-
Notifications
You must be signed in to change notification settings - Fork 170
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add new policy for machine config modification #2879
Merged
yjst2012
merged 7 commits into
Azure:feature/guardrails-policy
from
ArrisLee:policy/deny-machine-config
Apr 27, 2023
Merged
add new policy for machine config modification #2879
yjst2012
merged 7 commits into
Azure:feature/guardrails-policy
from
ArrisLee:policy/deny-machine-config
Apr 27, 2023
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ArrisLee
requested review from
jewzaam,
bennerv,
hawkowl,
rogbas,
petrkotas,
jharrington22,
cblecker,
facchettos,
cadenmarchese,
UlrichSchlueter,
s-amann and
SudoBrendan
as code owners
April 27, 2023 12:15
ArrisLee
requested review from
yjst2012
and removed request for
jewzaam,
jharrington22,
cblecker,
hawkowl,
UlrichSchlueter,
petrkotas,
bennerv,
facchettos,
rogbas,
SudoBrendan,
cadenmarchese and
s-amann
April 27, 2023 12:15
thanks for putting it up, looks good to me. |
hawkowl
pushed a commit
that referenced
this pull request
Jul 18, 2023
* Revert "temporarily remove policies other than the machine one as the example and test policy to create a base code pr" This reverts commit 08d377d. * extracted shared rego resources to a separate lib * improvement: rego unit test and gator test polishing (#2767) * rego unit test and gator test polishing * lint fix * rego lint fix * adjusted user id related judgement plus match kinds for resources other than pod * added test cases for priv'd ns to cover pull-secret deletion * add new policy for machine config modification (#2879) * add new policy for machine config modification * reformat yaml * revise api group logic * added pod host path policy * dont run guardrails if a standard gatekeeper instance is already started * comment out corresponding gator tests as r/w PV check is temporarily removed * satisfy mega linter * temporarily backoff the standard gatekeeper check * enable standard gatekeeper check with proper test case modifications * comment out non-namespaced resources * add k8s specific namespaces to the priv'd list * update README plus add two SA to allowed list * update Guardrails README * a typo in README * allow policies to enforce on openshift-azure-guardrails namespace * added group support for user validation * update: Guardrail policy scripts and doc updates (#2941) * update generate.sh to support single dir gen * update scripts to support params * update README * added usage print for scripts * change to flexible mode for username, group and SA name validation * update get func to print more debug info * rely solely on userInfo for user authentication * extend audit-interval to slow down the audit run, plus display more violations * roll back a temp change for local test * dont allow updates for machine and machineset * removed MachineSet * unified the constraint filename and resource name to make the config easier * adjust constraint and template name and kind as per convention * update gatekeeper params, affinity and tolerations * log violations * white list more user and group * extend priv'd ns protection to ns itself * add guardrails policy generate entry in makefile * make gator in README lower cased to keep consistent with official doc --------- Co-authored-by: Arris Li <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Which issue this PR addresses:
https://issues.redhat.com/browse/ARO-2885
What this PR does / why we need it:
Do not allow modification of cluster's machine config objects
machine config regex match:
^.+(-master|-worker|-master-.+|-worker-.+|-kubelet|-container-runtime|-aro-.+|-ssh|-generated-.+)$
Test plan for issue:
Rego unit test + Gator test
Is there any documentation that needs to be updated for this PR?
Need to update the policy design doc for guardrail