
genpolicy: tighter symlink source rules #278

Merged: 9 commits merged from danmihai1/symlink into msft-main on Dec 19, 2024

Conversation

danmihai1:

Allow symlink source file paths typically used for ConfigMaps and/or Secrets and reject other source paths.
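As an added illustration of the allow/reject split the description refers to (example code written for this page, not the project's own Rego rules or genpolicy code): Kubernetes projects ConfigMaps and Secrets into a volume through the kubelet's atomic writer, so the symlinks found there have a fixed shape: each key is a link to `..data/<key>`, and `..data` is itself a link to a timestamped directory named `..YYYY_MM_DD_HH_MM_SS.NNNNNNNNN`. The validator below accepts only symlink sources of those three forms and rejects everything else (absolute paths, parent-directory traversal, arbitrary relative paths). The exact patterns, the sample link list and the function names are assumptions made for this example.

```python
import re

# Symlink sources produced by the kubelet's atomic writer for ConfigMap/Secret
# volumes. Pattern choice is an assumption for this example, not genpolicy's rule.
_TIMESTAMP_DIR = re.compile(r"^\.\.\d{4}_\d{2}_\d{2}_\d{2}_\d{2}_\d{2}\.\d{9}$")
# ConfigMap/Secret keys: alphanumerics, '-', '_' and '.', never "." or ".."
_KEY_NAME = re.compile(r"^[A-Za-z0-9._-]+$")


def is_allowed_symlink_source(source: str) -> bool:
    """Return True only for symlink sources matching the projected-volume layout.

    Accepted forms:
      "..data"                          -- the indirection link to the live version
      "..data/<key>"                    -- per-key link, <key> a plain file name
      "..YYYY_MM_DD_HH_MM_SS.NNNNNNNNN" -- a timestamped version directory
    Everything else (absolute paths, "..", other relative paths) is rejected.
    """
    if source == "..data":
        return True
    if _TIMESTAMP_DIR.match(source):
        return True
    if source.startswith("..data/"):
        key = source[len("..data/"):]
        # The key must be a single path component, so no '/' and no traversal.
        return bool(_KEY_NAME.match(key)) and key not in (".", "..")
    return False


def classify_links(links):
    """Split (link_path, source) pairs into allowed and rejected lists."""
    allowed, rejected = [], []
    for link_path, source in links:
        (allowed if is_allowed_symlink_source(source) else rejected).append(
            (link_path, source)
        )
    return allowed, rejected


# Constructed sample: symlinks as they might appear in a mounted ConfigMap
# volume plus a few sources that should never be accepted. Not from the page.
SAMPLE_LINKS = [
    ("/etc/app/config.yaml", "..data/config.yaml"),
    ("/etc/app/..data", "..2024_12_18_02_41_00.123456789"),
    ("/etc/app/.env", "..data/.env"),
    ("/etc/app/shadow", "/etc/shadow"),
    ("/etc/app/escape", "../../etc/passwd"),
    ("/etc/app/sneaky", "..data/../secret"),
]


if __name__ == "__main__":
    ok, bad = classify_links(SAMPLE_LINKS)
    for link_path, source in ok:
        print(f"allow  {link_path} -> {source}")
    for link_path, source in bad:
        print(f"reject {link_path} -> {source}")
```

The check deliberately works on the source string alone rather than resolving it on the filesystem: the point of a policy rule is to decide before anything is mounted, and a resolved path would say nothing about whether the link was created by the kubelet or by something else.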

danmihai1 and others added 8 commits December 18, 2024 02:41
Log into Pod VM's /tmp/policy.txt the policy print output for requests
that get evaluated to false - to help debugging.

This output was already provided for interactive commands - e.g., when
ExecProcessRequest gets rejected for "kubectl exec". However, for
non-interactive requests - e.g., ExecProcessRequest for a livenessProbe -
it can be helpful to set AllowRequestsFailingPolicy = true and to
collect the policy prints from the Pod VM log file.

Signed-off-by: Dan Mihai <[email protected]>
Using process data inputs for allow_process() is easier to
read/understand compared with the older OCI data inputs.

Signed-off-by: Dan Mihai <[email protected]>
Reuse constants where applicable

Signed-off-by: Saul Paredes <[email protected]>
Validate more process fields for commands enabled using the
ExecProcessRequest "commands" and/or "regex" fields from the
settings file.

Signed-off-by: Dan Mihai <[email protected]>
Validate more process fields for k8s probe commands - e.g.,
livenessProbe, readinessProbe, etc.

Signed-off-by: Dan Mihai <[email protected]>
Add comment for missing ExecProcessRequest validation of container_id.

Signed-off-by: Dan Mihai <[email protected]>
Update samples with the latest policy.

Signed-off-by: Dan Mihai <[email protected]>
Allow symlink source file path rules typically used for ConfigMaps
and/or Secrets and reject other source paths.

Signed-off-by: Dan Mihai <[email protected]>
@danmihai1 danmihai1 requested a review from Redent0r December 18, 2024 20:26
@danmihai1 danmihai1 requested review from a team as code owners December 18, 2024 20:26
Update samples with the latest policy.

Signed-off-by: Dan Mihai <[email protected]>
Redent0r:

Force pushed last commit to update samples and pass PR check

@Redent0r Redent0r merged commit a68453b into msft-main Dec 19, 2024
47 of 55 checks passed
@Redent0r Redent0r deleted the danmihai1/symlink branch December 19, 2024 01:29