diff --git a/packages/default.nix b/packages/default.nix
index 6c7f4d199..a31f0e914 100644
--- a/packages/default.nix
+++ b/packages/default.nix
@@ -269,4 +269,32 @@ rec {
 exit 1
 '';
 };
+
+ # write-coordinator-yaml prints a Nunki Coordinator deployment including the default policy.
+ # It's intended for two purposes: (1) releasing a portable coordinator.yaml and (2) updating the embedded policy hash.
+ write-coordinator-yaml = writeShellApplication {
+ name = "print-coordinator-policy";
+ runtimeInputs = [
+ yq-go
+ genpolicy
+ ];
+ text = ''
+ imageRef=$1:v${version}
+
+ tmpdir=$(mktemp -d)
+ trap 'rm -rf $tmpdir' EXIT
+
+ # TODO(burgerdev): consider a dedicated coordinator template instead of the simple one
+ yq < deployments/simple/coordinator.yml > "$tmpdir/coordinator.yml" \
+ "del(.metadata.namespace) | (select(.kind == \"Deployment\") | .spec.template.spec.containers[0].image) = \"$imageRef\""
+
+ pushd "$tmpdir" >/dev/null
+ # TODO(burgerdev): this should not be dev, but there are unknown env vars
+ cp ${genpolicy.settings-dev}/genpolicy-settings.json .
+ cp ${genpolicy.rules-coordinator}/genpolicy-rules.rego rules.rego
+ genpolicy < "$tmpdir/coordinator.yml"
+ popd >/dev/null
+ '';
+ };
+
 }
diff --git a/packages/genpolicy_msft.nix b/packages/genpolicy_msft.nix
index 25713848a..f0d239e87 100644
--- a/packages/genpolicy_msft.nix
+++ b/packages/genpolicy_msft.nix
@@ -62,6 +62,11 @@ rustPlatform.buildRustPackage rec {
 recursiveHash = true;
 postFetch = "install -D $downloadedFile $out/genpolicy-rules.rego";
 };
+
+ rules-coordinator = applyPatches {
+ src = rules;
+ patches = [ ./genpolicy_msft_rules_coordinator.patch ];
+ };
 };
 meta = {
diff --git a/packages/genpolicy_msft_rules_coordinator.patch b/packages/genpolicy_msft_rules_coordinator.patch
new file mode 100644
index 000000000..7ae9baf0e
--- /dev/null
+++ b/packages/genpolicy_msft_rules_coordinator.patch
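Review bot: The caller-supplied `$1` is spliced into the yq program string on the `"del(.metadata.namespace) | ..."` line, so an argument containing a double quote or a parenthesis changes the expression rather than the image value; passing it through the environment keeps it data: `IMAGE_REF="$1:v${version}" yq 'del(.metadata.namespace) | (select(.kind == "Deployment") | .spec.template.spec.containers[0].image) = strenv(IMAGE_REF)' < deployments/simple/coordinator.yml > "$tmpdir/coordinator.yml"`. With nounset (writeShellApplication enables it by default) a missing argument only yields an "unbound variable" error, so a usage guard before the assignment, `[ $# -eq 1 ] || { echo "usage: print-coordinator-policy <image-repo>" >&2; exit 1; }`, would give a clearer failure. The cleanup trap should quote the path, `trap 'rm -rf "$tmpdir"' EXIT`. The attribute is named `write-coordinator-yaml` while the script calls itself `print-coordinator-policy`; using one name for both would avoid confusion about whether the tool emits the YAML or the policy.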
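Review bot: The new `rules-coordinator` attribute carries no explanation of why the coordinator needs a patched rule set, and the difference is security-relevant (the patch replaces the policy-vs-input namespace equality check with a format check on the input namespace), which a reader of this file cannot see. Suggested comment above `rules-coordinator = applyPatches {`: `# Rule set for the coordinator deployment: the namespace equality check is relaxed (see genpolicy_msft_rules_coordinator.patch) so a coordinator.yaml generated without a namespace can be applied in any namespace.` The enclosing attribute set starts outside the hunk, so I assume `applyPatches` is already in the function's argument list.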
@@ -0,0 +1,15 @@
+diff --git a/genpolicy-rules.rego b/genpolicy-rules.rego
+index e1954e9..fb508bc 100644
+--- a/genpolicy-rules.rego
++++ b/genpolicy-rules.rego
+@@ -137,9 +137,9 @@ allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, s_name) {
+ p_namespace := p_oci.Annotations[s_namespace]
+ i_namespace := i_oci.Annotations[s_namespace]
+ print("allow_by_sandbox_name: p_namespace =", p_namespace, "i_namespace =", i_namespace)
+- p_namespace == i_namespace
++ regex.match("^[a-z0-9-]{1,63}$", i_namespace)
+
+- allow_by_container_types(p_oci, i_oci, s_name, p_namespace)
++ allow_by_container_types(p_oci, i_oci, s_name, i_namespace)
+ allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages)
+ allow_process(p_oci, i_oci, s_name)
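Review bot: Replacing `p_namespace == i_namespace` with `regex.match("^[a-z0-9-]{1,63}$", i_namespace)` removes the only binding between the generated policy and the namespace the pod is admitted into, and the second change then passes the input-side `i_namespace` instead of the policy-side value to `allow_by_container_types`, whose body lies outside this hunk; whatever that rule derives from its namespace argument is now derived from runtime input rather than from policy data, so it is worth confirming it only compares that argument against other input fields. The rule set records nothing about this being intentional; a comment above the regex line, `# Coordinator policy is namespace-agnostic: accept any syntactically valid namespace instead of the one recorded at policy generation time`, would make the relaxation visible to the next reader. The character class also admits names with a leading or trailing hyphen, which Kubernetes itself rejects for namespaces, so this is a syntax sanity check rather than an authorization decision and the comment should say as much.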