From 6c7363b23a2a6233ca185f58050ffcd20a53b651 Mon Sep 17 00:00:00 2001
From: "Sean T. Allen"
Date: Mon, 20 Sep 2021 12:32:29 -0400
Subject: [PATCH] Update naming in internal security policy tool

Maksim pointed out that when we added information beyond the image of an image that the "image" entries in a TOML policy generation file weren't describing images; the describe containers. The addition of command line, environment variables, and what not to allow is a description of a container that should be allowed to be created. The only image specific bit is the name.

Signed-off-by: Sean T. Allen
---
 internal/tools/securitypolicy/README.md | 4 +--
 internal/tools/securitypolicy/main.go | 34 ++++++++++++-------------
 2 files changed, 19 insertions(+), 19 deletions(-)

diff --git a/internal/tools/securitypolicy/README.md b/internal/tools/securitypolicy/README.md
index 20c75b1535..fede4c931c 100644
--- a/internal/tools/securitypolicy/README.md
+++ b/internal/tools/securitypolicy/README.md
@@ -17,11 +17,11 @@ be downloaded, turned into an ext4, and finally a dm-verity root hash calculated ## Example TOML configuration file ```toml -[[image]] +[[container]] name = "rust:1.52.1" command = ["rustc", "--help"] -[[image.env_rule]] +[[container.env_rule]] strategy = "re2" rule = "PREFIX_.+=.+" ```
diff --git a/internal/tools/securitypolicy/main.go b/internal/tools/securitypolicy/main.go
index 591b2ac7d0..0b2afb9b1f 100644
--- a/internal/tools/securitypolicy/main.go
+++ b/internal/tools/securitypolicy/main.go
@@ -38,8 +38,8 @@ func main() { } config := &Config{ - AllowAll: false, - Images: []Image{}, + AllowAll: false, + Containers: []Container{}, } err = toml.Unmarshal(configData, config)
@@ -83,7 +83,7 @@ type EnvironmentVariableRule struct { Rule string `toml:"rule"` } -type Image struct { +type Container struct { Name string `toml:"name"` Auth ImageAuth `toml:"auth"` Command []string `toml:"command"`
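Review bot: The renamed `Container` type in the `@@ -83` hunk has no doc comment, so the image-versus-container distinction that motivates this commit lives only in the commit message and is invisible to anyone reading main.go. Add above the struct `// Container describes one container the generated policy allows: the image to pull (Name, Auth), the Command it may run, and its EnvRules.` The struct's field list continues past the end of this hunk, so the remaining fields were not reviewed here.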
@@ -96,8 +96,8 @@ type ImageAuth struct { } type Config struct { - AllowAll bool `toml:"allow_all"` - Images []Image `toml:"image"` + AllowAll bool `toml:"allow_all"` + Containers []Container `toml:"container"` } func createOpenDoorPolicy() sp.SecurityPolicy { 
@@ -113,45 +113,45 @@ func createPolicyFromConfig(config Config) (sp.SecurityPolicy, error) { // Hardcode the pause container version and command. We still pull it // to get the root hash and any environment variable rules we might need. - pause := Image{ + pause := Container{ Name: "k8s.gcr.io/pause:3.1", Command: []string{"/pause"}, EnvRules: []EnvironmentVariableRule{}} - config.Images = append(config.Images, pause) + config.Containers = append(config.Containers, pause) - for _, image := range config.Images { + for _, configContainer := range config.Containers { var imageOptions []remote.Option - if image.Auth.Username != "" && image.Auth.Password != "" { + if configContainer.Auth.Username != "" && configContainer.Auth.Password != "" { auth := authn.Basic{ - Username: image.Auth.Username, - Password: image.Auth.Password} + Username: configContainer.Auth.Username, + Password: configContainer.Auth.Password} c, _ := auth.Authorization() authOption := remote.WithAuth(authn.FromConfig(*c)) imageOptions = append(imageOptions, authOption) } // validate EnvRules - err := validateEnvRules(image.EnvRules) + err := validateEnvRules(configContainer.EnvRules) if err != nil { return p, err } - command := convertCommand(image.Command) - envRules := convertEnvironmentVariableRules(image.EnvRules) + command := convertCommand(configContainer.Command) + envRules := convertEnvironmentVariableRules(configContainer.EnvRules) container := sp.SecurityPolicyContainer{ NumCommands: len(command), Command: command, EnvRules: envRules, Layers: map[string]string{}, } - ref, err := name.ParseReference(image.Name) + ref, err := name.ParseReference(configContainer.Name) if err != nil { - return p, fmt.Errorf("'%s' isn't a valid image name", image.Name) + return p, fmt.Errorf("'%s' isn't a valid image name", configContainer.Name) } img, err := remote.Image(ref, imageOptions...) 
if err != nil { - return p, fmt.Errorf("unable to fetch image '%s': %s", image.Name, err.Error()) + return p, fmt.Errorf("unable to fetch image '%s': %s", configContainer.Name, err.Error()) } layers, err := img.Layers()
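Review bot: `c, _ := auth.Authorization()` in the renamed loop drops the error and the next line dereferences `*c`, so a failed Authorization would panic inside the policy generator instead of reporting which container's registry credentials were rejected; write it as `c, err := auth.Authorization()` followed by `if err != nil { return p, fmt.Errorf("authorizing %q: %w", configContainer.Name, err) }`. The two changed fmt.Errorf lines further down also lose the cause: the name.ParseReference branch discards err entirely and the remote.Image branch flattens it with %s, so a caller cannot use errors.Is/errors.As to tell a malformed reference from a registry auth or network failure; prefer `fmt.Errorf("'%s' isn't a valid image name: %w", configContainer.Name, err)` and `%w` in place of `%s` with err.Error(). createPolicyFromConfig starts before this hunk and continues past it.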