
Update rules to use more reliable container image predicates #513

Merged: 1 commit merged into dev from use-container-subfilters on Feb 1, 2019

3 participants
@mattpag (Contributor) commented Feb 1, 2019

Instead of using container.image, which always reports the raw string used to spawn the container, switch to the more reliable container.image.{repository,tag}, since they are guaranteed to report the actual repository/tag of the container image.

This also gives a little performance improvement (and better-looking rules), since a single 'in' predicate can now be used instead of a sequence of startswith.

I've avoided refactoring user macros like user_trusted_containers to a single in predicate with a list ready to be overridden because, based on the specific use case, additional predicates might be needed (e.g. checking for additional repositories/registries just by prefix), but @mstemm let me know if you think otherwise and it's worth simplifying them.
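To make the point of the PR concrete, here is a small Python model, added as an example for this page and not code from the PR or from Falco itself. It normalizes the raw image string a container was spawned with into registry, repository, tag and digest (following the usual Docker naming conventions: implicit docker.io registry, implicit `library/` namespace for official images, implicit `latest` tag), then compares the old style of trust check (a chain of `startswith` on the raw string) with the new style (one membership test on the normalized repository). `ImageRef`, `parse_image`, `trusted_by_prefix`, `trusted_by_repository`, the trusted lists and the sample image strings are all constructed for this example; the normalization rules are an assumption about how repository and tag are derived, not Falco's own field implementation.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class ImageRef:
    """Normalized view of an image reference (assumed Docker naming rules)."""
    registry: str
    repository: str         # path inside the registry, e.g. "library/nginx"
    tag: Optional[str]      # None when the image was pulled by digest only
    digest: Optional[str]   # e.g. "sha256:..." when present


def parse_image(raw: str) -> ImageRef:
    """Split the raw string used to spawn a container into its components.

    Assumption for this example: docker.io is the default registry, official
    images live under "library/", and a missing tag means "latest" unless a
    digest was given. This mimics the repository/tag split the PR relies on.
    """
    name, _, digest = raw.partition("@")
    digest = digest or None
    tag: Optional[str] = None
    # A ':' after the last '/' is a tag; a ':' before it is a registry port.
    last_slash = name.rfind("/")
    colon = name.rfind(":")
    if colon > last_slash:
        name, tag = name[:colon], name[colon + 1:]
    parts = name.split("/")
    first = parts[0]
    # The first component is a registry only if it looks like a host name.
    if len(parts) > 1 and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, "/".join(parts[1:])
    else:
        registry, path = "docker.io", name
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path
    if tag is None and digest is None:
        tag = "latest"
    return ImageRef(registry, path, tag, digest)


def full_repository(ref: ImageRef) -> str:
    """Registry plus repository, the value a trusted list should name exactly."""
    return f"{ref.registry}/{ref.repository}"


def trusted_by_prefix(raw_image: str, prefixes: Iterable[str]) -> bool:
    """Old style: a sequence of `container.image startswith ...` on the raw string."""
    return any(raw_image.startswith(p) for p in prefixes)


def trusted_by_repository(raw_image: str, trusted: Iterable[str]) -> bool:
    """New style: a single `in` membership test on the normalized repository."""
    return full_repository(parse_image(raw_image)) in set(trusted)


# Constructed trusted lists: the same intent expressed both ways.
TRUSTED_PREFIXES = ["docker.io/library/nginx", "quay.io/acme/"]
TRUSTED_REPOSITORIES = {"docker.io/library/nginx", "quay.io/acme/api"}

# Constructed sample image strings as a runtime might report them.
SAMPLE_IMAGES = [
    "nginx",                               # same image as docker.io/library/nginx:latest
    "docker.io/library/nginx:1.15",
    "quay.io/acme/api@sha256:0123abcd",    # digest pull (digest constructed); no tag
    "docker.io/library/nginxproxy:1.0",    # unrelated repository sharing a prefix
]


def compare(raw_images: Iterable[str]) -> Dict[str, Tuple[bool, bool]]:
    """Map each raw image string to (prefix verdict, repository verdict)."""
    return {
        raw: (trusted_by_prefix(raw, TRUSTED_PREFIXES),
              trusted_by_repository(raw, TRUSTED_REPOSITORIES))
        for raw in raw_images
    }


if __name__ == "__main__":
    for raw, (by_prefix, by_repo) in compare(SAMPLE_IMAGES).items():
        ref = parse_image(raw)
        print(f"{raw!r:40} repo={full_repository(ref)!r:32} tag={ref.tag!r:10} "
              f"prefix={by_prefix} repository={by_repo}")
```

Two of the sample rows are the ones worth reading: the bare `nginx` string is the same image as `docker.io/library/nginx` but fails the prefix check, and `nginxproxy` passes the prefix check only because its raw string happens to share a prefix, while the exact membership test on the normalized repository gets both right. The digest-only row shows why a rule that needs a tag must handle the no-tag case rather than assume one is always present.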

Update rules to use more reliable container image predicates
Instead of using container.image, which always reports the raw string
used to spawn the container, switch to the more reliable
container.image.{repository,tag}, since they are guaranteed to report
the actual repository/tag of the container image.
This also gives a little performance improvement since a single 'in'
predicate can now be used instead of a sequence of startswith.
@mstemm (Contributor) approved these changes Feb 1, 2019 and left a comment:

Yeah I agree about leaving the structure of the user_ macros in a way that still allows appends.

Thanks for making the changes!

@mstemm mstemm merged commit 477fcb5 into dev Feb 1, 2019

2 checks passed:

Travis CI - Branch Build Passed
Travis CI - Pull Request Build Passed

@mstemm mstemm deleted the use-container-subfilters branch Feb 1, 2019

daixiang0 added a commit to daixiang0/falco that referenced this pull request Feb 10, 2019

Update rules to use more reliable container image predicates (falcosecurity#513)

Instead of using container.image, which always reports the raw string
used to spawn the container, switch to the more reliable
container.image.{repository,tag}, since they are guaranteed to report
the actual repository/tag of the container image.
This also gives a little performance improvement since a single 'in'
predicate can now be used instead of a sequence of startswith.


@fntlnz fntlnz added the rules label May 15, 2019
