genpolicy-msft: add namespace-flexible rule variant

We would like to have a coordinator policy that is portable across namespaces. This is not possible with the upstream rules.rego, because the namespace annotation on the OCI spec is checked against the original namespace in the resource definition, or a default. It turns out that this check is not necessary for our coordinator, though: 1. The namespace check guarantees a specific pattern of the log path. As there's only one container in the VM, we don't care about potential conflicts and only need to ensure that we're not writing into a totally unrelated directory. 2. The namespace check guarantees that the Kubernetes downward API is resolved correctly. We're not using that, so we don't need the check. A minimally invasive change that still addresses (1) is to relax the check so that it only guarantees namespace validity [1]. [1]: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/#namespaces-and-dns
edgelesssys · Feb 14, 2024 · 9651c95 · 9651c95
1 parent 9876edb
commit 9651c95
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 0 deletions.
diff --git a/packages/genpolicy_msft.nix b/packages/genpolicy_msft.nix
@@ -62,6 +62,11 @@ rustPlatform.buildRustPackage rec {
       recursiveHash = true;
       postFetch = "install -D $downloadedFile $out/genpolicy-rules.rego";
     };
+
+    rules-coordinator = applyPatches {
+      src = rules;
+      patches = [ ./genpolicy_msft_rules_coordinator.patch ];
+    };
   };
 
   meta = {

diff --git a/packages/genpolicy_msft_rules_coordinator.patch b/packages/genpolicy_msft_rules_coordinator.patch
@@ -0,0 +1,15 @@
+diff --git a/genpolicy-rules.rego b/genpolicy-rules.rego
+index e1954e9..fb508bc 100644
+--- a/genpolicy-rules.rego
++++ b/genpolicy-rules.rego
+@@ -137,9 +137,9 @@ allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, s_name) {
+     p_namespace := p_oci.Annotations[s_namespace]
+     i_namespace := i_oci.Annotations[s_namespace]
+     print("allow_by_sandbox_name: p_namespace =", p_namespace, "i_namespace =", i_namespace)
+-    p_namespace == i_namespace
++    regex.match("^[a-z0-9-]{1,63}$", i_namespace)
+
+-    allow_by_container_types(p_oci, i_oci, s_name, p_namespace)
++    allow_by_container_types(p_oci, i_oci, s_name, i_namespace)
+     allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages)
+     allow_process(p_oci, i_oci, s_name)