Merge pull request #11314 from katexochen/p/svc-name-regex

genpolicy: fix svc_name regex
2025-07-04 19:16:23 +00:00 · 2025-05-28 10:08:38 -07:00 · 2025-05-28 10:08:38 -07:00 · 353d0822fd
commit 353d0822fd
parent 7a9d919e3e 8de8b8185e
3 changed files with 12 additions and 12 deletions
--- a/src/tools/genpolicy/genpolicy-settings.json
+++ b/src/tools/genpolicy/genpolicy-settings.json
@ -255,7 +255,7 @@
        "sfprefix": "^$(cpath)/$(bundle-id)-[a-z0-9]{16}-",
        "ip_p": "[0-9]{1,5}",
        "ipv4_a": "(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])",
-        "svc_name": "[A-Z_\\.\\-]+",
+        "svc_name_downward_env": "[A-Z](?:[A-Z0-9_]{0,61}[A-Z0-9])?",
        "dns_label": "[a-zA-Z0-9_\\.\\-]+",
        "default_caps": [
            "CAP_CHOWN",
@ -329,14 +329,14 @@
        "CreateContainerRequest": {
            "allow_env_regex": [
                "^HOSTNAME=$(dns_label)$",
-                "^$(svc_name)_PORT_$(ip_p)_TCP=tcp://$(ipv4_a):$(ip_p)$",
-                "^$(svc_name)_PORT_$(ip_p)_TCP_PROTO=tcp$",
-                "^$(svc_name)_PORT_$(ip_p)_TCP_PORT=$(ip_p)$",
-                "^$(svc_name)_PORT_$(ip_p)_TCP_ADDR=$(ipv4_a)$",
-                "^$(svc_name)_SERVICE_HOST=$(ipv4_a)$",
-                "^$(svc_name)_SERVICE_PORT=$(ip_p)$",
-                "^$(svc_name)_SERVICE_PORT_$(dns_label)=$(ip_p)$",
-                "^$(svc_name)_PORT=tcp://$(ipv4_a):$(ip_p)$",
+                "^$(svc_name_downward_env)_PORT_$(ip_p)_TCP=tcp://$(ipv4_a):$(ip_p)$",
+                "^$(svc_name_downward_env)_PORT_$(ip_p)_TCP_PROTO=tcp$",
+                "^$(svc_name_downward_env)_PORT_$(ip_p)_TCP_PORT=$(ip_p)$",
+                "^$(svc_name_downward_env)_PORT_$(ip_p)_TCP_ADDR=$(ipv4_a)$",
+                "^$(svc_name_downward_env)_SERVICE_HOST=$(ipv4_a)$",
+                "^$(svc_name_downward_env)_SERVICE_PORT=$(ip_p)$",
+                "^$(svc_name_downward_env)_SERVICE_PORT_$(dns_label)=$(ip_p)$",
+                "^$(svc_name_downward_env)_PORT=tcp://$(ipv4_a):$(ip_p)$",
                "^AZURE_CLIENT_ID=[A-Fa-f0-9-]*$",
                "^AZURE_TENANT_ID=[A-Fa-f0-9-]*$",
                "^AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/azure/tokens/azure-identity-token$",
--- a/src/tools/genpolicy/rules.rego
+++ b/src/tools/genpolicy/rules.rego
@ -835,7 +835,7 @@ allow_var(p_process, i_process, i_var, s_name, s_namespace) {
    some p_regex1 in policy_data.request_defaults.CreateContainerRequest.allow_env_regex
    p_regex2 := replace(p_regex1, "$(ipv4_a)", policy_data.common.ipv4_a)
    p_regex3 := replace(p_regex2, "$(ip_p)", policy_data.common.ip_p)
-    p_regex4 := replace(p_regex3, "$(svc_name)", policy_data.common.svc_name)
+    p_regex4 := replace(p_regex3, "$(svc_name_downward_env)", policy_data.common.svc_name_downward_env)
    p_regex5 := replace(p_regex4, "$(dns_label)", policy_data.common.dns_label)

    print("allow_var 3: p_regex5 =", p_regex5)
--- a/src/tools/genpolicy/src/policy.rs
+++ b/src/tools/genpolicy/src/policy.rs
@ -407,8 +407,8 @@ pub struct CommonData {
    /// Regex for an IP port number.
    pub ip_p: String,

-    /// Regex for a K8s service name.
-    pub svc_name: String,
+    /// Regex for a K8s service name (RFC 1035), after downward API transformation.
+    pub svc_name_downward_env: String,

    // Regex for a DNS label (e.g., host name).
    pub dns_label: String,