
Commit f703a57

authored
Merge pull request #285 from microsoft/saulparedes/strengthen_bundle_id_validation
policy: strengthen bundle id validation
2 parents 3627201 + 724d9bf commit f703a57


63 files changed

+68
-64
lines changed

src/agent/samples/policy/yaml/configmap/pod-cm1.yaml

+1-1

src/agent/samples/policy/yaml/configmap/pod-cm2.yaml

+1-1

src/agent/samples/policy/yaml/configmap/pod-cm3.yaml

+1-1

src/agent/samples/policy/yaml/cron-job/test-cron-job.yaml

+1-1

src/agent/samples/policy/yaml/deployment/deployment-back.yaml

+1-1

src/agent/samples/policy/yaml/deployment/deployment-busybox.yaml

+1-1

src/agent/samples/policy/yaml/deployment/deployment-front.yaml

+1-1

src/agent/samples/policy/yaml/job/test-job.yaml

+1-1

src/agent/samples/policy/yaml/job/test-job2.yaml

+1-1

src/agent/samples/policy/yaml/kubernetes/conformance/conformance-e2e.yaml

+1-1

src/agent/samples/policy/yaml/kubernetes/conformance/csi-hostpath-plugin.yaml

+1-1

src/agent/samples/policy/yaml/kubernetes/conformance/csi-hostpath-testing.yaml

+1-1

src/agent/samples/policy/yaml/kubernetes/conformance/etcd-statefulset.yaml

+1-1

src/agent/samples/policy/yaml/kubernetes/conformance/hello-populator-deploy.yaml

+1-1

src/agent/samples/policy/yaml/kubernetes/conformance/netexecrc.yaml

+1-1

src/agent/samples/policy/yaml/kubernetes/conformance2/ingress-http-rc.yaml

+1-1

src/agent/samples/policy/yaml/kubernetes/conformance2/ingress-http2-rc.yaml

+1-1

src/agent/samples/policy/yaml/kubernetes/conformance2/ingress-multiple-certs-rc.yaml

+1-1

src/agent/samples/policy/yaml/kubernetes/conformance2/ingress-nginx-rc.yaml

+1-1

src/agent/samples/policy/yaml/kubernetes/conformance2/ingress-static-ip-rc.yaml

+1-1

src/agent/samples/policy/yaml/kubernetes/fixtures/appsv1deployment.yaml

+1-1

src/agent/samples/policy/yaml/kubernetes/fixtures/daemon.yaml

+1-1

src/agent/samples/policy/yaml/kubernetes/fixtures/deploy-clientside.yaml

+1-1

src/agent/samples/policy/yaml/kubernetes/fixtures/job.yaml

+1-1

src/agent/samples/policy/yaml/kubernetes/fixtures/multi-resource-yaml.yaml

+2-2

src/agent/samples/policy/yaml/kubernetes/fixtures/rc-lastapplied.yaml

+1-1

src/agent/samples/policy/yaml/kubernetes/fixtures/rc-noexist.yaml

+1-1

src/agent/samples/policy/yaml/kubernetes/fixtures/replication.yaml

+1-1

src/agent/samples/policy/yaml/kubernetes/fixtures2/rc-service.yaml

+1-1

src/agent/samples/policy/yaml/kubernetes/fixtures2/valid-pod.yaml

+1-1

src/agent/samples/policy/yaml/kubernetes/incomplete-init/cassandra-statefulset.yaml

+1-1

src/agent/samples/policy/yaml/kubernetes/incomplete-init/cockroachdb-statefulset.yaml

+1-1

src/agent/samples/policy/yaml/kubernetes/incomplete-init/controller.yaml

+1-1

src/agent/samples/policy/yaml/pod/pod-exec.yaml

+1-1

src/agent/samples/policy/yaml/pod/pod-lifecycle.yaml

+1-1

src/agent/samples/policy/yaml/pod/pod-many-layers.yaml

+1-1

src/agent/samples/policy/yaml/pod/pod-one-container.yaml

+1-1

src/agent/samples/policy/yaml/pod/pod-persistent-volumes.yaml

+1-1

src/agent/samples/policy/yaml/pod/pod-same-containers.yaml

+1-1

src/agent/samples/policy/yaml/pod/pod-spark.yaml

+1-1

src/agent/samples/policy/yaml/pod/pod-three-containers.yaml

+1-1

src/agent/samples/policy/yaml/pod/pod-ubuntu.yaml

+1-1

src/agent/samples/policy/yaml/replica-set/replica-busy.yaml

+1-1

src/agent/samples/policy/yaml/replica-set/replica2.yaml

+1-1

src/agent/samples/policy/yaml/secrets/azure-file-secrets.yaml

+1-1

src/agent/samples/policy/yaml/stateful-set/web.yaml

+1-1

src/agent/samples/policy/yaml/stateful-set/web2.yaml

+1-1

src/agent/samples/policy/yaml/webhook/webhook-pod1.yaml

+1-1

src/agent/samples/policy/yaml/webhook/webhook-pod2.yaml

+1-1

src/agent/samples/policy/yaml/webhook/webhook-pod3.yaml

+1-1

src/agent/samples/policy/yaml/webhook/webhook-pod4.yaml

+1-1

src/agent/samples/policy/yaml/webhook/webhook-pod5.yaml

+1-1

src/agent/samples/policy/yaml/webhook/webhook-pod6.yaml

+1-1

src/agent/samples/policy/yaml/webhook/webhook-pod7.yaml

+1-1

src/agent/samples/policy/yaml/webhook2/webhook-pod10.yaml

+1-1

src/agent/samples/policy/yaml/webhook2/webhook-pod11.yaml

+1-1

src/agent/samples/policy/yaml/webhook2/webhook-pod12.yaml

+1-1

src/agent/samples/policy/yaml/webhook2/webhook-pod13.yaml

+1-1

src/agent/samples/policy/yaml/webhook2/webhook-pod8.yaml

+1-1

src/agent/samples/policy/yaml/webhook2/webhook-pod9.yaml

+1-1

src/agent/samples/policy/yaml/webhook3/dns-test.yaml

+1-1

src/agent/samples/policy/yaml/webhook3/many-layers.yaml

+1-1

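--- a/src/tools/genpolicy/rules.rego
+++ b/src/tools/genpolicy/rules.rego
@@ -54,6 +54,7 @@ default AllowRequestsFailingPolicy := false
 # Constants
 S_NAME_KEY = "io.kubernetes.cri.sandbox-name"
 S_NAMESPACE_KEY = "io.kubernetes.cri.sandbox-namespace"
+BUNDLE_ID = "[a-z0-9]{64}"
 
 CreateContainerRequest {
 # Check if the input request should be rejected even before checking the
@@ -468,6 +469,9 @@ allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) {
 bundle_path := i_oci.Annotations["io.katacontainers.pkg.oci.bundle_path"]
 bundle_id := replace(bundle_path, "/run/containerd/io.containerd.runtime.v2.task/k8s.io/", "")
 
+bundle_id_format := concat("", ["^", BUNDLE_ID, "$"])
+regex.match(bundle_id_format, bundle_id)
+
 key := "io.kubernetes.cri.sandbox-id"
 
 p_regex := p_oci.Annotations[key]
@@ -1226,7 +1230,7 @@ CopyFileRequest {
 some regex1 in policy_data.request_defaults.CopyFileRequest
 regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix)
 regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath)
-regex4 := replace(regex3, "$(bundle-id)", "[a-z0-9]{64}")
+regex4 := replace(regex3, "$(bundle-id)", BUNDLE_ID)
 print("CopyFileRequest: regex4 =", regex4)
 
 regex.match(regex4, input.path)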
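Review bot: The anchored match added in the second hunk validates only the residue left by `replace`, and `replace` strips every occurrence of the prefix string anywhere in `bundle_path` rather than requiring it as a leading directory, so a `bundle_path` that does not begin with `/run/containerd/io.containerd.runtime.v2.task/k8s.io/` can still yield a 64-character `bundle_id` that satisfies `^[a-z0-9]{64}$`. If the intent is that the annotation must name a task directory under that path, pinning the prefix explicitly is cheap: `startswith(bundle_path, "/run/containerd/io.containerd.runtime.v2.task/k8s.io/")` followed by `bundle_id := trim_prefix(bundle_path, "/run/containerd/io.containerd.runtime.v2.task/k8s.io/")` in place of the `replace` call. Whether an earlier part of `allow_by_bundle_or_sandbox_id` already constrains the path is not visible here, since the rule body starts before and continues past the hunk. A one-line comment above `BUNDLE_ID` stating that it is the unanchored character-class form and that callers add `^`/`$` themselves would also help, as the third hunk interpolates it unanchored into `regex4` on purpose.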
