Add new gcs hooks, add expected mounts to security policy #1258

Merged
merged 3 commits into from
Mar 22, 2022

Commits on Mar 15, 2022

  1. Add new gcs hooks, add expected mounts to security policy

    Introduce a new `wait-paths` binary, which polls file system
    until requested paths are available or a timeout is reached.
    
    Security policy has been updated to have ExpectedMounts entries,
    which will be used in conjunction with "wait-paths" hook for
    synchronization purposes.
    
    Refactor oci-hook logic into its own internal package and update
    existing code to use that package. Copy runc HookName and constants
    definitions to break dependency on runc
    
    Introduce ExpectedMounts as part of security policy language and
    the logic to enforce the policy, which resolves the expected mounts
    in the UVM and adds a wait-paths hook to the spec.
    
    Signed-off-by: Maksim An <maksiman@microsoft.com>
    anmaxvl committed Mar 15, 2022
    7ee3448
  2. pr feedback: wait-path only supports paths under sandbox mounts

    Per pr feedback, only container paths under sandbox mounts are
    supported as wait-paths. The support for other 2 scenarios can be
    added as needed.
    
    Add positive and negative CRI tests.
    
    Signed-off-by: Maksim An <maksiman@microsoft.com>
    anmaxvl committed Mar 15, 2022
    f5c3596
  3. pr feedback: explicit split between positive and negative tests

    Signed-off-by: Maksim An <maksiman@microsoft.com>
    anmaxvl committed Mar 15, 2022
    f2d32fa
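
The first commit describes `wait-paths` as polling the file system until the requested paths are available or a timeout is reached. The following sketch of that polling loop is an added example, not the code from this PR; the function name `waitPaths`, its parameters and the temporary directory layout are assumptions made for illustration.

```go
// Added illustration of poll-until-present with a deadline; not the hcsshim wait-paths source.
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"time"
)

// waitPaths polls until every path exists or the timeout elapses. On timeout it
// returns the paths still missing so the caller can fail closed.
func waitPaths(paths []string, timeout, interval time.Duration) ([]string, error) {
	deadline := time.Now().Add(timeout)
	pending := append([]string(nil), paths...)
	for {
		var missing []string
		for _, p := range pending {
			if _, err := os.Stat(p); errors.Is(err, os.ErrNotExist) {
				missing = append(missing, p)
			} else if err != nil {
				return pending, fmt.Errorf("stat %q: %w", p, err) // e.g. permission denied
			}
		}
		if len(missing) == 0 {
			return nil, nil
		}
		if !time.Now().Before(deadline) {
			return missing, fmt.Errorf("timed out after %s; %d path(s) missing", timeout, len(missing))
		}
		pending = missing // paths already seen are not re-checked
		time.Sleep(interval)
	}
}

func main() {
	dir, err := os.MkdirTemp("", "waitpaths-demo") // constructed sample layout
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	late := filepath.Join(dir, "mounted") // appears after a delay, like a late mount
	go func() { time.Sleep(100 * time.Millisecond); _ = os.Mkdir(late, 0o755) }()
	fmt.Println(waitPaths([]string{dir, late}, 2*time.Second, 20*time.Millisecond))
	never := filepath.Join(dir, "never") // never created, so the wait times out
	fmt.Println(waitPaths([]string{never}, 200*time.Millisecond, 20*time.Millisecond))
}
```

A stat error other than "does not exist" aborts the wait immediately instead of being retried, so a path that is present but unreadable is reported as an error rather than as a timeout.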