genpolicy: fix env variables that are always allowed #316
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Redent0r
commented
Feb 21, 2025
Redent0r
commented
Feb 21, 2025
Redent0r
commented
Feb 21, 2025
|
Please fix PR title |
Redent0r
changed the title
Redent0r
force-pushed
the
saulparedes/fix_always_allowed
branch
from
a333952 to
e43bd8f
Compare
4 tasks
Redent0r
commented
Feb 24, 2025
Redent0r
force-pushed
the
saulparedes/fix_always_allowed
branch
from
e43bd8f to
bde2d46
Compare
danmihai1
approved these changes
Feb 24, 2025
sprt
requested changes
Feb 25, 2025
Redent0r
force-pushed
the
saulparedes/fix_always_allowed
branch
from
bde2d46 to
777e7c3
Compare
manuelh-dev
reviewed
Feb 25, 2025
Redent0r
force-pushed
the
saulparedes/fix_always_allowed
branch
from
777e7c3 to
6d2a84c
Compare
Redent0r
commented
Feb 25, 2025
manuelh-dev
approved these changes
Feb 25, 2025
Redent0r
force-pushed
the
saulparedes/fix_always_allowed
branch
from
6d2a84c to
907a418
Compare
Instead, require the user to define a validation regex on the settings if not present and use that regex to validate in the rules. Signed-off-by: Saul Paredes <[email protected]>
Add regex validation in our settings for variables in our samples that need it. Signed-off-by: Saul Paredes <[email protected]>
Update samples Signed-off-by: Saul Paredes <[email protected]>
Redent0r
force-pushed
the
saulparedes/fix_always_allowed
branch
from
907a418 to
2592ea3
Compare
sprt
approved these changes
Feb 26, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Merge Checklist
upstream/missinglabel (orupstream/not-needed) has been set on the PR.Summary
This forces the user to define a validation regex in the settings for the variables that we use to always allow, since we didn't know what value to expect. These 2 types of variables where:
kata-containers/src/agent/samples/policy/yaml/webhook2/webhook-pod12.yaml
Line 88 in f4192ca
kata-containers/tests/integration/kubernetes/runtimeclass_workloads/pod-env.yaml
Line 41 in f4192ca
As shown in https://github.com/microsoft/kata-containers/pull/316/files#diff-456165c5b51c7f523a8f6226bab85a095af361c1430c61141d40361fa0a25892L788, these variables where always allowed
Genpolicy tool will panic if one of these type of env variables is found and no validation regex is found in the settings as expected
Test Methodology
test run: https://dev.azure.com/mariner-org/mariner/_build/results?buildId=744467&view=results [PASS]