - let report = engine.get_coverage_report()?; - println!("{}", report.to_colored_string()?); + + if coverage { + #[cfg(feature = "coverage")] + { + let report = engine.get_coverage_report()?; + println!("{}", report.to_colored_string()?); + } } } + if num_tests == 0 { + bail!("no tests found"); + } + + let millis = total_time_ns as f64 / 1000_000.0; + println!("executed {num_queries} queries in {millis:2} millis"); + println!("time per query is {:2} millis", millis / num_queries as f64); println!("kata tests passed"); + Ok(()) } @@ -103,6 +137,15 @@ struct Cli { #[clap(default_value = "tests/kata/data")] test_dir: String, + /// Name of a specific test + #[arg(long, short)] + name: Option, + + /// Display code coverage + #[arg(long, short)] + #[clap(default_value = "false")] + coverage: bool, + /// Generate outputs instead of testing. #[arg(long, short)] #[clap(default_value = "false")] @@ -111,5 +154,10 @@ struct Cli { fn main() -> Result<()> { let cli = Cli::parse(); - run_kata_tests(&Path::new(&cli.test_dir), cli.generate) + run_kata_tests( + &Path::new(&cli.test_dir), + &cli.name, + cli.coverage, + cli.generate, + ) }
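Review bot: `{millis:2}` and `{:2}` in the two new `println!` calls are a minimum field width of 2, not a two-digit precision, so the timings print with full f64 precision; the intended form is `{millis:.2}` and `{:.2}`. The literal `1000_000.0` is grouped unconventionally (clippy `inconsistent_digit_grouping`); `1_000_000.0` reads as the intended million. When `--coverage` is passed on a build without the `coverage` feature, the `if coverage { … }` block is empty and the flag is silently ignored; a `#[cfg(not(feature = "coverage"))] eprintln!("--coverage ignored: built without the coverage feature");` inside that `if` would tell the user. Note also that `bail!` only guards `num_tests`: a matched test whose `inputs.txt` holds no queries leaves `num_queries` at 0 and the per-query division prints NaN instead of failing.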
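Review bot: The doc comment on the new `name` field, `/// Name of a specific test`, does not say that the value must equal a test directory name exactly (the filter in `run_kata_tests` uses `Path::ends_with`, a whole-component match), which is what a user typing a partial name will trip over. Suggest `/// Run only the test whose directory name equals NAME (e.g. pod-cm1); matches whole path components, not substrings.` The field's type parameter appears lost in this rendering (`name: Option,`), presumably `Option<String>` in the source.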