Merge pull request #295 from microsoft/saulparedes/validate_namespace…

…_env_var Saulparedes/validate namespace env var
microsoft · Jan 17, 2025 · 6058c26 · 6058c26
2 parents 02add57 + a3f20ba
commit 6058c26
Show file tree

Hide file tree

Showing 64 changed files with 117 additions and 87 deletions.
diff --git a/src/agent/samples/policy/yaml/configmap/pod-cm1.yaml b/src/agent/samples/policy/yaml/configmap/pod-cm1.yaml
diff --git a/src/agent/samples/policy/yaml/configmap/pod-cm2.yaml b/src/agent/samples/policy/yaml/configmap/pod-cm2.yaml
diff --git a/src/agent/samples/policy/yaml/configmap/pod-cm3.yaml b/src/agent/samples/policy/yaml/configmap/pod-cm3.yaml
diff --git a/src/agent/samples/policy/yaml/cron-job/test-cron-job.yaml b/src/agent/samples/policy/yaml/cron-job/test-cron-job.yaml
diff --git a/src/agent/samples/policy/yaml/deployment/deployment-back.yaml b/src/agent/samples/policy/yaml/deployment/deployment-back.yaml
diff --git a/src/agent/samples/policy/yaml/deployment/deployment-busybox.yaml b/src/agent/samples/policy/yaml/deployment/deployment-busybox.yaml
diff --git a/src/agent/samples/policy/yaml/deployment/deployment-front.yaml b/src/agent/samples/policy/yaml/deployment/deployment-front.yaml
diff --git a/src/agent/samples/policy/yaml/job/test-job.yaml b/src/agent/samples/policy/yaml/job/test-job.yaml
diff --git a/src/agent/samples/policy/yaml/job/test-job2.yaml b/src/agent/samples/policy/yaml/job/test-job2.yaml
diff --git a/src/agent/samples/policy/yaml/kubernetes/conformance/conformance-e2e.yaml b/src/agent/samples/policy/yaml/kubernetes/conformance/conformance-e2e.yaml
diff --git a/src/agent/samples/policy/yaml/kubernetes/conformance/csi-hostpath-plugin.yaml b/src/agent/samples/policy/yaml/kubernetes/conformance/csi-hostpath-plugin.yaml
diff --git a/src/agent/samples/policy/yaml/kubernetes/conformance/csi-hostpath-testing.yaml b/src/agent/samples/policy/yaml/kubernetes/conformance/csi-hostpath-testing.yaml
diff --git a/src/agent/samples/policy/yaml/kubernetes/conformance/etcd-statefulset.yaml b/src/agent/samples/policy/yaml/kubernetes/conformance/etcd-statefulset.yaml
diff --git a/src/agent/samples/policy/yaml/kubernetes/conformance/hello-populator-deploy.yaml b/src/agent/samples/policy/yaml/kubernetes/conformance/hello-populator-deploy.yaml
diff --git a/src/agent/samples/policy/yaml/kubernetes/conformance/netexecrc.yaml b/src/agent/samples/policy/yaml/kubernetes/conformance/netexecrc.yaml
diff --git a/src/agent/samples/policy/yaml/kubernetes/conformance2/ingress-http-rc.yaml b/src/agent/samples/policy/yaml/kubernetes/conformance2/ingress-http-rc.yaml
diff --git a/src/agent/samples/policy/yaml/kubernetes/conformance2/ingress-http2-rc.yaml b/src/agent/samples/policy/yaml/kubernetes/conformance2/ingress-http2-rc.yaml
diff --git a/src/agent/samples/policy/yaml/kubernetes/conformance2/ingress-multiple-certs-rc.yaml b/src/agent/samples/policy/yaml/kubernetes/conformance2/ingress-multiple-certs-rc.yaml
diff --git a/src/agent/samples/policy/yaml/kubernetes/conformance2/ingress-nginx-rc.yaml b/src/agent/samples/policy/yaml/kubernetes/conformance2/ingress-nginx-rc.yaml
diff --git a/src/agent/samples/policy/yaml/kubernetes/conformance2/ingress-static-ip-rc.yaml b/src/agent/samples/policy/yaml/kubernetes/conformance2/ingress-static-ip-rc.yaml
diff --git a/src/agent/samples/policy/yaml/kubernetes/fixtures/appsv1deployment.yaml b/src/agent/samples/policy/yaml/kubernetes/fixtures/appsv1deployment.yaml
diff --git a/src/agent/samples/policy/yaml/kubernetes/fixtures/daemon.yaml b/src/agent/samples/policy/yaml/kubernetes/fixtures/daemon.yaml
diff --git a/src/agent/samples/policy/yaml/kubernetes/fixtures/deploy-clientside.yaml b/src/agent/samples/policy/yaml/kubernetes/fixtures/deploy-clientside.yaml
diff --git a/src/agent/samples/policy/yaml/kubernetes/fixtures/job.yaml b/src/agent/samples/policy/yaml/kubernetes/fixtures/job.yaml
diff --git a/src/agent/samples/policy/yaml/kubernetes/fixtures/multi-resource-yaml.yaml b/src/agent/samples/policy/yaml/kubernetes/fixtures/multi-resource-yaml.yaml
diff --git a/src/agent/samples/policy/yaml/kubernetes/fixtures/rc-lastapplied.yaml b/src/agent/samples/policy/yaml/kubernetes/fixtures/rc-lastapplied.yaml
diff --git a/src/agent/samples/policy/yaml/kubernetes/fixtures/rc-noexist.yaml b/src/agent/samples/policy/yaml/kubernetes/fixtures/rc-noexist.yaml
diff --git a/src/agent/samples/policy/yaml/kubernetes/fixtures/replication.yaml b/src/agent/samples/policy/yaml/kubernetes/fixtures/replication.yaml
