ROX-35289: add post-upgrade script to skip init container evaluation #123
base: main
Changes from 1 commit
52dd31f
4c67286
6cc34fb
38b4e47
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| # Skip Init Container Evaluation | ||
|
|
||
| Starting in ACS 5.0, policies evaluate init containers by default. This script adds `skipContainerTypes: ["INIT"]` to all existing policies that don't already have an evaluation filter, preserving the pre-5.0 behavior where init containers were not evaluated. | ||
|
|
||
| ## Usage | ||
|
|
||
| ```bash | ||
| export ROX_ENDPOINT="central.example.com:443" | ||
| export ROX_API_TOKEN="your-api-token" | ||
|
|
||
| ./skip-init-container-evaluation.sh | ||
| ``` | ||
|
|
||
| ## Requirements | ||
|
|
||
| - ACS 5.0 or later | ||
| - `curl` and `jq` installed | ||
|
Would you suggest a version especially for "jq"? It behaves quite differently for different versions.
Author
I don't think we need anything special here - we're using very basic jq features that I believe are standard across versions (
||
| - An API token with policy read/write permissions | ||
|
|
||
| ## What it does | ||
|
|
||
| 1. Checks that Central is running ACS 5.0+ | ||
| 2. Lists all policies and prompts for confirmation before making changes | ||
| 3. For each policy without an existing evaluation filter, adds `skipContainerTypes: ["INIT"]` | ||
|
We could have other evaluation filters, so "container type filter" would be better.
Author
Same as above comment.
||
| 4. Skips policies that already have a container type filter set | ||
| 5. Skips build-only policies (container type filters are not applicable at build time) | ||
|
|
||
| ## Policy-as-Code users | ||
|
|
||
| If you manage policies via SecurityPolicy CRDs and a GitOps workflow, update your policy manifests directly instead of running this script. Add the following to each policy spec: | ||
|
|
||
| ```yaml | ||
| spec: | ||
| # ... existing policy fields ... | ||
| evaluationFilter: | ||
| skipContainerTypes: | ||
| - INIT | ||
| ``` | ||
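Review bot: the "What it does" list (steps 1 to 5) does not document all of the skips the review thread says the script performs: the author's replies on the script hunk state that policies whose lifecycle stage is AUDIT_LOG_EVENT or NODE_EVENT and policies with a Declarative source are also skipped, yet step 5 only mentions build-only policies and the "Policy-as-Code users" section never says that CRD-managed policies are left untouched by the script. Suggest widening step 5 to "Skips policies whose lifecycle stages are build-only, AUDIT_LOG_EVENT or NODE_EVENT (container type filters do not apply there)" and adding "6. Skips declaratively managed (Policy-as-Code) policies, which must be updated in their manifests instead", so the README and the script's behaviour match.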
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,84 @@ | ||
| #!/bin/bash | ||
| # Adds skipContainerTypes: ["INIT"] to all existing policies that don't already have it. | ||
| # This is intended for customers upgrading to 5.0+ who want to preserve the pre-5.0 behavior | ||
| # where init containers were not evaluated by policies. | ||
|
|
||
| set -euo pipefail | ||
|
|
||
| if [[ -z "${ROX_ENDPOINT:-}" ]]; then | ||
| echo >&2 "ROX_ENDPOINT must be set" | ||
| exit 1 | ||
| fi | ||
|
|
||
| if [[ -z "${ROX_API_TOKEN:-}" ]]; then | ||
| echo >&2 "ROX_API_TOKEN must be set" | ||
| exit 1 | ||
| fi | ||
|
|
||
| API="https://${ROX_ENDPOINT}" | ||
| AUTH="Authorization: Bearer ${ROX_API_TOKEN}" | ||
|
|
||
| # Version check — require 5.0+ | ||
| version=$(curl -sk -H "$AUTH" "$API/v1/metadata" | jq -r '.version') | ||
|
|
||
| major=$(echo "$version" | cut -d. -f1) | ||
|
|
||
| if [[ "$major" -lt 5 ]]; then | ||
| echo >&2 "This script requires ACS 5.0 or later (detected: $version)" | ||
| exit 1 | ||
| fi | ||
|
|
||
| echo "ACS version: $version" | ||
|
|
||
| # List all policies | ||
| policies=$(curl -sk -H "$AUTH" "$API/v1/policies" | jq -r '.policies[].id') | ||
| total=$(echo "$policies" | wc -l | tr -d ' ') | ||
| updated=0 | ||
| skipped=0 | ||
|
|
||
|
|
||
| echo "Found $total policies" | ||
| echo "" | ||
| echo "This will add skipContainerTypes: [\"INIT\"] to all policies without an existing evaluation filter." | ||
| echo "This action is not easily reversible." | ||
| read -rp "Continue? (yes/no): " confirm | ||
| if [[ "$confirm" != "yes" ]]; then | ||
| echo "Aborted." | ||
| exit 0 | ||
| fi | ||
| echo "" | ||
|
|
||
| for id in $policies; do | ||
| policy=$(curl -sk -H "$AUTH" "$API/v1/policies/$id") | ||
| name=$(echo "$policy" | jq -r '.name') | ||
|
|
||
| # Skip if any evaluation filter is already configured | ||
| existing_filter=$(echo "$policy" | jq -e '.evaluationFilter // empty' 2>/dev/null) | ||
| if [[ -n "$existing_filter" && "$existing_filter" != "{}" ]]; then | ||
|
We could add a base image filter later. Please look deeper into this structure.
Author
After discussion, we've agreed that skipping any policy with an existing evaluation filter is the safest approach, so as not to overwrite other filter types in the future.
|
||
| echo " SKIP: \"$name\" — already has evaluation filter" | ||
| skipped=$((skipped + 1)) | ||
| continue | ||
| fi | ||
|
|
||
| # Skip build-only policies — container type filters don't apply at build time | ||
| lifecycle_stages=$(echo "$policy" | jq -r '.lifecycleStages[]') | ||
| if [[ "$lifecycle_stages" == "BUILD" ]]; then | ||
|
I am afraid there are more to skip.
Author
This is a great catch - I've added "AUDIT_LOG_EVENT" and "NODE_EVENT" checks here as well.
||
| echo " SKIP: \"$name\" — build-only policy" | ||
| skipped=$((skipped + 1)) | ||
| continue | ||
| fi | ||
|
In the README, you mentioned that the customer needs to change the PAC policies themselves. So do we want to skip declarative policies here?
Author
Nice catch - I've added a check here to skip Declarative sourced policies.
||
|
|
||
| # Add skipContainerTypes: ["INIT"] to the evaluation filter | ||
| updated_policy=$(echo "$policy" | jq '.evaluationFilter = {"skipContainerTypes": ["INIT"]}') | ||
|
|
||
| result=$(curl -sk -o /dev/null -w "%{http_code}" -XPUT -H "$AUTH" -H "Content-Type: application/json" \ | ||
| "$API/v1/policies/$id" --data "$updated_policy") | ||
|
|
||
| if [[ "$result" == "200" ]]; then | ||
| echo " UPDATED: \"$name\"" | ||
| updated=$((updated + 1)) | ||
| else | ||
| echo >&2 " ERROR: \"$name\" — HTTP $result" | ||
| fi | ||
| done | ||
|
|
||
| echo "" | ||
| echo "Done. Updated: $updated, Skipped: $skipped, Total: $total" | ||
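Review bot: under `set -euo pipefail` the line `existing_filter=$(echo "$policy" | jq -e '.evaluationFilter // empty' 2>/dev/null)` aborts the whole run on the first policy that has no evaluation filter: `jq -e` exits non-zero when it produces no output (or a null/false value), the assignment takes the exit status of its command substitution, and `set -e` then terminates the script, so precisely the policies this loop is meant to update are never reached, and the summary line is never printed. Drop `-e` (plain `jq '.evaluationFilter // empty'`) or append `|| true` inside the substitution; the following `[[ -n "$existing_filter" && "$existing_filter" != "{}" ]]` test already handles the empty case correctly. Secondary point on the same hunk: every `curl` call passes `-k`, which disables TLS certificate verification on requests that carry the bearer token, including the `PUT` that rewrites each policy; make insecure mode opt-in through an explicitly set variable (or accept a CA bundle via `--cacert`) rather than the default, since this script is meant to be run against production Central instances.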
that don't already have a container type evaluation filter
After discussion, we intentionally skip policies with any evaluation filter (not just container type). This avoids the risk of overwriting other filter configurations like a future base image filter.