forked from kata-containers/kata-containers
policy: cherry pick state policy changes from upstream #273
Draft
Redent0r wants to merge 6 commits into msft-main from saulparedes/add_state_to_policy
Redent0r added the upstream/not-needed label (PRs that will not be upstreamed, e.g. internal) on Dec 16, 2024
Redent0r changed the title from "Saulparedes/add state to policy" to "policy: cherry pick state policy changes from upstream" on Dec 16, 2024
Redent0r force-pushed the saulparedes/add_state_to_policy branch from 3a25d45 to 9a557d2 on December 16, 2024 21:23
danmihai1 approved these changes on Dec 16, 2024
ms-mahuber approved these changes on Dec 28, 2024
Redent0r force-pushed the saulparedes/add_state_to_policy branch 3 times, most recently from 14a9224 to e8deaca on January 8, 2025 23:22
Use regorus engine's add_data method to add state to the policy. This data can later be accessed inside rego context through the data namespace. Support state modifications (json-patches) that may be returned as a result from policy evaluation. Also initialize a policy engine data slice "pstate" dedicated for storing state.
Signed-off-by: Saul Paredes <[email protected]>

Make sure all container sandbox names match the sandbox name of the first container.
Signed-off-by: Saul Paredes <[email protected]>

Before this patch there was a mismatch between the JSON path under which the state of the rule evaluation is set in comparison to under which it is retrieved. This resulted in the behavior that each time the policy was evaluated, it thought it was the _first_ time the policy was evaluated. This also means that the consistency check for the `sandbox_name` was ineffective.
Signed-off-by: Leonard Cohnen <[email protected]>

Reuse constants where applicable
Signed-off-by: Saul Paredes <[email protected]>

- Remove default_namespace from settings
- Ensure container namespaces in a pod match each other in case no namespace is specified in the YAML
Signed-off-by: Saul Paredes <[email protected]>

Update samples policy annotations
Signed-off-by: Saul Paredes <[email protected]>

Redent0r force-pushed the saulparedes/add_state_to_policy branch from e8deaca to 0d0b197 on January 8, 2025 23:27
Merge Checklist
upstream/missing label (or upstream/not-needed) has been set on the PR.
Summary
This PR downstreams all available state policy changes from upstream. These are:
Test Methodology
Since we are changing the agent, I'm building a new image with updated kata(-cc) packages.