Add support for resource policy

Resource policy can be updated in Trustee
using the correspondent config map

Signed-off-by: Leonardo Milleri <[email protected]>

README.md

@@ -46,6 +46,9 @@ type KbsConfigSpec struct {
 
   // KbsSecretResources is an array of secret names that contain the keys required by clients
   KbsSecretResources []string `json:"kbsSecretResources,omitempty"`
+
+// kbsResourcePolicyConfigMapName is the name of the configmap that contains the Resource Policy
+	KbsResourcePolicyConfigMapName string `json:"kbsResourcePolicyConfigMapName,omitempty"`
 }
 ```
 
@@ -133,6 +136,8 @@ spec:
   kbsHttpsCertSecretName: kbs-https-certificate
   # K8s Secrets to be made available to KBS clients
   kbsSecretResources: ["kbsres1"]
+  # Resource policy
+  kbsResourcePolicyConfigMapName: resource-policy
 ```
 
 ## Getting Started

api/v1alpha1/kbsconfig_types.go

@@ -73,6 +73,9 @@ type KbsConfigSpec struct {
 
 	// KbsSecretResources is an array of secret names that contain the keys required by clients
 	KbsSecretResources []string `json:"kbsSecretResources,omitempty"`
+
+	// kbsResourcePolicyConfigMapName is the name of the configmap that contains the Resource Policy
+	KbsResourcePolicyConfigMapName string `json:"kbsResourcePolicyConfigMapName,omitempty"`
 }
 
 // KbsConfigStatus defines the observed state of KbsConfig

bundle/manifests/confidentialcontainers.org_kbsconfigs.yaml

@@ -66,6 +66,10 @@ spec:
                 description: KbsHttpsKeySecretName is the name of the secret that
                   contains the KBS https private key
                 type: string
+              kbsResourcePolicyConfigMapName:
+                description: kbsResourcePolicyConfigMapName is the name of the configmap
+                  that contains the Resource Policy
+                type: string
               kbsRvpsConfigMapName:
                 description: KbsRvpsConfigMapName is the name of the configmap that
                   contains the KBS RVPS configuration

bundle/manifests/resource-policy-sample_v1_configmap.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+data:
+  policy.rego: |
+    package policy
+
+    default allow = false
+    allow {
+            input["tee"] != "sample"
+    }
+kind: ConfigMap
+metadata:
+  name: resource-policy-sample

bundle/manifests/trustee-operator.clusterserviceversion.yaml

@@ -22,17 +22,18 @@ metadata:
             "kbsAuthSecretName": "kbs-auth-public-key",
             "kbsConfigMapName": "kbs-config",
             "kbsDeploymentType": "AllInOneDeployment",
+            "kbsResourcePolicyConfigMapName": "resource-policy",
             "kbsRvpsRefValuesConfigMapName": "rvps-reference-values"
           }
         }
       ]
     capabilities: Basic Install
-    categories: "Security"
+    categories: Security
     containerImage: quay.io/confidential-containers/trustee-operator:v0.1.0
-    createdAt: "2024-06-07T10:06:06Z"
-    support: "Confidential Containers Community"
+    createdAt: "2024-06-26T09:55:58Z"
     operators.operatorframework.io/builder: operator-sdk-v1.33.0
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v4
+    support: Confidential Containers Community
   name: trustee-operator.v0.1.0
   namespace: placeholder
 spec:

config/crd/bases/confidentialcontainers.org_kbsconfigs.yaml

@@ -66,6 +66,10 @@ spec:
                 description: KbsHttpsKeySecretName is the name of the secret that
                   contains the KBS https private key
                 type: string
+              kbsResourcePolicyConfigMapName:
+                description: kbsResourcePolicyConfigMapName is the name of the configmap
+                  that contains the Resource Policy
+                type: string
               kbsRvpsConfigMapName:
                 description: KbsRvpsConfigMapName is the name of the configmap that
                   contains the KBS RVPS configuration

config/manifests/bases/trustee-operator.clusterserviceversion.yaml

@@ -4,6 +4,9 @@ metadata:
   annotations:
     alm-examples: '[]'
     capabilities: Basic Install
+    categories: Security
+    containerImage: quay.io/confidential-containers/trustee-operator:v0.1.0
+    support: Confidential Containers Community
   name: trustee-operator.v0.0.0
   namespace: placeholder
 spec:
@@ -46,6 +49,8 @@ spec:
     name: Pradipta Banerjee
   - email: [email protected]
     name: Jens Freimann
+  - email: [email protected]
+    name: Leonardo Milleri
   maturity: alpha
   provider:
     name: Confidential Containers Community