diff --git a/src/agent/samples/policy/yaml/kubernetes/fixtures2/rc-service.yaml b/src/agent/samples/policy/yaml/kubernetes/fixtures2/rc-service.yaml
diff --git a/src/agent/samples/policy/yaml/kubernetes/fixtures2/valid-pod.yaml b/src/agent/samples/policy/yaml/kubernetes/fixtures2/valid-pod.yaml
diff --git a/src/agent/samples/policy/yaml/kubernetes/incomplete-init/cassandra-statefulset.yaml b/src/agent/samples/policy/yaml/kubernetes/incomplete-init/cassandra-statefulset.yaml
diff --git a/src/agent/samples/policy/yaml/kubernetes/incomplete-init/cockroachdb-statefulset.yaml b/src/agent/samples/policy/yaml/kubernetes/incomplete-init/cockroachdb-statefulset.yaml
diff --git a/src/agent/samples/policy/yaml/kubernetes/incomplete-init/controller.yaml b/src/agent/samples/policy/yaml/kubernetes/incomplete-init/controller.yaml
diff --git a/src/agent/samples/policy/yaml/pod/pod-exec.yaml b/src/agent/samples/policy/yaml/pod/pod-exec.yaml
diff --git a/src/agent/samples/policy/yaml/pod/pod-lifecycle.yaml b/src/agent/samples/policy/yaml/pod/pod-lifecycle.yaml
diff --git a/src/agent/samples/policy/yaml/pod/pod-many-layers.yaml b/src/agent/samples/policy/yaml/pod/pod-many-layers.yaml
diff --git a/src/agent/samples/policy/yaml/pod/pod-one-container.yaml b/src/agent/samples/policy/yaml/pod/pod-one-container.yaml
diff --git a/src/agent/samples/policy/yaml/pod/pod-persistent-volumes.yaml b/src/agent/samples/policy/yaml/pod/pod-persistent-volumes.yaml
diff --git a/src/agent/samples/policy/yaml/pod/pod-same-containers.yaml b/src/agent/samples/policy/yaml/pod/pod-same-containers.yaml
diff --git a/src/agent/samples/policy/yaml/pod/pod-spark.yaml b/src/agent/samples/policy/yaml/pod/pod-spark.yaml
diff --git a/src/agent/samples/policy/yaml/pod/pod-three-containers.yaml b/src/agent/samples/policy/yaml/pod/pod-three-containers.yaml
diff --git a/src/agent/samples/policy/yaml/pod/pod-ubuntu.yaml b/src/agent/samples/policy/yaml/pod/pod-ubuntu.yaml
diff --git a/src/agent/samples/policy/yaml/replica-set/replica-busy.yaml b/src/agent/samples/policy/yaml/replica-set/replica-busy.yaml
diff --git a/src/agent/samples/policy/yaml/replica-set/replica2.yaml b/src/agent/samples/policy/yaml/replica-set/replica2.yaml
diff --git a/src/agent/samples/policy/yaml/secrets/azure-file-secrets.yaml b/src/agent/samples/policy/yaml/secrets/azure-file-secrets.yaml
diff --git a/src/agent/samples/policy/yaml/stateful-set/web.yaml b/src/agent/samples/policy/yaml/stateful-set/web.yaml
diff --git a/src/agent/samples/policy/yaml/stateful-set/web2.yaml b/src/agent/samples/policy/yaml/stateful-set/web2.yaml
diff --git a/src/agent/samples/policy/yaml/webhook/webhook-pod1.yaml b/src/agent/samples/policy/yaml/webhook/webhook-pod1.yaml
diff --git a/src/agent/samples/policy/yaml/webhook/webhook-pod2.yaml b/src/agent/samples/policy/yaml/webhook/webhook-pod2.yaml
diff --git a/src/agent/samples/policy/yaml/webhook/webhook-pod3.yaml b/src/agent/samples/policy/yaml/webhook/webhook-pod3.yaml
diff --git a/src/agent/samples/policy/yaml/webhook/webhook-pod4.yaml b/src/agent/samples/policy/yaml/webhook/webhook-pod4.yaml
diff --git a/src/agent/samples/policy/yaml/webhook/webhook-pod5.yaml b/src/agent/samples/policy/yaml/webhook/webhook-pod5.yaml
diff --git a/src/agent/samples/policy/yaml/webhook/webhook-pod6.yaml b/src/agent/samples/policy/yaml/webhook/webhook-pod6.yaml
diff --git a/src/agent/samples/policy/yaml/webhook/webhook-pod7.yaml b/src/agent/samples/policy/yaml/webhook/webhook-pod7.yaml
diff --git a/src/agent/samples/policy/yaml/webhook2/webhook-pod10.yaml b/src/agent/samples/policy/yaml/webhook2/webhook-pod10.yaml
diff --git a/src/agent/samples/policy/yaml/webhook2/webhook-pod11.yaml b/src/agent/samples/policy/yaml/webhook2/webhook-pod11.yaml
diff --git a/src/agent/samples/policy/yaml/webhook2/webhook-pod12.yaml b/src/agent/samples/policy/yaml/webhook2/webhook-pod12.yaml
diff --git a/src/agent/samples/policy/yaml/webhook2/webhook-pod13.yaml b/src/agent/samples/policy/yaml/webhook2/webhook-pod13.yaml
diff --git a/src/agent/samples/policy/yaml/webhook2/webhook-pod8.yaml b/src/agent/samples/policy/yaml/webhook2/webhook-pod8.yaml
diff --git a/src/agent/samples/policy/yaml/webhook2/webhook-pod9.yaml b/src/agent/samples/policy/yaml/webhook2/webhook-pod9.yaml
diff --git a/src/agent/samples/policy/yaml/webhook3/dns-test.yaml b/src/agent/samples/policy/yaml/webhook3/dns-test.yaml
diff --git a/src/agent/samples/policy/yaml/webhook3/many-layers.yaml b/src/agent/samples/policy/yaml/webhook3/many-layers.yaml
diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
@@ -175,6 +175,11 @@ get_state() = state {
   state := data["pstate"]
 }
 
