securitypolicy: add security policy enforcer registration and defaults #1476
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
anmaxvl
force-pushed
the
rego-enforcer-build-tags
branch
from
cfb044b
to
8f2dc81
Compare
|
This might create a lot of merge conflicts with the coming rego engine PR, can we do this PR after that one? I think the merge conflicts for this PR will be easier to fix and less likely to result in a large round of debugging. |
anmaxvl
force-pushed
the
rego-enforcer-build-tags
branch
2 times, most recently
from
b4181ae
to
8ec3ab5
Compare
anmaxvl
changed the title
helsaawy
reviewed
Aug 17, 2022
| @@ -21,6 +21,24 @@ import ( | |||
| "github.com/Microsoft/hcsshim/pkg/annotations" | |||
| ) | |||
|
|
|||
| type CreateEnforcerFunc func(_ SecurityPolicyState, criMounts, criPrivilegedMounts []oci.Mount) (SecurityPolicyEnforcer, error) | |||
There was a problem hiding this comment.
I think you can just define this as:
type CreateEnforcerFunc func(SecurityPolicyState, []oci.Mount, []oci.Mount) (SecurityPolicyEnforcer, error)(Unless you want to keepthe names for regular vs privileged mounts)
There was a problem hiding this comment.
right, alternatively I can add a comment, but I think this way it's self explanatory.
dcantah
approved these changes
Aug 17, 2022
Add enforcer registration logic and support for default enforcer.
The host can request which security policy enforcer to use with
supplied policy, if none supplied, GCS code tries to make a "guess"
as to which enforcer should be used: "allow all" or "default".
Default enforcer is set to `StandardSecurityPolicyEnforcer` unless
GCS is built with "rego" tag present. In that case, the default
enforcer will be set to `RegoEnforcer`.
New annotation has been added that allows callers to pick which
enforcer to use, e.g.
```pod.json
{
...
"annotations": {
"io.microsoft.virtualmachine.lcow.enforcer": "rego"
},
...
}
```
Signed-off-by: Maksim An <maksiman@microsoft.com>
Signed-off-by: Maksim An <maksiman@microsoft.com>
anmaxvl
force-pushed
the
rego-enforcer-build-tags
branch
from
8ec3ab5
to
32d1ddb
Compare
helsaawy
approved these changes
Aug 18, 2022
|
Somebody reported that the mingw issue was resolved for them on 1.19... I'm going to trial this |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add enforcer registration logic and support for default enforcer.
The host can request which security policy enforcer to use with
supplied policy, if none supplied, GCS code tries to make a "guess"
as to which enforcer should be used: "allow all" or "default".
Default enforcer is set to
StandardSecurityPolicyEnforcerunlessGCS is built with "rego" tag present. In that case, the default
enforcer will be set to
RegoEnforcer.New annotation has been added that allows callers to pick which
enforcer to use, e.g.
{ ... "annotations": { "io.microsoft.virtualmachine.lcow.enforcer": "rego" }, ... }Signed-off-by: Maksim An maksiman@microsoft.com