Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

agent: log policy prints for allow=false #275

Closed
wants to merge 1 commit into from
Closed

agent: log policy prints for allow=false #275

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
34 changes: 18 additions & 16 deletions src/agent/src/policy.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -159,7 +159,7 @@ impl AgentPolicy {
/// Ask regorus if an API call should be allowed or not.
async fn allow_request(&mut self, ep: &str, ep_input: &str) -> Result<(bool, String)> {
debug!(sl!(), "policy check: {ep}");
self.log_eval_input(ep, ep_input).await;
self.log_request(ep, ep_input).await;

let query = format!("data.agent_policy.{ep}");
self.engine.set_input_json(ep_input)?;
Expand All @@ -174,16 +174,20 @@ impl AgentPolicy {
}
};

if !allow && self.allow_failures {
warn!(sl!(), "policy: ignoring error for {ep}");
allow = true;
}

let prints = match self.engine.take_prints() {
Ok(p) => p.join(" "),
Err(e) => format!("Failed to get policy log: {e}"),
};

if !allow {
self.log_request(ep, &prints).await;
}

if !allow && self.allow_failures {
warn!(sl!(), "policy: ignoring error for {ep}");
allow = true;
}

Ok((allow, prints))
}

Expand All @@ -197,24 +201,22 @@ impl AgentPolicy {
Ok(())
}

async fn log_eval_input(&mut self, ep: &str, input: &str) {
async fn log_request(&mut self, ep: &str, input: &str) {
if let Some(log_file) = &mut self.log_file {
match ep {
"StatsContainerRequest" | "ReadStreamRequest" | "SetPolicyRequest" => {
// - StatsContainerRequest and ReadStreamRequest are called
// relatively often, so we're not logging them, to avoid
// growing this log file too much.
// - Confidential Containers Policy documents are relatively
// large, so we're not logging them here, for SetPolicyRequest.
// The Policy text can be obtained directly from the pod YAML.
"StatsContainerRequest"
| "ReadStreamRequest"
| "SetPolicyRequest"
| "AllowRequestsFailingPolicy" => {
// Logging these request types would create too much unnecessary output.
}
_ => {
let log_entry = format!("[\"ep\":\"{ep}\",{input}],\n\n");

if let Err(e) = log_file.write_all(log_entry.as_bytes()).await {
warn!(sl!(), "policy: log_eval_input: write_all failed: {}", e);
warn!(sl!(), "policy: log_request: write_all failed: {}", e);
} else if let Err(e) = log_file.flush().await {
warn!(sl!(), "policy: log_eval_input: flush failed: {}", e);
warn!(sl!(), "policy: log_request: flush failed: {}", e);
}
}
}
Expand Down
Loading