wip validate variables from settings
Redent0r committed Feb 21, 2025
1 parent e711e5f commit a333952
Showing 7 changed files with 50 additions and 10 deletions.
7 changes: 6 additions & 1 deletion src/agent/samples/policy/yaml/pod/pod-exec.yaml

Large diffs are not rendered by default.

3 changes: 2 additions & 1 deletion src/tools/genpolicy/create.json
Expand Up @@ -353,7 +353,8 @@
"KUBERNETES_PORT_443_TCP_PROTO=tcp",
"KUBERNETES_PORT_443_TCP_PORT=443",
"KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1",
"KUBERNETES_SERVICE_HOST=10.0.0.1"
"KUBERNETES_SERVICE_HOST=10.0.0.1",
"JOB_COMPLETION_INDEX=999"
],
"NoNewPrivileges": false,
"OOMScoreAdj": 1000,
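Review bot: The fixture only adds the accepting case for the new rule, `"JOB_COMPLETION_INDEX=999"`, so a regression that makes `allow_var 7` permissive (for example an unanchored pattern in the settings map) would still pass against this input. Pairing it with a second request fixture whose value must be rejected, e.g. `"JOB_COMPLETION_INDEX=999; sh"`, would exercise the deny path of the regex check as well. I am assuming create.json serves as a positive sample CreateContainerRequest for the generated policy; if negative fixtures live elsewhere, this can be ignored.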
14 changes: 11 additions & 3 deletions src/tools/genpolicy/exec2.rego
Expand Up @@ -785,11 +785,15 @@ allow_var(p_process, i_process, i_var, s_name, s_namespace) {

p_name_value[0] == name_value[0]

# TODO: should these be handled in a different way?
always_allowed = ["$(resource-field)", "$(todo-annotation)"]
some allowed in always_allowed
contains(p_name_value[1], allowed)

# make sure variable validation is included in the settings
some key, val in policy_data.request_defaults.CreateContainerRequest.allow_env_regex_map
key == name_value[0]
regex.match(val, name_value[1])

print("allow_var 7: true")
}

Expand Down Expand Up @@ -1647,7 +1651,8 @@ policy_data := {
"ISTIO_META_POD_PORTS=[\n]",
"ISTIO_META_APP_CONTAINERS=serviceaclient",
"ISTIO_META_CLUSTER_ID=Kubernetes",
"ISTIO_META_NODE_NAME=$(node-name)"
"ISTIO_META_NODE_NAME=$(node-name)",
"JOB_COMPLETION_INDEX=$(todo-annotation)"
],
"Cwd": "/",
"Capabilities": {
Expand Down Expand Up @@ -2004,7 +2009,10 @@ policy_data := {
"^AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/azure/tokens/azure-identity-token$",
"^AZURE_AUTHORITY_HOST=https://login\\.microsoftonline\\.com/$",
"^TERM=xterm$"
]
],
"allow_env_regex_map": {
"JOB_COMPLETION_INDEX": "^[0-9]+$"
}
},
"CopyFileRequest": [
"$(sfprefix)"
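Review bot: The lookup added after the `always_allowed` check in the first hunk iterates the whole map with `some key, val in …` and then filters on `key == name_value[0]`; a direct index, `val := policy_data.request_defaults.CreateContainerRequest.allow_env_regex_map[name_value[0]]` followed by `regex.match(val, name_value[1])`, says the same thing and is undefined (i.e. denies) when the name has no entry. Independently, OPA's `regex.match` succeeds on any substring match, so this rule is only as strict as the anchoring of each settings pattern; since the JSON settings cannot carry that caveat, a comment next to the check, `# patterns must be fully anchored (^...$): regex.match is a substring search`, is the place for it. This rule body duplicates the one in rules.rego and the two newly added comments already differ in wording, which suggests the copy is kept in sync by hand. The `allow_var` head is in the hunk header, so the name/value split these lines rely on is outside the hunk.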
7 changes: 5 additions & 2 deletions src/tools/genpolicy/genpolicy-settings.json
Expand Up @@ -319,7 +319,10 @@
"^AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/azure/tokens/azure-identity-token$",
"^AZURE_AUTHORITY_HOST=https://login\\.microsoftonline\\.com/$",
"^TERM=xterm$"
]
],
"allow_env_regex_map": {
"JOB_COMPLETION_INDEX": "^[0-9]+$"
}
},
"CopyFileRequest": [
"$(sfprefix)"
Expand All @@ -333,4 +336,4 @@
"UpdateEphemeralMountsRequest": false,
"WriteStreamRequest": false
}
}
}
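Review bot: The new `allow_env_regex_map` introduces a contract that nothing visible states yet: the key is the exact environment variable name and the value is a pattern the agent evaluates with OPA's `regex.match`, which accepts a substring match, so an entry such as `"[0-9]+"` would admit `1; sh` while the shipped `^[0-9]+$` does not. JSON cannot hold that caveat, so it belongs in whatever document describes genpolicy-settings.json, or on the field's doc comment in policy.rs, e.g. `Patterns must be fully anchored (^...$) and use the RE2 syntax OPA evaluates.` It would also help to state that a variable resolved from a missing annotation is rejected outright unless its name appears here, since that is what makes the map a security control rather than a convenience.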
6 changes: 5 additions & 1 deletion src/tools/genpolicy/rules.rego
Expand Up @@ -785,11 +785,15 @@ allow_var(p_process, i_process, i_var, s_name, s_namespace) {

p_name_value[0] == name_value[0]

# TODO: should these be handled in a different way?
always_allowed = ["$(resource-field)", "$(todo-annotation)"]
some allowed in always_allowed
contains(p_name_value[1], allowed)

# validate against regex in settings
some key, val in policy_data.request_defaults.CreateContainerRequest.allow_env_regex_map
key == name_value[0]
regex.match(val, name_value[1])

print("allow_var 7: true")
}

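Review bot: Because a Rego rule body is a conjunction, the map lookup added after the `always_allowed` check does not extend rule 7 but narrows it: a variable whose value contains `$(resource-field)` now also needs an `allow_env_regex_map` entry for its name, and with the settings in this commit only `JOB_COMPLETION_INDEX` has one, so such variables are denied by this rule unless another `allow_var` rule outside the hunk admits them. If that narrowing is not intended, keep rule 7 for `$(resource-field)` and move the regex requirement into a separate rule that applies to `$(todo-annotation)` only, as sketched below; the direct index form is undefined when the name is missing, so a variable with no settings entry still fails closed. Whatever the final shape, `regex.match` in OPA matches any substring, so the rule is only as strict as the anchoring of the patterns supplied in the settings. The `allow_var` head sits in the hunk header, so the `name_value` split these lines rely on is outside the hunk.
```rego
    # … unchanged: head of rule 7 and the name/value split of p_process / i_var …
    p_name_value[0] == name_value[0]

    # rule 7: resource fields are resolved at runtime and are not regex-checked here
    contains(p_name_value[1], "$(resource-field)")

    print("allow_var 7: true")
}

allow_var(p_process, i_process, i_var, s_name, s_namespace) {
    # … unchanged: same name/value split as rule 7 …
    p_name_value[0] == name_value[0]

    # rule 8: values resolved from annotations must match the per-variable pattern from the settings.
    # The pattern must be fully anchored (^...$): regex.match succeeds on any substring match.
    contains(p_name_value[1], "$(todo-annotation)")
    val := policy_data.request_defaults.CreateContainerRequest.allow_env_regex_map[name_value[0]]
    regex.match(val, name_value[1])

    print("allow_var 8: true")
}
```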
21 changes: 19 additions & 2 deletions src/tools/genpolicy/src/pod.rs
Expand Up @@ -581,6 +581,7 @@ impl Container {
namespace: &str,
annotations: &Option<BTreeMap<String, String>>,
service_account_name: &str,
settings: &settings::Settings,
) {
if let Some(source_env) = &self.env {
for env_variable in source_env {
Expand All @@ -590,6 +591,7 @@ impl Container {
namespace,
annotations,
service_account_name,
settings,
);
let src_string = format!("{}={value}", &env_variable.name);

Expand Down Expand Up @@ -730,6 +732,7 @@ impl EnvVar {
namespace: &str,
annotations: &Option<BTreeMap<String, String>>,
service_account_name: &str,
settings: &settings::Settings,
) -> String {
if let Some(value) = &self.value {
return value.clone();
Expand Down Expand Up @@ -761,7 +764,8 @@ impl EnvVar {
"spec.nodeName" => return "$(node-name)".to_string(),
"spec.serviceAccountName" => return service_account_name.to_string(),
_ => {
if let Some(value) = self.get_annotation_value(path, annotations) {
if let Some(value) = self.get_annotation_value(path, annotations, settings)
{
return value;
} else {
panic!(
Expand Down Expand Up @@ -789,6 +793,7 @@ impl EnvVar {
&self,
reference: &str,
anno: &Option<BTreeMap<String, String>>,
settings: &settings::Settings,
) -> Option<String> {
let prefix = "metadata.annotations['";
let suffix = "']";
Expand All @@ -808,7 +813,19 @@ impl EnvVar {
}
}

// TODO: should missing annotations be handled differently?
// panic for unknown values that are not defined in the settings
if !settings
.request_defaults
.CreateContainerRequest
.allow_env_regex_map
.contains_key(&self.name)
{
panic!(
"Env var: please add an entry for {} in the settings request_defaults.CreateContainerRequest.allow_env_regex_map ",
&self.name
);
}

return Some("$(todo-annotation)".to_string());
}
None
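Review bot: The new check in `get_annotation_value` appears to be reached only on the fall-through path after the annotation lookup loop, which makes it a generation-time fail-closed guard: a variable whose annotation is absent is emitted as `$(todo-annotation)` only if the settings name a pattern for it, otherwise genpolicy panics — consistent with the existing `panic!` style in this file, but the contract deserves a doc comment on the function, e.g. `/// Resolves a metadata.annotations['...'] fieldRef. When the annotation is absent, emits the $(todo-annotation) placeholder, which the policy accepts only for names listed in request_defaults.CreateContainerRequest.allow_env_regex_map; panics when no such entry exists.` The message itself carries a stray trailing space and reads as a request rather than a diagnosis; `panic!("Env var {}: annotation not found and no pattern in request_defaults.CreateContainerRequest.allow_env_regex_map in the settings file", &self.name)` states what failed. The check also does not confirm that the configured pattern compiles, so a typo in the settings produces a policy whose rule 7 can never match; compiling it at generation time would surface that early, with the caveat that OPA's RE2 dialect and Rust's `regex` crate are not identical. `get_annotation_value` starts before this hunk and the annotation loop is only partly visible.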
2 changes: 2 additions & 0 deletions src/tools/genpolicy/src/policy.rs
Expand Up @@ -307,6 +307,7 @@ pub struct PersistentVolumeClaimVolume {
pub struct CreateContainerRequestDefaults {
/// Allow env variables that match any of these regexes.
allow_env_regex: Vec<String>,
pub allow_env_regex_map: BTreeMap<String, String>,
}

/// ExecProcessRequest settings from genpolicy-settings.json.
Expand Down Expand Up @@ -655,6 +656,7 @@ impl AgentPolicy {
namespace,
resource.get_annotations(),
service_account_name,
&self.settings,
);

substitute_env_variables(&mut process.Env);
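Review bot: `allow_env_regex_map` has no `#[serde(default)]`, so if `CreateContainerRequestDefaults` is deserialized with serde like the rest of the settings (the derive is outside the hunk), every existing genpolicy-settings.json that lacks the new key will fail to load instead of behaving as before; `#[serde(default)]` on the field keeps old settings files valid and yields an empty map, which the policy then treats as "no runtime-resolved variables allowed". The field is also the only `pub` one in the struct while `allow_env_regex` stays private; it needs crate visibility for pod.rs, so `pub(crate) allow_env_regex_map: BTreeMap<String, String>,` expresses that intent. It is undocumented where its sibling has a doc comment; `/// Per-variable pattern, keyed by env var name, that the agent applies to values genpolicy cannot resolve at generation time (e.g. a missing annotation). Patterns must be fully anchored.` would match the existing style. The second hunk sits inside an `impl AgentPolicy` method whose start and end are outside the hunk.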
