genpolicy: validate container sandbox names
Make sure all container sandbox names match the sandbox name of the first container. Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
This commit is contained in:
parent
52d1aea1f7
commit
c207312260
@ -51,7 +51,7 @@ default WriteStreamRequest := false
|
|||||||
# them and inspect OPA logs for the root cause of a failure.
|
# them and inspect OPA logs for the root cause of a failure.
|
||||||
default AllowRequestsFailingPolicy := false
|
default AllowRequestsFailingPolicy := false
|
||||||
|
|
||||||
CreateContainerRequest {
|
CreateContainerRequest:= {"ops": ops, "allowed": true} {
|
||||||
# Check if the input request should be rejected even before checking the
|
# Check if the input request should be rejected even before checking the
|
||||||
# policy_data.containers information.
|
# policy_data.containers information.
|
||||||
allow_create_container_input
|
allow_create_container_input
|
||||||
@ -60,6 +60,14 @@ CreateContainerRequest {
|
|||||||
i_storages := input.storages
|
i_storages := input.storages
|
||||||
i_devices := input.devices
|
i_devices := input.devices
|
||||||
|
|
||||||
|
# array of possible state operations
|
||||||
|
ops_builder := []
|
||||||
|
|
||||||
|
# check sandbox name
|
||||||
|
sandbox_name = i_oci.Annotations["io.kubernetes.cri.sandbox-name"]
|
||||||
|
add_sandbox_name_to_state := state_allows("sandbox_name", sandbox_name)
|
||||||
|
ops := concat_op_if_not_null(ops_builder, add_sandbox_name_to_state)
|
||||||
|
|
||||||
# Check if any element from the policy_data.containers array allows the input request.
|
# Check if any element from the policy_data.containers array allows the input request.
|
||||||
some p_container in policy_data.containers
|
some p_container in policy_data.containers
|
||||||
print("======== CreateContainerRequest: trying next policy container")
|
print("======== CreateContainerRequest: trying next policy container")
|
||||||
@ -121,6 +129,47 @@ allow_create_container_input {
|
|||||||
print("allow_create_container_input: true")
|
print("allow_create_container_input: true")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# value hasn't been seen before, save it to state
|
||||||
|
state_allows(key, value) = action {
|
||||||
|
state := get_state()
|
||||||
|
not state[key]
|
||||||
|
print("state_allows: saving to state key =", key, "value =", value)
|
||||||
|
path := get_state_path(key)
|
||||||
|
action := {
|
||||||
|
"op": "add",
|
||||||
|
"path": path,
|
||||||
|
"value": value,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# value matches what's in state, allow it
|
||||||
|
state_allows(key, value) = action {
|
||||||
|
state := get_state()
|
||||||
|
value == state[key]
|
||||||
|
print("state_allows: found key =", key, "value =", value, " in state")
|
||||||
|
action := null
|
||||||
|
}
|
||||||
|
|
||||||
|
# helper functions to interact with the state
|
||||||
|
get_state() = state {
|
||||||
|
state := data["pstate"]
|
||||||
|
}
|
||||||
|
|
||||||
|
get_state_path(key) = path {
|
||||||
|
path := concat("/", ["", key]) # prepend "/" to key
|
||||||
|
}
|
||||||
|
|
||||||
|
# Helper functions to conditionally concatenate if op is not null
|
||||||
|
concat_op_if_not_null(ops, op) = result {
|
||||||
|
op == null
|
||||||
|
result := ops
|
||||||
|
}
|
||||||
|
|
||||||
|
concat_op_if_not_null(ops, op) = result {
|
||||||
|
op != null
|
||||||
|
result := array.concat(ops, [op])
|
||||||
|
}
|
||||||
|
|
||||||
# Reject unexpected annotations.
|
# Reject unexpected annotations.
|
||||||
allow_anno(p_oci, i_oci) {
|
allow_anno(p_oci, i_oci) {
|
||||||
print("allow_anno 1: start")
|
print("allow_anno 1: start")
|
||||||
|
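Review bot: The mismatch case of `state_allows` — `state[key]` already exists and differs from `value` — is handled only implicitly in the third hunk: neither definition holds, the function is undefined, and `CreateContainerRequest` becomes undefined with it, leaving the decision to that rule's default, which is not in this hunk. A comment above the first definition, `# when state[key] exists and differs from value no body matches, so state_allows is undefined and the calling rule fails; do not add a catch-all definition`, would record that this is the intended fail-closed path and keep a later edit from quietly returning null there. The same implicit behavior applies in the second hunk when the `io.kubernetes.cri.sandbox-name` annotation is absent, and that line also uses `=` where the neighbouring bindings use `:=`, so `sandbox_name := i_oci.Annotations["io.kubernetes.cri.sandbox-name"]` would match the file's style. It is worth stating in the same comment that the first request seen pins the stored value: the check enforces consistency across containers of a sandbox, not agreement with anything in policy_data. allow_anno at the end of the hunk continues outside it.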