github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-06-22 13:38:26 +00:00
Code Issues Projects Releases Wiki Activity

policy: add constants to rules.rego

Browse Source 
Reuse constants where applicable

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
This commit is contained in:
Saul Paredes 2024-11-27 11:48:02 -08:00
parent 6f4f94a9f0
commit 9105c1fa0c
1 changed files with 12 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
src/tools/genpolicy/rules.rego
View File

@ -49,6 +49,10 @@ default WriteStreamRequest := false
# them and inspect OPA logs for the root cause of a failure. # them and inspect OPA logs for the root cause of a failure.
default AllowRequestsFailingPolicy := false default AllowRequestsFailingPolicy := false
# Constants
S_NAME_KEY = "io.kubernetes.cri.sandbox-name"
S_NAMESPACE_KEY = "io.kubernetes.cri.sandbox-namespace"
CreateContainerRequest:= {"ops": ops, "allowed": true} { CreateContainerRequest:= {"ops": ops, "allowed": true} {
# Check if the input request should be rejected even before checking the # Check if the input request should be rejected even before checking the
# policy_data.containers information. # policy_data.containers information.
@ -62,7 +66,7 @@ CreateContainerRequest:= {"ops": ops, "allowed": true} {
ops_builder := [] ops_builder := []
# check sandbox name # check sandbox name
sandbox_name = i_oci.Annotations["io.kubernetes.cri.sandbox-name"] sandbox_name = i_oci.Annotations[S_NAME_KEY]
add_sandbox_name_to_state := state_allows("sandbox_name", sandbox_name) add_sandbox_name_to_state := state_allows("sandbox_name", sandbox_name)
ops := concat_op_if_not_null(ops_builder, add_sandbox_name_to_state) ops := concat_op_if_not_null(ops_builder, add_sandbox_name_to_state)
@ -206,16 +210,14 @@ allow_anno_key(i_key, p_oci) {
print("allow_anno_key 2: true") print("allow_anno_key 2: true")
} }
# Get the value of the "io.kubernetes.cri.sandbox-name" annotation and # Get the value of the S_NAME_KEY annotation and
# correlate it with other annotations and process fields. # correlate it with other annotations and process fields.
allow_by_anno(p_oci, i_oci, p_storages, i_storages) { allow_by_anno(p_oci, i_oci, p_storages, i_storages) {
print("allow_by_anno 1: start") print("allow_by_anno 1: start")
s_name := "io.kubernetes.cri.sandbox-name" not p_oci.Annotations[S_NAME_KEY]
not p_oci.Annotations[s_name] i_s_name := i_oci.Annotations[S_NAME_KEY]
i_s_name := i_oci.Annotations[s_name]
print("allow_by_anno 1: i_s_name =", i_s_name) print("allow_by_anno 1: i_s_name =", i_s_name)
allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, i_s_name) allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, i_s_name)
@ -225,10 +227,8 @@ allow_by_anno(p_oci, i_oci, p_storages, i_storages) {
allow_by_anno(p_oci, i_oci, p_storages, i_storages) { allow_by_anno(p_oci, i_oci, p_storages, i_storages) {
print("allow_by_anno 2: start") print("allow_by_anno 2: start")
s_name := "io.kubernetes.cri.sandbox-name" p_s_name := p_oci.Annotations[S_NAME_KEY]
i_s_name := i_oci.Annotations[S_NAME_KEY]
p_s_name := p_oci.Annotations[s_name]
i_s_name := i_oci.Annotations[s_name]
print("allow_by_anno 2: i_s_name =", i_s_name, "p_s_name =", p_s_name) print("allow_by_anno 2: i_s_name =", i_s_name, "p_s_name =", p_s_name)
allow_sandbox_name(p_s_name, i_s_name) allow_sandbox_name(p_s_name, i_s_name)
@ -240,10 +240,8 @@ allow_by_anno(p_oci, i_oci, p_storages, i_storages) {
allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, s_name) { allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, s_name) {
print("allow_by_sandbox_name: start") print("allow_by_sandbox_name: start")
s_namespace := "io.kubernetes.cri.sandbox-namespace" p_namespace := p_oci.Annotations[S_NAMESPACE_KEY]
i_namespace := i_oci.Annotations[S_NAMESPACE_KEY]
p_namespace := p_oci.Annotations[s_namespace]
i_namespace := i_oci.Annotations[s_namespace]
print("allow_by_sandbox_name: p_namespace =", p_namespace, "i_namespace =", i_namespace) print("allow_by_sandbox_name: p_namespace =", p_namespace, "i_namespace =", i_namespace)
p_namespace == i_namespace p_namespace == i_namespace