diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json
index 15bf78d93e3b..819dce3755ab 100644
--- a/src/tools/genpolicy/genpolicy-settings.json
+++ b/src/tools/genpolicy/genpolicy-settings.json
@@ -299,9 +299,7 @@
 "kata_config": {
 "confidential_guest": true
 },
- "cluster_config": {
- "default_namespace": "default"
- },
+ "cluster_config": {},
 "request_defaults": {
 "CreateContainerRequest": {
 "allow_env_regex": [
diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
index 627b767a1e40..1adafaab7532 100644
--- a/src/tools/genpolicy/rules.rego
+++ b/src/tools/genpolicy/rules.rego
@@ -69,7 +69,7 @@ CreateContainerRequest:= {"ops": ops, "allowed": true} {
 # check sandbox name
 sandbox_name = i_oci.Annotations[S_NAME_KEY]
 add_sandbox_name_to_state := state_allows("sandbox_name", sandbox_name)
- ops := concat_op_if_not_null(ops_builder, add_sandbox_name_to_state)
+ ops_builder1 := concat_op_if_not_null(ops_builder, add_sandbox_name_to_state)
 # Check if any element from the policy_data.containers array allows the input request.
 some p_container in policy_data.containers
@@ -82,6 +82,13 @@ CreateContainerRequest:= {"ops": ops, "allowed": true} {
 p_oci := p_container.OCI
+ # check namespace
+ p_namespace := p_oci.Annotations[S_NAMESPACE_KEY]
+ i_namespace := i_oci.Annotations[S_NAMESPACE_KEY]
+ print ("CreateContainerRequest: p_namespace =", p_namespace, "i_namespace =", i_namespace)
+ add_namespace_to_state := allow_namespace(p_namespace, i_namespace)
+ ops := concat_op_if_not_null(ops_builder1, add_namespace_to_state)
+
 print("CreateContainerRequest: p Version =", p_oci.Version, "i Version =", i_oci.Version)
 p_oci.Version == i_oci.Version
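Review bot: `print ("CreateContainerRequest: p_namespace =", ...)` is the only call in these hunks with a space before the parenthesis; write it as `print("CreateContainerRequest: p_namespace =", p_namespace, "i_namespace =", i_namespace)` like the neighbouring prints. The intermediate name `ops_builder1` introduced in the preceding hunk (@@ -69,7) says nothing about what was appended and invites an `ops_builder2` next time; a name such as `ops_with_sandbox_name` keeps the ops chain readable. Both hunks sit inside the `CreateContainerRequest` rule body, which starts and ends outside them.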
@@ -129,6 +136,18 @@ allow_create_container_input {
 print("allow_create_container_input: true")
 }
+allow_namespace(p_namespace, i_namespace) = add_namespace {
+ p_namespace == i_namespace
+ add_namespace := null
+ print("allow_namespace 1: input namespace matches policy data")
+}
+
+allow_namespace(p_namespace, i_namespace) = add_namespace {
+ p_namespace == ""
+ print("allow_namespace 2: no namespace found on policy data")
+ add_namespace := state_allows("namespace", i_namespace)
+}
+
 # value hasn't been seen before, save it to state
 state_allows(key, value) = action {
 state := get_state()
@@ -239,12 +258,9 @@ allow_by_anno(p_oci, i_oci, p_storages, i_storages) {
 allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, s_name) {
 print("allow_by_sandbox_name: start")
- p_namespace := p_oci.Annotations[S_NAMESPACE_KEY]
 i_namespace := i_oci.Annotations[S_NAMESPACE_KEY]
- print("allow_by_sandbox_name: p_namespace =", p_namespace, "i_namespace =", i_namespace)
- p_namespace == i_namespace
- allow_by_container_types(p_oci, i_oci, s_name, p_namespace)
+ allow_by_container_types(p_oci, i_oci, s_name, i_namespace)
 allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages)
 allow_process(p_oci, i_oci, s_name)
diff --git a/src/tools/genpolicy/src/policy.rs b/src/tools/genpolicy/src/policy.rs
index 012eb9add230..f3de3c91a24b 100644
--- a/src/tools/genpolicy/src/policy.rs
+++ b/src/tools/genpolicy/src/policy.rs
@@ -398,9 +398,7 @@ pub struct SandboxData {
 /// Configuration from "kubectl config".
 #[derive(Clone, Debug, Serialize, Deserialize)]
-pub struct ClusterConfig {
- default_namespace: String,
-}
+pub struct ClusterConfig {}
 enum K8sResourceEnum {
 ConfigMap(config_map::ConfigMap),
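Review bot: The two `allow_namespace` definitions are not mutually exclusive: when `p_namespace == ""` and `i_namespace` is also empty, the first body yields `null` and the second yields whatever `state_allows("namespace", "")` produces, and Rego reports a conflict if those differ, so the whole `CreateContainerRequest` evaluation would error out instead of denying cleanly. Adding `p_namespace != i_namespace` to the second body (or `p_namespace != ""` to the first) makes the branches disjoint. The second branch also deserves a comment, since it appears to be trust-on-first-use: the runtime namespace seen first is saved in state and later requests must match it, which is weaker than the policy-time pin it replaces; something like `# No namespace in policy data: accept the first namespace seen at runtime and pin it in state` above the second definition would make that explicit.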
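Review bot: `allow_by_sandbox_name` now forwards `i_namespace`, taken straight from the input annotation, into `allow_by_container_types` with no check in this rule; the only validation is `allow_namespace` in `CreateContainerRequest`, a separate rule, and nothing here records that dependency. A one-line comment above the assignment, `# i_namespace is checked against policy data or pinned state by allow_namespace in CreateContainerRequest`, keeps a later edit from treating it as a free value. The rule body continues past the end of the hunk.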
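Review bot: `pub struct ClusterConfig {}` still derives `Deserialize`, and serde ignores unknown fields by default, so a user's older genpolicy-settings.json that still carries `cluster_config.default_namespace` is accepted silently while the value no longer has any effect. If that should fail loudly, add `#[serde(deny_unknown_fields)]` above the struct; otherwise at least update the doc comment, which still reads `/// Configuration from "kubectl config".` for a struct with no fields, e.g. `/// Placeholder for cluster-level settings; currently empty.`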
@@ -533,11 +531,7 @@ impl AgentPolicy {
 let mut root = c_settings.Root.clone();
 root.Readonly = yaml_container.read_only_root_filesystem();
- let namespace = if let Some(ns) = resource.get_namespace() {
- ns
- } else {
- self.settings.cluster_config.default_namespace.clone()
- };
+ let namespace = resource.get_namespace().unwrap_or_default();
 let use_host_network = resource.use_host_network();
 let annotations = get_container_annotations(
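Review bot: `resource.get_namespace().unwrap_or_default()` turns a missing `metadata.namespace` into an empty string, and that empty string is the sentinel the second `allow_namespace` body in rules.rego keys on (`p_namespace == ""`) to accept the first namespace presented at runtime; nothing on the Rust side says so. A comment on the line, `// Empty means "not fixed at policy time": rules.rego accepts the first runtime namespace and pins it in state.`, records the contract. This swaps a policy-time default for a runtime one, so a resource deployed without a namespace no longer has its namespace compared against anything on the first request; if that is intended it belongs in the genpolicy documentation as well. The enclosing `impl AgentPolicy` method starts and ends outside the hunk.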