
Merge pull request #1016 from jvanz/rename-url-field
fix!: renames "url" field into "module".
jvanz authored Jan 7, 2025
2 parents 323ee15 + 6847459 commit 378ca5b
Showing 7 changed files with 59 additions and 59 deletions.
18 changes: 9 additions & 9 deletions README.md
Expand Up @@ -37,11 +37,11 @@ This is an example of the policies file:

```yml
psp-apparmor:
url: registry://ghcr.io/kubewarden/policies/psp-apparmor:v0.1.3
module: registry://ghcr.io/kubewarden/policies/psp-apparmor:v0.1.3
psp-capabilities:
url: registry://ghcr.io/kubewarden/policies/psp-capabilities:v0.1.3
module: registry://ghcr.io/kubewarden/policies/psp-capabilities:v0.1.3
namespace_simple:
url: file:///tmp/namespace-validate-policy.wasm
module: file:///tmp/namespace-validate-policy.wasm
settings:
valid_namespace: kubewarden-approved
```
Expand Down Expand Up @@ -98,22 +98,22 @@ This is an example of the policies file with a policy group:
pod-image-signatures: # policy group
policies:
- name: sigstore_pgp
url: ghcr.io/kubewarden/policies/verify-image-signatures:v0.2.8
module: ghcr.io/kubewarden/policies/verify-image-signatures:v0.2.8
settings:
signatures:
- image: "*"
pubKeys:
- "-----BEGIN PUBLIC KEY-----xxxxx-----END PUBLIC KEY-----"
- "-----BEGIN PUBLIC KEY-----xxxxx-----END PUBLIC KEY-----"
- name: sigstore_gh_action
url: ghcr.io/kubewarden/policies/verify-image-signatures:v0.2.8
module: ghcr.io/kubewarden/policies/verify-image-signatures:v0.2.8
settings:
signatures:
- image: "*"
githubActions:
owner: "kubewarden"
- name: reject_latest_tag
url: ghcr.io/kubewarden/policies/trusted-repos-policy:v0.1.12
module: ghcr.io/kubewarden/policies/trusted-repos-policy:v0.1.12
settings:
tags:
reject:
Expand All @@ -133,7 +133,7 @@ that is allowed to access:
strict-ingress-checks:
policies:
- name: unique_ingress
url: ghcr.io/kubewarden/policies/cel-policy:latest
module: ghcr.io/kubewarden/policies/cel-policy:latest
contextAwareResources:
- apiVersion: networking.k8s.io/v1
kind: Ingress
Expand All @@ -154,13 +154,13 @@ strict-ingress-checks:
!variables.knownHost.exists_one(hosts, sets.intersects(hosts, variables.desiredHosts))
message: "Cannot reuse a host across multiple ingresses"
- name: https_only
url: ghcr.io/kubewarden/policies/ingress:latest
module: ghcr.io/kubewarden/policies/ingress:latest
settings:
requireTLS: true
allowPorts: [443]
denyPorts: [80]
- name: http_only
url: ghcr.io/kubewarden/policies/ingress:latest
module: ghcr.io/kubewarden/policies/ingress:latest
settings:
requireTLS: false
allowPorts: [80]
10 changes: 5 additions & 5 deletions policies.yml.example
@@ -1,30 +1,30 @@
psp-apparmor:
url: registry://ghcr.io/kubewarden/policies/psp-apparmor:v0.1.7
module: registry://ghcr.io/kubewarden/policies/psp-apparmor:v0.1.7
psp-capabilities:
url: registry://ghcr.io/kubewarden/policies/psp-capabilities:v0.1.7
module: registry://ghcr.io/kubewarden/policies/psp-capabilities:v0.1.7
allowedToMutate: true
settings:
allowed_capabilities: ["*"]
required_drop_capabilities: ["KILL"]
pod-image-signatures: # policy group
policies:
sigstore_pgp:
url: ghcr.io/kubewarden/policies/verify-image-signatures:v0.2.8
module: ghcr.io/kubewarden/policies/verify-image-signatures:v0.2.8
settings:
signatures:
- image: "*"
pubKeys:
- "-----BEGIN PUBLIC KEY-----xxxxx-----END PUBLIC KEY-----"
- "-----BEGIN PUBLIC KEY-----xxxxx-----END PUBLIC KEY-----"
sigstore_gh_action:
url: ghcr.io/kubewarden/policies/verify-image-signatures:v0.2.8
module: ghcr.io/kubewarden/policies/verify-image-signatures:v0.2.8
settings:
signatures:
- image: "*"
githubActions:
owner: "kubewarden"
reject_latest_tag:
url: ghcr.io/kubewarden/policies/trusted-repos-policy:v0.1.12
module: ghcr.io/kubewarden/policies/trusted-repos-policy:v0.1.12
settings:
tags:
reject:
40 changes: 20 additions & 20 deletions src/config.rs
Expand Up @@ -318,7 +318,7 @@ pub enum PolicyOrPolicyGroupSettings {
#[serde(deny_unknown_fields, rename_all = "camelCase")]
pub struct PolicyGroupMember {
/// Thge URL where the policy is located
pub url: String,
pub module: String,
/// The settings for the policy
pub settings: Option<HashMap<String, serde_yaml::Value>>,
/// The list of Kubernetes resources the policy is allowed to access
Expand All @@ -341,7 +341,7 @@ pub enum PolicyOrPolicyGroup {
#[serde(rename_all = "camelCase")]
Policy {
/// The URL where the policy is located
url: String,
module: String,
#[serde(default)]
/// The mode of the policy
policy_mode: PolicyMode,
Expand Down Expand Up @@ -485,7 +485,7 @@ mod tests {
let policies_yaml = r#"
---
example:
url: ghcr.io/kubewarden/policies/context-aware-policy:0.1.0
module: ghcr.io/kubewarden/policies/context-aware-policy:0.1.0
settings: {}
allowedToMutate: true
contextAwareResources:
Expand All @@ -499,10 +499,10 @@ group_policy:
message: "group policy message"
policies:
policy1:
url: ghcr.io/kubewarden/policies/policy1:0.1.0
module: ghcr.io/kubewarden/policies/policy1:0.1.0
settings: {}
policy2:
url: ghcr.io/kubewarden/policies/policy2:0.1.0
module: ghcr.io/kubewarden/policies/policy2:0.1.0
settings: {}
"#;

Expand All @@ -516,7 +516,7 @@ group_policy:
(
"example".to_owned(),
PolicyOrPolicyGroup::Policy {
url: "ghcr.io/kubewarden/policies/context-aware-policy:0.1.0".to_owned(),
module: "ghcr.io/kubewarden/policies/context-aware-policy:0.1.0".to_owned(),
policy_mode: PolicyMode::Protect,
allowed_to_mutate: Some(true),
settings: Some(HashMap::new()),
Expand All @@ -542,15 +542,15 @@ group_policy:
(
"policy1".to_owned(),
PolicyGroupMember {
url: "ghcr.io/kubewarden/policies/policy1:0.1.0".to_owned(),
module: "ghcr.io/kubewarden/policies/policy1:0.1.0".to_owned(),
settings: Some(HashMap::new()),
context_aware_resources: BTreeSet::new(),
},
),
(
"policy2".to_string(),
PolicyGroupMember {
url: "ghcr.io/kubewarden/policies/policy2:0.1.0".to_owned(),
module: "ghcr.io/kubewarden/policies/policy2:0.1.0".to_owned(),
settings: Some(HashMap::new()),
context_aware_resources: BTreeSet::new(),
},
Expand All @@ -568,30 +568,30 @@ group_policy:
r#"
---
example:
url: file:///tmp/namespace-validate-policy.wasm
module: file:///tmp/namespace-validate-policy.wasm
settings: {}
"#, json!({})
)]
#[case::settings_missing(
r#"
---
example:
url: file:///tmp/namespace-validate-policy.wasm
module: file:///tmp/namespace-validate-policy.wasm
"#, json!({})
)]
#[case::settings_null(
r#"
---
example:
url: file:///tmp/namespace-validate-policy.wasm
module: file:///tmp/namespace-validate-policy.wasm
settings: null
"#, json!({})
)]
#[case::settings_provided(
r#"
---
example:
url: file:///tmp/namespace-validate-policy.wasm
module: file:///tmp/namespace-validate-policy.wasm
settings:
"counter": 1
"items": ["a", "b"]
Expand All @@ -617,7 +617,7 @@ example:
let policies_yaml = r#"
---
example:
url: file:///tmp/namespace-validate-policy.wasm
module: file:///tmp/namespace-validate-policy.wasm
settings: {}
"#;
let mut temp_file = NamedTempFile::new().unwrap();
Expand Down Expand Up @@ -654,17 +654,17 @@ example:
r#"
---
example:
url: file:///tmp/namespace-validate-policy.wasm
module: file:///tmp/namespace-validate-policy.wasm
settings: {}
group_policy:
expression: "true"
message: "group policy message"
policies:
policy1:
url: file:///tmp/namespace-validate-policy.wasm
module: file:///tmp/namespace-validate-policy.wasm
settings: {}
policy2:
url: file:///tmp/namespace-validate-policy.wasm
module: file:///tmp/namespace-validate-policy.wasm
settings: {}
"#,
true
Expand All @@ -673,7 +673,7 @@ group_policy:
r#"
---
example/invalid:
url: file:///tmp/namespace-validate-policy.wasm
module: file:///tmp/namespace-validate-policy.wasm
settings: {}
"#,
false
Expand All @@ -682,17 +682,17 @@ example/invalid:
r#"
---
example:
url: file:///tmp/namespace-validate-policy.wasm
module: file:///tmp/namespace-validate-policy.wasm
settings: {}
group_policy:
expression: "true"
message: "group policy message"
policies:
policy1/a:
url: file:///tmp/namespace-validate-policy.wasm
module: file:///tmp/namespace-validate-policy.wasm
settings: {}
policy2:
url: file:///tmp/namespace-validate-policy.wasm
module: file:///tmp/namespace-validate-policy.wasm
settings: {}
"#,
false
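Review bot: No test in the visible hunks covers a policies file that still uses the old `url` key, so what an operator sees after upgrading is left to serde's default error. `PolicyGroupMember` carries `deny_unknown_fields`, so such a file should now be rejected; for an admission controller it is worth pinning that with a negative `#[case]` that feeds `url: file:///tmp/namespace-validate-policy.wasm` and asserts the load fails, or, if a transition period is intended, accepting both keys with `#[serde(alias = "url")]` on `module`. The doc comments on both fields still describe a "URL" (one reads "Thge URL"); `/// Location of the policy module: a registry reference or a file:// path` would match the new name and the forms shown in the README. Both type definitions and the tests module continue outside these hunks.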
24 changes: 12 additions & 12 deletions src/evaluation/evaluation_environment.rs
Expand Up @@ -214,7 +214,7 @@ impl<'engine, 'precompiled_policies> EvaluationEnvironmentBuilder<'engine, 'prec

match policy {
PolicyOrPolicyGroup::Policy {
url,
module: url,
policy_mode,
allowed_to_mutate,
context_aware_resources,
Expand Down Expand Up @@ -297,7 +297,7 @@ impl<'engine, 'precompiled_policies> EvaluationEnvironmentBuilder<'engine, 'prec
if let Err(e) = self.bootstrap_policy(
&mut eval_env,
policy_id.clone(),
&policy.url,
&policy.module,
policy_evaluation_settings,
eval_ctx,
) {
Expand Down Expand Up @@ -820,7 +820,7 @@ mod tests {
policies.insert(
policy_id.to_string(),
PolicyOrPolicyGroup::Policy {
url: policy_url.clone(),
module: policy_url.clone(),
policy_mode: PolicyMode::Protect,
allowed_to_mutate: None,
settings: None,
Expand All @@ -838,7 +838,7 @@ mod tests {
policies: vec![(
"happy_policy_1".to_string(),
PolicyGroupMember {
url: "file:///tmp/happy_policy_1.wasm".to_string(),
module: "file:///tmp/happy_policy_1.wasm".to_string(),
settings: None,
context_aware_resources: BTreeSet::new(),
},
Expand All @@ -865,7 +865,7 @@ mod tests {
policies: vec![(
"happy_policy_1".to_string(),
PolicyGroupMember {
url: "file:///tmp/happy_policy_1.wasm".to_string(),
module: "file:///tmp/happy_policy_1.wasm".to_string(),
settings: None,
context_aware_resources: BTreeSet::new(),
},
Expand Down Expand Up @@ -902,7 +902,7 @@ mod tests {
policies: vec![(
"happy_policy_1".to_string(),
PolicyGroupMember {
url: "file:///tmp/happy_policy_1.wasm".to_string(),
module: "file:///tmp/happy_policy_1.wasm".to_string(),
settings: None,
context_aware_resources: BTreeSet::new(),
},
Expand All @@ -921,23 +921,23 @@ mod tests {
(
"happy_policy_1".to_string(),
PolicyGroupMember {
url: "file:///tmp/happy_policy_1.wasm".to_string(),
module: "file:///tmp/happy_policy_1.wasm".to_string(),
settings: None,
context_aware_resources: BTreeSet::new(),
},
),
(
"unhappy_policy_1".to_string(),
PolicyGroupMember {
url: "file:///tmp/unhappy_policy_1.wasm".to_string(),
module: "file:///tmp/unhappy_policy_1.wasm".to_string(),
settings: None,
context_aware_resources: BTreeSet::new(),
},
),
(
"unhappy_policy_2".to_string(),
PolicyGroupMember {
url: "file:///tmp/unhappy_policy_1.wasm".to_string(),
module: "file:///tmp/unhappy_policy_1.wasm".to_string(),
settings: None,
context_aware_resources: BTreeSet::new(),
},
Expand All @@ -959,23 +959,23 @@ mod tests {
(
"happy_policy_1".to_string(),
PolicyGroupMember {
url: "file:///tmp/happy_policy_1.wasm".to_string(),
module: "file:///tmp/happy_policy_1.wasm".to_string(),
settings: None,
context_aware_resources: BTreeSet::new(),
},
),
(
"unhappy_policy_1".to_string(),
PolicyGroupMember {
url: "file:///tmp/unhappy_policy_1.wasm".to_string(),
module: "file:///tmp/unhappy_policy_1.wasm".to_string(),
settings: None,
context_aware_resources: BTreeSet::new(),
},
),
(
"unhappy_policy_2".to_string(),
PolicyGroupMember {
url: "file:///tmp/unhappy_policy_1.wasm".to_string(),
module: "file:///tmp/unhappy_policy_1.wasm".to_string(),
settings: None,
context_aware_resources: BTreeSet::new(),
},
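Review bot: The pattern `module: url,` in the `PolicyOrPolicyGroup::Policy` arm keeps the old name alive as a local, while the group-member path a few hunks later reads `&policy.module`, so the same value now goes by two names in one builder. Binding it as `module` (or `module: module_url` if the arm wants to stress that it is a location) and updating the uses in the arm would finish the rename; the arm's body is outside the hunk, so the number of uses cannot be seen here.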