@Camelron Camelron commented Mar 4, 2025

Introduce rules for UpdateInterfaceRequest and genpolicy tests for them.

@Camelron Camelron requested review from a team as code owners March 4, 2025 23:53
@Camelron Camelron force-pushed the cameronbaird/updateinterfacerequest-hardening branch 2 times, most recently from 2b796a4 to 7e00311 Compare March 4, 2025 23:57
Redent0r commented Mar 5, 2025

small genpolicy make check failure https://github.com/microsoft/kata-containers/actions/runs/13665312068/job/38205330704?pr=329

@Camelron Camelron force-pushed the cameronbaird/updateinterfacerequest-hardening branch 2 times, most recently from 9c782e9 to 6172c64 Compare March 5, 2025 18:51
@Camelron Camelron force-pushed the cameronbaird/updateinterfacerequest-hardening branch 3 times, most recently from 2d5a839 to fe06a2b Compare March 5, 2025 19:06
@Redent0r Redent0r force-pushed the cameronbaird/updateinterfacerequest-hardening branch from fe06a2b to caf6b58 Compare March 5, 2025 19:16
@Camelron Camelron force-pushed the cameronbaird/updateinterfacerequest-hardening branch from caf6b58 to dc85a8c Compare March 5, 2025 19:22
@sprt sprt added the upstream/missing PRs that are yet to be upstreamed label Mar 5, 2025
@sprt sprt marked this pull request as draft March 5, 2025 19:26
@Camelron Camelron force-pushed the cameronbaird/updateinterfacerequest-hardening branch from dc85a8c to 05a1609 Compare March 5, 2025 19:32
"IPAddresses": [
{
"family": 0,
"address": "10.244.0.14",

Our main goal here is to guard Guest's loopback interface, if needed. I don't think it's worth trying to hard-code non-loopback IP addresses.

Author

Okay, I removed the policy checks for IPAddresses

Camelron added 2 commits March 5, 2025 20:04
Introduce rules for UpdateInterfaceRequest and genpolicy tests for them.

Signed-off-by: Cameron Baird <[email protected]>
Make corresponding updates to sample pod yamls for
UpdateInterfaceRequest rules

Signed-off-by: Cameron Baird <[email protected]>
@Camelron Camelron force-pushed the cameronbaird/updateinterfacerequest-hardening branch from 05a1609 to 2a9c385 Compare March 5, 2025 21:14
metadata:
name: dummy
spec:
runtimeClassName: kata-cc-isolation

Why are we doing kata-cc-isolation here?

@Camelron
Author

Dead branch, duplicate of this change: #333

@Camelron Camelron closed this Mar 17, 2025