
Conversation

@Redent0r (Contributor)

Fixes #10087

This PR adds the ability for the policy to save and load data to a state kept in the regorus engine, and also validates one field (sandbox name) to show capabilities.

@katacontainersbot katacontainersbot added the size/huge Largest and most complex task (probably needs breaking into small pieces) label Oct 16, 2024
@burgerdev (Contributor) left a comment


Thanks, this is great!

@fidencio (Member)

@Redent0r, please, rebase this PR atop of the current main.

I've done a reasonable amount of changes in the workflows in order to get measured rootfs working, and that will require PRs to be rebased, sorry.

@Redent0r Redent0r force-pushed the saulparedes/add-policy-state branch 2 times, most recently from 4ec207d to fa4e605 Compare October 30, 2024 20:35
@Redent0r Redent0r force-pushed the saulparedes/add-policy-state branch 3 times, most recently from 31f99cd to 51e2678 Compare November 1, 2024 22:34
@Redent0r Redent0r marked this pull request as ready for review November 4, 2024 02:58
@fidencio (Member) left a comment


lgtm, thanks @Redent0r!

@fidencio (Member) commented Nov 4, 2024

@Redent0r, I've approved and re-triggered the failing CI (which is NOT related to the changes you're proposing).

@3u13r (Contributor) commented Nov 12, 2024

Since we can now use the state to model more complex request chains, can we add some unit tests so that the expected requests are allowed (technically already covered by the e2e tests) and no other requests on a certain state are allowed (not yet covered by e2e tests as far as I understand)?

@Redent0r (Contributor, Author)

> Since we can now use the state to model more complex request chains, can we add some unit tests so that the expected requests are allowed (technically already covered by the e2e tests) and no other requests on a certain state are allowed (not yet covered by e2e tests as far as I understand).

Thanks! Created #10529 to tackle this in a separate PR.

Use regorus engine's add_data method to add state to the policy.
This data can later be accessed inside rego context through the data namespace.

Support state modifications (json-patches) that may be returned as a result from policy evaluation.

Also initialize a policy engine data slice "pstate" dedicated for storing state.

Fixes kata-containers#10087

Signed-off-by: Saul Paredes <[email protected]>
Make sure all container sandbox names match the sandbox name of the first container.

Signed-off-by: Saul Paredes <[email protected]>
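The state mechanism these commit messages describe, as an added Rego example (not the project's own rules.rego): the first CreateContainerRequest records the sandbox name in the "pstate" data slice by returning a JSON Patch op, later requests are allowed only if their sandbox name matches the recorded one, and anything else falls through to the deny default. The result shape {"allowed", "ops"}, the annotation key and the /pstate layout are assumptions made here for illustration.

```rego
package agent_policy

import rego.v1

# Deny unless one of the rules below matches (assumed result shape).
default CreateContainerRequest := {"allowed": false}

# Key under the dedicated "pstate" data slice where the sandbox name lives.
sandbox_name_key := "sandbox_name"

# Annotation the CRI runtime sets on every container of a pod sandbox
# (assumed to be the field the policy compares).
sandbox_name_anno := "io.kubernetes.cri.sandbox-name"

# First container of the sandbox: nothing recorded yet, so record it.
# "ops" is a JSON Patch the engine applies to its data after evaluation.
CreateContainerRequest := {"allowed": true, "ops": ops} if {
    i_name := input.OCI.Annotations[sandbox_name_anno]
    not state_val(sandbox_name_key)
    ops := [state_set(sandbox_name_key, i_name)]
}

# Later containers: allowed only if they carry the recorded sandbox name.
# A request with any other name matches neither rule and is denied.
CreateContainerRequest := {"allowed": true, "ops": []} if {
    i_name := input.OCI.Annotations[sandbox_name_anno]
    state_val(sandbox_name_key) == i_name
}

# Read a value from the state slice; undefined while the key is unset.
state_val(key) := value if {
    value := data.pstate[key]
}

# Build a JSON Patch "add" operation targeting /pstate/<key>.
state_set(key, value) := {
    "op": "add",
    "path": concat("/", ["/pstate", key]),
    "value": value,
}
```

With an empty data.pstate and an input annotated "sandbox-a", the first rule yields ops = [{"op": "add", "path": "/pstate/sandbox_name", "value": "sandbox-a"}]; once that patch is applied, a second request annotated "sandbox-b" evaluates to {"allowed": false}.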
@Redent0r Redent0r force-pushed the saulparedes/add-policy-state branch from 56020fc to c207312 Compare November 12, 2024 23:20
@katacontainersbot katacontainersbot added size/large Task of significant size and removed size/huge Largest and most complex task (probably needs breaking into small pieces) labels Nov 12, 2024
@Redent0r Redent0r requested a review from danmihai1 November 13, 2024 18:41
@danmihai1 danmihai1 merged commit d9977b3 into kata-containers:main Nov 13, 2024
282 of 364 checks passed
@Redent0r Redent0r deleted the saulparedes/add-policy-state branch November 13, 2024 19:50

Labels: ok-to-test, size/large (Task of significant size)


Development: successfully merging this pull request may close the issue "genpolicy: Add state to policy".

7 participants