diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json
index e15ad13b8..77ec29994 100644
--- a/src/tools/genpolicy/genpolicy-settings.json
+++ b/src/tools/genpolicy/genpolicy-settings.json
@@ -255,7 +255,7 @@
 "sfprefix": "^$(cpath)/$(bundle-id)-[a-z0-9]{16}-",
 "ip_p": "[0-9]{1,5}",
 "ipv4_a": "(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])",
- "svc_name": "[A-Z_\\.\\-]+",
+ "svc_name_downward_env": "[A-Z](?:[A-Z0-9_]{0,61}[A-Z0-9])?",
 "dns_label": "[a-zA-Z0-9_\\.\\-]+",
 "default_caps": [
 "CAP_CHOWN",
@@ -329,14 +329,14 @@
 "CreateContainerRequest": {
 "allow_env_regex": [
 "^HOSTNAME=$(dns_label)$",
- "^$(svc_name)_PORT_$(ip_p)_TCP=tcp://$(ipv4_a):$(ip_p)$",
- "^$(svc_name)_PORT_$(ip_p)_TCP_PROTO=tcp$",
- "^$(svc_name)_PORT_$(ip_p)_TCP_PORT=$(ip_p)$",
- "^$(svc_name)_PORT_$(ip_p)_TCP_ADDR=$(ipv4_a)$",
- "^$(svc_name)_SERVICE_HOST=$(ipv4_a)$",
- "^$(svc_name)_SERVICE_PORT=$(ip_p)$",
- "^$(svc_name)_SERVICE_PORT_$(dns_label)=$(ip_p)$",
- "^$(svc_name)_PORT=tcp://$(ipv4_a):$(ip_p)$",
+ "^$(svc_name_downward_env)_PORT_$(ip_p)_TCP=tcp://$(ipv4_a):$(ip_p)$",
+ "^$(svc_name_downward_env)_PORT_$(ip_p)_TCP_PROTO=tcp$",
+ "^$(svc_name_downward_env)_PORT_$(ip_p)_TCP_PORT=$(ip_p)$",
+ "^$(svc_name_downward_env)_PORT_$(ip_p)_TCP_ADDR=$(ipv4_a)$",
+ "^$(svc_name_downward_env)_SERVICE_HOST=$(ipv4_a)$",
+ "^$(svc_name_downward_env)_SERVICE_PORT=$(ip_p)$",
+ "^$(svc_name_downward_env)_SERVICE_PORT_$(dns_label)=$(ip_p)$",
+ "^$(svc_name_downward_env)_PORT=tcp://$(ipv4_a):$(ip_p)$",
 "^AZURE_CLIENT_ID=[A-Fa-f0-9-]*$",
 "^AZURE_TENANT_ID=[A-Fa-f0-9-]*$",
 "^AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/azure/tokens/azure-identity-token$",
diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
index d9309004e..6e131f34b 100644
--- a/src/tools/genpolicy/rules.rego
+++ b/src/tools/genpolicy/rules.rego
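Review bot: The named-port suffix in the rewritten `"^$(svc_name_downward_env)_SERVICE_PORT_$(dns_label)=$(ip_p)$"` entry still uses `$(dns_label)`, which admits lower-case letters, dots and hyphens that cannot occur in an environment variable name the downward API produces, so that entry stays looser than the service-name prefix this commit tightens. As far as I recall, Kubernetes port names are more constrained than a DNS label (lower-case alphanumerics and hyphens, at most 15 characters) and undergo the same upper-casing and `-` to `_` mapping as the service name; please confirm against the API validation rules. If so, a dedicated pattern such as `"port_name_downward_env": "[A-Z0-9_]{1,15}"` (constructed example), substituted in rules.rego the same way as `svc_name_downward_env`, would keep both halves of the variable name equally tight.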
@@ -835,7 +835,7 @@ allow_var(p_process, i_process, i_var, s_name, s_namespace) {
 some p_regex1 in policy_data.request_defaults.CreateContainerRequest.allow_env_regex
 p_regex2 := replace(p_regex1, "$(ipv4_a)", policy_data.common.ipv4_a)
 p_regex3 := replace(p_regex2, "$(ip_p)", policy_data.common.ip_p)
- p_regex4 := replace(p_regex3, "$(svc_name)", policy_data.common.svc_name)
+ p_regex4 := replace(p_regex3, "$(svc_name_downward_env)", policy_data.common.svc_name_downward_env)
 p_regex5 := replace(p_regex4, "$(dns_label)", policy_data.common.dns_label)
 
 print("allow_var 3: p_regex5 =", p_regex5)
diff --git a/src/tools/genpolicy/src/policy.rs b/src/tools/genpolicy/src/policy.rs
index 766a5b28b..ae6fdea82 100644
--- a/src/tools/genpolicy/src/policy.rs
+++ b/src/tools/genpolicy/src/policy.rs
@@ -407,8 +407,8 @@ pub struct CommonData {
 /// Regex for an IP port number.
 pub ip_p: String,
 
- /// Regex for a K8s service name.
- pub svc_name: String,
+ /// Regex for a K8s service name (RFC 1035), after downward API transformation.
+ pub svc_name_downward_env: String,
 
 // Regex for a DNS label (e.g., host name).
 pub dns_label: String,
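Review bot: After the rename on the `p_regex4 := replace(...)` line, any user-maintained settings file whose `allow_env_regex` entries still spell `$(svc_name)` is no longer substituted: the literal token survives into p_regex5 and, as far as I can tell, is then read by the regex engine as an end-of-input anchor followed by a literal group, so the entry can never match. That fails closed, which is the safe direction, but it does so silently, with the `print` on the last context line as the only trace. Consider either a transitional second substitution, `p_regex4b := replace(p_regex4, "$(svc_name)", policy_data.common.svc_name_downward_env)` feeding `p_regex5 := replace(p_regex4b, "$(dns_label)", policy_data.common.dns_label)`, or having genpolicy reject a settings file in which any `$(` token remains after substitution, so the misconfiguration surfaces at policy-generation time rather than as a rejected container. The body of allow_var continues past the end of this hunk.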
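Review bot: The new doc comment on `svc_name_downward_env` names RFC 1035 but not the constraint the companion regex in genpolicy-settings.json actually enforces, which is what a maintainer editing either file needs to keep them in step. Suggest `/// Regex for a K8s service name as it appears in a downward-API env var name: an RFC 1035 label` followed by `/// (leading letter, letters/digits/underscore, at most 63 chars), upper-cased with '-' mapped to '_'.`. The `-` to `_` mapping is inferred from Kubernetes' env var naming rather than visible in this diff, so confirm it before committing that wording. The `CommonData` struct starts and ends outside this hunk.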