-
Notifications
You must be signed in to change notification settings - Fork 244
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
securitypolicy: add security policy enforcer registration and defaults #1476
Conversation
cfb044b
to
8f2dc81
Compare
This might create a lot of merge conflicts with the coming rego engine PR, can we do this PR after that one? I think the merge conflicts for this PR will be easier to fix and less likely to result in a large round of debugging. |
b4181ae
to
8ec3ab5
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Minor nits, lgtm
@@ -21,6 +21,24 @@ import ( | |||
"github.com/Microsoft/hcsshim/pkg/annotations" | |||
) | |||
|
|||
type CreateEnforcerFunc func(_ SecurityPolicyState, criMounts, criPrivilegedMounts []oci.Mount) (SecurityPolicyEnforcer, error) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think you can just define this as:
type CreateEnforcerFunc func(SecurityPolicyState, []oci.Mount, []oci.Mount) (SecurityPolicyEnforcer, error)
(Unless you want to keepthe names for regular vs privileged mounts)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
right, alternatively I can add a comment, but I think this way it's self explanatory.
Add enforcer registration logic and support for default enforcer. The host can request which security policy enforcer to use with supplied policy, if none supplied, GCS code tries to make a "guess" as to which enforcer should be used: "allow all" or "default". Default enforcer is set to `StandardSecurityPolicyEnforcer` unless GCS is built with "rego" tag present. In that case, the default enforcer will be set to `RegoEnforcer`. New annotation has been added that allows callers to pick which enforcer to use, e.g. ```pod.json { ... "annotations": { "io.microsoft.virtualmachine.lcow.enforcer": "rego" }, ... } ``` Signed-off-by: Maksim An <maksiman@microsoft.com>
Signed-off-by: Maksim An <maksiman@microsoft.com>
8ec3ab5
to
32d1ddb
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wonder if can merge even with the integration tests failing
(we probably should add continueOnErrorr: true
to them until we fix the flaky-ness)
Somebody reported that the mingw issue was resolved for them on 1.19... I'm going to trial this |
Add enforcer registration logic and support for default enforcer.
The host can request which security policy enforcer to use with
supplied policy, if none supplied, GCS code tries to make a "guess"
as to which enforcer should be used: "allow all" or "default".
Default enforcer is set to
StandardSecurityPolicyEnforcer
unlessGCS is built with "rego" tag present. In that case, the default
enforcer will be set to
RegoEnforcer
.New annotation has been added that allows callers to pick which
enforcer to use, e.g.
Signed-off-by: Maksim An maksiman@microsoft.com