[confcom] initial commit of katapolicygen (#6974)

* initial commit of katapolicygen * only grab genpolicy from genpolicy tagged releases * fixing tests for pipeline * updating docs with more samples * getting rid of unused links in readme
Azure · Nov 14, 2023 · cdb3dc6 · cdb3dc6
1 parent f1ade6d
commit cdb3dc6
Show file tree

Hide file tree

Showing 16 changed files with 1,589 additions and 16 deletions.
diff --git a/src/confcom/.gitignore b/src/confcom/.gitignore
@@ -12,6 +12,9 @@
 **/__pycache__/*
 **/*.pyc
 
+# genpolicy cache files
+**/layers_cache/*
+
 # virtual environments
 env/*
 accdevops_env/*
@@ -27,6 +30,7 @@ azext_confcom/bin/
 azext_confcom/bin/*
 **/dmverity-vhd.exe
 **/dmverity-vhd
+**/bin/genpolicy*
 
 # metadata file for coverage reports
 **/.coverage

diff --git a/src/confcom/HISTORY.rst b/src/confcom/HISTORY.rst
@@ -2,6 +2,9 @@
 
 Release History
 ===============
+0.3.0
+++++++
+* adding katapolicygen as a subcommand
 
 0.2.18
 ++++++
@@ -52,7 +55,7 @@ Release History
 * changing startup checks to errors rather than warnings
 * can specify image name in arm template by its SHA256 hash
 * disabling stdio in pause container
-* adding another README.md with omre descriptive information
+* adding another README.md with more descriptive information
 
 0.2.9
 ++++++
@@ -86,7 +89,6 @@ Release History
 * added ability to use tarball as input for layer hashes and container manifests
 * added initContainers as container source in ARM Template
 * update dealing with liveness and readiness probes
-* update
 
 0.2.2
 ++++++

diff --git a/src/confcom/azext_confcom/README.md b/src/confcom/azext_confcom/README.md
@@ -1,7 +1,7 @@
 # Microsoft Azure CLI 'confcom' Extension Examples and Security Policy Rules Documentation
 
-- [Microsoft Azure CLI 'confcom' Extension Examples and Security Policy Rules Documentation](#microsoft-azure-cli-confcom-extension-examples-and-security-policy-rules-documentation)
-  - [Microsoft Azure CLI 'confcom' Extension Examples](#microsoft-azure-cli-confcom-extension-examples)
+- [Microsoft Azure CLI 'confcom acipolicygen' Extension Examples and Security Policy Rules Documentation](#microsoft-azure-cli-confcom-acipolicygen-extension-examples-and-security-policy-rules-documentation)
+  - [Microsoft Azure CLI 'confcom acipolicygen' Extension Examples](#microsoft-azure-cli-confcom-extension-examples)
   - [dmverity Layer Hashing](#dmverity-layer-hashing)
   - [Security Policy Information Sources](#security-policy-information-sources)
   - [Security Policy Rules Documentation](#security-policy-rules-documentation)
@@ -28,13 +28,13 @@
     - [allow_environment_variable_dropping](#allow_environment_variable_dropping)
     - [allow_unencrypted_scratch](#allow_unencrypted_scratch)
     - [allow_capabilities_dropping](#allow_capabilities_dropping)
+- [Microsoft Azure CLI 'confcom katapolicygen' Extension Examples](#microsoft-azure-cli-confcom-katapolicygen-extension-examples)
+  - [Microsoft Azure CLI 'confcom katapolicygen' Extension Examples]
 
-## Microsoft Azure CLI 'confcom' Extension Examples
+## Microsoft Azure CLI 'confcom acipolicygen' Extension Examples
 
 Run `az confcom acipolicygen --help` to see a list of supported arguments along with explanations. The following commands demonstrate the usage of different arguments to generate confidential computing security policies.
 
-**Note:** The Azure Confidential Computing CLI extension is in public preview and is subject to change. Some arguments may be added or removed and the way `confcom acipolicygen` command is called to achieve specific functionality may change as well. This documentation will be updated as changes to the tooling are published.
-
 **Prerequisites:**
 Install the Azure CLI and Confidential Computing extension.
 
