
policy: cherry pick state policy changes from upstream #273

Merged
merged 6 commits into msft-main from saulparedes/add_state_to_policy
Jan 10, 2025

Conversation

@Redent0r Redent0r commented Dec 16, 2024

Merge Checklist
  • Followed patch format from upstream recommendation: https://github.com/kata-containers/community/blob/main/CONTRIBUTING.md#patch-format
    • Included a single commit in a given PR - at least unless there are related commits and each makes sense as a change on its own.
  • Aware that the PR will be merged using "create a merge commit" rather than "squash and merge" (or similar)
  • The upstream/missing label (or upstream/not-needed) has been set on the PR.
Summary

This PR downstreams all available state policy changes from upstream. These are:

Test Methodology

Since we are changing the agent, I'm building a new image with updated kata(-cc) packages.

@Redent0r Redent0r added the upstream/not-needed label (PRs that will not be upstreamed, e.g. internal) Dec 16, 2024
@Redent0r Redent0r changed the title from "Saulparedes/add state to policy" to "policy: cherry pick state policy changes from upstream" Dec 16, 2024
@Redent0r Redent0r force-pushed the saulparedes/add_state_to_policy branch from 3a25d45 to 9a557d2 December 16, 2024 21:23
@Redent0r Redent0r force-pushed the saulparedes/add_state_to_policy branch 4 times, most recently from e8deaca to 0d0b197 January 8, 2025 23:27
Redent0r and others added 6 commits January 9, 2025 09:40
Use regorus engine's add_data method to add state to the policy.
This data can later be accessed inside rego context through the data namespace.

Support state modifications (json-patches) that may be returned as a result from policy evaluation.

Also initialize a policy engine data slice "pstate" dedicated for storing state.

Signed-off-by: Saul Paredes <[email protected]>
Make sure all container sandbox names match the sandbox name of the first container.

Signed-off-by: Saul Paredes <[email protected]>
Before this patch there was a mismatch between the JSON path under which
the state of the rule evaluation is set in comparison to under which
it is retrieved.

This resulted in the behavior that each time the policy was evaluated,
it thought it was the _first_ time the policy was evaluated.
This also means that the consistency check for the `sandbox_name`
was ineffective.

Signed-off-by: Leonard Cohnen <[email protected]>
Reuse constants where applicable

Signed-off-by: Saul Paredes <[email protected]>
- Remove default_namespace from settings
- Ensure container namespaces in a pod match each other in case no namespace is specified in the YAML

Signed-off-by: Saul Paredes <[email protected]>
Update samples policy annotations

Signed-off-by: Saul Paredes <[email protected]>
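The first commit above describes the mechanism (state added to the engine's data namespace, a dedicated "pstate" slice, JSON patches returned from evaluation), the third describes the set/retrieve path mismatch that made every evaluation look like the first one, and the fifth extends the same first-container consistency check to namespaces. The following is an added example, written for this page and not taken from the kata agent, regorus or the project's rules.rego: a Python model of that state flow rather than the agent's Rust code. Only the slice name "pstate" comes from the commit message; PolicyEngine, make_create_container_rule, run_pod, the read/write pointer prefixes and the request field names sandbox_name and sandbox_namespace are hypothetical.

```python
# Constructed model (Python, not the kata agent's Rust/regorus or its rules.rego) of
# rule state kept in a reserved data slice, read back via the data namespace and
# updated by JSON patches returned from evaluation. Only "pstate" is taken from the
# commit message; every other name below is hypothetical.
import copy

STATE_SLICE = "pstate"


def _tokens(pointer):
    """RFC 6901 pointer -> path tokens, unescaping ~1 and ~0."""
    if not pointer.startswith("/"):
        raise ValueError(f"not a JSON pointer: {pointer!r}")
    return [t.replace("~1", "/").replace("~0", "~") for t in pointer[1:].split("/")]


def resolve(doc, pointer):
    """Read through a pointer; KeyError if that path was never written."""
    node = doc
    for t in _tokens(pointer):
        node = node[t]
    return node


def apply_json_patch(doc, patch):
    """Apply RFC 6902 add/replace/remove/test ops (object members only) in place."""
    for op in patch:
        toks = _tokens(op["path"])
        parent = doc
        for t in toks[:-1]:
            parent = parent[t]
        key, kind = toks[-1], op["op"]
        if kind in ("add", "replace"):
            if kind == "replace" and key not in parent:
                raise KeyError(f"replace: {op['path']} does not exist")
            parent[key] = copy.deepcopy(op["value"])
        elif kind == "remove":
            del parent[key]
        elif kind == "test":
            if parent.get(key) != op["value"]:
                raise ValueError(f"test failed at {op['path']}")
        else:
            raise ValueError(f"unsupported op: {kind}")
    return doc


class PolicyEngine:
    """Stand-in for the agent's engine: data namespace with the state slice reserved up front."""

    def __init__(self):
        self.data = {STATE_SLICE: {}}  # the equivalent of add_data({"pstate": {}})

    def evaluate(self, rule, request):
        allowed, patch = rule(self.data, request)
        if allowed:  # model choice: state changes land only for allowed requests
            apply_json_patch(self.data, patch)
        return allowed


def make_create_container_rule(read_prefix, write_prefix,
                               pinned=("sandbox_name", "sandbox_namespace")):
    """Pin each field in `pinned` to the first container's value and reject later
    containers that disagree. Different read/write prefixes reproduce the
    set/retrieve path mismatch that the fix above removes."""
    def rule(data, request):
        patch = []
        for field in pinned:
            try:
                stored = resolve(data, f"{read_prefix}/{field}")
            except KeyError:
                stored = None  # nothing recorded yet: looks like the first container
            if stored is None:
                patch.append({"op": "add", "path": f"{write_prefix}/{field}",
                              "value": request[field]})
            elif stored != request[field]:
                return False, []  # later container disagrees with the first one
        return True, patch
    return rule


# Written under /pstate but read under /state: the lookup never hits, so every
# request is treated as the first container and the consistency check is a no-op.
BUGGY_RULE = make_create_container_rule("/state", f"/{STATE_SLICE}")
FIXED_RULE = make_create_container_rule(f"/{STATE_SLICE}", f"/{STATE_SLICE}")


def run_pod(rule, containers):
    """Evaluate each container request in order; returns the allow/deny list."""
    engine = PolicyEngine()
    return [engine.evaluate(rule, c) for c in containers]


# Constructed requests: the third container claims a different sandbox name.
POD = [
    {"sandbox_name": "web-7f9c", "sandbox_namespace": "default"},
    {"sandbox_name": "web-7f9c", "sandbox_namespace": "default"},
    {"sandbox_name": "other-1a2b", "sandbox_namespace": "default"},
]

if __name__ == "__main__":
    print("buggy rule:", run_pod(BUGGY_RULE, POD))
    print("fixed rule:", run_pod(FIXED_RULE, POD))
```

With the mismatched pointers the rule allows all three requests and simply overwrites the recorded name each time; with matching pointers the third request is rejected, and a request whose namespace differs from the first container's is rejected the same way.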
@Redent0r Redent0r force-pushed the saulparedes/add_state_to_policy branch from 0d0b197 to 4d36cde Compare January 9, 2025 17:41
Comment on lines +95 to +96
"base64",
"base64url",
@Redent0r Redent0r (author) commented Jan 9, 2025


We might need to include these regorus features in upstream at some point.

I needed to add these to keep some existing functionality on rules.rego related to base64 and base64url. If these features don't get added, I get failures like
[image: screenshot of the failure output]

Collaborator commented:

FYI, I'm including base64 as part of my confidential storage PR.

@Redent0r Redent0r marked this pull request as ready for review January 9, 2025 22:34
@Redent0r Redent0r requested review from a team as code owners January 9, 2025 22:34
@Redent0r Redent0r merged commit a96690c into msft-main Jan 10, 2025
129 of 199 checks passed
@Redent0r Redent0r deleted the saulparedes/add_state_to_policy branch January 10, 2025 17:29
@Redent0r Redent0r restored the saulparedes/add_state_to_policy branch January 13, 2025 21:04
Redent0r added a commit that referenced this pull request Jan 15, 2025
…space

Use $(sandbox-namespace) wildcard in case none is specified in yaml. If wildcard is present, compare
input against annotation value.

Fixes regression introduced in #273
where samples that use metadata.namespace env var were no longer working.

Signed-off-by: Saul Paredes <[email protected]>
Labels
upstream/not-needed PRs that will not be upstreamed (e.g. internal)
5 participants