Feature/security context (#18)
* securityContext

---------

Co-authored-by: Seth Hollandsworth <[email protected]>
Co-authored-by: Seth Hollandsworth <[email protected]>
3 people authored Apr 27, 2023
1 parent 34ddd1d commit aff3a33
Showing 16 changed files with 2,359 additions and 117 deletions.
4 changes: 3 additions & 1 deletion src/confcom/.gitignore
Expand Up @@ -27,6 +27,8 @@ azext_confcom/bin/
azext_confcom/bin/*
**/dmverity-vhd.exe
**/dmverity-vhd

# metadata file for coverage reports
**/.coverage
**/htmlcov

**/htmlcov
2 changes: 1 addition & 1 deletion src/confcom/azext_confcom/_params.py
Expand Up @@ -89,7 +89,7 @@ def load_arguments(self, _):
help="Validate that the image used to generate the CCE Policy for a sidecar container will be allowed by its generated policy",
)
c.argument(
"print-existing-policy",
"print_existing_policy",
options_list=("--print-existing-policy"),
required=False,
action="store_true",
34 changes: 31 additions & 3 deletions src/confcom/azext_confcom/config.py
Expand Up @@ -26,6 +26,10 @@
ACI_FIELD_CONTAINERS_WAIT_MOUNT_POINTS = "wait_mount_points"
ACI_FIELD_CONTAINERS_ALLOW_ELEVATED = "allow_elevated"
ACI_FIELD_CONTAINERS_SECURITY_CONTEXT = "securityContext"
ACI_FIELD_CONTAINERS_ALLOW_PRIVILEGE_ESCALATION = "allowPrivilegeEscalation"
ACI_FIELD_CONTAINERS_RUN_AS_USER = "runAsUser"
ACI_FIELD_CONTAINERS_RUN_AS_GROUP = "runAsGroup"
ACI_FIELD_CONTAINERS_SECCOMP_PROFILE = "seccompProfile"
ACI_FIELD_CONTAINERS_REGO_FRAGMENTS = "fragments"
ACI_FIELD_CONTAINERS_REGO_FRAGMENTS_FEED = "feed"
ACI_FIELD_CONTAINERS_REGO_FRAGMENTS_ISS = "iss"
Expand Down Expand Up @@ -63,6 +67,9 @@
ACI_FIELD_TEMPLATE_CONFCOM_PROPERTIES = "confidentialComputeProperties"
ACI_FIELD_TEMPLATE_CCE_POLICY = "ccePolicy"
ACI_FIELD_CONTAINERS_PRIVILEGED = "privileged"
ACI_FIELD_CONTAINERS_CAPABILITIES = "capabilities"
ACI_FIELD_CONTAINERS_CAPABILITIES_ADD = "add"
ACI_FIELD_CONTAINERS_CAPABILITIES_DROP = "drop"


# output json values
Expand All @@ -87,9 +94,23 @@
POLICY_FIELD_CONTAINERS_ELEMENTS_MOUNTS_OPTIONS = "options"
POLICY_FIELD_CONTAINERS_ELEMENTS_WAIT_MOUNT_POINTS = "wait_mount_points"
POLICY_FIELD_CONTAINERS_ELEMENTS_ALLOW_ELEVATED = "allow_elevated"
POLICY_FIELD_CONTAINER_EXEC_PROCESSES = "exec_processes"
POLICY_FIELD_CONTAINER_SIGNAL_CONTAINER_PROCESSES = "signals"
POLICY_FIELD_CONTAINERS_ALLOW_STDIO_ACCESS = "allow_stdio_access"
POLICY_FIELD_CONTAINERS_ELEMENTS_NO_NEW_PRIVILEGES = "no_new_privileges"
POLICY_FIELD_CONTAINERS_ELEMENTS_EXEC_PROCESSES = "exec_processes"
POLICY_FIELD_CONTAINERS_ELEMENTS_SIGNAL_CONTAINER_PROCESSES = "signals"
POLICY_FIELD_CONTAINERS_ELEMENTS_USER = "user"
POLICY_FIELD_CONTAINERS_ELEMENTS_USER_USER_IDNAME = "user_idname"
POLICY_FIELD_CONTAINERS_ELEMENTS_USER_GROUP_IDNAMES = "group_idnames"
POLICY_FIELD_CONTAINERS_ELEMENTS_USER_UMASK = "umask"
POLICY_FIELD_CONTAINERS_ELEMENTS_USER_PATTERN = "pattern"
POLICY_FIELD_CONTAINERS_ELEMENTS_CAPABILITIES = "capabilities"
POLICY_FIELD_CONTAINERS_ELEMENTS_CAPABILITIES_BOUNDING = "bounding"
POLICY_FIELD_CONTAINERS_ELEMENTS_CAPABILITIES_EFFECTIVE = "effective"
POLICY_FIELD_CONTAINERS_ELEMENTS_CAPABILITIES_INHERITABLE = "inheritable"
POLICY_FIELD_CONTAINERS_ELEMENTS_CAPABILITIES_PERMITTED = "permitted"
POLICY_FIELD_CONTAINERS_ELEMENTS_CAPABILITIES_AMBIENT = "ambient"
POLICY_FIELD_CONTAINERS_ELEMENTS_USER_STRATEGY = "strategy"
POLICY_FIELD_CONTAINERS_ELEMENTS_SECCOMP_PROFILE_SHA256 = "seccomp_profile_sha256"
POLICY_FIELD_CONTAINERS_ELEMENTS_ALLOW_STDIO_ACCESS = "allow_stdio_access"
POLICY_FIELD_CONTAINERS_ELEMENTS_REGO_FRAGMENTS = "fragments"
POLICY_FIELD_CONTAINERS_ELEMENTS_REGO_FRAGMENTS_FEED = "feed"
POLICY_FIELD_CONTAINERS_ELEMENTS_REGO_FRAGMENTS_ISS = "iss"
Expand Down Expand Up @@ -135,7 +156,14 @@
SIDECAR_REGO_FILE = "./data/sidecar_rego_policy.txt"
SIDECAR_REGO_FILE_PATH = f"{script_directory}/{SIDECAR_REGO_FILE}"
SIDECAR_REGO_POLICY = os_util.load_str_from_file(SIDECAR_REGO_FILE_PATH)

# api version
API_VERSION = _config["version_api"]
# default containers to be added to all container groups
DEFAULT_CONTAINERS = _config["default_containers"]
# default container user config to be added for security context
DEFAULT_USER = _config["default_user"]
# default unpriviliged user capabilities to be added for security context
DEFAULT_UNPRIVILEGED_CAPABILITIES = _config["default_unprivileged_capabilities"]
# default priviliged user capabilities to be added for security context
DEFAULT_PRIVILEGED_CAPABILITIES = _config["default_privileged_capabilities"]
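Review bot: The values bound at `DEFAULT_USER`, `DEFAULT_UNPRIVILEGED_CAPABILITIES` and `DEFAULT_PRIVILEGED_CAPABILITIES` at the bottom of the last hunk become the fallback privilege settings written into every generated policy for a container that omits them, yet they are pulled out of `_config` by plain indexing with no shape check, so a malformed or over-permissive data file would silently widen the policy instead of failing at load. I would add a load-time check that raises (not `assert`, which `-O` strips) if either capability value is not a list of strings, and at minimum a comment naming the file `_config` is read from and stating that it ships with the package rather than being user-supplied — where `_config` is built is outside this hunk, so I cannot confirm either from here. The comments on the two capability lines also misspell "privileged" as "priviliged", e.g. `# default unprivileged capabilities applied when a container's securityContext omits them`. As a point of style, `POLICY_FIELD_CONTAINERS_ELEMENTS_USER_STRATEGY` sits in the middle of the capability constants; moving it up next to the other `_USER_` fields keeps the grouping readable.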