diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
index c4cbf2dcbef1..ad231ccf8cd7 100644
--- a/src/tools/genpolicy/rules.rego
+++ b/src/tools/genpolicy/rules.rego
@@ -251,19 +251,20 @@ allow_by_anno(p_oci, i_oci, p_storages, i_storages) {
 print("allow_by_anno 2: i_s_name =", i_s_name, "p_s_name =", p_s_name)
 allow_sandbox_name(p_s_name, i_s_name)
- allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, i_s_name)
+ i_s_namespace := i_oci.Annotations[S_NAMESPACE_KEY]
+ allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, i_s_name, i_s_namespace)
 print("allow_by_anno 2: true")
 }
-allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, s_name) {
+allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, s_name, s_namespace) {
 print("allow_by_sandbox_name: start")
 i_namespace := i_oci.Annotations[S_NAMESPACE_KEY]
 allow_by_container_types(p_oci, i_oci, s_name, i_namespace)
 allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages)
- allow_process(p_oci.Process, i_oci.Process, s_name)
+ allow_process(p_oci.Process, i_oci.Process, s_name, s_namespace)
 print("allow_by_sandbox_name: true")
 }
@@ -557,7 +558,7 @@ allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) {
 print("allow_by_bundle_or_sandbox_id: true")
 }
-allow_process_common(p_process, i_process, s_name) {
+allow_process_common(p_process, i_process, s_name, s_namespace) {
 print("allow_process_common: p_process =", p_process)
 print("allow_process_common: i_process = ", i_process)
 print("allow_process_common: s_name =", s_name)
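Review bot: The same host-supplied annotation is now read twice under two names: `allow_by_anno` binds `i_s_namespace := i_oci.Annotations[S_NAMESPACE_KEY]` and passes it down as `s_namespace`, while `allow_by_sandbox_name` still binds `i_namespace := i_oci.Annotations[S_NAMESPACE_KEY]` from the same input a few lines later. Keep one copy so that a later change cannot end up validating one name (via `allow_by_container_types`) and substituting the other into env variables; the simplest form is to drop the new local in `allow_by_anno`, keep the old five-argument call, and inside `allow_by_sandbox_name` call `allow_process(p_oci.Process, i_oci.Process, s_name, i_namespace)`. That also keeps it visible at the call site that the value substituted later is the request's annotation, not a policy value. `allow_by_anno` begins before this hunk.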
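Review bot: `allow_process_common` gains `s_namespace` but its trace output still reports only `s_name`, so a policy denial caused by a namespace mismatch leaves no trace of the value that was substituted. Add `print("allow_process_common: s_namespace =", s_namespace)` next to the existing `s_name` print. The rule body continues past the end of this hunk.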
@@ -566,17 +567,17 @@ allow_process_common(p_process, i_process, s_name) {
 p_process.NoNewPrivileges == i_process.NoNewPrivileges
 allow_user(p_process, i_process)
- allow_env(p_process, i_process, s_name)
+ allow_env(p_process, i_process, s_name, s_namespace)
 print("allow_process_common: true")
 }
 # Compare the OCI Process field of a policy container with the input OCI Process from a CreateContainerRequest
-allow_process(p_process, i_process, s_name) {
+allow_process(p_process, i_process, s_name, s_namespace) {
 print("allow_process: start")
 allow_args(p_process, i_process, s_name)
- allow_process_common(p_process, i_process, s_name)
+ allow_process_common(p_process, i_process, s_name, s_namespace)
 allow_caps(p_process.Capabilities, i_process.Capabilities)
 p_process.Terminal == i_process.Terminal
@@ -675,27 +676,27 @@ allow_arg(i, i_arg, p_process, s_name) {
 }
 # OCI process.Env field
-allow_env(p_process, i_process, s_name) {
+allow_env(p_process, i_process, s_name, s_namespace) {
 print("allow_env: p env =", p_process.Env)
 print("allow_env: i env =", i_process.Env)
 every i_var in i_process.Env {
 print("allow_env: i_var =", i_var)
- allow_var(p_process, i_process, i_var, s_name)
+ allow_var(p_process, i_process, i_var, s_name, s_namespace)
 }
 print("allow_env: true")
 }
 # Allow input env variables that are present in the policy data too.
-allow_var(p_process, i_process, i_var, s_name) {
+allow_var(p_process, i_process, i_var, s_name, s_namespace) {
 some p_var in p_process.Env
 p_var == i_var
 print("allow_var 1: true")
 }
 # Match input with one of the policy variables, after substituting $(sandbox-name).
-allow_var(p_process, i_process, i_var, s_name) {
+allow_var(p_process, i_process, i_var, s_name, s_namespace) {
 some p_var in p_process.Env
 p_var2 := replace(p_var, "$(sandbox-name)", s_name)
@@ -706,7 +707,7 @@ allow_var(p_process, i_process, i_var, s_name) {
 }
 # Allow input env variables that match with a request_defaults regex.
-allow_var(p_process, i_process, i_var, s_name) {
+allow_var(p_process, i_process, i_var, s_name, s_namespace) {
 some p_regex1 in policy_data.request_defaults.CreateContainerRequest.allow_env_regex
 p_regex2 := replace(p_regex1, "$(ipv4_a)", policy_data.common.ipv4_a)
 p_regex3 := replace(p_regex2, "$(ip_p)", policy_data.common.ip_p)
@@ -720,7 +721,7 @@ allow_var(p_process, i_process, i_var, s_name) {
 }
 # Allow fieldRef "fieldPath: status.podIP" values.
-allow_var(p_process, i_process, i_var, s_name) {
+allow_var(p_process, i_process, i_var, s_name, s_namespace) {
 name_value := split(i_var, "=")
 count(name_value) == 2
 is_ip(name_value[1])
@@ -731,8 +732,18 @@ allow_var(p_process, i_process, i_var, s_name) {
 print("allow_var 4: true")
 }
+allow_var(p_process, i_process, i_var, s_name, s_namespace) {
+ some p_var in p_process.Env
+ p_var2 := replace(p_var, "$(sandbox-namespace)", s_namespace)
+ print("allow_var 5: p_var5 =", p_var2)
+ p_var2 == i_var
+ print("allow_var 5: true")
+}
 # Allow common fieldRef variables.
-allow_var(p_process, i_process, i_var, s_name) {
+allow_var(p_process, i_process, i_var, s_name, s_namespace) {
 name_value := split(i_var, "=")
 count(name_value) == 2
@@ -751,7 +762,7 @@ allow_var(p_process, i_process, i_var, s_name) {
 }
 # Allow fieldRef "fieldPath: status.hostIP" values.
-allow_var(p_process, i_process, i_var, s_name) {
+allow_var(p_process, i_process, i_var, s_name, s_namespace) {
 name_value := split(i_var, "=")
 count(name_value) == 2
 is_ip(name_value[1])
@@ -763,7 +774,7 @@ allow_var(p_process, i_process, i_var, s_name) {
 }
 # Allow resourceFieldRef values (e.g., "limits.cpu").
-allow_var(p_process, i_process, i_var, s_name) {
+allow_var(p_process, i_process, i_var, s_name, s_namespace) {
 name_value := split(i_var, "=")
 count(name_value) == 2
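Review bot: The new `allow_var 5` rule substitutes only `$(sandbox-namespace)` while rule 2 substitutes only `$(sandbox-name)`, so a policy value that carries both placeholders can never match either rule; if genpolicy can emit such a value (not visible here), rule 5 should apply `replace` for both placeholders before comparing. Note also that `s_namespace` is the request's `S_NAMESPACE_KEY` annotation, which the host controls, so this rule accepts any string placed there and relies on the namespace being bounded elsewhere (presumably `allow_by_container_types`); that caveat belongs in the rule's comment because a policy generated without a namespace no longer pins this env value at all. This is the only `allow_var` rule without a header comment; add `# Match input with one of the policy variables, after substituting $(sandbox-namespace) with the sandbox namespace annotation of the request (host-supplied).` above it. The trace label `p_var5` does not match the variable `p_var2`; use `print("allow_var 5: p_var2 =", p_var2)` as the sibling rules do.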
diff --git a/src/tools/genpolicy/src/pod.rs b/src/tools/genpolicy/src/pod.rs
index 16d633aa2b29..b8af73846f92 100644
--- a/src/tools/genpolicy/src/pod.rs
+++ b/src/tools/genpolicy/src/pod.rs
@@ -748,7 +748,13 @@ impl EnvVar {
 let path: &str = &field_ref.fieldPath;
 match path {
 "metadata.name" => return "$(sandbox-name)".to_string(),
- "metadata.namespace" => return namespace.to_string(),
+ "metadata.namespace" => {
+ return if namespace.is_empty() {
+ "$(sandbox-namespace)".to_string()
+ } else {
+ namespace.to_string()
+ };
+ }
 "metadata.uid" => return "$(pod-uid)".to_string(),
 "status.hostIP" => return "$(host-ip)".to_string(),
 "status.podIP" => return "$(pod-ip)".to_string(),
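Review bot: The `metadata.namespace` arm now silently weakens the generated policy when `namespace` is empty, and nothing at the site says so: the emitted `$(sandbox-namespace)` placeholder is resolved by the policy from the runtime sandbox annotation, so the env value is no longer pinned to a namespace chosen at generation time. Add a comment above the arm such as `// No namespace in the input YAML: emit a placeholder that rules.rego resolves from the sandbox namespace annotation at runtime, instead of pinning a value here; set a namespace in the YAML to pin it.` Where `namespace` comes from and whether an empty value can also mean "default" is decided outside this hunk, so that part should be confirmed against the caller. The enclosing method starts and ends outside the hunk.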