Add support for resource policy

Resource policy can be updated in Trustee
using the correspondent config map

Signed-off-by: Leonardo Milleri <[email protected]>

README.md

@@ -46,6 +46,9 @@ type KbsConfigSpec struct {
 
   // KbsSecretResources is an array of secret names that contain the keys required by clients
   KbsSecretResources []string `json:"kbsSecretResources,omitempty"`
+
+// kbsResourcePolicyConfigMapName is the name of the configmap that contains the Resource Policy
+	KbsResourcePolicyConfigMapName string `json:"kbsResourcePolicyConfigMapName,omitempty"`
 }
 ```
 
@@ -133,6 +136,8 @@ spec:
   kbsHttpsCertSecretName: kbs-https-certificate
   # K8s Secrets to be made available to KBS clients
   kbsSecretResources: ["kbsres1"]
+  # Resource policy
+  kbsResourcePolicyConfigMapName: resource-policy
 ```
 
 ## Getting Started

api/v1alpha1/kbsconfig_types.go

@@ -73,6 +73,9 @@ type KbsConfigSpec struct {
 
 	// KbsSecretResources is an array of secret names that contain the keys required by clients
 	KbsSecretResources []string `json:"kbsSecretResources,omitempty"`
+
+	// kbsResourcePolicyConfigMapName is the name of the configmap that contains the Resource Policy
+	KbsResourcePolicyConfigMapName string `json:"kbsResourcePolicyConfigMapName,omitempty"`
 }
 
 // KbsConfigStatus defines the observed state of KbsConfig

bundle/manifests/confidentialcontainers.org_kbsconfigs.yaml

@@ -66,6 +66,10 @@ spec:
                 description: KbsHttpsKeySecretName is the name of the secret that
                   contains the KBS https private key
                 type: string
+              kbsResourcePolicyConfigMapName:
+                description: kbsResourcePolicyConfigMapName is the name of the configmap
+                  that contains the Resource Policy
+                type: string
               kbsRvpsConfigMapName:
                 description: KbsRvpsConfigMapName is the name of the configmap that
                   contains the KBS RVPS configuration

bundle/manifests/resource-policy-sample_v1_configmap.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+data:
+  policy.rego: |
+    package policy
+
+    default allow = false
+    allow {
+            input["tcb-status"]["sample.svn"] == "1"
+    }
+kind: ConfigMap
+metadata:
+  name: resource-policy-sample

config/crd/bases/confidentialcontainers.org_kbsconfigs.yaml

@@ -66,6 +66,10 @@ spec:
                 description: KbsHttpsKeySecretName is the name of the secret that
                   contains the KBS https private key
                 type: string
+              kbsResourcePolicyConfigMapName:
+                description: kbsResourcePolicyConfigMapName is the name of the configmap
+                  that contains the Resource Policy
+                type: string
               kbsRvpsConfigMapName:
                 description: KbsRvpsConfigMapName is the name of the configmap that
                   contains the KBS RVPS configuration

config/samples/all-in-one/kustomization.yaml

@@ -19,11 +19,13 @@ generatorOptions:
 
 patches:
 - path: patch-ref-values.yaml
+- path: patch-resource-policy.yaml
 # uncomment the following line for injecting sample resources in kbs
 #- path: patch-kbs-resources.yaml
 
 resources:
 - kbsconfig_sample.yaml
 - kbs-config.yaml
 - rvps-reference-values.yaml
+- resource-policy.yaml
 #+kubebuilder:scaffold:manifestskustomizesamples

config/samples/all-in-one/patch-resource-policy.yaml

@@ -0,0 +1,7 @@
+apiVersion: confidentialcontainers.org/v1alpha1
+kind: KbsConfig
+metadata:
+  name: kbsconfig-sample
+  namespace: kbs-operator-system
+spec:
+  kbsResourcePolicyConfigMapName: resource-policy

config/samples/all-in-one/resource-policy.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: resource-policy
+  namespace: kbs-operator-system
+data:
+  policy.rego: |
+    package policy
+
+    default allow = false
+    allow {
+            input["tee"] != "sample"
+    }

config/samples/microservices/kustomization.yaml

@@ -20,6 +20,7 @@ generatorOptions:
 
 patches:
 - path: patch-ref-values.yaml
+- path: patch-resource-policy.yaml
 # uncomment the following line for injecting sample resources in kbs
 #- path: patch-kbs-resources.yaml
 
@@ -29,4 +30,5 @@ resources:
 - as-config.yaml
 - rvps-config.yaml
 - rvps-reference-values.yaml
+- resource-policy.yaml
 #+kubebuilder:scaffold:manifestskustomizesamples

config/samples/microservices/patch-resource-policy.yaml

@@ -0,0 +1,7 @@
+apiVersion: confidentialcontainers.org/v1alpha1
+kind: KbsConfig
+metadata:
+  name: kbsconfig-sample
+  namespace: kbs-operator-system
+spec:
+  kbsResourcePolicyConfigMapName: resource-policy

config/samples/microservices/resource-policy.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: resource-policy
+  namespace: kbs-operator-system
+data:
+  policy.rego: |
+    package policy
+
+    default allow = false
+    allow {
+            input["tee"] != "sample"
+    }

internal/controller/kbsconfig_controller.go

@@ -358,6 +358,15 @@ func (r *KbsConfigReconciler) newKbsDeployment(ctx context.Context) (*appsv1.Dep
 	volumes = append(volumes, *volume)
 	kbsVM = append(kbsVM, volumeMount)
 
+	// resource policy
+	volume, err = r.createConfigMapVolume(ctx, "opa", r.kbsConfig.Spec.KbsResourcePolicyConfigMapName)
+	if err != nil {
+		return nil, err
+	}
+	volumeMount = createVolumeMount(volume.Name, filepath.Join(confidentialContainersPath, volume.Name))
+	volumes = append(volumes, *volume)
+	kbsVM = append(kbsVM, volumeMount)
+
 	// auth-secret
 	volume, err = r.createSecretVolume(ctx, "auth-secret", r.kbsConfig.Spec.KbsAuthSecretName)
 	if err != nil {