2 changes: 1 addition & 1 deletion src/agent/samples/policy/yaml/configmap/pod-cm1.yaml


2 changes: 1 addition & 1 deletion src/agent/samples/policy/yaml/configmap/pod-cm2.yaml


2 changes: 1 addition & 1 deletion src/agent/samples/policy/yaml/configmap/pod-cm3.yaml



2 changes: 1 addition & 1 deletion src/agent/samples/policy/yaml/job/test-job.yaml


2 changes: 1 addition & 1 deletion src/agent/samples/policy/yaml/job/test-job2.yaml



2 changes: 1 addition & 1 deletion src/agent/samples/policy/yaml/pod/pod-exec.yaml


2 changes: 1 addition & 1 deletion src/agent/samples/policy/yaml/pod/pod-lifecycle.yaml


2 changes: 1 addition & 1 deletion src/agent/samples/policy/yaml/pod/pod-many-layers.yaml


2 changes: 1 addition & 1 deletion src/agent/samples/policy/yaml/pod/pod-one-container.yaml


2 changes: 1 addition & 1 deletion src/agent/samples/policy/yaml/pod/pod-spark.yaml


2 changes: 1 addition & 1 deletion src/agent/samples/policy/yaml/pod/pod-ubuntu.yaml


2 changes: 1 addition & 1 deletion src/agent/samples/policy/yaml/replica-set/replica2.yaml


2 changes: 1 addition & 1 deletion src/agent/samples/policy/yaml/stateful-set/web.yaml


2 changes: 1 addition & 1 deletion src/agent/samples/policy/yaml/stateful-set/web2.yaml


2 changes: 1 addition & 1 deletion src/agent/samples/policy/yaml/webhook/webhook-pod1.yaml


2 changes: 1 addition & 1 deletion src/agent/samples/policy/yaml/webhook/webhook-pod2.yaml


2 changes: 1 addition & 1 deletion src/agent/samples/policy/yaml/webhook/webhook-pod3.yaml


2 changes: 1 addition & 1 deletion src/agent/samples/policy/yaml/webhook/webhook-pod4.yaml


2 changes: 1 addition & 1 deletion src/agent/samples/policy/yaml/webhook/webhook-pod5.yaml


2 changes: 1 addition & 1 deletion src/agent/samples/policy/yaml/webhook/webhook-pod6.yaml


2 changes: 1 addition & 1 deletion src/agent/samples/policy/yaml/webhook/webhook-pod7.yaml


2 changes: 1 addition & 1 deletion src/agent/samples/policy/yaml/webhook2/webhook-pod8.yaml


2 changes: 1 addition & 1 deletion src/agent/samples/policy/yaml/webhook2/webhook-pod9.yaml


2 changes: 1 addition & 1 deletion src/agent/samples/policy/yaml/webhook3/dns-test.yaml


2 changes: 1 addition & 1 deletion src/agent/samples/policy/yaml/webhook3/many-layers.yaml


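--- a/src/tools/genpolicy/genpolicy-settings.json
+++ b/src/tools/genpolicy/genpolicy-settings.json
@@ -319,7 +319,8 @@
 "^AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/azure/tokens/azure-identity-token$",
 "^AZURE_AUTHORITY_HOST=https://login\\.microsoftonline\\.com/$",
 "^TERM=xterm$"
-]
+],
+"allow_env_regex_map": {}
 },
 "CopyFileRequest": [
 "$(sfprefix)"
@@ -333,4 +334,4 @@
 "UpdateEphemeralMountsRequest": false,
 "WriteStreamRequest": false
 }
-}
+}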
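Review bot: The shipped default `"allow_env_regex_map": {}` means that, after this change, generating a policy for any pod whose env vars come from a resourceFieldRef or from a missing annotation aborts until the operator adds a per-variable entry here, and JSON gives no place to explain that. The sibling `allow_env_regex` list shows the convention these entries must follow: every pattern anchored with `^` and `$`, because the Rego side matches them with an unanchored `regex.match`. That requirement, and the fact that the key is the environment variable name rather than a `NAME=value` string like the list above, should be stated in genpolicy's README or settings documentation next to this key.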
13 changes: 9 additions & 4 deletions src/tools/genpolicy/rules.rego
Expand Up @@ -785,10 +785,15 @@ allow_var(p_process, i_process, i_var, s_name, s_namespace) {

p_name_value[0] == name_value[0]

# TODO: should these be handled in a different way?
always_allowed = ["$(resource-field)", "$(todo-annotation)"]
some allowed in always_allowed
contains(p_name_value[1], allowed)
# a variable we should be validating using a regex from settings
p_name_value[1] == "$(validate-from-settings)"

regex_val := policy_data.request_defaults.CreateContainerRequest.allow_env_regex_map[name_value[0]]

print("allow_var 7: val =", name_value[1])
print("allow_var 7: regex_val =", regex_val)

regex.match(regex_val, name_value[1])

print("allow_var 7: true")
}
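Review bot: `regex.match(regex_val, name_value[1])` is an unanchored search in OPA, so a settings entry such as `[0-9]+` would accept a value like `1;touch /tmp/x` as long as one digit appears, and the map entry is the entire validation for these variables. Either document that entries must be anchored (the test script's `^[0-9]+$` entries are) or anchor in the rule itself, e.g. `regex.match(concat("", ["^(?:", regex_val, ")$"]), name_value[1])`. The missing-key case is fine as written — an absent `allow_env_regex_map[name_value[0]]` makes the lookup undefined and the rule fails closed — and deserves a one-line comment saying so, e.g. `# no entry for this variable => lookup undefined => deny`. The two `print("allow_var 7: val/regex_val = …")` lines are debug output and print the raw env value into the agent log; drop them or keep only the final `print("allow_var 7: true")`. The head of `allow_var` and the derivation of `name_value`/`p_name_value` are above the hunk.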
18 changes: 12 additions & 6 deletions src/tools/genpolicy/src/pod.rs
Expand Up @@ -573,6 +573,7 @@ impl Container {
self.registry = registry::get_container(config, &self.image).await.unwrap();
}

#[allow(clippy::too_many_arguments)]
pub fn get_env_variables(
&self,
dest_env: &mut Vec<String>,
Expand All @@ -581,6 +582,7 @@ impl Container {
namespace: &str,
annotations: &Option<BTreeMap<String, String>>,
service_account_name: &str,
settings: &settings::Settings,
) {
if let Some(source_env) = &self.env {
for env_variable in source_env {
Expand All @@ -590,6 +592,7 @@ impl Container {
namespace,
annotations,
service_account_name,
settings,
);
let src_string = format!("{}={value}", &env_variable.name);

Expand Down Expand Up @@ -730,6 +733,7 @@ impl EnvVar {
namespace: &str,
annotations: &Option<BTreeMap<String, String>>,
service_account_name: &str,
settings: &settings::Settings,
) -> String {
if let Some(value) = &self.value {
return value.clone();
Expand Down Expand Up @@ -761,7 +765,8 @@ impl EnvVar {
"spec.nodeName" => return "$(node-name)".to_string(),
"spec.serviceAccountName" => return service_account_name.to_string(),
_ => {
if let Some(value) = self.get_annotation_value(path, annotations) {
if let Some(value) = self.get_annotation_value(path, annotations, settings)
{
return value;
} else {
panic!(
Expand All @@ -774,9 +779,8 @@ impl EnvVar {
}

if value_from.resourceFieldRef.is_some() {
// TODO: should resource fields such as "limits.cpu" or "limits.memory"
// be handled in a different way?
return "$(resource-field)".to_string();
settings.panic_on_undefined_variables(&self.name);
return "$(validate-from-settings)".to_string();
}
} else {
panic!("Environment variable without value or valueFrom!");
Expand All @@ -789,6 +793,7 @@ impl EnvVar {
&self,
reference: &str,
anno: &Option<BTreeMap<String, String>>,
settings: &settings::Settings,
) -> Option<String> {
let prefix = "metadata.annotations['";
let suffix = "']";
Expand All @@ -808,8 +813,9 @@ impl EnvVar {
}
}

// TODO: should missing annotations be handled differently?
return Some("$(todo-annotation)".to_string());
settings.panic_on_undefined_variables(&self.name);

return Some("$(validate-from-settings)".to_string());
}
None
}
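Review bot: The sentinel `"$(validate-from-settings)"` is now spelled out twice in this file (the `resourceFieldRef` branch and the missing-annotation fallback in `get_annotation_value`) and once more in rules.rego, where `p_name_value[1] == "$(validate-from-settings)"` compares against it byte-for-byte; a typo in any copy silently turns the settings-driven check into a plain mismatch that denies the container, so hoist it into `const VALIDATE_FROM_SETTINGS: &str = "$(validate-from-settings)";` and return `VALIDATE_FROM_SETTINGS.to_string()` in both places. Both new `settings.panic_on_undefined_variables(&self.name)` calls abort policy generation, so the enclosing `EnvVar` method and `get_annotation_value` now need a `/// # Panics` line stating that an env var taken from a resource field or from an annotation the pod does not carry requires an `allow_env_regex_map` entry. The `#[allow(clippy::too_many_arguments)]` on `get_env_variables` should carry a short reason comment, per the project's own lint discipline. The `EnvVar` method whose signature is above the `@@ -730` hunk starts and ends outside the visible lines.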
2 changes: 2 additions & 0 deletions src/tools/genpolicy/src/policy.rs
Expand Up @@ -307,6 +307,7 @@ pub struct PersistentVolumeClaimVolume {
pub struct CreateContainerRequestDefaults {
/// Allow env variables that match any of these regexes.
allow_env_regex: Vec<String>,
pub allow_env_regex_map: BTreeMap<String, String>,
}

/// ExecProcessRequest settings from genpolicy-settings.json.
Expand Down Expand Up @@ -655,6 +656,7 @@ impl AgentPolicy {
namespace,
resource.get_annotations(),
service_account_name,
&self.settings,
);

substitute_env_variables(&mut process.Env);
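Review bot: `pub allow_env_regex_map: BTreeMap<String, String>,` is added without a `#[serde(default)]`; if `CreateContainerRequestDefaults` is deserialized from genpolicy-settings.json with serde (the derive line is above the hunk, so this is inferred from the doc comment's mention of the file), every existing user settings file that lacks the new key will stop loading with a missing-field error instead of behaving as the empty map the default file now ships. `#[serde(default)] pub allow_env_regex_map: BTreeMap<String, String>,` keeps older settings files loading and still fails closed, since an empty map leaves the Rego lookup undefined. The field also lacks the doc comment its sibling has; suggest `/// Per-variable regex that a value derived from a resource field or missing annotation must match (anchor with ^…$).` The struct's derive attributes and the end of the `AgentPolicy` method in the second hunk are outside the visible lines.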
13 changes: 13 additions & 0 deletions src/tools/genpolicy/src/settings.rs
Expand Up @@ -86,4 +86,17 @@ impl Settings {
&self.other_container
}
}

pub fn panic_on_undefined_variables(&self, var_name: &str) {
if !self
.request_defaults
.CreateContainerRequest
.allow_env_regex_map
.contains_key(var_name)
{
panic!(
"Env var: please add a regex validation entry for {} in the settings request_defaults.CreateContainerRequest.allow_env_regex_map",
var_name);
}
}
}
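Review bot: `panic_on_undefined_variables` is a public method that aborts the process yet has no doc comment; add `/// Aborts policy generation unless `var_name` has an entry in allow_env_regex_map.` with a `# Panics` section. It only checks that the key exists, so an empty pattern or one without anchors is accepted here and is only discovered as an over-permissive policy at run time; since this is the one place the entry is looked up at generation time, a sanity check on the value would catch the misconfiguration where it is made, e.g. `if re.is_empty() || !re.starts_with('^') || !re.ends_with('$') { panic!("allow_env_regex_map entry for {var_name} must be a non-empty anchored regex") }` after a `let re = …get(var_name)` lookup. The name also reads as if it always panics; `require_env_regex` would say what it verifies. The `impl Settings` header is above the hunk.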
13 changes: 13 additions & 0 deletions src/tools/genpolicy/tests/adapt_settings_for_tests.sh
@@ -0,0 +1,13 @@
#!/bin/sh
#
# Copyright (c) 2025 Microsoft Corporation
#
# SPDX-License-Identifier: Apache-2.0

# usage: ./tests/adapt_settings_for_tests.sh

jq '.request_defaults.CreateContainerRequest.allow_env_regex_map = {
"JOB_COMPLETION_INDEX": "^[0-9]+$",
"CPU_LIMIT": "^[0-9]+$",
"MEMORY_LIMIT": "^[0-9]+$"
}' genpolicy-settings.json > tmp-genpolicy-settings.json && mv tmp-genpolicy-settings.json genpolicy-settings.json
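Review bot: The script rewrites `genpolicy-settings.json` relative to whatever the current directory is, with no `set -eu` and no check that the file exists; run from elsewhere, the shell creates `tmp-genpolicy-settings.json` before `jq` fails on the missing input and the `&&` then skips the `mv`, leaving an empty stray file and a zero-effort silent no-op for the caller. Add `set -eu` and `cd "$(dirname "$0")/.."` after the shebang so it always operates on the tool's own settings file. The three patterns are correctly anchored (`^[0-9]+$`), which matters because the Rego side uses an unanchored `regex.match`; a comment such as `# patterns must be anchored: rules.rego's regex.match is a substring match` would keep someone copying these into a real settings file from dropping the anchors.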
7 changes: 7 additions & 0 deletions src/tools/genpolicy/update_policy_samples.py
Expand Up @@ -58,6 +58,10 @@ def timeRunCmd(arg):
print("========== COMMAND: " + next_command)
runCmd(next_command)

print("Modifying settings for testing")
runCmd("cp genpolicy-settings.json default-genpolicy-settings.json")
runCmd("./tests/adapt_settings_for_tests.sh")

# update files
genpolicy_path = "./target/x86_64-unknown-linux-gnu/debug/genpolicy"

Expand All @@ -83,3 +87,6 @@ def timeRunCmd(arg):
total_end = time.time()

print(f"Total time taken: {total_end - total_start} seconds")

print("Restoring settings to default")
runCmd("mv default-genpolicy-settings.json genpolicy-settings.json")
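Review bot: The restore at the end, `runCmd("mv default-genpolicy-settings.json genpolicy-settings.json")`, is never reached if anything between it and `runCmd("./tests/adapt_settings_for_tests.sh")` raises — a failing command if `runCmd` raises on non-zero exit (its definition is above the hunk), or a Ctrl-C — so an aborted run leaves the test-only `CPU_LIMIT`/`MEMORY_LIMIT`/`JOB_COMPLETION_INDEX` allowances in the checked-in settings file, where they can be committed and shipped as defaults. Put the sample-update loop and timing print inside `try:` and move the `mv` into a `finally:` block; the `cp` backup must stay outside the `try` so the restore never runs without a backup. A cleaner shape, if genpolicy accepts a settings-path argument (I cannot see its CLI here), is to write the adapted settings to a temporary file and pass that instead of mutating the tracked file at all.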