[confcom] changing version number naming scheme and bugfix for 32bit …

…python (Azure#6144) * changing version number naming scheme and bugfix for 32bit python * addressing PR comments * moving where pulling files happens from * making a sha256 hash of the security policy print out when injecting into arm template * taking out the --json option * removing unused function * adding warnings for save to file and debug mode. fixed bug with numbers for template parameters * taking out unused function and fixing style checks * adding error checking back in for when dmverity-vhd returns nothing * making it so you can disable allow_elevated via the privileged field in the arm template * Feature/security context (#18) * securityContext --------- Co-authored-by: Seth Hollandsworth <seth.hollandsworth@gmail.com> Co-authored-by: Seth Hollandsworth <sethho@microsoft.com> * changing default value of no_new_privileges * updating tests * taking allow_elevated out of expected fields in ARM template * adding docs for dmverity hashing and fixing markdown styling --------- Co-authored-by: Heather Garvison <hgarvison@microsoft.com>
AzureArcForKubernetes · May 8, 2023 · ead702f · ead702f
1 parent 0194f58
commit ead702f
Show file tree

Hide file tree

Showing 26 changed files with 3,158 additions and 717 deletions.
diff --git a/src/confcom/.gitignore b/src/confcom/.gitignore
@@ -27,6 +27,8 @@ azext_confcom/bin/
 azext_confcom/bin/*
 **/dmverity-vhd.exe
 **/dmverity-vhd
+
 # metadata file for coverage reports
 **/.coverage
-**/htmlcov
+
+**/htmlcov
diff --git a/src/confcom/HISTORY.rst b/src/confcom/HISTORY.rst
@@ -2,6 +2,11 @@
 
 Release History
 ===============
+0.2.14
+* changing the name of api_svn and framework_svn to api_version and framework_version
+* changing fragment versions to an integer instead of semver
+* bugfix for allowing 32bit python on a 64bit OS
+
 0.2.13
 * fixing bug where you could not pull by sha value if a tag was not specified
 * fixing error message when attempting to use sha value with tar files

diff --git a/src/confcom/README.md b/src/confcom/README.md
@@ -55,6 +55,7 @@ The `confcom` extension does not currently support:
 
 - [ARM Template functions](https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/template-functions) other than `variables` and `parameters`.
 - Variables and Parameters with non-primitive data types e.g. objects and arrays
+- Nested and Linked ARM Templates
 
 ## Trademarks
 

diff --git a/src/confcom/azext_confcom/README.md b/src/confcom/azext_confcom/README.md
diff --git a/src/confcom/azext_confcom/_help.py b/src/confcom/azext_confcom/_help.py
@@ -65,10 +65,6 @@
           type: boolean
           short-summary: 'When combined with an input ARM Template, verifies the policy present in the ARM Template under "ccePolicy" and the containers within the ARM Template are compatible. If they are incompatible, a list of reasons is given and the exit status code will be 2.'
 
-        - name: --json -j
-          type: string
-          short-summary: 'Outputs in JSON format instead of Rego'
-
         - name: --outraw
           type: boolean
           short-summary: 'Output policy in clear text compact JSON instead of default base64 format'
@@ -90,8 +86,8 @@
           text: az confcom acipolicygen --template-file "./template.json"
         - name: Input an ARM Template file to create a human-readable Confidential Container Security Policy
           text: az confcom acipolicygen --template-file "./template.json" --outraw-pretty-print
-        - name: Input an ARM Template file to save a Confidential Container Security Policy to a file
-          text: az confcom acipolicygen --template-file "./template.json" -s "./output-file.txt"
+        - name: Input an ARM Template file to save a Confidential Container Security Policy to a file as base64 encoded text
+          text: az confcom acipolicygen --template-file "./template.json" -s "./output-file.txt" --print-policy
         - name: Input an ARM Template file and use a tar file as the image source instead of the Docker daemon
           text: az confcom acipolicygen --template-file "./template.json" --tar "./image.tar"
 """
diff --git a/src/confcom/azext_confcom/_params.py b/src/confcom/azext_confcom/_params.py
@@ -76,12 +76,6 @@ def load_arguments(self, _):
             required=False,
             help="Disabling container stdio will disable the ability to see the output of the container in the terminal for Confidential ACI",
         )
-        c.argument(
-            "use_json",
-            options_list=("--json", "-j"),
-            required=False,
-            help="Output in JSON format",
-        )
         c.argument(
             "diff",
             options_list=("--diff", "-d"),
@@ -95,7 +89,7 @@ def load_arguments(self, _):
             help="Validate that the image used to generate the CCE Policy for a sidecar container will be allowed by its generated policy",
         )
         c.argument(
-            "print-existing-policy",
+            "print_existing_policy",
             options_list=("--print-existing-policy"),
             required=False,
             action="store_true",

