rego: Platform rules support #2792
Open
micromaomao wants to merge 9 commits into
…ching strategies This is to make it easier to parameterize environment rules. Currently, name and value for an environment rule are actually combined into one "pattern" field, and there is only one strategy for the combined pattern. This presents a problem when a fragment wants to delegate the decision of e.g. whether to match the value (but only the value, not the key) with a regex or with a fixed string. We split "pattern" and "strategy" out into "name", "name_strategy", "value" and "value_strategy" in order to allow more flexibility when a fragment exposes env-var parameters. Signed-off-by: Tingmao Wang <tingmaowang@microsoft.com>
…ired rules present This refactors rule_ok (and renames it) to fix the `some env in envList` being applied at the wrong level. Signed-off-by: Tingmao Wang <tingmaowang@microsoft.com>
This currently supports containers[_].env_rules and containers[_].mounts. If multiple platform_rules are defined, a container matching either one can be started (but in a consistent manner - e.g. if two platforms have different environment variables or mounts, a container can't "mix and match" between them). In order to achieve the above consistency, we "patch" the container objects instead of adding logic to e.g. env_rule_ok or envList_ok. This also means that the error_objects of a denial message will reflect the platform rules inserted. Signed-off-by: Tingmao Wang <tingmaowang@microsoft.com>
…e field Currently we only add input.rule to the original input, not the redacted input. This results in the case of create_container not having the "rule" field in the final deny message, but other enforcement points do have it since in those cases the redactSensitiveData returns the original input map. Signed-off-by: Tingmao Wang <tingmaowang@microsoft.com>
Pull request overview
This PR bumps the security policy framework version and extends the Rego framework to support platform_rules, allowing platform-specific env/mount allowances to be applied across containers (including those sourced from fragments). It also updates env rule matching to support a split name/value form, fixes an enforcement decision payload omission (input.rule), and expands the rego test suite with new platform-rules scenarios.
Changes:
- Bump framework version to `0.5.0` and update Rego framework logic to apply `platform_rules` when building candidate containers.
- Extend env rule evaluation to support both `"pattern"`/`"strategy"` and `"name"`/`"value"` rule forms; fix required/non-required env rule evaluation for empty env lists.
- Add/adjust tests and embedded Rego policy fixtures to validate platform rules across policy/fragments and error payload behavior.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| pkg/securitypolicy/version_framework | Updates embedded framework version to 0.5.0. |
| pkg/securitypolicy/securitypolicyenforcer_rego.go | Ensures input.rule is present in denial decision input prior to redaction/serialization. |
| pkg/securitypolicy/securitypolicy.go | Extends EnvRuleConfig with fields to support split name/value env rule form. |
| pkg/securitypolicy/securitypolicy_marshal.go | Marshals env rules in either legacy pattern form or new name/value form. |
| pkg/securitypolicy/framework.rego | Adds platform rules plumbing and applies them to candidate containers; refactors env rule matching. |
| pkg/securitypolicy/regopolicy_linux_test.go | Updates env tests and adds platform rules test coverage + embeds fixture policies. |
| pkg/securitypolicy/rego_utils_test.go | Adjusts random env generation and refactors fragment container setup helper used by tests. |
| pkg/securitypolicy/policy_with_platform_rules.rego | Adds an embedded test policy that includes platform_rules. |
| pkg/securitypolicy/fragment_test_policies/platform_rules.rego | Adds an embedded fragment fixture exporting platform_rules. |
Comment on lines +111 to +117
| // If UseNameValue is true, the marshalled Rego will use rules with name and | ||
| // value separately, and ignore .Rule and .Strategy. | ||
| UseNameValue bool | ||
| Name string | ||
| NameStrategy EnvVarRule | ||
| Value string | ||
| ValueStrategy EnvVarRule |
| } | ||
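Review bot: Name, NameStrategy, Value and ValueStrategy carry no doc comments, and the comment on UseNameValue only says that .Rule and .Strategy are ignored; state what the marshaller emits when UseNameValue is true but NameStrategy or ValueStrategy is left as the zero EnvVarRule (exact-string match, or an error), since a caller building rules programmatically will hit that case first. A one-line comment such as `// NameStrategy and ValueStrategy must be set when UseNameValue is true` next to the fields would settle it.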
| env_ok(pattern, "string", value) { | ||
| # A env rule can be of two form: |
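Review bot: the comment `# A env rule can be of two form:` should read `# An env rule can be of two forms:`, and since it documents both forms it belongs above the `env_ok(pattern, "string", value) {` head rather than inside the string branch, where a reader of the other branch will not see it.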
Comment on lines +1246 to +1247
| anyKeyInConstraints := strings.Split(envList[0], "=")[0] | ||
| return assertDecisionJSONContains(t, err, "invalid env list", anyKeyInConstraints) |
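Review bot: `envList[0]` is indexed without a length check; because this PR also changes how an empty env list is evaluated, an empty `envList` here would turn a regression into an index-out-of-range panic instead of a test failure with a message. Guard it first, e.g. `if len(envList) == 0 { t.Fatal("test requires a non-empty env list") }`, before splitting out the key.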
This PR implements the `platform_rules` object, which can define environment variables and mounts that are allowed to be added to any container, without having to include them again in the container definitions. This allows us to have fragments that are "platform independent", because these fragments would not need to include the rules for platform specific env and mounts, and potentially other container fields in the future.
Example `platform_rules` definition:
This can be part of the main policy, or can be put in a fragment. If this is in a fragment, it will only be imported if the `includes` field contains "platform_rules", e.g.:
If multiple platform rules are defined, a container matching any one of them can be started.
`platform_rules` is introduced in framework version `0.5.0`. Policies/fragments with an older `framework_version` that happen to contain a `platform_rules` field will have it silently ignored (in case the name is reused for something else).
This PR ports over some commits from #2789. Review just the new changes
Also, fix the following:
- `create_container` enforcement denial message missing the `input.rule` field.
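The two mechanisms the PR describes, the split name/value env rule with a separate strategy per half and the "match any one platform, never mix and match" semantics obtained by patching the container once per platform rule set, as an added Go example. This is not hcsshim's code and does not use its Rego framework or Go API; the type names, `AllowCreate`, `DemoPolicy` and the sample policy (one platform-independent container with a required `PATH` rule, plus two platforms that differ in their `PLATFORM` value and mount) are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

type Strategy string // "string" (exact match, also the default for "") or "re2"

// EnvRule is the split form: name and value each carry their own matching strategy.
type EnvRule struct {
	Name, Value                 string
	NameStrategy, ValueStrategy Strategy
	Required                    bool
}
type Mount struct{ Source, Destination string }
type Container struct {
	EnvRules []EnvRule
	Mounts   []Mount
}
type PlatformRules Container // one platform-specific allowance set

// partOK compares one half of a rule. Go's regexp is unanchored ("a" matches "banana"),
// so a re2 pattern should be written ^...$ when a full match is intended.
func partOK(pattern string, s Strategy, actual string) bool {
	if s == "re2" {
		ok, err := regexp.MatchString(pattern, actual)
		return err == nil && ok
	}
	return pattern == actual
}

func envOK(r EnvRule, env string) bool {
	name, value, _ := strings.Cut(env, "=")
	return partOK(r.Name, r.NameStrategy, name) && partOK(r.Value, r.ValueStrategy, value)
}

// envListOK: every requested variable must match some rule and every required rule must
// be matched by some variable, so an empty env list passes only when nothing is required.
func envListOK(rules []EnvRule, envs []string) bool {
	satisfied := make([]bool, len(rules))
	for _, e := range envs {
		matched := false
		for i, r := range rules {
			if envOK(r, e) {
				matched, satisfied[i] = true, true
			}
		}
		if !matched {
			return false
		}
	}
	for i, r := range rules {
		if r.Required && !satisfied[i] {
			return false
		}
	}
	return true
}

func mountsOK(allowed, requested []Mount) bool {
	set := map[Mount]bool{}
	for _, a := range allowed {
		set[a] = true
	}
	for _, m := range requested {
		if !set[m] {
			return false
		}
	}
	return true
}

// AllowCreate patches the container once per platform rule set and permits the request if
// any single patched candidate covers all of it; sets are never merged, so no mix and match.
func AllowCreate(c Container, platforms []PlatformRules, envs []string, mounts []Mount) bool {
	if len(platforms) == 0 {
		platforms = []PlatformRules{{}} // no platform rules: the container stands alone
	}
	for _, p := range platforms {
		rules := append(append([]EnvRule{}, c.EnvRules...), p.EnvRules...)
		allowed := append(append([]Mount{}, c.Mounts...), p.Mounts...)
		if envListOK(rules, envs) && mountsOK(allowed, mounts) {
			return true
		}
	}
	return false
}

// DemoPolicy is constructed for this example: one platform-independent container, two platforms.
func DemoPolicy() (Container, []PlatformRules) {
	c := Container{EnvRules: []EnvRule{{Name: "PATH", Value: `^/usr/.*$`, ValueStrategy: "re2", Required: true}}}
	return c, []PlatformRules{
		{EnvRules: []EnvRule{{Name: "PLATFORM", Value: "a"}}, Mounts: []Mount{{"/dev/a", "/dev/a"}}},
		{EnvRules: []EnvRule{{Name: "PLATFORM", Value: "b"}}, Mounts: []Mount{{"/dev/b", "/dev/b"}}},
	}
}

func main() {
	c, p := DemoPolicy()
	fmt.Println(AllowCreate(c, p, []string{"PATH=/usr/bin", "PLATFORM=b"}, []Mount{{"/dev/b", "/dev/b"}})) // true
	fmt.Println(AllowCreate(c, p, []string{"PATH=/usr/bin", "PLATFORM=a"}, []Mount{{"/dev/b", "/dev/b"}})) // false
}
```

The second call is the case the PR description rules out: `PLATFORM=a` is only allowed by the first platform set, `/dev/b` only by the second, and because each candidate is the container patched with exactly one set, neither candidate covers both. Whether the real framework anchors its regex matching is not claimed here; the `^...$` in the sample rule is the habit to keep either way, since an unanchored `/usr/.*` would also accept `/tmp/usr/x`.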