+get_state_val(key) = value {
+    state := get_state()
+    value := state[key]
+}
+
 get_state_path(key) = path {
     # prepend "/pstate/" to key
     path := concat("/", ["/pstate", key])
@@ -239,7 +244,10 @@ allow_by_anno(p_oci, i_oci, p_storages, i_storages) {
     i_s_name := i_oci.Annotations[S_NAME_KEY]
     print("allow_by_anno 1: i_s_name =", i_s_name)
 
-    allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, i_s_name)
+    i_s_namespace := i_oci.Annotations[S_NAMESPACE_KEY]
+    print("allow_by_anno 1: i_s_namespace =", i_s_namespace)
+
+    allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, i_s_name, i_s_namespace)
 
     print("allow_by_anno 1: true")
 }
@@ -251,19 +259,23 @@ allow_by_anno(p_oci, i_oci, p_storages, i_storages) {
     print("allow_by_anno 2: i_s_name =", i_s_name, "p_s_name =", p_s_name)
 
     allow_sandbox_name(p_s_name, i_s_name)
-    allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, i_s_name)
+
+    i_s_namespace := i_oci.Annotations[S_NAMESPACE_KEY]
+    print("allow_by_anno 2: i_s_namespace =", i_s_namespace)
+
+    allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, i_s_name, i_s_namespace)
 
