
Commit 733b0d1

committed
cli: support insecure manifests behind opt-in
1 parent 891d7f0 commit 733b0d1

9 files changed

Lines changed: 295 additions & 40 deletions


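--- a/cli/cmd/generate.go
+++ b/cli/cmd/generate.go
@@ -96,6 +96,7 @@ subcommands.`,
 cmd.Flags().Bool("inject-image-store", false, "inject an ephemeral storage device to pull images onto instead of into memory")
 cmd.Flags().Bool("insecure-enable-debug-shell-access", false, "enable the debug shell service in the pod CVM to get access from container to guest VM")
 cmd.Flags().StringP("output", "o", "", "output file for generated YAML")
+cmd.Flags().Bool("INSECURE", false, "allow generation for insecure (non-CC) runtimes (also requires the CONTRAST_ALLOW_INSECURE_RUNTIMES environment variable to be set)")
 must(cmd.MarkFlagFilename("policy", "rego"))
 must(cmd.MarkFlagFilename("settings", "json"))
 must(cmd.MarkFlagFilename("manifest", "json"))
@@ -147,6 +148,10 @@ func runGenerate(cmd *cobra.Command, args []string) error {
 usedPlatforms.Add(flags.referenceValuesPlatform)
 }
 
+if err := validateInsecurePlatforms(usedPlatforms, flags.allowInsecureRuntimes); err != nil {
+return err
+}
+
 // generate a manifest by checking if a manifest exists and using that,
 // or otherwise using a default.
 var mnf *manifest.Manifest
@@ -284,7 +289,7 @@ func runGenerate(cmd *cobra.Command, args []string) error {
 return nil
 }
 
-// mapContrastWorkloads applies the given function to all workloads with a Contrast runtime class.
+// mapContrastWorkloads applies the given function to all workloads with the 'contrast-cc' or 'contrast-insecure' runtime class.
 // The callback receives an apply configuration together with the file path and index the unstructured object has in the file map.
 // Changes to the apply configuration are not applied to the original unstructured object.
 func mapContrastWorkloads(fileMap map[string][]*unstructured.Unstructured, f func(res any, path string, idx int) (any, error)) error {
@@ -315,7 +320,9 @@ func mapContrastWorkloads(fileMap map[string][]*unstructured.Unstructured, f fun
 
 func isContrastWorkload(resource any) (ret bool) {
 kuberesource.MapPodSpec(resource, func(spec *applycorev1.PodSpecApplyConfiguration) *applycorev1.PodSpecApplyConfiguration {
-ret = kuberesource.IsContrastPod(spec)
+if kuberesource.IsContrastPod(spec) {
+ret = true
+}
 return spec
 })
 return ret
@@ -334,6 +341,16 @@ func isCoordinator(resource any) bool {
 return false
 }
 
+func patchCoordinatorAllowInsecure(resource any) {
+r, ok := resource.(*applyappsv1.StatefulSetApplyConfiguration)
+if !ok || !isCoordinator(resource) {
+return
+}
+if len(r.Spec.Template.Spec.Containers) > 0 {
+r.Spec.Template.Spec.Containers[0].WithEnv(kuberesource.NewEnvVar("CONTRAST_ALLOW_INSECURE", "1"))
+}
+}
+
 func runVerifiers(fileMap map[string][]*unstructured.Unstructured, verifiers []verifier.Verifier) error {
 var findings error
 for _, v := range verifiers {
@@ -419,7 +436,7 @@ func extractTargets(paths []string, configFile io.Writer, logger *slog.Logger) (
 }
 }
 if len(fileMap) == 0 {
-return nil, "", fmt.Errorf("no .yml/.yaml files with 'contrast-cc' runtime found")
+return nil, "", fmt.Errorf("no .yml/.yaml files with 'contrast-cc' or 'contrast-insecure' runtime found")
 }
 
 extraData, err := kuberesource.EncodeUnstructured(extraResources)
@@ -513,6 +530,9 @@ func patchTargets(fileMap map[string][]*unstructured.Unstructured, imageReplacem
 if flags.injectImageStore {
 kuberesource.AddImageStore([]any{res})
 }
+if flags.allowInsecureRuntimes {
+patchCoordinatorAllowInsecure(res)
+}
 
 kuberesource.PatchImages([]any{res}, replacements)
 
@@ -554,6 +574,19 @@ func injectServiceMesh(resource any) error {
 return nil
 }
 
+func validateInsecurePlatforms(usedPlatforms kuberesource.PlatformCollection, allowInsecure bool) error {
+if !slices.ContainsFunc(usedPlatforms.Platforms(), platforms.IsInsecure) {
+return nil
+}
+if !allowInsecure {
+return fmt.Errorf("insecure runtime platforms detected but --INSECURE flag not set")
+}
+if os.Getenv("CONTRAST_ALLOW_INSECURE_RUNTIMES") == "" {
+return fmt.Errorf("insecure runtime platforms detected but CONTRAST_ALLOW_INSECURE_RUNTIMES environment variable not set")
+}
+return nil
+}
+
 func validateOutputFile(outputFile string) error {
 if outputFile == "" {
 return nil
@@ -681,7 +714,17 @@ func patchRuntimeClassName(defaultRuntimeHandler string) func(*applycorev1.PodSp
 if spec == nil || spec.RuntimeClassName == nil {
 return spec, nil
 }
-if *spec.RuntimeClassName == "kata-cc-isolation" || *spec.RuntimeClassName == "contrast-cc" {
+if *spec.RuntimeClassName == "kata-cc-isolation" || *spec.RuntimeClassName == "contrast-cc" || *spec.RuntimeClassName == "contrast-insecure" {
+// Only allow the bare runtime class names if the default runtime handler is compatible.
+// For example, `contrast-cc` should only resolve when `--reference-values` is set to a CC-enabled platform,
+// and `contrast-insecure` should only resolve when `--reference-values` is set to an insecure platform.
+if *spec.RuntimeClassName == "contrast-insecure" && !strings.HasPrefix(defaultRuntimeHandler, "contrast-insecure-") {
+return nil, fmt.Errorf("bare 'contrast-insecure' runtime class requires --reference-values to be set to an insecure platform")
+}
+if (*spec.RuntimeClassName == "contrast-cc" || *spec.RuntimeClassName == "kata-cc-isolation") &&
+strings.HasPrefix(defaultRuntimeHandler, "contrast-insecure-") {
+return nil, fmt.Errorf("bare %q runtime class is incompatible with insecure --reference-values platform %q", *spec.RuntimeClassName, defaultRuntimeHandler)
+}
 spec.RuntimeClassName = &defaultRuntimeHandler
 if kuberesource.PodSpecRequiresGPU(spec) {
 platform, err := platforms.FromRuntimeClassString(*spec.RuntimeClassName)
@@ -696,7 +739,7 @@ func patchRuntimeClassName(defaultRuntimeHandler string) func(*applycorev1.PodSp
 }
 return spec, nil
 }
-if !strings.HasPrefix(*spec.RuntimeClassName, "contrast-cc-") {
+if !kuberesource.IsContrastPod(spec) {
 return spec, nil
 }
 overridePlatform, err := platforms.FromRuntimeClassString(*spec.RuntimeClassName)
@@ -868,6 +911,7 @@ type generateFlags struct {
 skipServiceMesh bool
 injectImageStore bool
 insecureEnableDebugShell bool
+allowInsecureRuntimes bool
 outputFile string
 }
 
@@ -965,6 +1009,10 @@ func parseGenerateFlags(cmd *cobra.Command) (*generateFlags, error) {
 if err != nil {
 return nil, err
 }
+allowInsecureRuntimes, err := cmd.Flags().GetBool("INSECURE")
+if err != nil {
+return nil, err
+}
 outputFile, err := cmd.Flags().GetString("output")
 if err != nil {
 return nil, err
@@ -990,6 +1038,7 @@ func parseGenerateFlags(cmd *cobra.Command) (*generateFlags, error) {
 skipServiceMesh: skipServiceMesh,
 injectImageStore: injectImageStore,
 insecureEnableDebugShell: insecureEnableDebugShell,
+allowInsecureRuntimes: allowInsecureRuntimes,
 outputFile: outputFile,
 }, nil
 }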
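Review bot: `patchCoordinatorAllowInsecure` dereferences `r.Spec.Template.Spec.Containers` directly after the type assertion; these are pointer fields in apply configurations, so a StatefulSet with an empty `spec` or `template` would panic here unless `isCoordinator` (its body is outside the hunk) already establishes them as non-nil. A guard such as `if r.Spec == nil || r.Spec.Template == nil || r.Spec.Template.Spec == nil || len(r.Spec.Template.Spec.Containers) == 0 { return }` keeps the patch a no-op in that case. The function also only injects the variable into `Containers[0]`; a comment such as `// The coordinator container is assumed to be the first container in the StatefulSet template.` would make that assumption visible to the next maintainer. Separately, `patchRuntimeClassName` decides that the default handler is insecure by the string prefix `contrast-insecure-`, while `validateInsecurePlatforms` uses `platforms.IsInsecure`; resolving the handler with `platforms.FromRuntimeClassString` and checking `platforms.IsInsecure` there too would keep the CC/insecure classification in one place rather than in two string conventions.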
