Skip to content
Open
Show file tree
Hide file tree
Changes from 2 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
38 changes: 38 additions & 0 deletions util-scripts/skip-init-container-evaluation/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
# Skip Init Container Evaluation

Starting in ACS 5.0, policies evaluate init containers by default. This script adds `skipContainerTypes: ["INIT"]` to all existing policies that don't already have an evaluation filter, preserving the pre-5.0 behavior where init containers were not evaluated.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

that don't already have an container type evaluation filter

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After discussion, we intentionally skip policies with any evaluation filter (not just container type). This avoids the risk of overwriting other filter configurations like a future base image filter.


## Usage

```bash
export ROX_ENDPOINT="central.example.com:443"
export ROX_API_TOKEN="your-api-token"

./skip-init-container-evaluation.sh
```

## Requirements

- ACS 5.0 or later
- `curl` and `jq` installed

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would you suggest a version especially for "jq"? It behaves quite different for different versions.

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we need anything special here - we're using very basic jq features that I believe are standard across versions (.evaluationFilter, -r, -e)

- An API token with policy read/write permissions

## What it does

1. Checks that Central is running ACS 5.0+
2. Lists all policies and prompts for confirmation before making changes
3. For each policy without an existing evaluation filter, adds `skipContainerTypes: ["INIT"]`

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We could have other evaluation filters, so, "container type filter" should be better.

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as above comment.

4. Skips policies that already have a container type filter set
5. Skips build-only policies (container type filters are not applicable at build time)

## Policy-as-Code users

If you manage policies via SecurityPolicy CRDs and a GitOps workflow, update your policy manifests directly instead of running this script. Add the following to each policy spec:

```yaml
spec:
# ... existing policy fields ...
evaluationFilter:
skipContainerTypes:
- INIT
```
Original file line number Diff line number Diff line change
@@ -0,0 +1,100 @@
#!/bin/bash
# Adds skipContainerTypes: ["INIT"] to all existing policies that don't already have it.
# This is intended for customers upgrading to 5.0+ who want to preserve the pre-5.0 behavior
# where init containers were not evaluated by policies.

set -euo pipefail

if [[ -z "${ROX_ENDPOINT:-}" ]]; then
echo >&2 "ROX_ENDPOINT must be set"
exit 1
fi

if [[ -z "${ROX_API_TOKEN:-}" ]]; then
echo >&2 "ROX_API_TOKEN must be set"
exit 1
fi

API="https://${ROX_ENDPOINT}"
AUTH="Authorization: Bearer ${ROX_API_TOKEN}"

# Version check — require 5.0+
version=$(curl -sk -H "$AUTH" "$API/v1/metadata" | jq -r '.version')
Comment thread
coderabbitai[bot] marked this conversation as resolved.
major=$(echo "$version" | cut -d. -f1)

if [[ "$major" -lt 5 ]]; then
echo >&2 "This script requires ACS 5.0 or later (detected: $version)"
exit 1
fi

echo "ACS version: $version"

# List all policies
policies=$(curl -sk -H "$AUTH" "$API/v1/policies" | jq -r '.policies[].id')
total=$(echo "$policies" | wc -l | tr -d ' ')
updated=0
skipped=0
Comment thread
coderabbitai[bot] marked this conversation as resolved.

echo "Found $total policies"
echo ""
echo "This will add skipContainerTypes: [\"INIT\"] to all policies without an existing evaluation filter."
echo "This action is not easily reversible."
read -rp "Continue? (yes/no): " confirm
if [[ "$confirm" != "yes" ]]; then
echo "Aborted."
exit 0
fi
echo ""

for id in $policies; do
policy=$(curl -sk -H "$AUTH" "$API/v1/policies/$id")
name=$(echo "$policy" | jq -r '.name')

# Skip if any evaluation filter is already configured
existing_filter=$(echo "$policy" | jq -e '.evaluationFilter // empty' 2>/dev/null)
if [[ -n "$existing_filter" && "$existing_filter" != "{}" ]]; then

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We could add base image filter later. Please look deeper into this structure.

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After discussion, we've agreed that skipping any policy with an existing evaluation filter is the safest approach so as to not overwrite other filter types in the future.

Comment thread
coderabbitai[bot] marked this conversation as resolved.
Outdated
echo " SKIP: \"$name\" — already has evaluation filter"
skipped=$((skipped + 1))
continue
fi

# Skip build-only policies — container type filters don't apply at build time
lifecycle_stages=$(echo "$policy" | jq -r '.lifecycleStages[]')
if [[ "$lifecycle_stages" == "BUILD" ]]; then

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am afraid there are more to skip.
LIke Audit log policies and node event policies.

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a great catch - I've added "AUDIT_LOG_EVENT" and "NODE_EVENT" checks here as well.

echo " SKIP: \"$name\" — build-only policy"
skipped=$((skipped + 1))
continue
fi

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In readme, you mentioned that the customer needs to change the PAC policies themselves. So do we want to skip declarative policies here?

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice catch - I've added a check here to skip Declarative sourced policies.


# Skip declarative (CRD-managed) policies — customers should update their CRD manifests directly
source=$(echo "$policy" | jq -r '.source')
if [[ "$source" == "DECLARATIVE" ]]; then
echo " SKIP: \"$name\" — declarative policy (update CRD directly)"
skipped=$((skipped + 1))
continue
fi

# Skip audit log and node event policies — they don't evaluate containers
event_source=$(echo "$policy" | jq -r '.eventSource')
if [[ "$event_source" == "AUDIT_LOG_EVENT" || "$event_source" == "NODE_EVENT" ]]; then
echo " SKIP: \"$name\" — $event_source policy (no container evaluation)"
skipped=$((skipped + 1))
continue
fi

# Add skipContainerTypes: ["INIT"] to the evaluation filter
updated_policy=$(echo "$policy" | jq '.evaluationFilter = {"skipContainerTypes": ["INIT"]}')

result=$(curl -sk -o /dev/null -w "%{http_code}" -XPUT -H "$AUTH" -H "Content-Type: application/json" \
"$API/v1/policies/$id" --data "$updated_policy")

if [[ "$result" == "200" ]]; then
echo " UPDATED: \"$name\""
updated=$((updated + 1))
else
echo >&2 " ERROR: \"$name\" — HTTP $result"
fi
done

echo ""
echo "Done. Updated: $updated, Skipped: $skipped, Total: $total"