packages/kata-runtime: alow arbitrary CDI annotations

As discussed via Teams, there is no sense in checking CDI annotations if the agent doesn't care about them anyway. This allows arbitrary CDI annotations in the policy.

Author: msanft

Diff for: packages/by-name/kata/kata-runtime/0018-agent-remove-CDI-support.patch

@@ -20,10 +20,10 @@ Fixes: #10680
  1 file changed, 15 insertions(+), 7 deletions(-)
 
 diff --git a/src/agent/src/rpc.rs b/src/agent/src/rpc.rs
-index fd824e9ec26728bf8088939aac7a1edb6d886aac..cb5dac7a4a941e11fb9a086ff01633672364902a 100644
+index 5f2a3eb955ea427478c842ba80ad2a17299b182f..06fbcca57e8f5d8e729a379809950ce4f87359e4 100644
 --- a/src/agent/src/rpc.rs
 +++ b/src/agent/src/rpc.rs
-@@ -638,11 +638,11 @@ impl AgentService {
+@@ -649,11 +649,11 @@ impl AgentService {
 
      async fn do_read_stream(
          &self,
@@ -38,7 +38,7 @@ index fd824e9ec26728bf8088939aac7a1edb6d886aac..cb5dac7a4a941e11fb9a086ff0163367
 
          let term_exit_notifier;
          let reader = {
-@@ -889,8 +889,12 @@ impl agent_ttrpc::AgentService for AgentService {
+@@ -900,8 +900,12 @@ impl agent_ttrpc::AgentService for AgentService {
          _ctx: &TtrpcContext,
          req: protocols::agent::ReadStreamRequest,
      ) -> ttrpc::Result<ReadStreamResponse> {
@@ -53,7 +53,7 @@ index fd824e9ec26728bf8088939aac7a1edb6d886aac..cb5dac7a4a941e11fb9a086ff0163367
      }
 
      async fn read_stderr(
-@@ -898,8 +902,12 @@ impl agent_ttrpc::AgentService for AgentService {
+@@ -909,8 +913,12 @@ impl agent_ttrpc::AgentService for AgentService {
          _ctx: &TtrpcContext,
          req: protocols::agent::ReadStreamRequest,
      ) -> ttrpc::Result<ReadStreamResponse> {

Diff for: packages/by-name/kata/kata-runtime/0019-genpolicy-support-dynamic-annotations.patch renamed to packages/by-name/kata/kata-runtime/0018-genpolicy-support-dynamic-annotations.patch

@@ -0,0 +1,40 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Moritz Sanft <[email protected]>
+Date: Fri, 7 Feb 2025 13:12:28 +0100
+Subject: [PATCH] runtime: remove CDI annotations
+
+We want to remove CDI annotations before they get to the agent, as they should only influence VM creation. Passing them to the agent is likely to create problems in policy checking, as they are often dynamically injected.
+---
+ src/runtime/virtcontainers/kata_agent.go | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/src/runtime/virtcontainers/kata_agent.go b/src/runtime/virtcontainers/kata_agent.go
+index 9a794392b927fc8fa231a72ce35bc3fcb2773d85..8e6385e274b16f5ab5be0a90a2229b9cf9f1f83e 100644
+--- a/src/runtime/virtcontainers/kata_agent.go
++++ b/src/runtime/virtcontainers/kata_agent.go
+@@ -14,6 +14,7 @@ import (
+ 	"os"
+ 	"path"
+ 	"path/filepath"
++	"regexp"
+ 	"strconv"
+ 	"strings"
+ 	"sync"
+@@ -1080,6 +1081,17 @@ func (k *kataAgent) constrainGRPCSpec(grpcSpec *grpc.Spec, passSeccomp bool, dis
+ 		grpcSpec.Linux.Devices = linuxDevices
+ 	}
+ 
++	cdiRegexp, err := regexp.Compile(`^cdi\.k8s\.io\/.*$`)
++	if err != nil {
++		k.Logger().WithError(err).Error("compile CDI annotation regexp")
++	}
++
++	for key := range grpcSpec.Annotations {
++		if cdiRegexp.MatchString(key) {
++			delete(grpcSpec.Annotations, key)
++		}
++	}
++
+ 	return nil
+ }
+ 

Diff for: packages/by-name/kata/kata-runtime/0020-agent-clear-log-pipes-if-denied-by-policy.patch renamed to packages/by-name/kata/kata-runtime/0019-agent-clear-log-pipes-if-denied-by-policy.patch

@@ -114,25 +114,25 @@ buildGoModule rec {
       # Upstream issue: https://github.com/kata-containers/kata-containers/issues/10633
       ./0017-genpolicy-support-guest-hooks.patch
 
-      # Revert CDI support in kata-agent, which breaks legacy mode GPU facilitation which
-      # we currently use.
-      # TODO(msanft): Get native CDI working, which will allow us to drop this patch / undo the revert.
-      # See https://dev.azure.com/Edgeless/Edgeless/_workitems/edit/5061
-      ./0018-agent-remove-CDI-support.patch
-
       # This adds support for annotations with dynamic keys *and* values to Genpolicy.
       # This is required for e.g. GPU containers, which get annotated by an in-cluster
       # component (i.e. after policy generation based on the Pod spec) with an annotation
       # like `cdi.k8s.io/vfioXY`, where `XY` corresponds to a dynamic ID.
       # Upstream issue: https://github.com/kata-containers/kata-containers/issues/10745
-      ./0019-genpolicy-support-dynamic-annotations.patch
+      ./0018-genpolicy-support-dynamic-annotations.patch
 
       # This allows denying ReadStream requests without blocking the container on its
       # stdout/stderr, by redacting the streams instead of blocking them.
       # Upstream:
       # * https://github.com/kata-containers/kata-containers/issues/10680
       # * https://github.com/kata-containers/kata-containers/pull/10818
-      ./0020-agent-clear-log-pipes-if-denied-by-policy.patch
+      ./0019-agent-clear-log-pipes-if-denied-by-policy.patch
+
+      # This removes CDI annotations from the OCI spec before it is passed to the agent,
+      # which helps with policy handling of the (oftentimes dynamic) CDI annotations.
+      # TODO(msanft): Get native CDI working, which will allow us to drop this patch / undo the revert.
+      # See https://dev.azure.com/Edgeless/Edgeless/_workitems/edit/5061
+      ./0020-runtime-remove-CDI-annotations.patch
     ];
   };