From 9105c1fa0c38cef11533d35afc60d3d0501e05bd Mon Sep 17 00:00:00 2001 From: Saul Paredes Date: Wed, 27 Nov 2024 11:48:02 -0800 Subject: [PATCH] policy: add constants to rules.rego Reuse constants where applicable Signed-off-by: Saul Paredes --- src/tools/genpolicy/rules.rego | 26 ++++++++++++-------------- 1 file changed, 12 insertions(+), 14 deletions(-) diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego index b990f6ee65..b91612d172 100644 --- a/src/tools/genpolicy/rules.rego +++ b/src/tools/genpolicy/rules.rego @@ -49,6 +49,10 @@ default WriteStreamRequest := false # them and inspect OPA logs for the root cause of a failure. default AllowRequestsFailingPolicy := false +# Constants +S_NAME_KEY = "io.kubernetes.cri.sandbox-name" +S_NAMESPACE_KEY = "io.kubernetes.cri.sandbox-namespace" + CreateContainerRequest:= {"ops": ops, "allowed": true} { # Check if the input request should be rejected even before checking the # policy_data.containers information. @@ -62,7 +66,7 @@ CreateContainerRequest:= {"ops": ops, "allowed": true} { ops_builder := [] # check sandbox name - sandbox_name = i_oci.Annotations["io.kubernetes.cri.sandbox-name"] + sandbox_name = i_oci.Annotations[S_NAME_KEY] add_sandbox_name_to_state := state_allows("sandbox_name", sandbox_name) ops := concat_op_if_not_null(ops_builder, add_sandbox_name_to_state) 
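Review bot: The two constants added in the `@@ -49,6 +49,10 @@` hunk are declared with `=` while the surrounding file already uses `:=` (`default AllowRequestsFailingPolicy := false`); at package level `:=` is the idiomatic form for a constant and avoids reading as unification. The `# Constants` header also says nothing about what the strings are or where they are read from, which matters here because the same keys are looked up on both the policy side and the runtime-supplied input. I would replace the three added lines with `# CRI annotation keys used to correlate a container with its pod sandbox; read from both policy_data and the input OCI spec.`, `S_NAME_KEY := "io.kubernetes.cri.sandbox-name"`, `S_NAMESPACE_KEY := "io.kubernetes.cri.sandbox-namespace"`.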
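Review bot: In the `@@ -62,7 +66,7 @@` hunk the rewritten line keeps `sandbox_name = i_oci.Annotations[S_NAME_KEY]` while the very next statement uses `:=`; since the line is being touched anyway, `sandbox_name := i_oci.Annotations[S_NAME_KEY]` would make the assignment explicit and consistent. It is also worth a comment that this lookup is what rejects a request whose OCI spec lacks the sandbox-name annotation: an undefined lookup makes the rule body fail, so the rule falls through to its default, which I presume is `false` as for the other `default ... := false` rules. A one-line `# Undefined if the input carries no sandbox-name annotation, which fails the whole rule.` above it would capture that. The enclosing `CreateContainerRequest` rule starts before this hunk and continues past it.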
@@ -206,16 +210,14 @@ allow_anno_key(i_key, p_oci) { print("allow_anno_key 2: true") } -# Get the value of the "io.kubernetes.cri.sandbox-name" annotation and +# Get the value of the S_NAME_KEY annotation and # correlate it with other annotations and process fields. allow_by_anno(p_oci, i_oci, p_storages, i_storages) { print("allow_by_anno 1: start") - s_name := "io.kubernetes.cri.sandbox-name" + not p_oci.Annotations[S_NAME_KEY] - not p_oci.Annotations[s_name] - - i_s_name := i_oci.Annotations[s_name] + i_s_name := i_oci.Annotations[S_NAME_KEY] print("allow_by_anno 1: i_s_name =", i_s_name) allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, i_s_name) @@ -225,10 +227,8 @@ allow_by_anno(p_oci, i_oci, p_storages, i_storages) { allow_by_anno(p_oci, i_oci, p_storages, i_storages) { print("allow_by_anno 2: start") - s_name := "io.kubernetes.cri.sandbox-name" - - p_s_name := p_oci.Annotations[s_name] - i_s_name := i_oci.Annotations[s_name] + p_s_name := p_oci.Annotations[S_NAME_KEY] + i_s_name := i_oci.Annotations[S_NAME_KEY] print("allow_by_anno 2: i_s_name =", i_s_name, "p_s_name =", p_s_name) allow_sandbox_name(p_s_name, i_s_name) @@ -240,10 +240,8 @@ allow_by_anno(p_oci, i_oci, p_storages, i_storages) { allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, s_name) { print("allow_by_sandbox_name: start") - s_namespace := "io.kubernetes.cri.sandbox-namespace" - - p_namespace := p_oci.Annotations[s_namespace] - i_namespace := i_oci.Annotations[s_namespace] + p_namespace := p_oci.Annotations[S_NAMESPACE_KEY] + i_namespace := i_oci.Annotations[S_NAMESPACE_KEY] print("allow_by_sandbox_name: p_namespace =", p_namespace, "i_namespace =", i_namespace) p_namespace == i_namespace
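Review bot: In the `@@ -206,16 +210,14 @@` hunk the new line `not p_oci.Annotations[S_NAME_KEY]` relies on Rego's `not` being true when the lookup is undefined, and in that branch the sandbox name passed on to `allow_by_sandbox_name` comes entirely from `i_oci`, which appears to be the runtime-supplied input rather than the policy. That asymmetry is the security-relevant part of this rule and deserves a comment, since a reader skimming the two `allow_by_anno` bodies could assume both pin the name from the policy. I would add above the `not` line `# Policy does not pin a sandbox name: correlate using the name the input supplies, so allow_by_sandbox_name is the only check on it.`. The first `allow_by_anno` body continues past the end of this hunk.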