Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Guardrails policies (M1) #2970

Merged
merged 38 commits into from
Jul 18, 2023
Merged

Guardrails policies (M1) #2970

merged 38 commits into from
Jul 18, 2023

Conversation

yjst2012
Copy link
Contributor

Which issue this PR addresses:

Fixes:
https://issues.redhat.com/browse/ARO-2560
https://issues.redhat.com/browse/ARO-2885
https://issues.redhat.com/browse/ARO-2222
https://issues.redhat.com/browse/ARO-2322
https://issues.redhat.com/browse/ARO-2146
https://issues.redhat.com/browse/ARO-1393

What this PR does / why we need it:

added 4 Guardrails policies:
aro-deny-host-mount
aro-deny-labels
aro-deny-master-toleration-taints
aro-deny-privileged-namespace
under path

Test plan for issue:

policies have been tested with opa, gator, and on different dev clusters

Is there any documentation that needs to be updated for this PR?

partially refer to readme
Cx facing doc will be addressed separately in another jira https://issues.redhat.com/browse/ARO-3203

yjst2012 and others added 27 commits March 8, 2023 14:17
@yjst2012
Revert "temporarily remove policies other than the machine one as the…
07b2288 
… example and test policy to create a base code pr"

This reverts commit 08d377d.
@yjst2012
extracted shared rego resources to a separate lib
435fbae
@ArrisLee
improvement: rego unit test and gator test polishing (#2767)
154a962 
* rego unit test and gator test polishing
* lint fix
* rego lint fix
@yjst2012
adjusted user id related judgement plus match kinds for resources oth…
3b4ee3d 
…er than pod
@yjst2012
added test cases for priv'd ns to cover pull-secret deletion
7a3c4f4
@ArrisLee
add new policy for machine config modification (#2879)
dedc483 
* add new policy for machine config modification
* reformat yaml
* revise api group logic
@yjst2012
added pod host path policy
e23fb7c
@yjst2012
dont run guardrails if a standard gatekeeper instance is already started
47915df
@yjst2012
comment out corresponding gator tests as r/w PV check is temporarily …
793ff81 
…removed
@yjst2012
satisfy mega linter
e9650f6
@yjst2012
temporarily backoff the standard gatekeeper check
c946693
@yjst2012
enable standard gatekeeper check with proper test case modifications
f1a8910
@yjst2012
Merge branch 'feature/guardrails' into feature/guardrails-policy
b7f2e18
@yjst2012
comment out non-namespaced resources
719c7cc
@yjst2012
add k8s specific namespaces to the priv'd list
be66711
@yjst2012
update README plus add two SA to allowed list
0ef9435
@yjst2012
update Guardrails README
6c0f4c8
@yjst2012
Merge branch 'master' into feature/guardrails-policy
d811129
@yjst2012
a typo in README
f1fd83f
@yjst2012
allow policies to enforce on openshift-azure-guardrails namespace
50dabea
@yjst2012
added group support for user validation
e7b6b9b
@ArrisLee
update: Guardrail policy scripts and doc updates (#2941)
1f136e7 
* update generate.sh to support single dir gen
* update scripts to support params
* update README
@yjst2012
added usage print for scripts
5b179c9
@yjst2012
change to flexible mode for username, group and SA name validation
93fdbd9
@yjst2012
update get func to print more debug info
828058d
@yjst2012
rely solely on userInfo for user authentication
299a0e5
@yjst2012
extend audit-interval to slow down the audit run, plus display more v…
fd013b2 
…iolations
@yjst2012 yjst2012 added ready-for-review skippy pull requests raised by member of Team Skippy labels Jun 20, 2023
@yjst2012 yjst2012 force-pushed the feature/guardrails-policy branch 3 times, most recently from 7876f22 to 5761127 Compare July 7, 2023 01:20
hlipsig
hlipsig reviewed Jul 18, 2023
View reviewed changes
Copy link
Contributor

@hlipsig hlipsig left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Questions I have here shouldn't be considered blocking. Just questions from the perspective of being very new to the project.

pkg/operator/controllers/guardrails/policies/README.md Show resolved Hide resolved
@yjst2012 yjst2012 requested a review from hlipsig July 18, 2023 01:12
jaitaiwan
jaitaiwan approved these changes Jul 18, 2023
View reviewed changes
Copy link
Contributor

@jaitaiwan jaitaiwan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

hlipsig
hlipsig approved these changes Jul 18, 2023
View reviewed changes
Copy link
Contributor

@hlipsig hlipsig left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. But I don't have owner or anything so we still need some one with the powers for merge.

@hawkowl hawkowl merged commit b06512a into master Jul 18, 2023
19 checks passed
@yjst2012 yjst2012 deleted the feature/guardrails-policy branch September 7, 2023 04:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jaitaiwan jaitaiwan jaitaiwan approved these changes

@hawkowl hawkowl hawkowl approved these changes

@hlipsig hlipsig hlipsig approved these changes

@jewzaam jewzaam Awaiting requested review from jewzaam jewzaam is a code owner

@bennerv bennerv Awaiting requested review from bennerv bennerv is a code owner

@rogbas rogbas Awaiting requested review from rogbas rogbas is a code owner

@petrkotas petrkotas Awaiting requested review from petrkotas petrkotas is a code owner

@jharrington22 jharrington22 Awaiting requested review from jharrington22 jharrington22 is a code owner

@cblecker cblecker Awaiting requested review from cblecker cblecker is a code owner

@facchettos facchettos Awaiting requested review from facchettos

@cadenmarchese cadenmarchese Awaiting requested review from cadenmarchese cadenmarchese is a code owner

@UlrichSchlueter UlrichSchlueter Awaiting requested review from UlrichSchlueter UlrichSchlueter is a code owner

@s-amann s-amann Awaiting requested review from s-amann

@SudoBrendan SudoBrendan Awaiting requested review from SudoBrendan SudoBrendan is a code owner

@ellis-johnson ellis-johnson Awaiting requested review from ellis-johnson

@anshulvermapatel anshulvermapatel Awaiting requested review from anshulvermapatel anshulvermapatel is a code owner

Assignees
No one assigned
Labels
ready-for-review skippy pull requests raised by member of Team Skippy
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@yjst2012 @jaitaiwan @hawkowl @hlipsig @ArrisLee