     print("allow_by_anno 2: true")
 }
 
-allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, s_name) {
+allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, s_name, s_namespace) {
     print("allow_by_sandbox_name: start")
 
     i_namespace := i_oci.Annotations[S_NAMESPACE_KEY]
 
     allow_by_container_types(p_oci, i_oci, s_name, i_namespace)
     allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages)
-    allow_process(p_oci.Process, i_oci.Process, s_name)
+    allow_process(p_oci.Process, i_oci.Process, s_name, s_namespace)
 
     print("allow_by_sandbox_name: true")
 }
@@ -557,7 +569,7 @@ allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) {
     print("allow_by_bundle_or_sandbox_id: true")
 }
 
-allow_process_common(p_process, i_process, s_name) {
+allow_process_common(p_process, i_process, s_name, s_namespace) {
     print("allow_process_common: p_process =", p_process)
     print("allow_process_common: i_process = ", i_process)
     print("allow_process_common: s_name =", s_name)
@@ -566,28 +578,28 @@ allow_process_common(p_process, i_process, s_name) {
     p_process.NoNewPrivileges == i_process.NoNewPrivileges
 
     allow_user(p_process, i_process)
-    allow_env(p_process, i_process, s_name)
+    allow_env(p_process, i_process, s_name, s_namespace)
 
     print("allow_process_common: true")
 }
 
 # Compare the OCI Process field of a policy container with the input OCI Process from a CreateContainerRequest
-allow_process(p_process, i_process, s_name) {
+allow_process(p_process, i_process, s_name, s_namespace) {
     print("allow_process: start")
 
     allow_args(p_process, i_process, s_name)
-    allow_process_common(p_process, i_process, s_name)
+    allow_process_common(p_process, i_process, s_name, s_namespace)
     allow_caps(p_process.Capabilities, i_process.Capabilities)
     p_process.Terminal == i_process.Terminal
 
     print("allow_process: true")
 }
 
 # Compare the OCI Process field of a policy container with the input process field from ExecProcessRequest
-allow_interactive_process(p_process, i_process, s_name) {
+allow_interactive_process(p_process, i_process, s_name, s_namespace) {
     print("allow_interactive_process: start")
 
-    allow_process_common(p_process, i_process, s_name)
+    allow_process_common(p_process, i_process, s_name, s_namespace)
     allow_exec_caps(i_process.Capabilities)
 
     # These are commands enabled using ExecProcessRequest commands and/or regex from the settings file.
@@ -597,10 +609,10 @@ allow_interactive_process(p_process, i_process, s_name) {
 }
 
 # Compare the OCI Process field of a policy container with the input process field from ExecProcessRequest
-allow_probe_process(p_process, i_process, s_name) {
+allow_probe_process(p_process, i_process, s_name, s_namespace) {
     print("allow_probe_process: start")
 
-    allow_process_common(p_process, i_process, s_name)
+    allow_process_common(p_process, i_process, s_name, s_namespace)
     allow_exec_caps(i_process.Capabilities)
     p_process.Terminal == i_process.Terminal
 
@@ -675,27 +687,27 @@ allow_arg(i, i_arg, p_process, s_name) {
 }
 
 # OCI process.Env field
-allow_env(p_process, i_process, s_name) {
+allow_env(p_process, i_process, s_name, s_namespace) {
     print("allow_env: p env =", p_process.Env)
     print("allow_env: i env =", i_process.Env)
 
     every i_var in i_process.Env {
         print("allow_env: i_var =", i_var)
-        allow_var(p_process, i_process, i_var, s_name)
+        allow_var(p_process, i_process, i_var, s_name, s_namespace)
     }
 
     print("allow_env: true")
 }
 
 # Allow input env variables that are present in the policy data too.
-allow_var(p_process, i_process, i_var, s_name) {
+allow_var(p_process, i_process, i_var, s_name, s_namespace) {
     some p_var in p_process.Env
     p_var == i_var
     print("allow_var 1: true")
 }
 
 # Match input with one of the policy variables, after substituting $(sandbox-name).
-allow_var(p_process, i_process, i_var, s_name) {
+allow_var(p_process, i_process, i_var, s_name, s_namespace) {
     some p_var in p_process.Env
     p_var2 := replace(p_var, "$(sandbox-name)", s_name)
 