diff --git a/src/confcom/azext_confcom/azext_metadata.json b/src/confcom/azext_confcom/azext_metadata.json
@@ -1,4 +1,3 @@
 {
-    "azext.isPreview": true,
     "azext.minCliCoreVersion": "2.26.2"
 }
diff --git a/src/confcom/azext_confcom/config.py b/src/confcom/azext_confcom/config.py
@@ -25,6 +25,11 @@
 ACI_FIELD_CONTAINERS_MOUNTS_READONLY = "readonly"
 ACI_FIELD_CONTAINERS_WAIT_MOUNT_POINTS = "wait_mount_points"
 ACI_FIELD_CONTAINERS_ALLOW_ELEVATED = "allow_elevated"
+ACI_FIELD_CONTAINERS_SECURITY_CONTEXT = "securityContext"
+ACI_FIELD_CONTAINERS_ALLOW_PRIVILEGE_ESCALATION = "allowPrivilegeEscalation"
+ACI_FIELD_CONTAINERS_RUN_AS_USER = "runAsUser"
+ACI_FIELD_CONTAINERS_RUN_AS_GROUP = "runAsGroup"
+ACI_FIELD_CONTAINERS_SECCOMP_PROFILE = "seccompProfile"
 ACI_FIELD_CONTAINERS_REGO_FRAGMENTS = "fragments"
 ACI_FIELD_CONTAINERS_REGO_FRAGMENTS_FEED = "feed"
 ACI_FIELD_CONTAINERS_REGO_FRAGMENTS_ISS = "iss"
@@ -51,6 +56,7 @@
 ACI_FIELD_TEMPLATE_VARIABLES = "variables"
 ACI_FIELD_TEMPLATE_VOLUMES = "volumes"
 ACI_FIELD_TEMPLATE_IMAGE = "image"
+ACI_FIELD_TEMPLATE_SECURITY_CONTEXT = "securityContext"
 ACI_FIELD_TEMPLATE_RESOURCE_LABEL = "Microsoft.ContainerInstance/containerGroups"
 ACI_FIELD_TEMPLATE_COMMAND = "command"
 ACI_FIELD_TEMPLATE_ENVS = "environmentVariables"
@@ -60,6 +66,10 @@
 ACI_FIELD_TEMPLATE_MOUNTS_READONLY = "readOnly"
 ACI_FIELD_TEMPLATE_CONFCOM_PROPERTIES = "confidentialComputeProperties"
 ACI_FIELD_TEMPLATE_CCE_POLICY = "ccePolicy"
+ACI_FIELD_CONTAINERS_PRIVILEGED = "privileged"
+ACI_FIELD_CONTAINERS_CAPABILITIES = "capabilities"
+ACI_FIELD_CONTAINERS_CAPABILITIES_ADD = "add"
+ACI_FIELD_CONTAINERS_CAPABILITIES_DROP = "drop"
 
