From 41d1935d4597080d8d1100f1624edd7711673293 Mon Sep 17 00:00:00 2001
From: Dominic Ayre
Date: Mon, 22 Sep 2025 09:49:17 +0000
Subject: [PATCH 01/16] Add confcom parse aci arm command
---
src/confcom/azext_confcom/_params.py | 52 ++++++++++++++++++
.../azext_confcom/command/parse_aci_arm.py | 54 +++++++++++++++++++
src/confcom/azext_confcom/commands.py | 3 ++
src/confcom/azext_confcom/custom.py | 23 ++++++++
4 files changed, 132 insertions(+)
create mode 100644 src/confcom/azext_confcom/command/parse_aci_arm.py
diff --git a/src/confcom/azext_confcom/_params.py b/src/confcom/azext_confcom/_params.py
index 855973176ac..1d66c8e9451 100644
--- a/src/confcom/azext_confcom/_params.py
+++ b/src/confcom/azext_confcom/_params.py
@@ -42,6 +42,58 @@ def load_arguments(self, _):
 c.argument("tags", tags_type)
 c.argument("confcom_name", confcom_name_type, options_list=["--name", "-n"])
+ with self.argument_context("confcom parse aci arm") as c:
+ c.positional(
+ "arm_template_path",
+ help="Path to the ARM template file to parse.",
+ )
+ c.argument(
+ "arm_template_parameters_path",
+ options_list=("--parameters", "-p"),
+ required=False,
+ help="ARM template parameters",
+ # validator=validate_params_file
+ )
+ c.argument(
+ "exclude_default_fragments",
+ options_list=("--exclude-default-fragments", "-e"),
+ default=False,
+ action="store_true",
+ required=False,
+ help="Exclude default fragments in the generated policy",
+ )
+ c.argument(
+ "infrastructure_svn",
+ options_list=("--infrastructure-svn",),
+ required=False,
+ help="Minimum Allowed Software Version Number for Infrastructure Fragment",
+ validator=validate_infrastructure_svn,
+ )
+ c.argument(
+ "debug_mode",
+ options_list=("--debug-mode",),
+ default=False,
+ action="store_true",
+ required=False,
+ help="Debug mode will enable processes in a container group that are helpful for debugging",
+ )
+ c.argument(
+ "disable_stdio",
+ options_list=("--disable-stdio",),
+ default=False,
+ action="store_true",
+ required=False,
+ help="Disabling container stdio will disable the ability to see the output of the container in the terminal for Confidential ACI",
+ )
+ c.argument(
+ "approve_wildcards",
+ options_list=("--approve-wildcards", "-y"),
+ default=False,
+ action="store_true",
+ required=False,
+ help="Approving wildcards by default will get rid of the prompts during the wildcard environment variable use case and auto-approve the use of wildcards",
+ )
+
 with self.argument_context("confcom acipolicygen") as c:
 c.argument(
 "input_path",
diff --git a/src/confcom/azext_confcom/command/parse_aci_arm.py b/src/confcom/azext_confcom/command/parse_aci_arm.py
new file mode 100644
index 00000000000..11a152b54f8
--- /dev/null
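Review bot: The help for `--debug-mode` should say what the flag actually adds to the policy: the `policy_spec_debug.json` fixtures later in this series show it injecting `execProcesses` for `/bin/sh` and `/bin/bash` with `allow_stdio_access: true`, i.e. an interactive shell that the generated policy will permit inside the confidential container group, so an operator needs to be told not to carry it into production, e.g. `help="Debug mode adds /bin/sh and /bin/bash as allowed exec processes in the generated policy; do not use for production container groups"`. The commented-out `# validator=validate_params_file` on `--parameters` should be restored or deleted rather than left as dead code; as written nothing checks the parameters path at argument-parse time, so a bad path presumably surfaces as an exception from the `open()` in the command module rather than as a CLI usage error. The enclosing `load_arguments` starts before this hunk.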
+++ b/src/confcom/azext_confcom/command/parse_aci_arm.py
@@ -0,0 +1,54 @@
+
+from dataclasses import asdict
+from typing import Optional
+from azext_confcom import os_util, config
+from azext_confcom.lib.arm_to_aci_policy_spec import AciFragmentSpec, arm_to_aci_policy_spec
+
+
+def _omit_none_dict_factory(items):
+ """Dict factory for dataclasses.asdict that drops None values."""
+ return {key: value for key, value in items if (
+ value is not None and
+ value != []
+ )}
+
+
+def parse_aci_arm(
+ arm_template_path: str,
+ arm_template_parameters_path: Optional[str],
+ debug_mode: bool,
+ exclude_default_fragments: bool,
+ infrastructure_svn: Optional[str],
+ disable_stdio: bool,
+ approve_wildcards: bool,
+) -> list[dict[str, str]]:
+
+ with open(arm_template_path, 'r') as f:
+ arm_template = os_util.load_json_from_str(f.read())
+
+ arm_template_parameters = {}
+ if arm_template_parameters_path is not None:
+ with open(arm_template_parameters_path, 'r') as f:
+ arm_template_parameters = os_util.load_json_from_str(f.read())
+
+ aci_policy_specs = list(arm_to_aci_policy_spec(
+ arm_template=arm_template,
+ arm_template_parameters=arm_template_parameters,
+ fragments=[
+ AciFragmentSpec(
+ feed=fragment["feed"],
+ issuer=fragment["issuer"],
+ includes=fragment["includes"],
+ minimum_svn=infrastructure_svn or fragment["minimum_svn"],
+ )
+ for fragment in config.DEFAULT_REGO_FRAGMENTS
+ ] if not exclude_default_fragments else [],
+ debug_mode=debug_mode,
+ allow_stdio_access=not disable_stdio,
+ approve_wildcards=approve_wildcards,
+ ))
+
+ return [
+ asdict(spec, dict_factory=_omit_none_dict_factory)
+ for spec in aci_policy_specs
+ ]
\ No newline at end of file
diff --git a/src/confcom/azext_confcom/commands.py b/src/confcom/azext_confcom/commands.py
index 1d2bb45f724..e8777238ee8 100644
--- a/src/confcom/azext_confcom/commands.py
+++ b/src/confcom/azext_confcom/commands.py
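Review bot: `minimum_svn=infrastructure_svn or fragment["minimum_svn"]` applies the `--infrastructure-svn` override to every entry of `config.DEFAULT_REGO_FRAGMENTS`, whereas the flag's help text scopes it to the infrastructure fragment; the fixtures show a single default fragment today, so this is latent, but any additional default fragment would silently have its SVN floor replaced too — either key the override on the fragment's feed or document that it is global. The docstring of `_omit_none_dict_factory` says it drops `None` values, but the `value != []` test also drops empty lists, which is why the exclude-default-fragment fixtures carry no `fragments` key at all; `"""Dict factory for dataclasses.asdict that drops None values and empty lists."""` makes that consumer-visible omission read as deliberate. Both `open()` calls omit `encoding=` (the test module passes `encoding="utf-8"`), so a template with non-ASCII content is decoded with the locale encoding; `open(arm_template_path, 'r', encoding='utf-8')`. The return annotation `list[dict[str, str]]` is also inaccurate — the `asdict` output holds nested lists and dicts — and `list[dict[str, Any]]` would describe it.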
@@ -11,5 +11,8 @@ def load_command_table(self, _):
 g.custom_command("acifragmentgen", "acifragmentgen_confcom")
 g.custom_command("katapolicygen", "katapolicygen_confcom")
+ with self.command_group("confcom parse aci") as g:
+ g.custom_command("arm", "parse_aci_arm", is_preview=True)
+
 with self.command_group("confcom"):
 pass
diff --git a/src/confcom/azext_confcom/custom.py b/src/confcom/azext_confcom/custom.py
index 7dabb5f3a89..358faad1591 100644
--- a/src/confcom/azext_confcom/custom.py
+++ b/src/confcom/azext_confcom/custom.py
@@ -6,6 +6,7 @@ import json
 import os
 import sys
+from typing import Optional
 from azext_confcom import oras_proxy, os_util, security_policy
 from azext_confcom.config import (
@@ -21,6 +22,7 @@ extract_confidential_properties, get_image_name, inject_policy_into_template, inject_policy_into_yaml, pretty_print_func, print_existing_policy_from_arm_template, print_existing_policy_from_yaml, print_func, str_to_sha256)
+from azext_confcom.command.parse_aci_arm import parse_aci_arm as _parse_aci_arm
 from knack.log import get_logger
 from pkg_resources import parse_version
@@ -488,3 +490,24 @@ def get_fragment_output_type(outraw):
 if outraw:
 output_type = security_policy.OutputType.RAW
 return output_type
+
+# This should be *args, **kwargs to avoid having to touch this, however the az
+# extension frameworks then expects literal args and kwargs parameters.
+def parse_aci_arm(
+ arm_template_path: str,
+ arm_template_parameters_path: Optional[str],
+ debug_mode: bool,
+ exclude_default_fragments: bool,
+ infrastructure_svn: Optional[str],
+ disable_stdio: bool,
+ approve_wildcards: bool,
+) -> str:
+ return _parse_aci_arm(
+ arm_template_path,
+ arm_template_parameters_path,
+ debug_mode,
+ exclude_default_fragments,
+ infrastructure_svn,
+ disable_stdio,
+ approve_wildcards,
+ )
From cbdea0ff3c02fc9756922bbad45063a6bb6e8033 Mon Sep 17 00:00:00 2001
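Review bot: The wrapper's return annotation `-> str` does not match what it returns: `_parse_aci_arm` builds a list of `asdict` dictionaries, so a reader or type checker following this signature gets the wrong output shape for the command; change the signature's last line to `) -> list[dict[str, Any]]:` and widen the new import to `from typing import Any, Optional`. The comment above the function explains that `*args, **kwargs` is not possible but reads as a complaint rather than a constraint; something like `# The az CLI extension loader binds CLI arguments to the literal parameter names, so this cannot be a *args/**kwargs pass-through — keep it in sync with command/parse_aci_arm.py.` tells the next maintainer why the two signatures must match, though I cannot verify the loader wording from here, so confirm it.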
From: Dominic Ayre Date: Wed, 24 Sep 2025 20:21:36 +0000 Subject: [PATCH 02/16] Add parse tests --- .../latest/test_confcom_parse_aci_arm.py | 65 ++++++ .../samples/aci/command/policy_spec.json | 99 ++++++++ .../aci/command/policy_spec_debug.json | 113 +++++++++ .../command/policy_spec_disable_stdio.json | 99 ++++++++ .../policy_spec_exclude_default_fragment.json | 88 +++++++ .../policy_spec_infrastructure_svn.json | 99 ++++++++ .../conflicting_variables/policy_spec.json | 94 ++++++++ .../policy_spec_debug.json | 108 +++++++++ .../policy_spec_disable_stdio.json | 94 ++++++++ .../policy_spec_exclude_default_fragment.json | 83 +++++++ .../policy_spec_infrastructure_svn.json | 94 ++++++++ .../container_group_profiles/policy_spec.json | 94 ++++++++ .../policy_spec_debug.json | 108 +++++++++ .../policy_spec_disable_stdio.json | 94 ++++++++ .../policy_spec_exclude_default_fragment.json | 83 +++++++ .../policy_spec_infrastructure_svn.json | 94 ++++++++ .../aci/default_variables/policy_spec.json | 94 ++++++++ .../default_variables/policy_spec_debug.json | 108 +++++++++ .../policy_spec_disable_stdio.json | 94 ++++++++ .../policy_spec_exclude_default_fragment.json | 83 +++++++ .../policy_spec_infrastructure_svn.json | 94 ++++++++ .../policy_spec.json | 94 ++++++++ .../policy_spec_debug.json | 108 +++++++++ .../policy_spec_disable_stdio.json | 94 ++++++++ .../policy_spec_exclude_default_fragment.json | 83 +++++++ .../policy_spec_infrastructure_svn.json | 94 ++++++++ .../environment_variables/policy_spec.json | 100 ++++++++ .../policy_spec_debug.json | 114 ++++++++++ .../policy_spec_disable_stdio.json | 100 ++++++++ .../policy_spec_exclude_default_fragment.json | 89 ++++++++ .../policy_spec_infrastructure_svn.json | 100 ++++++++ .../samples/aci/minimal/policy_spec.json | 94 ++++++++ .../aci/minimal/policy_spec_debug.json | 108 +++++++++ .../minimal/policy_spec_disable_stdio.json | 94 ++++++++ .../policy_spec_exclude_default_fragment.json | 83 +++++++ 
.../policy_spec_infrastructure_svn.json | 94 ++++++++ .../multi_container_groups/policy_spec.json | 186 +++++++++++++++ .../policy_spec_debug.json | 214 ++++++++++++++++++ .../policy_spec_disable_stdio.json | 186 +++++++++++++++ .../policy_spec_exclude_default_fragment.json | 164 ++++++++++++++ .../policy_spec_infrastructure_svn.json | 186 +++++++++++++++ .../aci/multi_containers/policy_spec.json | 171 ++++++++++++++ .../multi_containers/policy_spec_debug.json | 199 ++++++++++++++++ .../policy_spec_disable_stdio.json | 171 ++++++++++++++ .../policy_spec_exclude_default_fragment.json | 160 +++++++++++++ .../policy_spec_infrastructure_svn.json | 171 ++++++++++++++ .../policy_spec.json | 102 +++++++++ .../policy_spec_debug.json | 116 ++++++++++ .../policy_spec_disable_stdio.json | 102 +++++++++ .../policy_spec_exclude_default_fragment.json | 91 ++++++++ .../policy_spec_infrastructure_svn.json | 102 +++++++++ .../policy_spec.json | 106 +++++++++ .../policy_spec_debug.json | 120 ++++++++++ .../policy_spec_disable_stdio.json | 106 +++++++++ .../policy_spec_exclude_default_fragment.json | 95 ++++++++ .../policy_spec_infrastructure_svn.json | 106 +++++++++ .../policy_spec.json | 102 +++++++++ .../policy_spec_debug.json | 116 ++++++++++ .../policy_spec_disable_stdio.json | 102 +++++++++ .../policy_spec_exclude_default_fragment.json | 91 ++++++++ .../policy_spec_infrastructure_svn.json | 102 +++++++++ .../policy_spec.json | 97 ++++++++ .../policy_spec_debug.json | 111 +++++++++ .../policy_spec_disable_stdio.json | 97 ++++++++ .../policy_spec_exclude_default_fragment.json | 86 +++++++ .../policy_spec_infrastructure_svn.json | 97 ++++++++ .../policy_spec.json | 97 ++++++++ .../policy_spec_debug.json | 111 +++++++++ .../policy_spec_disable_stdio.json | 97 ++++++++ .../policy_spec_exclude_default_fragment.json | 86 +++++++ .../policy_spec_infrastructure_svn.json | 97 ++++++++ .../samples/aci/variables/policy_spec.json | 94 ++++++++ .../aci/variables/policy_spec_debug.json | 108 
+++++++++ .../variables/policy_spec_disable_stdio.json | 94 ++++++++ .../policy_spec_exclude_default_fragment.json | 83 +++++++ .../policy_spec_infrastructure_svn.json | 94 ++++++++ .../aci/volume_mount_secret/policy_spec.json | 99 ++++++++ .../policy_spec_debug.json | 113 +++++++++ .../policy_spec_disable_stdio.json | 99 ++++++++ .../policy_spec_exclude_default_fragment.json | 88 +++++++ .../policy_spec_infrastructure_svn.json | 99 ++++++++ .../aci/volume_mounts/policy_spec.json | 99 ++++++++ .../aci/volume_mounts/policy_spec_debug.json | 113 +++++++++ .../policy_spec_disable_stdio.json | 99 ++++++++ .../policy_spec_exclude_default_fragment.json | 88 +++++++ .../policy_spec_infrastructure_svn.json | 99 ++++++++ 86 files changed, 9243 insertions(+) create mode 100644 src/confcom/azext_confcom/tests/latest/test_confcom_parse_aci_arm.py create mode 100644 src/confcom/samples/aci/command/policy_spec.json create mode 100644 src/confcom/samples/aci/command/policy_spec_debug.json create mode 100644 src/confcom/samples/aci/command/policy_spec_disable_stdio.json create mode 100644 src/confcom/samples/aci/command/policy_spec_exclude_default_fragment.json create mode 100644 src/confcom/samples/aci/command/policy_spec_infrastructure_svn.json create mode 100644 src/confcom/samples/aci/conflicting_variables/policy_spec.json create mode 100644 src/confcom/samples/aci/conflicting_variables/policy_spec_debug.json create mode 100644 src/confcom/samples/aci/conflicting_variables/policy_spec_disable_stdio.json create mode 100644 src/confcom/samples/aci/conflicting_variables/policy_spec_exclude_default_fragment.json create mode 100644 src/confcom/samples/aci/conflicting_variables/policy_spec_infrastructure_svn.json create mode 100644 src/confcom/samples/aci/container_group_profiles/policy_spec.json create mode 100644 src/confcom/samples/aci/container_group_profiles/policy_spec_debug.json create mode 100644 src/confcom/samples/aci/container_group_profiles/policy_spec_disable_stdio.json 
create mode 100644 src/confcom/samples/aci/container_group_profiles/policy_spec_exclude_default_fragment.json create mode 100644 src/confcom/samples/aci/container_group_profiles/policy_spec_infrastructure_svn.json create mode 100644 src/confcom/samples/aci/default_variables/policy_spec.json create mode 100644 src/confcom/samples/aci/default_variables/policy_spec_debug.json create mode 100644 src/confcom/samples/aci/default_variables/policy_spec_disable_stdio.json create mode 100644 src/confcom/samples/aci/default_variables/policy_spec_exclude_default_fragment.json create mode 100644 src/confcom/samples/aci/default_variables/policy_spec_infrastructure_svn.json create mode 100644 src/confcom/samples/aci/default_variables_override/policy_spec.json create mode 100644 src/confcom/samples/aci/default_variables_override/policy_spec_debug.json create mode 100644 src/confcom/samples/aci/default_variables_override/policy_spec_disable_stdio.json create mode 100644 src/confcom/samples/aci/default_variables_override/policy_spec_exclude_default_fragment.json create mode 100644 src/confcom/samples/aci/default_variables_override/policy_spec_infrastructure_svn.json create mode 100644 src/confcom/samples/aci/environment_variables/policy_spec.json create mode 100644 src/confcom/samples/aci/environment_variables/policy_spec_debug.json create mode 100644 src/confcom/samples/aci/environment_variables/policy_spec_disable_stdio.json create mode 100644 src/confcom/samples/aci/environment_variables/policy_spec_exclude_default_fragment.json create mode 100644 src/confcom/samples/aci/environment_variables/policy_spec_infrastructure_svn.json create mode 100644 src/confcom/samples/aci/minimal/policy_spec.json create mode 100644 src/confcom/samples/aci/minimal/policy_spec_debug.json create mode 100644 src/confcom/samples/aci/minimal/policy_spec_disable_stdio.json create mode 100644 src/confcom/samples/aci/minimal/policy_spec_exclude_default_fragment.json create mode 100644 
src/confcom/samples/aci/minimal/policy_spec_infrastructure_svn.json create mode 100644 src/confcom/samples/aci/multi_container_groups/policy_spec.json create mode 100644 src/confcom/samples/aci/multi_container_groups/policy_spec_debug.json create mode 100644 src/confcom/samples/aci/multi_container_groups/policy_spec_disable_stdio.json create mode 100644 src/confcom/samples/aci/multi_container_groups/policy_spec_exclude_default_fragment.json create mode 100644 src/confcom/samples/aci/multi_container_groups/policy_spec_infrastructure_svn.json create mode 100644 src/confcom/samples/aci/multi_containers/policy_spec.json create mode 100644 src/confcom/samples/aci/multi_containers/policy_spec_debug.json create mode 100644 src/confcom/samples/aci/multi_containers/policy_spec_disable_stdio.json create mode 100644 src/confcom/samples/aci/multi_containers/policy_spec_exclude_default_fragment.json create mode 100644 src/confcom/samples/aci/multi_containers/policy_spec_infrastructure_svn.json create mode 100644 src/confcom/samples/aci/security_context_capabilities_add/policy_spec.json create mode 100644 src/confcom/samples/aci/security_context_capabilities_add/policy_spec_debug.json create mode 100644 src/confcom/samples/aci/security_context_capabilities_add/policy_spec_disable_stdio.json create mode 100644 src/confcom/samples/aci/security_context_capabilities_add/policy_spec_exclude_default_fragment.json create mode 100644 src/confcom/samples/aci/security_context_capabilities_add/policy_spec_infrastructure_svn.json create mode 100644 src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec.json create mode 100644 src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_debug.json create mode 100644 src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_disable_stdio.json create mode 100644 src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_exclude_default_fragment.json create mode 100644 
src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_infrastructure_svn.json create mode 100644 src/confcom/samples/aci/security_context_capabilities_drop/policy_spec.json create mode 100644 src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_debug.json create mode 100644 src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_disable_stdio.json create mode 100644 src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_exclude_default_fragment.json create mode 100644 src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_infrastructure_svn.json create mode 100644 src/confcom/samples/aci/security_context_run_as_group/policy_spec.json create mode 100644 src/confcom/samples/aci/security_context_run_as_group/policy_spec_debug.json create mode 100644 src/confcom/samples/aci/security_context_run_as_group/policy_spec_disable_stdio.json create mode 100644 src/confcom/samples/aci/security_context_run_as_group/policy_spec_exclude_default_fragment.json create mode 100644 src/confcom/samples/aci/security_context_run_as_group/policy_spec_infrastructure_svn.json create mode 100644 src/confcom/samples/aci/security_context_run_as_user/policy_spec.json create mode 100644 src/confcom/samples/aci/security_context_run_as_user/policy_spec_debug.json create mode 100644 src/confcom/samples/aci/security_context_run_as_user/policy_spec_disable_stdio.json create mode 100644 src/confcom/samples/aci/security_context_run_as_user/policy_spec_exclude_default_fragment.json create mode 100644 src/confcom/samples/aci/security_context_run_as_user/policy_spec_infrastructure_svn.json create mode 100644 src/confcom/samples/aci/variables/policy_spec.json create mode 100644 src/confcom/samples/aci/variables/policy_spec_debug.json create mode 100644 src/confcom/samples/aci/variables/policy_spec_disable_stdio.json create mode 100644 src/confcom/samples/aci/variables/policy_spec_exclude_default_fragment.json create mode 
100644 src/confcom/samples/aci/variables/policy_spec_infrastructure_svn.json create mode 100644 src/confcom/samples/aci/volume_mount_secret/policy_spec.json create mode 100644 src/confcom/samples/aci/volume_mount_secret/policy_spec_debug.json create mode 100644 src/confcom/samples/aci/volume_mount_secret/policy_spec_disable_stdio.json create mode 100644 src/confcom/samples/aci/volume_mount_secret/policy_spec_exclude_default_fragment.json create mode 100644 src/confcom/samples/aci/volume_mount_secret/policy_spec_infrastructure_svn.json create mode 100644 src/confcom/samples/aci/volume_mounts/policy_spec.json create mode 100644 src/confcom/samples/aci/volume_mounts/policy_spec_debug.json create mode 100644 src/confcom/samples/aci/volume_mounts/policy_spec_disable_stdio.json create mode 100644 src/confcom/samples/aci/volume_mounts/policy_spec_exclude_default_fragment.json create mode 100644 src/confcom/samples/aci/volume_mounts/policy_spec_infrastructure_svn.json diff --git a/src/confcom/azext_confcom/tests/latest/test_confcom_parse_aci_arm.py b/src/confcom/azext_confcom/tests/latest/test_confcom_parse_aci_arm.py new file mode 100644 index 00000000000..a93b84fc145 --- /dev/null +++ b/src/confcom/azext_confcom/tests/latest/test_confcom_parse_aci_arm.py 
@@ -0,0 +1,65 @@
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# --------------------------------------------------------------------------------------------
+
+import json
+import os
+import pytest
+from itertools import product
+from deepdiff import DeepDiff
+
+from azext_confcom.custom import parse_aci_arm
+
+
+TEST_DIR = os.path.abspath(os.path.join(os.path.abspath(__file__), ".."))
+SAMPLES_ROOT = os.path.abspath(os.path.join(TEST_DIR, "..", "..", "..", "samples", "aci"))
+
+
+ARGS = {
+ "policy_spec.json": {},
+ "policy_spec_debug.json": {"debug_mode": True},
+ "policy_spec_exclude_default_fragment.json": {"exclude_default_fragments": True},
+ "policy_spec_infrastructure_svn.json": {"infrastructure_svn": "99"},
+ "policy_spec_disable_stdio.json": {"disable_stdio": True},
+}
+
+
+@pytest.mark.parametrize(
+ "sample_directory,generated_policy_spec_path",
+ product(os.listdir(SAMPLES_ROOT), ARGS.keys())
+)
+def test_parse_aci_arm(sample_directory, generated_policy_spec_path):
+
+ for failing_sample_directory, failing_generated_policy_path in [
+ ]:
+ if (
+ failing_sample_directory in (None, sample_directory)
+ and failing_generated_policy_path in (None, generated_policy_spec_path)
+ ):
+ pytest.skip("Skipping test due to known issue")
+
+ arm_template_path = os.path.join(SAMPLES_ROOT, sample_directory, "arm_template.json")
+ parameters_path = os.path.join(SAMPLES_ROOT, sample_directory, "parameters.json")
+ if not os.path.isfile(parameters_path):
+ parameters_path = None
+ flags = ARGS[generated_policy_spec_path]
+
+ with open(os.path.join(SAMPLES_ROOT, sample_directory, generated_policy_spec_path), "r", encoding="utf-8") as f:
+ expected_policy_spec = json.load(f)
+
+ actual_policy_spec = parse_aci_arm(
+ arm_template_path=arm_template_path,
+ arm_template_parameters_path=parameters_path,
+ debug_mode=flags.get("debug_mode", False),
+ exclude_default_fragments=flags.get("exclude_default_fragments", False),
+ infrastructure_svn=flags.get("infrastructure_svn", None),
+ disable_stdio=flags.get("disable_stdio", False),
+ approve_wildcards=False,
+ )
+
+ assert DeepDiff(actual_policy_spec, expected_policy_spec, ignore_order=True) == {}, (
+ "Policy generation mismatch, actual output for "
+ f"{os.path.join(sample_directory, generated_policy_spec_path)}:\n"
+ f"{json.dumps(actual_policy_spec, indent=2)}"
+ )
diff --git a/src/confcom/samples/aci/command/policy_spec.json b/src/confcom/samples/aci/command/policy_spec.json
new file mode 100644
index 00000000000..c1ff7371e6e
--- /dev/null
+++ b/src/confcom/samples/aci/command/policy_spec.json
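Review bot: `DeepDiff(actual_policy_spec, expected_policy_spec, ignore_order=True)` ignores ordering in every list of the spec, including each container's `command` array, so a regression that permuted `["/bin/sh", "-c", "while true; do echo hello; sleep 10; done"]` into a different argv would still pass this test; for a policy generator the ordered lists (command, capabilities, mounts) are exactly what should be pinned. Limit the order-insensitivity to the environment-variable entries — the only list whose order the fixtures make look incidental — by sorting those on both sides and comparing strictly, as below, or use deepdiff's `ignore_order_func` if the installed version supports it. The `for failing_sample_directory, failing_generated_policy_path in []:` loop is dead scaffolding over an empty list and reads as though known failures exist; populate it or remove it. `os.listdir(SAMPLES_ROOT)` is evaluated at collection time and will pick up any stray file in `samples/aci` as a sample; `sorted(d for d in os.listdir(SAMPLES_ROOT) if os.path.isdir(os.path.join(SAMPLES_ROOT, d)))` keeps the parameter set deterministic and directory-only.
```python
def _with_sorted_env_vars(policy_spec):
    # Only environment-variable order is treated as insignificant; every other
    # list in the spec (command, capabilities, mounts, fragments) is compared in order.
    for group in policy_spec:
        for container in group.get("containers", []):
            env = container.get("properties", {}).get("environmentVariables")
            if env:
                env.sort(key=lambda e: (e["name"], str(e.get("value", ""))))
    return policy_spec

# … unchanged: parametrization, fixture loading, parse_aci_arm call …

    assert DeepDiff(
        _with_sorted_env_vars(actual_policy_spec),
        _with_sorted_env_vars(expected_policy_spec),
    ) == {}, (
```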
@@ -0,0 +1,99 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "command": [ + "/bin/sh", + "-c", + "while true; do echo hello; sleep 10; done" + ], + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] + } +] diff --git a/src/confcom/samples/aci/command/policy_spec_debug.json b/src/confcom/samples/aci/command/policy_spec_debug.json new file mode 100644 index 00000000000..1887699aa68 --- /dev/null 
+++ b/src/confcom/samples/aci/command/policy_spec_debug.json 
@@ -0,0 +1,113 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "command": [ + "/bin/sh", + "-c", + "while true; do echo hello; sleep 10; done" + ], + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "execProcesses": [ + { + "allow_stdio_access": true, + "command": [ + "/bin/sh" + ] + }, + { + "allow_stdio_access": true, + "command": [ + "/bin/bash" + ] + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] + } +] 
diff --git a/src/confcom/samples/aci/command/policy_spec_disable_stdio.json b/src/confcom/samples/aci/command/policy_spec_disable_stdio.json new file mode 100644 index 00000000000..0134f8e01c5 --- /dev/null +++ b/src/confcom/samples/aci/command/policy_spec_disable_stdio.json 
@@ -0,0 +1,99 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": false, + "command": [ + "/bin/sh", + "-c", + "while true; do echo hello; sleep 10; done" + ], + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] + } +] diff --git a/src/confcom/samples/aci/command/policy_spec_exclude_default_fragment.json b/src/confcom/samples/aci/command/policy_spec_exclude_default_fragment.json new file mode 100644 index 00000000000..501f35e48c5 
--- /dev/null +++ b/src/confcom/samples/aci/command/policy_spec_exclude_default_fragment.json @@ -0,0 +1,88 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "command": [ + "/bin/sh", + "-c", + "while true; do echo hello; sleep 10; done" + ], + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ] + } +] diff --git a/src/confcom/samples/aci/command/policy_spec_infrastructure_svn.json b/src/confcom/samples/aci/command/policy_spec_infrastructure_svn.json new file mode 100644 index 00000000000..10ccc1cf5e3 --- /dev/null +++ b/src/confcom/samples/aci/command/policy_spec_infrastructure_svn.json 
@@ -0,0 +1,99 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "command": [ + "/bin/sh", + "-c", + "while true; do echo hello; sleep 10; done" + ], + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "99" + } + ] + } +] diff --git a/src/confcom/samples/aci/conflicting_variables/policy_spec.json b/src/confcom/samples/aci/conflicting_variables/policy_spec.json new file mode 100644 index 00000000000..f3fa1b10966 --- /dev/null 
+++ b/src/confcom/samples/aci/conflicting_variables/policy_spec.json @@ -0,0 +1,94 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/acc/samples/aci/helloworld@sha256:86da7a2c5e55b72bf6bc7cf465b860e49c075395d854877124de63a9342ac777", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] + } +] diff --git a/src/confcom/samples/aci/conflicting_variables/policy_spec_debug.json b/src/confcom/samples/aci/conflicting_variables/policy_spec_debug.json new file mode 100644 index 00000000000..0f252e6f889 --- /dev/null 
+++ b/src/confcom/samples/aci/conflicting_variables/policy_spec_debug.json @@ -0,0 +1,108 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "execProcesses": [ + { + "allow_stdio_access": true, + "command": [ + "/bin/sh" + ] + }, + { + "allow_stdio_access": true, + "command": [ + "/bin/bash" + ] + } + ], + "image": "mcr.microsoft.com/acc/samples/aci/helloworld@sha256:86da7a2c5e55b72bf6bc7cf465b860e49c075395d854877124de63a9342ac777", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] + } +] 
diff --git a/src/confcom/samples/aci/conflicting_variables/policy_spec_disable_stdio.json b/src/confcom/samples/aci/conflicting_variables/policy_spec_disable_stdio.json
new file mode 100644
index 00000000000..af5f104a49c
--- /dev/null
+++ b/src/confcom/samples/aci/conflicting_variables/policy_spec_disable_stdio.json
@@ -0,0 +1,94 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": false, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/acc/samples/aci/helloworld@sha256:86da7a2c5e55b72bf6bc7cf465b860e49c075395d854877124de63a9342ac777", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] + } +] diff --git a/src/confcom/samples/aci/conflicting_variables/policy_spec_exclude_default_fragment.json b/src/confcom/samples/aci/conflicting_variables/policy_spec_exclude_default_fragment.json new file mode 100644 index 00000000000..cd101792a46 --- /dev/null 
+++ b/src/confcom/samples/aci/conflicting_variables/policy_spec_exclude_default_fragment.json @@ -0,0 +1,83 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/acc/samples/aci/helloworld@sha256:86da7a2c5e55b72bf6bc7cf465b860e49c075395d854877124de63a9342ac777", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ] + } +] diff --git a/src/confcom/samples/aci/conflicting_variables/policy_spec_infrastructure_svn.json b/src/confcom/samples/aci/conflicting_variables/policy_spec_infrastructure_svn.json new file mode 100644 index 00000000000..41cb51a0c1f --- /dev/null +++ b/src/confcom/samples/aci/conflicting_variables/policy_spec_infrastructure_svn.json 
@@ -0,0 +1,94 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/acc/samples/aci/helloworld@sha256:86da7a2c5e55b72bf6bc7cf465b860e49c075395d854877124de63a9342ac777", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "99" + } + ] + } +] diff --git a/src/confcom/samples/aci/container_group_profiles/policy_spec.json b/src/confcom/samples/aci/container_group_profiles/policy_spec.json new file mode 100644 index 00000000000..e9e19db5518 --- /dev/null +++ b/src/confcom/samples/aci/container_group_profiles/policy_spec.json 
@@ -0,0 +1,94 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] + } +] diff --git a/src/confcom/samples/aci/container_group_profiles/policy_spec_debug.json b/src/confcom/samples/aci/container_group_profiles/policy_spec_debug.json new file mode 100644 index 00000000000..5de92ea1974 --- /dev/null +++ b/src/confcom/samples/aci/container_group_profiles/policy_spec_debug.json 
@@ -0,0 +1,108 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "execProcesses": [ + { + "allow_stdio_access": true, + "command": [ + "/bin/sh" + ] + }, + { + "allow_stdio_access": true, + "command": [ + "/bin/bash" + ] + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] + } +] 
diff --git a/src/confcom/samples/aci/container_group_profiles/policy_spec_disable_stdio.json b/src/confcom/samples/aci/container_group_profiles/policy_spec_disable_stdio.json
new file mode 100644
index 00000000000..294c00082d4
--- /dev/null
+++ b/src/confcom/samples/aci/container_group_profiles/policy_spec_disable_stdio.json
@@ -0,0 +1,94 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": false, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] + } +] diff --git a/src/confcom/samples/aci/container_group_profiles/policy_spec_exclude_default_fragment.json b/src/confcom/samples/aci/container_group_profiles/policy_spec_exclude_default_fragment.json new file mode 100644 index 00000000000..088603e0a32 --- /dev/null 
+++ b/src/confcom/samples/aci/container_group_profiles/policy_spec_exclude_default_fragment.json @@ -0,0 +1,83 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ] + } +] diff --git a/src/confcom/samples/aci/container_group_profiles/policy_spec_infrastructure_svn.json b/src/confcom/samples/aci/container_group_profiles/policy_spec_infrastructure_svn.json new file mode 100644 index 00000000000..114fa863305 --- /dev/null +++ b/src/confcom/samples/aci/container_group_profiles/policy_spec_infrastructure_svn.json 
@@ -0,0 +1,94 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "99" + } + ] + } +] diff --git a/src/confcom/samples/aci/default_variables/policy_spec.json b/src/confcom/samples/aci/default_variables/policy_spec.json new file mode 100644 index 00000000000..e9e19db5518 --- /dev/null +++ b/src/confcom/samples/aci/default_variables/policy_spec.json 
@@ -0,0 +1,94 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] + } +] diff --git a/src/confcom/samples/aci/default_variables/policy_spec_debug.json b/src/confcom/samples/aci/default_variables/policy_spec_debug.json new file mode 100644 index 00000000000..5de92ea1974 --- /dev/null +++ b/src/confcom/samples/aci/default_variables/policy_spec_debug.json 
@@ -0,0 +1,108 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "execProcesses": [ + { + "allow_stdio_access": true, + "command": [ + "/bin/sh" + ] + }, + { + "allow_stdio_access": true, + "command": [ + "/bin/bash" + ] + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] + } +] 
diff --git a/src/confcom/samples/aci/default_variables/policy_spec_disable_stdio.json b/src/confcom/samples/aci/default_variables/policy_spec_disable_stdio.json new file mode 100644 index 00000000000..294c00082d4 --- /dev/null +++ b/src/confcom/samples/aci/default_variables/policy_spec_disable_stdio.json @@ -0,0 +1,94 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": false, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] + } +] 
diff --git a/src/confcom/samples/aci/default_variables/policy_spec_exclude_default_fragment.json b/src/confcom/samples/aci/default_variables/policy_spec_exclude_default_fragment.json new file mode 100644 index 00000000000..088603e0a32 --- /dev/null +++ b/src/confcom/samples/aci/default_variables/policy_spec_exclude_default_fragment.json @@ -0,0 +1,83 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ] + } +] diff --git a/src/confcom/samples/aci/default_variables/policy_spec_infrastructure_svn.json b/src/confcom/samples/aci/default_variables/policy_spec_infrastructure_svn.json new file mode 100644 index 00000000000..114fa863305 --- /dev/null 
+++ b/src/confcom/samples/aci/default_variables/policy_spec_infrastructure_svn.json @@ -0,0 +1,94 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "99" + } + ] + } +] diff --git a/src/confcom/samples/aci/default_variables_override/policy_spec.json b/src/confcom/samples/aci/default_variables_override/policy_spec.json new file mode 100644 index 00000000000..f3fa1b10966 --- /dev/null 
+++ b/src/confcom/samples/aci/default_variables_override/policy_spec.json @@ -0,0 +1,94 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/acc/samples/aci/helloworld@sha256:86da7a2c5e55b72bf6bc7cf465b860e49c075395d854877124de63a9342ac777", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] + } +] diff --git a/src/confcom/samples/aci/default_variables_override/policy_spec_debug.json b/src/confcom/samples/aci/default_variables_override/policy_spec_debug.json new file mode 100644 index 00000000000..0f252e6f889 --- /dev/null 
+++ b/src/confcom/samples/aci/default_variables_override/policy_spec_debug.json @@ -0,0 +1,108 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "execProcesses": [ + { + "allow_stdio_access": true, + "command": [ + "/bin/sh" + ] + }, + { + "allow_stdio_access": true, + "command": [ + "/bin/bash" + ] + } + ], + "image": "mcr.microsoft.com/acc/samples/aci/helloworld@sha256:86da7a2c5e55b72bf6bc7cf465b860e49c075395d854877124de63a9342ac777", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] + } +] 
diff --git a/src/confcom/samples/aci/default_variables_override/policy_spec_disable_stdio.json b/src/confcom/samples/aci/default_variables_override/policy_spec_disable_stdio.json new file mode 100644 index 00000000000..af5f104a49c --- /dev/null +++ b/src/confcom/samples/aci/default_variables_override/policy_spec_disable_stdio.json 
@@ -0,0 +1,94 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": false, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/acc/samples/aci/helloworld@sha256:86da7a2c5e55b72bf6bc7cf465b860e49c075395d854877124de63a9342ac777", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] + } +] diff --git a/src/confcom/samples/aci/default_variables_override/policy_spec_exclude_default_fragment.json b/src/confcom/samples/aci/default_variables_override/policy_spec_exclude_default_fragment.json new file mode 100644 index 00000000000..cd101792a46 --- /dev/null 
+++ b/src/confcom/samples/aci/default_variables_override/policy_spec_exclude_default_fragment.json @@ -0,0 +1,83 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/acc/samples/aci/helloworld@sha256:86da7a2c5e55b72bf6bc7cf465b860e49c075395d854877124de63a9342ac777", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ] + } +] diff --git a/src/confcom/samples/aci/default_variables_override/policy_spec_infrastructure_svn.json b/src/confcom/samples/aci/default_variables_override/policy_spec_infrastructure_svn.json new file mode 100644 index 00000000000..41cb51a0c1f --- /dev/null +++ b/src/confcom/samples/aci/default_variables_override/policy_spec_infrastructure_svn.json 
@@ -0,0 +1,94 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/acc/samples/aci/helloworld@sha256:86da7a2c5e55b72bf6bc7cf465b860e49c075395d854877124de63a9342ac777", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "99" + } + ] + } +] diff --git a/src/confcom/samples/aci/environment_variables/policy_spec.json b/src/confcom/samples/aci/environment_variables/policy_spec.json new file mode 100644 index 00000000000..2ada0e616af --- /dev/null +++ b/src/confcom/samples/aci/environment_variables/policy_spec.json 
@@ -0,0 +1,100 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "MY_VAR", + "required": false, + "strategy": "string", + "value": "MY_VAL" + }, + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] + } +] diff --git a/src/confcom/samples/aci/environment_variables/policy_spec_debug.json b/src/confcom/samples/aci/environment_variables/policy_spec_debug.json new file mode 100644 index 00000000000..e3b01877b20 
--- /dev/null +++ b/src/confcom/samples/aci/environment_variables/policy_spec_debug.json 
@@ -0,0 +1,114 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "MY_VAR", + "required": false, + "strategy": "string", + "value": "MY_VAL" + }, + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "execProcesses": [ + { + "allow_stdio_access": true, + "command": [ + "/bin/sh" + ] + }, + { + "allow_stdio_access": true, + "command": [ + "/bin/bash" + ] + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] + } +] 
diff --git a/src/confcom/samples/aci/environment_variables/policy_spec_disable_stdio.json b/src/confcom/samples/aci/environment_variables/policy_spec_disable_stdio.json new file mode 100644 index 00000000000..5899b6a3e69 --- /dev/null +++ b/src/confcom/samples/aci/environment_variables/policy_spec_disable_stdio.json 
@@ -0,0 +1,100 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": false, + "environmentVariables": [ + { + "name": "MY_VAR", + "required": false, + "strategy": "string", + "value": "MY_VAL" + }, + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] + } +] 
diff --git a/src/confcom/samples/aci/environment_variables/policy_spec_exclude_default_fragment.json b/src/confcom/samples/aci/environment_variables/policy_spec_exclude_default_fragment.json new file mode 100644 index 00000000000..d3e9db77c72 --- /dev/null +++ b/src/confcom/samples/aci/environment_variables/policy_spec_exclude_default_fragment.json @@ -0,0 +1,89 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "MY_VAR", + "required": false, + "strategy": "string", + "value": "MY_VAL" + }, + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ] + } +] 
diff --git a/src/confcom/samples/aci/environment_variables/policy_spec_infrastructure_svn.json b/src/confcom/samples/aci/environment_variables/policy_spec_infrastructure_svn.json new file mode 100644 index 00000000000..6aa8c1f1faa --- /dev/null +++ b/src/confcom/samples/aci/environment_variables/policy_spec_infrastructure_svn.json 
@@ -0,0 +1,100 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "MY_VAR", + "required": false, + "strategy": "string", + "value": "MY_VAL" + }, + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "99" + } + ] + } +] diff --git a/src/confcom/samples/aci/minimal/policy_spec.json b/src/confcom/samples/aci/minimal/policy_spec.json new file mode 100644 index 00000000000..e9e19db5518 --- /dev/null 
+++ b/src/confcom/samples/aci/minimal/policy_spec.json @@ -0,0 +1,94 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] + } +] diff --git a/src/confcom/samples/aci/minimal/policy_spec_debug.json b/src/confcom/samples/aci/minimal/policy_spec_debug.json new file mode 100644 index 00000000000..5de92ea1974 --- /dev/null +++ b/src/confcom/samples/aci/minimal/policy_spec_debug.json 
@@ -0,0 +1,108 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "execProcesses": [ + { + "allow_stdio_access": true, + "command": [ + "/bin/sh" + ] + }, + { + "allow_stdio_access": true, + "command": [ + "/bin/bash" + ] + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] + } +] 
diff --git a/src/confcom/samples/aci/minimal/policy_spec_disable_stdio.json b/src/confcom/samples/aci/minimal/policy_spec_disable_stdio.json new file mode 100644 index 00000000000..294c00082d4 --- /dev/null +++ b/src/confcom/samples/aci/minimal/policy_spec_disable_stdio.json @@ -0,0 +1,94 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": false, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] + } +] 
diff --git a/src/confcom/samples/aci/minimal/policy_spec_exclude_default_fragment.json b/src/confcom/samples/aci/minimal/policy_spec_exclude_default_fragment.json new file mode 100644 index 00000000000..088603e0a32 --- /dev/null +++ b/src/confcom/samples/aci/minimal/policy_spec_exclude_default_fragment.json @@ -0,0 +1,83 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ] + } +] diff --git a/src/confcom/samples/aci/minimal/policy_spec_infrastructure_svn.json b/src/confcom/samples/aci/minimal/policy_spec_infrastructure_svn.json new file mode 100644 index 00000000000..114fa863305 --- /dev/null 
+++ b/src/confcom/samples/aci/minimal/policy_spec_infrastructure_svn.json @@ -0,0 +1,94 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "99" + } + ] + } +] diff --git a/src/confcom/samples/aci/multi_container_groups/policy_spec.json b/src/confcom/samples/aci/multi_container_groups/policy_spec.json new file mode 100644 index 00000000000..5fbd021214f --- /dev/null 
+++ b/src/confcom/samples/aci/multi_container_groups/policy_spec.json 
@@ -0,0 +1,186 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] + }, + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, 
+ { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] + } +] diff --git a/src/confcom/samples/aci/multi_container_groups/policy_spec_debug.json b/src/confcom/samples/aci/multi_container_groups/policy_spec_debug.json new file mode 100644 index 00000000000..73636eff9c7 --- /dev/null +++ b/src/confcom/samples/aci/multi_container_groups/policy_spec_debug.json 
@@ -0,0 +1,214 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "execProcesses": [ + { + "allow_stdio_access": true, + "command": [ + "/bin/sh" + ] + }, + { + "allow_stdio_access": true, + "command": [ + "/bin/bash" + ] + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] + }, + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": 
"TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "execProcesses": [ + { + "allow_stdio_access": true, + "command": [ + "/bin/sh" + ] + }, + { + "allow_stdio_access": true, + "command": [ + "/bin/bash" + ] + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] + } +] diff --git a/src/confcom/samples/aci/multi_container_groups/policy_spec_disable_stdio.json b/src/confcom/samples/aci/multi_container_groups/policy_spec_disable_stdio.json new file mode 100644 index 00000000000..805e716069f --- /dev/null 
+++ b/src/confcom/samples/aci/multi_container_groups/policy_spec_disable_stdio.json 
@@ -0,0 +1,186 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": false, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] + }, + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": false, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + 
}, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] + } +] diff --git a/src/confcom/samples/aci/multi_container_groups/policy_spec_exclude_default_fragment.json b/src/confcom/samples/aci/multi_container_groups/policy_spec_exclude_default_fragment.json new file mode 100644 index 00000000000..cd494a812ed --- /dev/null +++ b/src/confcom/samples/aci/multi_container_groups/policy_spec_exclude_default_fragment.json 
@@ -0,0 +1,164 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ] + }, + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + 
"value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ] + } +] diff --git a/src/confcom/samples/aci/multi_container_groups/policy_spec_infrastructure_svn.json b/src/confcom/samples/aci/multi_container_groups/policy_spec_infrastructure_svn.json new file mode 100644 index 00000000000..57342aa3600 --- /dev/null +++ b/src/confcom/samples/aci/multi_container_groups/policy_spec_infrastructure_svn.json 
@@ -0,0 +1,186 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "99" + } + ] + }, + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + 
}, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "99" + } + ] + } +] diff --git a/src/confcom/samples/aci/multi_containers/policy_spec.json b/src/confcom/samples/aci/multi_containers/policy_spec.json new file mode 100644 index 00000000000..877e898ad5d --- /dev/null +++ b/src/confcom/samples/aci/multi_containers/policy_spec.json 
@@ -0,0 +1,171 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + }, + { + "name": "container2", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": 
"HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] + } +] diff --git a/src/confcom/samples/aci/multi_containers/policy_spec_debug.json b/src/confcom/samples/aci/multi_containers/policy_spec_debug.json new file mode 100644 index 00000000000..82eb27468b4 --- /dev/null +++ b/src/confcom/samples/aci/multi_containers/policy_spec_debug.json 
@@ -0,0 +1,199 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "execProcesses": [ + { + "allow_stdio_access": true, + "command": [ + "/bin/sh" + ] + }, + { + "allow_stdio_access": true, + "command": [ + "/bin/bash" + ] + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + }, + { + "name": "container2", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": 
false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "execProcesses": [ + { + "allow_stdio_access": true, + "command": [ + "/bin/sh" + ] + }, + { + "allow_stdio_access": true, + "command": [ + "/bin/bash" + ] + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] + } +] diff --git a/src/confcom/samples/aci/multi_containers/policy_spec_disable_stdio.json b/src/confcom/samples/aci/multi_containers/policy_spec_disable_stdio.json new file mode 100644 index 00000000000..f8931409f45 --- /dev/null +++ b/src/confcom/samples/aci/multi_containers/policy_spec_disable_stdio.json 
@@ -0,0 +1,171 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": false, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + }, + { + "name": "container2", + "properties": { + "allowStdioAccess": false, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": 
"HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] + } +] diff --git a/src/confcom/samples/aci/multi_containers/policy_spec_exclude_default_fragment.json b/src/confcom/samples/aci/multi_containers/policy_spec_exclude_default_fragment.json new file mode 100644 index 00000000000..4c6084de7a4 --- /dev/null +++ b/src/confcom/samples/aci/multi_containers/policy_spec_exclude_default_fragment.json 
@@ -0,0 +1,160 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + }, + { + "name": "container2", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": 
"HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ] + } +] diff --git a/src/confcom/samples/aci/multi_containers/policy_spec_infrastructure_svn.json b/src/confcom/samples/aci/multi_containers/policy_spec_infrastructure_svn.json new file mode 100644 index 00000000000..d5dadc66b4c --- /dev/null +++ b/src/confcom/samples/aci/multi_containers/policy_spec_infrastructure_svn.json 
@@ -0,0 +1,171 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + }, + { + "name": "container2", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": 
"HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "99" + } + ] + } +] diff --git a/src/confcom/samples/aci/security_context_capabilities_add/policy_spec.json b/src/confcom/samples/aci/security_context_capabilities_add/policy_spec.json new file mode 100644 index 00000000000..1ce5021de2e --- /dev/null +++ b/src/confcom/samples/aci/security_context_capabilities_add/policy_spec.json 
@@ -0,0 +1,102 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "securityContext": { + "capabilities": { + "add": [ + "CAP_SYS_TIME", + "CAP_DAC_READ_SEARCH" + ] + } + }, + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] + } +] 
diff --git a/src/confcom/samples/aci/security_context_capabilities_add/policy_spec_debug.json b/src/confcom/samples/aci/security_context_capabilities_add/policy_spec_debug.json new file mode 100644 index 00000000000..ba65d88f134 --- /dev/null +++ b/src/confcom/samples/aci/security_context_capabilities_add/policy_spec_debug.json 
@@ -0,0 +1,116 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "execProcesses": [ + { + "allow_stdio_access": true, + "command": [ + "/bin/sh" + ] + }, + { + "allow_stdio_access": true, + "command": [ + "/bin/bash" + ] + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "securityContext": { + "capabilities": { + "add": [ + "CAP_SYS_TIME", + "CAP_DAC_READ_SEARCH" + ] + } + }, + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] + } +] 
diff --git a/src/confcom/samples/aci/security_context_capabilities_add/policy_spec_disable_stdio.json b/src/confcom/samples/aci/security_context_capabilities_add/policy_spec_disable_stdio.json new file mode 100644 index 00000000000..6ff549d70b5 --- /dev/null +++ b/src/confcom/samples/aci/security_context_capabilities_add/policy_spec_disable_stdio.json 
@@ -0,0 +1,102 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": false, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "securityContext": { + "capabilities": { + "add": [ + "CAP_SYS_TIME", + "CAP_DAC_READ_SEARCH" + ] + } + }, + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] + } +] 
diff --git a/src/confcom/samples/aci/security_context_capabilities_add/policy_spec_exclude_default_fragment.json b/src/confcom/samples/aci/security_context_capabilities_add/policy_spec_exclude_default_fragment.json new file mode 100644 index 00000000000..da524699682 --- /dev/null +++ b/src/confcom/samples/aci/security_context_capabilities_add/policy_spec_exclude_default_fragment.json @@ -0,0 +1,91 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "securityContext": { + "capabilities": { + "add": [ + "CAP_SYS_TIME", + "CAP_DAC_READ_SEARCH" + ] + } + }, + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ] + } +] 
diff --git a/src/confcom/samples/aci/security_context_capabilities_add/policy_spec_infrastructure_svn.json b/src/confcom/samples/aci/security_context_capabilities_add/policy_spec_infrastructure_svn.json new file mode 100644 index 00000000000..77c33ceb10d --- /dev/null +++ b/src/confcom/samples/aci/security_context_capabilities_add/policy_spec_infrastructure_svn.json 
@@ -0,0 +1,102 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "securityContext": { + "capabilities": { + "add": [ + "CAP_SYS_TIME", + "CAP_DAC_READ_SEARCH" + ] + } + }, + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "99" + } + ] + } +] 
diff --git a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec.json b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec.json new file mode 100644 index 00000000000..6e3308db119 --- /dev/null +++ b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec.json 
@@ -0,0 +1,106 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "securityContext": { + "capabilities": { + "add": [ + "CAP_SYS_TIME", + "CAP_DAC_READ_SEARCH" + ], + "drop": [ + "CAP_CHOWN", + "CAP_KILL" + ] + } + }, + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] + } +] 
diff --git a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_debug.json b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_debug.json new file mode 100644 index 00000000000..4a68a1f5fe4 --- /dev/null +++ b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_debug.json 
@@ -0,0 +1,120 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "execProcesses": [ + { + "allow_stdio_access": true, + "command": [ + "/bin/sh" + ] + }, + { + "allow_stdio_access": true, + "command": [ + "/bin/bash" + ] + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "securityContext": { + "capabilities": { + "add": [ + "CAP_SYS_TIME", + "CAP_DAC_READ_SEARCH" + ], + "drop": [ + "CAP_CHOWN", + "CAP_KILL" + ] + } + }, + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + 
} + ] + } +] diff --git a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_disable_stdio.json b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_disable_stdio.json new file mode 100644 index 00000000000..60816dc4644 --- /dev/null +++ b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_disable_stdio.json 
@@ -0,0 +1,106 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": false, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "securityContext": { + "capabilities": { + "add": [ + "CAP_SYS_TIME", + "CAP_DAC_READ_SEARCH" + ], + "drop": [ + "CAP_CHOWN", + "CAP_KILL" + ] + } + }, + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] + } +] 
diff --git a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_exclude_default_fragment.json b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_exclude_default_fragment.json new file mode 100644 index 00000000000..751f5a9c903 --- /dev/null +++ b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_exclude_default_fragment.json @@ -0,0 +1,95 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "securityContext": { + "capabilities": { + "add": [ + "CAP_SYS_TIME", + "CAP_DAC_READ_SEARCH" + ], + "drop": [ + "CAP_CHOWN", + "CAP_KILL" + ] + } + }, + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ] + } +] 
diff --git a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_infrastructure_svn.json b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_infrastructure_svn.json new file mode 100644 index 00000000000..1509f3f269d --- /dev/null +++ b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_infrastructure_svn.json 
@@ -0,0 +1,106 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "securityContext": { + "capabilities": { + "add": [ + "CAP_SYS_TIME", + "CAP_DAC_READ_SEARCH" + ], + "drop": [ + "CAP_CHOWN", + "CAP_KILL" + ] + } + }, + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "99" + } + ] + } +] 
diff --git a/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec.json b/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec.json new file mode 100644 index 00000000000..5152083c85e --- /dev/null +++ b/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec.json 
@@ -0,0 +1,102 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "securityContext": { + "capabilities": { + "drop": [ + "CAP_CHOWN", + "CAP_KILL" + ] + } + }, + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] + } +] 
diff --git a/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_debug.json b/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_debug.json new file mode 100644 index 00000000000..4016c4b7bd5 --- /dev/null +++ b/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_debug.json 
@@ -0,0 +1,116 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "execProcesses": [ + { + "allow_stdio_access": true, + "command": [ + "/bin/sh" + ] + }, + { + "allow_stdio_access": true, + "command": [ + "/bin/bash" + ] + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "securityContext": { + "capabilities": { + "drop": [ + "CAP_CHOWN", + "CAP_KILL" + ] + } + }, + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] + } +] 
diff --git a/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_disable_stdio.json b/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_disable_stdio.json new file mode 100644 index 00000000000..e674d085793 --- /dev/null +++ b/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_disable_stdio.json 
@@ -0,0 +1,102 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": false, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "securityContext": { + "capabilities": { + "drop": [ + "CAP_CHOWN", + "CAP_KILL" + ] + } + }, + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] + } +] 
diff --git a/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_exclude_default_fragment.json b/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_exclude_default_fragment.json new file mode 100644 index 00000000000..00176a897f8 --- /dev/null +++ b/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_exclude_default_fragment.json @@ -0,0 +1,91 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "securityContext": { + "capabilities": { + "drop": [ + "CAP_CHOWN", + "CAP_KILL" + ] + } + }, + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ] + } +] 
diff --git a/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_infrastructure_svn.json b/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_infrastructure_svn.json new file mode 100644 index 00000000000..6c5d18358de --- /dev/null +++ b/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_infrastructure_svn.json 
@@ -0,0 +1,102 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "securityContext": { + "capabilities": { + "drop": [ + "CAP_CHOWN", + "CAP_KILL" + ] + } + }, + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "99" + } + ] + } +] diff --git a/src/confcom/samples/aci/security_context_run_as_group/policy_spec.json b/src/confcom/samples/aci/security_context_run_as_group/policy_spec.json new file mode 100644 index 00000000000..6c5c107d06a 
--- /dev/null +++ b/src/confcom/samples/aci/security_context_run_as_group/policy_spec.json @@ -0,0 +1,97 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "securityContext": { + "runAsGroup": 4567 + }, + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] + } +] 
diff --git a/src/confcom/samples/aci/security_context_run_as_group/policy_spec_debug.json b/src/confcom/samples/aci/security_context_run_as_group/policy_spec_debug.json new file mode 100644 index 00000000000..a1a4cf20296 --- /dev/null +++ b/src/confcom/samples/aci/security_context_run_as_group/policy_spec_debug.json 
@@ -0,0 +1,111 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "execProcesses": [ + { + "allow_stdio_access": true, + "command": [ + "/bin/sh" + ] + }, + { + "allow_stdio_access": true, + "command": [ + "/bin/bash" + ] + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "securityContext": { + "runAsGroup": 4567 + }, + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] + } +] 
diff --git a/src/confcom/samples/aci/security_context_run_as_group/policy_spec_disable_stdio.json b/src/confcom/samples/aci/security_context_run_as_group/policy_spec_disable_stdio.json new file mode 100644 index 00000000000..5a17856bcca --- /dev/null +++ b/src/confcom/samples/aci/security_context_run_as_group/policy_spec_disable_stdio.json 
@@ -0,0 +1,97 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": false, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "securityContext": { + "runAsGroup": 4567 + }, + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] + } +] diff --git a/src/confcom/samples/aci/security_context_run_as_group/policy_spec_exclude_default_fragment.json b/src/confcom/samples/aci/security_context_run_as_group/policy_spec_exclude_default_fragment.json new file mode 100644 index 00000000000..dcbe20d1e5c 
--- /dev/null +++ b/src/confcom/samples/aci/security_context_run_as_group/policy_spec_exclude_default_fragment.json @@ -0,0 +1,86 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "securityContext": { + "runAsGroup": 4567 + }, + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ] + } +] diff --git a/src/confcom/samples/aci/security_context_run_as_group/policy_spec_infrastructure_svn.json b/src/confcom/samples/aci/security_context_run_as_group/policy_spec_infrastructure_svn.json new file mode 100644 index 00000000000..c7fafffd4ac --- /dev/null +++ b/src/confcom/samples/aci/security_context_run_as_group/policy_spec_infrastructure_svn.json 
@@ -0,0 +1,97 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "securityContext": { + "runAsGroup": 4567 + }, + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "99" + } + ] + } +] diff --git a/src/confcom/samples/aci/security_context_run_as_user/policy_spec.json b/src/confcom/samples/aci/security_context_run_as_user/policy_spec.json new file mode 100644 index 00000000000..43ca0455645 --- /dev/null 
+++ b/src/confcom/samples/aci/security_context_run_as_user/policy_spec.json @@ -0,0 +1,97 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "securityContext": { + "runAsUser": 1234 + }, + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] + } +] 
diff --git a/src/confcom/samples/aci/security_context_run_as_user/policy_spec_debug.json b/src/confcom/samples/aci/security_context_run_as_user/policy_spec_debug.json new file mode 100644 index 00000000000..48a560a95b4 --- /dev/null +++ b/src/confcom/samples/aci/security_context_run_as_user/policy_spec_debug.json 
@@ -0,0 +1,111 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "execProcesses": [ + { + "allow_stdio_access": true, + "command": [ + "/bin/sh" + ] + }, + { + "allow_stdio_access": true, + "command": [ + "/bin/bash" + ] + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "securityContext": { + "runAsUser": 1234 + }, + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] + } +] 
diff --git a/src/confcom/samples/aci/security_context_run_as_user/policy_spec_disable_stdio.json b/src/confcom/samples/aci/security_context_run_as_user/policy_spec_disable_stdio.json new file mode 100644 index 00000000000..6291f2d79be --- /dev/null +++ b/src/confcom/samples/aci/security_context_run_as_user/policy_spec_disable_stdio.json 
@@ -0,0 +1,97 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": false, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "securityContext": { + "runAsUser": 1234 + }, + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] + } +] diff --git a/src/confcom/samples/aci/security_context_run_as_user/policy_spec_exclude_default_fragment.json b/src/confcom/samples/aci/security_context_run_as_user/policy_spec_exclude_default_fragment.json new file mode 100644 index 00000000000..44e77cd435e 
--- /dev/null +++ b/src/confcom/samples/aci/security_context_run_as_user/policy_spec_exclude_default_fragment.json @@ -0,0 +1,86 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "securityContext": { + "runAsUser": 1234 + }, + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ] + } +] diff --git a/src/confcom/samples/aci/security_context_run_as_user/policy_spec_infrastructure_svn.json b/src/confcom/samples/aci/security_context_run_as_user/policy_spec_infrastructure_svn.json new file mode 100644 index 00000000000..6297d212c0b --- /dev/null +++ b/src/confcom/samples/aci/security_context_run_as_user/policy_spec_infrastructure_svn.json 
@@ -0,0 +1,97 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "securityContext": { + "runAsUser": 1234 + }, + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "99" + } + ] + } +] diff --git a/src/confcom/samples/aci/variables/policy_spec.json b/src/confcom/samples/aci/variables/policy_spec.json new file mode 100644 index 00000000000..e9e19db5518 --- /dev/null +++ b/src/confcom/samples/aci/variables/policy_spec.json 
@@ -0,0 +1,94 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] + } +] diff --git a/src/confcom/samples/aci/variables/policy_spec_debug.json b/src/confcom/samples/aci/variables/policy_spec_debug.json new file mode 100644 index 00000000000..5de92ea1974 --- /dev/null +++ b/src/confcom/samples/aci/variables/policy_spec_debug.json 
@@ -0,0 +1,108 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "execProcesses": [ + { + "allow_stdio_access": true, + "command": [ + "/bin/sh" + ] + }, + { + "allow_stdio_access": true, + "command": [ + "/bin/bash" + ] + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] + } +] 
diff --git a/src/confcom/samples/aci/variables/policy_spec_disable_stdio.json b/src/confcom/samples/aci/variables/policy_spec_disable_stdio.json new file mode 100644 index 00000000000..294c00082d4 --- /dev/null +++ b/src/confcom/samples/aci/variables/policy_spec_disable_stdio.json @@ -0,0 +1,94 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": false, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] + } +] 
diff --git a/src/confcom/samples/aci/variables/policy_spec_exclude_default_fragment.json b/src/confcom/samples/aci/variables/policy_spec_exclude_default_fragment.json new file mode 100644 index 00000000000..088603e0a32 --- /dev/null +++ b/src/confcom/samples/aci/variables/policy_spec_exclude_default_fragment.json @@ -0,0 +1,83 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ] + } +] diff --git a/src/confcom/samples/aci/variables/policy_spec_infrastructure_svn.json b/src/confcom/samples/aci/variables/policy_spec_infrastructure_svn.json new file mode 100644 index 00000000000..114fa863305 --- /dev/null 
+++ b/src/confcom/samples/aci/variables/policy_spec_infrastructure_svn.json @@ -0,0 +1,94 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "99" + } + ] + } +] diff --git a/src/confcom/samples/aci/volume_mount_secret/policy_spec.json b/src/confcom/samples/aci/volume_mount_secret/policy_spec.json new file mode 100644 index 00000000000..7948b8c6af4 --- /dev/null 
+++ b/src/confcom/samples/aci/volume_mount_secret/policy_spec.json @@ -0,0 +1,99 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/aci/secret", + "mountType": "secret", + "readonly": true + }, + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] + } +] 
diff --git a/src/confcom/samples/aci/volume_mount_secret/policy_spec_debug.json b/src/confcom/samples/aci/volume_mount_secret/policy_spec_debug.json new file mode 100644 index 00000000000..5d5abcc2f18 --- /dev/null +++ b/src/confcom/samples/aci/volume_mount_secret/policy_spec_debug.json 
@@ -0,0 +1,113 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "execProcesses": [ + { + "allow_stdio_access": true, + "command": [ + "/bin/sh" + ] + }, + { + "allow_stdio_access": true, + "command": [ + "/bin/bash" + ] + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/aci/secret", + "mountType": "secret", + "readonly": true + }, + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] + } +] 
diff --git a/src/confcom/samples/aci/volume_mount_secret/policy_spec_disable_stdio.json b/src/confcom/samples/aci/volume_mount_secret/policy_spec_disable_stdio.json new file mode 100644 index 00000000000..2ff9bd29237 --- /dev/null +++ b/src/confcom/samples/aci/volume_mount_secret/policy_spec_disable_stdio.json 
@@ -0,0 +1,99 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": false, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/aci/secret", + "mountType": "secret", + "readonly": true + }, + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] + } +] 
diff --git a/src/confcom/samples/aci/volume_mount_secret/policy_spec_exclude_default_fragment.json b/src/confcom/samples/aci/volume_mount_secret/policy_spec_exclude_default_fragment.json new file mode 100644 index 00000000000..da4371bbb1a --- /dev/null +++ b/src/confcom/samples/aci/volume_mount_secret/policy_spec_exclude_default_fragment.json @@ -0,0 +1,88 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/aci/secret", + "mountType": "secret", + "readonly": true + }, + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ] + } +] 
diff --git a/src/confcom/samples/aci/volume_mount_secret/policy_spec_infrastructure_svn.json b/src/confcom/samples/aci/volume_mount_secret/policy_spec_infrastructure_svn.json new file mode 100644 index 00000000000..1d1ee2e8156 --- /dev/null +++ b/src/confcom/samples/aci/volume_mount_secret/policy_spec_infrastructure_svn.json 
@@ -0,0 +1,99 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/aci/secret", + "mountType": "secret", + "readonly": true + }, + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "99" + } + ] + } +] diff --git a/src/confcom/samples/aci/volume_mounts/policy_spec.json b/src/confcom/samples/aci/volume_mounts/policy_spec.json new file mode 100644 index 00000000000..9778b66ca97 --- /dev/null 
+++ b/src/confcom/samples/aci/volume_mounts/policy_spec.json @@ -0,0 +1,99 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/aci/logs", + "mountType": "azureFile", + "readonly": false + }, + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] + } +] 
diff --git a/src/confcom/samples/aci/volume_mounts/policy_spec_debug.json b/src/confcom/samples/aci/volume_mounts/policy_spec_debug.json new file mode 100644 index 00000000000..150318ce7e1 --- /dev/null +++ b/src/confcom/samples/aci/volume_mounts/policy_spec_debug.json 
@@ -0,0 +1,113 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "execProcesses": [ + { + "allow_stdio_access": true, + "command": [ + "/bin/sh" + ] + }, + { + "allow_stdio_access": true, + "command": [ + "/bin/bash" + ] + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/aci/logs", + "mountType": "azureFile", + "readonly": false + }, + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] + } +] 
diff --git a/src/confcom/samples/aci/volume_mounts/policy_spec_disable_stdio.json b/src/confcom/samples/aci/volume_mounts/policy_spec_disable_stdio.json new file mode 100644 index 00000000000..6f4b2759dc5 --- /dev/null +++ b/src/confcom/samples/aci/volume_mounts/policy_spec_disable_stdio.json 
@@ -0,0 +1,99 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": false, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/aci/logs", + "mountType": "azureFile", + "readonly": false + }, + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] + } +] 
diff --git a/src/confcom/samples/aci/volume_mounts/policy_spec_exclude_default_fragment.json b/src/confcom/samples/aci/volume_mounts/policy_spec_exclude_default_fragment.json new file mode 100644 index 00000000000..ad0a34848aa --- /dev/null +++ b/src/confcom/samples/aci/volume_mounts/policy_spec_exclude_default_fragment.json @@ -0,0 +1,88 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/aci/logs", + "mountType": "azureFile", + "readonly": false + }, + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ] + } +] 
diff --git a/src/confcom/samples/aci/volume_mounts/policy_spec_infrastructure_svn.json b/src/confcom/samples/aci/volume_mounts/policy_spec_infrastructure_svn.json new file mode 100644 index 00000000000..2b1403a9360 --- /dev/null +++ b/src/confcom/samples/aci/volume_mounts/policy_spec_infrastructure_svn.json 
@@ -0,0 +1,99 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "allowStdioAccess": true, + "environmentVariables": [ + { + "name": "TERM", + "required": false, + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "required": false, + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "required": false, + "strategy": "re2", + "value": ".+" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/aci/logs", + "mountType": "azureFile", + "readonly": false + }, + { + "mountPath": "/etc/resolv.conf", + "mountType": "resolvconf", + "name": "dns_resolve", + "readonly": false + } + ] + } + } + ], + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "99" + } + ] + } +] From dd2090f2a8cfcf319bb1fbb04d8e3c0f4a47f7c7 Mon Sep 17 00:00:00 2001 
From: Dominic Ayre Date: Fri, 26 Sep 2025 12:56:35 +0000 Subject: [PATCH 03/16] Add tests from generated policy specs to policies --- src/confcom/azext_confcom/security_policy.py | 255 +++++++++--------- ...en_arm.py => test_confcom_acipolicygen.py} | 43 ++- 2 files changed, 175 insertions(+), 123 deletions(-) rename src/confcom/azext_confcom/tests/latest/{test_confcom_acipolicygen_arm.py => test_confcom_acipolicygen.py} (66%) diff --git a/src/confcom/azext_confcom/security_policy.py b/src/confcom/azext_confcom/security_policy.py index 0ddcb1dfb7a..90685e45b44 100644 --- a/src/confcom/azext_confcom/security_policy.py +++ b/src/confcom/azext_confcom/security_policy.py 
@@ -751,161 +751,172 @@ def load_policy_from_json( disable_stdio: bool = False, infrastructure_svn: str = None, exclude_default_fragments: bool = False, -) -> AciPolicy: +) -> List[AciPolicy]: output_containers = [] # 1) Parse incoming string as JSON policy_input_json = os_util.load_json_from_str(data) - if not isinstance(policy_input_json, dict): - eprint("Input JSON is not a valid dictionary") - is_old_format = detect_old_format(policy_input_json) - if is_old_format: - policy_input_json = convert_config_v0_to_v1(policy_input_json) + if not isinstance(policy_input_json, list): + policy_input_json = [policy_input_json] - # 2) Extract top-level fields - input_containers = case_insensitive_dict_get( - policy_input_json, config.ACI_FIELD_CONTAINERS - ) or [] + policies = [] - version = case_insensitive_dict_get( - policy_input_json, config.ACI_FIELD_VERSION - ) + for policy_spec in policy_input_json: + if not isinstance(policy_spec, dict): + eprint("Input JSON is not a valid dictionary") - if not version: - version = "1.0" - policy_input_json[config.ACI_FIELD_VERSION] = "1.0" + is_old_format = detect_old_format(policy_spec) + if is_old_format: + policy_spec = convert_config_v0_to_v1(policy_spec) - rego_fragments = case_insensitive_dict_get( - policy_input_json, config.ACI_FIELD_CONTAINERS_REGO_FRAGMENTS - ) or [] + # 2) Extract top-level fields + input_containers = case_insensitive_dict_get( + policy_spec, config.ACI_FIELD_CONTAINERS + ) or [] - scenario = case_insensitive_dict_get( - policy_input_json, config.ACI_FIELD_SCENARIO - ) or "" + version = case_insensitive_dict_get( + policy_spec, config.ACI_FIELD_VERSION + ) - # 3) Process rego_fragments - standalone_rego_fragments = case_insensitive_dict_get( - policy_input_json, config.ACI_FIELD_TEMPLATE_STANDALONE_REGO_FRAGMENTS - ) + if not version: + version = "1.0" + policy_spec[config.ACI_FIELD_VERSION] = "1.0" - if rego_fragments: - process_fragment_imports(rego_fragments) + rego_fragments = 
case_insensitive_dict_get( + policy_spec, config.ACI_FIELD_CONTAINERS_REGO_FRAGMENTS + ) or [] - if standalone_rego_fragments: - rego_fragments.extend(standalone_rego_fragments) + scenario = case_insensitive_dict_get( + policy_spec, config.ACI_FIELD_SCENARIO + ) or "" - if not input_containers and not rego_fragments: - eprint( - f'Field ["{config.ACI_FIELD_CONTAINERS}"]' + - f' and field ["{config.ACI_FIELD_CONTAINERS_REGO_FRAGMENTS}"] can not both be empty.' + # 3) Process rego_fragments + standalone_rego_fragments = case_insensitive_dict_get( + policy_spec, config.ACI_FIELD_TEMPLATE_STANDALONE_REGO_FRAGMENTS ) - for container in input_containers: - container_properties = case_insensitive_dict_get( - container, config.ACI_FIELD_TEMPLATE_PROPERTIES - ) + if rego_fragments: + process_fragment_imports(rego_fragments) - image_name = case_insensitive_dict_get( - container_properties, config.ACI_FIELD_TEMPLATE_IMAGE - ) + if standalone_rego_fragments: + rego_fragments.extend(standalone_rego_fragments) - if not image_name: + if not input_containers and not rego_fragments: eprint( - f'Field ["{config.ACI_FIELD_TEMPLATE_IMAGE}"] is empty or cannot be found' + f'Field ["{config.ACI_FIELD_CONTAINERS}"]' + + f' and field ["{config.ACI_FIELD_CONTAINERS_REGO_FRAGMENTS}"] can not both be empty.' 
) - container_name = case_insensitive_dict_get( - container, config.ACI_FIELD_CONTAINERS_NAME - ) or image_name + for container in input_containers: + container_properties = case_insensitive_dict_get( + container, config.ACI_FIELD_TEMPLATE_PROPERTIES + ) - if not container_name: - eprint(f'Field ["{config.ACI_FIELD_CONTAINERS_NAME}"] is empty or cannot be found') + image_name = case_insensitive_dict_get( + container_properties, config.ACI_FIELD_TEMPLATE_IMAGE + ) - exec_processes = case_insensitive_dict_get( - container_properties, config.ACI_FIELD_CONTAINERS_EXEC_PROCESSES - ) or [] + if not image_name: + eprint( + f'Field ["{config.ACI_FIELD_TEMPLATE_IMAGE}"] is empty or cannot be found' + ) - # add the signal section if it's not present - for exec_process in exec_processes: - if config.ACI_FIELD_CONTAINERS_SIGNAL_CONTAINER_PROCESSES not in exec_process: - exec_process[config.ACI_FIELD_CONTAINERS_SIGNAL_CONTAINER_PROCESSES] = [] + container_name = case_insensitive_dict_get( + container, config.ACI_FIELD_CONTAINERS_NAME + ) or image_name - extract_probe(exec_processes, container_properties, config.ACI_FIELD_CONTAINERS_READINESS_PROBE) - extract_probe(exec_processes, container_properties, config.ACI_FIELD_CONTAINERS_LIVENESS_PROBE) + if not container_name: + eprint(f'Field ["{config.ACI_FIELD_CONTAINERS_NAME}"] is empty or cannot be found') - container_security_context = case_insensitive_dict_get( - container_properties, config.ACI_FIELD_TEMPLATE_SECURITY_CONTEXT - ) or {} + exec_processes = case_insensitive_dict_get( + container_properties, config.ACI_FIELD_CONTAINERS_EXEC_PROCESSES + ) or [] - working_dir = case_insensitive_dict_get(container_properties, config.ACI_FIELD_CONTAINERS_WORKINGDIR) + # add the signal section if it's not present + for exec_process in exec_processes: + if config.ACI_FIELD_CONTAINERS_SIGNAL_CONTAINER_PROCESSES not in exec_process: + exec_process[config.ACI_FIELD_CONTAINERS_SIGNAL_CONTAINER_PROCESSES] = [] - mounts = 
process_mounts_from_config(container_properties) + process_configmap(container_properties) - if ( - scenario.lower() == config.VN2 and - case_insensitive_dict_get(container_security_context, config.ACI_FIELD_CONTAINERS_PRIVILEGED) - ): - mounts += config.DEFAULT_MOUNTS_PRIVILEGED_VIRTUAL_NODE - - labels = case_insensitive_dict_get(policy_input_json, config.VIRTUAL_NODE_YAML_LABELS) or [] - envs = [] - # use workload identity - if ( - scenario.lower() == config.VN2 and - config.VIRTUAL_NODE_YAML_LABEL_WORKLOAD_IDENTITY in labels and - case_insensitive_dict_get(labels, config.VIRTUAL_NODE_YAML_LABEL_WORKLOAD_IDENTITY) - ): - envs += config.VIRTUAL_NODE_ENV_RULES_WORKLOAD_IDENTITY - mounts += config.DEFAULT_MOUNTS_WORKLOAD_IDENTITY_VIRTUAL_NODE + extract_probe(exec_processes, container_properties, config.ACI_FIELD_CONTAINERS_READINESS_PROBE) + extract_probe(exec_processes, container_properties, config.ACI_FIELD_CONTAINERS_LIVENESS_PROBE) - envs += process_env_vars_from_config(container_properties) + container_security_context = case_insensitive_dict_get( + container_properties, config.ACI_FIELD_TEMPLATE_SECURITY_CONTEXT + ) or {} - if debug_mode: - for exec_process in config.DEBUG_MODE_SETTINGS.get(config.ACI_FIELD_CONTAINERS_EXEC_PROCESSES, []): - if exec_process not in exec_processes: - exec_processes.append(exec_process) + working_dir = case_insensitive_dict_get(container_properties, config.ACI_FIELD_CONTAINERS_WORKINGDIR) - output_containers.append( - { - config.ACI_FIELD_CONTAINERS_ID: image_name, - config.ACI_FIELD_CONTAINERS_NAME: container_name, - config.ACI_FIELD_CONTAINERS_CONTAINERIMAGE: image_name, - config.ACI_FIELD_CONTAINERS_WORKINGDIR: working_dir, - config.ACI_FIELD_CONTAINERS_ENVS: envs, - config.ACI_FIELD_CONTAINERS_COMMAND: case_insensitive_dict_get( - container_properties, config.ACI_FIELD_TEMPLATE_COMMAND - ) or [], - config.ACI_FIELD_CONTAINERS_MOUNTS: mounts, - config.ACI_FIELD_CONTAINERS_EXEC_PROCESSES: exec_processes, - 
config.ACI_FIELD_CONTAINERS_SIGNAL_CONTAINER_PROCESSES: [], - config.ACI_FIELD_CONTAINERS_ALLOW_STDIO_ACCESS: not disable_stdio, - config.ACI_FIELD_CONTAINERS_SECURITY_CONTEXT: case_insensitive_dict_get( - container_properties, config.ACI_FIELD_TEMPLATE_SECURITY_CONTEXT - ), - } - ) + mounts = process_mounts_from_config(container_properties) + process_configmap(container_properties) + if ( + scenario.lower() == config.VN2 and + case_insensitive_dict_get(container_security_context, config.ACI_FIELD_CONTAINERS_PRIVILEGED) + ): + mounts += config.DEFAULT_MOUNTS_PRIVILEGED_VIRTUAL_NODE - # Add default fragments if necessary - if not exclude_default_fragments: - rego_fragments.extend(copy.deepcopy(config.DEFAULT_REGO_FRAGMENTS)) + labels = case_insensitive_dict_get(policy_spec, config.VIRTUAL_NODE_YAML_LABELS) or [] + envs = [] + # use workload identity + if ( + scenario.lower() == config.VN2 and + config.VIRTUAL_NODE_YAML_LABEL_WORKLOAD_IDENTITY in labels and + case_insensitive_dict_get(labels, config.VIRTUAL_NODE_YAML_LABEL_WORKLOAD_IDENTITY) + ): + envs += config.VIRTUAL_NODE_ENV_RULES_WORKLOAD_IDENTITY + mounts += config.DEFAULT_MOUNTS_WORKLOAD_IDENTITY_VIRTUAL_NODE - # changes the svn of the infrastructure fragment provided by ACI - if infrastructure_svn: - # assumes the first DEFAULT_REGO_FRAGMENT is always the - # infrastructure fragment - rego_fragments[0][ - config.POLICY_FIELD_CONTAINERS_ELEMENTS_REGO_FRAGMENTS_MINIMUM_SVN - ] = infrastructure_svn + envs += process_env_vars_from_config(container_properties) - return AciPolicy( - { - config.ACI_FIELD_VERSION: version, - config.ACI_FIELD_CONTAINERS: output_containers, - }, - disable_stdio=disable_stdio, - rego_fragments=rego_fragments, - debug_mode=debug_mode, - is_vn2=scenario.lower() == config.VN2, - ) + if debug_mode: + for exec_process in config.DEBUG_MODE_SETTINGS.get(config.ACI_FIELD_CONTAINERS_EXEC_PROCESSES, []): + if exec_process not in exec_processes: + exec_processes.append(exec_process) + + 
output_containers.append( + { + config.ACI_FIELD_CONTAINERS_ID: image_name, + config.ACI_FIELD_CONTAINERS_NAME: container_name, + config.ACI_FIELD_CONTAINERS_CONTAINERIMAGE: image_name, + config.ACI_FIELD_CONTAINERS_WORKINGDIR: working_dir, + config.ACI_FIELD_CONTAINERS_ENVS: envs, + config.ACI_FIELD_CONTAINERS_COMMAND: case_insensitive_dict_get( + container_properties, config.ACI_FIELD_TEMPLATE_COMMAND + ) or [], + config.ACI_FIELD_CONTAINERS_MOUNTS: mounts, + config.ACI_FIELD_CONTAINERS_EXEC_PROCESSES: exec_processes, + config.ACI_FIELD_CONTAINERS_SIGNAL_CONTAINER_PROCESSES: [], + config.ACI_FIELD_CONTAINERS_ALLOW_STDIO_ACCESS: not disable_stdio, + config.ACI_FIELD_CONTAINERS_SECURITY_CONTEXT: case_insensitive_dict_get( + container_properties, config.ACI_FIELD_TEMPLATE_SECURITY_CONTEXT + ), + } + ) + + # Add default fragments if necessary + if not exclude_default_fragments: + for fragment in config.DEFAULT_REGO_FRAGMENTS: + if not any(fragment["feed"] == f["feed"] for f in rego_fragments): + rego_fragments.append(copy.deepcopy(fragment)) + + # changes the svn of the infrastructure fragment provided by ACI + if infrastructure_svn: + # assumes the first DEFAULT_REGO_FRAGMENT is always the + # infrastructure fragment + rego_fragments[0][ + config.POLICY_FIELD_CONTAINERS_ELEMENTS_REGO_FRAGMENTS_MINIMUM_SVN + ] = infrastructure_svn + + policies.append(AciPolicy( + { + config.ACI_FIELD_VERSION: version, + config.ACI_FIELD_CONTAINERS: output_containers, + }, + disable_stdio=disable_stdio, + rego_fragments=rego_fragments, + debug_mode=debug_mode, + is_vn2=scenario.lower() == config.VN2, + )) + + return policies def load_policy_from_virtual_node_yaml_file( 
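Review bot: `output_containers = []` is left as an unchanged context line above the new `for policy_spec in policy_input_json:` loop, so every AciPolicy appended to `policies` after the first also carries the containers of all earlier specs; the initialisation belongs as the first statement of the loop body, `output_containers = []`. The default-fragment step now skips a default whose `feed` is already present, yet the later `rego_fragments[0][config.POLICY_FIELD_CONTAINERS_ELEMENTS_REGO_FRAGMENTS_MINIMUM_SVN] = infrastructure_svn` still assumes the infrastructure fragment sits at index 0, so a spec that lists its own fragments first gets the minimum SVN written onto the wrong fragment while the infrastructure fragment keeps the SVN the spec declared, and (as before) an empty list under `exclude_default_fragments` raises IndexError. Locating the target by feed, e.g. the fragment whose `feed` equals `config.DEFAULT_REGO_FRAGMENTS[0]["feed"]`, instead of by position would address both. The signature of load_policy_from_json starts before this hunk.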
diff --git a/src/confcom/azext_confcom/tests/latest/test_confcom_acipolicygen_arm.py b/src/confcom/azext_confcom/tests/latest/test_confcom_acipolicygen.py similarity index 66% rename from src/confcom/azext_confcom/tests/latest/test_confcom_acipolicygen_arm.py rename to src/confcom/azext_confcom/tests/latest/test_confcom_acipolicygen.py index a1959228c96..6bfb256130c 100644 --- a/src/confcom/azext_confcom/tests/latest/test_confcom_acipolicygen_arm.py +++ b/src/confcom/azext_confcom/tests/latest/test_confcom_acipolicygen.py @@ -6,6 +6,7 @@ import contextlib import io import os +from pathlib import Path import pytest from itertools import product @@ -35,7 +36,7 @@ "sample_directory,generated_policy_path", product(os.listdir(SAMPLES_ROOT), POLICYGEN_ARGS.keys()) ) -def test_acipolicygen(sample_directory, generated_policy_path): +def test_acipolicygen_arm(sample_directory, generated_policy_path): # Ensure we're always in the same dir because fragments input json defines # the path relative to the signed fragment to the current dir and cannot use 
@@ -77,3 +78,43 @@ def test_acipolicygen(sample_directory, generated_policy_path): actual_policy = buffer.getvalue() assert actual_policy == expected_policy, f"Policy generation mismatch, actual output for {os.path.join(sample_directory, generated_policy_path)}:\n{actual_policy}" + + +@pytest.mark.parametrize( + "policy_spec_path", + [str(path.relative_to(SAMPLES_ROOT)) for path in Path(SAMPLES_ROOT).rglob("policy_spec*")] +) +def test_acipolicygen_spec(policy_spec_path): + + if policy_spec_path in { + ("multi_container_groups/policy_spec.json"), + ("multi_container_groups/policy_spec_disable_stdio.json"), + ("multi_container_groups/policy_spec_debug.json"), + ("multi_container_groups/policy_spec_infrastructure_svn.json"), + ("multi_container_groups/policy_spec_exclude_default_fragment.json"), + }: + pytest.skip("Skipping test due to known issue") + + policy_spec_path = os.path.join(SAMPLES_ROOT, policy_spec_path) + expected_policy_path = policy_spec_path.replace("policy_spec", "policy").replace(".json", ".rego") + with open(expected_policy_path, "r", encoding="utf-8") as f: + expected_policy = f.read() + + flags = POLICYGEN_ARGS[os.path.basename(expected_policy_path)] + + buffer = io.StringIO() + with contextlib.redirect_stdout(buffer): + acipolicygen_confcom( + input_path=policy_spec_path, + arm_template=None, + arm_template_parameters=None, + image_name=None, + virtual_node_yaml_path=None, + infrastructure_svn=flags.pop("infrastructure_svn", None), + tar_mapping_location=None, + outraw=True, + **flags, + ) + actual_policy = buffer.getvalue() + + assert actual_policy == expected_policy, f"Policy generation mismatch, actual output for {expected_policy_path}:\n{actual_policy}" \ No newline at end of file From 0a9080bde528433de9ab60cfb91a3ce96a0beb9c Mon Sep 17 00:00:00 2001 
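Review bot: `flags.pop("infrastructure_svn", None)` mutates the dict it fetched from `POLICYGEN_ARGS`, so if that is a module-level mapping shared across parametrized cases (it is also indexed by `test_acipolicygen_arm`), the first spec test strips the key for every later run and which cases see `infrastructure_svn` becomes order-dependent. Copy before popping: `flags = dict(POLICYGEN_ARGS[os.path.basename(expected_policy_path)])`. The parenthesised entries in the skip set are plain strings, not tuples, which works but reads as if tuples were intended; drop the parentheses. The file also ends without a trailing newline.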
From: Dominic Ayre Date: Fri, 26 Sep 2025 16:45:54 +0000 Subject: [PATCH 04/16] Get all tests passing --- .../azext_confcom/command/parse_aci_arm.py | 16 ++---- .../azext_confcom/lib/aci_policy_spec.py | 8 +++ .../lib/arm_to_aci_policy_spec.py | 27 +++++++--- src/confcom/azext_confcom/security_policy.py | 49 ++++++++++--------- .../tests/latest/test_confcom_acipolicygen.py | 15 ++---- .../samples/aci/command/policy_spec.json | 16 ++---- .../aci/command/policy_spec_debug.json | 21 +++----- .../command/policy_spec_disable_stdio.json | 16 ++---- .../policy_spec_exclude_default_fragment.json | 7 ++- .../policy_spec_infrastructure_svn.json | 17 +++---- .../conflicting_variables/policy_spec.json | 17 +++---- .../policy_spec_debug.json | 22 ++++----- .../policy_spec_disable_stdio.json | 17 +++---- .../policy_spec_exclude_default_fragment.json | 8 ++- .../policy_spec_infrastructure_svn.json | 18 +++---- .../container_group_profiles/policy_spec.json | 17 +++---- .../policy_spec_debug.json | 22 ++++----- .../policy_spec_disable_stdio.json | 17 +++---- .../policy_spec_exclude_default_fragment.json | 8 ++- .../policy_spec_infrastructure_svn.json | 18 +++---- .../aci/default_variables/policy_spec.json | 17 +++---- .../default_variables/policy_spec_debug.json | 22 ++++----- .../policy_spec_disable_stdio.json | 17 +++---- .../policy_spec_exclude_default_fragment.json | 8 ++- .../policy_spec_infrastructure_svn.json | 18 +++---- .../policy_spec.json | 17 +++---- .../policy_spec_debug.json | 22 ++++----- .../policy_spec_disable_stdio.json | 17 +++---- .../policy_spec_exclude_default_fragment.json | 8 ++- .../policy_spec_infrastructure_svn.json | 18 +++---- .../environment_variables/policy_spec.json | 17 +++---- .../policy_spec_debug.json | 22 ++++----- .../policy_spec_disable_stdio.json | 17 +++---- .../policy_spec_exclude_default_fragment.json | 8 ++- .../policy_spec_infrastructure_svn.json | 18 +++---- .../samples/aci/minimal/policy_spec.json | 17 +++---- 
.../aci/minimal/policy_spec_debug.json | 22 ++++----- .../minimal/policy_spec_disable_stdio.json | 17 +++---- .../policy_spec_exclude_default_fragment.json | 8 ++- .../policy_spec_infrastructure_svn.json | 18 +++---- .../multi_container_groups/policy_spec.json | 34 +++++-------- .../policy_spec_debug.json | 44 +++++++---------- .../policy_spec_disable_stdio.json | 34 +++++-------- .../policy_spec_exclude_default_fragment.json | 16 +++++- .../policy_spec_infrastructure_svn.json | 36 ++++++-------- .../aci/multi_containers/policy_spec.json | 19 +++---- .../multi_containers/policy_spec_debug.json | 29 ++++++----- .../policy_spec_disable_stdio.json | 19 +++---- .../policy_spec_exclude_default_fragment.json | 10 +++- .../policy_spec_infrastructure_svn.json | 20 ++++---- .../policy_spec.json | 20 +++----- .../policy_spec_debug.json | 25 +++++----- .../policy_spec_disable_stdio.json | 20 +++----- .../policy_spec_exclude_default_fragment.json | 11 ++++- .../policy_spec_infrastructure_svn.json | 21 ++++---- .../policy_spec.json | 17 +++---- .../policy_spec_debug.json | 22 ++++----- .../policy_spec_disable_stdio.json | 17 +++---- .../policy_spec_exclude_default_fragment.json | 8 ++- .../policy_spec_infrastructure_svn.json | 18 +++---- .../policy_spec.json | 18 +++---- .../policy_spec_debug.json | 23 ++++----- .../policy_spec_disable_stdio.json | 18 +++---- .../policy_spec_exclude_default_fragment.json | 9 +++- .../policy_spec_infrastructure_svn.json | 19 +++---- .../policy_spec.json | 17 +++---- .../policy_spec_debug.json | 22 ++++----- .../policy_spec_disable_stdio.json | 17 +++---- .../policy_spec_exclude_default_fragment.json | 8 ++- .../policy_spec_infrastructure_svn.json | 18 +++---- .../policy_spec.json | 17 +++---- .../policy_spec_debug.json | 22 ++++----- .../policy_spec_disable_stdio.json | 17 +++---- .../policy_spec_exclude_default_fragment.json | 8 ++- .../policy_spec_infrastructure_svn.json | 18 +++---- .../samples/aci/variables/policy_spec.json | 17 +++---- 
.../aci/variables/policy_spec_debug.json | 22 ++++----- .../variables/policy_spec_disable_stdio.json | 17 +++---- .../policy_spec_exclude_default_fragment.json | 8 ++- .../policy_spec_infrastructure_svn.json | 18 +++---- .../aci/volume_mount_secret/policy_spec.json | 17 +++---- .../policy_spec_debug.json | 22 ++++----- .../policy_spec_disable_stdio.json | 17 +++---- .../policy_spec_exclude_default_fragment.json | 8 ++- .../policy_spec_infrastructure_svn.json | 18 +++---- .../aci/volume_mounts/policy_spec.json | 17 +++---- .../aci/volume_mounts/policy_spec_debug.json | 22 ++++----- .../policy_spec_disable_stdio.json | 17 +++---- .../policy_spec_exclude_default_fragment.json | 8 ++- .../policy_spec_infrastructure_svn.json | 18 +++---- 90 files changed, 715 insertions(+), 906 deletions(-) diff --git a/src/confcom/azext_confcom/command/parse_aci_arm.py b/src/confcom/azext_confcom/command/parse_aci_arm.py index 11a152b54f8..18e5503cdfe 100644 --- a/src/confcom/azext_confcom/command/parse_aci_arm.py +++ b/src/confcom/azext_confcom/command/parse_aci_arm.py @@ -7,10 +7,7 @@ def _omit_none_dict_factory(items): """Dict factory for dataclasses.asdict that drops None values.""" - return {key: value for key, value in items if ( - value is not None and - value != [] - )} + return {key: value for key, value in items if (value is not None)} def parse_aci_arm( 
@@ -34,15 +31,8 @@ def parse_aci_arm( aci_policy_specs = list(arm_to_aci_policy_spec( arm_template=arm_template, arm_template_parameters=arm_template_parameters, - fragments=[ - AciFragmentSpec( - feed=fragment["feed"], - issuer=fragment["issuer"], - includes=fragment["includes"], - minimum_svn=infrastructure_svn or fragment["minimum_svn"], - ) - for fragment in config.DEFAULT_REGO_FRAGMENTS - ] if not exclude_default_fragments else [], + include_infrastructure_fragment=not exclude_default_fragments, + infrastructure_fragment_min_svn=infrastructure_svn, debug_mode=debug_mode, allow_stdio_access=not disable_stdio, approve_wildcards=approve_wildcards, diff --git a/src/confcom/azext_confcom/lib/aci_policy_spec.py b/src/confcom/azext_confcom/lib/aci_policy_spec.py index 52c39a1a979..41ca55c0051 100644 --- a/src/confcom/azext_confcom/lib/aci_policy_spec.py +++ b/src/confcom/azext_confcom/lib/aci_policy_spec.py @@ -8,6 +8,9 @@ from typing_extensions import Literal +AciProfile = Literal["strict", "debug"] + + @dataclass class AciContainerPropertyEnvVariable: name: str @@ -82,3 +85,8 @@ class AciContainerSpec: class AciPolicySpec: fragments: Optional[list[AciFragmentSpec]] containers: Optional[list[AciContainerSpec]] + profile: AciProfile = "strict" + include_infrastructure_fragment: bool = True + infrastructure_fragment_min_svn: Optional[str] = None + allow_stdio_access: bool = True + diff --git a/src/confcom/azext_confcom/lib/arm_to_aci_policy_spec.py b/src/confcom/azext_confcom/lib/arm_to_aci_policy_spec.py index c2711563f30..f2fcd221593 100644 --- a/src/confcom/azext_confcom/lib/arm_to_aci_policy_spec.py +++ b/src/confcom/azext_confcom/lib/arm_to_aci_policy_spec.py 
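Review bot: With the `AciFragmentSpec(...)` comprehension gone, `AciFragmentSpec` and `config` look unused in parse_aci_arm.py if these were their only references; the imports are outside the hunk, so confirm and drop them to keep the module lint-clean. The semantics also shift slightly: the removed loop replaced `minimum_svn` on every default fragment with `infrastructure_svn`, whereas `infrastructure_fragment_min_svn` targets only the infrastructure fragment. A one-line comment at the new keyword, `# only the infrastructure fragment's SVN floor is overridable from the CLI`, would stop the next reader from restoring the old loop.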
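Review bot: `profile: AciProfile = "strict"` and `allow_stdio_access: bool = True` let a policy spec file widen the generated policy (debug exec processes, stdio) without any CLI flag, yet `Literal["strict", "debug"]` is type-checker-only and nothing rejects other values at runtime. Add a `__post_init__` that raises `ValueError` when `profile` is not one of `("strict", "debug")`, so a typo such as `"strcit"` fails loudly instead of silently being treated as not-debug by a loader that compares with `== "debug"`. A short class docstring listing what each new knob does to the emitted policy would also help, since none is visible here. The added blank line at end of file will trip W391.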
@@ -192,7 +192,8 @@ def arm_container_group_to_aci_policy_spec_fragments( def arm_container_group_to_aci_policy_spec( container_group: dict, parameters: dict, - fragments: list[AciFragmentSpec], + include_infrastructure_fragment: bool, + infrastructure_fragment_min_svn: Optional[str], debug_mode: bool, allow_stdio_access: bool, approve_wildcards: bool, @@ -203,7 +204,6 @@ def arm_container_group_to_aci_policy_spec( return AciPolicySpec( fragments=[ - *(fragments if not container_group.get("tags", {}).get("Annotate-zero-sidecar") else []), *arm_container_group_to_aci_policy_spec_fragments(container_group), ], containers=[ @@ -216,14 +216,19 @@ def arm_container_group_to_aci_policy_spec( approve_wildcards=approve_wildcards, ) for c in containers + container_group.get("properties", {}).get("initContainers", []) - ] + ], + profile="debug" if debug_mode else "strict", + include_infrastructure_fragment=include_infrastructure_fragment, + infrastructure_fragment_min_svn=infrastructure_fragment_min_svn, + allow_stdio_access=allow_stdio_access, ) def arm_to_aci_policy_spec( arm_template: dict, arm_template_parameters: dict, - fragments: list[AciFragmentSpec], + include_infrastructure_fragment: bool = True, + infrastructure_fragment_min_svn: Optional[str] = None, debug_mode: bool = False, allow_stdio_access: bool = True, approve_wildcards: bool = False, 
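Review bot: The `Annotate-zero-sidecar` tag is no longer honoured: the removed line in `arm_container_group_to_aci_policy_spec` suppressed the default fragments for a tagged container group, but the new `include_infrastructure_fragment=include_infrastructure_fragment` comes straight from the CLI flag, so a template relying on that tag now gets the infrastructure fragment added. Unless dropping the tag is intended (the commit message only says tests pass), carry it into the new field: `include_infrastructure_fragment=include_infrastructure_fragment and not container_group.get("tags", {}).get("Annotate-zero-sidecar"),`. If the drop is intended, a comment at that line or a sentence in the commit message should record the behaviour change.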
@@ -238,8 +243,16 @@ def arm_to_aci_policy_spec( parser = { "Microsoft.ContainerInstance/containerGroups": arm_container_group_to_aci_policy_spec, "Microsoft.ContainerInstance/containerGroupProfiles": arm_container_group_to_aci_policy_spec, - }.get(resource["type"], (lambda r, p, f, d, io, w: None)) - - spec = parser(resource, parameters, fragments, debug_mode, allow_stdio_access, approve_wildcards) + }.get(resource["type"], (lambda r, p, f, m, d, io, w: None)) + + spec = parser( + resource, + parameters, + include_infrastructure_fragment, + infrastructure_fragment_min_svn, + debug_mode, + allow_stdio_access, + approve_wildcards + ) if spec is not None: yield spec diff --git a/src/confcom/azext_confcom/security_policy.py b/src/confcom/azext_confcom/security_policy.py index 90685e45b44..87255f495e6 100644 --- a/src/confcom/azext_confcom/security_policy.py +++ b/src/confcom/azext_confcom/security_policy.py 
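Review bot: `parser(...)` passes `include_infrastructure_fragment`, `debug_mode`, `allow_stdio_access` and `approve_wildcards` positionally, and the fallback `(lambda r, p, f, m, d, io, w: None)` documents that order only by single letters; a future reorder of the target function's parameters would silently swap booleans such as `debug_mode` and `allow_stdio_access`, changing the policy instead of failing. Both dispatch targets are the same function with named parameters (visible in the previous hunk), so call with keywords and make the fallback `lambda **_: None`. The enclosing loop and the `yield` continue outside the hunk.
```python
}.get(resource["type"], (lambda **_: None))

spec = parser(
    container_group=resource,
    parameters=parameters,
    include_infrastructure_fragment=include_infrastructure_fragment,
    infrastructure_fragment_min_svn=infrastructure_fragment_min_svn,
    debug_mode=debug_mode,
    allow_stdio_access=allow_stdio_access,
    approve_wildcards=approve_wildcards,
)
# … unchanged: if spec is not None: yield spec …
```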
@@ -628,32 +628,25 @@ def load_policy_from_arm_template_str( aci_policies = [] - if included_fragments is None: - included_fragments = [] - - if not exclude_default_fragments: - for idx, fragment in enumerate(config.DEFAULT_REGO_FRAGMENTS): - if infrastructure_svn: - fragment["minimum_svn"] = infrastructure_svn - included_fragments.insert(idx, fragment) - try: for policy_spec in arm_to_aci_policy_spec( arm_template=json.loads(template_data), arm_template_parameters=json.loads(parameter_data) if parameter_data else {}, - fragments=[AciFragmentSpec(**fragment) for fragment in included_fragments], + include_infrastructure_fragment=not exclude_default_fragments, + infrastructure_fragment_min_svn=infrastructure_svn, debug_mode=debug_mode, allow_stdio_access=not disable_stdio, approve_wildcards=approve_wildcards, ): - aci_policies.append(load_policy_from_json( + policy_spec.fragments.extend(included_fragments or []) + aci_policies.extend(load_policy_from_json( json.dumps(asdict(policy_spec)), debug_mode, disable_stdio, infrastructure_svn, - # Fragments are already parsed - True, + exclude_default_fragments, )) + # Catch broad exception since we don't want to assume what errors might occur pylint: disable=W0718 except Exception as e: eprint(f"Error processing ARM template: {e}") @@ -734,7 +727,7 @@ def load_policy_from_json_file( disable_stdio: bool = False, infrastructure_svn: str = None, exclude_default_fragments: bool = False, -) -> AciPolicy: +) -> List[AciPolicy]: json_content = os_util.load_str_from_file(data) return load_policy_from_json( json_content, @@ -752,7 +745,6 @@ def load_policy_from_json( infrastructure_svn: str = None, exclude_default_fragments: bool = False, ) -> List[AciPolicy]: - output_containers = [] # 1) Parse incoming string as JSON policy_input_json = os_util.load_json_from_str(data) 
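Review bot: `policy_spec.fragments.extend(included_fragments or [])` assumes `fragments` is a list, but `AciPolicySpec.fragments` is declared `Optional[list[AciFragmentSpec]]`; the ARM converter in this patch always builds a list, so this is safe today, yet a `None` would surface only as the generic `Error processing ARM template: 'NoneType' object has no attribute 'extend'` from the broad `except Exception` below. A None-tolerant merge avoids the trap: `policy_spec.fragments = [*(policy_spec.fragments or []), *(included_fragments or [])]`. The `load_policy_from_json(...)` call also deserves a comment explaining why `exclude_default_fragments` is now passed through where `True` ("Fragments are already parsed") used to be hard-coded, presumably because that function now reads `include_infrastructure_fragment` from the spec itself. The surrounding function body is outside the hunk.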
@@ -762,6 +754,19 @@ def load_policy_from_json( policies = [] for policy_spec in policy_input_json: + + output_containers = [] + + policy_spec_exclude_default_fragments = exclude_default_fragments or ( + not policy_spec.get("include_infrastructure_fragment", True) + ) + + policy_spec_debug_mode = debug_mode or policy_spec.get("profile", "strict") == "debug" + + policy_spec_disable_stdio = disable_stdio or not policy_spec.get("allow_stdio_access", True) + + policy_spec_infrastructure_svn = infrastructure_svn or policy_spec.get("infrastructure_fragment_min_svn") + if not isinstance(policy_spec, dict): eprint("Input JSON is not a valid dictionary") @@ -866,7 +871,7 @@ def load_policy_from_json( envs += process_env_vars_from_config(container_properties) - if debug_mode: + if policy_spec_debug_mode: for exec_process in config.DEBUG_MODE_SETTINGS.get(config.ACI_FIELD_CONTAINERS_EXEC_PROCESSES, []): if exec_process not in exec_processes: exec_processes.append(exec_process) @@ -884,7 +889,7 @@ def load_policy_from_json( config.ACI_FIELD_CONTAINERS_MOUNTS: mounts, config.ACI_FIELD_CONTAINERS_EXEC_PROCESSES: exec_processes, config.ACI_FIELD_CONTAINERS_SIGNAL_CONTAINER_PROCESSES: [], - config.ACI_FIELD_CONTAINERS_ALLOW_STDIO_ACCESS: not disable_stdio, + config.ACI_FIELD_CONTAINERS_ALLOW_STDIO_ACCESS: not policy_spec_disable_stdio, config.ACI_FIELD_CONTAINERS_SECURITY_CONTEXT: case_insensitive_dict_get( container_properties, config.ACI_FIELD_TEMPLATE_SECURITY_CONTEXT ), 
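Review bot: The four new `policy_spec.get(...)` lines sit above `if not isinstance(policy_spec, dict):`, so a spec element that is not a dict (a bare string in the JSON array, say) now raises `AttributeError` before the `eprint("Input JSON is not a valid dictionary")` path can run; move the guard above the new lines. On the same lines, `policy_spec.get("profile", "strict") == "debug"` means a spec file alone can enable debug exec processes, and any other string silently means non-debug, so consider rejecting unknown profiles and logging when the spec rather than the CLI turned debug on. The precedence rules differ per knob and deserve a comment, e.g. `# debug: CLI or spec can enable; stdio: CLI or spec can disable; SVN: an explicit CLI value overrides the spec's`.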
@@ -892,27 +897,27 @@ def load_policy_from_json( ) # Add default fragments if necessary - if not exclude_default_fragments: + if not policy_spec_exclude_default_fragments: for fragment in config.DEFAULT_REGO_FRAGMENTS: if not any(fragment["feed"] == f["feed"] for f in rego_fragments): rego_fragments.append(copy.deepcopy(fragment)) # changes the svn of the infrastructure fragment provided by ACI - if infrastructure_svn: + if policy_spec_infrastructure_svn: # assumes the first DEFAULT_REGO_FRAGMENT is always the # infrastructure fragment rego_fragments[0][ config.POLICY_FIELD_CONTAINERS_ELEMENTS_REGO_FRAGMENTS_MINIMUM_SVN - ] = infrastructure_svn + ] = policy_spec_infrastructure_svn policies.append(AciPolicy( { config.ACI_FIELD_VERSION: version, config.ACI_FIELD_CONTAINERS: output_containers, }, - disable_stdio=disable_stdio, + disable_stdio=policy_spec_disable_stdio, rego_fragments=rego_fragments, - debug_mode=debug_mode, + debug_mode=policy_spec_debug_mode, is_vn2=scenario.lower() == config.VN2, )) diff --git a/src/confcom/azext_confcom/tests/latest/test_confcom_acipolicygen.py b/src/confcom/azext_confcom/tests/latest/test_confcom_acipolicygen.py index 6bfb256130c..19d38a3a8ae 100644 --- a/src/confcom/azext_confcom/tests/latest/test_confcom_acipolicygen.py +++ b/src/confcom/azext_confcom/tests/latest/test_confcom_acipolicygen.py @@ -86,13 +86,9 @@ def test_acipolicygen_arm(sample_directory, generated_policy_path): ) def test_acipolicygen_spec(policy_spec_path): - if policy_spec_path in { - ("multi_container_groups/policy_spec.json"), - ("multi_container_groups/policy_spec_disable_stdio.json"), - ("multi_container_groups/policy_spec_debug.json"), - ("multi_container_groups/policy_spec_infrastructure_svn.json"), - ("multi_container_groups/policy_spec_exclude_default_fragment.json"), - }: + if policy_spec_path in [ + # Add known failing tests here + ]: pytest.skip("Skipping test due to known issue") policy_spec_path = os.path.join(SAMPLES_ROOT, policy_spec_path) 
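Review bot: `rego_fragments[0][...] = policy_spec_infrastructure_svn` still assumes index 0 is the infrastructure fragment, but the loop above appends the defaults after whatever fragments the spec already listed, so when a spec supplies its own fragments the SVN floor lands on a user fragment and the infrastructure fragment keeps its default `minimum_svn`; and now that a spec can set `include_infrastructure_fragment: false` together with `infrastructure_fragment_min_svn`, an empty list raises `IndexError`. Look the fragment up by feed and let an override with no infrastructure fragment present be a no-op (or a warning). The feed is the same `config.DEFAULT_REGO_FRAGMENTS[0]` the existing comment relies on.
```python
# changes the svn of the infrastructure fragment provided by ACI
if policy_spec_infrastructure_svn:
    infra_feed = config.DEFAULT_REGO_FRAGMENTS[0]["feed"]
    for fragment in rego_fragments:
        if fragment["feed"] == infra_feed:
            fragment[
                config.POLICY_FIELD_CONTAINERS_ELEMENTS_REGO_FRAGMENTS_MINIMUM_SVN
            ] = policy_spec_infrastructure_svn
# … unchanged: policies.append(AciPolicy(...)) …
```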
@@ -100,8 +96,6 @@ def test_acipolicygen_spec(policy_spec_path): with open(expected_policy_path, "r", encoding="utf-8") as f: expected_policy = f.read() - flags = POLICYGEN_ARGS[os.path.basename(expected_policy_path)] - buffer = io.StringIO() with contextlib.redirect_stdout(buffer): acipolicygen_confcom( @@ -110,10 +104,9 @@ def test_acipolicygen_spec(policy_spec_path): arm_template_parameters=None, image_name=None, virtual_node_yaml_path=None, - infrastructure_svn=flags.pop("infrastructure_svn", None), + infrastructure_svn=None, tar_mapping_location=None, outraw=True, - **flags, ) actual_policy = buffer.getvalue() diff --git a/src/confcom/samples/aci/command/policy_spec.json b/src/confcom/samples/aci/command/policy_spec.json index c1ff7371e6e..2f24ef2aa63 100644 --- a/src/confcom/samples/aci/command/policy_spec.json +++ b/src/confcom/samples/aci/command/policy_spec.json @@ -1,5 +1,6 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", @@ -72,6 +73,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { @@ -84,16 +86,8 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/command/policy_spec_debug.json b/src/confcom/samples/aci/command/policy_spec_debug.json index 1887699aa68..b9d04762ba7 100644 --- a/src/confcom/samples/aci/command/policy_spec_debug.json +++ b/src/confcom/samples/aci/command/policy_spec_debug.json @@ -1,5 +1,6 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", 
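Review bot: Dropping `**flags` and `infrastructure_svn=flags.pop(...)` leaves `test_acipolicygen_spec` exercising only the spec-embedded `profile`/`allow_stdio_access`/`infrastructure_fragment_min_svn` fields, so the CLI-override branch in `load_policy_from_json` (`debug_mode or ...`, `disable_stdio or ...`, `infrastructure_svn or ...`) has no test on the spec input path. One extra case that feeds the plain `policy_spec.json` with `debug_mode=True` and compares against the `policy_debug.rego` expectation would cover it, assuming `acipolicygen_confcom` still accepts `debug_mode` as it did via `**flags` before this change. The rest of the test body is outside the hunk.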
@@ -77,13 +78,15 @@ "allow_stdio_access": true, "command": [ "/bin/sh" - ] + ], + "signals": [] }, { "allow_stdio_access": true, "command": [ "/bin/bash" - ] + ], + "signals": [] } ], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", @@ -98,16 +101,8 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "profile": "debug" } ] diff --git a/src/confcom/samples/aci/command/policy_spec_disable_stdio.json b/src/confcom/samples/aci/command/policy_spec_disable_stdio.json index 0134f8e01c5..b24a4f36f89 100644 --- a/src/confcom/samples/aci/command/policy_spec_disable_stdio.json +++ b/src/confcom/samples/aci/command/policy_spec_disable_stdio.json @@ -1,5 +1,6 @@ [ { + "allow_stdio_access": false, "containers": [ { "name": "container1", @@ -72,6 +73,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { @@ -84,16 +86,8 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/command/policy_spec_exclude_default_fragment.json b/src/confcom/samples/aci/command/policy_spec_exclude_default_fragment.json index 501f35e48c5..1f4ce0f8326 100644 --- a/src/confcom/samples/aci/command/policy_spec_exclude_default_fragment.json 
+++ b/src/confcom/samples/aci/command/policy_spec_exclude_default_fragment.json @@ -1,5 +1,6 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", @@ -72,6 +73,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { @@ -83,6 +85,9 @@ ] } } - ] + ], + "fragments": [], + "include_infrastructure_fragment": false, + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/command/policy_spec_infrastructure_svn.json b/src/confcom/samples/aci/command/policy_spec_infrastructure_svn.json index 10ccc1cf5e3..55f5c192423 100644 --- a/src/confcom/samples/aci/command/policy_spec_infrastructure_svn.json +++ b/src/confcom/samples/aci/command/policy_spec_infrastructure_svn.json @@ -1,5 +1,6 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", @@ -72,6 +73,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { @@ -84,16 +86,9 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "99" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "infrastructure_fragment_min_svn": "99", + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/conflicting_variables/policy_spec.json b/src/confcom/samples/aci/conflicting_variables/policy_spec.json index f3fa1b10966..42ff60e29e8 100644 --- a/src/confcom/samples/aci/conflicting_variables/policy_spec.json +++ b/src/confcom/samples/aci/conflicting_variables/policy_spec.json 
@@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -67,6 +69,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/acc/samples/aci/helloworld@sha256:86da7a2c5e55b72bf6bc7cf465b860e49c075395d854877124de63a9342ac777", "volumeMounts": [ { @@ -79,16 +82,8 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/conflicting_variables/policy_spec_debug.json b/src/confcom/samples/aci/conflicting_variables/policy_spec_debug.json index 0f252e6f889..caf677a2672 100644 --- a/src/confcom/samples/aci/conflicting_variables/policy_spec_debug.json +++ b/src/confcom/samples/aci/conflicting_variables/policy_spec_debug.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -72,13 +74,15 @@ "allow_stdio_access": true, "command": [ "/bin/sh" - ] + ], + "signals": [] }, { "allow_stdio_access": true, "command": [ "/bin/bash" - ] + ], + "signals": [] } ], "image": "mcr.microsoft.com/acc/samples/aci/helloworld@sha256:86da7a2c5e55b72bf6bc7cf465b860e49c075395d854877124de63a9342ac777", 
@@ -93,16 +97,8 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "profile": "debug" } ] diff --git a/src/confcom/samples/aci/conflicting_variables/policy_spec_disable_stdio.json b/src/confcom/samples/aci/conflicting_variables/policy_spec_disable_stdio.json index af5f104a49c..6880089971b 100644 --- a/src/confcom/samples/aci/conflicting_variables/policy_spec_disable_stdio.json +++ b/src/confcom/samples/aci/conflicting_variables/policy_spec_disable_stdio.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": false, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": false, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -67,6 +69,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/acc/samples/aci/helloworld@sha256:86da7a2c5e55b72bf6bc7cf465b860e49c075395d854877124de63a9342ac777", "volumeMounts": [ { @@ -79,16 +82,8 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/conflicting_variables/policy_spec_exclude_default_fragment.json b/src/confcom/samples/aci/conflicting_variables/policy_spec_exclude_default_fragment.json index cd101792a46..43404170b49 100644 --- a/src/confcom/samples/aci/conflicting_variables/policy_spec_exclude_default_fragment.json +++ b/src/confcom/samples/aci/conflicting_variables/policy_spec_exclude_default_fragment.json 
@@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -67,6 +69,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/acc/samples/aci/helloworld@sha256:86da7a2c5e55b72bf6bc7cf465b860e49c075395d854877124de63a9342ac777", "volumeMounts": [ { @@ -78,6 +81,9 @@ ] } } - ] + ], + "fragments": [], + "include_infrastructure_fragment": false, + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/conflicting_variables/policy_spec_infrastructure_svn.json b/src/confcom/samples/aci/conflicting_variables/policy_spec_infrastructure_svn.json index 41cb51a0c1f..0feba5916a1 100644 --- a/src/confcom/samples/aci/conflicting_variables/policy_spec_infrastructure_svn.json +++ b/src/confcom/samples/aci/conflicting_variables/policy_spec_infrastructure_svn.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -67,6 +69,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/acc/samples/aci/helloworld@sha256:86da7a2c5e55b72bf6bc7cf465b860e49c075395d854877124de63a9342ac777", "volumeMounts": [ { @@ -79,16 +82,9 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "99" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "infrastructure_fragment_min_svn": "99", + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/container_group_profiles/policy_spec.json b/src/confcom/samples/aci/container_group_profiles/policy_spec.json index e9e19db5518..e859e163f86 100644 
--- a/src/confcom/samples/aci/container_group_profiles/policy_spec.json +++ b/src/confcom/samples/aci/container_group_profiles/policy_spec.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -67,6 +69,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { @@ -79,16 +82,8 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/container_group_profiles/policy_spec_debug.json b/src/confcom/samples/aci/container_group_profiles/policy_spec_debug.json index 5de92ea1974..49c843c2028 100644 --- a/src/confcom/samples/aci/container_group_profiles/policy_spec_debug.json +++ b/src/confcom/samples/aci/container_group_profiles/policy_spec_debug.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -72,13 +74,15 @@ "allow_stdio_access": true, "command": [ "/bin/sh" - ] + ], + "signals": [] }, { "allow_stdio_access": true, "command": [ "/bin/bash" - ] + ], + "signals": [] } ], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", 
@@ -93,16 +97,8 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "profile": "debug" } ] diff --git a/src/confcom/samples/aci/container_group_profiles/policy_spec_disable_stdio.json b/src/confcom/samples/aci/container_group_profiles/policy_spec_disable_stdio.json index 294c00082d4..8aeef6ad9c2 100644 --- a/src/confcom/samples/aci/container_group_profiles/policy_spec_disable_stdio.json +++ b/src/confcom/samples/aci/container_group_profiles/policy_spec_disable_stdio.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": false, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": false, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -67,6 +69,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { @@ -79,16 +82,8 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/container_group_profiles/policy_spec_exclude_default_fragment.json b/src/confcom/samples/aci/container_group_profiles/policy_spec_exclude_default_fragment.json index 088603e0a32..e1b9f9e5eff 100644 --- a/src/confcom/samples/aci/container_group_profiles/policy_spec_exclude_default_fragment.json +++ b/src/confcom/samples/aci/container_group_profiles/policy_spec_exclude_default_fragment.json 
@@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -67,6 +69,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { @@ -78,6 +81,9 @@ ] } } - ] + ], + "fragments": [], + "include_infrastructure_fragment": false, + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/container_group_profiles/policy_spec_infrastructure_svn.json b/src/confcom/samples/aci/container_group_profiles/policy_spec_infrastructure_svn.json index 114fa863305..0a6457199d1 100644 --- a/src/confcom/samples/aci/container_group_profiles/policy_spec_infrastructure_svn.json +++ b/src/confcom/samples/aci/container_group_profiles/policy_spec_infrastructure_svn.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -67,6 +69,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { @@ -79,16 +82,9 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "99" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "infrastructure_fragment_min_svn": "99", + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/default_variables/policy_spec.json b/src/confcom/samples/aci/default_variables/policy_spec.json index e9e19db5518..e859e163f86 100644 --- a/src/confcom/samples/aci/default_variables/policy_spec.json 
+++ b/src/confcom/samples/aci/default_variables/policy_spec.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -67,6 +69,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { @@ -79,16 +82,8 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/default_variables/policy_spec_debug.json b/src/confcom/samples/aci/default_variables/policy_spec_debug.json index 5de92ea1974..49c843c2028 100644 --- a/src/confcom/samples/aci/default_variables/policy_spec_debug.json +++ b/src/confcom/samples/aci/default_variables/policy_spec_debug.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -72,13 +74,15 @@ "allow_stdio_access": true, "command": [ "/bin/sh" - ] + ], + "signals": [] }, { "allow_stdio_access": true, "command": [ "/bin/bash" - ] + ], + "signals": [] } ], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", 
@@ -93,16 +97,8 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "profile": "debug" } ] diff --git a/src/confcom/samples/aci/default_variables/policy_spec_disable_stdio.json b/src/confcom/samples/aci/default_variables/policy_spec_disable_stdio.json index 294c00082d4..8aeef6ad9c2 100644 --- a/src/confcom/samples/aci/default_variables/policy_spec_disable_stdio.json +++ b/src/confcom/samples/aci/default_variables/policy_spec_disable_stdio.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": false, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": false, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -67,6 +69,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { @@ -79,16 +82,8 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/default_variables/policy_spec_exclude_default_fragment.json b/src/confcom/samples/aci/default_variables/policy_spec_exclude_default_fragment.json index 088603e0a32..e1b9f9e5eff 100644 --- a/src/confcom/samples/aci/default_variables/policy_spec_exclude_default_fragment.json +++ b/src/confcom/samples/aci/default_variables/policy_spec_exclude_default_fragment.json 
@@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -67,6 +69,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { @@ -78,6 +81,9 @@ ] } } - ] + ], + "fragments": [], + "include_infrastructure_fragment": false, + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/default_variables/policy_spec_infrastructure_svn.json b/src/confcom/samples/aci/default_variables/policy_spec_infrastructure_svn.json index 114fa863305..0a6457199d1 100644 --- a/src/confcom/samples/aci/default_variables/policy_spec_infrastructure_svn.json +++ b/src/confcom/samples/aci/default_variables/policy_spec_infrastructure_svn.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -67,6 +69,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { @@ -79,16 +82,9 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "99" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "infrastructure_fragment_min_svn": "99", + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/default_variables_override/policy_spec.json b/src/confcom/samples/aci/default_variables_override/policy_spec.json index f3fa1b10966..42ff60e29e8 100644 --- a/src/confcom/samples/aci/default_variables_override/policy_spec.json 
+++ b/src/confcom/samples/aci/default_variables_override/policy_spec.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -67,6 +69,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/acc/samples/aci/helloworld@sha256:86da7a2c5e55b72bf6bc7cf465b860e49c075395d854877124de63a9342ac777", "volumeMounts": [ { @@ -79,16 +82,8 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/default_variables_override/policy_spec_debug.json b/src/confcom/samples/aci/default_variables_override/policy_spec_debug.json index 0f252e6f889..caf677a2672 100644 --- a/src/confcom/samples/aci/default_variables_override/policy_spec_debug.json +++ b/src/confcom/samples/aci/default_variables_override/policy_spec_debug.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -72,13 +74,15 @@ "allow_stdio_access": true, "command": [ "/bin/sh" - ] + ], + "signals": [] }, { "allow_stdio_access": true, "command": [ "/bin/bash" - ] + ], + "signals": [] } ], "image": "mcr.microsoft.com/acc/samples/aci/helloworld@sha256:86da7a2c5e55b72bf6bc7cf465b860e49c075395d854877124de63a9342ac777", 
@@ -93,16 +97,8 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "profile": "debug" } ] diff --git a/src/confcom/samples/aci/default_variables_override/policy_spec_disable_stdio.json b/src/confcom/samples/aci/default_variables_override/policy_spec_disable_stdio.json index af5f104a49c..6880089971b 100644 --- a/src/confcom/samples/aci/default_variables_override/policy_spec_disable_stdio.json +++ b/src/confcom/samples/aci/default_variables_override/policy_spec_disable_stdio.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": false, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": false, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -67,6 +69,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/acc/samples/aci/helloworld@sha256:86da7a2c5e55b72bf6bc7cf465b860e49c075395d854877124de63a9342ac777", "volumeMounts": [ { @@ -79,16 +82,8 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/default_variables_override/policy_spec_exclude_default_fragment.json b/src/confcom/samples/aci/default_variables_override/policy_spec_exclude_default_fragment.json index cd101792a46..43404170b49 100644 --- a/src/confcom/samples/aci/default_variables_override/policy_spec_exclude_default_fragment.json +++ b/src/confcom/samples/aci/default_variables_override/policy_spec_exclude_default_fragment.json 
@@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -67,6 +69,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/acc/samples/aci/helloworld@sha256:86da7a2c5e55b72bf6bc7cf465b860e49c075395d854877124de63a9342ac777", "volumeMounts": [ { @@ -78,6 +81,9 @@ ] } } - ] + ], + "fragments": [], + "include_infrastructure_fragment": false, + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/default_variables_override/policy_spec_infrastructure_svn.json b/src/confcom/samples/aci/default_variables_override/policy_spec_infrastructure_svn.json index 41cb51a0c1f..0feba5916a1 100644 --- a/src/confcom/samples/aci/default_variables_override/policy_spec_infrastructure_svn.json +++ b/src/confcom/samples/aci/default_variables_override/policy_spec_infrastructure_svn.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -67,6 +69,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/acc/samples/aci/helloworld@sha256:86da7a2c5e55b72bf6bc7cf465b860e49c075395d854877124de63a9342ac777", "volumeMounts": [ { @@ -79,16 +82,9 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "99" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "infrastructure_fragment_min_svn": "99", + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/environment_variables/policy_spec.json b/src/confcom/samples/aci/environment_variables/policy_spec.json index 2ada0e616af..efdf09c8716 100644 
--- a/src/confcom/samples/aci/environment_variables/policy_spec.json +++ b/src/confcom/samples/aci/environment_variables/policy_spec.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "MY_VAR", @@ -73,6 +75,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { @@ -85,16 +88,8 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/environment_variables/policy_spec_debug.json b/src/confcom/samples/aci/environment_variables/policy_spec_debug.json index e3b01877b20..9b382fedb0d 100644 --- a/src/confcom/samples/aci/environment_variables/policy_spec_debug.json +++ b/src/confcom/samples/aci/environment_variables/policy_spec_debug.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "MY_VAR", @@ -78,13 +80,15 @@ "allow_stdio_access": true, "command": [ "/bin/sh" - ] + ], + "signals": [] }, { "allow_stdio_access": true, "command": [ "/bin/bash" - ] + ], + "signals": [] } ], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", 
@@ -99,16 +103,8 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "profile": "debug" } ] diff --git a/src/confcom/samples/aci/environment_variables/policy_spec_disable_stdio.json b/src/confcom/samples/aci/environment_variables/policy_spec_disable_stdio.json index 5899b6a3e69..fd25efc63d7 100644 --- a/src/confcom/samples/aci/environment_variables/policy_spec_disable_stdio.json +++ b/src/confcom/samples/aci/environment_variables/policy_spec_disable_stdio.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": false, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": false, + "command": [], "environmentVariables": [ { "name": "MY_VAR", @@ -73,6 +75,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { @@ -85,16 +88,8 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/environment_variables/policy_spec_exclude_default_fragment.json b/src/confcom/samples/aci/environment_variables/policy_spec_exclude_default_fragment.json index d3e9db77c72..31b63bb2d52 100644 --- a/src/confcom/samples/aci/environment_variables/policy_spec_exclude_default_fragment.json +++ b/src/confcom/samples/aci/environment_variables/policy_spec_exclude_default_fragment.json 
@@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "MY_VAR", @@ -73,6 +75,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { @@ -84,6 +87,9 @@ ] } } - ] + ], + "fragments": [], + "include_infrastructure_fragment": false, + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/environment_variables/policy_spec_infrastructure_svn.json b/src/confcom/samples/aci/environment_variables/policy_spec_infrastructure_svn.json index 6aa8c1f1faa..a7b5b63d412 100644 --- a/src/confcom/samples/aci/environment_variables/policy_spec_infrastructure_svn.json +++ b/src/confcom/samples/aci/environment_variables/policy_spec_infrastructure_svn.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "MY_VAR", @@ -73,6 +75,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { @@ -85,16 +88,9 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "99" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "infrastructure_fragment_min_svn": "99", + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/minimal/policy_spec.json b/src/confcom/samples/aci/minimal/policy_spec.json index e9e19db5518..e859e163f86 100644 --- a/src/confcom/samples/aci/minimal/policy_spec.json 
+++ b/src/confcom/samples/aci/minimal/policy_spec.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -67,6 +69,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { @@ -79,16 +82,8 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/minimal/policy_spec_debug.json b/src/confcom/samples/aci/minimal/policy_spec_debug.json index 5de92ea1974..49c843c2028 100644 --- a/src/confcom/samples/aci/minimal/policy_spec_debug.json +++ b/src/confcom/samples/aci/minimal/policy_spec_debug.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -72,13 +74,15 @@ "allow_stdio_access": true, "command": [ "/bin/sh" - ] + ], + "signals": [] }, { "allow_stdio_access": true, "command": [ "/bin/bash" - ] + ], + "signals": [] } ], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", 
@@ -93,16 +97,8 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "profile": "debug" } ] diff --git a/src/confcom/samples/aci/minimal/policy_spec_disable_stdio.json b/src/confcom/samples/aci/minimal/policy_spec_disable_stdio.json index 294c00082d4..8aeef6ad9c2 100644 --- a/src/confcom/samples/aci/minimal/policy_spec_disable_stdio.json +++ b/src/confcom/samples/aci/minimal/policy_spec_disable_stdio.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": false, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": false, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -67,6 +69,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { @@ -79,16 +82,8 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/minimal/policy_spec_exclude_default_fragment.json b/src/confcom/samples/aci/minimal/policy_spec_exclude_default_fragment.json index 088603e0a32..e1b9f9e5eff 100644 --- a/src/confcom/samples/aci/minimal/policy_spec_exclude_default_fragment.json +++ b/src/confcom/samples/aci/minimal/policy_spec_exclude_default_fragment.json 
@@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -67,6 +69,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { @@ -78,6 +81,9 @@ ] } } - ] + ], + "fragments": [], + "include_infrastructure_fragment": false, + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/minimal/policy_spec_infrastructure_svn.json b/src/confcom/samples/aci/minimal/policy_spec_infrastructure_svn.json index 114fa863305..0a6457199d1 100644 --- a/src/confcom/samples/aci/minimal/policy_spec_infrastructure_svn.json +++ b/src/confcom/samples/aci/minimal/policy_spec_infrastructure_svn.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -67,6 +69,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { @@ -79,16 +82,9 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "99" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "infrastructure_fragment_min_svn": "99", + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/multi_container_groups/policy_spec.json b/src/confcom/samples/aci/multi_container_groups/policy_spec.json index 5fbd021214f..3a5ed552981 100644 --- a/src/confcom/samples/aci/multi_container_groups/policy_spec.json 
+++ b/src/confcom/samples/aci/multi_container_groups/policy_spec.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -67,6 +69,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { @@ -79,24 +82,18 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "profile": "strict" }, { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -159,6 +156,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { @@ -171,16 +169,8 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/multi_container_groups/policy_spec_debug.json b/src/confcom/samples/aci/multi_container_groups/policy_spec_debug.json index 73636eff9c7..329212c944b 100644 --- a/src/confcom/samples/aci/multi_container_groups/policy_spec_debug.json +++ b/src/confcom/samples/aci/multi_container_groups/policy_spec_debug.json 
@@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -72,13 +74,15 @@ "allow_stdio_access": true, "command": [ "/bin/sh" - ] + ], + "signals": [] }, { "allow_stdio_access": true, "command": [ "/bin/bash" - ] + ], + "signals": [] } ], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", @@ -93,24 +97,18 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "profile": "debug" }, { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -178,13 +176,15 @@ "allow_stdio_access": true, "command": [ "/bin/sh" - ] + ], + "signals": [] }, { "allow_stdio_access": true, "command": [ "/bin/bash" - ] + ], + "signals": [] } ], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", @@ -199,16 +199,8 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "profile": "debug" } ] diff --git a/src/confcom/samples/aci/multi_container_groups/policy_spec_disable_stdio.json b/src/confcom/samples/aci/multi_container_groups/policy_spec_disable_stdio.json index 805e716069f..261f530ba6b 100644 
--- a/src/confcom/samples/aci/multi_container_groups/policy_spec_disable_stdio.json +++ b/src/confcom/samples/aci/multi_container_groups/policy_spec_disable_stdio.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": false, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": false, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -67,6 +69,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { @@ -79,24 +82,18 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "profile": "strict" }, { + "allow_stdio_access": false, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": false, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -159,6 +156,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { @@ -171,16 +169,8 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/multi_container_groups/policy_spec_exclude_default_fragment.json b/src/confcom/samples/aci/multi_container_groups/policy_spec_exclude_default_fragment.json index cd494a812ed..8963675c8f1 100644 
--- a/src/confcom/samples/aci/multi_container_groups/policy_spec_exclude_default_fragment.json +++ b/src/confcom/samples/aci/multi_container_groups/policy_spec_exclude_default_fragment.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -67,6 +69,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { @@ -78,14 +81,19 @@ ] } } - ] + ], + "fragments": [], + "include_infrastructure_fragment": false, + "profile": "strict" }, { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -148,6 +156,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { @@ -159,6 +168,9 @@ ] } } - ] + ], + "fragments": [], + "include_infrastructure_fragment": false, + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/multi_container_groups/policy_spec_infrastructure_svn.json b/src/confcom/samples/aci/multi_container_groups/policy_spec_infrastructure_svn.json index 57342aa3600..7a1e6deef3b 100644 --- a/src/confcom/samples/aci/multi_container_groups/policy_spec_infrastructure_svn.json +++ b/src/confcom/samples/aci/multi_container_groups/policy_spec_infrastructure_svn.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", 
@@ -67,6 +69,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { @@ -79,24 +82,19 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "99" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "infrastructure_fragment_min_svn": "99", + "profile": "strict" }, { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -159,6 +157,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { @@ -171,16 +170,9 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "99" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "infrastructure_fragment_min_svn": "99", + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/multi_containers/policy_spec.json b/src/confcom/samples/aci/multi_containers/policy_spec.json index 877e898ad5d..d714b4c690d 100644 --- a/src/confcom/samples/aci/multi_containers/policy_spec.json +++ b/src/confcom/samples/aci/multi_containers/policy_spec.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", 
@@ -67,6 +69,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { @@ -82,6 +85,7 @@ "name": "container2", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -144,6 +148,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { @@ -156,16 +161,8 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/multi_containers/policy_spec_debug.json b/src/confcom/samples/aci/multi_containers/policy_spec_debug.json index 82eb27468b4..65386bd993d 100644 --- a/src/confcom/samples/aci/multi_containers/policy_spec_debug.json +++ b/src/confcom/samples/aci/multi_containers/policy_spec_debug.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -72,13 +74,15 @@ "allow_stdio_access": true, "command": [ "/bin/sh" - ] + ], + "signals": [] }, { "allow_stdio_access": true, "command": [ "/bin/bash" - ] + ], + "signals": [] } ], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", @@ -96,6 +100,7 @@ "name": "container2", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", 
@@ -163,13 +168,15 @@ "allow_stdio_access": true, "command": [ "/bin/sh" - ] + ], + "signals": [] }, { "allow_stdio_access": true, "command": [ "/bin/bash" - ] + ], + "signals": [] } ], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", @@ -184,16 +191,8 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "profile": "debug" } ] diff --git a/src/confcom/samples/aci/multi_containers/policy_spec_disable_stdio.json b/src/confcom/samples/aci/multi_containers/policy_spec_disable_stdio.json index f8931409f45..bd08dc4721b 100644 --- a/src/confcom/samples/aci/multi_containers/policy_spec_disable_stdio.json +++ b/src/confcom/samples/aci/multi_containers/policy_spec_disable_stdio.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": false, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": false, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -67,6 +69,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { @@ -82,6 +85,7 @@ "name": "container2", "properties": { "allowStdioAccess": false, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -144,6 +148,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { 
@@ -156,16 +161,8 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/multi_containers/policy_spec_exclude_default_fragment.json b/src/confcom/samples/aci/multi_containers/policy_spec_exclude_default_fragment.json index 4c6084de7a4..d52c5482168 100644 --- a/src/confcom/samples/aci/multi_containers/policy_spec_exclude_default_fragment.json +++ b/src/confcom/samples/aci/multi_containers/policy_spec_exclude_default_fragment.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -67,6 +69,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { @@ -82,6 +85,7 @@ "name": "container2", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -144,6 +148,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { @@ -155,6 +160,9 @@ ] } } - ] + ], + "fragments": [], + "include_infrastructure_fragment": false, + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/multi_containers/policy_spec_infrastructure_svn.json b/src/confcom/samples/aci/multi_containers/policy_spec_infrastructure_svn.json index d5dadc66b4c..0f0f77eebf1 100644 --- a/src/confcom/samples/aci/multi_containers/policy_spec_infrastructure_svn.json 
+++ b/src/confcom/samples/aci/multi_containers/policy_spec_infrastructure_svn.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -67,6 +69,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { @@ -82,6 +85,7 @@ "name": "container2", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -144,6 +148,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { @@ -156,16 +161,9 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "99" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "infrastructure_fragment_min_svn": "99", + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/security_context_capabilities_add/policy_spec.json b/src/confcom/samples/aci/security_context_capabilities_add/policy_spec.json index 1ce5021de2e..fc290f4a9ba 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add/policy_spec.json +++ b/src/confcom/samples/aci/security_context_capabilities_add/policy_spec.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", 
@@ -67,13 +69,15 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "securityContext": { "capabilities": { "add": [ "CAP_SYS_TIME", "CAP_DAC_READ_SEARCH" - ] + ], + "drop": [] } }, "volumeMounts": [ @@ -87,16 +91,8 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/security_context_capabilities_add/policy_spec_debug.json b/src/confcom/samples/aci/security_context_capabilities_add/policy_spec_debug.json index ba65d88f134..8fe3692fe06 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add/policy_spec_debug.json +++ b/src/confcom/samples/aci/security_context_capabilities_add/policy_spec_debug.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -72,13 +74,15 @@ "allow_stdio_access": true, "command": [ "/bin/sh" - ] + ], + "signals": [] }, { "allow_stdio_access": true, "command": [ "/bin/bash" - ] + ], + "signals": [] } ], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", @@ -87,7 +91,8 @@ "add": [ "CAP_SYS_TIME", "CAP_DAC_READ_SEARCH" - ] + ], + "drop": [] } }, "volumeMounts": [ 
@@ -101,16 +106,8 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "profile": "debug" } ] diff --git a/src/confcom/samples/aci/security_context_capabilities_add/policy_spec_disable_stdio.json b/src/confcom/samples/aci/security_context_capabilities_add/policy_spec_disable_stdio.json index 6ff549d70b5..f2fa6095cae 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add/policy_spec_disable_stdio.json +++ b/src/confcom/samples/aci/security_context_capabilities_add/policy_spec_disable_stdio.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": false, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": false, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -67,13 +69,15 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "securityContext": { "capabilities": { "add": [ "CAP_SYS_TIME", "CAP_DAC_READ_SEARCH" - ] + ], + "drop": [] } }, "volumeMounts": [ @@ -87,16 +91,8 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/security_context_capabilities_add/policy_spec_exclude_default_fragment.json b/src/confcom/samples/aci/security_context_capabilities_add/policy_spec_exclude_default_fragment.json index da524699682..367cac77e47 100644 
--- a/src/confcom/samples/aci/security_context_capabilities_add/policy_spec_exclude_default_fragment.json +++ b/src/confcom/samples/aci/security_context_capabilities_add/policy_spec_exclude_default_fragment.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -67,13 +69,15 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "securityContext": { "capabilities": { "add": [ "CAP_SYS_TIME", "CAP_DAC_READ_SEARCH" - ] + ], + "drop": [] } }, "volumeMounts": [ @@ -86,6 +90,9 @@ ] } } - ] + ], + "fragments": [], + "include_infrastructure_fragment": false, + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/security_context_capabilities_add/policy_spec_infrastructure_svn.json b/src/confcom/samples/aci/security_context_capabilities_add/policy_spec_infrastructure_svn.json index 77c33ceb10d..d045a985904 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add/policy_spec_infrastructure_svn.json +++ b/src/confcom/samples/aci/security_context_capabilities_add/policy_spec_infrastructure_svn.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -67,13 +69,15 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "securityContext": { "capabilities": { "add": [ "CAP_SYS_TIME", "CAP_DAC_READ_SEARCH" - ] + ], + "drop": [] } }, "volumeMounts": [ 
@@ -87,16 +91,9 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "99" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "infrastructure_fragment_min_svn": "99", + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec.json b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec.json index 6e3308db119..308b9744aa8 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec.json +++ b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -67,6 +69,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "securityContext": { "capabilities": { @@ -91,16 +94,8 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_debug.json b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_debug.json index 4a68a1f5fe4..5530814eedb 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_debug.json 
+++ b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_debug.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -72,13 +74,15 @@ "allow_stdio_access": true, "command": [ "/bin/sh" - ] + ], + "signals": [] }, { "allow_stdio_access": true, "command": [ "/bin/bash" - ] + ], + "signals": [] } ], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", @@ -105,16 +109,8 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "profile": "debug" } ] diff --git a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_disable_stdio.json b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_disable_stdio.json index 60816dc4644..1a83fee80da 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_disable_stdio.json +++ b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_disable_stdio.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": false, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": false, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -67,6 +69,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "securityContext": { "capabilities": { 
@@ -91,16 +94,8 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_exclude_default_fragment.json b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_exclude_default_fragment.json index 751f5a9c903..633243ca2e5 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_exclude_default_fragment.json +++ b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_exclude_default_fragment.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -67,6 +69,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "securityContext": { "capabilities": { @@ -90,6 +93,9 @@ ] } } - ] + ], + "fragments": [], + "include_infrastructure_fragment": false, + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_infrastructure_svn.json b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_infrastructure_svn.json index 1509f3f269d..ef2028703e2 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_infrastructure_svn.json +++ b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_infrastructure_svn.json 
@@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -67,6 +69,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "securityContext": { "capabilities": { @@ -91,16 +94,9 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "99" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "infrastructure_fragment_min_svn": "99", + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec.json b/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec.json index 5152083c85e..fe1bc6433ad 100644 --- a/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec.json +++ b/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -67,9 +69,11 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "securityContext": { "capabilities": { + "add": [], "drop": [ "CAP_CHOWN", "CAP_KILL" 
@@ -87,16 +91,8 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_debug.json b/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_debug.json index 4016c4b7bd5..c8c44328829 100644 --- a/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_debug.json +++ b/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_debug.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -72,18 +74,21 @@ "allow_stdio_access": true, "command": [ "/bin/sh" - ] + ], + "signals": [] }, { "allow_stdio_access": true, "command": [ "/bin/bash" - ] + ], + "signals": [] } ], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "securityContext": { "capabilities": { + "add": [], "drop": [ "CAP_CHOWN", "CAP_KILL" @@ -101,16 +106,8 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "profile": "debug" } ] diff --git a/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_disable_stdio.json b/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_disable_stdio.json index e674d085793..45d9d9ad632 100644 
--- a/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_disable_stdio.json +++ b/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_disable_stdio.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": false, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": false, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -67,9 +69,11 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "securityContext": { "capabilities": { + "add": [], "drop": [ "CAP_CHOWN", "CAP_KILL" @@ -87,16 +91,8 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_exclude_default_fragment.json b/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_exclude_default_fragment.json index 00176a897f8..7e65411d841 100644 --- a/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_exclude_default_fragment.json +++ b/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_exclude_default_fragment.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -67,9 +69,11 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "securityContext": { "capabilities": { + "add": [], "drop": [ "CAP_CHOWN", "CAP_KILL" 
@@ -86,6 +90,9 @@ ] } } - ] + ], + "fragments": [], + "include_infrastructure_fragment": false, + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_infrastructure_svn.json b/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_infrastructure_svn.json index 6c5d18358de..b6f56fbb822 100644 --- a/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_infrastructure_svn.json +++ b/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_infrastructure_svn.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -67,9 +69,11 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "securityContext": { "capabilities": { + "add": [], "drop": [ "CAP_CHOWN", "CAP_KILL" @@ -87,16 +91,9 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "99" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "infrastructure_fragment_min_svn": "99", + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/security_context_run_as_group/policy_spec.json b/src/confcom/samples/aci/security_context_run_as_group/policy_spec.json index 6c5c107d06a..8efc045afe3 100644 --- a/src/confcom/samples/aci/security_context_run_as_group/policy_spec.json +++ b/src/confcom/samples/aci/security_context_run_as_group/policy_spec.json 
@@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -67,6 +69,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "securityContext": { "runAsGroup": 4567 @@ -82,16 +85,8 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/security_context_run_as_group/policy_spec_debug.json b/src/confcom/samples/aci/security_context_run_as_group/policy_spec_debug.json index a1a4cf20296..70b36dedc97 100644 --- a/src/confcom/samples/aci/security_context_run_as_group/policy_spec_debug.json +++ b/src/confcom/samples/aci/security_context_run_as_group/policy_spec_debug.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -72,13 +74,15 @@ "allow_stdio_access": true, "command": [ "/bin/sh" - ] + ], + "signals": [] }, { "allow_stdio_access": true, "command": [ "/bin/bash" - ] + ], + "signals": [] } ], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", 
@@ -96,16 +100,8 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "profile": "debug" } ] diff --git a/src/confcom/samples/aci/security_context_run_as_group/policy_spec_disable_stdio.json b/src/confcom/samples/aci/security_context_run_as_group/policy_spec_disable_stdio.json index 5a17856bcca..f3ee246e940 100644 --- a/src/confcom/samples/aci/security_context_run_as_group/policy_spec_disable_stdio.json +++ b/src/confcom/samples/aci/security_context_run_as_group/policy_spec_disable_stdio.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": false, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": false, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -67,6 +69,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "securityContext": { "runAsGroup": 4567 @@ -82,16 +85,8 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/security_context_run_as_group/policy_spec_exclude_default_fragment.json b/src/confcom/samples/aci/security_context_run_as_group/policy_spec_exclude_default_fragment.json index dcbe20d1e5c..5c8bb9628bb 100644 --- a/src/confcom/samples/aci/security_context_run_as_group/policy_spec_exclude_default_fragment.json 
+++ b/src/confcom/samples/aci/security_context_run_as_group/policy_spec_exclude_default_fragment.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -67,6 +69,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "securityContext": { "runAsGroup": 4567 @@ -81,6 +84,9 @@ ] } } - ] + ], + "fragments": [], + "include_infrastructure_fragment": false, + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/security_context_run_as_group/policy_spec_infrastructure_svn.json b/src/confcom/samples/aci/security_context_run_as_group/policy_spec_infrastructure_svn.json index c7fafffd4ac..a0c793e10f3 100644 --- a/src/confcom/samples/aci/security_context_run_as_group/policy_spec_infrastructure_svn.json +++ b/src/confcom/samples/aci/security_context_run_as_group/policy_spec_infrastructure_svn.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -67,6 +69,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "securityContext": { "runAsGroup": 4567 @@ -82,16 +85,9 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "99" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "infrastructure_fragment_min_svn": "99", + "profile": "strict" } ] 
diff --git a/src/confcom/samples/aci/security_context_run_as_user/policy_spec.json b/src/confcom/samples/aci/security_context_run_as_user/policy_spec.json index 43ca0455645..1264ec2fca4 100644 --- a/src/confcom/samples/aci/security_context_run_as_user/policy_spec.json +++ b/src/confcom/samples/aci/security_context_run_as_user/policy_spec.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -67,6 +69,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "securityContext": { "runAsUser": 1234 @@ -82,16 +85,8 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/security_context_run_as_user/policy_spec_debug.json b/src/confcom/samples/aci/security_context_run_as_user/policy_spec_debug.json index 48a560a95b4..598162a899a 100644 --- a/src/confcom/samples/aci/security_context_run_as_user/policy_spec_debug.json +++ b/src/confcom/samples/aci/security_context_run_as_user/policy_spec_debug.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", 
@@ -72,13 +74,15 @@ "allow_stdio_access": true, "command": [ "/bin/sh" - ] + ], + "signals": [] }, { "allow_stdio_access": true, "command": [ "/bin/bash" - ] + ], + "signals": [] } ], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", @@ -96,16 +100,8 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "profile": "debug" } ] diff --git a/src/confcom/samples/aci/security_context_run_as_user/policy_spec_disable_stdio.json b/src/confcom/samples/aci/security_context_run_as_user/policy_spec_disable_stdio.json index 6291f2d79be..9bb5ce4c3f5 100644 --- a/src/confcom/samples/aci/security_context_run_as_user/policy_spec_disable_stdio.json +++ b/src/confcom/samples/aci/security_context_run_as_user/policy_spec_disable_stdio.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": false, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": false, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -67,6 +69,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "securityContext": { "runAsUser": 1234 @@ -82,16 +85,8 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "profile": "strict" } ] 
diff --git a/src/confcom/samples/aci/security_context_run_as_user/policy_spec_exclude_default_fragment.json b/src/confcom/samples/aci/security_context_run_as_user/policy_spec_exclude_default_fragment.json index 44e77cd435e..552a2e2a124 100644 --- a/src/confcom/samples/aci/security_context_run_as_user/policy_spec_exclude_default_fragment.json +++ b/src/confcom/samples/aci/security_context_run_as_user/policy_spec_exclude_default_fragment.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -67,6 +69,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "securityContext": { "runAsUser": 1234 @@ -81,6 +84,9 @@ ] } } - ] + ], + "fragments": [], + "include_infrastructure_fragment": false, + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/security_context_run_as_user/policy_spec_infrastructure_svn.json b/src/confcom/samples/aci/security_context_run_as_user/policy_spec_infrastructure_svn.json index 6297d212c0b..989c3450d40 100644 --- a/src/confcom/samples/aci/security_context_run_as_user/policy_spec_infrastructure_svn.json +++ b/src/confcom/samples/aci/security_context_run_as_user/policy_spec_infrastructure_svn.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -67,6 +69,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "securityContext": { "runAsUser": 1234 
@@ -82,16 +85,9 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "99" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "infrastructure_fragment_min_svn": "99", + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/variables/policy_spec.json b/src/confcom/samples/aci/variables/policy_spec.json index e9e19db5518..e859e163f86 100644 --- a/src/confcom/samples/aci/variables/policy_spec.json +++ b/src/confcom/samples/aci/variables/policy_spec.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -67,6 +69,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { @@ -79,16 +82,8 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/variables/policy_spec_debug.json b/src/confcom/samples/aci/variables/policy_spec_debug.json index 5de92ea1974..49c843c2028 100644 --- a/src/confcom/samples/aci/variables/policy_spec_debug.json +++ b/src/confcom/samples/aci/variables/policy_spec_debug.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", 
@@ -72,13 +74,15 @@ "allow_stdio_access": true, "command": [ "/bin/sh" - ] + ], + "signals": [] }, { "allow_stdio_access": true, "command": [ "/bin/bash" - ] + ], + "signals": [] } ], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", @@ -93,16 +97,8 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "profile": "debug" } ] diff --git a/src/confcom/samples/aci/variables/policy_spec_disable_stdio.json b/src/confcom/samples/aci/variables/policy_spec_disable_stdio.json index 294c00082d4..8aeef6ad9c2 100644 --- a/src/confcom/samples/aci/variables/policy_spec_disable_stdio.json +++ b/src/confcom/samples/aci/variables/policy_spec_disable_stdio.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": false, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": false, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -67,6 +69,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { @@ -79,16 +82,8 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "profile": "strict" } ] 
diff --git a/src/confcom/samples/aci/variables/policy_spec_exclude_default_fragment.json b/src/confcom/samples/aci/variables/policy_spec_exclude_default_fragment.json index 088603e0a32..e1b9f9e5eff 100644 --- a/src/confcom/samples/aci/variables/policy_spec_exclude_default_fragment.json +++ b/src/confcom/samples/aci/variables/policy_spec_exclude_default_fragment.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -67,6 +69,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { @@ -78,6 +81,9 @@ ] } } - ] + ], + "fragments": [], + "include_infrastructure_fragment": false, + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/variables/policy_spec_infrastructure_svn.json b/src/confcom/samples/aci/variables/policy_spec_infrastructure_svn.json index 114fa863305..0a6457199d1 100644 --- a/src/confcom/samples/aci/variables/policy_spec_infrastructure_svn.json +++ b/src/confcom/samples/aci/variables/policy_spec_infrastructure_svn.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -67,6 +69,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { 
@@ -79,16 +82,9 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "99" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "infrastructure_fragment_min_svn": "99", + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/volume_mount_secret/policy_spec.json b/src/confcom/samples/aci/volume_mount_secret/policy_spec.json index 7948b8c6af4..75c6a645753 100644 --- a/src/confcom/samples/aci/volume_mount_secret/policy_spec.json +++ b/src/confcom/samples/aci/volume_mount_secret/policy_spec.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -67,6 +69,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { @@ -84,16 +87,8 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/volume_mount_secret/policy_spec_debug.json b/src/confcom/samples/aci/volume_mount_secret/policy_spec_debug.json index 5d5abcc2f18..d61d4c21a2b 100644 --- a/src/confcom/samples/aci/volume_mount_secret/policy_spec_debug.json +++ b/src/confcom/samples/aci/volume_mount_secret/policy_spec_debug.json 
@@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -72,13 +74,15 @@ "allow_stdio_access": true, "command": [ "/bin/sh" - ] + ], + "signals": [] }, { "allow_stdio_access": true, "command": [ "/bin/bash" - ] + ], + "signals": [] } ], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", @@ -98,16 +102,8 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "profile": "debug" } ] diff --git a/src/confcom/samples/aci/volume_mount_secret/policy_spec_disable_stdio.json b/src/confcom/samples/aci/volume_mount_secret/policy_spec_disable_stdio.json index 2ff9bd29237..5983347d2ba 100644 --- a/src/confcom/samples/aci/volume_mount_secret/policy_spec_disable_stdio.json +++ b/src/confcom/samples/aci/volume_mount_secret/policy_spec_disable_stdio.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": false, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": false, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -67,6 +69,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { 
@@ -84,16 +87,8 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/volume_mount_secret/policy_spec_exclude_default_fragment.json b/src/confcom/samples/aci/volume_mount_secret/policy_spec_exclude_default_fragment.json index da4371bbb1a..99a270ced0f 100644 --- a/src/confcom/samples/aci/volume_mount_secret/policy_spec_exclude_default_fragment.json +++ b/src/confcom/samples/aci/volume_mount_secret/policy_spec_exclude_default_fragment.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -67,6 +69,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { @@ -83,6 +86,9 @@ ] } } - ] + ], + "fragments": [], + "include_infrastructure_fragment": false, + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/volume_mount_secret/policy_spec_infrastructure_svn.json b/src/confcom/samples/aci/volume_mount_secret/policy_spec_infrastructure_svn.json index 1d1ee2e8156..19c7fcd975f 100644 --- a/src/confcom/samples/aci/volume_mount_secret/policy_spec_infrastructure_svn.json +++ b/src/confcom/samples/aci/volume_mount_secret/policy_spec_infrastructure_svn.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", 
@@ -67,6 +69,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { @@ -84,16 +87,9 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "99" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "infrastructure_fragment_min_svn": "99", + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/volume_mounts/policy_spec.json b/src/confcom/samples/aci/volume_mounts/policy_spec.json index 9778b66ca97..7c5fab9a2da 100644 --- a/src/confcom/samples/aci/volume_mounts/policy_spec.json +++ b/src/confcom/samples/aci/volume_mounts/policy_spec.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -67,6 +69,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { @@ -84,16 +87,8 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/volume_mounts/policy_spec_debug.json b/src/confcom/samples/aci/volume_mounts/policy_spec_debug.json index 150318ce7e1..f4d3cf7179f 100644 --- a/src/confcom/samples/aci/volume_mounts/policy_spec_debug.json 
+++ b/src/confcom/samples/aci/volume_mounts/policy_spec_debug.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -72,13 +74,15 @@ "allow_stdio_access": true, "command": [ "/bin/sh" - ] + ], + "signals": [] }, { "allow_stdio_access": true, "command": [ "/bin/bash" - ] + ], + "signals": [] } ], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", @@ -98,16 +102,8 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "profile": "debug" } ] diff --git a/src/confcom/samples/aci/volume_mounts/policy_spec_disable_stdio.json b/src/confcom/samples/aci/volume_mounts/policy_spec_disable_stdio.json index 6f4b2759dc5..ab7d82918bc 100644 --- a/src/confcom/samples/aci/volume_mounts/policy_spec_disable_stdio.json +++ b/src/confcom/samples/aci/volume_mounts/policy_spec_disable_stdio.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": false, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": false, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -67,6 +69,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { 
@@ -84,16 +87,8 @@ } } ], - "fragments": [ - { - "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", - "includes": [ - "containers", - "fragments" - ], - "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" - } - ] + "fragments": [], + "include_infrastructure_fragment": true, + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/volume_mounts/policy_spec_exclude_default_fragment.json b/src/confcom/samples/aci/volume_mounts/policy_spec_exclude_default_fragment.json index ad0a34848aa..4447b8e0835 100644 --- a/src/confcom/samples/aci/volume_mounts/policy_spec_exclude_default_fragment.json +++ b/src/confcom/samples/aci/volume_mounts/policy_spec_exclude_default_fragment.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", @@ -67,6 +69,7 @@ "value": ".+" } ], + "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { @@ -83,6 +86,9 @@ ] } } - ] + ], + "fragments": [], + "include_infrastructure_fragment": false, + "profile": "strict" } ] diff --git a/src/confcom/samples/aci/volume_mounts/policy_spec_infrastructure_svn.json b/src/confcom/samples/aci/volume_mounts/policy_spec_infrastructure_svn.json index 2b1403a9360..090911e30cd 100644 --- a/src/confcom/samples/aci/volume_mounts/policy_spec_infrastructure_svn.json +++ b/src/confcom/samples/aci/volume_mounts/policy_spec_infrastructure_svn.json @@ -1,10 +1,12 @@ [ { + "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { "allowStdioAccess": true, + "command": [], "environmentVariables": [ { "name": "TERM", 
@@ -67,6 +69,7 @@ "value": ".+" } ],
+ "execProcesses": [],
 "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ {
@@ -84,16 +87,9 @@ } } ],
- "fragments": [
- {
- "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment",
- "includes": [
- "containers",
- "fragments"
- ],
- "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3",
- "minimum_svn": "99"
- }
- ]
+ "fragments": [],
+ "include_infrastructure_fragment": true,
+ "infrastructure_fragment_min_svn": "99",
+ "profile": "strict"
 } ]
From ea29703b4daa7731b4b806c12bc3c6e6b0224e23 Mon Sep 17 00:00:00 2001
From: Dominic Ayre
Date: Fri, 26 Sep 2025 17:13:31 +0000
Subject: [PATCH 05/16] Small fixes in other tests
---
 .../lib/arm_to_aci_policy_spec.py | 2 +-
 .../tests/latest/test_confcom_arm.py | 10 +++-----
 .../tests/latest/test_confcom_fragment.py | 25 ++++++++-----------
 .../tests/latest/test_confcom_scenario.py | 15 +++++------
 4 files changed, 21 insertions(+), 31 deletions(-)
diff --git a/src/confcom/azext_confcom/lib/arm_to_aci_policy_spec.py b/src/confcom/azext_confcom/lib/arm_to_aci_policy_spec.py
index f2fcd221593..8ebf8833bf4 100644
--- a/src/confcom/azext_confcom/lib/arm_to_aci_policy_spec.py
+++ b/src/confcom/azext_confcom/lib/arm_to_aci_policy_spec.py
@@ -218,7 +218,7 @@ def arm_container_group_to_aci_policy_spec(
 for c in containers + container_group.get("properties", {}).get("initContainers", [])
 ],
 profile="debug" if debug_mode else "strict",
- include_infrastructure_fragment=include_infrastructure_fragment,
+ include_infrastructure_fragment=not container_group.get("tags", {}).get("Annotate-zero-sidecar", not include_infrastructure_fragment),
 infrastructure_fragment_min_svn=infrastructure_fragment_min_svn,
 allow_stdio_access=allow_stdio_access,
 )
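Review bot: The new `include_infrastructure_fragment=` expression treats any present `Annotate-zero-sidecar` tag as truthy, so a tag whose value is the string `"false"` (ARM tag values are strings) still disables the infrastructure fragment, and a template whose `tags` is JSON `null` makes the chained `.get` fail on `None`. The double negation also hides that a tag silently overrides the flag the caller passed in. A clearer form would be `tags = container_group.get("tags") or {}`, then `zero_sidecar = str(tags.get("Annotate-zero-sidecar", "")).lower() == "true"`, then `include_infrastructure_fragment=include_infrastructure_fragment and not zero_sidecar,`, with a comment recording that the tag can drop the infrastructure fragment, since that changes which containers the deployed confidential ACI policy accepts. The keyword-argument call and the body of arm_container_group_to_aci_policy_spec begin before the hunk.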
diff --git a/src/confcom/azext_confcom/tests/latest/test_confcom_arm.py b/src/confcom/azext_confcom/tests/latest/test_confcom_arm.py index cd5f0be05f6..4dcd1050bc4 100644 --- a/src/confcom/azext_confcom/tests/latest/test_confcom_arm.py +++ b/src/confcom/azext_confcom/tests/latest/test_confcom_arm.py @@ -204,9 +204,8 @@ class PolicyGeneratingArm(unittest.TestCase): @classmethod def setUpClass(cls): - with load_policy_from_json(cls.custom_json) as aci_policy: - aci_policy.populate_policy_content_for_all_images() - cls.aci_policy = aci_policy + cls.aci_policy = load_policy_from_json(cls.custom_json)[0] + cls.aci_policy.populate_policy_content_for_all_images() cls.aci_arm_policy = load_policy_from_arm_template_str(cls.custom_arm_json, "")[ 0 @@ -3566,9 +3565,8 @@ class PolicyGeneratingArmWildcardEnvs(unittest.TestCase): @classmethod def setUpClass(cls): - with load_policy_from_json(cls.custom_json) as aci_policy: - aci_policy.populate_policy_content_for_all_images() - cls.aci_policy = aci_policy + cls.aci_policy = load_policy_from_json(cls.custom_json)[0] + cls.aci_policy.populate_policy_content_for_all_images() with patch('builtins.input', return_value='y'): cls.aci_arm_policy = load_policy_from_arm_template_str(cls.custom_arm_json, "")[ diff --git a/src/confcom/azext_confcom/tests/latest/test_confcom_fragment.py b/src/confcom/azext_confcom/tests/latest/test_confcom_fragment.py index 2725ede31c0..fd93186c080 100644 --- a/src/confcom/azext_confcom/tests/latest/test_confcom_fragment.py +++ b/src/confcom/azext_confcom/tests/latest/test_confcom_fragment.py 
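Review bot: Replacing the `with load_policy_from_json(...) as aci_policy:` block with a plain `[0]` index means the loaded policy's context-manager exit path is no longer run in setUpClass; if that exit released anything (temporary files or pulled-image handles are not visible here), these fixtures now skip it. The same substitution appears in the test_confcom_fragment and test_confcom_scenario hunks of this commit and the test_confcom_image hunk of the next one, so one decision should cover them all. A short comment such as `# load_policy_from_json now returns a list of policies; this fixture has a single container group` would record why index 0 is safe for each fixture.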
@@ -115,9 +115,8 @@ class FragmentMountEnforcement(unittest.TestCase): @classmethod def setUpClass(cls): - with load_policy_from_json(cls.custom_json) as aci_policy: - aci_policy.populate_policy_content_for_all_images() - cls.aci_policy = aci_policy + cls.aci_policy = load_policy_from_json(cls.custom_json)[0] + cls.aci_policy.populate_policy_content_for_all_images() def test_fragment_user_container_customized_mounts(self): image = next( @@ -345,9 +344,8 @@ class FragmentGenerating(unittest.TestCase): @classmethod def setUpClass(cls): - with load_policy_from_json(cls.custom_json) as aci_policy: - aci_policy.populate_policy_content_for_all_images() - cls.aci_policy = aci_policy + cls.aci_policy = load_policy_from_json(cls.custom_json)[0] + cls.aci_policy.populate_policy_content_for_all_images() def test_fragment_omit_id(self): @@ -613,9 +611,8 @@ class FragmentSidecarValidation(unittest.TestCase): @classmethod def setUpClass(cls): - with load_policy_from_json(cls.custom_json) as aci_policy: - aci_policy.populate_policy_content_for_all_images() - cls.aci_policy = aci_policy + cls.aci_policy = load_policy_from_json(cls.custom_json)[0] + cls.aci_policy.populate_policy_content_for_all_images() with load_policy_from_json(cls.custom_json2) as aci_policy2: aci_policy2.populate_policy_content_for_all_images() cls.aci_policy2 = aci_policy2 @@ -785,9 +782,8 @@ def setUpClass(cls): if item.returncode != 0: raise Exception("Error creating certificate chain") - with load_policy_from_json(cls.custom_json) as aci_policy: - aci_policy.populate_policy_content_for_all_images() - cls.aci_policy = aci_policy + cls.aci_policy = load_policy_from_json(cls.custom_json)[0] + cls.aci_policy.populate_policy_content_for_all_images() with load_policy_from_json(cls.custom_json2) as aci_policy2: aci_policy2.populate_policy_content_for_all_images() cls.aci_policy2 = aci_policy2 
@@ -935,9 +931,8 @@ class FragmentVirtualNode(unittest.TestCase): @classmethod def setUpClass(cls): - with load_policy_from_json(cls.custom_json) as aci_policy: - aci_policy.populate_policy_content_for_all_images() - cls.aci_policy = aci_policy + cls.aci_policy = load_policy_from_json(cls.custom_json)[0] + cls.aci_policy.populate_policy_content_for_all_images() def test_fragment_vn2_env_vars(self): image = self.aci_policy.get_images()[0] diff --git a/src/confcom/azext_confcom/tests/latest/test_confcom_scenario.py b/src/confcom/azext_confcom/tests/latest/test_confcom_scenario.py index c1a7049a318..dd8753353f6 100644 --- a/src/confcom/azext_confcom/tests/latest/test_confcom_scenario.py +++ b/src/confcom/azext_confcom/tests/latest/test_confcom_scenario.py @@ -62,9 +62,8 @@ class MountEnforcement(unittest.TestCase): @classmethod def setUpClass(cls): - with load_policy_from_json(cls.custom_json) as aci_policy: - aci_policy.populate_policy_content_for_all_images() - cls.aci_policy = aci_policy + cls.aci_policy = load_policy_from_json(cls.custom_json)[0] + cls.aci_policy.populate_policy_content_for_all_images() def test_user_container_customized_mounts(self): image = next( @@ -261,9 +260,8 @@ class PolicyGenerating(unittest.TestCase): @classmethod def setUpClass(cls): - with load_policy_from_json(cls.custom_json) as aci_policy: - aci_policy.populate_policy_content_for_all_images() - cls.aci_policy = aci_policy + cls.aci_policy = load_policy_from_json(cls.custom_json)[0] + cls.aci_policy.populate_policy_content_for_all_images() def test_injected_sidecar_container_msi(self): image = self.aci_policy.get_images()[0] 
@@ -461,9 +459,8 @@ class SidecarValidation(unittest.TestCase):
 @classmethod
 def setUpClass(cls):
- with load_policy_from_json(cls.custom_json) as aci_policy:
- aci_policy.populate_policy_content_for_all_images()
- cls.aci_policy = aci_policy
+ cls.aci_policy = load_policy_from_json(cls.custom_json)[0]
+ cls.aci_policy.populate_policy_content_for_all_images()
 with load_policy_from_json(cls.custom_json2) as aci_policy2:
 aci_policy2.populate_policy_content_for_all_images()
 cls.aci_policy2 = aci_policy2
From bcee81e913c8525a6acbd63b5096203ab8ed7b81 Mon Sep 17 00:00:00 2001
From: Dominic Ayre
Date: Fri, 26 Sep 2025 17:47:42 +0000
Subject: [PATCH 06/16] Fix more tests
---
 src/confcom/azext_confcom/custom.py | 2 +-
 .../tests/latest/test_confcom_fragment.py | 27 +-
 .../tests/latest/test_confcom_image.py | 10 +-
 .../tests/latest/test_confcom_scenario.py | 244 +++++++++---------
 .../tests/latest/test_confcom_virtual_node.py | 2 +-
 5 files changed, 139 insertions(+), 146 deletions(-)
diff --git a/src/confcom/azext_confcom/custom.py b/src/confcom/azext_confcom/custom.py
index 358faad1591..4054eb05487 100644
--- a/src/confcom/azext_confcom/custom.py
+++ b/src/confcom/azext_confcom/custom.py
@@ -314,7 +314,7 @@ def acifragmentgen_confcom(
 tar_mapping = os_util.load_tar_mapping_from_config_file(input_path)
 policy = security_policy.load_policy_from_json_file(
 input_path, debug_mode=debug_mode, disable_stdio=disable_stdio
- )
+ )[0]
 # get all of the fragments that are being used in the policy
 # and associate them with each container group
 fragment_policy_list = []
diff --git a/src/confcom/azext_confcom/tests/latest/test_confcom_fragment.py b/src/confcom/azext_confcom/tests/latest/test_confcom_fragment.py
index fd93186c080..070c0cc9c0d 100644
--- a/src/confcom/azext_confcom/tests/latest/test_confcom_fragment.py
+++ b/src/confcom/azext_confcom/tests/latest/test_confcom_fragment.py
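Review bot: Indexing `[0]` on `security_policy.load_policy_from_json_file(...)` keeps only the first policy and silently discards any others the loader now returns, so a multi-container-group input would yield a fragment covering just the first group with no error. If the loader can return more than one entry here, either iterate over all of them or reject the extras explicitly, e.g. `policies = security_policy.load_policy_from_json_file(...)` followed by `if len(policies) != 1: raise ValueError("acifragmentgen expects exactly one container group")` (or the project's own error type) before taking `policies[0]`. The body of acifragmentgen_confcom begins before the hunk and continues after it.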
@@ -502,13 +502,13 @@ def test_tar_file_fragment(self): out_tar.add(os.path.join(folder, "index.json"), "index.json") out_tar.add(os.path.join(folder, "blobs"), "blobs", recursive=True) - with load_policy_from_json(self.custom_json) as aci_policy: - aci_policy.populate_policy_content_for_all_images( - tar_mapping=tar_mapping_file - ) + aci_policy = load_policy_from_json(self.custom_json)[0] + aci_policy.populate_policy_content_for_all_images( + tar_mapping=tar_mapping_file + ) - clean_room_fragment_text = aci_policy.generate_fragment("payload", "1", OutputType.RAW) - self.assertIsNotNone(clean_room_fragment_text) + clean_room_fragment_text = aci_policy.generate_fragment("payload", "1", OutputType.RAW) + self.assertIsNotNone(clean_room_fragment_text) except Exception as e: raise AccContainerError("Could not get image from tar file") from e @@ -535,9 +535,8 @@ class FragmentPolicyGeneratingDebugMode(unittest.TestCase): @classmethod def setUpClass(cls): - with load_policy_from_json(cls.custom_json, debug_mode=True) as aci_policy: - aci_policy.populate_policy_content_for_all_images() - cls.aci_policy = aci_policy + cls.aci_policy = load_policy_from_json(cls.custom_json, debug_mode=True)[0] + cls.aci_policy.populate_policy_content_for_all_images() def test_debug_processes(self): policy = self.aci_policy.get_serialized_output( @@ -613,9 +612,8 @@ class FragmentSidecarValidation(unittest.TestCase): def setUpClass(cls): cls.aci_policy = load_policy_from_json(cls.custom_json)[0] cls.aci_policy.populate_policy_content_for_all_images() - with load_policy_from_json(cls.custom_json2) as aci_policy2: - aci_policy2.populate_policy_content_for_all_images() - cls.aci_policy2 = aci_policy2 + cls.aci_policy2 = load_policy_from_json(cls.custom_json2)[0] + cls.aci_policy2.populate_policy_content_for_all_images() def test_fragment_sidecar(self): is_valid, diff = self.aci_policy.validate_sidecars() 
@@ -784,9 +782,8 @@ def setUpClass(cls): cls.aci_policy = load_policy_from_json(cls.custom_json)[0] cls.aci_policy.populate_policy_content_for_all_images() - with load_policy_from_json(cls.custom_json2) as aci_policy2: - aci_policy2.populate_policy_content_for_all_images() - cls.aci_policy2 = aci_policy2 + cls.aci_policy2 = load_policy_from_json(cls.custom_json2)[0] + cls.aci_policy2.populate_policy_content_for_all_images() def test_signing(self): filename = "payload.rego" diff --git a/src/confcom/azext_confcom/tests/latest/test_confcom_image.py b/src/confcom/azext_confcom/tests/latest/test_confcom_image.py index 9b95e82cc6d..efa48fc468f 100644 --- a/src/confcom/azext_confcom/tests/latest/test_confcom_image.py +++ b/src/confcom/azext_confcom/tests/latest/test_confcom_image.py @@ -42,9 +42,8 @@ def setUpClass(cls): with load_policy_from_image_name("mcr.microsoft.com/azurelinux/base/python:3.12") as aci_policy: aci_policy.populate_policy_content_for_all_images(individual_image=True) cls.aci_policy = aci_policy - with load_policy_from_json(cls.custom_json) as custom_policy: - custom_policy.populate_policy_content_for_all_images() - cls.custom_policy = custom_policy + cls.custom_policy = load_policy_from_json(cls.custom_json)[0] + cls.custom_policy.populate_policy_content_for_all_images() def test_image_policy(self): # deep diff the output policies from the regular policy.json and the single image 
@@ -78,9 +77,8 @@ def setUpClass(cls): ) as aci_policy: aci_policy.populate_policy_content_for_all_images(individual_image=True) cls.aci_policy = aci_policy - with load_policy_from_json(cls.custom_json) as custom_policy: - custom_policy.populate_policy_content_for_all_images(individual_image=True) - cls.custom_policy = custom_policy + cls.custom_policy = load_policy_from_json(cls.custom_json)[0] + cls.custom_policy.populate_policy_content_for_all_images(individual_image=True) def test_sidecar_image_policy(self): self.assertEqual(self.aci_policy.get_serialized_output(), self.custom_policy.get_serialized_output()) diff --git a/src/confcom/azext_confcom/tests/latest/test_confcom_scenario.py b/src/confcom/azext_confcom/tests/latest/test_confcom_scenario.py index dd8753353f6..91e32e0a9ee 100644 --- a/src/confcom/azext_confcom/tests/latest/test_confcom_scenario.py +++ b/src/confcom/azext_confcom/tests/latest/test_confcom_scenario.py @@ -377,9 +377,8 @@ class PolicyGeneratingDebugMode(unittest.TestCase): @classmethod def setUpClass(cls): - with load_policy_from_json(cls.custom_json, debug_mode=True) as aci_policy: - aci_policy.populate_policy_content_for_all_images() - cls.aci_policy = aci_policy + cls.aci_policy = load_policy_from_json(cls.custom_json, debug_mode=True)[0] + cls.aci_policy.populate_policy_content_for_all_images() def test_debug_flags(self): @@ -461,9 +460,8 @@ class SidecarValidation(unittest.TestCase): def setUpClass(cls): cls.aci_policy = load_policy_from_json(cls.custom_json)[0] cls.aci_policy.populate_policy_content_for_all_images() - with load_policy_from_json(cls.custom_json2) as aci_policy2: - aci_policy2.populate_policy_content_for_all_images() - cls.aci_policy2 = aci_policy2 + cls.aci_policy2 = load_policy_from_json(cls.custom_json2)[0] + cls.aci_policy2.populate_policy_content_for_all_images() def test_sidecar(self): is_valid, diff = self.aci_policy.validate_sidecars() 
@@ -513,19 +511,19 @@ def test_customized_workingdir(self): ] } """ - with load_policy_from_json(custom_json) as aci_policy: - # pull actual image to local for next step - image = next( - ( - img - for img in aci_policy.get_images() - if isinstance(img, UserContainerImage) - ), - None, - ) - - expected_working_dir = "/customized/absolute/path" - self.assertEqual(image._workingDir, expected_working_dir) + aci_policy = load_policy_from_json(custom_json)[0] + # pull actual image to local for next step + image = next( + ( + img + for img in aci_policy.get_images() + if isinstance(img, UserContainerImage) + ), + None, + ) + + expected_working_dir = "/customized/absolute/path" + self.assertEqual(image._workingDir, expected_working_dir) def test_allow_elevated(self): custom_json = """ @@ -543,19 +541,19 @@ def test_allow_elevated(self): ] } """ - with load_policy_from_json(custom_json) as aci_policy: - # pull actual image to local for next step - image = next( - ( - img - for img in aci_policy.get_images() - if isinstance(img, UserContainerImage) - ), - None, - ) - - expected_allow_elevated = True - self.assertEqual(image._allow_elevated, expected_allow_elevated) + aci_policy = load_policy_from_json(custom_json)[0] + # pull actual image to local for next step + image = next( + ( + img + for img in aci_policy.get_images() + if isinstance(img, UserContainerImage) + ), + None, + ) + + expected_allow_elevated = True + self.assertEqual(image._allow_elevated, expected_allow_elevated) def test_image_layers_python(self): custom_json = """ 
@@ -571,21 +569,21 @@ def test_image_layers_python(self): ] } """ - with load_policy_from_json(custom_json) as aci_policy: - # pull actual image to local for next step - with DockerClient() as client: - image_ref = aci_policy.get_images()[0] - image = client.images.pull(image_ref.containerImage) - aci_policy.populate_policy_content_for_all_images() - layers = aci_policy.get_images()[0]._layers - expected_layers = [ - "679545575069dd4dc31f4d991094d669ca346950c3bc3aa465a9343a7369a8c9", - "ff808293653ce6dc4aa63381a8ceaec73c15618bbc6ccb30a44441d638c07af7", - "1dd5fd89c3a5a58b669d14d9a693aff3f16d3a8ec643c9d7f2d24f25297cfbc7" - ] - self.assertEqual(len(layers), len(expected_layers)) - for i in range(len(expected_layers)): - self.assertEqual(layers[i], expected_layers[i]) + aci_policy = load_policy_from_json(custom_json)[0] + # pull actual image to local for next step + with DockerClient() as client: + image_ref = aci_policy.get_images()[0] + image = client.images.pull(image_ref.containerImage) + aci_policy.populate_policy_content_for_all_images() + layers = aci_policy.get_images()[0]._layers + expected_layers = [ + "679545575069dd4dc31f4d991094d669ca346950c3bc3aa465a9343a7369a8c9", + "ff808293653ce6dc4aa63381a8ceaec73c15618bbc6ccb30a44441d638c07af7", + "1dd5fd89c3a5a58b669d14d9a693aff3f16d3a8ec643c9d7f2d24f25297cfbc7" + ] + self.assertEqual(len(layers), len(expected_layers)) + for i in range(len(expected_layers)): + self.assertEqual(layers[i], expected_layers[i]) def test_docker_pull(self): custom_json = """ 
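Review bot: The tail of test_image_layers_python on the new side compares the layer lists element by element with `for i in range(len(expected_layers)): self.assertEqual(layers[i], expected_layers[i])` after a separate length assertion; a single `self.assertEqual(layers, expected_layers)` covers both checks and prints a full diff of the two lists on failure. On the same new side `image = client.images.pull(image_ref.containerImage)` binds a name that is never read again in the hunk; since the pull appears to be wanted only for its side effect of making the image available locally, dropping the binding or keeping the existing "pull actual image to local for next step" comment next to a bare `client.images.pull(...)` makes that explicit. The same lines reappear in the later "Minimise diff in older tests" rewrite of this test in test_confcom_scenario.py.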
@@ -601,16 +599,16 @@ def test_docker_pull(self): ] } """ - with load_policy_from_json(custom_json) as aci_policy: - with DockerClient() as client: - image_ref = aci_policy.get_images()[0] - image = client.images.pull(image_ref.base, tag=image_ref.tag) - self.assertIsNotNone(image.id) + aci_policy = load_policy_from_json(custom_json)[0] + with DockerClient() as client: + image_ref = aci_policy.get_images()[0] + image = client.images.pull(image_ref.base, tag=image_ref.tag) + self.assertIsNotNone(image.id) - self.assertEqual( - image.tags[0], - "mcr.microsoft.com/azurelinux/distroless/base:3.0", - ) + self.assertEqual( + image.tags[0], + "mcr.microsoft.com/azurelinux/distroless/base:3.0", + ) def test_infrastructure_svn(self): custom_json = """ @@ -626,11 +624,11 @@ def test_infrastructure_svn(self): ] } """ - with load_policy_from_json(custom_json) as aci_policy: - aci_policy.populate_policy_content_for_all_images() - output = aci_policy.get_serialized_output(OutputType.PRETTY_PRINT) + aci_policy = load_policy_from_json(custom_json)[0] + aci_policy.populate_policy_content_for_all_images() + output = aci_policy.get_serialized_output(OutputType.PRETTY_PRINT) - self.assertTrue('"0.2.3"' in output) + self.assertTrue('"0.2.3"' in output) def test_environment_variables_parsing(self): custom_json = """ @@ -657,7 +655,7 @@ def test_environment_variables_parsing(self): ] } """ - containers = load_policy_from_json(custom_json).get_images() + containers = load_policy_from_json(custom_json)[0].get_images() self.assertEqual(len(containers), 1) envs = containers[0]._environmentRules self.assertIsNotNone(envs) 
@@ -704,15 +702,15 @@ def test_stdio_access_default(self): ] } """ - with load_policy_from_json(custom_json) as aci_policy: - aci_policy.populate_policy_content_for_all_images() - self.assertTrue( - json.loads( - aci_policy.get_serialized_output( - output_type=OutputType.RAW, rego_boilerplate=False - ) - )[0][config.POLICY_FIELD_CONTAINERS_ELEMENTS_ALLOW_STDIO_ACCESS] - ) + aci_policy = load_policy_from_json(custom_json)[0] + aci_policy.populate_policy_content_for_all_images() + self.assertTrue( + json.loads( + aci_policy.get_serialized_output( + output_type=OutputType.RAW, rego_boilerplate=False + ) + )[0][config.POLICY_FIELD_CONTAINERS_ELEMENTS_ALLOW_STDIO_ACCESS] + ) def test_stdio_access_updated(self): custom_json = """ @@ -729,16 +727,16 @@ def test_stdio_access_updated(self): ] } """ - with load_policy_from_json(custom_json, disable_stdio=True) as aci_policy: - aci_policy.populate_policy_content_for_all_images() + aci_policy = load_policy_from_json(custom_json, disable_stdio=True)[0] + aci_policy.populate_policy_content_for_all_images() - self.assertFalse( - json.loads( - aci_policy.get_serialized_output( - output_type=OutputType.RAW, rego_boilerplate=False - ) - )[0][config.POLICY_FIELD_CONTAINERS_ELEMENTS_ALLOW_STDIO_ACCESS] - ) + self.assertFalse( + json.loads( + aci_policy.get_serialized_output( + output_type=OutputType.RAW, rego_boilerplate=False + ) + )[0][config.POLICY_FIELD_CONTAINERS_ELEMENTS_ALLOW_STDIO_ACCESS] + ) def test_omit_id(self): image_name = "mcr.microsoft.com/azurelinux/base/python:3.12" 
@@ -756,24 +754,24 @@ def test_omit_id(self): ] }} """ - with load_policy_from_json(custom_json) as aci_policy: - aci_policy.populate_policy_content_for_all_images() + aci_policy = load_policy_from_json(custom_json)[0] + aci_policy.populate_policy_content_for_all_images() - self.assertIsNone( - json.loads( - aci_policy.get_serialized_output( - output_type=OutputType.RAW, rego_boilerplate=False, omit_id=True - ) - )[0].get(config.POLICY_FIELD_CONTAINERS_ID) - ) + self.assertIsNone( + json.loads( + aci_policy.get_serialized_output( + output_type=OutputType.RAW, rego_boilerplate=False, omit_id=True + ) + )[0].get(config.POLICY_FIELD_CONTAINERS_ID) + ) - self.assertEqual( - json.loads( - aci_policy.get_serialized_output( - output_type=OutputType.RAW, rego_boilerplate=False, omit_id=False - ) - )[0].get(config.POLICY_FIELD_CONTAINERS_ID), image_name - ) + self.assertEqual( + json.loads( + aci_policy.get_serialized_output( + output_type=OutputType.RAW, rego_boilerplate=False, omit_id=False + ) + )[0].get(config.POLICY_FIELD_CONTAINERS_ID), image_name + ) class CustomJsonParsingIncorrect(unittest.TestCase): @@ -793,10 +791,10 @@ def test_get_layers_from_not_exists_image(self): ] } """ - with load_policy_from_json(custom_json) as aci_policy: - with self.assertRaises(SystemExit) as exc_info: - aci_policy.populate_policy_content_for_all_images() - self.assertEqual(exc_info.exception.code, 1) + aci_policy = load_policy_from_json(custom_json)[0] + with self.assertRaises(SystemExit) as exc_info: + aci_policy.populate_policy_content_for_all_images() + self.assertEqual(exc_info.exception.code, 1) def test_incorrect_allow_elevated_data_type(self): custom_json = """ 
@@ -816,7 +814,7 @@ def test_incorrect_allow_elevated_data_type(self): """ # allow_elevated can only be a boolean with self.assertRaises(SystemExit) as exc_info: - load_policy_from_json(custom_json) + load_policy_from_json(custom_json)[0] self.assertEqual(exc_info.exception.code, 1) def test_incorrect_workingdir_path(self): @@ -836,7 +834,7 @@ def test_incorrect_workingdir_path(self): """ # workingDir can only be absolute path string with self.assertRaises(SystemExit) as exc_info: - load_policy_from_json(custom_json) + load_policy_from_json(custom_json)[0] self.assertEqual(exc_info.exception.code, 1) def test_incorrect_workingdir_data_type(self): @@ -856,7 +854,7 @@ def test_incorrect_workingdir_data_type(self): """ # workingDir can only be single string with self.assertRaises(SystemExit) as exc_info: - load_policy_from_json(custom_json) + load_policy_from_json(custom_json)[0] self.assertEqual(exc_info.exception.code, 1) def test_incorrect_command_data_type(self): @@ -875,7 +873,7 @@ def test_incorrect_command_data_type(self): """ # command can only be list of strings with self.assertRaises(SystemExit) as exc_info: - load_policy_from_json(custom_json) + load_policy_from_json(custom_json)[0] self.assertEqual(exc_info.exception.code, 1) def test_json_missing_containers(self): @@ -885,7 +883,7 @@ def test_json_missing_containers(self): } """ with self.assertRaises(SystemExit) as exc_info: - load_policy_from_json(custom_json) + load_policy_from_json(custom_json)[0] self.assertEqual(exc_info.exception.code, 1) def test_json_missing_containerImage(self): @@ -908,7 +906,7 @@ def test_json_missing_containerImage(self): } """ with self.assertRaises(SystemExit) as exc_info: - load_policy_from_json(custom_json) + load_policy_from_json(custom_json)[0] self.assertEqual(exc_info.exception.code, 1) def test_json_missing_environmentVariables(self): 
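Review bot: The `[0]` appended inside `with self.assertRaises(SystemExit) as exc_info:` in test_incorrect_allow_elevated_data_type is dead on the expected path, because the loader is supposed to exit before it returns anything to index. If input validation were ever relaxed and an empty list came back, the indexing would turn the failure into an IndexError (a test error) rather than the clear "SystemExit not raised" failure, so the bare call `load_policy_from_json(custom_json)` expresses the intent better. This applies equally to the test_incorrect_workingdir_path, test_incorrect_workingdir_data_type, test_incorrect_command_data_type, test_json_missing_containers and test_json_missing_containerImage hunks, which the later "Minimise diff in older tests" patch in this series does not appear to touch.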
@@ -924,16 +922,16 @@ def test_json_missing_environmentVariables(self): ] } """ - with load_policy_from_json(custom_json) as aci_policy: - aci_policy.populate_policy_content_for_all_images() + aci_policy = load_policy_from_json(custom_json)[0] + aci_policy.populate_policy_content_for_all_images() - self.assertIsNotNone( - json.loads( - aci_policy.get_serialized_output( - output_type=OutputType.RAW, rego_boilerplate=False, omit_id=True - ) - )[0].get(config.POLICY_FIELD_CONTAINERS_ELEMENTS_ENVS) - ) + self.assertIsNotNone( + json.loads( + aci_policy.get_serialized_output( + output_type=OutputType.RAW, rego_boilerplate=False, omit_id=True + ) + )[0].get(config.POLICY_FIELD_CONTAINERS_ELEMENTS_ENVS) + ) def test_json_missing_command(self): @@ -955,15 +953,15 @@ def test_json_missing_command(self): ] } """ - with load_policy_from_json(custom_json) as aci_policy: - aci_policy.populate_policy_content_for_all_images() + aci_policy = load_policy_from_json(custom_json)[0] + aci_policy.populate_policy_content_for_all_images() - self.assertIsNotNone( - json.loads( - aci_policy.get_serialized_output( - output_type=OutputType.RAW, rego_boilerplate=False, omit_id=True - ) - )[0].get(config.POLICY_FIELD_CONTAINERS_ELEMENTS_COMMANDS) - ) + self.assertIsNotNone( + json.loads( + aci_policy.get_serialized_output( + output_type=OutputType.RAW, rego_boilerplate=False, omit_id=True + ) + )[0].get(config.POLICY_FIELD_CONTAINERS_ELEMENTS_COMMANDS) + ) diff --git a/src/confcom/azext_confcom/tests/latest/test_confcom_virtual_node.py b/src/confcom/azext_confcom/tests/latest/test_confcom_virtual_node.py index c6e8ad4a23a..b506ca118bf 100644 --- a/src/confcom/azext_confcom/tests/latest/test_confcom_virtual_node.py +++ b/src/confcom/azext_confcom/tests/latest/test_confcom_virtual_node.py 
@@ -365,7 +365,7 @@ def setUpClass(cls): raise Exception("Error creating certificate chain") def test_compare_policy_sources(self): - custom_policy = load_policy_from_json(self.custom_json) + custom_policy = load_policy_from_json(self.custom_json)[0] custom_policy.populate_policy_content_for_all_images() virtual_node_policy = load_policy_from_virtual_node_yaml_str(self.custom_yaml)[0] virtual_node_policy.populate_policy_content_for_all_images() From df10093937dd93a5f0bff8c76ae19658f286d0e6 Mon Sep 17 00:00:00 2001 From: Dominic Ayre Date: Fri, 26 Sep 2025 18:19:44 +0000 Subject: [PATCH 07/16] Minimise diff in older tests --- .../tests/latest/test_confcom_arm.py | 5 +- .../tests/latest/test_confcom_fragment.py | 52 ++-- .../tests/latest/test_confcom_image.py | 10 +- .../tests/latest/test_confcom_scenario.py | 245 +++++++++--------- 4 files changed, 164 insertions(+), 148 deletions(-) diff --git a/src/confcom/azext_confcom/tests/latest/test_confcom_arm.py b/src/confcom/azext_confcom/tests/latest/test_confcom_arm.py index 4dcd1050bc4..0fa719c4ab6 100644 --- a/src/confcom/azext_confcom/tests/latest/test_confcom_arm.py +++ b/src/confcom/azext_confcom/tests/latest/test_confcom_arm.py @@ -3565,8 +3565,9 @@ class PolicyGeneratingArmWildcardEnvs(unittest.TestCase): @classmethod def setUpClass(cls): - cls.aci_policy = load_policy_from_json(cls.custom_json)[0] - cls.aci_policy.populate_policy_content_for_all_images() + with load_policy_from_json(cls.custom_json)[0] as aci_policy: + aci_policy.populate_policy_content_for_all_images() + cls.aci_policy = aci_policy with patch('builtins.input', return_value='y'): cls.aci_arm_policy = load_policy_from_arm_template_str(cls.custom_arm_json, "")[ diff --git a/src/confcom/azext_confcom/tests/latest/test_confcom_fragment.py b/src/confcom/azext_confcom/tests/latest/test_confcom_fragment.py index 070c0cc9c0d..39e8233be24 100644 --- a/src/confcom/azext_confcom/tests/latest/test_confcom_fragment.py 
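Review bot: In the PolicyGeneratingArmWildcardEnvs.setUpClass hunk the policy is bound with `cls.aci_policy = aci_policy` inside the `with` block and then used by every test in the class after the block's `__exit__` has already run; whether that is safe depends on what the policy object's `__exit__` releases, which is not visible here. The same with-then-escape shape is restored by this patch in the setUpClass hunks of test_confcom_fragment.py, test_confcom_image.py and test_confcom_scenario.py. If `__exit__` only tears down loader-side state, a comment such as `# policy remains usable after __exit__; only loader-side state is released` on the first occurrence would document that assumption; if it releases anything the tests read, the previous patch's `cls.aci_policy = load_policy_from_json(cls.custom_json)[0]` followed by `cls.aci_policy.populate_policy_content_for_all_images()` is the safer shape.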
+++ b/src/confcom/azext_confcom/tests/latest/test_confcom_fragment.py @@ -115,8 +115,9 @@ class FragmentMountEnforcement(unittest.TestCase): @classmethod def setUpClass(cls): - cls.aci_policy = load_policy_from_json(cls.custom_json)[0] - cls.aci_policy.populate_policy_content_for_all_images() + with load_policy_from_json(cls.custom_json)[0] as aci_policy: + aci_policy.populate_policy_content_for_all_images() + cls.aci_policy = aci_policy def test_fragment_user_container_customized_mounts(self): image = next( @@ -344,8 +345,9 @@ class FragmentGenerating(unittest.TestCase): @classmethod def setUpClass(cls): - cls.aci_policy = load_policy_from_json(cls.custom_json)[0] - cls.aci_policy.populate_policy_content_for_all_images() + with load_policy_from_json(cls.custom_json)[0] as aci_policy: + aci_policy.populate_policy_content_for_all_images() + cls.aci_policy = aci_policy def test_fragment_omit_id(self): @@ -502,13 +504,13 @@ def test_tar_file_fragment(self): out_tar.add(os.path.join(folder, "index.json"), "index.json") out_tar.add(os.path.join(folder, "blobs"), "blobs", recursive=True) - aci_policy = load_policy_from_json(self.custom_json)[0] - aci_policy.populate_policy_content_for_all_images( - tar_mapping=tar_mapping_file - ) + with load_policy_from_json(self.custom_json)[0] as aci_policy: + aci_policy.populate_policy_content_for_all_images( + tar_mapping=tar_mapping_file + ) - clean_room_fragment_text = aci_policy.generate_fragment("payload", "1", OutputType.RAW) - self.assertIsNotNone(clean_room_fragment_text) + clean_room_fragment_text = aci_policy.generate_fragment("payload", "1", OutputType.RAW) + self.assertIsNotNone(clean_room_fragment_text) except Exception as e: raise AccContainerError("Could not get image from tar file") from e 
@@ -535,8 +537,9 @@ class FragmentPolicyGeneratingDebugMode(unittest.TestCase): @classmethod def setUpClass(cls): - cls.aci_policy = load_policy_from_json(cls.custom_json, debug_mode=True)[0] - cls.aci_policy.populate_policy_content_for_all_images() + with load_policy_from_json(cls.custom_json, debug_mode=True)[0] as aci_policy: + aci_policy.populate_policy_content_for_all_images() + cls.aci_policy = aci_policy def test_debug_processes(self): policy = self.aci_policy.get_serialized_output( @@ -610,10 +613,12 @@ class FragmentSidecarValidation(unittest.TestCase): @classmethod def setUpClass(cls): - cls.aci_policy = load_policy_from_json(cls.custom_json)[0] - cls.aci_policy.populate_policy_content_for_all_images() - cls.aci_policy2 = load_policy_from_json(cls.custom_json2)[0] - cls.aci_policy2.populate_policy_content_for_all_images() + with load_policy_from_json(cls.custom_json)[0] as aci_policy: + aci_policy.populate_policy_content_for_all_images() + cls.aci_policy = aci_policy + with load_policy_from_json(cls.custom_json2)[0] as aci_policy2: + aci_policy2.populate_policy_content_for_all_images() + cls.aci_policy2 = aci_policy2 def test_fragment_sidecar(self): is_valid, diff = self.aci_policy.validate_sidecars() @@ -780,10 +785,12 @@ def setUpClass(cls): if item.returncode != 0: raise Exception("Error creating certificate chain") - cls.aci_policy = load_policy_from_json(cls.custom_json)[0] - cls.aci_policy.populate_policy_content_for_all_images() - cls.aci_policy2 = load_policy_from_json(cls.custom_json2)[0] - cls.aci_policy2.populate_policy_content_for_all_images() + with load_policy_from_json(cls.custom_json)[0] as aci_policy: + aci_policy.populate_policy_content_for_all_images() + cls.aci_policy = aci_policy + with load_policy_from_json(cls.custom_json2)[0] as aci_policy2: + aci_policy2.populate_policy_content_for_all_images() + cls.aci_policy2 = aci_policy2 def test_signing(self): filename = "payload.rego" 
@@ -928,8 +935,9 @@ class FragmentVirtualNode(unittest.TestCase): @classmethod def setUpClass(cls): - cls.aci_policy = load_policy_from_json(cls.custom_json)[0] - cls.aci_policy.populate_policy_content_for_all_images() + with load_policy_from_json(cls.custom_json)[0] as aci_policy: + aci_policy.populate_policy_content_for_all_images() + cls.aci_policy = aci_policy def test_fragment_vn2_env_vars(self): image = self.aci_policy.get_images()[0] diff --git a/src/confcom/azext_confcom/tests/latest/test_confcom_image.py b/src/confcom/azext_confcom/tests/latest/test_confcom_image.py index efa48fc468f..68afd3edbcf 100644 --- a/src/confcom/azext_confcom/tests/latest/test_confcom_image.py +++ b/src/confcom/azext_confcom/tests/latest/test_confcom_image.py @@ -42,8 +42,9 @@ def setUpClass(cls): with load_policy_from_image_name("mcr.microsoft.com/azurelinux/base/python:3.12") as aci_policy: aci_policy.populate_policy_content_for_all_images(individual_image=True) cls.aci_policy = aci_policy - cls.custom_policy = load_policy_from_json(cls.custom_json)[0] - cls.custom_policy.populate_policy_content_for_all_images() + with load_policy_from_json(cls.custom_json)[0] as custom_policy: + custom_policy.populate_policy_content_for_all_images() + cls.custom_policy = custom_policy def test_image_policy(self): # deep diff the output policies from the regular policy.json and the single image 
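Review bot: In the test_confcom_image.py setUpClass hunk, `load_policy_from_image_name(...)` is entered directly as a context manager while `load_policy_from_json(cls.custom_json)[0]` is indexed first, so the two loaders now appear to return different shapes (a single policy versus a list of policies). If that difference is intentional, a one-line comment on the json call, e.g. `# load_policy_from_json returns a list of policies; this input yields exactly one`, would save the next reader the surprise; if it is not, the image loader may want the same list-returning contract so callers treat both uniformly. The same pairing occurs in the second setUpClass hunk of this file.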
@@ -77,8 +78,9 @@ def setUpClass(cls): ) as aci_policy: aci_policy.populate_policy_content_for_all_images(individual_image=True) cls.aci_policy = aci_policy - cls.custom_policy = load_policy_from_json(cls.custom_json)[0] - cls.custom_policy.populate_policy_content_for_all_images(individual_image=True) + with load_policy_from_json(cls.custom_json)[0] as custom_policy: + custom_policy.populate_policy_content_for_all_images(individual_image=True) + cls.custom_policy = custom_policy def test_sidecar_image_policy(self): self.assertEqual(self.aci_policy.get_serialized_output(), self.custom_policy.get_serialized_output()) diff --git a/src/confcom/azext_confcom/tests/latest/test_confcom_scenario.py b/src/confcom/azext_confcom/tests/latest/test_confcom_scenario.py index 91e32e0a9ee..0401748a603 100644 --- a/src/confcom/azext_confcom/tests/latest/test_confcom_scenario.py +++ b/src/confcom/azext_confcom/tests/latest/test_confcom_scenario.py @@ -62,8 +62,9 @@ class MountEnforcement(unittest.TestCase): @classmethod def setUpClass(cls): - cls.aci_policy = load_policy_from_json(cls.custom_json)[0] - cls.aci_policy.populate_policy_content_for_all_images() + with load_policy_from_json(cls.custom_json)[0] as aci_policy: + aci_policy.populate_policy_content_for_all_images() + cls.aci_policy = aci_policy def test_user_container_customized_mounts(self): image = next( @@ -260,8 +261,9 @@ class PolicyGenerating(unittest.TestCase): @classmethod def setUpClass(cls): - cls.aci_policy = load_policy_from_json(cls.custom_json)[0] - cls.aci_policy.populate_policy_content_for_all_images() + with load_policy_from_json(cls.custom_json)[0] as aci_policy: + aci_policy.populate_policy_content_for_all_images() + cls.aci_policy = aci_policy def test_injected_sidecar_container_msi(self): image = self.aci_policy.get_images()[0] 
@@ -377,8 +379,9 @@ class PolicyGeneratingDebugMode(unittest.TestCase): @classmethod def setUpClass(cls): - cls.aci_policy = load_policy_from_json(cls.custom_json, debug_mode=True)[0] - cls.aci_policy.populate_policy_content_for_all_images() + with load_policy_from_json(cls.custom_json, debug_mode=True)[0] as aci_policy: + aci_policy.populate_policy_content_for_all_images() + cls.aci_policy = aci_policy def test_debug_flags(self): @@ -458,10 +461,12 @@ class SidecarValidation(unittest.TestCase): @classmethod def setUpClass(cls): - cls.aci_policy = load_policy_from_json(cls.custom_json)[0] - cls.aci_policy.populate_policy_content_for_all_images() - cls.aci_policy2 = load_policy_from_json(cls.custom_json2)[0] - cls.aci_policy2.populate_policy_content_for_all_images() + with load_policy_from_json(cls.custom_json)[0] as aci_policy: + aci_policy.populate_policy_content_for_all_images() + cls.aci_policy = aci_policy + with load_policy_from_json(cls.custom_json2)[0] as aci_policy2: + aci_policy2.populate_policy_content_for_all_images() + cls.aci_policy2 = aci_policy2 def test_sidecar(self): is_valid, diff = self.aci_policy.validate_sidecars() @@ -511,19 +516,19 @@ def test_customized_workingdir(self): ] } """ - aci_policy = load_policy_from_json(custom_json)[0] - # pull actual image to local for next step - image = next( - ( - img - for img in aci_policy.get_images() - if isinstance(img, UserContainerImage) - ), - None, - ) - - expected_working_dir = "/customized/absolute/path" - self.assertEqual(image._workingDir, expected_working_dir) + with load_policy_from_json(custom_json)[0] as aci_policy: + # pull actual image to local for next step + image = next( + ( + img + for img in aci_policy.get_images() + if isinstance(img, UserContainerImage) + ), + None, + ) + + expected_working_dir = "/customized/absolute/path" + self.assertEqual(image._workingDir, expected_working_dir) def test_allow_elevated(self): custom_json = """ 
@@ -541,19 +546,19 @@ def test_allow_elevated(self): ] } """ - aci_policy = load_policy_from_json(custom_json)[0] - # pull actual image to local for next step - image = next( - ( - img - for img in aci_policy.get_images() - if isinstance(img, UserContainerImage) - ), - None, - ) - - expected_allow_elevated = True - self.assertEqual(image._allow_elevated, expected_allow_elevated) + with load_policy_from_json(custom_json)[0] as aci_policy: + # pull actual image to local for next step + image = next( + ( + img + for img in aci_policy.get_images() + if isinstance(img, UserContainerImage) + ), + None, + ) + + expected_allow_elevated = True + self.assertEqual(image._allow_elevated, expected_allow_elevated) def test_image_layers_python(self): custom_json = """ 
@@ -569,21 +574,21 @@ def test_image_layers_python(self): ] } """ - aci_policy = load_policy_from_json(custom_json)[0] - # pull actual image to local for next step - with DockerClient() as client: - image_ref = aci_policy.get_images()[0] - image = client.images.pull(image_ref.containerImage) - aci_policy.populate_policy_content_for_all_images() - layers = aci_policy.get_images()[0]._layers - expected_layers = [ - "679545575069dd4dc31f4d991094d669ca346950c3bc3aa465a9343a7369a8c9", - "ff808293653ce6dc4aa63381a8ceaec73c15618bbc6ccb30a44441d638c07af7", - "1dd5fd89c3a5a58b669d14d9a693aff3f16d3a8ec643c9d7f2d24f25297cfbc7" - ] - self.assertEqual(len(layers), len(expected_layers)) - for i in range(len(expected_layers)): - self.assertEqual(layers[i], expected_layers[i]) + with load_policy_from_json(custom_json)[0] as aci_policy: + # pull actual image to local for next step + with DockerClient() as client: + image_ref = aci_policy.get_images()[0] + image = client.images.pull(image_ref.containerImage) + aci_policy.populate_policy_content_for_all_images() + layers = aci_policy.get_images()[0]._layers + expected_layers = [ + "679545575069dd4dc31f4d991094d669ca346950c3bc3aa465a9343a7369a8c9", + "ff808293653ce6dc4aa63381a8ceaec73c15618bbc6ccb30a44441d638c07af7", + "1dd5fd89c3a5a58b669d14d9a693aff3f16d3a8ec643c9d7f2d24f25297cfbc7" + ] + self.assertEqual(len(layers), len(expected_layers)) + for i in range(len(expected_layers)): + self.assertEqual(layers[i], expected_layers[i]) def test_docker_pull(self): custom_json = """ 
@@ -599,16 +604,16 @@ def test_docker_pull(self): ] } """ - aci_policy = load_policy_from_json(custom_json)[0] - with DockerClient() as client: - image_ref = aci_policy.get_images()[0] - image = client.images.pull(image_ref.base, tag=image_ref.tag) - self.assertIsNotNone(image.id) + with load_policy_from_json(custom_json)[0] as aci_policy: + with DockerClient() as client: + image_ref = aci_policy.get_images()[0] + image = client.images.pull(image_ref.base, tag=image_ref.tag) + self.assertIsNotNone(image.id) - self.assertEqual( - image.tags[0], - "mcr.microsoft.com/azurelinux/distroless/base:3.0", - ) + self.assertEqual( + image.tags[0], + "mcr.microsoft.com/azurelinux/distroless/base:3.0", + ) def test_infrastructure_svn(self): custom_json = """ @@ -624,11 +629,11 @@ def test_infrastructure_svn(self): ] } """ - aci_policy = load_policy_from_json(custom_json)[0] - aci_policy.populate_policy_content_for_all_images() - output = aci_policy.get_serialized_output(OutputType.PRETTY_PRINT) + with load_policy_from_json(custom_json)[0] as aci_policy: + aci_policy.populate_policy_content_for_all_images() + output = aci_policy.get_serialized_output(OutputType.PRETTY_PRINT) - self.assertTrue('"0.2.3"' in output) + self.assertTrue('"0.2.3"' in output) def test_environment_variables_parsing(self): custom_json = """ 
@@ -702,15 +707,15 @@ def test_stdio_access_default(self): ] } """ - aci_policy = load_policy_from_json(custom_json)[0] - aci_policy.populate_policy_content_for_all_images() - self.assertTrue( - json.loads( - aci_policy.get_serialized_output( - output_type=OutputType.RAW, rego_boilerplate=False - ) - )[0][config.POLICY_FIELD_CONTAINERS_ELEMENTS_ALLOW_STDIO_ACCESS] - ) + with load_policy_from_json(custom_json)[0] as aci_policy: + aci_policy.populate_policy_content_for_all_images() + self.assertTrue( + json.loads( + aci_policy.get_serialized_output( + output_type=OutputType.RAW, rego_boilerplate=False + ) + )[0][config.POLICY_FIELD_CONTAINERS_ELEMENTS_ALLOW_STDIO_ACCESS] + ) def test_stdio_access_updated(self): custom_json = """ @@ -727,16 +732,16 @@ def test_stdio_access_updated(self): ] } """ - aci_policy = load_policy_from_json(custom_json, disable_stdio=True)[0] - aci_policy.populate_policy_content_for_all_images() + with load_policy_from_json(custom_json, disable_stdio=True)[0] as aci_policy: + aci_policy.populate_policy_content_for_all_images() - self.assertFalse( - json.loads( - aci_policy.get_serialized_output( - output_type=OutputType.RAW, rego_boilerplate=False - ) - )[0][config.POLICY_FIELD_CONTAINERS_ELEMENTS_ALLOW_STDIO_ACCESS] - ) + self.assertFalse( + json.loads( + aci_policy.get_serialized_output( + output_type=OutputType.RAW, rego_boilerplate=False + ) + )[0][config.POLICY_FIELD_CONTAINERS_ELEMENTS_ALLOW_STDIO_ACCESS] + ) def test_omit_id(self): image_name = "mcr.microsoft.com/azurelinux/base/python:3.12" 
@@ -754,24 +759,24 @@ def test_omit_id(self): ] }} """ - aci_policy = load_policy_from_json(custom_json)[0] - aci_policy.populate_policy_content_for_all_images() + with load_policy_from_json(custom_json)[0] as aci_policy: + aci_policy.populate_policy_content_for_all_images() - self.assertIsNone( - json.loads( - aci_policy.get_serialized_output( - output_type=OutputType.RAW, rego_boilerplate=False, omit_id=True - ) - )[0].get(config.POLICY_FIELD_CONTAINERS_ID) - ) + self.assertIsNone( + json.loads( + aci_policy.get_serialized_output( + output_type=OutputType.RAW, rego_boilerplate=False, omit_id=True + ) + )[0].get(config.POLICY_FIELD_CONTAINERS_ID) + ) - self.assertEqual( - json.loads( - aci_policy.get_serialized_output( - output_type=OutputType.RAW, rego_boilerplate=False, omit_id=False - ) - )[0].get(config.POLICY_FIELD_CONTAINERS_ID), image_name - ) + self.assertEqual( + json.loads( + aci_policy.get_serialized_output( + output_type=OutputType.RAW, rego_boilerplate=False, omit_id=False + ) + )[0].get(config.POLICY_FIELD_CONTAINERS_ID), image_name + ) class CustomJsonParsingIncorrect(unittest.TestCase): @@ -791,10 +796,10 @@ def test_get_layers_from_not_exists_image(self): ] } """ - aci_policy = load_policy_from_json(custom_json)[0] - with self.assertRaises(SystemExit) as exc_info: - aci_policy.populate_policy_content_for_all_images() - self.assertEqual(exc_info.exception.code, 1) + with load_policy_from_json(custom_json)[0] as aci_policy: + with self.assertRaises(SystemExit) as exc_info: + aci_policy.populate_policy_content_for_all_images() + self.assertEqual(exc_info.exception.code, 1) def test_incorrect_allow_elevated_data_type(self): custom_json = """ 
@@ -922,16 +927,16 @@ def test_json_missing_environmentVariables(self): ] } """ - aci_policy = load_policy_from_json(custom_json)[0] - aci_policy.populate_policy_content_for_all_images() + with load_policy_from_json(custom_json)[0] as aci_policy: + aci_policy.populate_policy_content_for_all_images() - self.assertIsNotNone( - json.loads( - aci_policy.get_serialized_output( - output_type=OutputType.RAW, rego_boilerplate=False, omit_id=True - ) - )[0].get(config.POLICY_FIELD_CONTAINERS_ELEMENTS_ENVS) - ) + self.assertIsNotNone( + json.loads( + aci_policy.get_serialized_output( + output_type=OutputType.RAW, rego_boilerplate=False, omit_id=True + ) + )[0].get(config.POLICY_FIELD_CONTAINERS_ELEMENTS_ENVS) + ) def test_json_missing_command(self): @@ -953,15 +958,15 @@ def test_json_missing_command(self): ] } """ - aci_policy = load_policy_from_json(custom_json)[0] - aci_policy.populate_policy_content_for_all_images() + with load_policy_from_json(custom_json)[0] as aci_policy: + aci_policy.populate_policy_content_for_all_images() - self.assertIsNotNone( - json.loads( - aci_policy.get_serialized_output( - output_type=OutputType.RAW, rego_boilerplate=False, omit_id=True - ) - )[0].get(config.POLICY_FIELD_CONTAINERS_ELEMENTS_COMMANDS) - ) + self.assertIsNotNone( + json.loads( + aci_policy.get_serialized_output( + output_type=OutputType.RAW, rego_boilerplate=False, omit_id=True + ) + )[0].get(config.POLICY_FIELD_CONTAINERS_ELEMENTS_COMMANDS) + ) From 1ca692524329be6f285cc9a37de717808f0097b8 Mon Sep 17 00:00:00 2001 
From: Dominic Ayre Date: Sat, 4 Oct 2025 18:05:48 +0000 Subject: [PATCH 08/16] Always have a full spec, but allow printing a minimal --- src/confcom/azext_confcom/_params.py | 7 ++ .../azext_confcom/command/parse_aci_arm.py | 46 +++++++++--- src/confcom/azext_confcom/custom.py | 2 + .../azext_confcom/lib/aci_infrastructure.py | 34 +++++++++ .../azext_confcom/lib/aci_policy_spec.py | 4 +- .../lib/arm_to_aci_policy_spec.py | 16 +++- src/confcom/azext_confcom/security_policy.py | 2 +- .../tests/latest/test_confcom_acipolicygen.py | 8 +- .../latest/test_confcom_parse_aci_arm.py | 2 + .../samples/aci/command/policy_spec.json | 30 +++----- .../aci/command/policy_spec_debug.json | 36 ++++----- .../command/policy_spec_disable_stdio.json | 28 +++---- .../policy_spec_exclude_default_fragment.json | 20 +---- .../policy_spec_infrastructure_svn.json | 31 +++----- .../aci/command/policy_spec_minimal.json | 17 +++++ .../conflicting_variables/policy_spec.json | 31 +++----- .../policy_spec_debug.json | 37 ++++------ .../policy_spec_disable_stdio.json | 29 +++----- .../policy_spec_exclude_default_fragment.json | 21 +----- .../policy_spec_infrastructure_svn.json | 32 +++----- .../policy_spec_minimal.json | 12 +++ .../container_group_profiles/policy_spec.json | 31 +++----- .../policy_spec_debug.json | 37 ++++------ .../policy_spec_disable_stdio.json | 29 +++----- .../policy_spec_exclude_default_fragment.json | 21 +----- .../policy_spec_infrastructure_svn.json | 32 +++----- .../policy_spec_minimal.json | 12 +++ .../aci/default_variables/policy_spec.json | 31 +++----- .../default_variables/policy_spec_debug.json | 37 ++++------ .../policy_spec_disable_stdio.json | 29 +++----- .../policy_spec_exclude_default_fragment.json | 21 +----- .../policy_spec_infrastructure_svn.json | 32 +++----- .../policy_spec_minimal.json | 12 +++ .../policy_spec.json | 31 +++----- .../policy_spec_debug.json | 37 ++++------ .../policy_spec_disable_stdio.json | 29 +++----- 
.../policy_spec_exclude_default_fragment.json | 21 +----- .../policy_spec_infrastructure_svn.json | 32 +++----- .../policy_spec_minimal.json | 12 +++ .../environment_variables/policy_spec.json | 32 +++----- .../policy_spec_debug.json | 38 ++++------ .../policy_spec_disable_stdio.json | 30 +++----- .../policy_spec_exclude_default_fragment.json | 22 +----- .../policy_spec_infrastructure_svn.json | 33 +++------ .../policy_spec_minimal.json | 19 +++++ .../samples/aci/minimal/policy_spec.json | 31 +++----- .../aci/minimal/policy_spec_debug.json | 37 ++++------ .../minimal/policy_spec_disable_stdio.json | 29 +++----- .../policy_spec_exclude_default_fragment.json | 21 +----- .../policy_spec_infrastructure_svn.json | 32 +++----- .../aci/minimal/policy_spec_minimal.json | 12 +++ .../multi_container_groups/policy_spec.json | 62 ++++++---------- .../policy_spec_debug.json | 74 +++++++------------ .../policy_spec_disable_stdio.json | 58 ++++++--------- .../policy_spec_exclude_default_fragment.json | 42 +---------- .../policy_spec_infrastructure_svn.json | 64 ++++++---------- .../policy_spec_minimal.json | 22 ++++++ .../aci/multi_containers/policy_spec.json | 47 ++++-------- .../multi_containers/policy_spec_debug.json | 60 +++++---------- .../policy_spec_disable_stdio.json | 44 ++++------- .../policy_spec_exclude_default_fragment.json | 37 +--------- .../policy_spec_infrastructure_svn.json | 48 ++++-------- .../multi_containers/policy_spec_minimal.json | 18 +++++ .../policy_spec.json | 34 ++++----- .../policy_spec_debug.json | 40 ++++------ .../policy_spec_disable_stdio.json | 32 ++++---- .../policy_spec_exclude_default_fragment.json | 24 +----- .../policy_spec_infrastructure_svn.json | 35 ++++----- .../policy_spec_minimal.json | 20 +++++ .../policy_spec.json | 31 +++----- .../policy_spec_debug.json | 37 ++++------ .../policy_spec_disable_stdio.json | 29 +++----- .../policy_spec_exclude_default_fragment.json | 21 +----- .../policy_spec_infrastructure_svn.json | 32 +++----- 
.../policy_spec_minimal.json | 24 ++++++ .../policy_spec.json | 32 +++----- .../policy_spec_debug.json | 38 ++++------ .../policy_spec_disable_stdio.json | 30 +++----- .../policy_spec_exclude_default_fragment.json | 22 +----- .../policy_spec_infrastructure_svn.json | 33 +++------ .../policy_spec_minimal.json | 20 +++++ .../policy_spec.json | 31 +++----- .../policy_spec_debug.json | 37 ++++------ .../policy_spec_disable_stdio.json | 29 +++----- .../policy_spec_exclude_default_fragment.json | 21 +----- .../policy_spec_infrastructure_svn.json | 32 +++----- .../policy_spec_minimal.json | 15 ++++ .../policy_spec.json | 31 +++----- .../policy_spec_debug.json | 37 ++++------ .../policy_spec_disable_stdio.json | 29 +++----- .../policy_spec_exclude_default_fragment.json | 21 +----- .../policy_spec_infrastructure_svn.json | 32 +++----- .../policy_spec_minimal.json | 15 ++++ .../samples/aci/variables/policy_spec.json | 31 +++----- .../aci/variables/policy_spec_debug.json | 37 ++++------ .../variables/policy_spec_disable_stdio.json | 29 +++----- .../policy_spec_exclude_default_fragment.json | 21 +----- .../policy_spec_infrastructure_svn.json | 32 +++----- .../aci/variables/policy_spec_minimal.json | 12 +++ .../aci/volume_mount_secret/policy_spec.json | 31 +++----- .../policy_spec_debug.json | 37 ++++------ .../policy_spec_disable_stdio.json | 29 +++----- .../policy_spec_exclude_default_fragment.json | 21 +----- .../policy_spec_infrastructure_svn.json | 32 +++----- .../policy_spec_minimal.json | 19 +++++ .../aci/volume_mounts/policy_spec.json | 34 ++++----- .../aci/volume_mounts/policy_spec_debug.json | 40 ++++------ .../policy_spec_disable_stdio.json | 32 ++++---- .../policy_spec_exclude_default_fragment.json | 24 +----- .../policy_spec_infrastructure_svn.json | 35 ++++----- .../volume_mounts/policy_spec_minimal.json | 18 +++++ 111 files changed, 1338 insertions(+), 1883 deletions(-) create mode 100644 src/confcom/azext_confcom/lib/aci_infrastructure.py create mode 100644 
src/confcom/samples/aci/command/policy_spec_minimal.json create mode 100644 src/confcom/samples/aci/conflicting_variables/policy_spec_minimal.json create mode 100644 src/confcom/samples/aci/container_group_profiles/policy_spec_minimal.json create mode 100644 src/confcom/samples/aci/default_variables/policy_spec_minimal.json create mode 100644 src/confcom/samples/aci/default_variables_override/policy_spec_minimal.json create mode 100644 src/confcom/samples/aci/environment_variables/policy_spec_minimal.json create mode 100644 src/confcom/samples/aci/minimal/policy_spec_minimal.json create mode 100644 src/confcom/samples/aci/multi_container_groups/policy_spec_minimal.json create mode 100644 src/confcom/samples/aci/multi_containers/policy_spec_minimal.json create mode 100644 src/confcom/samples/aci/security_context_capabilities_add/policy_spec_minimal.json create mode 100644 src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_minimal.json create mode 100644 src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_minimal.json create mode 100644 src/confcom/samples/aci/security_context_run_as_group/policy_spec_minimal.json create mode 100644 src/confcom/samples/aci/security_context_run_as_user/policy_spec_minimal.json create mode 100644 src/confcom/samples/aci/variables/policy_spec_minimal.json create mode 100644 src/confcom/samples/aci/volume_mount_secret/policy_spec_minimal.json create mode 100644 src/confcom/samples/aci/volume_mounts/policy_spec_minimal.json diff --git a/src/confcom/azext_confcom/_params.py b/src/confcom/azext_confcom/_params.py index 1d66c8e9451..3a35df45ec2 100644 --- a/src/confcom/azext_confcom/_params.py +++ b/src/confcom/azext_confcom/_params.py 
@@ -93,6 +93,13 @@ def load_arguments(self, _): required=False, help="Approving wildcards by default will get rid of the prompts during the wildcard environment variable use case and auto-approve the use of wildcards", ) + c.argument( + "policy_format", + options_list=("--format",), + default="explicit", + required=False, + help="The format for the policy output, explicit includes all objects which can be implicitly added, minimal includes only the essential fields", + ) with self.argument_context("confcom acipolicygen") as c: c.argument( diff --git a/src/confcom/azext_confcom/command/parse_aci_arm.py b/src/confcom/azext_confcom/command/parse_aci_arm.py index 18e5503cdfe..0fd5d5317b5 100644 --- a/src/confcom/azext_confcom/command/parse_aci_arm.py +++ b/src/confcom/azext_confcom/command/parse_aci_arm.py 
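Review bot: The new `policy_format` argument accepts any string — nothing restricts it to the two values the help text names, and the consumer in parse_aci_arm only tests for `"minimal"`, so a mistyped `--format minmal` silently produces the explicit output. Constrain it at the parser, e.g. `choices=["explicit", "minimal"]` (or the CLI's enum argument helper), so a wrong value is rejected before a policy is emitted. The test in test_confcom_parse_aci_arm.py further down defaults the flag to `"full"`, a value that is neither documented nor the declared default; it only works because of the fall-through and should read `policy_format=flags.get("policy_format", "explicit")`.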
@@ -1,13 +1,35 @@ -from dataclasses import asdict +from dataclasses import asdict, fields, is_dataclass +import inspect +import sys from typing import Optional -from azext_confcom import os_util, config -from azext_confcom.lib.arm_to_aci_policy_spec import AciFragmentSpec, arm_to_aci_policy_spec +from azext_confcom import os_util +from azext_confcom.lib.aci_policy_spec import omit_defaults_dict_factory, omit_implicit_features +from azext_confcom.lib.arm_to_aci_policy_spec import arm_to_aci_policy_spec -def _omit_none_dict_factory(items): - """Dict factory for dataclasses.asdict that drops None values.""" - return {key: value for key, value in items if (value is not None)} +def omit_defaults_dict_factory(fields_dict) -> dict: + + result = {} + + policy_spec_classes = [ + cls + for _, cls in inspect.getmembers(sys.modules[__name__], inspect.isclass) + if is_dataclass(cls) and cls.__module__ == sys.modules[__name__].__name__ + ] + + for potential_class in policy_spec_classes: + try: + instance = potential_class(**dict(fields_dict)) + for field in fields(instance): + value = getattr(instance, field.name) + if value not in (None, field.default, []): + result[field.name] = value + break + except TypeError: + continue + + return result def parse_aci_arm( @@ -18,6 +40,7 @@ def parse_aci_arm( infrastructure_svn: Optional[str], disable_stdio: bool, approve_wildcards: bool, + policy_format: str, ) -> list[dict[str, str]]: with open(arm_template_path, 'r') as f: @@ -38,7 +61,10 @@ def parse_aci_arm( approve_wildcards=approve_wildcards, )) - return [ - asdict(spec, dict_factory=_omit_none_dict_factory) - for spec in aci_policy_specs - ] \ No newline at end of file + specs = [] + for spec in aci_policy_specs: + if policy_format == "minimal": + spec = omit_implicit_features(spec) + specs.append(asdict(spec, dict_factory=omit_defaults_dict_factory)) + + return specs \ No newline at end of file 
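Review bot: `omit_defaults_dict_factory` is imported from `azext_confcom.lib.aci_policy_spec` and then redefined in this module, so the local definition shadows the import; the local copy searches `sys.modules[__name__]` — parse_aci_arm.py itself — for dataclasses, finds none, and so would serialise every spec to `{}`. Unless this is an intermediate state, drop the local definition together with the now-unneeded `inspect` and `sys` imports and keep the imported one, which lives next to the dataclasses it probes. `omit_implicit_features` is imported from `lib.aci_policy_spec`, while the new `lib/aci_infrastructure.py` in this patch is where it is defined — presumably one of the two is stale and the import should name the owning module. The trial-and-error matching in the factory (`potential_class(**dict(fields_dict))` until no TypeError) also selects the first dataclass whose field names fit, so two spec classes with the same field set would be confused; a comment such as `# assumes no two spec dataclasses share an identical field set` records that assumption.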
diff --git a/src/confcom/azext_confcom/custom.py b/src/confcom/azext_confcom/custom.py index 4054eb05487..f9814367a1b 100644 --- a/src/confcom/azext_confcom/custom.py +++ b/src/confcom/azext_confcom/custom.py @@ -501,6 +501,7 @@ def parse_aci_arm( infrastructure_svn: Optional[str], disable_stdio: bool, approve_wildcards: bool, + policy_format: str, ) -> str: return _parse_aci_arm( arm_template_path, @@ -510,4 +511,5 @@ def parse_aci_arm( infrastructure_svn, disable_stdio, approve_wildcards, + policy_format, ) diff --git a/src/confcom/azext_confcom/lib/aci_infrastructure.py b/src/confcom/azext_confcom/lib/aci_infrastructure.py new file mode 100644 index 00000000000..2b34819c74a --- /dev/null +++ b/src/confcom/azext_confcom/lib/aci_infrastructure.py 
@@ -0,0 +1,34 @@ + + + +from dataclasses import is_dataclass, replace +from azext_confcom import config +from azext_confcom.lib.aci_policy_spec import AciContainerPropertyEnvVariable, AciContainerPropertyVolumeMounts, AciFragmentSpec + + +INFRASTRUCTURE_FRAGMENTS = [AciFragmentSpec(**frag) for frag in config.DEFAULT_REGO_FRAGMENTS] +OPENGCS_ENV_RULES = [AciContainerPropertyEnvVariable(**env_var) for env_var in config.OPENGCS_ENV_RULES] +FABRIC_ENV_RULES = [AciContainerPropertyEnvVariable(**env_var) for env_var in config.FABRIC_ENV_RULES] +MANAGED_IDENTITY_ENV_RULES = [AciContainerPropertyEnvVariable(**env_var) for env_var in config.MANAGED_IDENTITY_ENV_RULES] +ENABLE_RESTART_ENV_RULE = [AciContainerPropertyEnvVariable(**env_var) for env_var in config.ENABLE_RESTART_ENV_RULE] +DEFAULT_MOUNTS_USER = [AciContainerPropertyVolumeMounts(**mount) for mount in config.DEFAULT_MOUNTS_USER] + + +implicit_features = [ + *INFRASTRUCTURE_FRAGMENTS, + *OPENGCS_ENV_RULES, + *FABRIC_ENV_RULES, + *MANAGED_IDENTITY_ENV_RULES, + *ENABLE_RESTART_ENV_RULE, + *DEFAULT_MOUNTS_USER, +] + + +def omit_implicit_features(obj): + if obj is None: + return None + if is_dataclass(obj): + return replace(obj, **{f.name: omit_implicit_features(getattr(obj, f.name)) for f in fields(obj)}) + if isinstance(obj, list): + return [omit_implicit_features(x) for x in obj if x not in implicit_features] + return obj \ No newline at end of file diff --git a/src/confcom/azext_confcom/lib/aci_policy_spec.py b/src/confcom/azext_confcom/lib/aci_policy_spec.py index 41ca55c0051..64a976af9f3 100644 --- a/src/confcom/azext_confcom/lib/aci_policy_spec.py +++ b/src/confcom/azext_confcom/lib/aci_policy_spec.py @@ -7,6 +7,8 @@ from typing import Optional from typing_extensions import Literal +from azext_confcom import config + AciProfile = Literal["strict", "debug"] 
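Review bot: `omit_implicit_features` calls `fields(obj)` in its dataclass branch, but the module imports only `is_dataclass` and `replace`, so the first dataclass passed in raises NameError; change the import to `from dataclasses import fields, is_dataclass, replace`. The `x not in implicit_features` filter relies on dataclass equality, so a user-supplied entry that is field-for-field identical to an infrastructure default (for instance a fragment with the same issuer, feed and minimum_svn) is also dropped from the minimal output; that is presumably intended since the two forms are equivalent, but a comment like `# entries equal to an infrastructure default are treated as implicit, whether or not the user wrote them` would make it explicit. The leading blank lines and the missing trailing newline are cosmetic.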
@@ -53,7 +55,7 @@ class AciContainerPropertySecurityContext: @dataclass -class AciContainerProperties(): +class AciContainerProperties: image: str allowStdioAccess: bool = True environmentVariables: Optional[list[AciContainerPropertyEnvVariable]] = None diff --git a/src/confcom/azext_confcom/lib/arm_to_aci_policy_spec.py b/src/confcom/azext_confcom/lib/arm_to_aci_policy_spec.py index 8ebf8833bf4..7e60fced5e7 100644 --- a/src/confcom/azext_confcom/lib/arm_to_aci_policy_spec.py +++ b/src/confcom/azext_confcom/lib/arm_to_aci_policy_spec.py @@ -3,7 +3,8 @@ # Licensed under the MIT License. See License.txt in the project root for license information. # -------------------------------------------------------------------------------------------- -from typing import Iterator +import copy +from typing import Iterator, Optional import json import re from azext_confcom import config @@ -202,9 +203,21 @@ def arm_container_group_to_aci_policy_spec( containers = container_group.get("properties", {})["containers"] assert containers + def replace_min_svn(frag): + new_frag = copy.deepcopy(frag) + min_svn = new_frag.pop("minimum_svn") + return { + **new_frag, + "minimum_svn": infrastructure_fragment_min_svn or min_svn, + } + return AciPolicySpec( fragments=[ *arm_container_group_to_aci_policy_spec_fragments(container_group), + *([ + AciFragmentSpec(**replace_min_svn(frag)) + for frag in config.DEFAULT_REGO_FRAGMENTS + ] if include_infrastructure_fragment else []), ], containers=[ arm_container_to_aci_policy_spec_container( @@ -219,7 +232,6 @@ def arm_container_group_to_aci_policy_spec( ], profile="debug" if debug_mode else "strict", include_infrastructure_fragment=not container_group.get("tags", {}).get("Annotate-zero-sidecar", not include_infrastructure_fragment), - infrastructure_fragment_min_svn=infrastructure_fragment_min_svn, allow_stdio_access=allow_stdio_access, ) 
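Review bot: The infrastructure fragment is appended to `fragments` based on the `include_infrastructure_fragment` parameter alone, while the spec's `include_infrastructure_fragment` field a few lines below is additionally overridden by the container group's `Annotate-zero-sidecar` tag; for a tagged group the spec would therefore report the fragment as excluded yet still carry it in `fragments`. Compute the effective flag once, e.g. `effective_include = not container_group.get("tags", {}).get("Annotate-zero-sidecar", not include_infrastructure_fragment)`, and use it both for the list splice and for the field. Which of the two the policy generator honours is not visible here, so the impact is inferred, but a policy that admits the infrastructure fragment for a deployment annotated as zero-sidecar is the worse failure mode. `arm_container_group_to_aci_policy_spec` starts above the hunk; `infrastructure_fragment_min_svn` stays a parameter and is now consumed only by `replace_min_svn`.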
diff --git a/src/confcom/azext_confcom/security_policy.py b/src/confcom/azext_confcom/security_policy.py index 87255f495e6..ccb2c1707d9 100644 --- a/src/confcom/azext_confcom/security_policy.py +++ b/src/confcom/azext_confcom/security_policy.py @@ -873,7 +873,7 @@ def load_policy_from_json( if policy_spec_debug_mode: for exec_process in config.DEBUG_MODE_SETTINGS.get(config.ACI_FIELD_CONTAINERS_EXEC_PROCESSES, []): - if exec_process not in exec_processes: + if exec_process["command"] not in [e["command"] for e in exec_processes]: exec_processes.append(exec_process) output_containers.append( diff --git a/src/confcom/azext_confcom/tests/latest/test_confcom_acipolicygen.py b/src/confcom/azext_confcom/tests/latest/test_confcom_acipolicygen.py index 19d38a3a8ae..0d8f1f092e3 100644 --- a/src/confcom/azext_confcom/tests/latest/test_confcom_acipolicygen.py +++ b/src/confcom/azext_confcom/tests/latest/test_confcom_acipolicygen.py @@ -82,7 +82,13 @@ def test_acipolicygen_arm(sample_directory, generated_policy_path): @pytest.mark.parametrize( "policy_spec_path", - [str(path.relative_to(SAMPLES_ROOT)) for path in Path(SAMPLES_ROOT).rglob("policy_spec*")] + [ + str(path.relative_to(SAMPLES_ROOT)) + for path in Path(SAMPLES_ROOT).rglob("policy_spec*") + if path.parts[-1] not in { + "policy_spec_minimal.json", # This is equivalent to policy_spec.json + } + ] ) def test_acipolicygen_spec(policy_spec_path): diff --git a/src/confcom/azext_confcom/tests/latest/test_confcom_parse_aci_arm.py b/src/confcom/azext_confcom/tests/latest/test_confcom_parse_aci_arm.py index a93b84fc145..4df7e2f76ba 100644 --- a/src/confcom/azext_confcom/tests/latest/test_confcom_parse_aci_arm.py +++ b/src/confcom/azext_confcom/tests/latest/test_confcom_parse_aci_arm.py 
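Review bot: The dedup `if exec_process["command"] not in [e["command"] for e in exec_processes]` rebuilds the list of existing commands on every iteration and matches on `command` only, so a user-defined exec process with the same command but its own `signals`/`allow_stdio_access` now suppresses the debug-mode entry instead of being joined by it. If that precedence is intended, record it: `# an exec process already declared for this command takes precedence over the debug-mode default`. Hoist the lookup out of the loop, `existing_commands = [e["command"] for e in exec_processes]` before the `for`, and test `if exec_process["command"] not in existing_commands:` (commands are lists, so a list rather than a set). `load_policy_from_json` starts above the hunk.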
@@ -22,6 +22,7 @@ "policy_spec_exclude_default_fragment.json": {"exclude_default_fragments": True}, "policy_spec_infrastructure_svn.json": {"infrastructure_svn": "99"}, "policy_spec_disable_stdio.json": {"disable_stdio": True}, + "policy_spec_minimal.json": {"policy_format": "minimal"}, } @@ -56,6 +57,7 @@ def test_parse_aci_arm(sample_directory, generated_policy_spec_path): infrastructure_svn=flags.get("infrastructure_svn", None), disable_stdio=flags.get("disable_stdio", False), approve_wildcards=False, + policy_format=flags.get("policy_format", "full") ) assert DeepDiff(actual_policy_spec, expected_policy_spec, ignore_order=True) == {}, ( diff --git a/src/confcom/samples/aci/command/policy_spec.json b/src/confcom/samples/aci/command/policy_spec.json index 2f24ef2aa63..8c0b7ae6aa5 100644 --- a/src/confcom/samples/aci/command/policy_spec.json +++ b/src/confcom/samples/aci/command/policy_spec.json @@ -1,11 +1,9 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, "command": [ "/bin/sh", "-c", 
@@ -14,80 +12,76 @@ "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, - "profile": "strict" + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] } ] diff --git a/src/confcom/samples/aci/command/policy_spec_debug.json b/src/confcom/samples/aci/command/policy_spec_debug.json index b9d04762ba7..d4f6028eb5c 100644 --- a/src/confcom/samples/aci/command/policy_spec_debug.json +++ b/src/confcom/samples/aci/command/policy_spec_debug.json 
@@ -1,11 +1,9 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, "command": [ "/bin/sh", "-c", @@ -14,79 +12,65 @@ "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], "execProcesses": [ { - "allow_stdio_access": true, "command": [ "/bin/sh" - ], - "signals": [] + ] }, { - "allow_stdio_access": true, "command": [ "/bin/bash" - ], - "signals": [] + ] } ], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", @@ -94,15 +78,23 @@ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ], "profile": "debug" } ] 
diff --git a/src/confcom/samples/aci/command/policy_spec_disable_stdio.json b/src/confcom/samples/aci/command/policy_spec_disable_stdio.json index b24a4f36f89..02d0dcff751 100644 --- a/src/confcom/samples/aci/command/policy_spec_disable_stdio.json +++ b/src/confcom/samples/aci/command/policy_spec_disable_stdio.json @@ -14,80 +14,76 @@ "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, - "profile": "strict" + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] } ] 
diff --git a/src/confcom/samples/aci/command/policy_spec_exclude_default_fragment.json b/src/confcom/samples/aci/command/policy_spec_exclude_default_fragment.json index 1f4ce0f8326..88f17fb558e 100644 --- a/src/confcom/samples/aci/command/policy_spec_exclude_default_fragment.json +++ b/src/confcom/samples/aci/command/policy_spec_exclude_default_fragment.json @@ -1,11 +1,9 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, "command": [ "/bin/sh", "-c", @@ -14,80 +12,66 @@ "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": false, - "profile": "strict" + "include_infrastructure_fragment": false } ] 
diff --git a/src/confcom/samples/aci/command/policy_spec_infrastructure_svn.json b/src/confcom/samples/aci/command/policy_spec_infrastructure_svn.json index 55f5c192423..120ce8cb9e4 100644 --- a/src/confcom/samples/aci/command/policy_spec_infrastructure_svn.json +++ b/src/confcom/samples/aci/command/policy_spec_infrastructure_svn.json @@ -1,11 +1,9 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, "command": [ "/bin/sh", "-c", 
@@ -14,81 +12,76 @@ "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, - "infrastructure_fragment_min_svn": "99", - "profile": "strict" + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "99" + } + ] } ] diff --git a/src/confcom/samples/aci/command/policy_spec_minimal.json b/src/confcom/samples/aci/command/policy_spec_minimal.json new file mode 100644 index 00000000000..12bf6923052 --- /dev/null +++ b/src/confcom/samples/aci/command/policy_spec_minimal.json 
@@ -0,0 +1,17 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "command": [ + "/bin/sh", + "-c", + "while true; do echo hello; sleep 10; done" + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2" + } + } + ] + } +] diff --git a/src/confcom/samples/aci/conflicting_variables/policy_spec.json b/src/confcom/samples/aci/conflicting_variables/policy_spec.json index 42ff60e29e8..372caaa5101 100644 --- a/src/confcom/samples/aci/conflicting_variables/policy_spec.json +++ b/src/confcom/samples/aci/conflicting_variables/policy_spec.json 
@@ -1,89 +1,82 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/acc/samples/aci/helloworld@sha256:86da7a2c5e55b72bf6bc7cf465b860e49c075395d854877124de63a9342ac777", "volumeMounts": [ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, - "profile": "strict" + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] } ] diff --git a/src/confcom/samples/aci/conflicting_variables/policy_spec_debug.json b/src/confcom/samples/aci/conflicting_variables/policy_spec_debug.json index caf677a2672..bcc26108ddf 100644 --- a/src/confcom/samples/aci/conflicting_variables/policy_spec_debug.json 
+++ b/src/confcom/samples/aci/conflicting_variables/policy_spec_debug.json @@ -1,88 +1,71 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], "execProcesses": [ { - "allow_stdio_access": true, "command": [ "/bin/sh" - ], - "signals": [] + ] }, { - "allow_stdio_access": true, "command": [ "/bin/bash" - ], - "signals": [] + ] } ], "image": "mcr.microsoft.com/acc/samples/aci/helloworld@sha256:86da7a2c5e55b72bf6bc7cf465b860e49c075395d854877124de63a9342ac777", @@ -90,15 +73,23 @@ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ], "profile": "debug" } ] 
diff --git a/src/confcom/samples/aci/conflicting_variables/policy_spec_disable_stdio.json b/src/confcom/samples/aci/conflicting_variables/policy_spec_disable_stdio.json index 6880089971b..112d3ab7e2c 100644 --- a/src/confcom/samples/aci/conflicting_variables/policy_spec_disable_stdio.json +++ b/src/confcom/samples/aci/conflicting_variables/policy_spec_disable_stdio.json 
@@ -6,84 +6,79 @@ "name": "container1", "properties": { "allowStdioAccess": false, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/acc/samples/aci/helloworld@sha256:86da7a2c5e55b72bf6bc7cf465b860e49c075395d854877124de63a9342ac777", "volumeMounts": [ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, - "profile": "strict" + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] } ] diff --git a/src/confcom/samples/aci/conflicting_variables/policy_spec_exclude_default_fragment.json b/src/confcom/samples/aci/conflicting_variables/policy_spec_exclude_default_fragment.json index 43404170b49..f070f35079f 100644 
--- a/src/confcom/samples/aci/conflicting_variables/policy_spec_exclude_default_fragment.json +++ b/src/confcom/samples/aci/conflicting_variables/policy_spec_exclude_default_fragment.json @@ -1,89 +1,72 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/acc/samples/aci/helloworld@sha256:86da7a2c5e55b72bf6bc7cf465b860e49c075395d854877124de63a9342ac777", "volumeMounts": [ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": false, - "profile": "strict" + "include_infrastructure_fragment": false } ] diff --git a/src/confcom/samples/aci/conflicting_variables/policy_spec_infrastructure_svn.json b/src/confcom/samples/aci/conflicting_variables/policy_spec_infrastructure_svn.json index 0feba5916a1..9cb382ff7c6 100644 
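Review bot: The new side of this file keeps `"include_infrastructure_fragment": false` as the only opt-out, while every other sample in this set replaces that key with an explicit `fragments` entry that pins the infrastructure fragment by `feed`, `issuer` and `minimum_svn`, and the new `policy_spec_minimal.json` carries neither key. Read together, the samples imply that omitting both keys includes the default infrastructure fragment, but nothing in the samples states this. Since whether a signed fragment is trusted by default is a policy decision, it would be worth stating the default and the meaning of `include_infrastructure_fragment: false` in the samples' README or the command help rather than leaving it to be inferred. The same applies to the `container_group_profiles` and `default_variables` variants of this file later in the diff.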
--- a/src/confcom/samples/aci/conflicting_variables/policy_spec_infrastructure_svn.json +++ b/src/confcom/samples/aci/conflicting_variables/policy_spec_infrastructure_svn.json @@ -1,90 +1,82 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/acc/samples/aci/helloworld@sha256:86da7a2c5e55b72bf6bc7cf465b860e49c075395d854877124de63a9342ac777", "volumeMounts": [ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, - "infrastructure_fragment_min_svn": "99", - "profile": "strict" + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "99" + } + ] } ] 
diff --git a/src/confcom/samples/aci/conflicting_variables/policy_spec_minimal.json b/src/confcom/samples/aci/conflicting_variables/policy_spec_minimal.json
new file mode 100644
index 00000000000..886b4427aa5
--- /dev/null
+++ b/src/confcom/samples/aci/conflicting_variables/policy_spec_minimal.json
@@ -0,0 +1,12 @@
+[
+ {
+ "containers": [
+ {
+ "name": "container1",
+ "properties": {
+ "image": "mcr.microsoft.com/acc/samples/aci/helloworld@sha256:86da7a2c5e55b72bf6bc7cf465b860e49c075395d854877124de63a9342ac777"
+ }
+ }
+ ]
+ }
+]
diff --git a/src/confcom/samples/aci/container_group_profiles/policy_spec.json b/src/confcom/samples/aci/container_group_profiles/policy_spec.json
index e859e163f86..b576e7a43b2 100644
--- a/src/confcom/samples/aci/container_group_profiles/policy_spec.json
+++ b/src/confcom/samples/aci/container_group_profiles/policy_spec.json
@@ -1,89 +1,82 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, - "profile": "strict" + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] } ] diff --git a/src/confcom/samples/aci/container_group_profiles/policy_spec_debug.json b/src/confcom/samples/aci/container_group_profiles/policy_spec_debug.json index 49c843c2028..708187e9b14 100644 
--- a/src/confcom/samples/aci/container_group_profiles/policy_spec_debug.json +++ b/src/confcom/samples/aci/container_group_profiles/policy_spec_debug.json @@ -1,88 +1,71 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], "execProcesses": [ { - "allow_stdio_access": true, "command": [ "/bin/sh" - ], - "signals": [] + ] }, { - "allow_stdio_access": true, "command": [ "/bin/bash" - ], - "signals": [] + ] } ], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", 
@@ -90,15 +73,23 @@ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ], "profile": "debug" } ] diff --git a/src/confcom/samples/aci/container_group_profiles/policy_spec_disable_stdio.json b/src/confcom/samples/aci/container_group_profiles/policy_spec_disable_stdio.json index 8aeef6ad9c2..382c4c29524 100644 --- a/src/confcom/samples/aci/container_group_profiles/policy_spec_disable_stdio.json +++ b/src/confcom/samples/aci/container_group_profiles/policy_spec_disable_stdio.json 
@@ -6,84 +6,79 @@ "name": "container1", "properties": { "allowStdioAccess": false, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, - "profile": "strict" + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] } ] diff --git a/src/confcom/samples/aci/container_group_profiles/policy_spec_exclude_default_fragment.json b/src/confcom/samples/aci/container_group_profiles/policy_spec_exclude_default_fragment.json index e1b9f9e5eff..915cf0c11e8 100644 
--- a/src/confcom/samples/aci/container_group_profiles/policy_spec_exclude_default_fragment.json +++ b/src/confcom/samples/aci/container_group_profiles/policy_spec_exclude_default_fragment.json @@ -1,89 +1,72 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": false, - "profile": "strict" + "include_infrastructure_fragment": false } ] diff --git a/src/confcom/samples/aci/container_group_profiles/policy_spec_infrastructure_svn.json b/src/confcom/samples/aci/container_group_profiles/policy_spec_infrastructure_svn.json index 0a6457199d1..2ee88ee01f5 100644 
--- a/src/confcom/samples/aci/container_group_profiles/policy_spec_infrastructure_svn.json +++ b/src/confcom/samples/aci/container_group_profiles/policy_spec_infrastructure_svn.json @@ -1,90 +1,82 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, - "infrastructure_fragment_min_svn": "99", - "profile": "strict" + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "99" + } + ] } ] 
diff --git a/src/confcom/samples/aci/container_group_profiles/policy_spec_minimal.json b/src/confcom/samples/aci/container_group_profiles/policy_spec_minimal.json
new file mode 100644
index 00000000000..b33f471ee00
--- /dev/null
+++ b/src/confcom/samples/aci/container_group_profiles/policy_spec_minimal.json
@@ -0,0 +1,12 @@
+[
+ {
+ "containers": [
+ {
+ "name": "container1",
+ "properties": {
+ "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2"
+ }
+ }
+ ]
+ }
+]
diff --git a/src/confcom/samples/aci/default_variables/policy_spec.json b/src/confcom/samples/aci/default_variables/policy_spec.json
index e859e163f86..b576e7a43b2 100644
--- a/src/confcom/samples/aci/default_variables/policy_spec.json
+++ b/src/confcom/samples/aci/default_variables/policy_spec.json
@@ -1,89 +1,82 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, - "profile": "strict" + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] } ] diff --git a/src/confcom/samples/aci/default_variables/policy_spec_debug.json b/src/confcom/samples/aci/default_variables/policy_spec_debug.json index 49c843c2028..708187e9b14 100644 --- a/src/confcom/samples/aci/default_variables/policy_spec_debug.json 
+++ b/src/confcom/samples/aci/default_variables/policy_spec_debug.json @@ -1,88 +1,71 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], "execProcesses": [ { - "allow_stdio_access": true, "command": [ "/bin/sh" - ], - "signals": [] + ] }, { - "allow_stdio_access": true, "command": [ "/bin/bash" - ], - "signals": [] + ] } ], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", @@ -90,15 +73,23 @@ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ], "profile": "debug" } ] 
diff --git a/src/confcom/samples/aci/default_variables/policy_spec_disable_stdio.json b/src/confcom/samples/aci/default_variables/policy_spec_disable_stdio.json
index 8aeef6ad9c2..382c4c29524 100644
--- a/src/confcom/samples/aci/default_variables/policy_spec_disable_stdio.json
+++ b/src/confcom/samples/aci/default_variables/policy_spec_disable_stdio.json
@@ -6,84 +6,79 @@ "name": "container1", "properties": { "allowStdioAccess": false, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, - "profile": "strict" + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] } ] diff --git a/src/confcom/samples/aci/default_variables/policy_spec_exclude_default_fragment.json b/src/confcom/samples/aci/default_variables/policy_spec_exclude_default_fragment.json index e1b9f9e5eff..915cf0c11e8 100644 --- a/src/confcom/samples/aci/default_variables/policy_spec_exclude_default_fragment.json 
+++ b/src/confcom/samples/aci/default_variables/policy_spec_exclude_default_fragment.json @@ -1,89 +1,72 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": false, - "profile": "strict" + "include_infrastructure_fragment": false } ] diff --git a/src/confcom/samples/aci/default_variables/policy_spec_infrastructure_svn.json b/src/confcom/samples/aci/default_variables/policy_spec_infrastructure_svn.json index 0a6457199d1..2ee88ee01f5 100644 --- a/src/confcom/samples/aci/default_variables/policy_spec_infrastructure_svn.json +++ b/src/confcom/samples/aci/default_variables/policy_spec_infrastructure_svn.json 
@@ -1,90 +1,82 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, - "infrastructure_fragment_min_svn": "99", - "profile": "strict" + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "99" + } + ] } ] diff --git a/src/confcom/samples/aci/default_variables/policy_spec_minimal.json b/src/confcom/samples/aci/default_variables/policy_spec_minimal.json new file mode 100644 index 00000000000..b33f471ee00 --- /dev/null 
+++ b/src/confcom/samples/aci/default_variables/policy_spec_minimal.json
@@ -0,0 +1,12 @@
+[
+ {
+ "containers": [
+ {
+ "name": "container1",
+ "properties": {
+ "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2"
+ }
+ }
+ ]
+ }
+]
diff --git a/src/confcom/samples/aci/default_variables_override/policy_spec.json b/src/confcom/samples/aci/default_variables_override/policy_spec.json
index 42ff60e29e8..372caaa5101 100644
--- a/src/confcom/samples/aci/default_variables_override/policy_spec.json
+++ b/src/confcom/samples/aci/default_variables_override/policy_spec.json
@@ -1,89 +1,82 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/acc/samples/aci/helloworld@sha256:86da7a2c5e55b72bf6bc7cf465b860e49c075395d854877124de63a9342ac777", "volumeMounts": [ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, - "profile": "strict" + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] } ] diff --git a/src/confcom/samples/aci/default_variables_override/policy_spec_debug.json b/src/confcom/samples/aci/default_variables_override/policy_spec_debug.json index caf677a2672..bcc26108ddf 100644 
--- a/src/confcom/samples/aci/default_variables_override/policy_spec_debug.json +++ b/src/confcom/samples/aci/default_variables_override/policy_spec_debug.json @@ -1,88 +1,71 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], "execProcesses": [ { - "allow_stdio_access": true, "command": [ "/bin/sh" - ], - "signals": [] + ] }, { - "allow_stdio_access": true, "command": [ "/bin/bash" - ], - "signals": [] + ] } ], "image": "mcr.microsoft.com/acc/samples/aci/helloworld@sha256:86da7a2c5e55b72bf6bc7cf465b860e49c075395d854877124de63a9342ac777", 
@@ -90,15 +73,23 @@ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ], "profile": "debug" } ] diff --git a/src/confcom/samples/aci/default_variables_override/policy_spec_disable_stdio.json b/src/confcom/samples/aci/default_variables_override/policy_spec_disable_stdio.json index 6880089971b..112d3ab7e2c 100644 --- a/src/confcom/samples/aci/default_variables_override/policy_spec_disable_stdio.json +++ b/src/confcom/samples/aci/default_variables_override/policy_spec_disable_stdio.json 
@@ -6,84 +6,79 @@ "name": "container1", "properties": { "allowStdioAccess": false, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/acc/samples/aci/helloworld@sha256:86da7a2c5e55b72bf6bc7cf465b860e49c075395d854877124de63a9342ac777", "volumeMounts": [ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, - "profile": "strict" + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] } ] diff --git a/src/confcom/samples/aci/default_variables_override/policy_spec_exclude_default_fragment.json b/src/confcom/samples/aci/default_variables_override/policy_spec_exclude_default_fragment.json index 43404170b49..f070f35079f 100644 
--- a/src/confcom/samples/aci/default_variables_override/policy_spec_exclude_default_fragment.json +++ b/src/confcom/samples/aci/default_variables_override/policy_spec_exclude_default_fragment.json @@ -1,89 +1,72 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/acc/samples/aci/helloworld@sha256:86da7a2c5e55b72bf6bc7cf465b860e49c075395d854877124de63a9342ac777", "volumeMounts": [ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": false, - "profile": "strict" + "include_infrastructure_fragment": false } ] diff --git a/src/confcom/samples/aci/default_variables_override/policy_spec_infrastructure_svn.json b/src/confcom/samples/aci/default_variables_override/policy_spec_infrastructure_svn.json index 0feba5916a1..9cb382ff7c6 100644 
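Review bot: This sample keeps `"include_infrastructure_fragment": false` while every other sample in the patch drops that key and expresses inclusion through an explicit `fragments` entry, so the same decision is now encoded two different ways depending on its value. A reader of the spec, or a tool that merges specs, has to consult both the flag and the list, and the samples do not show what wins if a spec carries `include_infrastructure_fragment: false` together with an explicit infra fragment entry. If omitting default-valued keys is intentional, consider also emitting `"fragments": []` in the exclude variants so the resolved trust set is always visible; the same applies to L290 and L297.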
--- a/src/confcom/samples/aci/default_variables_override/policy_spec_infrastructure_svn.json +++ b/src/confcom/samples/aci/default_variables_override/policy_spec_infrastructure_svn.json @@ -1,90 +1,82 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/acc/samples/aci/helloworld@sha256:86da7a2c5e55b72bf6bc7cf465b860e49c075395d854877124de63a9342ac777", "volumeMounts": [ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, - "infrastructure_fragment_min_svn": "99", - "profile": "strict" + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "99" + } + ] } ] 
diff --git a/src/confcom/samples/aci/default_variables_override/policy_spec_minimal.json b/src/confcom/samples/aci/default_variables_override/policy_spec_minimal.json new file mode 100644 index 00000000000..886b4427aa5 --- /dev/null +++ b/src/confcom/samples/aci/default_variables_override/policy_spec_minimal.json @@ -0,0 +1,12 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "image": "mcr.microsoft.com/acc/samples/aci/helloworld@sha256:86da7a2c5e55b72bf6bc7cf465b860e49c075395d854877124de63a9342ac777" + } + } + ] + } +] diff --git a/src/confcom/samples/aci/environment_variables/policy_spec.json b/src/confcom/samples/aci/environment_variables/policy_spec.json index efdf09c8716..60fe9fc5397 100644 --- a/src/confcom/samples/aci/environment_variables/policy_spec.json +++ b/src/confcom/samples/aci/environment_variables/policy_spec.json 
@@ -1,95 +1,87 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "MY_VAR", - "required": false, "strategy": "string", "value": "MY_VAL" }, { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, - "profile": "strict" + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] } ] 
diff --git a/src/confcom/samples/aci/environment_variables/policy_spec_debug.json b/src/confcom/samples/aci/environment_variables/policy_spec_debug.json index 9b382fedb0d..cca55e30157 100644 --- a/src/confcom/samples/aci/environment_variables/policy_spec_debug.json +++ b/src/confcom/samples/aci/environment_variables/policy_spec_debug.json @@ -1,94 +1,76 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "MY_VAR", - "required": false, "strategy": "string", "value": "MY_VAL" }, { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], "execProcesses": [ { - "allow_stdio_access": true, "command": [ "/bin/sh" - ], - "signals": [] + ] }, { - "allow_stdio_access": true, "command": [ "/bin/bash" - ], - "signals": [] + ] } ], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", 
@@ -96,15 +78,23 @@ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ], "profile": "debug" } ] diff --git a/src/confcom/samples/aci/environment_variables/policy_spec_disable_stdio.json b/src/confcom/samples/aci/environment_variables/policy_spec_disable_stdio.json index fd25efc63d7..682b93fc23d 100644 --- a/src/confcom/samples/aci/environment_variables/policy_spec_disable_stdio.json +++ b/src/confcom/samples/aci/environment_variables/policy_spec_disable_stdio.json 
@@ -6,90 +6,84 @@ "name": "container1", "properties": { "allowStdioAccess": false, - "command": [], "environmentVariables": [ { "name": "MY_VAR", - "required": false, "strategy": "string", "value": "MY_VAL" }, { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, - "profile": "strict" + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] } ] diff --git a/src/confcom/samples/aci/environment_variables/policy_spec_exclude_default_fragment.json b/src/confcom/samples/aci/environment_variables/policy_spec_exclude_default_fragment.json index 31b63bb2d52..c86b87fb0a6 100644 
--- a/src/confcom/samples/aci/environment_variables/policy_spec_exclude_default_fragment.json +++ b/src/confcom/samples/aci/environment_variables/policy_spec_exclude_default_fragment.json @@ -1,95 +1,77 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "MY_VAR", - "required": false, "strategy": "string", "value": "MY_VAL" }, { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": false, - "profile": "strict" + "include_infrastructure_fragment": false } ] diff --git a/src/confcom/samples/aci/environment_variables/policy_spec_infrastructure_svn.json b/src/confcom/samples/aci/environment_variables/policy_spec_infrastructure_svn.json index a7b5b63d412..59ab9767fac 100644 
--- a/src/confcom/samples/aci/environment_variables/policy_spec_infrastructure_svn.json +++ b/src/confcom/samples/aci/environment_variables/policy_spec_infrastructure_svn.json 
@@ -1,96 +1,87 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "MY_VAR", - "required": false, "strategy": "string", "value": "MY_VAL" }, { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, - "infrastructure_fragment_min_svn": "99", - "profile": "strict" + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "99" + } + ] } ] 
diff --git a/src/confcom/samples/aci/environment_variables/policy_spec_minimal.json b/src/confcom/samples/aci/environment_variables/policy_spec_minimal.json new file mode 100644 index 00000000000..5c933602dba --- /dev/null +++ b/src/confcom/samples/aci/environment_variables/policy_spec_minimal.json @@ -0,0 +1,19 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "environmentVariables": [ + { + "name": "MY_VAR", + "strategy": "string", + "value": "MY_VAL" + } + ], + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2" + } + } + ] + } +] diff --git a/src/confcom/samples/aci/minimal/policy_spec.json b/src/confcom/samples/aci/minimal/policy_spec.json index e859e163f86..b576e7a43b2 100644 --- a/src/confcom/samples/aci/minimal/policy_spec.json +++ b/src/confcom/samples/aci/minimal/policy_spec.json 
@@ -1,89 +1,82 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, - "profile": "strict" + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] } ] diff --git a/src/confcom/samples/aci/minimal/policy_spec_debug.json b/src/confcom/samples/aci/minimal/policy_spec_debug.json index 49c843c2028..708187e9b14 100644 --- a/src/confcom/samples/aci/minimal/policy_spec_debug.json 
+++ b/src/confcom/samples/aci/minimal/policy_spec_debug.json @@ -1,88 +1,71 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], "execProcesses": [ { - "allow_stdio_access": true, "command": [ "/bin/sh" - ], - "signals": [] + ] }, { - "allow_stdio_access": true, "command": [ "/bin/bash" - ], - "signals": [] + ] } ], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", @@ -90,15 +73,23 @@ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ], "profile": "debug" } ] 
diff --git a/src/confcom/samples/aci/minimal/policy_spec_disable_stdio.json b/src/confcom/samples/aci/minimal/policy_spec_disable_stdio.json index 8aeef6ad9c2..382c4c29524 100644 --- a/src/confcom/samples/aci/minimal/policy_spec_disable_stdio.json +++ b/src/confcom/samples/aci/minimal/policy_spec_disable_stdio.json @@ -6,84 +6,79 @@ "name": "container1", "properties": { "allowStdioAccess": false, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, - "profile": "strict" + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] } ] 
diff --git a/src/confcom/samples/aci/minimal/policy_spec_exclude_default_fragment.json b/src/confcom/samples/aci/minimal/policy_spec_exclude_default_fragment.json index e1b9f9e5eff..915cf0c11e8 100644 --- a/src/confcom/samples/aci/minimal/policy_spec_exclude_default_fragment.json +++ b/src/confcom/samples/aci/minimal/policy_spec_exclude_default_fragment.json @@ -1,89 +1,72 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": false, - "profile": "strict" + "include_infrastructure_fragment": false } ] 
diff --git a/src/confcom/samples/aci/minimal/policy_spec_infrastructure_svn.json b/src/confcom/samples/aci/minimal/policy_spec_infrastructure_svn.json index 0a6457199d1..2ee88ee01f5 100644 --- a/src/confcom/samples/aci/minimal/policy_spec_infrastructure_svn.json +++ b/src/confcom/samples/aci/minimal/policy_spec_infrastructure_svn.json 
@@ -1,90 +1,82 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, - "infrastructure_fragment_min_svn": "99", - "profile": "strict" + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "99" + } + ] } ] diff --git a/src/confcom/samples/aci/minimal/policy_spec_minimal.json b/src/confcom/samples/aci/minimal/policy_spec_minimal.json new file mode 100644 index 00000000000..b33f471ee00 --- /dev/null 
+++ b/src/confcom/samples/aci/minimal/policy_spec_minimal.json @@ -0,0 +1,12 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2" + } + } + ] + } +] diff --git a/src/confcom/samples/aci/multi_container_groups/policy_spec.json b/src/confcom/samples/aci/multi_container_groups/policy_spec.json index 3a5ed552981..18bcab564e1 100644 --- a/src/confcom/samples/aci/multi_container_groups/policy_spec.json +++ b/src/confcom/samples/aci/multi_container_groups/policy_spec.json 
@@ -1,176 +1,162 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, - "profile": "strict" + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] }, { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": 
"(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, - "profile": "strict" + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] } ] diff --git a/src/confcom/samples/aci/multi_container_groups/policy_spec_debug.json b/src/confcom/samples/aci/multi_container_groups/policy_spec_debug.json index 329212c944b..e8557622035 100644 --- a/src/confcom/samples/aci/multi_container_groups/policy_spec_debug.json +++ b/src/confcom/samples/aci/multi_container_groups/policy_spec_debug.json 
@@ -1,88 +1,71 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], "execProcesses": [ { - "allow_stdio_access": true, "command": [ "/bin/sh" - ], - "signals": [] + ] }, { - "allow_stdio_access": true, "command": [ "/bin/bash" - ], - "signals": [] + ] } ], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", 
@@ -90,101 +73,92 @@ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ], "profile": "debug" }, { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], "execProcesses": [ { - "allow_stdio_access": true, "command": [ "/bin/sh" - ], - "signals": [] + ] }, { - "allow_stdio_access": true, "command": [ "/bin/bash" - ], - "signals": [] + ] } ], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", 
@@ -192,15 +166,23 @@ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ], "profile": "debug" } ] diff --git a/src/confcom/samples/aci/multi_container_groups/policy_spec_disable_stdio.json b/src/confcom/samples/aci/multi_container_groups/policy_spec_disable_stdio.json index 261f530ba6b..6b6509cc7df 100644 --- a/src/confcom/samples/aci/multi_container_groups/policy_spec_disable_stdio.json +++ b/src/confcom/samples/aci/multi_container_groups/policy_spec_disable_stdio.json 
@@ -6,85 +6,80 @@ "name": "container1", "properties": { "allowStdioAccess": false, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, - "profile": "strict" + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] }, { "allow_stdio_access": false, 
@@ -93,84 +88,79 @@ "name": "container1", "properties": { "allowStdioAccess": false, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, - "profile": "strict" + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] } ] diff --git a/src/confcom/samples/aci/multi_container_groups/policy_spec_exclude_default_fragment.json b/src/confcom/samples/aci/multi_container_groups/policy_spec_exclude_default_fragment.json index 8963675c8f1..a6378b34ed5 100644 
--- a/src/confcom/samples/aci/multi_container_groups/policy_spec_exclude_default_fragment.json +++ b/src/confcom/samples/aci/multi_container_groups/policy_spec_exclude_default_fragment.json 
@@ -1,176 +1,142 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": false, - "profile": "strict" + "include_infrastructure_fragment": false }, { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { 
"name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": false, - "profile": "strict" + "include_infrastructure_fragment": false } ] diff --git a/src/confcom/samples/aci/multi_container_groups/policy_spec_infrastructure_svn.json b/src/confcom/samples/aci/multi_container_groups/policy_spec_infrastructure_svn.json index 7a1e6deef3b..2d0b5dd4ecd 100644 --- a/src/confcom/samples/aci/multi_container_groups/policy_spec_infrastructure_svn.json +++ b/src/confcom/samples/aci/multi_container_groups/policy_spec_infrastructure_svn.json 
@@ -1,178 +1,162 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, - "infrastructure_fragment_min_svn": "99", - "profile": "strict" + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "99" + } + ] }, { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", 
"value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, - "infrastructure_fragment_min_svn": "99", - "profile": "strict" + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "99" + } + ] } ] diff --git a/src/confcom/samples/aci/multi_container_groups/policy_spec_minimal.json b/src/confcom/samples/aci/multi_container_groups/policy_spec_minimal.json new file mode 100644 index 00000000000..31510b1739c --- /dev/null +++ b/src/confcom/samples/aci/multi_container_groups/policy_spec_minimal.json 
@@ -0,0 +1,22 @@
+[
+ {
+ "containers": [
+ {
+ "name": "container1",
+ "properties": {
+ "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2"
+ }
+ }
+ ]
+ },
+ {
+ "containers": [
+ {
+ "name": "container1",
+ "properties": {
+ "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2"
+ }
+ }
+ ]
+ }
+]
diff --git a/src/confcom/samples/aci/multi_containers/policy_spec.json b/src/confcom/samples/aci/multi_containers/policy_spec.json
index d714b4c690d..3a604d10df0 100644
--- a/src/confcom/samples/aci/multi_containers/policy_spec.json
+++ b/src/confcom/samples/aci/multi_containers/policy_spec.json
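Review bot: The new multi_container_groups/policy_spec_minimal.json omits every policy-level key (`fragments`, `include_infrastructure_fragment`, `allow_stdio_access`, `environmentVariables`), so a reader cannot tell from the sample which defaults the parser fills in, in particular whether the infrastructure fragment is trusted and whether stdio is allowed. A line in the samples' README stating that this sample deliberately exercises the tool's defaults, and naming what those defaults are, would keep it from being copied as a complete spec. Pinning the image by `@sha256:` digest is the right choice here. The same applies to the new multi_containers/policy_spec_minimal.json later in this patch.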
@@ -1,82 +1,67 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } 
@@ -84,85 +69,79 @@ { "name": "container2", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, - "profile": "strict" + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] } ] diff --git a/src/confcom/samples/aci/multi_containers/policy_spec_debug.json b/src/confcom/samples/aci/multi_containers/policy_spec_debug.json index 65386bd993d..d33047dfd88 100644 --- a/src/confcom/samples/aci/multi_containers/policy_spec_debug.json 
+++ b/src/confcom/samples/aci/multi_containers/policy_spec_debug.json @@ -1,88 +1,71 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], "execProcesses": [ { - "allow_stdio_access": true, "command": [ "/bin/sh" - ], - "signals": [] + ] }, { - "allow_stdio_access": true, "command": [ "/bin/bash" - ], - "signals": [] + ] } ], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", @@ -90,8 +73,7 @@ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } 
@@ -99,84 +81,68 @@ { "name": "container2", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], "execProcesses": [ { - "allow_stdio_access": true, "command": [ "/bin/sh" - ], - "signals": [] + ] }, { - "allow_stdio_access": true, "command": [ "/bin/bash" - ], - "signals": [] + ] } ], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", @@ -184,15 +150,23 @@ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ], "profile": "debug" } ] 
diff --git a/src/confcom/samples/aci/multi_containers/policy_spec_disable_stdio.json b/src/confcom/samples/aci/multi_containers/policy_spec_disable_stdio.json index bd08dc4721b..851ed3a9e22 100644 --- a/src/confcom/samples/aci/multi_containers/policy_spec_disable_stdio.json +++ b/src/confcom/samples/aci/multi_containers/policy_spec_disable_stdio.json @@ -6,77 +6,64 @@ "name": "container1", "properties": { "allowStdioAccess": false, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } 
@@ -85,84 +72,79 @@ "name": "container2", "properties": { "allowStdioAccess": false, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, - "profile": "strict" + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] } ] diff --git a/src/confcom/samples/aci/multi_containers/policy_spec_exclude_default_fragment.json b/src/confcom/samples/aci/multi_containers/policy_spec_exclude_default_fragment.json index d52c5482168..466d736bcae 100644 --- a/src/confcom/samples/aci/multi_containers/policy_spec_exclude_default_fragment.json 
+++ b/src/confcom/samples/aci/multi_containers/policy_spec_exclude_default_fragment.json @@ -1,82 +1,67 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } 
@@ -84,85 +69,69 @@ { "name": "container2", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": false, - "profile": "strict" + "include_infrastructure_fragment": false } ] diff --git a/src/confcom/samples/aci/multi_containers/policy_spec_infrastructure_svn.json b/src/confcom/samples/aci/multi_containers/policy_spec_infrastructure_svn.json index 0f0f77eebf1..aece51ebe86 100644 --- a/src/confcom/samples/aci/multi_containers/policy_spec_infrastructure_svn.json +++ b/src/confcom/samples/aci/multi_containers/policy_spec_infrastructure_svn.json 
@@ -1,82 +1,67 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } 
@@ -84,86 +69,79 @@ { "name": "container2", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, - "infrastructure_fragment_min_svn": "99", - "profile": "strict" + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "99" + } + ] } ] diff --git a/src/confcom/samples/aci/multi_containers/policy_spec_minimal.json b/src/confcom/samples/aci/multi_containers/policy_spec_minimal.json new file mode 100644 index 00000000000..ce9b6e397bc --- /dev/null 
+++ b/src/confcom/samples/aci/multi_containers/policy_spec_minimal.json @@ -0,0 +1,18 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2" + } + }, + { + "name": "container2", + "properties": { + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2" + } + } + ] + } +] diff --git a/src/confcom/samples/aci/security_context_capabilities_add/policy_spec.json b/src/confcom/samples/aci/security_context_capabilities_add/policy_spec.json index fc290f4a9ba..eebb5b7a485 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add/policy_spec.json +++ b/src/confcom/samples/aci/security_context_capabilities_add/policy_spec.json 
@@ -1,98 +1,90 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "securityContext": { "capabilities": { "add": [ "CAP_SYS_TIME", "CAP_DAC_READ_SEARCH" - ], - "drop": [] + ] } }, "volumeMounts": [ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, - "profile": "strict" + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] } ] 
diff --git a/src/confcom/samples/aci/security_context_capabilities_add/policy_spec_debug.json b/src/confcom/samples/aci/security_context_capabilities_add/policy_spec_debug.json index 8fe3692fe06..653e30f2e5c 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add/policy_spec_debug.json +++ b/src/confcom/samples/aci/security_context_capabilities_add/policy_spec_debug.json @@ -1,88 +1,71 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], "execProcesses": [ { - "allow_stdio_access": true, "command": [ "/bin/sh" - ], - "signals": [] + ] }, { - "allow_stdio_access": true, "command": [ "/bin/bash" - ], - "signals": [] + ] } ], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", 
@@ -91,23 +74,30 @@ "add": [ "CAP_SYS_TIME", "CAP_DAC_READ_SEARCH" - ], - "drop": [] + ] } }, "volumeMounts": [ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ], "profile": "debug" } ] diff --git a/src/confcom/samples/aci/security_context_capabilities_add/policy_spec_disable_stdio.json b/src/confcom/samples/aci/security_context_capabilities_add/policy_spec_disable_stdio.json index f2fa6095cae..cea650612b4 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add/policy_spec_disable_stdio.json +++ b/src/confcom/samples/aci/security_context_capabilities_add/policy_spec_disable_stdio.json 
@@ -6,93 +6,87 @@ "name": "container1", "properties": { "allowStdioAccess": false, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "securityContext": { "capabilities": { "add": [ "CAP_SYS_TIME", "CAP_DAC_READ_SEARCH" - ], - "drop": [] + ] } }, "volumeMounts": [ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, - "profile": "strict" + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] } ] 
diff --git a/src/confcom/samples/aci/security_context_capabilities_add/policy_spec_exclude_default_fragment.json b/src/confcom/samples/aci/security_context_capabilities_add/policy_spec_exclude_default_fragment.json index 367cac77e47..b416b9f4a1d 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add/policy_spec_exclude_default_fragment.json +++ b/src/confcom/samples/aci/security_context_capabilities_add/policy_spec_exclude_default_fragment.json 
@@ -1,98 +1,80 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "securityContext": { "capabilities": { "add": [ "CAP_SYS_TIME", "CAP_DAC_READ_SEARCH" - ], - "drop": [] + ] } }, "volumeMounts": [ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": false, - "profile": "strict" + "include_infrastructure_fragment": false } ] diff --git a/src/confcom/samples/aci/security_context_capabilities_add/policy_spec_infrastructure_svn.json b/src/confcom/samples/aci/security_context_capabilities_add/policy_spec_infrastructure_svn.json index d045a985904..24b63b13d16 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add/policy_spec_infrastructure_svn.json 
+++ b/src/confcom/samples/aci/security_context_capabilities_add/policy_spec_infrastructure_svn.json @@ -1,99 +1,90 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "securityContext": { "capabilities": { "add": [ "CAP_SYS_TIME", "CAP_DAC_READ_SEARCH" - ], - "drop": [] + ] } }, "volumeMounts": [ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, - "infrastructure_fragment_min_svn": "99", - "profile": "strict" + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "99" + } + ] } ] 
diff --git a/src/confcom/samples/aci/security_context_capabilities_add/policy_spec_minimal.json b/src/confcom/samples/aci/security_context_capabilities_add/policy_spec_minimal.json new file mode 100644 index 00000000000..d7c7ac84f70 --- /dev/null +++ b/src/confcom/samples/aci/security_context_capabilities_add/policy_spec_minimal.json @@ -0,0 +1,20 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "securityContext": { + "capabilities": { + "add": [ + "CAP_SYS_TIME", + "CAP_DAC_READ_SEARCH" + ] + } + } + } + } + ] + } +] diff --git a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec.json b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec.json index 308b9744aa8..2c464ab0873 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec.json +++ b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec.json 
@@ -1,75 +1,61 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "securityContext": { "capabilities": { @@ -87,15 +73,22 @@ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, - "profile": "strict" + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] } ] diff --git a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_debug.json b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_debug.json index 5530814eedb..e1302bd5f73 100644 
--- a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_debug.json +++ b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_debug.json @@ -1,88 +1,71 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], "execProcesses": [ { - "allow_stdio_access": true, "command": [ "/bin/sh" - ], - "signals": [] + ] }, { - "allow_stdio_access": true, "command": [ "/bin/bash" - ], - "signals": [] + ] } ], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", 
@@ -102,15 +85,23 @@ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ], "profile": "debug" } ] diff --git a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_disable_stdio.json b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_disable_stdio.json index 1a83fee80da..06605bc4ab1 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_disable_stdio.json +++ b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_disable_stdio.json 
@@ -6,70 +6,58 @@ "name": "container1", "properties": { "allowStdioAccess": false, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "securityContext": { "capabilities": { @@ -87,15 +75,22 @@ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, - "profile": "strict" + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] } ] diff --git a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_exclude_default_fragment.json b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_exclude_default_fragment.json index 633243ca2e5..d48a957be49 100644 
--- a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_exclude_default_fragment.json +++ b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_exclude_default_fragment.json @@ -1,75 +1,61 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "securityContext": { "capabilities": { @@ -87,15 +73,12 @@ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": false, - "profile": "strict" + "include_infrastructure_fragment": false } ] 
diff --git a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_infrastructure_svn.json b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_infrastructure_svn.json index ef2028703e2..1e28a8dd6e2 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_infrastructure_svn.json +++ b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_infrastructure_svn.json @@ -1,75 +1,61 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "securityContext": { "capabilities": { 
@@ -87,16 +73,22 @@ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, - "infrastructure_fragment_min_svn": "99", - "profile": "strict" + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "99" + } + ] } ] diff --git a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_minimal.json b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_minimal.json new file mode 100644 index 00000000000..8c235a6cfa2 --- /dev/null +++ b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_minimal.json @@ -0,0 +1,24 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "securityContext": { + "capabilities": { + "add": [ + "CAP_SYS_TIME", + "CAP_DAC_READ_SEARCH" + ], + "drop": [ + "CAP_CHOWN", + "CAP_KILL" + ] + } + } + } + } + ] + } +] diff --git a/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec.json b/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec.json index fe1bc6433ad..b2cedd9dc1e 100644 --- a/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec.json +++ b/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec.json 
@@ -1,79 +1,64 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "securityContext": { "capabilities": { - "add": [], "drop": [ "CAP_CHOWN", "CAP_KILL" @@ -84,15 +69,22 @@ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, - "profile": "strict" + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] } ] 
diff --git a/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_debug.json b/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_debug.json index c8c44328829..fbf8a4c5c83 100644 --- a/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_debug.json +++ b/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_debug.json @@ -1,94 +1,76 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], "execProcesses": [ { - "allow_stdio_access": true, "command": [ "/bin/sh" - ], - "signals": [] + ] }, { - "allow_stdio_access": true, "command": [ "/bin/bash" - ], - "signals": [] + ] } ], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "securityContext": { "capabilities": { - "add": [], "drop": [ "CAP_CHOWN", "CAP_KILL" 
@@ -99,15 +81,23 @@ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ], "profile": "debug" } ] diff --git a/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_disable_stdio.json b/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_disable_stdio.json index 45d9d9ad632..907e7d8edf4 100644 --- a/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_disable_stdio.json +++ b/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_disable_stdio.json 
@@ -6,74 +6,61 @@
 "name": "container1",
 "properties": {
 "allowStdioAccess": false,
- "command": [],
 "environmentVariables": [
 {
 "name": "TERM",
- "required": false,
 "strategy": "string",
 "value": "xterm"
 },
 {
 "name": "(?i)(FABRIC)_.+",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "HOSTNAME",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "T(E)?MP",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "FabricPackageFileName",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "HostedServiceName",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "IDENTITY_API_VERSION",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "IDENTITY_HEADER",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "IDENTITY_SERVER_THUMBPRINT",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "azurecontainerinstance_restarted_by",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 }
 ],
- "execProcesses": [],
 "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2",
 "securityContext": {
 "capabilities": {
- "add": [],
 "drop": [
 "CAP_CHOWN",
 "CAP_KILL"
@@ -84,15 +71,22 @@
 {
 "mountPath": "/etc/resolv.conf",
 "mountType": "resolvconf",
- "name": "dns_resolve",
- "readonly": false
+ "name": "dns_resolve"
 }
 ]
 }
 }
 ],
- "fragments": [],
- "include_infrastructure_fragment": true,
- "profile": "strict"
+ "fragments": [
+ {
+ "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment",
+ "includes": [
+ "containers",
+ "fragments"
+ ],
+ "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3",
+ "minimum_svn": "1"
+ }
+ ]
 }
 ]
diff --git a/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_exclude_default_fragment.json b/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_exclude_default_fragment.json
index 7e65411d841..b3e84be61e3 100644
--- a/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_exclude_default_fragment.json
+++ b/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_exclude_default_fragment.json
@@ -1,79 +1,64 @@
 [
 {
- "allow_stdio_access": true,
 "containers": [
 {
 "name": "container1",
 "properties": {
- "allowStdioAccess": true,
- "command": [],
 "environmentVariables": [
 {
 "name": "TERM",
- "required": false,
 "strategy": "string",
 "value": "xterm"
 },
 {
 "name": "(?i)(FABRIC)_.+",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "HOSTNAME",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "T(E)?MP",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "FabricPackageFileName",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "HostedServiceName",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "IDENTITY_API_VERSION",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "IDENTITY_HEADER",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "IDENTITY_SERVER_THUMBPRINT",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "azurecontainerinstance_restarted_by",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 }
 ],
- "execProcesses": [],
 "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2",
 "securityContext": {
 "capabilities": {
- "add": [],
 "drop": [
 "CAP_CHOWN",
 "CAP_KILL"
@@ -84,15 +69,12 @@
 {
 "mountPath": "/etc/resolv.conf",
 "mountType": "resolvconf",
- "name": "dns_resolve",
- "readonly": false
+ "name": "dns_resolve"
 }
 ]
 }
 }
 ],
- "fragments": [],
- "include_infrastructure_fragment": false,
- "profile": "strict"
+ "include_infrastructure_fragment": false
 }
 ]
diff --git a/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_infrastructure_svn.json b/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_infrastructure_svn.json
index b6f56fbb822..e13e599b0a2 100644
--- a/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_infrastructure_svn.json
+++ b/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_infrastructure_svn.json
@@ -1,79 +1,64 @@
 [
 {
- "allow_stdio_access": true,
 "containers": [
 {
 "name": "container1",
 "properties": {
- "allowStdioAccess": true,
- "command": [],
 "environmentVariables": [
 {
 "name": "TERM",
- "required": false,
 "strategy": "string",
 "value": "xterm"
 },
 {
 "name": "(?i)(FABRIC)_.+",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "HOSTNAME",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "T(E)?MP",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "FabricPackageFileName",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "HostedServiceName",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "IDENTITY_API_VERSION",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "IDENTITY_HEADER",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "IDENTITY_SERVER_THUMBPRINT",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "azurecontainerinstance_restarted_by",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 }
 ],
- "execProcesses": [],
 "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2",
 "securityContext": {
 "capabilities": {
- "add": [],
 "drop": [
 "CAP_CHOWN",
 "CAP_KILL"
@@ -84,16 +69,22 @@
 {
 "mountPath": "/etc/resolv.conf",
 "mountType": "resolvconf",
- "name": "dns_resolve",
- "readonly": false
+ "name": "dns_resolve"
 }
 ]
 }
 }
 ],
- "fragments": [],
- "include_infrastructure_fragment": true,
- "infrastructure_fragment_min_svn": "99",
- "profile": "strict"
+ "fragments": [
+ {
+ "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment",
+ "includes": [
+ "containers",
+ "fragments"
+ ],
+ "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3",
+ "minimum_svn": "99"
+ }
+ ]
 }
 ]
diff --git a/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_minimal.json b/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_minimal.json
new file mode 100644
index 00000000000..dc5e2afdac6
--- /dev/null
+++ b/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_minimal.json
@@ -0,0 +1,20 @@
+[
+ {
+ "containers": [
+ {
+ "name": "container1",
+ "properties": {
+ "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2",
+ "securityContext": {
+ "capabilities": {
+ "drop": [
+ "CAP_CHOWN",
+ "CAP_KILL"
+ ]
+ }
+ }
+ }
+ }
+ ]
+ }
+]
diff --git a/src/confcom/samples/aci/security_context_run_as_group/policy_spec.json b/src/confcom/samples/aci/security_context_run_as_group/policy_spec.json
index 8efc045afe3..42d9e19695e 100644
--- a/src/confcom/samples/aci/security_context_run_as_group/policy_spec.json
+++ b/src/confcom/samples/aci/security_context_run_as_group/policy_spec.json
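Review bot: The new minimal sample in the `@@ -0,0 +1,20 @@` hunk carries neither a `fragments` entry nor `include_infrastructure_fragment`, so a reader cannot tell from it whether the infrastructure fragment that the sibling samples pin by `feed`, `issuer` and `minimum_svn` is included by default, nor which `profile` or `allowStdioAccess` value applies. The regenerated samples in this commit drop `"profile": "strict"`, `"allowStdioAccess": true` and `"readonly": false` while keeping the non-default `"profile": "debug"` and `"allowStdioAccess": false`, which presumably means an omitted key takes a default. For a policy format those defaults are security-relevant, so a short README note beside the samples listing the defaulted keys and their values would make the minimal sample self-describing; JSON has no comment syntax, so the note cannot live in the file itself.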
@@ -1,75 +1,61 @@
 [
 {
- "allow_stdio_access": true,
 "containers": [
 {
 "name": "container1",
 "properties": {
- "allowStdioAccess": true,
- "command": [],
 "environmentVariables": [
 {
 "name": "TERM",
- "required": false,
 "strategy": "string",
 "value": "xterm"
 },
 {
 "name": "(?i)(FABRIC)_.+",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "HOSTNAME",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "T(E)?MP",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "FabricPackageFileName",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "HostedServiceName",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "IDENTITY_API_VERSION",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "IDENTITY_HEADER",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "IDENTITY_SERVER_THUMBPRINT",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "azurecontainerinstance_restarted_by",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 }
 ],
- "execProcesses": [],
 "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2",
 "securityContext": {
 "runAsGroup": 4567
@@ -78,15 +64,22 @@
 {
 "mountPath": "/etc/resolv.conf",
 "mountType": "resolvconf",
- "name": "dns_resolve",
- "readonly": false
+ "name": "dns_resolve"
 }
 ]
 }
 }
 ],
- "fragments": [],
- "include_infrastructure_fragment": true,
- "profile": "strict"
+ "fragments": [
+ {
+ "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment",
+ "includes": [
+ "containers",
+ "fragments"
+ ],
+ "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3",
+ "minimum_svn": "1"
+ }
+ ]
 }
 ]
diff --git a/src/confcom/samples/aci/security_context_run_as_group/policy_spec_debug.json b/src/confcom/samples/aci/security_context_run_as_group/policy_spec_debug.json
index 70b36dedc97..24a176fec70 100644
--- a/src/confcom/samples/aci/security_context_run_as_group/policy_spec_debug.json
+++ b/src/confcom/samples/aci/security_context_run_as_group/policy_spec_debug.json
@@ -1,88 +1,71 @@
 [
 {
- "allow_stdio_access": true,
 "containers": [
 {
 "name": "container1",
 "properties": {
- "allowStdioAccess": true,
- "command": [],
 "environmentVariables": [
 {
 "name": "TERM",
- "required": false,
 "strategy": "string",
 "value": "xterm"
 },
 {
 "name": "(?i)(FABRIC)_.+",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "HOSTNAME",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "T(E)?MP",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "FabricPackageFileName",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "HostedServiceName",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "IDENTITY_API_VERSION",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "IDENTITY_HEADER",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "IDENTITY_SERVER_THUMBPRINT",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "azurecontainerinstance_restarted_by",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 }
 ],
 "execProcesses": [
 {
- "allow_stdio_access": true,
 "command": [
 "/bin/sh"
- ],
- "signals": []
+ ]
 },
 {
- "allow_stdio_access": true,
 "command": [
 "/bin/bash"
- ],
- "signals": []
+ ]
 }
 ],
 "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2",
@@ -93,15 +76,23 @@
 {
 "mountPath": "/etc/resolv.conf",
 "mountType": "resolvconf",
- "name": "dns_resolve",
- "readonly": false
+ "name": "dns_resolve"
 }
 ]
 }
 }
 ],
- "fragments": [],
- "include_infrastructure_fragment": true,
+ "fragments": [
+ {
+ "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment",
+ "includes": [
+ "containers",
+ "fragments"
+ ],
+ "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3",
+ "minimum_svn": "1"
+ }
+ ],
 "profile": "debug"
 }
 ]
diff --git a/src/confcom/samples/aci/security_context_run_as_group/policy_spec_disable_stdio.json b/src/confcom/samples/aci/security_context_run_as_group/policy_spec_disable_stdio.json
index f3ee246e940..9ee6238af78 100644
--- a/src/confcom/samples/aci/security_context_run_as_group/policy_spec_disable_stdio.json
+++ b/src/confcom/samples/aci/security_context_run_as_group/policy_spec_disable_stdio.json
@@ -6,70 +6,58 @@
 "name": "container1",
 "properties": {
 "allowStdioAccess": false,
- "command": [],
 "environmentVariables": [
 {
 "name": "TERM",
- "required": false,
 "strategy": "string",
 "value": "xterm"
 },
 {
 "name": "(?i)(FABRIC)_.+",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "HOSTNAME",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "T(E)?MP",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "FabricPackageFileName",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "HostedServiceName",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "IDENTITY_API_VERSION",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "IDENTITY_HEADER",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "IDENTITY_SERVER_THUMBPRINT",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "azurecontainerinstance_restarted_by",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 }
 ],
- "execProcesses": [],
 "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2",
 "securityContext": {
 "runAsGroup": 4567
@@ -78,15 +66,22 @@
 {
 "mountPath": "/etc/resolv.conf",
 "mountType": "resolvconf",
- "name": "dns_resolve",
- "readonly": false
+ "name": "dns_resolve"
 }
 ]
 }
 }
 ],
- "fragments": [],
- "include_infrastructure_fragment": true,
- "profile": "strict"
+ "fragments": [
+ {
+ "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment",
+ "includes": [
+ "containers",
+ "fragments"
+ ],
+ "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3",
+ "minimum_svn": "1"
+ }
+ ]
 }
 ]
diff --git a/src/confcom/samples/aci/security_context_run_as_group/policy_spec_exclude_default_fragment.json b/src/confcom/samples/aci/security_context_run_as_group/policy_spec_exclude_default_fragment.json
index 5c8bb9628bb..78d19674d0e 100644
--- a/src/confcom/samples/aci/security_context_run_as_group/policy_spec_exclude_default_fragment.json
+++ b/src/confcom/samples/aci/security_context_run_as_group/policy_spec_exclude_default_fragment.json
@@ -1,75 +1,61 @@
 [
 {
- "allow_stdio_access": true,
 "containers": [
 {
 "name": "container1",
 "properties": {
- "allowStdioAccess": true,
- "command": [],
 "environmentVariables": [
 {
 "name": "TERM",
- "required": false,
 "strategy": "string",
 "value": "xterm"
 },
 {
 "name": "(?i)(FABRIC)_.+",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "HOSTNAME",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "T(E)?MP",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "FabricPackageFileName",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "HostedServiceName",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "IDENTITY_API_VERSION",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "IDENTITY_HEADER",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "IDENTITY_SERVER_THUMBPRINT",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "azurecontainerinstance_restarted_by",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 }
 ],
- "execProcesses": [],
 "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2",
 "securityContext": {
 "runAsGroup": 4567
@@ -78,15 +64,12 @@
 {
 "mountPath": "/etc/resolv.conf",
 "mountType": "resolvconf",
- "name": "dns_resolve",
- "readonly": false
+ "name": "dns_resolve"
 }
 ]
 }
 }
 ],
- "fragments": [],
- "include_infrastructure_fragment": false,
- "profile": "strict"
+ "include_infrastructure_fragment": false
 }
 ]
diff --git a/src/confcom/samples/aci/security_context_run_as_group/policy_spec_infrastructure_svn.json b/src/confcom/samples/aci/security_context_run_as_group/policy_spec_infrastructure_svn.json
index a0c793e10f3..2a63d137455 100644
--- a/src/confcom/samples/aci/security_context_run_as_group/policy_spec_infrastructure_svn.json
+++ b/src/confcom/samples/aci/security_context_run_as_group/policy_spec_infrastructure_svn.json
@@ -1,75 +1,61 @@
 [
 {
- "allow_stdio_access": true,
 "containers": [
 {
 "name": "container1",
 "properties": {
- "allowStdioAccess": true,
- "command": [],
 "environmentVariables": [
 {
 "name": "TERM",
- "required": false,
 "strategy": "string",
 "value": "xterm"
 },
 {
 "name": "(?i)(FABRIC)_.+",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "HOSTNAME",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "T(E)?MP",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "FabricPackageFileName",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "HostedServiceName",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "IDENTITY_API_VERSION",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "IDENTITY_HEADER",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "IDENTITY_SERVER_THUMBPRINT",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "azurecontainerinstance_restarted_by",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 }
 ],
- "execProcesses": [],
 "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2",
 "securityContext": {
 "runAsGroup": 4567
@@ -78,16 +64,22 @@
 {
 "mountPath": "/etc/resolv.conf",
 "mountType": "resolvconf",
- "name": "dns_resolve",
- "readonly": false
+ "name": "dns_resolve"
 }
 ]
 }
 }
 ],
- "fragments": [],
- "include_infrastructure_fragment": true,
- "infrastructure_fragment_min_svn": "99",
- "profile": "strict"
+ "fragments": [
+ {
+ "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment",
+ "includes": [
+ "containers",
+ "fragments"
+ ],
+ "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3",
+ "minimum_svn": "99"
+ }
+ ]
 }
 ]
diff --git a/src/confcom/samples/aci/security_context_run_as_group/policy_spec_minimal.json b/src/confcom/samples/aci/security_context_run_as_group/policy_spec_minimal.json
new file mode 100644
index 00000000000..943e9ef258a
--- /dev/null
+++ b/src/confcom/samples/aci/security_context_run_as_group/policy_spec_minimal.json
@@ -0,0 +1,15 @@
+[
+ {
+ "containers": [
+ {
+ "name": "container1",
+ "properties": {
+ "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2",
+ "securityContext": {
+ "runAsGroup": 4567
+ }
+ }
+ }
+ ]
+ }
+]
diff --git a/src/confcom/samples/aci/security_context_run_as_user/policy_spec.json b/src/confcom/samples/aci/security_context_run_as_user/policy_spec.json
index 1264ec2fca4..6dfc8ff6f29 100644
--- a/src/confcom/samples/aci/security_context_run_as_user/policy_spec.json
+++ b/src/confcom/samples/aci/security_context_run_as_user/policy_spec.json
@@ -1,75 +1,61 @@
 [
 {
- "allow_stdio_access": true,
 "containers": [
 {
 "name": "container1",
 "properties": {
- "allowStdioAccess": true,
- "command": [],
 "environmentVariables": [
 {
 "name": "TERM",
- "required": false,
 "strategy": "string",
 "value": "xterm"
 },
 {
 "name": "(?i)(FABRIC)_.+",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "HOSTNAME",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "T(E)?MP",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "FabricPackageFileName",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "HostedServiceName",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "IDENTITY_API_VERSION",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "IDENTITY_HEADER",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "IDENTITY_SERVER_THUMBPRINT",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "azurecontainerinstance_restarted_by",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 }
 ],
- "execProcesses": [],
 "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2",
 "securityContext": {
 "runAsUser": 1234
@@ -78,15 +64,22 @@
 {
 "mountPath": "/etc/resolv.conf",
 "mountType": "resolvconf",
- "name": "dns_resolve",
- "readonly": false
+ "name": "dns_resolve"
 }
 ]
 }
 }
 ],
- "fragments": [],
- "include_infrastructure_fragment": true,
- "profile": "strict"
+ "fragments": [
+ {
+ "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment",
+ "includes": [
+ "containers",
+ "fragments"
+ ],
+ "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3",
+ "minimum_svn": "1"
+ }
+ ]
 }
 ]
diff --git a/src/confcom/samples/aci/security_context_run_as_user/policy_spec_debug.json b/src/confcom/samples/aci/security_context_run_as_user/policy_spec_debug.json
index 598162a899a..3d502999116 100644
--- a/src/confcom/samples/aci/security_context_run_as_user/policy_spec_debug.json
+++ b/src/confcom/samples/aci/security_context_run_as_user/policy_spec_debug.json
@@ -1,88 +1,71 @@
 [
 {
- "allow_stdio_access": true,
 "containers": [
 {
 "name": "container1",
 "properties": {
- "allowStdioAccess": true,
- "command": [],
 "environmentVariables": [
 {
 "name": "TERM",
- "required": false,
 "strategy": "string",
 "value": "xterm"
 },
 {
 "name": "(?i)(FABRIC)_.+",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "HOSTNAME",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "T(E)?MP",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "FabricPackageFileName",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "HostedServiceName",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "IDENTITY_API_VERSION",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "IDENTITY_HEADER",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "IDENTITY_SERVER_THUMBPRINT",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "azurecontainerinstance_restarted_by",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 }
 ],
 "execProcesses": [
 {
- "allow_stdio_access": true,
 "command": [
 "/bin/sh"
- ],
- "signals": []
+ ]
 },
 {
- "allow_stdio_access": true,
 "command": [
 "/bin/bash"
- ],
- "signals": []
+ ]
 }
 ],
 "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2",
@@ -93,15 +76,23 @@
 {
 "mountPath": "/etc/resolv.conf",
 "mountType": "resolvconf",
- "name": "dns_resolve",
- "readonly": false
+ "name": "dns_resolve"
 }
 ]
 }
 }
 ],
- "fragments": [],
- "include_infrastructure_fragment": true,
+ "fragments": [
+ {
+ "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment",
+ "includes": [
+ "containers",
+ "fragments"
+ ],
+ "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3",
+ "minimum_svn": "1"
+ }
+ ],
 "profile": "debug"
 }
 ]
diff --git a/src/confcom/samples/aci/security_context_run_as_user/policy_spec_disable_stdio.json b/src/confcom/samples/aci/security_context_run_as_user/policy_spec_disable_stdio.json
index 9bb5ce4c3f5..591641ef419 100644
--- a/src/confcom/samples/aci/security_context_run_as_user/policy_spec_disable_stdio.json
+++ b/src/confcom/samples/aci/security_context_run_as_user/policy_spec_disable_stdio.json
@@ -6,70 +6,58 @@
 "name": "container1",
 "properties": {
 "allowStdioAccess": false,
- "command": [],
 "environmentVariables": [
 {
 "name": "TERM",
- "required": false,
 "strategy": "string",
 "value": "xterm"
 },
 {
 "name": "(?i)(FABRIC)_.+",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "HOSTNAME",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "T(E)?MP",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "FabricPackageFileName",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "HostedServiceName",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "IDENTITY_API_VERSION",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "IDENTITY_HEADER",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "IDENTITY_SERVER_THUMBPRINT",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "azurecontainerinstance_restarted_by",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 }
 ],
- "execProcesses": [],
 "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2",
 "securityContext": {
 "runAsUser": 1234
@@ -78,15 +66,22 @@
 {
 "mountPath": "/etc/resolv.conf",
 "mountType": "resolvconf",
- "name": "dns_resolve",
- "readonly": false
+ "name": "dns_resolve"
 }
 ]
 }
 }
 ],
- "fragments": [],
- "include_infrastructure_fragment": true,
- "profile": "strict"
+ "fragments": [
+ {
+ "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment",
+ "includes": [
+ "containers",
+ "fragments"
+ ],
+ "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3",
+ "minimum_svn": "1"
+ }
+ ]
 }
 ]
diff --git a/src/confcom/samples/aci/security_context_run_as_user/policy_spec_exclude_default_fragment.json b/src/confcom/samples/aci/security_context_run_as_user/policy_spec_exclude_default_fragment.json
index 552a2e2a124..20170066f79 100644
--- a/src/confcom/samples/aci/security_context_run_as_user/policy_spec_exclude_default_fragment.json
+++ b/src/confcom/samples/aci/security_context_run_as_user/policy_spec_exclude_default_fragment.json
@@ -1,75 +1,61 @@
 [
 {
- "allow_stdio_access": true,
 "containers": [
 {
 "name": "container1",
 "properties": {
- "allowStdioAccess": true,
- "command": [],
 "environmentVariables": [
 {
 "name": "TERM",
- "required": false,
 "strategy": "string",
 "value": "xterm"
 },
 {
 "name": "(?i)(FABRIC)_.+",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "HOSTNAME",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "T(E)?MP",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "FabricPackageFileName",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "HostedServiceName",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "IDENTITY_API_VERSION",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "IDENTITY_HEADER",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "IDENTITY_SERVER_THUMBPRINT",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "azurecontainerinstance_restarted_by",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 }
 ],
- "execProcesses": [],
 "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2",
 "securityContext": {
 "runAsUser": 1234
@@ -78,15 +64,12 @@
 {
 "mountPath": "/etc/resolv.conf",
 "mountType": "resolvconf",
- "name": "dns_resolve",
- "readonly": false
+ "name": "dns_resolve"
 }
 ]
 }
 }
 ],
- "fragments": [],
- "include_infrastructure_fragment": false,
- "profile": "strict"
+ "include_infrastructure_fragment": false
 }
 ]
diff --git a/src/confcom/samples/aci/security_context_run_as_user/policy_spec_infrastructure_svn.json b/src/confcom/samples/aci/security_context_run_as_user/policy_spec_infrastructure_svn.json
index 989c3450d40..e76c884cfad 100644
--- a/src/confcom/samples/aci/security_context_run_as_user/policy_spec_infrastructure_svn.json
+++ b/src/confcom/samples/aci/security_context_run_as_user/policy_spec_infrastructure_svn.json
@@ -1,75 +1,61 @@
 [
 {
- "allow_stdio_access": true,
 "containers": [
 {
 "name": "container1",
 "properties": {
- "allowStdioAccess": true,
- "command": [],
 "environmentVariables": [
 {
 "name": "TERM",
- "required": false,
 "strategy": "string",
 "value": "xterm"
 },
 {
 "name": "(?i)(FABRIC)_.+",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "HOSTNAME",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "T(E)?MP",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "FabricPackageFileName",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "HostedServiceName",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "IDENTITY_API_VERSION",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "IDENTITY_HEADER",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "IDENTITY_SERVER_THUMBPRINT",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "azurecontainerinstance_restarted_by",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 }
 ],
- "execProcesses": [],
 "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2",
 "securityContext": {
 "runAsUser": 1234
@@ -78,16 +64,22 @@
 {
 "mountPath": "/etc/resolv.conf",
 "mountType": "resolvconf",
- "name": "dns_resolve",
- "readonly": false
+ "name": "dns_resolve"
 }
 ]
 }
 }
 ],
- "fragments": [],
- "include_infrastructure_fragment": true,
- "infrastructure_fragment_min_svn": "99",
- "profile": "strict"
+ "fragments": [
+ {
+ "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment",
+ "includes": [
+ "containers",
+ "fragments"
+ ],
+ "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3",
+ "minimum_svn": "99"
+ }
+ ]
 }
 ]
diff --git a/src/confcom/samples/aci/security_context_run_as_user/policy_spec_minimal.json b/src/confcom/samples/aci/security_context_run_as_user/policy_spec_minimal.json
new file mode 100644
index 00000000000..9e7af93fa50
--- /dev/null
+++ b/src/confcom/samples/aci/security_context_run_as_user/policy_spec_minimal.json
@@ -0,0 +1,15 @@
+[
+ {
+ "containers": [
+ {
+ "name": "container1",
+ "properties": {
+ "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2",
+ "securityContext": {
+ "runAsUser": 1234
+ }
+ }
+ }
+ ]
+ }
+]
diff --git a/src/confcom/samples/aci/variables/policy_spec.json b/src/confcom/samples/aci/variables/policy_spec.json
index e859e163f86..b576e7a43b2 100644
--- a/src/confcom/samples/aci/variables/policy_spec.json
+++ b/src/confcom/samples/aci/variables/policy_spec.json
@@ -1,89 +1,82 @@
 [
 {
- "allow_stdio_access": true,
 "containers": [
 {
 "name": "container1",
 "properties": {
- "allowStdioAccess": true,
- "command": [],
 "environmentVariables": [
 {
 "name": "TERM",
- "required": false,
 "strategy": "string",
 "value": "xterm"
 },
 {
 "name": "(?i)(FABRIC)_.+",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "HOSTNAME",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "T(E)?MP",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "FabricPackageFileName",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "HostedServiceName",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "IDENTITY_API_VERSION",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "IDENTITY_HEADER",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "IDENTITY_SERVER_THUMBPRINT",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "azurecontainerinstance_restarted_by",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 }
 ],
- "execProcesses": [],
 "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2",
 "volumeMounts": [
 {
 "mountPath": "/etc/resolv.conf",
 "mountType": "resolvconf",
- "name": "dns_resolve",
- "readonly": false
+ "name": "dns_resolve"
 }
 ]
 }
 }
 ],
- "fragments": [],
- "include_infrastructure_fragment": true,
- "profile": "strict"
+ "fragments": [
+ {
+ "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment",
+ "includes": [
+ "containers",
+ "fragments"
+ ],
+ "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3",
+ "minimum_svn": "1"
+ }
+ ]
 }
 ]
diff --git a/src/confcom/samples/aci/variables/policy_spec_debug.json b/src/confcom/samples/aci/variables/policy_spec_debug.json
index 49c843c2028..708187e9b14 100644
--- a/src/confcom/samples/aci/variables/policy_spec_debug.json
+++ b/src/confcom/samples/aci/variables/policy_spec_debug.json
@@ -1,88 +1,71 @@
 [
 {
- "allow_stdio_access": true,
 "containers": [
 {
 "name": "container1",
 "properties": {
- "allowStdioAccess": true,
- "command": [],
 "environmentVariables": [
 {
 "name": "TERM",
- "required": false,
 "strategy": "string",
 "value": "xterm"
 },
 {
 "name": "(?i)(FABRIC)_.+",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "HOSTNAME",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "T(E)?MP",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "FabricPackageFileName",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "HostedServiceName",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "IDENTITY_API_VERSION",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "IDENTITY_HEADER",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "IDENTITY_SERVER_THUMBPRINT",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 },
 {
 "name": "azurecontainerinstance_restarted_by",
- "required": false,
 "strategy": "re2",
 "value": ".+"
 }
 ],
 "execProcesses": [
 {
- "allow_stdio_access": true,
 "command": [
 "/bin/sh"
- ],
- "signals": []
+ ]
 },
 {
- "allow_stdio_access": true,
 "command": [
 "/bin/bash"
- ],
- "signals": []
+ ]
 }
 ],
 "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2",
@@ -90,15 +73,23 @@
 {
 "mountPath": "/etc/resolv.conf",
 "mountType": "resolvconf",
- "name": "dns_resolve",
- "readonly": false
+ "name": "dns_resolve"
 }
 ]
 }
 }
 ],
- "fragments": [],
- "include_infrastructure_fragment": true,
+ "fragments": [
+ {
+ "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment",
+ "includes": [
+ "containers",
+ "fragments"
+ ],
+ "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3",
+ "minimum_svn": "1"
+ }
+ ],
 "profile": "debug"
 }
 ]
diff --git a/src/confcom/samples/aci/variables/policy_spec_disable_stdio.json b/src/confcom/samples/aci/variables/policy_spec_disable_stdio.json
index 8aeef6ad9c2..382c4c29524 100644
--- a/src/confcom/samples/aci/variables/policy_spec_disable_stdio.json
+++ b/src/confcom/samples/aci/variables/policy_spec_disable_stdio.json
@@ -6,84 +6,79 @@ "name": "container1", "properties": { "allowStdioAccess": false, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, - "profile": "strict" + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] } ] diff --git a/src/confcom/samples/aci/variables/policy_spec_exclude_default_fragment.json b/src/confcom/samples/aci/variables/policy_spec_exclude_default_fragment.json index e1b9f9e5eff..915cf0c11e8 100644 --- a/src/confcom/samples/aci/variables/policy_spec_exclude_default_fragment.json 
+++ b/src/confcom/samples/aci/variables/policy_spec_exclude_default_fragment.json @@ -1,89 +1,72 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": false, - "profile": "strict" + "include_infrastructure_fragment": false } ] diff --git a/src/confcom/samples/aci/variables/policy_spec_infrastructure_svn.json b/src/confcom/samples/aci/variables/policy_spec_infrastructure_svn.json index 0a6457199d1..2ee88ee01f5 100644 --- a/src/confcom/samples/aci/variables/policy_spec_infrastructure_svn.json +++ b/src/confcom/samples/aci/variables/policy_spec_infrastructure_svn.json 
@@ -1,90 +1,82 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, - "infrastructure_fragment_min_svn": "99", - "profile": "strict" + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "99" + } + ] } ] diff --git a/src/confcom/samples/aci/variables/policy_spec_minimal.json b/src/confcom/samples/aci/variables/policy_spec_minimal.json new file mode 100644 index 00000000000..b33f471ee00 --- /dev/null 
+++ b/src/confcom/samples/aci/variables/policy_spec_minimal.json @@ -0,0 +1,12 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2" + } + } + ] + } +] diff --git a/src/confcom/samples/aci/volume_mount_secret/policy_spec.json b/src/confcom/samples/aci/volume_mount_secret/policy_spec.json index 75c6a645753..09a84cd5560 100644 --- a/src/confcom/samples/aci/volume_mount_secret/policy_spec.json +++ b/src/confcom/samples/aci/volume_mount_secret/policy_spec.json @@ -1,75 +1,61 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { 
@@ -80,15 +66,22 @@ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, - "profile": "strict" + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] } ] diff --git a/src/confcom/samples/aci/volume_mount_secret/policy_spec_debug.json b/src/confcom/samples/aci/volume_mount_secret/policy_spec_debug.json index d61d4c21a2b..8ee1ba9710a 100644 --- a/src/confcom/samples/aci/volume_mount_secret/policy_spec_debug.json +++ b/src/confcom/samples/aci/volume_mount_secret/policy_spec_debug.json 
@@ -1,88 +1,71 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], "execProcesses": [ { - "allow_stdio_access": true, "command": [ "/bin/sh" - ], - "signals": [] + ] }, { - "allow_stdio_access": true, "command": [ "/bin/bash" - ], - "signals": [] + ] } ], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", @@ -95,15 +78,23 @@ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ], "profile": "debug" } ] 
diff --git a/src/confcom/samples/aci/volume_mount_secret/policy_spec_disable_stdio.json b/src/confcom/samples/aci/volume_mount_secret/policy_spec_disable_stdio.json index 5983347d2ba..67f0260435e 100644 --- a/src/confcom/samples/aci/volume_mount_secret/policy_spec_disable_stdio.json +++ b/src/confcom/samples/aci/volume_mount_secret/policy_spec_disable_stdio.json @@ -6,70 +6,58 @@ "name": "container1", "properties": { "allowStdioAccess": false, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { 
@@ -80,15 +68,22 @@ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, - "profile": "strict" + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] } ] diff --git a/src/confcom/samples/aci/volume_mount_secret/policy_spec_exclude_default_fragment.json b/src/confcom/samples/aci/volume_mount_secret/policy_spec_exclude_default_fragment.json index 99a270ced0f..024d1288f31 100644 --- a/src/confcom/samples/aci/volume_mount_secret/policy_spec_exclude_default_fragment.json +++ b/src/confcom/samples/aci/volume_mount_secret/policy_spec_exclude_default_fragment.json 
@@ -1,75 +1,61 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { @@ -80,15 +66,12 @@ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": false, - "profile": "strict" + "include_infrastructure_fragment": false } ] diff --git a/src/confcom/samples/aci/volume_mount_secret/policy_spec_infrastructure_svn.json b/src/confcom/samples/aci/volume_mount_secret/policy_spec_infrastructure_svn.json index 19c7fcd975f..7fef4df7f91 100644 --- a/src/confcom/samples/aci/volume_mount_secret/policy_spec_infrastructure_svn.json +++ b/src/confcom/samples/aci/volume_mount_secret/policy_spec_infrastructure_svn.json 
@@ -1,75 +1,61 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { @@ -80,16 +66,22 @@ { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, - "infrastructure_fragment_min_svn": "99", - "profile": "strict" + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "99" + } + ] } ] 
diff --git a/src/confcom/samples/aci/volume_mount_secret/policy_spec_minimal.json b/src/confcom/samples/aci/volume_mount_secret/policy_spec_minimal.json new file mode 100644 index 00000000000..ddcc2f72f95 --- /dev/null +++ b/src/confcom/samples/aci/volume_mount_secret/policy_spec_minimal.json @@ -0,0 +1,19 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/aci/secret", + "mountType": "secret", + "readonly": true + } + ] + } + } + ] + } +] diff --git a/src/confcom/samples/aci/volume_mounts/policy_spec.json b/src/confcom/samples/aci/volume_mounts/policy_spec.json index 7c5fab9a2da..bdb584e058a 100644 --- a/src/confcom/samples/aci/volume_mounts/policy_spec.json +++ b/src/confcom/samples/aci/volume_mounts/policy_spec.json 
@@ -1,94 +1,86 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { "mountPath": "/aci/logs", - "mountType": "azureFile", - "readonly": false + "mountType": "azureFile" }, { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, - "profile": "strict" + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] } ] 
diff --git a/src/confcom/samples/aci/volume_mounts/policy_spec_debug.json b/src/confcom/samples/aci/volume_mounts/policy_spec_debug.json index f4d3cf7179f..3f1d501ebe5 100644 --- a/src/confcom/samples/aci/volume_mounts/policy_spec_debug.json +++ b/src/confcom/samples/aci/volume_mounts/policy_spec_debug.json 
@@ -1,109 +1,99 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], "execProcesses": [ { - "allow_stdio_access": true, "command": [ "/bin/sh" - ], - "signals": [] + ] }, { - "allow_stdio_access": true, "command": [ "/bin/bash" - ], - "signals": [] + ] } ], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { "mountPath": "/aci/logs", - "mountType": "azureFile", - "readonly": false + "mountType": "azureFile" }, { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ], "profile": "debug" } 
] diff --git a/src/confcom/samples/aci/volume_mounts/policy_spec_disable_stdio.json b/src/confcom/samples/aci/volume_mounts/policy_spec_disable_stdio.json index ab7d82918bc..8d27c3bb498 100644 --- a/src/confcom/samples/aci/volume_mounts/policy_spec_disable_stdio.json +++ b/src/confcom/samples/aci/volume_mounts/policy_spec_disable_stdio.json 
@@ -6,89 +6,83 @@ "name": "container1", "properties": { "allowStdioAccess": false, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { "mountPath": "/aci/logs", - "mountType": "azureFile", - "readonly": false + "mountType": "azureFile" }, { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, - "profile": "strict" + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "1" + } + ] } ] diff --git a/src/confcom/samples/aci/volume_mounts/policy_spec_exclude_default_fragment.json b/src/confcom/samples/aci/volume_mounts/policy_spec_exclude_default_fragment.json index 4447b8e0835..bc8857be7ee 100644 
--- a/src/confcom/samples/aci/volume_mounts/policy_spec_exclude_default_fragment.json +++ b/src/confcom/samples/aci/volume_mounts/policy_spec_exclude_default_fragment.json @@ -1,94 +1,76 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { "mountPath": "/aci/logs", - "mountType": "azureFile", - "readonly": false + "mountType": "azureFile" }, { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": false, - "profile": "strict" + "include_infrastructure_fragment": false } ] diff --git a/src/confcom/samples/aci/volume_mounts/policy_spec_infrastructure_svn.json b/src/confcom/samples/aci/volume_mounts/policy_spec_infrastructure_svn.json index 090911e30cd..f70bd042c58 100644 
--- a/src/confcom/samples/aci/volume_mounts/policy_spec_infrastructure_svn.json +++ b/src/confcom/samples/aci/volume_mounts/policy_spec_infrastructure_svn.json 
@@ -1,95 +1,86 @@ [ { - "allow_stdio_access": true, "containers": [ { "name": "container1", "properties": { - "allowStdioAccess": true, - "command": [], "environmentVariables": [ { "name": "TERM", - "required": false, "strategy": "string", "value": "xterm" }, { "name": "(?i)(FABRIC)_.+", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HOSTNAME", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "T(E)?MP", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "FabricPackageFileName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "HostedServiceName", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_API_VERSION", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_HEADER", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "IDENTITY_SERVER_THUMBPRINT", - "required": false, "strategy": "re2", "value": ".+" }, { "name": "azurecontainerinstance_restarted_by", - "required": false, "strategy": "re2", "value": ".+" } ], - "execProcesses": [], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", "volumeMounts": [ { "mountPath": "/aci/logs", - "mountType": "azureFile", - "readonly": false + "mountType": "azureFile" }, { "mountPath": "/etc/resolv.conf", "mountType": "resolvconf", - "name": "dns_resolve", - "readonly": false + "name": "dns_resolve" } ] } } ], - "fragments": [], - "include_infrastructure_fragment": true, - "infrastructure_fragment_min_svn": "99", - "profile": "strict" + "fragments": [ + { + "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment", + "includes": [ + "containers", + "fragments" + ], + "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", + "minimum_svn": "99" + } + ] } ] 
diff --git a/src/confcom/samples/aci/volume_mounts/policy_spec_minimal.json b/src/confcom/samples/aci/volume_mounts/policy_spec_minimal.json new file mode 100644 index 00000000000..7fabfe42526 --- /dev/null +++ b/src/confcom/samples/aci/volume_mounts/policy_spec_minimal.json @@ -0,0 +1,18 @@ +[ + { + "containers": [ + { + "name": "container1", + "properties": { + "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2", + "volumeMounts": [ + { + "mountPath": "/aci/logs", + "mountType": "azureFile" + } + ] + } + } + ] + } +] From 5ba53a17222096d0bba5a55be1176a6bb8397b02 Mon Sep 17 00:00:00 2001 From: Dominic Ayre Date: Sat, 4 Oct 2025 18:07:03 +0000 Subject: [PATCH 09/16] Fix imports --- src/confcom/azext_confcom/command/parse_aci_arm.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/confcom/azext_confcom/command/parse_aci_arm.py b/src/confcom/azext_confcom/command/parse_aci_arm.py index 0fd5d5317b5..3e7fa745a1d 100644 --- a/src/confcom/azext_confcom/command/parse_aci_arm.py +++ b/src/confcom/azext_confcom/command/parse_aci_arm.py @@ -4,7 +4,7 @@ import sys from typing import Optional from azext_confcom import os_util -from azext_confcom.lib.aci_policy_spec import omit_defaults_dict_factory, omit_implicit_features +from azext_confcom.lib.aci_infrastructure import omit_implicit_features from azext_confcom.lib.arm_to_aci_policy_spec import arm_to_aci_policy_spec From b01f157a3b665995aeb89c03eaaee85e948e439a Mon Sep 17 00:00:00 2001 From: Dominic Ayre Date: Sat, 4 Oct 2025 18:12:30 +0000 Subject: [PATCH 10/16] Misc fixes --- src/confcom/azext_confcom/command/parse_aci_arm.py | 11 ++++------- src/confcom/azext_confcom/lib/aci_infrastructure.py | 2 +- src/confcom/azext_confcom/lib/aci_policy_spec.py | 6 ++++++ 3 files changed, 11 insertions(+), 8 deletions(-) 
diff --git a/src/confcom/azext_confcom/command/parse_aci_arm.py b/src/confcom/azext_confcom/command/parse_aci_arm.py index 3e7fa745a1d..029b89f25da 100644 --- a/src/confcom/azext_confcom/command/parse_aci_arm.py +++ b/src/confcom/azext_confcom/command/parse_aci_arm.py @@ -5,6 +5,7 @@ from typing import Optional from azext_confcom import os_util from azext_confcom.lib.aci_infrastructure import omit_implicit_features +from azext_confcom.lib.aci_policy_spec import POLICY_SPEC_CLASSES from azext_confcom.lib.arm_to_aci_policy_spec import arm_to_aci_policy_spec @@ -12,13 +13,7 @@ def omit_defaults_dict_factory(fields_dict) -> dict: result = {} - policy_spec_classes = [ - cls - for _, cls in inspect.getmembers(sys.modules[__name__], inspect.isclass) - if is_dataclass(cls) and cls.__module__ == sys.modules[__name__].__name__ - ] - - for potential_class in policy_spec_classes: + for potential_class in POLICY_SPEC_CLASSES: try: instance = potential_class(**dict(fields_dict)) for field in fields(instance): @@ -63,8 +58,10 @@ def parse_aci_arm( specs = [] for spec in aci_policy_specs: + print(f"{spec=}") if policy_format == "minimal": spec = omit_implicit_features(spec) + print(f"{spec=}") specs.append(asdict(spec, dict_factory=omit_defaults_dict_factory)) return specs \ No newline at end of file diff --git a/src/confcom/azext_confcom/lib/aci_infrastructure.py b/src/confcom/azext_confcom/lib/aci_infrastructure.py index 2b34819c74a..c2414f2a8db 100644 --- a/src/confcom/azext_confcom/lib/aci_infrastructure.py +++ b/src/confcom/azext_confcom/lib/aci_infrastructure.py @@ -1,7 +1,7 @@ -from dataclasses import is_dataclass, replace +from dataclasses import fields, is_dataclass, replace from azext_confcom import config from azext_confcom.lib.aci_policy_spec import AciContainerPropertyEnvVariable, AciContainerPropertyVolumeMounts, AciFragmentSpec 
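Review bot: `omit_defaults_dict_factory` now tries each entry of `POLICY_SPEC_CLASSES` in turn with `potential_class(**dict(fields_dict))`, and that list is produced by `inspect.getmembers`, so its order is alphabetical by class name rather than by how specific a class is. If two spec dataclasses accept the same keyword set (a class whose extra fields all have defaults also accepts a subset), the one that sorts first wins and the defaults stripped from the output are that class's, not the original's; the `except` branch and whether the loop stops at the first match are outside the hunk, so this is worth confirming rather than a certain defect. A comment stating the assumption would make the contract explicit, e.g. `# assumes each field-name set identifies exactly one spec dataclass; POLICY_SPEC_CLASSES is in inspect.getmembers (name) order`. The enclosing function continues past the hunk.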
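Review bot: The two `print(f"{spec=}")` lines added around the `omit_implicit_features` call in `parse_aci_arm` read as leftover debugging output rather than part of the fix. The function returns `specs` for the CLI to render, so anything written to stdout here is interleaved with the command's own output and breaks callers that pipe it, and the repr of `spec` dumps every field of the policy spec, including environment-variable values, on one unstructured line. Remove both lines, or send the trace through the extension's logger at debug level if it is still wanted. The body of `parse_aci_arm` starts outside the hunk.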
diff --git a/src/confcom/azext_confcom/lib/aci_policy_spec.py b/src/confcom/azext_confcom/lib/aci_policy_spec.py index 64a976af9f3..0bb1a3dee59 100644 --- a/src/confcom/azext_confcom/lib/aci_policy_spec.py +++ b/src/confcom/azext_confcom/lib/aci_policy_spec.py @@ -92,3 +92,9 @@ class AciPolicySpec: infrastructure_fragment_min_svn: Optional[str] = None allow_stdio_access: bool = True + +POLICY_SPEC_CLASSES = [ + cls + for _, cls in inspect.getmembers(sys.modules[__name__], inspect.isclass) + if is_dataclass(cls) and cls.__module__ == sys.modules[__name__].__name__ +] \ No newline at end of file From 10c4162aafa3babe8ee354fd711be82d4e0f2562 Mon Sep 17 00:00:00 2001 From: Dominic Ayre Date: Mon, 6 Oct 2025 12:16:22 +0000 Subject: [PATCH 11/16] Misc cleanup --- src/confcom/azext_confcom/command/parse_aci_arm.py | 4 +--- src/confcom/azext_confcom/lib/aci_policy_spec.py | 8 ++++---- 2 files changed, 5 insertions(+), 7 deletions(-) diff --git a/src/confcom/azext_confcom/command/parse_aci_arm.py b/src/confcom/azext_confcom/command/parse_aci_arm.py index 029b89f25da..b10ebaeb8a6 100644 --- a/src/confcom/azext_confcom/command/parse_aci_arm.py +++ b/src/confcom/azext_confcom/command/parse_aci_arm.py @@ -1,7 +1,5 @@ -from dataclasses import asdict, fields, is_dataclass -import inspect -import sys +from dataclasses import asdict, fields from typing import Optional from azext_confcom import os_util from azext_confcom.lib.aci_infrastructure import omit_implicit_features diff --git a/src/confcom/azext_confcom/lib/aci_policy_spec.py b/src/confcom/azext_confcom/lib/aci_policy_spec.py index 0bb1a3dee59..51d1c54b80a 100644 --- a/src/confcom/azext_confcom/lib/aci_policy_spec.py +++ b/src/confcom/azext_confcom/lib/aci_policy_spec.py 
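Review bot: `POLICY_SPEC_CLASSES` is added to `aci_policy_spec.py` without any comment saying what it is for or that its order comes from `inspect.getmembers` (sorted by name), which matters to the caller in `parse_aci_arm.py` that instantiates classes from it in sequence. A one-line comment above the definition would help, e.g. `# Every dataclass defined in this module, in name order; parse_aci_arm's dict_factory instantiates these to find a spec's defaults.`. As a module-level registry it would also be safer as a `tuple(...)` than a list so that nothing can append to it at runtime; I cannot tell from the hunk whether anything mutates it.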
@@ -3,12 +3,12 @@ # Licensed under the MIT License. See License.txt in the project root for license information. # -------------------------------------------------------------------------------------------- -from dataclasses import dataclass +from dataclasses import dataclass, is_dataclass +import inspect +import sys from typing import Optional from typing_extensions import Literal -from azext_confcom import config - AciProfile = Literal["strict", "debug"] @@ -97,4 +97,4 @@ class AciPolicySpec: cls for _, cls in inspect.getmembers(sys.modules[__name__], inspect.isclass) if is_dataclass(cls) and cls.__module__ == sys.modules[__name__].__name__ -] \ No newline at end of file +] From 597857fdec35dab9ba38fbc65cf39db46e597de7 Mon Sep 17 00:00:00 2001 
From: Dominic Ayre Date: Mon, 6 Oct 2025 13:21:33 +0000 Subject: [PATCH 12/16] Change base branch --- .../azext_confcom/command/parse_aci_arm.py | 2 - .../lib/arm_to_aci_policy_spec.py | 4 ++ src/confcom/azext_confcom/security_policy.py | 4 +- .../samples/aci/command/policy_spec.json | 2 +- .../aci/command/policy_spec_debug.json | 2 +- .../command/policy_spec_disable_stdio.json | 2 +- .../conflicting_variables/policy_spec.json | 2 +- .../policy_spec_debug.json | 2 +- .../policy_spec_disable_stdio.json | 2 +- .../container_group_profiles/policy_spec.json | 2 +- .../policy_spec_debug.json | 2 +- .../policy_spec_disable_stdio.json | 2 +- .../aci/default_variables/policy_spec.json | 2 +- .../default_variables/policy_spec_debug.json | 2 +- .../policy_spec_disable_stdio.json | 2 +- .../policy_spec.json | 2 +- .../policy_spec_debug.json | 2 +- .../policy_spec_disable_stdio.json | 2 +- .../environment_variables/arm_template.json | 2 +- .../aci/environment_variables/policy.rego | 2 +- .../environment_variables/policy_debug.rego | 2 +- .../policy_disable_stdio.rego | 2 +- .../policy_exclude_default_fragment.rego | 2 +- .../policy_infrastructure_svn.rego | 2 +- .../environment_variables/policy_spec.json | 2 +- .../policy_spec_debug.json | 2 +- .../policy_spec_disable_stdio.json | 2 +- .../samples/aci/minimal/policy_spec.json | 2 +- .../aci/minimal/policy_spec_debug.json | 2 +- .../minimal/policy_spec_disable_stdio.json | 2 +- .../multi_container_groups/policy_spec.json | 4 +- .../policy_spec_debug.json | 4 +- .../policy_spec_disable_stdio.json | 4 +- .../policy_spec_minimal.json | 52 +++++++++++++++++++ .../aci/multi_containers/policy_spec.json | 2 +- .../multi_containers/policy_spec_debug.json | 2 +- .../policy_spec_disable_stdio.json | 2 +- .../multi_containers/policy_spec_minimal.json | 52 +++++++++++++++++++ .../policy_spec.json | 2 +- .../policy_spec_debug.json | 2 +- .../policy_spec_disable_stdio.json | 2 +- .../policy_spec.json | 2 +- .../policy_spec_debug.json | 2 +- 
.../policy_spec_disable_stdio.json | 2 +- .../policy_spec.json | 2 +- .../policy_spec_debug.json | 2 +- .../policy_spec_disable_stdio.json | 2 +- .../policy_spec.json | 2 +- .../policy_spec_debug.json | 2 +- .../policy_spec_disable_stdio.json | 2 +- .../policy_spec.json | 2 +- .../policy_spec_debug.json | 2 +- .../policy_spec_disable_stdio.json | 2 +- .../samples/aci/variables/policy_spec.json | 2 +- .../aci/variables/policy_spec_debug.json | 2 +- .../variables/policy_spec_disable_stdio.json | 2 +- .../aci/volume_mount_secret/policy_spec.json | 2 +- .../policy_spec_debug.json | 2 +- .../policy_spec_disable_stdio.json | 2 +- .../aci/volume_mounts/policy_spec.json | 2 +- .../aci/volume_mounts/policy_spec_debug.json | 2 +- .../policy_spec_disable_stdio.json | 2 +- 62 files changed, 170 insertions(+), 64 deletions(-) diff --git a/src/confcom/azext_confcom/command/parse_aci_arm.py b/src/confcom/azext_confcom/command/parse_aci_arm.py index b10ebaeb8a6..ba9ec1dde5f 100644 --- a/src/confcom/azext_confcom/command/parse_aci_arm.py +++ b/src/confcom/azext_confcom/command/parse_aci_arm.py @@ -56,10 +56,8 @@ def parse_aci_arm( specs = [] for spec in aci_policy_specs: - print(f"{spec=}") if policy_format == "minimal": spec = omit_implicit_features(spec) - print(f"{spec=}") specs.append(asdict(spec, dict_factory=omit_defaults_dict_factory)) return specs \ No newline at end of file diff --git a/src/confcom/azext_confcom/lib/arm_to_aci_policy_spec.py b/src/confcom/azext_confcom/lib/arm_to_aci_policy_spec.py index 7e60fced5e7..feb547b60a3 100644 --- a/src/confcom/azext_confcom/lib/arm_to_aci_policy_spec.py +++ b/src/confcom/azext_confcom/lib/arm_to_aci_policy_spec.py 
@@ -81,6 +81,10 @@ def arm_container_env_to_aci_policy_spec_env( for env_var in [ *process_env_vars_from_template(parameters, {}, container_properties, approve_wildcards), + *config.OPENGCS_ENV_RULES, + *config.FABRIC_ENV_RULES, + *config.MANAGED_IDENTITY_ENV_RULES, + *config.ENABLE_RESTART_ENV_RULE, ]: yield AciContainerPropertyEnvVariable( # At time of writing, we only get env vars from process_env_vars_from_template diff --git a/src/confcom/azext_confcom/security_policy.py b/src/confcom/azext_confcom/security_policy.py index ccb2c1707d9..49643236c44 100644 --- a/src/confcom/azext_confcom/security_policy.py +++ b/src/confcom/azext_confcom/security_policy.py @@ -497,12 +497,12 @@ def populate_policy_content_for_all_images( for env_var in image.get_environment_rules() ] - for env in envs: + for idx, env in enumerate(envs): name, value = env.split("=", 1) # when user set environment variables conflict with the ones read from image, always # keep user set environment variables if name not in env_names: - image.get_environment_rules().append( + image.get_environment_rules().insert(idx, { config.POLICY_FIELD_CONTAINERS_ELEMENTS_ENVS_RULE: f"{name}={value}", config.POLICY_FIELD_CONTAINERS_ELEMENTS_ENVS_STRATEGY: "string", diff --git a/src/confcom/samples/aci/command/policy_spec.json b/src/confcom/samples/aci/command/policy_spec.json index 8c0b7ae6aa5..1e0f6294baa 100644 --- a/src/confcom/samples/aci/command/policy_spec.json +++ b/src/confcom/samples/aci/command/policy_spec.json @@ -80,7 +80,7 @@ "fragments" ], "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" + "minimum_svn": "4" } ] } diff --git a/src/confcom/samples/aci/command/policy_spec_debug.json b/src/confcom/samples/aci/command/policy_spec_debug.json index d4f6028eb5c..eca5b5a876f 100644 --- a/src/confcom/samples/aci/command/policy_spec_debug.json +++ b/src/confcom/samples/aci/command/policy_spec_debug.json 
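Review bot: The comment on the line after the four added `config.*_ENV_RULES` entries, `# At time of writing, we only get env vars from process_env_vars_from_template`, is now false: the same loop yields an `AciContainerPropertyEnvVariable` for each default rule from config as well, so whatever assumption that comment justifies (its continuation is outside the hunk) needs re-checking for entries that did not come from the template. Replace it with something like `# Template env vars first, then the default rule sets from config; both must have the shape the conversion below expects.`, and if config rules and template rules differ in shape, the conversion has to handle both. I cannot see whether `config` is imported in this module, and `arm_container_env_to_aci_policy_spec_env` continues outside the hunk.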
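Review bot: `image.get_environment_rules().insert(idx, ...)` uses `idx`, a position in `envs`, as a position in a different list — `get_environment_rules()` already holds the image's own rules, which is where `env_names` is built from just above — and `idx` keeps advancing past entries skipped by `if name not in env_names`, so user variables that follow a skipped one land further down than intended and the resulting order depends on how many conflicts precede them. If the goal is to place user-set variables ahead of the image's rules in their original order, track the insert position separately: `insert_at = 0` before the loop, `image.get_environment_rules().insert(insert_at, {` at the insert, and `insert_at += 1` after it. The inserted dict and the loop body continue outside the hunk, so I cannot see whether anything else relies on `idx`.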
@@ -92,7 +92,7 @@ "fragments" ], "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" + "minimum_svn": "4" } ], "profile": "debug" diff --git a/src/confcom/samples/aci/command/policy_spec_disable_stdio.json b/src/confcom/samples/aci/command/policy_spec_disable_stdio.json index 02d0dcff751..ce4ebf65d3f 100644 --- a/src/confcom/samples/aci/command/policy_spec_disable_stdio.json +++ b/src/confcom/samples/aci/command/policy_spec_disable_stdio.json @@ -82,7 +82,7 @@ "fragments" ], "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" + "minimum_svn": "4" } ] } diff --git a/src/confcom/samples/aci/conflicting_variables/policy_spec.json b/src/confcom/samples/aci/conflicting_variables/policy_spec.json index 372caaa5101..e51f68f5784 100644 --- a/src/confcom/samples/aci/conflicting_variables/policy_spec.json +++ b/src/confcom/samples/aci/conflicting_variables/policy_spec.json @@ -75,7 +75,7 @@ "fragments" ], "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" + "minimum_svn": "4" } ] } diff --git a/src/confcom/samples/aci/conflicting_variables/policy_spec_debug.json b/src/confcom/samples/aci/conflicting_variables/policy_spec_debug.json index bcc26108ddf..cc607874799 100644 --- a/src/confcom/samples/aci/conflicting_variables/policy_spec_debug.json +++ b/src/confcom/samples/aci/conflicting_variables/policy_spec_debug.json @@ -87,7 +87,7 @@ "fragments" ], "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" + "minimum_svn": "4" } ], "profile": "debug" diff --git a/src/confcom/samples/aci/conflicting_variables/policy_spec_disable_stdio.json b/src/confcom/samples/aci/conflicting_variables/policy_spec_disable_stdio.json index 112d3ab7e2c..c7a5573a01f 100644 
--- a/src/confcom/samples/aci/conflicting_variables/policy_spec_disable_stdio.json +++ b/src/confcom/samples/aci/conflicting_variables/policy_spec_disable_stdio.json @@ -77,7 +77,7 @@ "fragments" ], "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" + "minimum_svn": "4" } ] } diff --git a/src/confcom/samples/aci/container_group_profiles/policy_spec.json b/src/confcom/samples/aci/container_group_profiles/policy_spec.json index b576e7a43b2..55193e921aa 100644 --- a/src/confcom/samples/aci/container_group_profiles/policy_spec.json +++ b/src/confcom/samples/aci/container_group_profiles/policy_spec.json @@ -75,7 +75,7 @@ "fragments" ], "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" + "minimum_svn": "4" } ] } diff --git a/src/confcom/samples/aci/container_group_profiles/policy_spec_debug.json b/src/confcom/samples/aci/container_group_profiles/policy_spec_debug.json index 708187e9b14..cb0dc3d9d8d 100644 --- a/src/confcom/samples/aci/container_group_profiles/policy_spec_debug.json +++ b/src/confcom/samples/aci/container_group_profiles/policy_spec_debug.json @@ -87,7 +87,7 @@ "fragments" ], "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" + "minimum_svn": "4" } ], "profile": "debug" diff --git a/src/confcom/samples/aci/container_group_profiles/policy_spec_disable_stdio.json b/src/confcom/samples/aci/container_group_profiles/policy_spec_disable_stdio.json index 382c4c29524..499435d5cac 100644 --- a/src/confcom/samples/aci/container_group_profiles/policy_spec_disable_stdio.json +++ b/src/confcom/samples/aci/container_group_profiles/policy_spec_disable_stdio.json @@ -77,7 +77,7 @@ "fragments" ], "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" + "minimum_svn": "4" } ] } 
diff --git a/src/confcom/samples/aci/default_variables/policy_spec.json b/src/confcom/samples/aci/default_variables/policy_spec.json index b576e7a43b2..55193e921aa 100644 --- a/src/confcom/samples/aci/default_variables/policy_spec.json +++ b/src/confcom/samples/aci/default_variables/policy_spec.json @@ -75,7 +75,7 @@ "fragments" ], "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" + "minimum_svn": "4" } ] } diff --git a/src/confcom/samples/aci/default_variables/policy_spec_debug.json b/src/confcom/samples/aci/default_variables/policy_spec_debug.json index 708187e9b14..cb0dc3d9d8d 100644 --- a/src/confcom/samples/aci/default_variables/policy_spec_debug.json +++ b/src/confcom/samples/aci/default_variables/policy_spec_debug.json @@ -87,7 +87,7 @@ "fragments" ], "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" + "minimum_svn": "4" } ], "profile": "debug" diff --git a/src/confcom/samples/aci/default_variables/policy_spec_disable_stdio.json b/src/confcom/samples/aci/default_variables/policy_spec_disable_stdio.json index 382c4c29524..499435d5cac 100644 --- a/src/confcom/samples/aci/default_variables/policy_spec_disable_stdio.json +++ b/src/confcom/samples/aci/default_variables/policy_spec_disable_stdio.json @@ -77,7 +77,7 @@ "fragments" ], "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" + "minimum_svn": "4" } ] } diff --git a/src/confcom/samples/aci/default_variables_override/policy_spec.json b/src/confcom/samples/aci/default_variables_override/policy_spec.json index 372caaa5101..e51f68f5784 100644 --- a/src/confcom/samples/aci/default_variables_override/policy_spec.json +++ b/src/confcom/samples/aci/default_variables_override/policy_spec.json 
@@ -75,7 +75,7 @@ "fragments" ], "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" + "minimum_svn": "4" } ] } diff --git a/src/confcom/samples/aci/default_variables_override/policy_spec_debug.json b/src/confcom/samples/aci/default_variables_override/policy_spec_debug.json index bcc26108ddf..cc607874799 100644 --- a/src/confcom/samples/aci/default_variables_override/policy_spec_debug.json +++ b/src/confcom/samples/aci/default_variables_override/policy_spec_debug.json @@ -87,7 +87,7 @@ "fragments" ], "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" + "minimum_svn": "4" } ], "profile": "debug" diff --git a/src/confcom/samples/aci/default_variables_override/policy_spec_disable_stdio.json b/src/confcom/samples/aci/default_variables_override/policy_spec_disable_stdio.json index 112d3ab7e2c..c7a5573a01f 100644 --- a/src/confcom/samples/aci/default_variables_override/policy_spec_disable_stdio.json +++ b/src/confcom/samples/aci/default_variables_override/policy_spec_disable_stdio.json @@ -77,7 +77,7 @@ "fragments" ], "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" + "minimum_svn": "4" } ] } diff --git a/src/confcom/samples/aci/environment_variables/arm_template.json b/src/confcom/samples/aci/environment_variables/arm_template.json index 6a84bf44335..82f93c55b5a 100644 --- a/src/confcom/samples/aci/environment_variables/arm_template.json +++ b/src/confcom/samples/aci/environment_variables/arm_template.json 
@@ -11,7 +11,7 @@ "osType": "Linux", "restartPolicy": "OnFailure", "confidentialComputeProperties": { - "ccePolicy": "" + "ccePolicy": "cGFja2FnZSBwb2xpY3kKCmltcG9ydCBmdXR1cmUua2V5d29yZHMuZXZlcnkKaW1wb3J0IGZ1dHVyZS5rZXl3b3Jkcy5pbgoKYXBpX3ZlcnNpb24gOj0gIjAuMTAuMCIKZnJhbWV3b3JrX3ZlcnNpb24gOj0gIjAuMi4zIgoKZnJhZ21lbnRzIDo9IFsKICB7CiAgICAiZmVlZCI6ICJtY3IubWljcm9zb2Z0LmNvbS9hY2kvYWNpLWNjLWluZnJhLWZyYWdtZW50IiwKICAgICJpbmNsdWRlcyI6IFsKICAgICAgImNvbnRhaW5lcnMiLAogICAgICAiZnJhZ21lbnRzIgogICAgXSwKICAgICJpc3N1ZXIiOiAiZGlkOng1MDk6MDpzaGEyNTY6SV9faXVMMjVvWEVWRmRUUF9hQkx4X2VUMVJQSGJDUV9FQ0JRZllacHQ5czo6ZWt1OjEuMy42LjEuNC4xLjMxMS43Ni41OS4xLjMiLAogICAgIm1pbmltdW1fc3ZuIjogIjQiCiAgfQpdCgpjb250YWluZXJzIDo9IFt7ImFsbG93X2VsZXZhdGVkIjpmYWxzZSwiYWxsb3dfc3RkaW9fYWNjZXNzIjp0cnVlLCJjYXBhYmlsaXRpZXMiOnsiYW1iaWVudCI6W10sImJvdW5kaW5nIjpbIkNBUF9BVURJVF9XUklURSIsIkNBUF9DSE9XTiIsIkNBUF9EQUNfT1ZFUlJJREUiLCJDQVBfRk9XTkVSIiwiQ0FQX0ZTRVRJRCIsIkNBUF9LSUxMIiwiQ0FQX01LTk9EIiwiQ0FQX05FVF9CSU5EX1NFUlZJQ0UiLCJDQVBfTkVUX1JBVyIsIkNBUF9TRVRGQ0FQIiwiQ0FQX1NFVEdJRCIsIkNBUF9TRVRQQ0FQIiwiQ0FQX1NFVFVJRCIsIkNBUF9TWVNfQ0hST09UIl0sImVmZmVjdGl2ZSI6WyJDQVBfQVVESVRfV1JJVEUiLCJDQVBfQ0hPV04iLCJDQVBfREFDX09WRVJSSURFIiwiQ0FQX0ZPV05FUiIsIkNBUF9GU0VUSUQiLCJDQVBfS0lMTCIsIkNBUF9NS05PRCIsIkNBUF9ORVRfQklORF9TRVJWSUNFIiwiQ0FQX05FVF9SQVciLCJDQVBfU0VURkNBUCIsIkNBUF9TRVRHSUQiLCJDQVBfU0VUUENBUCIsIkNBUF9TRVRVSUQiLCJDQVBfU1lTX0NIUk9PVCJdLCJpbmhlcml0YWJsZSI6W10sInBlcm1pdHRlZCI6WyJDQVBfQVVESVRfV1JJVEUiLCJDQVBfQ0hPV04iLCJDQVBfREFDX09WRVJSSURFIiwiQ0FQX0ZPV05FUiIsIkNBUF9GU0VUSUQiLCJDQVBfS0lMTCIsIkNBUF9NS05PRCIsIkNBUF9ORVRfQklORF9TRVJWSUNFIiwiQ0FQX05FVF9SQVciLCJDQVBfU0VURkNBUCIsIkNBUF9TRVRHSUQiLCJDQVBfU0VUUENBUCIsIkNBUF9TRVRVSUQiLCJDQVBfU1lTX0NIUk9PVCJdfSwiY29tbWFuZCI6bnVsbCwiZW52X3J1bGVzIjpbeyJwYXR0ZXJuIjoiTVlfVkFSPU1ZX1ZBTCIsInJlcXVpcmVkIjpmYWxzZSwic3RyYXRlZ3kiOiJzdHJpbmcifSx7InBhdHRlcm4iOiJURVJNPXh0ZXJtIiwicmVxdWlyZWQiOmZhbHNlLCJzdHJhdGVneSI6InN0cmluZyJ9LHsicGF0dGVybiI6Iig/aSkoRkFCUklDKV8uKz0uKyIsInJlcXVpcmVkIjpmYWxzZSwic3RyYXRlZ3kiOiJyZTIi
fSx7InBhdHRlcm4iOiJIT1NUTkFNRT0uKyIsInJlcXVpcmVkIjpmYWxzZSwic3RyYXRlZ3kiOiJyZTIifSx7InBhdHRlcm4iOiJUKEUpP01QPS4rIiwicmVxdWlyZWQiOmZhbHNlLCJzdHJhdGVneSI6InJlMiJ9LHsicGF0dGVybiI6IkZhYnJpY1BhY2thZ2VGaWxlTmFtZT0uKyIsInJlcXVpcmVkIjpmYWxzZSwic3RyYXRlZ3kiOiJyZTIifSx7InBhdHRlcm4iOiJIb3N0ZWRTZXJ2aWNlTmFtZT0uKyIsInJlcXVpcmVkIjpmYWxzZSwic3RyYXRlZ3kiOiJyZTIifSx7InBhdHRlcm4iOiJJREVOVElUWV9BUElfVkVSU0lPTj0uKyIsInJlcXVpcmVkIjpmYWxzZSwic3RyYXRlZ3kiOiJyZTIifSx7InBhdHRlcm4iOiJJREVOVElUWV9IRUFERVI9LisiLCJyZXF1aXJlZCI6ZmFsc2UsInN0cmF0ZWd5IjoicmUyIn0seyJwYXR0ZXJuIjoiSURFTlRJVFlfU0VSVkVSX1RIVU1CUFJJTlQ9LisiLCJyZXF1aXJlZCI6ZmFsc2UsInN0cmF0ZWd5IjoicmUyIn0seyJwYXR0ZXJuIjoiYXp1cmVjb250YWluZXJpbnN0YW5jZV9yZXN0YXJ0ZWRfYnk9LisiLCJyZXF1aXJlZCI6ZmFsc2UsInN0cmF0ZWd5IjoicmUyIn0seyJwYXR0ZXJuIjoiUEFUSD0vdXNyL2xvY2FsL3NiaW46L3Vzci9sb2NhbC9iaW46L3Vzci9zYmluOi91c3IvYmluOi9zYmluOi9iaW4iLCJyZXF1aXJlZCI6ZmFsc2UsInN0cmF0ZWd5Ijoic3RyaW5nIn1dLCJleGVjX3Byb2Nlc3NlcyI6W10sImlkIjoibWNyLm1pY3Jvc29mdC5jb20vYXp1cmVsaW51eC9kaXN0cm9sZXNzL2Jhc2VAc2hhMjU2OjFlNzdkOTdlMWUzOWYyMmVkOWM1MmY0OWIzNTA4YjRjMTA0NGNlYzIzNzQzZGY5MDk4YWM0NGUwMjVmNjU0ZjIiLCJsYXllcnMiOlsiMjQzZTFiM2NlMDgwOTNmMmYwZDljZDZhOWVhZmRlODczN2Y2NGZlYzEwNWVkNTljMzQ2ZDMwOWZiZTc2MGI1OCJdLCJtb3VudHMiOlt7ImRlc3RpbmF0aW9uIjoiL2V0Yy9yZXNvbHYuY29uZiIsIm9wdGlvbnMiOlsicmJpbmQiLCJyc2hhcmVkIiwicnciXSwic291cmNlIjoic2FuZGJveDovLy90bXAvYXRsYXMvcmVzb2x2Y29uZi8uKyIsInR5cGUiOiJiaW5kIn1dLCJuYW1lIjoiY29udGFpbmVyMSIsIm5vX25ld19wcml2aWxlZ2VzIjpmYWxzZSwic2VjY29tcF9wcm9maWxlX3NoYTI1NiI6IiIsInNpZ25hbHMiOltdLCJ1c2VyIjp7Imdyb3VwX2lkbmFtZXMiOlt7InBhdHRlcm4iOiIiLCJzdHJhdGVneSI6ImFueSJ9XSwidW1hc2siOiIwMDIyIiwidXNlcl9pZG5hbWUiOnsicGF0dGVybiI6IiIsInN0cmF0ZWd5IjoiYW55In19LCJ3b3JraW5nX2RpciI6Ii8ifSx7ImFsbG93X2VsZXZhdGVkIjpmYWxzZSwiYWxsb3dfc3RkaW9fYWNjZXNzIjp0cnVlLCJjYXBhYmlsaXRpZXMiOnsiYW1iaWVudCI6W10sImJvdW5kaW5nIjpbIkNBUF9DSE9XTiIsIkNBUF9EQUNfT1ZFUlJJREUiLCJDQVBfRlNFVElEIiwiQ0FQX0ZPV05FUiIsIkNBUF9NS05PRCIsIkNBUF9ORVRfUkFXIiwiQ0FQX1NFVEdJRCIsIkNBUF9TRVRVSUQiLCJDQVBfU0VURkNBUCIsIkNBUF9TRVRQQ0FQ
IiwiQ0FQX05FVF9CSU5EX1NFUlZJQ0UiLCJDQVBfU1lTX0NIUk9PVCIsIkNBUF9LSUxMIiwiQ0FQX0FVRElUX1dSSVRFIl0sImVmZmVjdGl2ZSI6WyJDQVBfQ0hPV04iLCJDQVBfREFDX09WRVJSSURFIiwiQ0FQX0ZTRVRJRCIsIkNBUF9GT1dORVIiLCJDQVBfTUtOT0QiLCJDQVBfTkVUX1JBVyIsIkNBUF9TRVRHSUQiLCJDQVBfU0VUVUlEIiwiQ0FQX1NFVEZDQVAiLCJDQVBfU0VUUENBUCIsIkNBUF9ORVRfQklORF9TRVJWSUNFIiwiQ0FQX1NZU19DSFJPT1QiLCJDQVBfS0lMTCIsIkNBUF9BVURJVF9XUklURSJdLCJpbmhlcml0YWJsZSI6W10sInBlcm1pdHRlZCI6WyJDQVBfQ0hPV04iLCJDQVBfREFDX09WRVJSSURFIiwiQ0FQX0ZTRVRJRCIsIkNBUF9GT1dORVIiLCJDQVBfTUtOT0QiLCJDQVBfTkVUX1JBVyIsIkNBUF9TRVRHSUQiLCJDQVBfU0VUVUlEIiwiQ0FQX1NFVEZDQVAiLCJDQVBfU0VUUENBUCIsIkNBUF9ORVRfQklORF9TRVJWSUNFIiwiQ0FQX1NZU19DSFJPT1QiLCJDQVBfS0lMTCIsIkNBUF9BVURJVF9XUklURSJdfSwiY29tbWFuZCI6WyIvcGF1c2UiXSwiZW52X3J1bGVzIjpbeyJwYXR0ZXJuIjoiUEFUSD0vdXNyL2xvY2FsL3NiaW46L3Vzci9sb2NhbC9iaW46L3Vzci9zYmluOi91c3IvYmluOi9zYmluOi9iaW4iLCJyZXF1aXJlZCI6dHJ1ZSwic3RyYXRlZ3kiOiJzdHJpbmcifSx7InBhdHRlcm4iOiJURVJNPXh0ZXJtIiwicmVxdWlyZWQiOmZhbHNlLCJzdHJhdGVneSI6InN0cmluZyJ9XSwiZXhlY19wcm9jZXNzZXMiOltdLCJsYXllcnMiOlsiMTZiNTE0MDU3YTA2YWQ2NjVmOTJjMDI4NjNhY2EwNzRmZDU5NzZjNzU1ZDI2YmZmMTYzNjUyOTkxNjllODQxNSJdLCJtb3VudHMiOltdLCJuYW1lIjoicGF1c2UtY29udGFpbmVyIiwibm9fbmV3X3ByaXZpbGVnZXMiOmZhbHNlLCJzZWNjb21wX3Byb2ZpbGVfc2hhMjU2IjoiIiwic2lnbmFscyI6W10sInVzZXIiOnsiZ3JvdXBfaWRuYW1lcyI6W3sicGF0dGVybiI6IiIsInN0cmF0ZWd5IjoiYW55In1dLCJ1bWFzayI6IjAwMjIiLCJ1c2VyX2lkbmFtZSI6eyJwYXR0ZXJuIjoiIiwic3RyYXRlZ3kiOiJhbnkifX0sIndvcmtpbmdfZGlyIjoiLyJ9XQoKYWxsb3dfcHJvcGVydGllc19hY2Nlc3MgOj0gdHJ1ZQphbGxvd19kdW1wX3N0YWNrcyA6PSBmYWxzZQphbGxvd19ydW50aW1lX2xvZ2dpbmcgOj0gZmFsc2UKYWxsb3dfZW52aXJvbm1lbnRfdmFyaWFibGVfZHJvcHBpbmcgOj0gdHJ1ZQphbGxvd191bmVuY3J5cHRlZF9zY3JhdGNoIDo9IGZhbHNlCmFsbG93X2NhcGFiaWxpdHlfZHJvcHBpbmcgOj0gdHJ1ZQoKbW91bnRfZGV2aWNlIDo9IGRhdGEuZnJhbWV3b3JrLm1vdW50X2RldmljZQp1bm1vdW50X2RldmljZSA6PSBkYXRhLmZyYW1ld29yay51bm1vdW50X2RldmljZQptb3VudF9vdmVybGF5IDo9IGRhdGEuZnJhbWV3b3JrLm1vdW50X292ZXJsYXkKdW5tb3VudF9vdmVybGF5IDo9IGRhdGEuZnJhbWV3b3JrLnVubW91bnRfb3ZlcmxheQpjcmVhdGVfY29udGFpbmVyIDo9IGRh
dGEuZnJhbWV3b3JrLmNyZWF0ZV9jb250YWluZXIKZXhlY19pbl9jb250YWluZXIgOj0gZGF0YS5mcmFtZXdvcmsuZXhlY19pbl9jb250YWluZXIKZXhlY19leHRlcm5hbCA6PSBkYXRhLmZyYW1ld29yay5leGVjX2V4dGVybmFsCnNodXRkb3duX2NvbnRhaW5lciA6PSBkYXRhLmZyYW1ld29yay5zaHV0ZG93bl9jb250YWluZXIKc2lnbmFsX2NvbnRhaW5lcl9wcm9jZXNzIDo9IGRhdGEuZnJhbWV3b3JrLnNpZ25hbF9jb250YWluZXJfcHJvY2VzcwpwbGFuOV9tb3VudCA6PSBkYXRhLmZyYW1ld29yay5wbGFuOV9tb3VudApwbGFuOV91bm1vdW50IDo9IGRhdGEuZnJhbWV3b3JrLnBsYW45X3VubW91bnQKZ2V0X3Byb3BlcnRpZXMgOj0gZGF0YS5mcmFtZXdvcmsuZ2V0X3Byb3BlcnRpZXMKZHVtcF9zdGFja3MgOj0gZGF0YS5mcmFtZXdvcmsuZHVtcF9zdGFja3MKcnVudGltZV9sb2dnaW5nIDo9IGRhdGEuZnJhbWV3b3JrLnJ1bnRpbWVfbG9nZ2luZwpsb2FkX2ZyYWdtZW50IDo9IGRhdGEuZnJhbWV3b3JrLmxvYWRfZnJhZ21lbnQKc2NyYXRjaF9tb3VudCA6PSBkYXRhLmZyYW1ld29yay5zY3JhdGNoX21vdW50CnNjcmF0Y2hfdW5tb3VudCA6PSBkYXRhLmZyYW1ld29yay5zY3JhdGNoX3VubW91bnQKCnJlYXNvbiA6PSB7ImVycm9ycyI6IGRhdGEuZnJhbWV3b3JrLmVycm9yc30=" }, "containers": [ { diff --git a/src/confcom/samples/aci/environment_variables/policy.rego b/src/confcom/samples/aci/environment_variables/policy.rego index 6966ac35d00..38cf5f391d5 100644 --- a/src/confcom/samples/aci/environment_variables/policy.rego +++ b/src/confcom/samples/aci/environment_variables/policy.rego 
@@ -18,7 +18,7 @@ fragments := [ } ] -containers := [{"allow_elevated":false,"allow_stdio_access":true,"capabilities":{"ambient":[],"bounding":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"],"effective":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"],"inheritable":[],"permitted":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"]},"command":null,"env_rules":[{"pattern":"MY_VAR=MY_VAL","required":false,"strategy":"string"},{"pattern":"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","required":false,"strategy":"string"},{"pattern":"TERM=xterm","required":false,"strategy":"string"},{"pattern":"(?i)(FABRIC)_.+=.+","required":false,"strategy":"re2"},{"pattern":"HOSTNAME=.+","required":false,"strategy":"re2"},{"pattern":"T(E)?MP=.+","required":false,"strategy":"re2"},{"pattern":"FabricPackageFileName=.+","required":false,"strategy":"re2"},{"pattern":"HostedServiceName=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_API_VERSION=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_HEADER=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_SERVER_THUMBPRINT=.+","required":false,"strategy":"re2"},{"pattern":"azurecontainerinstance_restarted_by=.+","required":false,"strategy":"re2"}],"exec_processes":[],"id":"mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2","layers":["243e1b3ce08093f2f0d9cd6a9eafde8737f64fec105ed59c346d309fbe760b58"],"mounts":[{"destination":"/etc/resolv.conf","options":["rbind","
rshared","rw"],"source":"sandbox:///tmp/atlas/resolvconf/.+","type":"bind"}],"name":"container1","no_new_privileges":false,"seccomp_profile_sha256":"","signals":[],"user":{"group_idnames":[{"pattern":"","strategy":"any"}],"umask":"0022","user_idname":{"pattern":"","strategy":"any"}},"working_dir":"/"},{"allow_elevated":false,"allow_stdio_access":true,"capabilities":{"ambient":[],"bounding":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"effective":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"inheritable":[],"permitted":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"]},"command":["/pause"],"env_rules":[{"pattern":"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","required":true,"strategy":"string"},{"pattern":"TERM=xterm","required":false,"strategy":"string"}],"exec_processes":[],"layers":["16b514057a06ad665f92c02863aca074fd5976c755d26bff16365299169e8415"],"mounts":[],"name":"pause-container","no_new_privileges":false,"seccomp_profile_sha256":"","signals":[],"user":{"group_idnames":[{"pattern":"","strategy":"any"}],"umask":"0022","user_idname":{"pattern":"","strategy":"any"}},"working_dir":"/"}] +containers := 
[{"allow_elevated":false,"allow_stdio_access":true,"capabilities":{"ambient":[],"bounding":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"],"effective":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"],"inheritable":[],"permitted":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"]},"command":null,"env_rules":[{"pattern":"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","required":false,"strategy":"string"},{"pattern":"MY_VAR=MY_VAL","required":false,"strategy":"string"},{"pattern":"TERM=xterm","required":false,"strategy":"string"},{"pattern":"(?i)(FABRIC)_.+=.+","required":false,"strategy":"re2"},{"pattern":"HOSTNAME=.+","required":false,"strategy":"re2"},{"pattern":"T(E)?MP=.+","required":false,"strategy":"re2"},{"pattern":"FabricPackageFileName=.+","required":false,"strategy":"re2"},{"pattern":"HostedServiceName=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_API_VERSION=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_HEADER=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_SERVER_THUMBPRINT=.+","required":false,"strategy":"re2"},{"pattern":"azurecontainerinstance_restarted_by=.+","required":false,"strategy":"re2"}],"exec_processes":[],"id":"mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2","layers":["243e1b3ce08093f2f0d9cd6a9eafde8737f64fec105ed59c346d309fbe760b58"],"mounts":[{"destination":"/etc/resolv.conf","options":["rbind","rshared","rw"],"source":"sandbox:///tmp/atlas/resolv
conf/.+","type":"bind"}],"name":"container1","no_new_privileges":false,"seccomp_profile_sha256":"","signals":[],"user":{"group_idnames":[{"pattern":"","strategy":"any"}],"umask":"0022","user_idname":{"pattern":"","strategy":"any"}},"working_dir":"/"},{"allow_elevated":false,"allow_stdio_access":true,"capabilities":{"ambient":[],"bounding":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"effective":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"inheritable":[],"permitted":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"]},"command":["/pause"],"env_rules":[{"pattern":"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","required":true,"strategy":"string"},{"pattern":"TERM=xterm","required":false,"strategy":"string"}],"exec_processes":[],"layers":["16b514057a06ad665f92c02863aca074fd5976c755d26bff16365299169e8415"],"mounts":[],"name":"pause-container","no_new_privileges":false,"seccomp_profile_sha256":"","signals":[],"user":{"group_idnames":[{"pattern":"","strategy":"any"}],"umask":"0022","user_idname":{"pattern":"","strategy":"any"}},"working_dir":"/"}] allow_properties_access := true allow_dump_stacks := false diff --git a/src/confcom/samples/aci/environment_variables/policy_debug.rego b/src/confcom/samples/aci/environment_variables/policy_debug.rego index 79a435f36ef..848baebf7de 100644 --- a/src/confcom/samples/aci/environment_variables/policy_debug.rego +++ b/src/confcom/samples/aci/environment_variables/policy_debug.rego 
@@ -18,7 +18,7 @@ fragments := [ } ] -containers := [{"allow_elevated":false,"allow_stdio_access":true,"capabilities":{"ambient":[],"bounding":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"],"effective":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"],"inheritable":[],"permitted":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"]},"command":null,"env_rules":[{"pattern":"MY_VAR=MY_VAL","required":false,"strategy":"string"},{"pattern":"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","required":false,"strategy":"string"},{"pattern":"TERM=xterm","required":false,"strategy":"string"},{"pattern":"(?i)(FABRIC)_.+=.+","required":false,"strategy":"re2"},{"pattern":"HOSTNAME=.+","required":false,"strategy":"re2"},{"pattern":"T(E)?MP=.+","required":false,"strategy":"re2"},{"pattern":"FabricPackageFileName=.+","required":false,"strategy":"re2"},{"pattern":"HostedServiceName=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_API_VERSION=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_HEADER=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_SERVER_THUMBPRINT=.+","required":false,"strategy":"re2"},{"pattern":"azurecontainerinstance_restarted_by=.+","required":false,"strategy":"re2"}],"exec_processes":[{"command":["/bin/sh"],"signals":[]},{"command":["/bin/bash"],"signals":[]}],"id":"mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2","layers":["243e1b3ce08093f2f0d9cd6a9eafde8737f64fec105ed59c346d309f
be760b58"],"mounts":[{"destination":"/etc/resolv.conf","options":["rbind","rshared","rw"],"source":"sandbox:///tmp/atlas/resolvconf/.+","type":"bind"}],"name":"container1","no_new_privileges":false,"seccomp_profile_sha256":"","signals":[],"user":{"group_idnames":[{"pattern":"","strategy":"any"}],"umask":"0022","user_idname":{"pattern":"","strategy":"any"}},"working_dir":"/"},{"allow_elevated":false,"allow_stdio_access":true,"capabilities":{"ambient":[],"bounding":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"effective":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"inheritable":[],"permitted":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"]},"command":["/pause"],"env_rules":[{"pattern":"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","required":true,"strategy":"string"},{"pattern":"TERM=xterm","required":false,"strategy":"string"}],"exec_processes":[],"layers":["16b514057a06ad665f92c02863aca074fd5976c755d26bff16365299169e8415"],"mounts":[],"name":"pause-container","no_new_privileges":false,"seccomp_profile_sha256":"","signals":[],"user":{"group_idnames":[{"pattern":"","strategy":"any"}],"umask":"0022","user_idname":{"pattern":"","strategy":"any"}},"working_dir":"/"}] +containers := 
[{"allow_elevated":false,"allow_stdio_access":true,"capabilities":{"ambient":[],"bounding":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"],"effective":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"],"inheritable":[],"permitted":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"]},"command":null,"env_rules":[{"pattern":"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","required":false,"strategy":"string"},{"pattern":"MY_VAR=MY_VAL","required":false,"strategy":"string"},{"pattern":"TERM=xterm","required":false,"strategy":"string"},{"pattern":"(?i)(FABRIC)_.+=.+","required":false,"strategy":"re2"},{"pattern":"HOSTNAME=.+","required":false,"strategy":"re2"},{"pattern":"T(E)?MP=.+","required":false,"strategy":"re2"},{"pattern":"FabricPackageFileName=.+","required":false,"strategy":"re2"},{"pattern":"HostedServiceName=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_API_VERSION=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_HEADER=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_SERVER_THUMBPRINT=.+","required":false,"strategy":"re2"},{"pattern":"azurecontainerinstance_restarted_by=.+","required":false,"strategy":"re2"}],"exec_processes":[{"command":["/bin/sh"],"signals":[]},{"command":["/bin/bash"],"signals":[]}],"id":"mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2","layers":["243e1b3ce08093f2f0d9cd6a9eafde8737f64fec105ed59c346d309fbe760b58"],"mounts":[{"destination":"/etc/resolv.con
f","options":["rbind","rshared","rw"],"source":"sandbox:///tmp/atlas/resolvconf/.+","type":"bind"}],"name":"container1","no_new_privileges":false,"seccomp_profile_sha256":"","signals":[],"user":{"group_idnames":[{"pattern":"","strategy":"any"}],"umask":"0022","user_idname":{"pattern":"","strategy":"any"}},"working_dir":"/"},{"allow_elevated":false,"allow_stdio_access":true,"capabilities":{"ambient":[],"bounding":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"effective":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"inheritable":[],"permitted":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"]},"command":["/pause"],"env_rules":[{"pattern":"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","required":true,"strategy":"string"},{"pattern":"TERM=xterm","required":false,"strategy":"string"}],"exec_processes":[],"layers":["16b514057a06ad665f92c02863aca074fd5976c755d26bff16365299169e8415"],"mounts":[],"name":"pause-container","no_new_privileges":false,"seccomp_profile_sha256":"","signals":[],"user":{"group_idnames":[{"pattern":"","strategy":"any"}],"umask":"0022","user_idname":{"pattern":"","strategy":"any"}},"working_dir":"/"}] allow_properties_access := true allow_dump_stacks := true diff --git a/src/confcom/samples/aci/environment_variables/policy_disable_stdio.rego b/src/confcom/samples/aci/environment_variables/policy_disable_stdio.rego index 1b3bf3399eb..a26a5b00418 100644 --- a/src/confcom/samples/aci/environment_variables/policy_disable_stdio.rego 
+++ b/src/confcom/samples/aci/environment_variables/policy_disable_stdio.rego 
@@ -18,7 +18,7 @@ fragments := [ } ] -containers := [{"allow_elevated":false,"allow_stdio_access":false,"capabilities":{"ambient":[],"bounding":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"],"effective":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"],"inheritable":[],"permitted":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"]},"command":null,"env_rules":[{"pattern":"MY_VAR=MY_VAL","required":false,"strategy":"string"},{"pattern":"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","required":false,"strategy":"string"},{"pattern":"TERM=xterm","required":false,"strategy":"string"},{"pattern":"(?i)(FABRIC)_.+=.+","required":false,"strategy":"re2"},{"pattern":"HOSTNAME=.+","required":false,"strategy":"re2"},{"pattern":"T(E)?MP=.+","required":false,"strategy":"re2"},{"pattern":"FabricPackageFileName=.+","required":false,"strategy":"re2"},{"pattern":"HostedServiceName=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_API_VERSION=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_HEADER=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_SERVER_THUMBPRINT=.+","required":false,"strategy":"re2"},{"pattern":"azurecontainerinstance_restarted_by=.+","required":false,"strategy":"re2"}],"exec_processes":[],"id":"mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2","layers":["243e1b3ce08093f2f0d9cd6a9eafde8737f64fec105ed59c346d309fbe760b58"],"mounts":[{"destination":"/etc/resolv.conf","options":["rbind",
"rshared","rw"],"source":"sandbox:///tmp/atlas/resolvconf/.+","type":"bind"}],"name":"container1","no_new_privileges":false,"seccomp_profile_sha256":"","signals":[],"user":{"group_idnames":[{"pattern":"","strategy":"any"}],"umask":"0022","user_idname":{"pattern":"","strategy":"any"}},"working_dir":"/"},{"allow_elevated":false,"allow_stdio_access":false,"capabilities":{"ambient":[],"bounding":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"effective":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"inheritable":[],"permitted":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"]},"command":["/pause"],"env_rules":[{"pattern":"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","required":true,"strategy":"string"},{"pattern":"TERM=xterm","required":false,"strategy":"string"}],"exec_processes":[],"layers":["16b514057a06ad665f92c02863aca074fd5976c755d26bff16365299169e8415"],"mounts":[],"name":"pause-container","no_new_privileges":false,"seccomp_profile_sha256":"","signals":[],"user":{"group_idnames":[{"pattern":"","strategy":"any"}],"umask":"0022","user_idname":{"pattern":"","strategy":"any"}},"working_dir":"/"}] +containers := 
[{"allow_elevated":false,"allow_stdio_access":false,"capabilities":{"ambient":[],"bounding":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"],"effective":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"],"inheritable":[],"permitted":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"]},"command":null,"env_rules":[{"pattern":"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","required":false,"strategy":"string"},{"pattern":"MY_VAR=MY_VAL","required":false,"strategy":"string"},{"pattern":"TERM=xterm","required":false,"strategy":"string"},{"pattern":"(?i)(FABRIC)_.+=.+","required":false,"strategy":"re2"},{"pattern":"HOSTNAME=.+","required":false,"strategy":"re2"},{"pattern":"T(E)?MP=.+","required":false,"strategy":"re2"},{"pattern":"FabricPackageFileName=.+","required":false,"strategy":"re2"},{"pattern":"HostedServiceName=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_API_VERSION=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_HEADER=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_SERVER_THUMBPRINT=.+","required":false,"strategy":"re2"},{"pattern":"azurecontainerinstance_restarted_by=.+","required":false,"strategy":"re2"}],"exec_processes":[],"id":"mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2","layers":["243e1b3ce08093f2f0d9cd6a9eafde8737f64fec105ed59c346d309fbe760b58"],"mounts":[{"destination":"/etc/resolv.conf","options":["rbind","rshared","rw"],"source":"sandbox:///tmp/atlas/resol
vconf/.+","type":"bind"}],"name":"container1","no_new_privileges":false,"seccomp_profile_sha256":"","signals":[],"user":{"group_idnames":[{"pattern":"","strategy":"any"}],"umask":"0022","user_idname":{"pattern":"","strategy":"any"}},"working_dir":"/"},{"allow_elevated":false,"allow_stdio_access":false,"capabilities":{"ambient":[],"bounding":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"effective":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"inheritable":[],"permitted":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"]},"command":["/pause"],"env_rules":[{"pattern":"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","required":true,"strategy":"string"},{"pattern":"TERM=xterm","required":false,"strategy":"string"}],"exec_processes":[],"layers":["16b514057a06ad665f92c02863aca074fd5976c755d26bff16365299169e8415"],"mounts":[],"name":"pause-container","no_new_privileges":false,"seccomp_profile_sha256":"","signals":[],"user":{"group_idnames":[{"pattern":"","strategy":"any"}],"umask":"0022","user_idname":{"pattern":"","strategy":"any"}},"working_dir":"/"}] allow_properties_access := true allow_dump_stacks := false diff --git a/src/confcom/samples/aci/environment_variables/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/environment_variables/policy_exclude_default_fragment.rego index 0582ec2f8b7..99f3ccd9025 100644 --- a/src/confcom/samples/aci/environment_variables/policy_exclude_default_fragment.rego 
+++ b/src/confcom/samples/aci/environment_variables/policy_exclude_default_fragment.rego 
@@ -8,7 +8,7 @@ framework_version := "0.2.3" fragments := [] -containers := [{"allow_elevated":false,"allow_stdio_access":true,"capabilities":{"ambient":[],"bounding":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"],"effective":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"],"inheritable":[],"permitted":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"]},"command":null,"env_rules":[{"pattern":"MY_VAR=MY_VAL","required":false,"strategy":"string"},{"pattern":"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","required":false,"strategy":"string"},{"pattern":"TERM=xterm","required":false,"strategy":"string"},{"pattern":"(?i)(FABRIC)_.+=.+","required":false,"strategy":"re2"},{"pattern":"HOSTNAME=.+","required":false,"strategy":"re2"},{"pattern":"T(E)?MP=.+","required":false,"strategy":"re2"},{"pattern":"FabricPackageFileName=.+","required":false,"strategy":"re2"},{"pattern":"HostedServiceName=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_API_VERSION=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_HEADER=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_SERVER_THUMBPRINT=.+","required":false,"strategy":"re2"},{"pattern":"azurecontainerinstance_restarted_by=.+","required":false,"strategy":"re2"}],"exec_processes":[],"id":"mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2","layers":["243e1b3ce08093f2f0d9cd6a9eafde8737f64fec105ed59c346d309fbe760b58"],"mounts":[{"destination":"/etc/resolv.co
nf","options":["rbind","rshared","rw"],"source":"sandbox:///tmp/atlas/resolvconf/.+","type":"bind"}],"name":"container1","no_new_privileges":false,"seccomp_profile_sha256":"","signals":[],"user":{"group_idnames":[{"pattern":"","strategy":"any"}],"umask":"0022","user_idname":{"pattern":"","strategy":"any"}},"working_dir":"/"},{"allow_elevated":false,"allow_stdio_access":true,"capabilities":{"ambient":[],"bounding":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"effective":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"inheritable":[],"permitted":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"]},"command":["/pause"],"env_rules":[{"pattern":"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","required":true,"strategy":"string"},{"pattern":"TERM=xterm","required":false,"strategy":"string"}],"exec_processes":[],"layers":["16b514057a06ad665f92c02863aca074fd5976c755d26bff16365299169e8415"],"mounts":[],"name":"pause-container","no_new_privileges":false,"seccomp_profile_sha256":"","signals":[],"user":{"group_idnames":[{"pattern":"","strategy":"any"}],"umask":"0022","user_idname":{"pattern":"","strategy":"any"}},"working_dir":"/"}] +containers := 
[{"allow_elevated":false,"allow_stdio_access":true,"capabilities":{"ambient":[],"bounding":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"],"effective":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"],"inheritable":[],"permitted":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"]},"command":null,"env_rules":[{"pattern":"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","required":false,"strategy":"string"},{"pattern":"MY_VAR=MY_VAL","required":false,"strategy":"string"},{"pattern":"TERM=xterm","required":false,"strategy":"string"},{"pattern":"(?i)(FABRIC)_.+=.+","required":false,"strategy":"re2"},{"pattern":"HOSTNAME=.+","required":false,"strategy":"re2"},{"pattern":"T(E)?MP=.+","required":false,"strategy":"re2"},{"pattern":"FabricPackageFileName=.+","required":false,"strategy":"re2"},{"pattern":"HostedServiceName=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_API_VERSION=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_HEADER=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_SERVER_THUMBPRINT=.+","required":false,"strategy":"re2"},{"pattern":"azurecontainerinstance_restarted_by=.+","required":false,"strategy":"re2"}],"exec_processes":[],"id":"mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2","layers":["243e1b3ce08093f2f0d9cd6a9eafde8737f64fec105ed59c346d309fbe760b58"],"mounts":[{"destination":"/etc/resolv.conf","options":["rbind","rshared","rw"],"source":"sandbox:///tmp/atlas/resolv
conf/.+","type":"bind"}],"name":"container1","no_new_privileges":false,"seccomp_profile_sha256":"","signals":[],"user":{"group_idnames":[{"pattern":"","strategy":"any"}],"umask":"0022","user_idname":{"pattern":"","strategy":"any"}},"working_dir":"/"},{"allow_elevated":false,"allow_stdio_access":true,"capabilities":{"ambient":[],"bounding":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"effective":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"inheritable":[],"permitted":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"]},"command":["/pause"],"env_rules":[{"pattern":"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","required":true,"strategy":"string"},{"pattern":"TERM=xterm","required":false,"strategy":"string"}],"exec_processes":[],"layers":["16b514057a06ad665f92c02863aca074fd5976c755d26bff16365299169e8415"],"mounts":[],"name":"pause-container","no_new_privileges":false,"seccomp_profile_sha256":"","signals":[],"user":{"group_idnames":[{"pattern":"","strategy":"any"}],"umask":"0022","user_idname":{"pattern":"","strategy":"any"}},"working_dir":"/"}] allow_properties_access := true allow_dump_stacks := false diff --git a/src/confcom/samples/aci/environment_variables/policy_infrastructure_svn.rego b/src/confcom/samples/aci/environment_variables/policy_infrastructure_svn.rego index 5c5771f5e79..9fd94dcaad5 100644 --- a/src/confcom/samples/aci/environment_variables/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/environment_variables/policy_infrastructure_svn.rego 
@@ -18,7 +18,7 @@ fragments := [ } ] -containers := [{"allow_elevated":false,"allow_stdio_access":true,"capabilities":{"ambient":[],"bounding":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"],"effective":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"],"inheritable":[],"permitted":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"]},"command":null,"env_rules":[{"pattern":"MY_VAR=MY_VAL","required":false,"strategy":"string"},{"pattern":"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","required":false,"strategy":"string"},{"pattern":"TERM=xterm","required":false,"strategy":"string"},{"pattern":"(?i)(FABRIC)_.+=.+","required":false,"strategy":"re2"},{"pattern":"HOSTNAME=.+","required":false,"strategy":"re2"},{"pattern":"T(E)?MP=.+","required":false,"strategy":"re2"},{"pattern":"FabricPackageFileName=.+","required":false,"strategy":"re2"},{"pattern":"HostedServiceName=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_API_VERSION=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_HEADER=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_SERVER_THUMBPRINT=.+","required":false,"strategy":"re2"},{"pattern":"azurecontainerinstance_restarted_by=.+","required":false,"strategy":"re2"}],"exec_processes":[],"id":"mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2","layers":["243e1b3ce08093f2f0d9cd6a9eafde8737f64fec105ed59c346d309fbe760b58"],"mounts":[{"destination":"/etc/resolv.conf","options":["rbind","
rshared","rw"],"source":"sandbox:///tmp/atlas/resolvconf/.+","type":"bind"}],"name":"container1","no_new_privileges":false,"seccomp_profile_sha256":"","signals":[],"user":{"group_idnames":[{"pattern":"","strategy":"any"}],"umask":"0022","user_idname":{"pattern":"","strategy":"any"}},"working_dir":"/"},{"allow_elevated":false,"allow_stdio_access":true,"capabilities":{"ambient":[],"bounding":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"effective":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"inheritable":[],"permitted":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"]},"command":["/pause"],"env_rules":[{"pattern":"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","required":true,"strategy":"string"},{"pattern":"TERM=xterm","required":false,"strategy":"string"}],"exec_processes":[],"layers":["16b514057a06ad665f92c02863aca074fd5976c755d26bff16365299169e8415"],"mounts":[],"name":"pause-container","no_new_privileges":false,"seccomp_profile_sha256":"","signals":[],"user":{"group_idnames":[{"pattern":"","strategy":"any"}],"umask":"0022","user_idname":{"pattern":"","strategy":"any"}},"working_dir":"/"}] +containers := 
[{"allow_elevated":false,"allow_stdio_access":true,"capabilities":{"ambient":[],"bounding":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"],"effective":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"],"inheritable":[],"permitted":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"]},"command":null,"env_rules":[{"pattern":"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","required":false,"strategy":"string"},{"pattern":"MY_VAR=MY_VAL","required":false,"strategy":"string"},{"pattern":"TERM=xterm","required":false,"strategy":"string"},{"pattern":"(?i)(FABRIC)_.+=.+","required":false,"strategy":"re2"},{"pattern":"HOSTNAME=.+","required":false,"strategy":"re2"},{"pattern":"T(E)?MP=.+","required":false,"strategy":"re2"},{"pattern":"FabricPackageFileName=.+","required":false,"strategy":"re2"},{"pattern":"HostedServiceName=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_API_VERSION=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_HEADER=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_SERVER_THUMBPRINT=.+","required":false,"strategy":"re2"},{"pattern":"azurecontainerinstance_restarted_by=.+","required":false,"strategy":"re2"}],"exec_processes":[],"id":"mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2","layers":["243e1b3ce08093f2f0d9cd6a9eafde8737f64fec105ed59c346d309fbe760b58"],"mounts":[{"destination":"/etc/resolv.conf","options":["rbind","rshared","rw"],"source":"sandbox:///tmp/atlas/resolv
conf/.+","type":"bind"}],"name":"container1","no_new_privileges":false,"seccomp_profile_sha256":"","signals":[],"user":{"group_idnames":[{"pattern":"","strategy":"any"}],"umask":"0022","user_idname":{"pattern":"","strategy":"any"}},"working_dir":"/"},{"allow_elevated":false,"allow_stdio_access":true,"capabilities":{"ambient":[],"bounding":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"effective":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"inheritable":[],"permitted":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"]},"command":["/pause"],"env_rules":[{"pattern":"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","required":true,"strategy":"string"},{"pattern":"TERM=xterm","required":false,"strategy":"string"}],"exec_processes":[],"layers":["16b514057a06ad665f92c02863aca074fd5976c755d26bff16365299169e8415"],"mounts":[],"name":"pause-container","no_new_privileges":false,"seccomp_profile_sha256":"","signals":[],"user":{"group_idnames":[{"pattern":"","strategy":"any"}],"umask":"0022","user_idname":{"pattern":"","strategy":"any"}},"working_dir":"/"}] allow_properties_access := true allow_dump_stacks := false diff --git a/src/confcom/samples/aci/environment_variables/policy_spec.json b/src/confcom/samples/aci/environment_variables/policy_spec.json index 60fe9fc5397..0b3973abb09 100644 --- a/src/confcom/samples/aci/environment_variables/policy_spec.json +++ b/src/confcom/samples/aci/environment_variables/policy_spec.json 
@@ -80,7 +80,7 @@ "fragments" ], "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" + "minimum_svn": "4" } ] } diff --git a/src/confcom/samples/aci/environment_variables/policy_spec_debug.json b/src/confcom/samples/aci/environment_variables/policy_spec_debug.json index cca55e30157..13365db6519 100644 --- a/src/confcom/samples/aci/environment_variables/policy_spec_debug.json +++ b/src/confcom/samples/aci/environment_variables/policy_spec_debug.json @@ -92,7 +92,7 @@ "fragments" ], "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" + "minimum_svn": "4" } ], "profile": "debug" diff --git a/src/confcom/samples/aci/environment_variables/policy_spec_disable_stdio.json b/src/confcom/samples/aci/environment_variables/policy_spec_disable_stdio.json index 682b93fc23d..9bfa004aa51 100644 --- a/src/confcom/samples/aci/environment_variables/policy_spec_disable_stdio.json +++ b/src/confcom/samples/aci/environment_variables/policy_spec_disable_stdio.json @@ -82,7 +82,7 @@ "fragments" ], "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" + "minimum_svn": "4" } ] } diff --git a/src/confcom/samples/aci/minimal/policy_spec.json b/src/confcom/samples/aci/minimal/policy_spec.json index b576e7a43b2..55193e921aa 100644 --- a/src/confcom/samples/aci/minimal/policy_spec.json +++ b/src/confcom/samples/aci/minimal/policy_spec.json @@ -75,7 +75,7 @@ "fragments" ], "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" + "minimum_svn": "4" } ] } diff --git a/src/confcom/samples/aci/minimal/policy_spec_debug.json b/src/confcom/samples/aci/minimal/policy_spec_debug.json index 708187e9b14..cb0dc3d9d8d 100644 --- a/src/confcom/samples/aci/minimal/policy_spec_debug.json 
+++ b/src/confcom/samples/aci/minimal/policy_spec_debug.json @@ -87,7 +87,7 @@ "fragments" ], "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" + "minimum_svn": "4" } ], "profile": "debug" diff --git a/src/confcom/samples/aci/minimal/policy_spec_disable_stdio.json b/src/confcom/samples/aci/minimal/policy_spec_disable_stdio.json index 382c4c29524..499435d5cac 100644 --- a/src/confcom/samples/aci/minimal/policy_spec_disable_stdio.json +++ b/src/confcom/samples/aci/minimal/policy_spec_disable_stdio.json @@ -77,7 +77,7 @@ "fragments" ], "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" + "minimum_svn": "4" } ] } diff --git a/src/confcom/samples/aci/multi_container_groups/policy_spec.json b/src/confcom/samples/aci/multi_container_groups/policy_spec.json index 18bcab564e1..4bb34e82b57 100644 --- a/src/confcom/samples/aci/multi_container_groups/policy_spec.json +++ b/src/confcom/samples/aci/multi_container_groups/policy_spec.json @@ -75,7 +75,7 @@ "fragments" ], "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" + "minimum_svn": "4" } ] }, @@ -155,7 +155,7 @@ "fragments" ], "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" + "minimum_svn": "4" } ] } diff --git a/src/confcom/samples/aci/multi_container_groups/policy_spec_debug.json b/src/confcom/samples/aci/multi_container_groups/policy_spec_debug.json index e8557622035..f0842283b48 100644 --- a/src/confcom/samples/aci/multi_container_groups/policy_spec_debug.json +++ b/src/confcom/samples/aci/multi_container_groups/policy_spec_debug.json 
@@ -87,7 +87,7 @@ "fragments" ], "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" + "minimum_svn": "4" } ], "profile": "debug" @@ -180,7 +180,7 @@ "fragments" ], "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" + "minimum_svn": "4" } ], "profile": "debug" diff --git a/src/confcom/samples/aci/multi_container_groups/policy_spec_disable_stdio.json b/src/confcom/samples/aci/multi_container_groups/policy_spec_disable_stdio.json index 6b6509cc7df..f6f8f34c6d6 100644 --- a/src/confcom/samples/aci/multi_container_groups/policy_spec_disable_stdio.json +++ b/src/confcom/samples/aci/multi_container_groups/policy_spec_disable_stdio.json @@ -77,7 +77,7 @@ "fragments" ], "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" + "minimum_svn": "4" } ] }, @@ -159,7 +159,7 @@ "fragments" ], "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" + "minimum_svn": "4" } ] } diff --git a/src/confcom/samples/aci/multi_container_groups/policy_spec_minimal.json b/src/confcom/samples/aci/multi_container_groups/policy_spec_minimal.json index 31510b1739c..4d84b482ecb 100644 --- a/src/confcom/samples/aci/multi_container_groups/policy_spec_minimal.json +++ b/src/confcom/samples/aci/multi_container_groups/policy_spec_minimal.json 
@@ -14,6 +14,58 @@ { "name": "container1", "properties": { + "environmentVariables": [ + { + "name": "TERM", + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "strategy": "re2", + "value": ".+" + } + ], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2" } } diff --git a/src/confcom/samples/aci/multi_containers/policy_spec.json b/src/confcom/samples/aci/multi_containers/policy_spec.json index 3a604d10df0..fc979f1c0f5 100644 --- a/src/confcom/samples/aci/multi_containers/policy_spec.json +++ b/src/confcom/samples/aci/multi_containers/policy_spec.json @@ -140,7 +140,7 @@ "fragments" ], "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" + "minimum_svn": "4" } ] } diff --git a/src/confcom/samples/aci/multi_containers/policy_spec_debug.json b/src/confcom/samples/aci/multi_containers/policy_spec_debug.json index d33047dfd88..45e66a5f84c 100644 --- a/src/confcom/samples/aci/multi_containers/policy_spec_debug.json +++ b/src/confcom/samples/aci/multi_containers/policy_spec_debug.json 
@@ -164,7 +164,7 @@ "fragments" ], "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" + "minimum_svn": "4" } ], "profile": "debug" diff --git a/src/confcom/samples/aci/multi_containers/policy_spec_disable_stdio.json b/src/confcom/samples/aci/multi_containers/policy_spec_disable_stdio.json index 851ed3a9e22..22aa2b5f194 100644 --- a/src/confcom/samples/aci/multi_containers/policy_spec_disable_stdio.json +++ b/src/confcom/samples/aci/multi_containers/policy_spec_disable_stdio.json @@ -143,7 +143,7 @@ "fragments" ], "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" + "minimum_svn": "4" } ] } diff --git a/src/confcom/samples/aci/multi_containers/policy_spec_minimal.json b/src/confcom/samples/aci/multi_containers/policy_spec_minimal.json index ce9b6e397bc..00a4af50d70 100644 --- a/src/confcom/samples/aci/multi_containers/policy_spec_minimal.json +++ b/src/confcom/samples/aci/multi_containers/policy_spec_minimal.json 
@@ -10,6 +10,58 @@ { "name": "container2", "properties": { + "environmentVariables": [ + { + "name": "TERM", + "strategy": "string", + "value": "xterm" + }, + { + "name": "(?i)(FABRIC)_.+", + "strategy": "re2", + "value": ".+" + }, + { + "name": "HOSTNAME", + "strategy": "re2", + "value": ".+" + }, + { + "name": "T(E)?MP", + "strategy": "re2", + "value": ".+" + }, + { + "name": "FabricPackageFileName", + "strategy": "re2", + "value": ".+" + }, + { + "name": "HostedServiceName", + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_API_VERSION", + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_HEADER", + "strategy": "re2", + "value": ".+" + }, + { + "name": "IDENTITY_SERVER_THUMBPRINT", + "strategy": "re2", + "value": ".+" + }, + { + "name": "azurecontainerinstance_restarted_by", + "strategy": "re2", + "value": ".+" + } + ], "image": "mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2" } } diff --git a/src/confcom/samples/aci/security_context_capabilities_add/policy_spec.json b/src/confcom/samples/aci/security_context_capabilities_add/policy_spec.json index eebb5b7a485..04eb9607916 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add/policy_spec.json +++ b/src/confcom/samples/aci/security_context_capabilities_add/policy_spec.json @@ -83,7 +83,7 @@ "fragments" ], "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" + "minimum_svn": "4" } ] } diff --git a/src/confcom/samples/aci/security_context_capabilities_add/policy_spec_debug.json b/src/confcom/samples/aci/security_context_capabilities_add/policy_spec_debug.json index 653e30f2e5c..31ebb7db259 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add/policy_spec_debug.json +++ b/src/confcom/samples/aci/security_context_capabilities_add/policy_spec_debug.json 
@@ -95,7 +95,7 @@ "fragments" ], "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" + "minimum_svn": "4" } ], "profile": "debug" diff --git a/src/confcom/samples/aci/security_context_capabilities_add/policy_spec_disable_stdio.json b/src/confcom/samples/aci/security_context_capabilities_add/policy_spec_disable_stdio.json index cea650612b4..3315b1af492 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add/policy_spec_disable_stdio.json +++ b/src/confcom/samples/aci/security_context_capabilities_add/policy_spec_disable_stdio.json @@ -85,7 +85,7 @@ "fragments" ], "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" + "minimum_svn": "4" } ] } diff --git a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec.json b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec.json index 2c464ab0873..de8217e87d9 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec.json +++ b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec.json @@ -87,7 +87,7 @@ "fragments" ], "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" + "minimum_svn": "4" } ] } diff --git a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_debug.json b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_debug.json index e1302bd5f73..91ff2a6fa62 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_debug.json +++ b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_debug.json @@ -99,7 +99,7 @@ "fragments" ], "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" + "minimum_svn": "4" } ], "profile": "debug" 
diff --git a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_disable_stdio.json b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_disable_stdio.json index 06605bc4ab1..0c0bb9044a9 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_disable_stdio.json +++ b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_spec_disable_stdio.json @@ -89,7 +89,7 @@ "fragments" ], "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" + "minimum_svn": "4" } ] } diff --git a/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec.json b/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec.json index b2cedd9dc1e..048a9a62b2b 100644 --- a/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec.json +++ b/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec.json @@ -83,7 +83,7 @@ "fragments" ], "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" + "minimum_svn": "4" } ] } diff --git a/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_debug.json b/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_debug.json index fbf8a4c5c83..03dc73418b2 100644 --- a/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_debug.json +++ b/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_debug.json @@ -95,7 +95,7 @@ "fragments" ], "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" + "minimum_svn": "4" } ], "profile": "debug" 
diff --git a/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_disable_stdio.json b/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_disable_stdio.json index 907e7d8edf4..ff0c78f714b 100644 --- a/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_disable_stdio.json +++ b/src/confcom/samples/aci/security_context_capabilities_drop/policy_spec_disable_stdio.json @@ -85,7 +85,7 @@ "fragments" ], "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" + "minimum_svn": "4" } ] } diff --git a/src/confcom/samples/aci/security_context_run_as_group/policy_spec.json b/src/confcom/samples/aci/security_context_run_as_group/policy_spec.json index 42d9e19695e..e186e1e3c1d 100644 --- a/src/confcom/samples/aci/security_context_run_as_group/policy_spec.json +++ b/src/confcom/samples/aci/security_context_run_as_group/policy_spec.json @@ -78,7 +78,7 @@ "fragments" ], "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" + "minimum_svn": "4" } ] } diff --git a/src/confcom/samples/aci/security_context_run_as_group/policy_spec_debug.json b/src/confcom/samples/aci/security_context_run_as_group/policy_spec_debug.json index 24a176fec70..74b687b3a2d 100644 --- a/src/confcom/samples/aci/security_context_run_as_group/policy_spec_debug.json +++ b/src/confcom/samples/aci/security_context_run_as_group/policy_spec_debug.json @@ -90,7 +90,7 @@ "fragments" ], "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" + "minimum_svn": "4" } ], "profile": "debug" diff --git a/src/confcom/samples/aci/security_context_run_as_group/policy_spec_disable_stdio.json b/src/confcom/samples/aci/security_context_run_as_group/policy_spec_disable_stdio.json index 9ee6238af78..c3d8a158f1c 100644 
--- a/src/confcom/samples/aci/security_context_run_as_group/policy_spec_disable_stdio.json +++ b/src/confcom/samples/aci/security_context_run_as_group/policy_spec_disable_stdio.json @@ -80,7 +80,7 @@ "fragments" ], "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" + "minimum_svn": "4" } ] } diff --git a/src/confcom/samples/aci/security_context_run_as_user/policy_spec.json b/src/confcom/samples/aci/security_context_run_as_user/policy_spec.json index 6dfc8ff6f29..e59530f76cb 100644 --- a/src/confcom/samples/aci/security_context_run_as_user/policy_spec.json +++ b/src/confcom/samples/aci/security_context_run_as_user/policy_spec.json @@ -78,7 +78,7 @@ "fragments" ], "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" + "minimum_svn": "4" } ] } diff --git a/src/confcom/samples/aci/security_context_run_as_user/policy_spec_debug.json b/src/confcom/samples/aci/security_context_run_as_user/policy_spec_debug.json index 3d502999116..010fdc02846 100644 --- a/src/confcom/samples/aci/security_context_run_as_user/policy_spec_debug.json +++ b/src/confcom/samples/aci/security_context_run_as_user/policy_spec_debug.json @@ -90,7 +90,7 @@ "fragments" ], "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" + "minimum_svn": "4" } ], "profile": "debug" diff --git a/src/confcom/samples/aci/security_context_run_as_user/policy_spec_disable_stdio.json b/src/confcom/samples/aci/security_context_run_as_user/policy_spec_disable_stdio.json index 591641ef419..efe4375f375 100644 --- a/src/confcom/samples/aci/security_context_run_as_user/policy_spec_disable_stdio.json +++ b/src/confcom/samples/aci/security_context_run_as_user/policy_spec_disable_stdio.json 
@@ -80,7 +80,7 @@ "fragments" ], "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" + "minimum_svn": "4" } ] } diff --git a/src/confcom/samples/aci/variables/policy_spec.json b/src/confcom/samples/aci/variables/policy_spec.json index b576e7a43b2..55193e921aa 100644 --- a/src/confcom/samples/aci/variables/policy_spec.json +++ b/src/confcom/samples/aci/variables/policy_spec.json @@ -75,7 +75,7 @@ "fragments" ], "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" + "minimum_svn": "4" } ] } diff --git a/src/confcom/samples/aci/variables/policy_spec_debug.json b/src/confcom/samples/aci/variables/policy_spec_debug.json index 708187e9b14..cb0dc3d9d8d 100644 --- a/src/confcom/samples/aci/variables/policy_spec_debug.json +++ b/src/confcom/samples/aci/variables/policy_spec_debug.json @@ -87,7 +87,7 @@ "fragments" ], "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" + "minimum_svn": "4" } ], "profile": "debug" diff --git a/src/confcom/samples/aci/variables/policy_spec_disable_stdio.json b/src/confcom/samples/aci/variables/policy_spec_disable_stdio.json index 382c4c29524..499435d5cac 100644 --- a/src/confcom/samples/aci/variables/policy_spec_disable_stdio.json +++ b/src/confcom/samples/aci/variables/policy_spec_disable_stdio.json @@ -77,7 +77,7 @@ "fragments" ], "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" + "minimum_svn": "4" } ] } diff --git a/src/confcom/samples/aci/volume_mount_secret/policy_spec.json b/src/confcom/samples/aci/volume_mount_secret/policy_spec.json index 09a84cd5560..f4db669ae88 100644 --- a/src/confcom/samples/aci/volume_mount_secret/policy_spec.json +++ b/src/confcom/samples/aci/volume_mount_secret/policy_spec.json 
@@ -80,7 +80,7 @@ "fragments" ], "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" + "minimum_svn": "4" } ] } diff --git a/src/confcom/samples/aci/volume_mount_secret/policy_spec_debug.json b/src/confcom/samples/aci/volume_mount_secret/policy_spec_debug.json index 8ee1ba9710a..7a8e74dd164 100644 --- a/src/confcom/samples/aci/volume_mount_secret/policy_spec_debug.json +++ b/src/confcom/samples/aci/volume_mount_secret/policy_spec_debug.json @@ -92,7 +92,7 @@ "fragments" ], "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" + "minimum_svn": "4" } ], "profile": "debug" diff --git a/src/confcom/samples/aci/volume_mount_secret/policy_spec_disable_stdio.json b/src/confcom/samples/aci/volume_mount_secret/policy_spec_disable_stdio.json index 67f0260435e..9530f58200d 100644 --- a/src/confcom/samples/aci/volume_mount_secret/policy_spec_disable_stdio.json +++ b/src/confcom/samples/aci/volume_mount_secret/policy_spec_disable_stdio.json @@ -82,7 +82,7 @@ "fragments" ], "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" + "minimum_svn": "4" } ] } diff --git a/src/confcom/samples/aci/volume_mounts/policy_spec.json b/src/confcom/samples/aci/volume_mounts/policy_spec.json index bdb584e058a..5f39aa094df 100644 --- a/src/confcom/samples/aci/volume_mounts/policy_spec.json +++ b/src/confcom/samples/aci/volume_mounts/policy_spec.json @@ -79,7 +79,7 @@ "fragments" ], "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" + "minimum_svn": "4" } ] } diff --git a/src/confcom/samples/aci/volume_mounts/policy_spec_debug.json b/src/confcom/samples/aci/volume_mounts/policy_spec_debug.json index 3f1d501ebe5..ffee19fa57a 100644 --- a/src/confcom/samples/aci/volume_mounts/policy_spec_debug.json 
+++ b/src/confcom/samples/aci/volume_mounts/policy_spec_debug.json @@ -91,7 +91,7 @@ "fragments" ], "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" + "minimum_svn": "4" } ], "profile": "debug" diff --git a/src/confcom/samples/aci/volume_mounts/policy_spec_disable_stdio.json b/src/confcom/samples/aci/volume_mounts/policy_spec_disable_stdio.json index 8d27c3bb498..4df76d68153 100644 --- a/src/confcom/samples/aci/volume_mounts/policy_spec_disable_stdio.json +++ b/src/confcom/samples/aci/volume_mounts/policy_spec_disable_stdio.json @@ -81,7 +81,7 @@ "fragments" ], "issuer": "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.3", - "minimum_svn": "1" + "minimum_svn": "4" } ] } From 8451a499a12f0bbeaa8a94c35879371c95978602 Mon Sep 17 00:00:00 2001 From: Dominic Ayre Date: Mon, 6 Oct 2025 13:38:03 +0000 Subject: [PATCH 13/16] Fix arbitrary ordering of env variables --- src/confcom/azext_confcom/container.py | 38 ++++++++++++------- src/confcom/azext_confcom/security_policy.py | 4 +- .../aci/environment_variables/policy.rego | 2 +- .../environment_variables/policy_debug.rego | 2 +- .../policy_disable_stdio.rego | 2 +- .../policy_exclude_default_fragment.rego | 2 +- .../policy_infrastructure_svn.rego | 2 +- 7 files changed, 31 insertions(+), 21 deletions(-) diff --git a/src/confcom/azext_confcom/container.py b/src/confcom/azext_confcom/container.py index 0b252a6b3b9..8e44f8acf22 100644 --- a/src/confcom/azext_confcom/container.py +++ b/src/confcom/azext_confcom/container.py 
@@ -705,21 +705,31 @@ def _get_environment_rules(self) -> List[Dict[str, Any]]:
             var[config.POLICY_FIELD_CONTAINERS_ELEMENTS_ENVS_RULE].split("=")[0]
             for var in out_rules
         ]
+
+        # Remove variables from out_rules which appear in extraEnvironmentRules
+        # so they're always at the end of the list. This is to maintain the
+        # arbitrary order that already exists to avoid breaking customers
+        out_rules = [
+            rule for rule in out_rules
+            if rule["pattern"] not in {
+                f"{r["name"]}={r["value"]}" for r in self._extraEnvironmentRules
+            }
+        ]
+
         for rule in self._extraEnvironmentRules:
-            if rule[config.ACI_FIELD_CONTAINERS_ENVS_NAME] not in env_var_names:
-                out_rules.append(
-                    {
-                        config.POLICY_FIELD_CONTAINERS_ELEMENTS_ENVS_RULE:
-                        f"{rule[config.ACI_FIELD_CONTAINERS_ENVS_NAME]}="
-                        + f"{rule[config.ACI_FIELD_CONTAINERS_ENVS_VALUE]}",
-                        config.POLICY_FIELD_CONTAINERS_ELEMENTS_ENVS_STRATEGY: rule[
-                            config.ACI_FIELD_CONTAINERS_ENVS_STRATEGY
-                        ],
-                        config.POLICY_FIELD_CONTAINERS_ELEMENTS_REQUIRED: rule[
-                            config.ACI_FIELD_CONTAINERS_ENVS_REQUIRED
-                        ],
-                    }
-                )
+            out_rules.append(
+                {
+                    config.POLICY_FIELD_CONTAINERS_ELEMENTS_ENVS_RULE:
+                    f"{rule[config.ACI_FIELD_CONTAINERS_ENVS_NAME]}="
+                    + f"{rule[config.ACI_FIELD_CONTAINERS_ENVS_VALUE]}",
+                    config.POLICY_FIELD_CONTAINERS_ELEMENTS_ENVS_STRATEGY: rule[
+                        config.ACI_FIELD_CONTAINERS_ENVS_STRATEGY
+                    ],
+                    config.POLICY_FIELD_CONTAINERS_ELEMENTS_REQUIRED: rule.get(
+                        config.ACI_FIELD_CONTAINERS_ENVS_REQUIRED, False
+                    ),
+                }
+            )
         return out_rules
diff --git a/src/confcom/azext_confcom/security_policy.py b/src/confcom/azext_confcom/security_policy.py
index 49643236c44..ccb2c1707d9 100644
--- a/src/confcom/azext_confcom/security_policy.py
+++ b/src/confcom/azext_confcom/security_policy.py
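Review bot: The set comprehension inside the new filter, `f"{r["name"]}={r["value"]}"`, reuses double quotes inside a double-quoted f-string, which only parses on Python 3.12+ (PEP 701); on any older interpreter the extension still supports, container.py fails with a SyntaxError at import. That set is also rebuilt for every element of `out_rules` because it sits inside the comprehension's `if`, and it reads the literal keys `"pattern"`, `"name"` and `"value"` where the neighbouring lines use the `config.*` constants. Hoisting it fixes all three: `extra_patterns = {f"{r[config.ACI_FIELD_CONTAINERS_ENVS_NAME]}={r[config.ACI_FIELD_CONTAINERS_ENVS_VALUE]}" for r in self._extraEnvironmentRules}` followed by `out_rules = [rule for rule in out_rules if rule[config.POLICY_FIELD_CONTAINERS_ELEMENTS_ENVS_RULE] not in extra_patterns]`. Separately, the dedup key has changed from the variable name (the removed `not in env_var_names` guard) to the full `name=value` pattern, so an extra rule whose name matches an existing rule but whose value differs is now emitted alongside it instead of being skipped, which widens the generated `env_rules`; if that is intended it deserves a comment, and `env_var_names`, computed just above the hunk, now appears to be unread. `_get_environment_rules` starts before this hunk.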
@@ -497,12 +497,12 @@ def populate_policy_content_for_all_images(
                 for env_var in image.get_environment_rules()
             ]
-            for idx, env in enumerate(envs):
+            for env in envs:
                 name, value = env.split("=", 1)
                 # when user set environment variables conflict with the ones read from image, always
                 # keep user set environment variables
                 if name not in env_names:
-                    image.get_environment_rules().insert(idx,
+                    image.get_environment_rules().append(
                         {
                             config.POLICY_FIELD_CONTAINERS_ELEMENTS_ENVS_RULE: f"{name}={value}",
                             config.POLICY_FIELD_CONTAINERS_ELEMENTS_ENVS_STRATEGY: "string",
diff --git a/src/confcom/samples/aci/environment_variables/policy.rego b/src/confcom/samples/aci/environment_variables/policy.rego
index 38cf5f391d5..6966ac35d00 100644
--- a/src/confcom/samples/aci/environment_variables/policy.rego
+++ b/src/confcom/samples/aci/environment_variables/policy.rego
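Review bot: The comment retained on the new side, `# when user set environment variables conflict with the ones read from image, always keep user set environment variables`, contradicts the guard under it: `if name not in env_names` drops the incoming `env` whenever a rule with that name already exists, so the pre-existing rule wins. Which of the two sources is the user's is not visible in this hunk, but either the comment or the condition should change so that they agree, since this decides which value the policy enforces for a colliding name. `env_names` also appears to be a snapshot taken before the loop and is not extended as rules are appended, so two entries in `envs` that share a name are both appended; if that is unintended, record `name` in `env_names` inside the `if`. `populate_policy_content_for_all_images` begins before this hunk.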
@@ -18,7 +18,7 @@ fragments := [ } ] -containers := [{"allow_elevated":false,"allow_stdio_access":true,"capabilities":{"ambient":[],"bounding":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"],"effective":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"],"inheritable":[],"permitted":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"]},"command":null,"env_rules":[{"pattern":"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","required":false,"strategy":"string"},{"pattern":"MY_VAR=MY_VAL","required":false,"strategy":"string"},{"pattern":"TERM=xterm","required":false,"strategy":"string"},{"pattern":"(?i)(FABRIC)_.+=.+","required":false,"strategy":"re2"},{"pattern":"HOSTNAME=.+","required":false,"strategy":"re2"},{"pattern":"T(E)?MP=.+","required":false,"strategy":"re2"},{"pattern":"FabricPackageFileName=.+","required":false,"strategy":"re2"},{"pattern":"HostedServiceName=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_API_VERSION=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_HEADER=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_SERVER_THUMBPRINT=.+","required":false,"strategy":"re2"},{"pattern":"azurecontainerinstance_restarted_by=.+","required":false,"strategy":"re2"}],"exec_processes":[],"id":"mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2","layers":["243e1b3ce08093f2f0d9cd6a9eafde8737f64fec105ed59c346d309fbe760b58"],"mounts":[{"destination":"/etc/resolv.conf","options":["rbind","
rshared","rw"],"source":"sandbox:///tmp/atlas/resolvconf/.+","type":"bind"}],"name":"container1","no_new_privileges":false,"seccomp_profile_sha256":"","signals":[],"user":{"group_idnames":[{"pattern":"","strategy":"any"}],"umask":"0022","user_idname":{"pattern":"","strategy":"any"}},"working_dir":"/"},{"allow_elevated":false,"allow_stdio_access":true,"capabilities":{"ambient":[],"bounding":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"effective":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"inheritable":[],"permitted":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"]},"command":["/pause"],"env_rules":[{"pattern":"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","required":true,"strategy":"string"},{"pattern":"TERM=xterm","required":false,"strategy":"string"}],"exec_processes":[],"layers":["16b514057a06ad665f92c02863aca074fd5976c755d26bff16365299169e8415"],"mounts":[],"name":"pause-container","no_new_privileges":false,"seccomp_profile_sha256":"","signals":[],"user":{"group_idnames":[{"pattern":"","strategy":"any"}],"umask":"0022","user_idname":{"pattern":"","strategy":"any"}},"working_dir":"/"}] +containers := 
[{"allow_elevated":false,"allow_stdio_access":true,"capabilities":{"ambient":[],"bounding":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"],"effective":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"],"inheritable":[],"permitted":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"]},"command":null,"env_rules":[{"pattern":"MY_VAR=MY_VAL","required":false,"strategy":"string"},{"pattern":"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","required":false,"strategy":"string"},{"pattern":"TERM=xterm","required":false,"strategy":"string"},{"pattern":"(?i)(FABRIC)_.+=.+","required":false,"strategy":"re2"},{"pattern":"HOSTNAME=.+","required":false,"strategy":"re2"},{"pattern":"T(E)?MP=.+","required":false,"strategy":"re2"},{"pattern":"FabricPackageFileName=.+","required":false,"strategy":"re2"},{"pattern":"HostedServiceName=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_API_VERSION=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_HEADER=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_SERVER_THUMBPRINT=.+","required":false,"strategy":"re2"},{"pattern":"azurecontainerinstance_restarted_by=.+","required":false,"strategy":"re2"}],"exec_processes":[],"id":"mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2","layers":["243e1b3ce08093f2f0d9cd6a9eafde8737f64fec105ed59c346d309fbe760b58"],"mounts":[{"destination":"/etc/resolv.conf","options":["rbind","rshared","rw"],"source":"sandbox:///tmp/atlas/resolv
conf/.+","type":"bind"}],"name":"container1","no_new_privileges":false,"seccomp_profile_sha256":"","signals":[],"user":{"group_idnames":[{"pattern":"","strategy":"any"}],"umask":"0022","user_idname":{"pattern":"","strategy":"any"}},"working_dir":"/"},{"allow_elevated":false,"allow_stdio_access":true,"capabilities":{"ambient":[],"bounding":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"effective":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"inheritable":[],"permitted":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"]},"command":["/pause"],"env_rules":[{"pattern":"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","required":true,"strategy":"string"},{"pattern":"TERM=xterm","required":false,"strategy":"string"}],"exec_processes":[],"layers":["16b514057a06ad665f92c02863aca074fd5976c755d26bff16365299169e8415"],"mounts":[],"name":"pause-container","no_new_privileges":false,"seccomp_profile_sha256":"","signals":[],"user":{"group_idnames":[{"pattern":"","strategy":"any"}],"umask":"0022","user_idname":{"pattern":"","strategy":"any"}},"working_dir":"/"}] allow_properties_access := true allow_dump_stacks := false diff --git a/src/confcom/samples/aci/environment_variables/policy_debug.rego b/src/confcom/samples/aci/environment_variables/policy_debug.rego index 848baebf7de..79a435f36ef 100644 --- a/src/confcom/samples/aci/environment_variables/policy_debug.rego +++ b/src/confcom/samples/aci/environment_variables/policy_debug.rego 
@@ -18,7 +18,7 @@ fragments := [ } ] -containers := [{"allow_elevated":false,"allow_stdio_access":true,"capabilities":{"ambient":[],"bounding":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"],"effective":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"],"inheritable":[],"permitted":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"]},"command":null,"env_rules":[{"pattern":"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","required":false,"strategy":"string"},{"pattern":"MY_VAR=MY_VAL","required":false,"strategy":"string"},{"pattern":"TERM=xterm","required":false,"strategy":"string"},{"pattern":"(?i)(FABRIC)_.+=.+","required":false,"strategy":"re2"},{"pattern":"HOSTNAME=.+","required":false,"strategy":"re2"},{"pattern":"T(E)?MP=.+","required":false,"strategy":"re2"},{"pattern":"FabricPackageFileName=.+","required":false,"strategy":"re2"},{"pattern":"HostedServiceName=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_API_VERSION=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_HEADER=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_SERVER_THUMBPRINT=.+","required":false,"strategy":"re2"},{"pattern":"azurecontainerinstance_restarted_by=.+","required":false,"strategy":"re2"}],"exec_processes":[{"command":["/bin/sh"],"signals":[]},{"command":["/bin/bash"],"signals":[]}],"id":"mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2","layers":["243e1b3ce08093f2f0d9cd6a9eafde8737f64fec105ed59c346d309f
be760b58"],"mounts":[{"destination":"/etc/resolv.conf","options":["rbind","rshared","rw"],"source":"sandbox:///tmp/atlas/resolvconf/.+","type":"bind"}],"name":"container1","no_new_privileges":false,"seccomp_profile_sha256":"","signals":[],"user":{"group_idnames":[{"pattern":"","strategy":"any"}],"umask":"0022","user_idname":{"pattern":"","strategy":"any"}},"working_dir":"/"},{"allow_elevated":false,"allow_stdio_access":true,"capabilities":{"ambient":[],"bounding":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"effective":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"inheritable":[],"permitted":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"]},"command":["/pause"],"env_rules":[{"pattern":"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","required":true,"strategy":"string"},{"pattern":"TERM=xterm","required":false,"strategy":"string"}],"exec_processes":[],"layers":["16b514057a06ad665f92c02863aca074fd5976c755d26bff16365299169e8415"],"mounts":[],"name":"pause-container","no_new_privileges":false,"seccomp_profile_sha256":"","signals":[],"user":{"group_idnames":[{"pattern":"","strategy":"any"}],"umask":"0022","user_idname":{"pattern":"","strategy":"any"}},"working_dir":"/"}] +containers := 
[{"allow_elevated":false,"allow_stdio_access":true,"capabilities":{"ambient":[],"bounding":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"],"effective":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"],"inheritable":[],"permitted":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"]},"command":null,"env_rules":[{"pattern":"MY_VAR=MY_VAL","required":false,"strategy":"string"},{"pattern":"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","required":false,"strategy":"string"},{"pattern":"TERM=xterm","required":false,"strategy":"string"},{"pattern":"(?i)(FABRIC)_.+=.+","required":false,"strategy":"re2"},{"pattern":"HOSTNAME=.+","required":false,"strategy":"re2"},{"pattern":"T(E)?MP=.+","required":false,"strategy":"re2"},{"pattern":"FabricPackageFileName=.+","required":false,"strategy":"re2"},{"pattern":"HostedServiceName=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_API_VERSION=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_HEADER=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_SERVER_THUMBPRINT=.+","required":false,"strategy":"re2"},{"pattern":"azurecontainerinstance_restarted_by=.+","required":false,"strategy":"re2"}],"exec_processes":[{"command":["/bin/sh"],"signals":[]},{"command":["/bin/bash"],"signals":[]}],"id":"mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2","layers":["243e1b3ce08093f2f0d9cd6a9eafde8737f64fec105ed59c346d309fbe760b58"],"mounts":[{"destination":"/etc/resolv.con
f","options":["rbind","rshared","rw"],"source":"sandbox:///tmp/atlas/resolvconf/.+","type":"bind"}],"name":"container1","no_new_privileges":false,"seccomp_profile_sha256":"","signals":[],"user":{"group_idnames":[{"pattern":"","strategy":"any"}],"umask":"0022","user_idname":{"pattern":"","strategy":"any"}},"working_dir":"/"},{"allow_elevated":false,"allow_stdio_access":true,"capabilities":{"ambient":[],"bounding":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"effective":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"inheritable":[],"permitted":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"]},"command":["/pause"],"env_rules":[{"pattern":"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","required":true,"strategy":"string"},{"pattern":"TERM=xterm","required":false,"strategy":"string"}],"exec_processes":[],"layers":["16b514057a06ad665f92c02863aca074fd5976c755d26bff16365299169e8415"],"mounts":[],"name":"pause-container","no_new_privileges":false,"seccomp_profile_sha256":"","signals":[],"user":{"group_idnames":[{"pattern":"","strategy":"any"}],"umask":"0022","user_idname":{"pattern":"","strategy":"any"}},"working_dir":"/"}] allow_properties_access := true allow_dump_stacks := true diff --git a/src/confcom/samples/aci/environment_variables/policy_disable_stdio.rego b/src/confcom/samples/aci/environment_variables/policy_disable_stdio.rego index a26a5b00418..1b3bf3399eb 100644 --- a/src/confcom/samples/aci/environment_variables/policy_disable_stdio.rego 
+++ b/src/confcom/samples/aci/environment_variables/policy_disable_stdio.rego 
@@ -18,7 +18,7 @@ fragments := [ } ] -containers := [{"allow_elevated":false,"allow_stdio_access":false,"capabilities":{"ambient":[],"bounding":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"],"effective":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"],"inheritable":[],"permitted":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"]},"command":null,"env_rules":[{"pattern":"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","required":false,"strategy":"string"},{"pattern":"MY_VAR=MY_VAL","required":false,"strategy":"string"},{"pattern":"TERM=xterm","required":false,"strategy":"string"},{"pattern":"(?i)(FABRIC)_.+=.+","required":false,"strategy":"re2"},{"pattern":"HOSTNAME=.+","required":false,"strategy":"re2"},{"pattern":"T(E)?MP=.+","required":false,"strategy":"re2"},{"pattern":"FabricPackageFileName=.+","required":false,"strategy":"re2"},{"pattern":"HostedServiceName=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_API_VERSION=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_HEADER=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_SERVER_THUMBPRINT=.+","required":false,"strategy":"re2"},{"pattern":"azurecontainerinstance_restarted_by=.+","required":false,"strategy":"re2"}],"exec_processes":[],"id":"mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2","layers":["243e1b3ce08093f2f0d9cd6a9eafde8737f64fec105ed59c346d309fbe760b58"],"mounts":[{"destination":"/etc/resolv.conf","options":["rbind",
"rshared","rw"],"source":"sandbox:///tmp/atlas/resolvconf/.+","type":"bind"}],"name":"container1","no_new_privileges":false,"seccomp_profile_sha256":"","signals":[],"user":{"group_idnames":[{"pattern":"","strategy":"any"}],"umask":"0022","user_idname":{"pattern":"","strategy":"any"}},"working_dir":"/"},{"allow_elevated":false,"allow_stdio_access":false,"capabilities":{"ambient":[],"bounding":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"effective":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"inheritable":[],"permitted":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"]},"command":["/pause"],"env_rules":[{"pattern":"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","required":true,"strategy":"string"},{"pattern":"TERM=xterm","required":false,"strategy":"string"}],"exec_processes":[],"layers":["16b514057a06ad665f92c02863aca074fd5976c755d26bff16365299169e8415"],"mounts":[],"name":"pause-container","no_new_privileges":false,"seccomp_profile_sha256":"","signals":[],"user":{"group_idnames":[{"pattern":"","strategy":"any"}],"umask":"0022","user_idname":{"pattern":"","strategy":"any"}},"working_dir":"/"}] +containers := 
[{"allow_elevated":false,"allow_stdio_access":false,"capabilities":{"ambient":[],"bounding":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"],"effective":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"],"inheritable":[],"permitted":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"]},"command":null,"env_rules":[{"pattern":"MY_VAR=MY_VAL","required":false,"strategy":"string"},{"pattern":"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","required":false,"strategy":"string"},{"pattern":"TERM=xterm","required":false,"strategy":"string"},{"pattern":"(?i)(FABRIC)_.+=.+","required":false,"strategy":"re2"},{"pattern":"HOSTNAME=.+","required":false,"strategy":"re2"},{"pattern":"T(E)?MP=.+","required":false,"strategy":"re2"},{"pattern":"FabricPackageFileName=.+","required":false,"strategy":"re2"},{"pattern":"HostedServiceName=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_API_VERSION=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_HEADER=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_SERVER_THUMBPRINT=.+","required":false,"strategy":"re2"},{"pattern":"azurecontainerinstance_restarted_by=.+","required":false,"strategy":"re2"}],"exec_processes":[],"id":"mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2","layers":["243e1b3ce08093f2f0d9cd6a9eafde8737f64fec105ed59c346d309fbe760b58"],"mounts":[{"destination":"/etc/resolv.conf","options":["rbind","rshared","rw"],"source":"sandbox:///tmp/atlas/resol
vconf/.+","type":"bind"}],"name":"container1","no_new_privileges":false,"seccomp_profile_sha256":"","signals":[],"user":{"group_idnames":[{"pattern":"","strategy":"any"}],"umask":"0022","user_idname":{"pattern":"","strategy":"any"}},"working_dir":"/"},{"allow_elevated":false,"allow_stdio_access":false,"capabilities":{"ambient":[],"bounding":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"effective":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"inheritable":[],"permitted":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"]},"command":["/pause"],"env_rules":[{"pattern":"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","required":true,"strategy":"string"},{"pattern":"TERM=xterm","required":false,"strategy":"string"}],"exec_processes":[],"layers":["16b514057a06ad665f92c02863aca074fd5976c755d26bff16365299169e8415"],"mounts":[],"name":"pause-container","no_new_privileges":false,"seccomp_profile_sha256":"","signals":[],"user":{"group_idnames":[{"pattern":"","strategy":"any"}],"umask":"0022","user_idname":{"pattern":"","strategy":"any"}},"working_dir":"/"}] allow_properties_access := true allow_dump_stacks := false diff --git a/src/confcom/samples/aci/environment_variables/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/environment_variables/policy_exclude_default_fragment.rego index 99f3ccd9025..0582ec2f8b7 100644 --- a/src/confcom/samples/aci/environment_variables/policy_exclude_default_fragment.rego 
+++ b/src/confcom/samples/aci/environment_variables/policy_exclude_default_fragment.rego 
@@ -8,7 +8,7 @@ framework_version := "0.2.3" fragments := [] -containers := [{"allow_elevated":false,"allow_stdio_access":true,"capabilities":{"ambient":[],"bounding":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"],"effective":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"],"inheritable":[],"permitted":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"]},"command":null,"env_rules":[{"pattern":"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","required":false,"strategy":"string"},{"pattern":"MY_VAR=MY_VAL","required":false,"strategy":"string"},{"pattern":"TERM=xterm","required":false,"strategy":"string"},{"pattern":"(?i)(FABRIC)_.+=.+","required":false,"strategy":"re2"},{"pattern":"HOSTNAME=.+","required":false,"strategy":"re2"},{"pattern":"T(E)?MP=.+","required":false,"strategy":"re2"},{"pattern":"FabricPackageFileName=.+","required":false,"strategy":"re2"},{"pattern":"HostedServiceName=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_API_VERSION=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_HEADER=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_SERVER_THUMBPRINT=.+","required":false,"strategy":"re2"},{"pattern":"azurecontainerinstance_restarted_by=.+","required":false,"strategy":"re2"}],"exec_processes":[],"id":"mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2","layers":["243e1b3ce08093f2f0d9cd6a9eafde8737f64fec105ed59c346d309fbe760b58"],"mounts":[{"destination":"/etc/resolv.co
nf","options":["rbind","rshared","rw"],"source":"sandbox:///tmp/atlas/resolvconf/.+","type":"bind"}],"name":"container1","no_new_privileges":false,"seccomp_profile_sha256":"","signals":[],"user":{"group_idnames":[{"pattern":"","strategy":"any"}],"umask":"0022","user_idname":{"pattern":"","strategy":"any"}},"working_dir":"/"},{"allow_elevated":false,"allow_stdio_access":true,"capabilities":{"ambient":[],"bounding":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"effective":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"inheritable":[],"permitted":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"]},"command":["/pause"],"env_rules":[{"pattern":"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","required":true,"strategy":"string"},{"pattern":"TERM=xterm","required":false,"strategy":"string"}],"exec_processes":[],"layers":["16b514057a06ad665f92c02863aca074fd5976c755d26bff16365299169e8415"],"mounts":[],"name":"pause-container","no_new_privileges":false,"seccomp_profile_sha256":"","signals":[],"user":{"group_idnames":[{"pattern":"","strategy":"any"}],"umask":"0022","user_idname":{"pattern":"","strategy":"any"}},"working_dir":"/"}] +containers := 
[{"allow_elevated":false,"allow_stdio_access":true,"capabilities":{"ambient":[],"bounding":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"],"effective":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"],"inheritable":[],"permitted":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"]},"command":null,"env_rules":[{"pattern":"MY_VAR=MY_VAL","required":false,"strategy":"string"},{"pattern":"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","required":false,"strategy":"string"},{"pattern":"TERM=xterm","required":false,"strategy":"string"},{"pattern":"(?i)(FABRIC)_.+=.+","required":false,"strategy":"re2"},{"pattern":"HOSTNAME=.+","required":false,"strategy":"re2"},{"pattern":"T(E)?MP=.+","required":false,"strategy":"re2"},{"pattern":"FabricPackageFileName=.+","required":false,"strategy":"re2"},{"pattern":"HostedServiceName=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_API_VERSION=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_HEADER=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_SERVER_THUMBPRINT=.+","required":false,"strategy":"re2"},{"pattern":"azurecontainerinstance_restarted_by=.+","required":false,"strategy":"re2"}],"exec_processes":[],"id":"mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2","layers":["243e1b3ce08093f2f0d9cd6a9eafde8737f64fec105ed59c346d309fbe760b58"],"mounts":[{"destination":"/etc/resolv.conf","options":["rbind","rshared","rw"],"source":"sandbox:///tmp/atlas/resolv
conf/.+","type":"bind"}],"name":"container1","no_new_privileges":false,"seccomp_profile_sha256":"","signals":[],"user":{"group_idnames":[{"pattern":"","strategy":"any"}],"umask":"0022","user_idname":{"pattern":"","strategy":"any"}},"working_dir":"/"},{"allow_elevated":false,"allow_stdio_access":true,"capabilities":{"ambient":[],"bounding":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"effective":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"inheritable":[],"permitted":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"]},"command":["/pause"],"env_rules":[{"pattern":"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","required":true,"strategy":"string"},{"pattern":"TERM=xterm","required":false,"strategy":"string"}],"exec_processes":[],"layers":["16b514057a06ad665f92c02863aca074fd5976c755d26bff16365299169e8415"],"mounts":[],"name":"pause-container","no_new_privileges":false,"seccomp_profile_sha256":"","signals":[],"user":{"group_idnames":[{"pattern":"","strategy":"any"}],"umask":"0022","user_idname":{"pattern":"","strategy":"any"}},"working_dir":"/"}] allow_properties_access := true allow_dump_stacks := false diff --git a/src/confcom/samples/aci/environment_variables/policy_infrastructure_svn.rego b/src/confcom/samples/aci/environment_variables/policy_infrastructure_svn.rego index 9fd94dcaad5..5c5771f5e79 100644 --- a/src/confcom/samples/aci/environment_variables/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/environment_variables/policy_infrastructure_svn.rego 
@@ -18,7 +18,7 @@ fragments := [ } ] -containers := [{"allow_elevated":false,"allow_stdio_access":true,"capabilities":{"ambient":[],"bounding":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"],"effective":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"],"inheritable":[],"permitted":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"]},"command":null,"env_rules":[{"pattern":"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","required":false,"strategy":"string"},{"pattern":"MY_VAR=MY_VAL","required":false,"strategy":"string"},{"pattern":"TERM=xterm","required":false,"strategy":"string"},{"pattern":"(?i)(FABRIC)_.+=.+","required":false,"strategy":"re2"},{"pattern":"HOSTNAME=.+","required":false,"strategy":"re2"},{"pattern":"T(E)?MP=.+","required":false,"strategy":"re2"},{"pattern":"FabricPackageFileName=.+","required":false,"strategy":"re2"},{"pattern":"HostedServiceName=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_API_VERSION=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_HEADER=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_SERVER_THUMBPRINT=.+","required":false,"strategy":"re2"},{"pattern":"azurecontainerinstance_restarted_by=.+","required":false,"strategy":"re2"}],"exec_processes":[],"id":"mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2","layers":["243e1b3ce08093f2f0d9cd6a9eafde8737f64fec105ed59c346d309fbe760b58"],"mounts":[{"destination":"/etc/resolv.conf","options":["rbind","
rshared","rw"],"source":"sandbox:///tmp/atlas/resolvconf/.+","type":"bind"}],"name":"container1","no_new_privileges":false,"seccomp_profile_sha256":"","signals":[],"user":{"group_idnames":[{"pattern":"","strategy":"any"}],"umask":"0022","user_idname":{"pattern":"","strategy":"any"}},"working_dir":"/"},{"allow_elevated":false,"allow_stdio_access":true,"capabilities":{"ambient":[],"bounding":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"effective":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"inheritable":[],"permitted":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"]},"command":["/pause"],"env_rules":[{"pattern":"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","required":true,"strategy":"string"},{"pattern":"TERM=xterm","required":false,"strategy":"string"}],"exec_processes":[],"layers":["16b514057a06ad665f92c02863aca074fd5976c755d26bff16365299169e8415"],"mounts":[],"name":"pause-container","no_new_privileges":false,"seccomp_profile_sha256":"","signals":[],"user":{"group_idnames":[{"pattern":"","strategy":"any"}],"umask":"0022","user_idname":{"pattern":"","strategy":"any"}},"working_dir":"/"}] +containers := 
[{"allow_elevated":false,"allow_stdio_access":true,"capabilities":{"ambient":[],"bounding":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"],"effective":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"],"inheritable":[],"permitted":["CAP_AUDIT_WRITE","CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FOWNER","CAP_FSETID","CAP_KILL","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_SETUID","CAP_SYS_CHROOT"]},"command":null,"env_rules":[{"pattern":"MY_VAR=MY_VAL","required":false,"strategy":"string"},{"pattern":"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","required":false,"strategy":"string"},{"pattern":"TERM=xterm","required":false,"strategy":"string"},{"pattern":"(?i)(FABRIC)_.+=.+","required":false,"strategy":"re2"},{"pattern":"HOSTNAME=.+","required":false,"strategy":"re2"},{"pattern":"T(E)?MP=.+","required":false,"strategy":"re2"},{"pattern":"FabricPackageFileName=.+","required":false,"strategy":"re2"},{"pattern":"HostedServiceName=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_API_VERSION=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_HEADER=.+","required":false,"strategy":"re2"},{"pattern":"IDENTITY_SERVER_THUMBPRINT=.+","required":false,"strategy":"re2"},{"pattern":"azurecontainerinstance_restarted_by=.+","required":false,"strategy":"re2"}],"exec_processes":[],"id":"mcr.microsoft.com/azurelinux/distroless/base@sha256:1e77d97e1e39f22ed9c52f49b3508b4c1044cec23743df9098ac44e025f654f2","layers":["243e1b3ce08093f2f0d9cd6a9eafde8737f64fec105ed59c346d309fbe760b58"],"mounts":[{"destination":"/etc/resolv.conf","options":["rbind","rshared","rw"],"source":"sandbox:///tmp/atlas/resolv
conf/.+","type":"bind"}],"name":"container1","no_new_privileges":false,"seccomp_profile_sha256":"","signals":[],"user":{"group_idnames":[{"pattern":"","strategy":"any"}],"umask":"0022","user_idname":{"pattern":"","strategy":"any"}},"working_dir":"/"},{"allow_elevated":false,"allow_stdio_access":true,"capabilities":{"ambient":[],"bounding":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"effective":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"inheritable":[],"permitted":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"]},"command":["/pause"],"env_rules":[{"pattern":"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","required":true,"strategy":"string"},{"pattern":"TERM=xterm","required":false,"strategy":"string"}],"exec_processes":[],"layers":["16b514057a06ad665f92c02863aca074fd5976c755d26bff16365299169e8415"],"mounts":[],"name":"pause-container","no_new_privileges":false,"seccomp_profile_sha256":"","signals":[],"user":{"group_idnames":[{"pattern":"","strategy":"any"}],"umask":"0022","user_idname":{"pattern":"","strategy":"any"}},"working_dir":"/"}] allow_properties_access := true allow_dump_stacks := false From 1bbd2a4e2724524d008871bf813f61aaddfd0fbe Mon Sep 17 00:00:00 2001 From: Dominic Ayre Date: Mon, 6 Oct 2025 13:39:34 +0000 Subject: [PATCH 14/16] Fix typo --- src/confcom/samples/aci/environment_variables/arm_template.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/src/confcom/samples/aci/environment_variables/arm_template.json b/src/confcom/samples/aci/environment_variables/arm_template.json index 82f93c55b5a..6a84bf44335 100644 --- a/src/confcom/samples/aci/environment_variables/arm_template.json +++ b/src/confcom/samples/aci/environment_variables/arm_template.json @@ -11,7 +11,7 @@ "osType": "Linux", "restartPolicy": "OnFailure", "confidentialComputeProperties": { - "ccePolicy": "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" + "ccePolicy": "" }, "containers": [ { From f02ab7c8ad30968b9f502f58f5465265fb9bdebe Mon Sep 17 00:00:00 2001 From: Dominic Ayre Date: Mon, 6 Oct 2025 14:06:42 +0000 Subject: [PATCH 15/16] Fix zero sidecar annotation --- src/confcom/azext_confcom/lib/arm_to_aci_policy_spec.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/confcom/azext_confcom/lib/arm_to_aci_policy_spec.py b/src/confcom/azext_confcom/lib/arm_to_aci_policy_spec.py index feb547b60a3..fc9bc5928fe 100644 --- a/src/confcom/azext_confcom/lib/arm_to_aci_policy_spec.py +++ b/src/confcom/azext_confcom/lib/arm_to_aci_policy_spec.py @@ -215,6 +215,8 @@ def replace_min_svn(frag): "minimum_svn": infrastructure_fragment_min_svn or min_svn, } + include_infrastructure_fragment = not container_group.get("tags", {}).get("Annotate-zero-sidecar", not include_infrastructure_fragment) + return AciPolicySpec( fragments=[ *arm_container_group_to_aci_policy_spec_fragments(container_group), @@ -235,7 +237,7 @@ def replace_min_svn(frag): for c in containers + container_group.get("properties", {}).get("initContainers", []) ], profile="debug" if debug_mode else "strict", - include_infrastructure_fragment=not container_group.get("tags", {}).get("Annotate-zero-sidecar", not include_infrastructure_fragment), + include_infrastructure_fragment=include_infrastructure_fragment, allow_stdio_access=allow_stdio_access, ) From 49fb60cf947b743098a0457e3870946ad5ade54f Mon Sep 17 00:00:00 2001 
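Review bot: The hoisted local `include_infrastructure_fragment = not container_group.get("tags", {}).get("Annotate-zero-sidecar", not include_infrastructure_fragment)` still decides the flag by Python truthiness of the tag value, and ARM template tag values are strings, so a tag set to `"false"` or `"0"` is truthy and drops the infrastructure fragment exactly as `"true"` does; only the absent-tag path falls back to the caller's argument. The tag name suggests the fragment is what covers the platform sidecars, so the likely symptom is a policy that the operator did not intend and that fails at deployment, rather than a weaker one, but it is still silently wrong output from a policy generator. I would parse the value explicitly, e.g. `zero_sidecar = str(container_group.get("tags", {}).get("Annotate-zero-sidecar", "")).strip().lower() in ("true", "1")` followed by `include_infrastructure_fragment = include_infrastructure_fragment and not zero_sidecar`, which keeps the absent-tag behaviour and makes the accepted spellings explicit. The enclosing function starts before this hunk, so I cannot see how `include_infrastructure_fragment` arrives; if callers can pass it explicitly, a one-line comment that the tag can only turn the fragment off, never force it on, would help the next reader.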
From: Dominic Ayre Date: Mon, 6 Oct 2025 14:09:31 +0000 Subject: [PATCH 16/16] Satisfy azdev style --- src/confcom/azext_confcom/command/parse_aci_arm.py | 2 +- src/confcom/azext_confcom/container.py | 4 ---- src/confcom/azext_confcom/custom.py | 1 + src/confcom/azext_confcom/lib/aci_infrastructure.py | 7 +++++-- src/confcom/azext_confcom/security_policy.py | 2 +- 5 files changed, 8 insertions(+), 8 deletions(-) diff --git a/src/confcom/azext_confcom/command/parse_aci_arm.py b/src/confcom/azext_confcom/command/parse_aci_arm.py index ba9ec1dde5f..6e7a231dd5f 100644 --- a/src/confcom/azext_confcom/command/parse_aci_arm.py +++ b/src/confcom/azext_confcom/command/parse_aci_arm.py @@ -60,4 +60,4 @@ def parse_aci_arm( spec = omit_implicit_features(spec) specs.append(asdict(spec, dict_factory=omit_defaults_dict_factory)) - return specs \ No newline at end of file + return specs diff --git a/src/confcom/azext_confcom/container.py b/src/confcom/azext_confcom/container.py index 8e44f8acf22..e9d95e6eed9 100644 --- a/src/confcom/azext_confcom/container.py +++ b/src/confcom/azext_confcom/container.py @@ -701,10 +701,6 @@ def parse_all_parameters_and_variables(self, params, vars_dict) -> None: def _get_environment_rules(self) -> List[Dict[str, Any]]: out_rules = copy.deepcopy(self._environmentRules) - env_var_names = [ - var[config.POLICY_FIELD_CONTAINERS_ELEMENTS_ENVS_RULE].split("=")[0] - for var in out_rules - ] # Remove variables from out_rules which appear in extraEnvironmentRules # so they're always at the end of the list. This is to maintain the diff --git a/src/confcom/azext_confcom/custom.py b/src/confcom/azext_confcom/custom.py index f9814367a1b..cb4e419a024 100644 --- a/src/confcom/azext_confcom/custom.py +++ b/src/confcom/azext_confcom/custom.py 
@@ -491,6 +491,7 @@ def get_fragment_output_type(outraw):
 output_type = security_policy.OutputType.RAW
 return output_type

+
 # This should be *args, **kwargs to avoid having to touch this, however the az
 # extension frameworks then expects literal args and kwargs parameters.
 def parse_aci_arm(
diff --git a/src/confcom/azext_confcom/lib/aci_infrastructure.py b/src/confcom/azext_confcom/lib/aci_infrastructure.py
index c2414f2a8db..c52de7a37b7 100644
--- a/src/confcom/azext_confcom/lib/aci_infrastructure.py
+++ b/src/confcom/azext_confcom/lib/aci_infrastructure.py
@@ -1,4 +1,7 @@
-
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# --------------------------------------------------------------------------------------------
 from dataclasses import fields, is_dataclass, replace


@@ -31,4 +34,4 @@ def omit_implicit_features(obj):
 return replace(obj, **{f.name: omit_implicit_features(getattr(obj, f.name)) for f in fields(obj)})
 if isinstance(obj, list):
 return [omit_implicit_features(x) for x in obj if x not in implicit_features]
- return obj
\ No newline at end of file
+ return obj
diff --git a/src/confcom/azext_confcom/security_policy.py b/src/confcom/azext_confcom/security_policy.py
index ccb2c1707d9..0a2f2eb4839 100644
--- a/src/confcom/azext_confcom/security_policy.py
+++ b/src/confcom/azext_confcom/security_policy.py
@@ -11,7 +11,6 @@
 from typing import Any, Dict, List, Tuple, Union
 from dataclasses import asdict

-from azext_confcom.lib.aci_policy_spec import AciFragmentSpec
 from azext_confcom.lib.arm_to_aci_policy_spec import arm_to_aci_policy_spec
 from azext_confcom import (config, os_util)
 from azext_confcom.container import ContainerImage, UserContainerImage
@@ -738,6 +737,7 @@ load_policy_from_json_file(
 )


+# pylint: disable=too-many-branches
 def load_policy_from_json(
 data: str,
 debug_mode: bool = False,
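Review bot: The new `# pylint: disable=too-many-branches` is placed on a line of its own at module scope, and pylint documents that a standalone disable comment applies from that line to the end of the enclosing scope, so it silences the check for every function defined after `load_policy_from_json` in this module rather than for this one function. Attaching it to the definition keeps the suppression local: `def load_policy_from_json(  # pylint: disable=too-many-branches`. The body of `load_policy_from_json` lies outside the hunk, so I cannot tell whether the branch count could instead be brought down by splitting the function.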