@@ -706,7 +718,7 @@ allow_var(p_process, i_process, i_var, s_name) {
 }
 
 # Allow input env variables that match with a request_defaults regex.
-allow_var(p_process, i_process, i_var, s_name) {
+allow_var(p_process, i_process, i_var, s_name, s_namespace) {
     some p_regex1 in policy_data.request_defaults.CreateContainerRequest.allow_env_regex
     p_regex2 := replace(p_regex1, "$(ipv4_a)", policy_data.common.ipv4_a)
     p_regex3 := replace(p_regex2, "$(ip_p)", policy_data.common.ip_p)
@@ -720,7 +732,7 @@ allow_var(p_process, i_process, i_var, s_name) {
 }
 
 # Allow fieldRef "fieldPath: status.podIP" values.
-allow_var(p_process, i_process, i_var, s_name) {
+allow_var(p_process, i_process, i_var, s_name, s_namespace) {
     name_value := split(i_var, "=")
     count(name_value) == 2
     is_ip(name_value[1])
@@ -732,7 +744,7 @@ allow_var(p_process, i_process, i_var, s_name) {
 }
 
 # Allow common fieldRef variables.
-allow_var(p_process, i_process, i_var, s_name) {
+allow_var(p_process, i_process, i_var, s_name, s_namespace) {
     name_value := split(i_var, "=")
     count(name_value) == 2
 
@@ -751,7 +763,7 @@ allow_var(p_process, i_process, i_var, s_name) {
 }
 
 # Allow fieldRef "fieldPath: status.hostIP" values.
-allow_var(p_process, i_process, i_var, s_name) {
+allow_var(p_process, i_process, i_var, s_name, s_namespace) {
     name_value := split(i_var, "=")
     count(name_value) == 2
     is_ip(name_value[1])
@@ -763,7 +775,7 @@ allow_var(p_process, i_process, i_var, s_name) {
 }
 
 # Allow resourceFieldRef values (e.g., "limits.cpu").
-allow_var(p_process, i_process, i_var, s_name) {
+allow_var(p_process, i_process, i_var, s_name, s_namespace) {
     name_value := split(i_var, "=")
     count(name_value) == 2
 
@@ -781,6 +793,16 @@ allow_var(p_process, i_process, i_var, s_name) {
     print("allow_var 7: true")
 }
 
+allow_var(p_process, i_process, i_var, s_name, s_namespace) {
+    some p_var in p_process.Env
+    p_var2 := replace(p_var, "$(sandbox-namespace)", s_namespace)
+
+    print("allow_var 8: p_var2 =", p_var2)
+    p_var2 == i_var
+
+    print("allow_var 8: true")
+}
+
 allow_pod_ip_var(var_name, p_var) {
     print("allow_pod_ip_var: var_name =", var_name, "p_var =", p_var)
 
@@ -1323,7 +1345,8 @@ allow_exec(p_container, i_process) {
 
     p_oci = p_container.OCI
     p_s_name = p_oci.Annotations[S_NAME_KEY]
-    allow_probe_process(p_oci.Process, i_process, p_s_name)
+    s_namespace = get_state_val("namespace")
+    allow_probe_process(p_oci.Process, i_process, p_s_name, s_namespace)
 
     print("allow_exec: true")
 }
@@ -1333,7 +1356,8 @@ allow_interactive_exec(p_container, i_process) {
 
     p_oci = p_container.OCI
     p_s_name = p_oci.Annotations[S_NAME_KEY]
-    allow_interactive_process(p_oci.Process, i_process, p_s_name)
+    s_namespace = get_state_val("namespace")
+    allow_interactive_process(p_oci.Process, i_process, p_s_name, s_namespace)
 
     print("allow_interactive_exec: true")
 }

diff --git a/src/tools/genpolicy/src/pod.rs b/src/tools/genpolicy/src/pod.rs
@@ -748,7 +748,13 @@ impl EnvVar {
                 let path: &str = &field_ref.fieldPath;
                 match path {
                     "metadata.name" => return "$(sandbox-name)".to_string(),
-                    "metadata.namespace" => return namespace.to_string(),
+                    "metadata.namespace" => {
+                        return if namespace.is_empty() {
+                            "$(sandbox-namespace)".to_string()
+                        } else {
+                            namespace.to_string()
+                        };
+                    }
                     "metadata.uid" => return "$(pod-uid)".to_string(),
                     "status.hostIP" => return "$(host-ip)".to_string(),
                     "status.podIP" => return "$(pod-ip)".to_string(),