config/samples/all-in-one/kustomization.yaml

@@ -19,11 +19,13 @@ generatorOptions:
 
 patches:
 - path: patch-ref-values.yaml
+- path: patch-resource-policy.yaml
 # uncomment the following line for injecting sample resources in kbs
 #- path: patch-kbs-resources.yaml
 
 resources:
 - kbsconfig_sample.yaml
 - kbs-config.yaml
 - rvps-reference-values.yaml
+- resource-policy.yaml
 #+kubebuilder:scaffold:manifestskustomizesamples

config/samples/all-in-one/patch-resource-policy.yaml

@@ -0,0 +1,7 @@
+apiVersion: confidentialcontainers.org/v1alpha1
+kind: KbsConfig
+metadata:
+  name: kbsconfig-sample
+  namespace: kbs-operator-system
+spec:
+  kbsResourcePolicyConfigMapName: resource-policy

config/samples/all-in-one/resource-policy.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: resource-policy
+  namespace: kbs-operator-system
+data:
+  policy.rego: |
+    package policy
+
+    default allow = false
+    allow {
+            input["tee"] != "sample"
+    }

config/samples/microservices/kustomization.yaml

@@ -20,6 +20,7 @@ generatorOptions:
 
 patches:
 - path: patch-ref-values.yaml
+- path: patch-resource-policy.yaml
 # uncomment the following line for injecting sample resources in kbs
 #- path: patch-kbs-resources.yaml
 
@@ -29,4 +30,5 @@ resources:
 - as-config.yaml
 - rvps-config.yaml
 - rvps-reference-values.yaml
+- resource-policy.yaml
 #+kubebuilder:scaffold:manifestskustomizesamples

config/samples/microservices/patch-resource-policy.yaml

@@ -0,0 +1,7 @@
+apiVersion: confidentialcontainers.org/v1alpha1
+kind: KbsConfig
+metadata:
+  name: kbsconfig-sample
+  namespace: kbs-operator-system
+spec:
+  kbsResourcePolicyConfigMapName: resource-policy

config/samples/microservices/resource-policy.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: resource-policy
+  namespace: kbs-operator-system
+data:
+  policy.rego: |
+    package policy
+
+    default allow = false
+    allow {
+            input["tee"] != "sample"
+    }

internal/controller/kbsconfig_controller.go

@@ -358,6 +358,15 @@ func (r *KbsConfigReconciler) newKbsDeployment(ctx context.Context) (*appsv1.Dep
 	volumes = append(volumes, *volume)
 	kbsVM = append(kbsVM, volumeMount)
 
+	// resource policy
+	volume, err = r.createConfigMapVolume(ctx, "opa", r.kbsConfig.Spec.KbsResourcePolicyConfigMapName)
+	if err != nil {
+		return nil, err
+	}
+	volumeMount = createVolumeMount(volume.Name, filepath.Join(confidentialContainersPath, volume.Name))
+	volumes = append(volumes, *volume)
+	kbsVM = append(kbsVM, volumeMount)
+
 	// auth-secret
 	volume, err = r.createSecretVolume(ctx, "auth-secret", r.kbsConfig.Spec.KbsAuthSecretName)
 	if err != nil {
@@ -680,7 +689,8 @@ func configMapToKbsConfigMapper(c client.Client, log logr.Logger) (handler.MapFu
 			if kbsConfig.Spec.KbsConfigMapName == configMap.Name ||
 				kbsConfig.Spec.KbsAsConfigMapName == configMap.Name ||
 				kbsConfig.Spec.KbsRvpsConfigMapName == configMap.Name ||
-				kbsConfig.Spec.KbsRvpsRefValuesConfigMapName == configMap.Name {
+				kbsConfig.Spec.KbsRvpsRefValuesConfigMapName == configMap.Name ||
+				kbsConfig.Spec.KbsResourcePolicyConfigMapName == configMap.Name {
 
 				requests = append(requests, reconcile.Request{
 					NamespacedName: types.NamespacedName{