@@ -643,3 +643,55 @@ This rule determines whether unencrypted writable storage from the UVM to the co
 ## allow_capabilities_dropping
 
 Whether to allow capabilities to be dropped in the same manner as allow_environment_variable_dropping.
+
+## Microsoft Azure CLI 'confcom katapolicygen' Extension Examples
+
+Run `az confcom katapolicygen --help` to see a list of supported arguments along with explanations. The following commands demonstrate the usage of different arguments to generate confidential computing security policies.
+
+**Prerequisites:**
+Install the Azure CLI and Confidential Computing extension.
+
+See the most recently released version of `confcom` extension.
+
+```bash
+az extension list-available -o table | grep confcom
+```
+
+To add the most recent confcom extension, run:
+
+```bash
+az extension add --name confcom
+```
+
+Use the `--version` argument to specify a version to add.
+
+Run this to update to the latest version if an older version is already installed:
+
+```bash
+az extension update --name confcom
+```
+
+The `katapolicygen` command generates confidential computing security policies using a kubernetes pod spec. You can control the format of the generated policies using arguments. Note: It is recommended to use images with specific tags instead of the `latest` tag, as the `latest` tag can change at any time and images with different configurations may also have the latest tag.
+
+**Examples:**
+
+Example 1: The following command creates a security policy and outputs it to the command line:
+
+```bash
+az confcom katapolicygen -y ./pod.yaml --print-policy
+```
+
+This command combines the information of images from the pod spec with other information such as mount, environment variables and commands from the pod spec to create a security policy.
+The `--print-policy` argument is included to display the policy on the command line in addition to injecting it into the input pod spec.
+
+Example 2: This command injects a security policy into the pod spec based on input from a config map so that there is no need to change the pod spec to pass variables into the security policy:
+
+```bash
+az confcom katapolicygen -y .\\pod.yaml -c .\\config-map.yaml
+```
+
+Example 3: This command caches the layer hashes and stores them locally on your computer to make future computations faster if the same images are used:
+
+```bash
+az confcom katapolicygen -y .\\pod.yaml -u
+```
diff --git a/src/confcom/azext_confcom/_help.py b/src/confcom/azext_confcom/_help.py
@@ -18,7 +18,7 @@
     "confcom acipolicygen"
 ] = """
     type: command
-    short-summary: Create a Confidential Container Security Policy.
+    short-summary: Create a Confidential Container Security Policy for ACI.
 
     parameters:
         - name: --input -i
@@ -91,3 +91,45 @@
         - name: Input an ARM Template file and use a tar file as the image source instead of the Docker daemon
           text: az confcom acipolicygen --template-file "./template.json" --tar "./image.tar"
 """
+
+helps[
+    "confcom katapolicygen"
+] = """
+    type: command
+    short-summary: Create a Confidential Container Security Policy for AKS.
+
+    parameters:
+        - name: --yaml -y
+          type: string
+          short-summary: 'Input YAML Kubernetes file'
+
+        - name: --outraw
+          type: boolean
+          short-summary: 'Output policy in clear text compact JSON instead of default base64 format'
+
+        - name: --print-policy
+          type: boolean
+          short-summary: 'Print the base64 encoded generated policy in the terminal'
+
+        - name: --config-map-file -c
+          type: string
+          short-summary: 'Path to config map file'
+
+        - name: --use-cached-files -u
+          type: bool
+          short-summary: 'Use cached files to save on computation time'
+
+        - name: --settings-file-name -j
+          type: bool
+          short-summary: 'Path to custom settings file'
+
+    examples:
+        - name: Input a Kubernetes YAML file to inject a base64 encoded Confidential Container Security Policy into the YAML file
+          text: az confcom katapolicygen --yaml "./pod.json"
+        - name: Input a Kubernetes YAML file to print a base64 encoded Confidential Container Security Policy to stdout
+          text: az confcom katapolicygen --yaml "./pod.json" --print-policy
+        - name: Input a Kubernetes YAML file and custom settings file to inject a base64 encoded Confidential Container Security Policy into the YAML file
+          text: az confcom katapolicygen --yaml "./pod.json" -j "./settings.json"
+        - name: Input a Kubernetes YAML file and external config map file
+          text: az confcom katapolicygen --yaml "./pod.json" --config-map-file "./configmap.json"
+"""
diff --git a/src/confcom/azext_confcom/_params.py b/src/confcom/azext_confcom/_params.py
@@ -121,3 +121,41 @@ def load_arguments(self, _):
             required=False,
             help="Print the generated policy in the terminal",
         )
+
+    with self.argument_context("confcom katapolicygen") as c:
+        c.argument(
+            "yaml_path",
+            options_list=("--yaml", "-y"),
+            required=True,
+            help="Input YAML config file",
+        )
+        c.argument(
+            "outraw",
+            options_list=("--outraw"),
+            required=False,
+            help="Print the generated policy in the terminal in Rego format",
+        )
+        c.argument(
+            "print_policy",
+            options_list=("--print-policy"),
+            required=False,
+            help="Print the generated policy in the terminal in base64",
+        )
+        c.argument(
+            "config_map_file",
+            options_list=("--config-map-file", "-c"),
+            required=False,
+            help="Config map file",
+        )
+        c.argument(
+            "use_cached_files",
+            options_list=("--use-cached-files", "-u"),
+            required=False,
+            help="Use cached files",
+        )
+        c.argument(
+            "settings_file_name",
+            options_list=("--settings-file-name", "-j"),
+            required=False,
+            help="Path for custom settings file",
+        )
diff --git a/src/confcom/azext_confcom/commands.py b/src/confcom/azext_confcom/commands.py
@@ -8,6 +8,7 @@ def load_command_table(self, _):
 