 
 # output json values
@@ -84,9 +94,23 @@
 POLICY_FIELD_CONTAINERS_ELEMENTS_MOUNTS_OPTIONS = "options"
 POLICY_FIELD_CONTAINERS_ELEMENTS_WAIT_MOUNT_POINTS = "wait_mount_points"
 POLICY_FIELD_CONTAINERS_ELEMENTS_ALLOW_ELEVATED = "allow_elevated"
-POLICY_FIELD_CONTAINER_EXEC_PROCESSES = "exec_processes"
-POLICY_FIELD_CONTAINER_SIGNAL_CONTAINER_PROCESSES = "signals"
-POLICY_FIELD_CONTAINERS_ALLOW_STDIO_ACCESS = "allow_stdio_access"
+POLICY_FIELD_CONTAINERS_ELEMENTS_NO_NEW_PRIVILEGES = "no_new_privileges"
+POLICY_FIELD_CONTAINERS_ELEMENTS_EXEC_PROCESSES = "exec_processes"
+POLICY_FIELD_CONTAINERS_ELEMENTS_SIGNAL_CONTAINER_PROCESSES = "signals"
+POLICY_FIELD_CONTAINERS_ELEMENTS_USER = "user"
+POLICY_FIELD_CONTAINERS_ELEMENTS_USER_USER_IDNAME = "user_idname"
+POLICY_FIELD_CONTAINERS_ELEMENTS_USER_GROUP_IDNAMES = "group_idnames"
+POLICY_FIELD_CONTAINERS_ELEMENTS_USER_UMASK = "umask"
+POLICY_FIELD_CONTAINERS_ELEMENTS_USER_PATTERN = "pattern"
+POLICY_FIELD_CONTAINERS_ELEMENTS_CAPABILITIES = "capabilities"
+POLICY_FIELD_CONTAINERS_ELEMENTS_CAPABILITIES_BOUNDING = "bounding"
+POLICY_FIELD_CONTAINERS_ELEMENTS_CAPABILITIES_EFFECTIVE = "effective"
+POLICY_FIELD_CONTAINERS_ELEMENTS_CAPABILITIES_INHERITABLE = "inheritable"
+POLICY_FIELD_CONTAINERS_ELEMENTS_CAPABILITIES_PERMITTED = "permitted"
+POLICY_FIELD_CONTAINERS_ELEMENTS_CAPABILITIES_AMBIENT = "ambient"
+POLICY_FIELD_CONTAINERS_ELEMENTS_USER_STRATEGY = "strategy"
+POLICY_FIELD_CONTAINERS_ELEMENTS_SECCOMP_PROFILE_SHA256 = "seccomp_profile_sha256"
+POLICY_FIELD_CONTAINERS_ELEMENTS_ALLOW_STDIO_ACCESS = "allow_stdio_access"
 POLICY_FIELD_CONTAINERS_ELEMENTS_REGO_FRAGMENTS = "fragments"
 POLICY_FIELD_CONTAINERS_ELEMENTS_REGO_FRAGMENTS_FEED = "feed"
 POLICY_FIELD_CONTAINERS_ELEMENTS_REGO_FRAGMENTS_ISS = "iss"
@@ -132,5 +156,14 @@
 SIDECAR_REGO_FILE = "./data/sidecar_rego_policy.txt"
 SIDECAR_REGO_FILE_PATH = f"{script_directory}/{SIDECAR_REGO_FILE}"
 SIDECAR_REGO_POLICY = os_util.load_str_from_file(SIDECAR_REGO_FILE_PATH)
+
+# api version
+API_VERSION = _config["version_api"]
 # default containers to be added to all container groups
 DEFAULT_CONTAINERS = _config["default_containers"]
+# default container user config to be added for security context
+DEFAULT_USER = _config["default_user"]
+# default unpriviliged user capabilities to be added for security context
+DEFAULT_UNPRIVILEGED_CAPABILITIES = _config["default_unprivileged_capabilities"]
+# default priviliged user capabilities to be added for security context
+DEFAULT_PRIVILEGED_CAPABILITIES = _config["default_privileged_capabilities"]