genpolicy: add support for cc-azurefile-csi driver #180
Conversation
Looks like a great start! Please add Policy rules for validating the SMB mount flags (e.g., execution not allowed, etc.)
Verified it builds on Windows and started a test run: https://dev.azure.com/mariner-org/mariner/_build/results?buildId=556262&view=results Edit: started a new run after updating samples: https://dev.azure.com/mariner-org/mariner/_build/results?buildId=556371&view=results
Could you update the samples using this script? https://github.com/microsoft/kata-containers/blob/msft-main/src/tools/genpolicy/update_policy_samples.py
I would squash commits 1 and 2 but LGTM!
src/tools/genpolicy/rules.rego
Outdated
@@ -912,10 +912,18 @@ allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) { | |||
|
|||
p_storage.driver == "smb" | |||
count(p_storage.options) == 0 |
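Review bot: the new smb branch of allow_storage_options only inspects p_storage (driver name and an empty options array) and never compares the input storage i_storage against the policy, so the mount options the agent is actually asked to apply are not validated by this rule. Since p_storage is generated by genpolicy itself, the `count(p_storage.options) == 0` line adds nothing (as the review comments below also point out); the check that matters is on the input side, which is where the SMB mount-flag validation requested in the first review comment (for example, whether exec is permitted) would have to live. Suggest dropping the count check and instead asserting that the options of i_storage match the option list the policy expects for the smb driver.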
Is this not redundant assuming we trust genpolicy?
I agree we don't need to check the count of policy arrays.
Force-pushed from 141f180 to 3c303a3
This patch adds support for the cc-azurefile-csi driver to the genpolicy. Signed-off-by: Archana Choudhary <archana1@microsoft.com>
This patch updates policy samples, required after adding support for cc-azurefile-csi driver in genpolicy. Signed-off-by: Archana Choudhary <archana1@microsoft.com>
Force-pushed from 14c07ee to b5d68be
This patch adds support for the cc-azurefile-csi driver to the genpolicy.
Merge Checklist
- upstream-missing label (or upstream-not-needed) has been set on the PR.

Summary

Associated issues

Links to CVEs

Test Methodology