     with self.command_group("confcom") as g:
         g.custom_command("acipolicygen", "acipolicygen_confcom")
+        g.custom_command("katapolicygen", "katapolicygen_confcom")
 
     with self.command_group("confcom"):
         pass
diff --git a/src/confcom/azext_confcom/config.py b/src/confcom/azext_confcom/config.py
@@ -156,6 +156,8 @@
 SIDECAR_REGO_FILE = "./data/sidecar_rego_policy.txt"
 SIDECAR_REGO_FILE_PATH = f"{script_directory}/{SIDECAR_REGO_FILE}"
 SIDECAR_REGO_POLICY = os_util.load_str_from_file(SIDECAR_REGO_FILE_PATH)
+# data folder
+DATA_FOLDER = os.path.join(script_directory, "data")
 
 # api version
 API_VERSION = _config["version_api"]

diff --git a/src/confcom/azext_confcom/custom.py b/src/confcom/azext_confcom/custom.py
@@ -8,13 +8,19 @@
 
 from pkg_resources import parse_version
 from knack.log import get_logger
-from azext_confcom.config import DEFAULT_REGO_FRAGMENTS
+from azext_confcom.config import DEFAULT_REGO_FRAGMENTS, DATA_FOLDER
 from azext_confcom import os_util
-from azext_confcom.template_util import pretty_print_func, print_func, str_to_sha256
+from azext_confcom.template_util import (
+    pretty_print_func,
+    print_func,
+    str_to_sha256,
+    inject_policy_into_template,
+    print_existing_policy_from_arm_template,
+)
 from azext_confcom.init_checks import run_initial_docker_checks
-from azext_confcom.template_util import inject_policy_into_template, print_existing_policy_from_arm_template
 from azext_confcom import security_policy
 from azext_confcom.security_policy import OutputType
+from azext_confcom.kata_proxy import KataPolicyGenProxy
 
 
 logger = get_logger(__name__)
@@ -150,6 +156,34 @@ def acipolicygen_confcom(
     sys.exit(exit_code)
 
 
+def katapolicygen_confcom(
+    yaml_path: str,
+    config_map_file: str,
+    outraw: bool = False,
+    print_policy: bool = False,
+    use_cached_files: bool = False,
+    settings_file_name: str = None,
+):
+
+    if settings_file_name:
+        if "genpolicy-settings.json" in settings_file_name:
+            error_out("Cannot use default settings file names")
+        os_util.copy_file(settings_file_name, DATA_FOLDER)
+
+    kata_proxy = KataPolicyGenProxy()
+
+    output = kata_proxy.kata_genpolicy(
+        yaml_path,
+        config_map_file=config_map_file,
+        outraw=outraw,
+        print_policy=print_policy,
+        use_cached_files=use_cached_files,
+        settings_file_name=settings_file_name,
+    )
+    print(output)
+    sys.exit(0)
+
+
 def update_confcom(cmd, instance, tags=None):
     with cmd.update_context(instance) as c:
         c.set_param("tags", tags)

diff --git a/src/confcom/azext_confcom/data/internal_config.json b/src/confcom/azext_confcom/data/internal_config.json
@@ -1,5 +1,5 @@
 {
-    "version": "0.2.18",
+    "version": "0.3.0",
     "hcsshim_config": {
         "maxVersion": "1.0.0",
         "minVersion": "0.0.1"