genpolicy: add support for cc-azurefile-csi driver #180

Merged 2 commits on Apr 24, 2024

@arc9693 arc9693 commented Apr 19, 2024

This patch adds support for the cc-azurefile-csi driver to the genpolicy.

Merge Checklist
  • Followed patch format from upstream recommendation: https://github.com/kata-containers/community/blob/main/CONTRIBUTING.md#patch-format
    • Included a single commit in a given PR - at least unless there are related commits and each makes sense as a change on its own.
  • Aware about the PR to be merged using "create a merge commit" rather than "squash and merge" (or similar)
  • genPolicy only: Ensured the tool still builds on Windows
  • genPolicy only: Updated sample YAMLs' policy annotations, if applicable
  • The upstream-missing label (or upstream-not-needed) has been set on the PR.
Summary
Associated issues
Links to CVEs
Test Methodology

@arc9693 arc9693 requested review from a team as code owners April 19, 2024 11:47
@arc9693 arc9693 added the upstream/missing (PRs that are yet to be upstreamed) label Apr 19, 2024
@danmihai1 danmihai1 left a comment

Looks like a great start! Please add Policy rules for validating the SMB mount flags (e.g., execution not allowed, etc.)

Redent0r commented Apr 23, 2024

Verified it builds on Windows and started a test run: https://dev.azure.com/mariner-org/mariner/_build/results?buildId=556262&view=results

Edit: started new run after updating samples: https://dev.azure.com/mariner-org/mariner/_build/results?buildId=556371&view=results

@sprt sprt left a comment

I would squash commits 1 and 2 but LGTM!

@@ -912,10 +912,18 @@ allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) {

p_storage.driver == "smb"
count(p_storage.options) == 0
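
Review bot: the smb case of allow_storage_options, as far as the lines shown go, constrains only the policy-side p_storage (p_storage.driver == "smb" and count(p_storage.options) == 0); nothing visible here compares against i_storage.options, the value that arrives with the request. If the rest of the rule body does not already do so, add an explicit check on i_storage.options, for example against an expected set of mount flags, so the smb rule does not accept whatever options the request carries.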

Is this not redundant assuming we trust genpolicy?

I agree we don't need to check the count of policy arrays.

@danmihai1 danmihai1 self-requested a review April 23, 2024 19:47
@arc9693 arc9693 force-pushed the archana1/azurefile-genpolicy branch 2 times, most recently from 141f180 to 3c303a3 April 24, 2024 11:22

This patch adds support for the cc-azurefile-csi driver to the genpolicy.

Signed-off-by: Archana Choudhary <archana1@microsoft.com>

This patch updates policy samples, required after adding support for
cc-azurefile-csi driver in genpolicy.

Signed-off-by: Archana Choudhary <archana1@microsoft.com>

@arc9693 arc9693 force-pushed the archana1/azurefile-genpolicy branch from 14c07ee to b5d68be April 24, 2024 11:38
arc9693 commented Apr 24, 2024

@sprt sprt merged commit 3d38906 into msft-main Apr 24, 2024
42 of 54 checks passed