genpolicy: improved ExecProcessRequest input validation #276

Open. Wants to merge 7 commits into base: msft-main

Conversation

danmihai1

Validate additional ExecProcessRequest process fields.

danmihai1 and others added 3 commits December 18, 2024 02:41
Log into Pod VM's /tmp/policy.txt the policy print output for requests
that get evaluated to false - to help debugging.

This output was already provided for interactive commands - e.g., when
ExecProcessRequest gets rejected for "kubectl exec". However, for
non-interactive requests - e.g., ExecProcessRequest for a livenessProbe -
it can be helpful to set AllowRequestsFailingPolicy = true and to
collect the policy prints from the Pod VM log file.

Signed-off-by: Dan Mihai <[email protected]>
Using process data inputs for allow_process() is easier to
read/understand compared with the older OCI data inputs.

Signed-off-by: Dan Mihai <[email protected]>
Reuse constants where applicable

Signed-off-by: Saul Paredes <[email protected]>
@danmihai1 danmihai1 requested a review from Redent0r December 18, 2024 03:41
@danmihai1 danmihai1 requested review from a team as code owners December 18, 2024 03:41
@danmihai1 danmihai1 marked this pull request as draft December 18, 2024 03:42
Validate more process fields for commands enabled using the
ExecProcessRequest "commands" and/or "regex" fields from the
settings file.

Signed-off-by: Dan Mihai <[email protected]>
Validate more process fields for k8s probe commands - e.g.,
livenessProbe, readinessProbe, etc.

Signed-off-by: Dan Mihai <[email protected]>
@danmihai1 danmihai1 marked this pull request as ready for review December 18, 2024 15:25
Add comment for missing ExecProcessRequest validation of container_id.

Signed-off-by: Dan Mihai <[email protected]>
Update samples with the latest policy.

Signed-off-by: Dan Mihai <[email protected]>
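As an added illustration of the kind of check these commits describe (written for this page, not taken from the project's own rules.rego; the `input.process` field names, the `request_defaults.ExecProcessRequest` settings layout and its `env`, `cwd` and `no_new_privileges` keys are assumptions), a Rego rule that accepts an exec only when the command is on the `commands` allowlist or matches a `regex` entry, and the remaining process fields also match the expected values. Checking only the command line would let a caller on the host pair an allowed command with an unexpected environment, working directory or privilege setting, which is why the extra fields are compared too:

```rego
package agent_policy

import future.keywords.every
import future.keywords.if
import future.keywords.in

default ExecProcessRequest := false

# Constructed settings data standing in for what genpolicy would read
# from its settings file (layout and keys assumed for this example).
policy_data := {"request_defaults": {"ExecProcessRequest": {
	"commands": [["/bin/sh", "-c", "cat /healthz"]],
	"regex": ["^/usr/bin/curl -sf http://localhost:8080/ready$"],
	"env": ["PATH=/usr/local/bin:/usr/bin:/bin"],
	"cwd": "/",
	"no_new_privileges": true,
}}}

# The request is allowed only if the command is enabled AND every other
# process field still matches what the policy expects.
ExecProcessRequest if {
	i_process := input.process
	defaults := policy_data.request_defaults.ExecProcessRequest
	command_allowed(i_process.Args, defaults)
	allow_process_fields(i_process, defaults)
}

# Exact argv match against the "commands" allowlist.
command_allowed(args, defaults) if {
	some cmd in defaults.commands
	cmd == args
}

# Alternatively, the joined command line matches a "regex" entry.
command_allowed(args, defaults) if {
	some re in defaults.regex
	regex.match(re, concat(" ", args))
}

# Fields beyond Args that the exec must not be able to vary: working
# directory, privilege escalation setting, TTY, and every env entry.
allow_process_fields(p, defaults) if {
	p.Cwd == defaults.cwd
	p.NoNewPrivileges == defaults.no_new_privileges
	p.Terminal == false
	every e in p.Env {
		e in defaults.env
	}
}
```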
2 participants