forked from kata-containers/kata-containers
policy: cherry pick state policy changes from upstream #273
Merged
Redent0r added the upstream/not-needed label (PRs that will not be upstreamed, e.g. internal) on Dec 16, 2024
Redent0r changed the title from "Saulparedes/add state to policy" to "policy: cherry pick state policy changes from upstream" on Dec 16, 2024
Redent0r force-pushed the saulparedes/add_state_to_policy branch from 3a25d45 to 9a557d2 on December 16, 2024 21:23
danmihai1 approved these changes on Dec 16, 2024
ms-mahuber approved these changes on Dec 28, 2024
Redent0r force-pushed the saulparedes/add_state_to_policy branch 4 times, most recently from e8deaca to 0d0b197 on January 8, 2025 23:27
Commits:

Use regorus engine's add_data method to add state to the policy. This data can later be accessed inside rego context through the data namespace. Support state modifications (json-patches) that may be returned as a result from policy evaluation. Also initialize a policy engine data slice "pstate" dedicated for storing state.
Signed-off-by: Saul Paredes <[email protected]>

Make sure all container sandbox names match the sandbox name of the first container.
Signed-off-by: Saul Paredes <[email protected]>

Before this patch there was a mismatch between the JSON path under which the state of the rule evaluation is set in comparison to under which it is retrieved. This resulted in the behavior that each time the policy was evaluated, it thought it was the _first_ time the policy was evaluated. This also means that the consistency check for the `sandbox_name` was ineffective.
Signed-off-by: Leonard Cohnen <[email protected]>

Reuse constants where applicable
Signed-off-by: Saul Paredes <[email protected]>

- Remove default_namespace from settings
- Ensure container namespaces in a pod match each other in case no namespace is specified in the YAML
Signed-off-by: Saul Paredes <[email protected]>

Update samples policy annotations
Signed-off-by: Saul Paredes <[email protected]>
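
The set/retrieve path mismatch described in the commit messages above, modelled as an added example (not code from this PR or from the project). It does not use regorus: the flat path-to-value store, the `evaluate`/`apply`/`run` functions and both path strings are assumptions made for illustration; only the `pstate` slice name and the `sandbox_name` check come from the page.

```rust
use std::collections::BTreeMap;

// Hypothetical flat model of policy data: JSON-pointer-like path -> value.
type Data = BTreeMap<String, String>;

// One JSON-patch-style "add" operation returned by a policy evaluation.
#[derive(Debug, PartialEq)]
struct AddOp { path: String, value: String }

// Assumed path for this sketch; "pstate" is the state slice named on the page.
const STATE_PATH: &str = "/pstate/sandbox_name";

// Evaluate one container-creation request. `read_path` is where the rule looks
// up the saved name; `write_path` is where its returned patch stores it.
fn evaluate(data: &Data, sandbox_name: &str, read_path: &str, write_path: &str)
    -> (bool, Vec<AddOp>) {
    match data.get(read_path) {
        // No saved state: treat this as the first container and record its name.
        None => (true, vec![AddOp { path: write_path.into(), value: sandbox_name.into() }]),
        // Saved state: later containers must match the first sandbox name.
        Some(saved) => (saved == sandbox_name, vec![]),
    }
}

// Apply the state modifications returned by an allowed evaluation.
fn apply(data: &mut Data, ops: Vec<AddOp>) {
    for op in ops { data.insert(op.path, op.value); }
}

// Run a sequence of requests and return the allow/deny decision for each.
fn run(names: &[&str], read_path: &str, write_path: &str) -> Vec<bool> {
    let mut data = Data::new();
    names.iter().map(|n| {
        let (allowed, ops) = evaluate(&data, n, read_path, write_path);
        if allowed { apply(&mut data, ops); }
        allowed
    }).collect()
}

fn main() {
    let reqs = ["sandbox-a", "sandbox-a", "sandbox-b"]; // constructed input
    // Same path for set and retrieve: the third request is denied.
    println!("{:?}", run(&reqs, STATE_PATH, STATE_PATH));
    // Mismatched paths: every request looks like the first, so all are allowed.
    println!("{:?}", run(&reqs, STATE_PATH, "/sandbox_name"));
}
```

A regression test for this class of bug should send a second request with a different sandbox name and assert that it is denied, since a first-request-only test passes in both configurations.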

Redent0r force-pushed the saulparedes/add_state_to_policy branch from 0d0b197 to 4d36cde on January 9, 2025 17:41
Redent0r commented on Jan 9, 2025, on lines +95 to +96:
"base64", | ||
"base64url", |
Fyi I'm including base64 as part of my confidential storage PR.
Redent0r added a commit that referenced this pull request on Jan 15, 2025:
…space Use $(sandbox-namespace) wildcard in case none is specified in yaml. If wildcard is present, compare input against annotation value. Fixes regression introduced in #273 where samples that use metadata.namespace env var were no longer working.
Signed-off-by: Saul Paredes <[email protected]>
Redent0r added five more commits that referenced this pull request, each with the same commit message: four on Jan 16, 2025 and one on Jan 17, 2025.
Merge Checklist
upstream/missing label (or upstream/not-needed) has been set on the PR.

Summary
This PR downstreams all available state policy changes from upstream. These are:

Test Methodology
Since we are changing the agent, I'm building a new image with updated kata(-cc) packages.