genpolicy: validate node name
Redent0r committed Jan 21, 2025
1 parent 6058c26 commit 1a66219
Showing 1 changed file with 7 additions and 1 deletion.
8 changes: 7 additions & 1 deletion src/tools/genpolicy/rules.rego
@@ -55,6 +55,7 @@ default AllowRequestsFailingPolicy := false
S_NAME_KEY = "io.kubernetes.cri.sandbox-name"
S_NAMESPACE_KEY = "io.kubernetes.cri.sandbox-namespace"
BUNDLE_ID = "[a-z0-9]{64}"
NODE_NAME = "[a-z0-9]([-a-z0-9]*[a-z0-9])?"

CreateContainerRequest:= {"ops": ops, "allowed": true} {
# Check if the input request should be rejected even before checking the
@@ -669,9 +670,14 @@ allow_arg(i, i_arg, p_process, s_name) {
p_arg := p_process.Args[i]
print("allow_arg 2: i =", i, "i_arg =", i_arg, "p_arg =", p_arg)

# TODO: can $(node-name) be handled better?
contains(p_arg, "$(node-name)")

p_arg2 := replace(p_arg, "$(node-name)", NODE_NAME)

print("allow_arg 2: p_arg2 =", p_arg2)

regex.match(p_arg2, i_arg)

print("allow_arg 2: true")
}
allow_arg(i, i_arg, p_process, s_name) {
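Review bot: `regex.match(p_arg2, i_arg)` in the second hunk is unanchored, so the check passes whenever the pattern occurs anywhere inside `i_arg`; an argument carrying arbitrary extra text before or after a valid-looking node name is still accepted, and since `NODE_NAME` can match a single character the node-name part is hardly constrained. Anchor the pattern, for example `regex.match(concat("", ["^", p_arg2, "$"]), i_arg)`. Separately, everything in `p_arg` outside `$(node-name)` is also interpreted as regex syntax (a `.` in the policy argument matches any character), so the literal parts should be escaped or compared with plain string functions instead. The head of this `allow_arg` rule appears only in the hunk header, so the body starts outside the visible lines.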