@Redent0r Redent0r commented Dec 16, 2024

Summary

This PR downstreams all available state policy changes from upstream. These are:

Test Methodology

Since we are changing the agent, I'm building a new image with updated kata(-cc) packages.

@Redent0r Redent0r added the upstream/not-needed PRs that will not be upstreamed (e.g. internal) label Dec 16, 2024
@Redent0r Redent0r changed the title Saulparedes/add state to policy policy: cherry pick state policy changes from upstream Dec 16, 2024
@Redent0r Redent0r force-pushed the saulparedes/add_state_to_policy branch from 3a25d45 to 9a557d2 December 16, 2024 21:23
@Redent0r Redent0r force-pushed the saulparedes/add_state_to_policy branch 4 times, most recently from e8deaca to 0d0b197 January 8, 2025 23:27
Redent0r and others added 6 commits January 9, 2025 09:40
Use regorus engine's add_data method to add state to the policy.
This data can later be accessed inside rego context through the data namespace.

Support state modifications (json-patches) that may be returned as a result from policy evaluation.

Also initialize a policy engine data slice "pstate" dedicated for storing state.

Signed-off-by: Saul Paredes <[email protected]>
Make sure all container sandbox names match the sandbox name of the first container.

Signed-off-by: Saul Paredes <[email protected]>
Before this patch there was a mismatch between the JSON path under which
the state of the rule evaluation is set in comparison to under which
it is retrieved.

This resulted in the behavior that each time the policy was evaluated,
it thought it was the _first_ time the policy was evaluated.
This also means that the consistency check for the `sandbox_name`
was ineffective.

Signed-off-by: Leonard Cohnen <[email protected]>
Reuse constants where applicable

Signed-off-by: Saul Paredes <[email protected]>
- Remove default_namespace from settings
- Ensure container namespaces in a pod match each other in case no namespace is specified in the YAML

Signed-off-by: Saul Paredes <[email protected]>
Update samples policy annotations

Signed-off-by: Saul Paredes <[email protected]>
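The state mechanism the commits above describe (policy state kept under a dedicated `pstate` slice of the engine's data namespace, updated through patches returned by policy evaluation, and the set/get path mismatch that made the `sandbox_name` consistency check ineffective), as an added, stand-alone Rust example. This is not code from this PR or from the kata agent: it models the data namespace and patch application with a tiny JSON-like value type instead of regorus and serde_json, and the rule, the path `/pstate/sandbox_name`, the function names and the sample requests are assumptions constructed for illustration.

```rust
use std::collections::BTreeMap;

/// Minimal JSON-like value, enough to model the engine's `data` namespace.
#[derive(Clone, Debug, PartialEq)]
pub enum Value {
    Str(String),
    Object(BTreeMap<String, Value>),
}

/// One state change in the spirit of a JSON Patch "add" op, returned by the policy.
#[derive(Clone, Debug)]
pub struct Patch { pub path: String, pub value: Value }

/// The engine's data namespace, with a dedicated `pstate` slice for policy state.
pub struct PolicyData { root: Value }

/// Path under which the rule records the pod's sandbox name (assumed name).
pub const STATE_PATH: &str = "/pstate/sandbox_name";

fn split_path(path: &str) -> Vec<&str> {
    path.split('/').filter(|s| !s.is_empty()).collect()
}

/// Descend to the value at `segs`, failing if any segment is missing.
fn walk_mut<'a>(cur: &'a mut Value, segs: &[&str]) -> Result<&'a mut Value, String> {
    let Some((seg, rest)) = segs.split_first() else { return Ok(cur) };
    match cur {
        Value::Object(m) => walk_mut(m.get_mut(*seg).ok_or(format!("missing segment '{}'", seg))?, rest),
        Value::Str(_) => Err(format!("'{}' is not an object", seg)),
    }
}

impl PolicyData {
    /// Fresh data namespace: only the empty `pstate` slice exists.
    pub fn new() -> Self {
        let mut root = BTreeMap::new();
        root.insert("pstate".to_string(), Value::Object(BTreeMap::new()));
        PolicyData { root: Value::Object(root) }
    }

    /// Read a value by JSON-pointer-style path, e.g. "/pstate/sandbox_name".
    pub fn get(&self, path: &str) -> Option<&Value> {
        split_path(path).iter().try_fold(&self.root, |cur, seg| match cur {
            Value::Object(m) => m.get(*seg),
            Value::Str(_) => None,
        })
    }

    /// Apply one patch. As in RFC 6902, the parent of the target must already
    /// exist, which is why `new` creates the `pstate` slice up front.
    pub fn apply(&mut self, patch: &Patch) -> Result<(), String> {
        let segs = split_path(&patch.path);
        let (last, parents) = segs.split_last().ok_or("empty patch path".to_string())?;
        match walk_mut(&mut self.root, parents)? {
            Value::Object(m) => { m.insert(last.to_string(), patch.value.clone()); Ok(()) }
            Value::Str(_) => Err("patch parent is not an object".to_string()),
        }
    }
}

/// Rule outcome plus the state patches to apply before the next request.
pub struct Decision { pub allow: bool, pub patches: Vec<Patch> }

/// Sandbox-name consistency rule: the first container of a pod records its sandbox
/// name, every later one must match. `read_path`/`store_path` are separate only so
/// the path mismatch described in the commit message can be reproduced.
pub fn eval_create_container(data: &PolicyData, sandbox_name: &str, read_path: &str, store_path: &str) -> Decision {
    match data.get(read_path) {
        None => Decision {
            allow: true,
            patches: vec![Patch { path: store_path.to_string(), value: Value::Str(sandbox_name.to_string()) }],
        },
        Some(Value::Str(first)) => Decision { allow: first.as_str() == sandbox_name, patches: vec![] },
        Some(Value::Object(_)) => Decision { allow: false, patches: vec![] },
    }
}

/// Evaluate a pod's CreateContainer requests in order, applying the returned
/// patches between requests; returns the per-request allow decisions.
pub fn run_pod(sandbox_names: &[&str], read_path: &str, store_path: &str) -> Vec<bool> {
    let mut data = PolicyData::new();
    let mut decisions = Vec::new();
    for name in sandbox_names {
        let d = eval_create_container(&data, name, read_path, store_path);
        if d.allow { for p in &d.patches { data.apply(p).expect("state patch must apply"); } }
        decisions.push(d.allow);
    }
    decisions
}

fn main() {
    // Constructed requests: two containers of pod-a, then a container claiming pod-b.
    let reqs = ["pod-a", "pod-a", "pod-b"];
    println!("same set/get path: {:?}", run_pod(&reqs, STATE_PATH, STATE_PATH)); // [true, true, false]
    println!("mismatched paths:  {:?}", run_pod(&reqs, "/sandbox_name", STATE_PATH)); // [true, true, true]
}
```

With the same path for storing and reading, the third request is denied because its sandbox name differs from the recorded one. With mismatched paths the lookup never finds the recorded name, so every evaluation behaves like the first one, re-records the name and allows the request: exactly the silent no-op the commit message describes. A unit test that feeds two different sandbox names through the rule and expects a denial is the cheapest way to keep that regression from returning.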
@Redent0r Redent0r force-pushed the saulparedes/add_state_to_policy branch from 0d0b197 to 4d36cde Compare January 9, 2025 17:41
Comment on lines +95 to +96
"base64",
"base64url",
@Redent0r Redent0r Jan 9, 2025


We might need to include these regorus features in upstream at some point.

I needed to add these to keep some existing functionality on rules.rego related to base64 and base64url. If these features don't get added, I get failures like


Fyi I'm including base64 as part of my confidential storage PR.

@Redent0r Redent0r marked this pull request as ready for review January 9, 2025 22:34
@Redent0r Redent0r requested review from a team as code owners January 9, 2025 22:34
@Redent0r Redent0r merged commit a96690c into msft-main Jan 10, 2025
129 of 199 checks passed
@Redent0r Redent0r deleted the saulparedes/add_state_to_policy branch January 10, 2025 17:29
@Redent0r Redent0r restored the saulparedes/add_state_to_policy branch January 13, 2025 21:04
Redent0r added a commit that referenced this pull request Jan 15, 2025
…space

Use $(sandbox-namespace) wildcard in case none is specified in yaml. If wildcard is present, compare
input against annotation value.

Fixes regression introduced in #273
where samples that use metadata.namespace env var were no longer working.

Signed-off-by: Saul Paredes <[email protected]>
@Redent0r Redent0r added upstream/merged PRs that have been merged upstream and removed upstream/not-needed PRs that will not be upstreamed (e.g. internal) labels Apr 2, 2025