Closed yakirk closed 4 months ago
Hey, is there anything I can do to make this PR merge? I am struggling to understand why the build failed.
I think the DCO check is failing. Details for how to fix that should be in the "details" link next to the failed check: https://github.com/open-policy-agent/gatekeeper-library/pull/529/checks?check_run_id=25572805190
I haven't looked at the code yet, but some high-level observations:
If we are switching to v2 (which this code would require, since this is a behavioral change), then we need to add a V2 suffix to the constraint kind.
I don't know if we want to try to distinguish between repos and images. That leads us to a place where we are trying to replicate docker's image parsing logic in Rego, which seems complex. Would it be better to just rename the field from "repos" to "prefix" to make it clear to users that this is merely a string check? Users can then decide what makes sense for them.
Hey Max, I appreciate the answer.
I will close this PR and open a new, clean one. The DCO caused some issues.
What this PR does / why we need it: This PR fixes security issues in the current "Allowed Repositories" (k8sallowedrepos) rule that can be bypassed in several ways. The previous rule only checked for a suffix match, so possible scenarios were:
This is why, when a user adds a constraint to pull images from specific repositories or registries, the rule appends a '/' to the end if it is not already present. The PR also provides the option to allow only specific image names (because they require special checking). For example, in the previous rule, since the rule only checked for a suffix match, if the user configured it to allow downloading only "ubuntu", it was possible to download images like "ubuntu-evil" and basically any image name that starts with the same prefix. This PR enhances security by preventing potential bypasses of the existing rule.
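As an added illustration (not code from this PR or from gatekeeper-library), the bare prefix check beside a boundary-aware version, written in Python rather than Rego so it runs stand-alone; the constraint values, container names and the `violations` helper are constructed placeholders:

```python
# Added example: weak prefix match vs. '/'-boundary match plus exact image names.
# Constraint values below are constructed placeholders, not from the PR.

def allowed_weak(image: str, repos: list[str]) -> bool:
    """Original behaviour: any repo string that is a prefix of the image passes."""
    return any(image.startswith(r) for r in repos)


def _strip_tag_and_digest(image: str) -> str:
    """Drop '@sha256:...' and ':tag' but keep a registry ':port' in the host part."""
    name = image.split("@", 1)[0]
    last = name.rsplit("/", 1)[-1]
    if ":" in last:
        name = name[: len(name) - len(last)] + last.split(":", 1)[0]
    return name


def allowed_hardened(image: str, repos: list[str], images: list[str]) -> bool:
    """Repos match only up to a '/' boundary; image names must match exactly
    (tag/digest removed). Registry aliases such as docker.io/library/ubuntu are
    compared literally, so list the spelling you expect in the pod spec."""
    name = _strip_tag_and_digest(image)
    for r in repos:
        prefix = r if r.endswith("/") else r + "/"
        if name.startswith(prefix):
            return True
    return name in images


def violations(containers: dict[str, str], repos: list[str], images: list[str]) -> list[str]:
    """Gatekeeper-style messages for every container whose image is not allowed."""
    return [
        f"container <{c}> has an invalid image repo <{img}>, allowed repos are {repos}"
        for c, img in containers.items()
        if not allowed_hardened(img, repos, images)
    ]


if __name__ == "__main__":
    repos, images = ["ghcr.io/myorg"], ["ubuntu"]
    pod = {"app": "ghcr.io/myorg-evil/app:1", "base": "ubuntu-evil", "ok": "ubuntu:22.04"}
    for c, img in pod.items():
        print(c, allowed_weak(img, repos + images), allowed_hardened(img, repos, images))
    print(violations(pod, repos, images))
```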