@danmihai1 danmihai1 commented Jul 10, 2025

  1. Remove genpolicy tarfs snapshotter support.
  • AKS Confidential Containers are using the tarfs snapshotter.
  • CoCo upstream doesn't use this snapshotter, so remove this Policy complexity from upstream.
  2. Skip pulling container image layers when guest-pull=true.

The contents of these layers were ignored due to:

  3. Use genpolicy CoCo settings by default.
  • "confidential_emptyDir" becomes "emptyDir" in the settings file.
  • "confidential_configMap" becomes "configMap" in settings.
  • "mount_source_cpath" becomes "cpath".
  • The new "root_path" gets used instead of the old "cpath" to point to the container root path.
  • "confidential_guest" is no longer used. By default it gets replaced by "enable_configmap_secret_storages"=false, because CoCo is using CopyFileRequest instead of the Storage data structures for ConfigMap and/or Secret volume mounts during CreateContainerRequest.
  • The value of "guest_pull" becomes true by default.
  • "image_layer_verification" is no longer used - just CoCo's guest pull is supported.
  • The Request input files from unit tests are changing to reflect the new default settings values described above.
  • tests/integration/kubernetes/tests_common.sh adjusts the settings for platforms that are not set-up for CoCo during CI (i.e., platforms other than SNP, TDX, and CoCo Dev).
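The settings-file changes listed in the description above, as an added example that is not code from the kata-containers project: a small Python migration that rewrites a pre-cleanup genpolicy settings document into the new key layout, and a check that flags anything the post-cleanup genpolicy no longer reads. The section names ("common", "volumes", "cluster_config"), which section each key sits in, and the sample values are assumptions made for this example; only the renames and defaults come from the PR text.

```python
"""Migrate a pre-cleanup genpolicy settings document to the post-cleanup layout
and check the result.  Added example; not code from kata-containers/genpolicy.
Section names, key placement and sample values are assumptions for this example."""
import copy
import json

# Constructed sample of a pre-cleanup settings file.  The section names
# ("common", "volumes", "cluster_config"), the placement of each key inside
# them and the placeholder values are assumptions for this example, not the
# project's real genpolicy-settings.json.
OLD_SETTINGS_JSON = """
{
  "common": {
    "cpath": "/run/kata-containers",
    "mount_source_cpath": "/run/kata-containers/shared/containers",
    "confidential_guest": true,
    "image_layer_verification": "none"
  },
  "volumes": {
    "emptyDir": {"variant": "non-confidential"},
    "confidential_emptyDir": {"variant": "confidential"},
    "configMap": {"variant": "non-confidential"},
    "confidential_configMap": {"variant": "confidential"}
  },
  "cluster_config": {
    "guest_pull": false
  }
}
"""

# confidential_* volume entries become the only entries, under the plain name
VOLUME_RENAMES = {"confidential_emptyDir": "emptyDir",
                  "confidential_configMap": "configMap"}
# "common" keys that the post-cleanup genpolicy no longer reads
LEGACY_COMMON_KEYS = ("confidential_guest", "image_layer_verification",
                      "mount_source_cpath")


def load_sample():
    """Parse the constructed pre-cleanup sample above."""
    return json.loads(OLD_SETTINGS_JSON)


def migrate_settings(old):
    """Return a new settings dict in the post-cleanup layout.

    The input is not modified, and the function is idempotent: feeding its own
    output back in changes nothing, so it is safe on a file of unknown vintage.
    """
    new = copy.deepcopy(old)
    common = new.setdefault("common", {})
    volumes = new.setdefault("volumes", {})
    cluster = new.setdefault("cluster_config", {})
    legacy = (any(k in common for k in LEGACY_COMMON_KEYS)
              or any(k in volumes for k in VOLUME_RENAMES))

    # The confidential_* volume entry replaces the non-confidential one.
    for old_key, new_key in VOLUME_RENAMES.items():
        if old_key in volumes:
            volumes[new_key] = volumes.pop(old_key)

    # Old "cpath" pointed at the container root: that job moves to "root_path",
    # and "mount_source_cpath" takes over the name "cpath".
    if "mount_source_cpath" in common:
        if "cpath" in common:
            common["root_path"] = common["cpath"]
        common["cpath"] = common.pop("mount_source_cpath")

    # "confidential_guest" is gone.  CoCo ships ConfigMap/Secret contents with
    # CopyFileRequest, so the Storage-based path is disabled by default.
    common.pop("confidential_guest", None)
    common.setdefault("enable_configmap_secret_storages", False)

    # Only guest pull is supported: host-side layer verification goes away and
    # guest_pull becomes the default (forced on when upgrading an old file,
    # since its "false" was the old default rather than a deliberate choice).
    common.pop("image_layer_verification", None)
    if legacy or "guest_pull" not in cluster:
        cluster["guest_pull"] = True
    return new


def check_settings(settings):
    """Return the list of things that make a settings dict stale or inconsistent
    with the post-cleanup defaults; an empty list means it is fine."""
    problems = []
    common = settings.get("common", {})
    volumes = settings.get("volumes", {})
    cluster = settings.get("cluster_config", {})
    problems += [f"volumes.{k} is no longer read" for k in VOLUME_RENAMES if k in volumes]
    problems += [f"common.{k} is no longer read" for k in LEGACY_COMMON_KEYS if k in common]
    if "root_path" not in common:
        problems.append("common.root_path is missing")
    if cluster.get("guest_pull") is not True:
        problems.append("cluster_config.guest_pull is not true (CoCo default)")
    if common.get("enable_configmap_secret_storages", False) is not False:
        problems.append("common.enable_configmap_secret_storages should be false "
                        "when ConfigMap/Secret data arrives via CopyFileRequest")
    return problems


def migrate_json(text):
    """Convenience wrapper: JSON text in, migrated JSON text out."""
    return json.dumps(migrate_settings(json.loads(text)), indent=2)


if __name__ == "__main__":
    old = load_sample()
    print("before:", check_settings(old))
    print("after: ", check_settings(migrate_settings(old)))
    print(migrate_json(OLD_SETTINGS_JSON))
```

Keys that genpolicy no longer reads are simply ignored rather than rejected, so a settings file that still carries confidential_* entries or an explicit guest_pull=false will not fail on its own; running the check before generating a policy is how you catch that.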

@danmihai1 danmihai1 marked this pull request as draft July 10, 2025 21:52
@danmihai1 danmihai1 force-pushed the danmihai1/genpolicy-cleanup branch 2 times, most recently from 921abd4 to 3a28b7e on July 11, 2025 01:07
AKS Confidential Containers are using the tarfs snapshotter. CoCo
upstream doesn't use this snapshotter, so remove this Policy complexity
from upstream.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>

Skip pulling container image layers when guest-pull=true. The contents
of these layers were ignored due to:
- kata-containers#11162, and
- tarfs snapshotter support having been removed from genpolicy.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>

- "confidential_emptyDir" becomes "emptyDir" in the settings file.
- "confidential_configMap" becomes "configMap" in settings.
- "mount_source_cpath" becomes "cpath".
- The new "root_path" gets used instead of the old "cpath" to point to
  the container root path.
- "confidential_guest" is no longer used. By default it gets replaced
  by "enable_configmap_secret_storages"=false, because CoCo is using
  CopyFileRequest instead of the Storage data structures for ConfigMap
  and/or Secret volume mounts during CreateContainerRequest.
- The value of "guest_pull" becomes true by default.
- "image_layer_verification" is no longer used - just CoCo's guest pull
  is supported.
- The Request input files from unit tests are changing to reflect the
  new default settings values described above.
- tests/integration/kubernetes/tests_common.sh adjusts the settings for
  platforms that are not set-up for CoCo during CI (i.e., platforms
  other than SNP, TDX, and CoCo Dev).

Signed-off-by: Dan Mihai <dmihai@microsoft.com>

Use a simple debug!() for logging the config_layer string, instead of
transcoding, etc.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
@danmihai1 danmihai1 force-pushed the danmihai1/genpolicy-cleanup branch from 81bd21d to c11c972 on July 28, 2025 19:08
@Redent0r Redent0r merged commit 1aaaef2 into kata-containers:main Jul 28, 2025
500 of 538 checks passed
@danmihai1 danmihai1 deleted the danmihai1/genpolicy-cleanup branch July 28, 2025 21:48
4 participants