diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json
index fe1625bac1..5bbb306e3f 100644
--- a/src/tools/genpolicy/genpolicy-settings.json
+++ b/src/tools/genpolicy/genpolicy-settings.json
@@ -305,7 +305,6 @@
 "oci_version": "1.1.0"
 },
 "cluster_config": {
- "default_namespace": "default",
 "pause_container_image": "mcr.microsoft.com/oss/kubernetes/pause:3.6"
 },
 "request_defaults": {
diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
index b7aef4d8c5..6caba44357 100644
--- a/src/tools/genpolicy/rules.rego
+++ b/src/tools/genpolicy/rules.rego
@@ -68,7 +68,7 @@ CreateContainerRequest:= {"ops": ops, "allowed": true} {
 # check sandbox name
 sandbox_name = i_oci.Annotations[S_NAME_KEY]
 add_sandbox_name_to_state := state_allows("sandbox_name", sandbox_name)
- ops := concat_op_if_not_null(ops_builder, add_sandbox_name_to_state)
+ ops_builder1 := concat_op_if_not_null(ops_builder, add_sandbox_name_to_state)
 # Check if any element from the policy_data.containers array allows the input request.
 some p_container in policy_data.containers
@@ -81,6 +81,13 @@ CreateContainerRequest:= {"ops": ops, "allowed": true} {
 p_oci := p_container.OCI
+ # check namespace
+ p_namespace := p_oci.Annotations[S_NAMESPACE_KEY]
+ i_namespace := i_oci.Annotations[S_NAMESPACE_KEY]
+ print ("CreateContainerRequest: p_namespace =", p_namespace, "i_namespace =", i_namespace)
+ add_namespace_to_state := allow_namespace(p_namespace, i_namespace)
+ ops := concat_op_if_not_null(ops_builder1, add_namespace_to_state)
+
 print("CreateContainerRequest: p Version =", p_oci.Version, "i Version =", i_oci.Version)
 p_oci.Version == i_oci.Version
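Review bot: The `# check namespace` comment should say what an empty policy namespace means, because after this hunk the policy no longer pins the namespace when the YAML omits it: `allow_namespace` (added further down in this diff) then appears to record whatever namespace the first CreateContainerRequest carries via `state_allows` and only requires later containers to match it. Suggested wording: `# check namespace: an empty policy namespace means the YAML did not specify one; the first input namespace seen is then saved to state and later containers must match it`. Separately, `print (` on the new print line has a space before the parenthesis that none of the neighbouring print calls use; write `print("CreateContainerRequest: p_namespace =", p_namespace, "i_namespace =", i_namespace)`. The CreateContainerRequest body starts and ends outside this hunk.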
@@ -131,6 +138,18 @@ allow_create_container_input {
 print("allow_create_container_input: true")
 }
+allow_namespace(p_namespace, i_namespace) = add_namespace {
+ p_namespace == i_namespace
+ add_namespace := null
+ print("allow_namespace 1: input namespace matches policy data")
+}
+
+allow_namespace(p_namespace, i_namespace) = add_namespace {
+ p_namespace == ""
+ print("allow_namespace 2: no namespace found on policy data")
+ add_namespace := state_allows("namespace", i_namespace)
+}
+
 # value hasn't been seen before, save it to state
 state_allows(key, value) = action {
 state := get_state()
@@ -241,12 +260,9 @@ allow_by_anno(p_oci, i_oci, p_storages, i_storages) {
 allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, s_name) {
 print("allow_by_sandbox_name: start")
- p_namespace := p_oci.Annotations[S_NAMESPACE_KEY]
 i_namespace := i_oci.Annotations[S_NAMESPACE_KEY]
- print("allow_by_sandbox_name: p_namespace =", p_namespace, "i_namespace =", i_namespace)
- p_namespace == i_namespace
- allow_by_container_types(p_oci, i_oci, s_name, p_namespace)
+ allow_by_container_types(p_oci, i_oci, s_name, i_namespace)
 allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages)
 allow_process(p_oci, i_oci, s_name)
diff --git a/src/tools/genpolicy/src/policy.rs b/src/tools/genpolicy/src/policy.rs
index 973643e1f2..656e410668 100644
--- a/src/tools/genpolicy/src/policy.rs
+++ b/src/tools/genpolicy/src/policy.rs
@@ -388,8 +388,6 @@ pub struct CommonData {
 /// Configuration from "kubectl config".
 #[derive(Clone, Debug, Serialize, Deserialize)]
 pub struct ClusterConfig {
- default_namespace: String,
-
 /// Pause container image reference.
 pub pause_container_image: String,
 }
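Review bot: Both `allow_namespace` bodies succeed when `p_namespace` and `i_namespace` are both empty: the first yields `null`, the second yields the `state_allows` result, and a Rego function that produces two different values for the same arguments is an evaluation conflict rather than a clean allow or deny. Adding `p_namespace != ""` to the first body routes the all-empty case through state pinning, so an empty value is recorded and matched like any other. I would also put a comment on the second body noting that the value recorded comes from the request, i.e. from the host side, and is trusted only for consistency across the sandbox, not as an enforced policy value. Whether the agent treats a conflict error as a denial is not visible from this hunk.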
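Review bot: `allow_by_container_types` now receives `i_namespace`, a value read from the request, where it previously received the policy's `p_namespace` after an equality check; the callee is outside this hunk, so if it compares its namespace argument against `i_oci.Annotations[S_NAMESPACE_KEY]` or builds an expected name from request fields, that comparison has become input against input. Worth confirming that every use of the argument there is either structural or already covered by `allow_namespace` in CreateContainerRequest, assuming `allow_by_sandbox_name` is only reached from that rule. A comment on the call would make the dependency visible: `# i_namespace is request-supplied; allow_namespace in CreateContainerRequest has already checked it against the policy or pinned it in state`. The `allow_by_sandbox_name` body continues past the hunk.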
@@ -532,15 +530,7 @@ impl AgentPolicy {
 let mut root = c_settings.Root.clone();
 root.Readonly = yaml_container.read_only_root_filesystem();
- let namespace = match resource.get_namespace() {
- Some(ns) if !ns.is_empty() => ns,
- _ => self
- .config
- .settings
- .cluster_config
- .default_namespace
- .clone(),
- };
+ let namespace = resource.get_namespace().unwrap_or_default();
 let use_host_network = resource.use_host_network();
 let annotations = get_container_annotations(
diff --git a/tests/integration/kubernetes/k8s-limit-range.bats b/tests/integration/kubernetes/k8s-limit-range.bats
index 6bf454db78..c3f2d6f33d 100644
--- a/tests/integration/kubernetes/k8s-limit-range.bats
+++ b/tests/integration/kubernetes/k8s-limit-range.bats
@@ -15,7 +15,6 @@ setup() {
 pod_yaml="${pod_config_dir}/pod-cpu-defaults.yaml"
 policy_settings_dir="$(create_tmp_policy_settings_dir "${pod_config_dir}")"
- set_namespace_to_policy_settings "${policy_settings_dir}" "${namespace_name}"
 auto_generate_policy "${policy_settings_dir}" "${pod_yaml}"
 }
diff --git a/tests/integration/kubernetes/tests_common.sh b/tests/integration/kubernetes/tests_common.sh
index 6653322ccc..b3889baead 100644
--- a/tests/integration/kubernetes/tests_common.sh
+++ b/tests/integration/kubernetes/tests_common.sh
@@ -155,9 +155,6 @@ create_common_genpolicy_settings() {
 cp "${default_genpolicy_settings_dir}/genpolicy-settings.json" "${genpolicy_settings_dir}"
 cp "${default_genpolicy_settings_dir}/rules.rego" "${genpolicy_settings_dir}"
-
- # Set the default namespace of Kata CI tests in the genpolicy settings.
- set_namespace_to_policy_settings "${genpolicy_settings_dir}" "${TEST_CLUSTER_NAMESPACE}"
 }
 # If auto-generated policy testing is enabled, make a copy of the common genpolicy settings
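Review bot: `resource.get_namespace().unwrap_or_default()` makes the empty string carry meaning — it is the value the rules read as "no namespace in the policy" — but nothing on this line says so, and the old `!ns.is_empty()` guard that used to turn an explicit empty value into the configured default is gone. A comment would make the contract between this file and rules.rego explicit: `// An empty namespace means the YAML did not set one; rules.rego then accepts the first namespace seen at runtime instead of enforcing a fixed value.` The enclosing function in `impl AgentPolicy` starts and ends outside the hunk.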
@@ -273,21 +270,6 @@ add_copy_from_guest_to_policy_settings() {
 add_exec_to_policy_settings "${policy_settings_dir}" "${exec_command[@]}"
 }
-# Change genpolicy settings to use a pod namespace different than "default".
-set_namespace_to_policy_settings() {
- local -r settings_dir="$1"
- local -r namespace="$2"
-
- auto_generate_policy_enabled || return 0
-
- info "${settings_dir}/genpolicy-settings.json: namespace: ${namespace}"
- jq --arg namespace "${namespace}" \
- '.cluster_config.default_namespace |= $namespace' \
- "${settings_dir}/genpolicy-settings.json" > \
- "${settings_dir}/new-genpolicy-settings.json"
- mv "${settings_dir}/new-genpolicy-settings.json" "${settings_dir}/genpolicy-settings.json"
-}
-
 hard_coded_policy_tests_enabled() {
 # CI is testing hard-coded policies just on a the platforms listed here. Outside of CI,
 # users can enable testing of the same policies (plus the auto-generated policies) by