Skip to content

policy: validate pod generated name #331

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Mar 18, 2025
Merged

policy: validate pod generated name #331

merged 3 commits into from
Mar 18, 2025

Conversation

@Redent0r
Copy link

@Redent0r Redent0r commented Mar 10, 2025
edited
Loading

Merge Checklist
Summary

Mark on the policy data if a pod is using a generated name. If it is, validate that the policy sandbox name is a suffix of the input sandbox name as expected

Context: see generateName in https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#objectmeta-v1-meta

upstream PR kata-containers#11012

Test Methodology

test run: https://dev.azure.com/mariner-org/mariner/_build/results?buildId=765084&view=results [3 unexpected failures]
test rerun: https://dev.azure.com/mariner-org/mariner/_build/results?buildId=765316&view=results [pass]

@Redent0r Redent0r force-pushed the saulparedes/validate_generated_name branch from 76a1459 to eeb8ad2 Compare March 17, 2025 19:33
@Redent0r Redent0r added the upstream/merged PRs that have been merged upstream label Mar 17, 2025
@Redent0r Redent0r marked this pull request as ready for review March 17, 2025 19:56
@Redent0r Redent0r requested review from a team as code owners March 17, 2025 19:56
Redent0r added 3 commits March 17, 2025 16:56
@Redent0r
policy: validate pod generated name
a175e12 
Validate sandbox name using a regex. If the YAML specifies metadata.name, use a regex that exact matches.
If the YAML specifies metadata.generateName, use a regex that matches the prefix of the generated name.

Signed-off-by: Saul Paredes <[email protected]>
@Redent0r
policy: mark protocols import as a dev dependency
42ecd51 
We only use protocols in the tests, so it should be a dev dependency.

Signed-off-by: Saul Paredes <[email protected]>
@Redent0r
samples: update samples
c481445 
Update samples

Signed-off-by: Saul Paredes <[email protected]>
@Redent0r Redent0r force-pushed the saulparedes/validate_generated_name branch from 72df3c3 to c481445 Compare March 17, 2025 23:57
@Redent0r
Copy link
Author

Redent0r commented Mar 17, 2025

Test results revelead a few failing samples that reveal the sandbox name is used in variable validation too. Force pushed to include a175e12#diff-456165c5b51c7f523a8f6226bab85a095af361c1430c61141d40361fa0a25892R881-R894 and starting a new test run

@Redent0r Redent0r merged commit 9db7002 into msft-main Mar 18, 2025
116 of 156 checks passed
@Redent0r Redent0r deleted the saulparedes/validate_generated_name branch March 18, 2025 18:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@danmihai1 danmihai1 danmihai1 approved these changes

+1 more reviewer

@manuelh-dev manuelh-dev manuelh-dev approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

upstream/merged PRs that have been merged upstream

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@Redent0r @danmihai1 @manuelh-dev