Forbidden sysctls cel

[ritazh]

What this PR does / why we need it:

Which issue(s) does this PR fix (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):
Fixes #541

Special notes for your reviewer:

will rebase once #519 is merged

[maxsmythe]

I don't think the Rego code considers undefined allowedSysctls to mean "all allowed". I think it just denies all sysctls. Worth creating a test case to validate this edge case.

[ritazh]

Looking at the history: https://github.com/open-policy-agent/gatekeeper-library/pull/253/files#diff-b14d9c092cc66bb50ced20769a8508a11132aa8425a27e3a65666fb580b52414R117-R119

comment in the test:

Empty allowedSysctls means none are allowed
unspecified allowedSysctls which does not place any restrictions by itself

The rego code also does not put any restriction on unspecified allowedSysctls.

If we want to change this behavior, it is definitely not backward compatible. IMO we should keep the same logic to reduce confusion. WDYT? @maxsmythe

[maxsmythe]

Definitely no need to change the behavior. My reading of the Rego code was that empty allowedSysctls leads to a violation (despite what the test comment says).

Maybe my reading is wrong? In either case, adding a test suite for the edge case would validate uniform behavior.

But yeah, to re-iterate, VAP-CEL should behave like the Rego, just want to ensure that is the case.

[ritazh]

yes I adding 2 new tests (one for empty allowedSysctls and one for unspecified allowedSysctls, which showed existing rego has the same behavior as the test comment due to:

not allowed_sysctl(sysctl) and allowed_sysctl(_) never actually checks for not input.parameters.allowedSysctls

[maxsmythe]

Ah, I think I see why. The message expression below fails if the parameter is unspecified vs. empty:

msg := sprintf("The sysctl %v is not explicitly allowed, pod: %v. Allowed sysctls: %v", [sysctl, input.review.object.metadata.name, input.parameters.allowedSysctls])

which will cause the violation not to be thrown. I imaging replacing the message with a constant would change the behavior of that edge case. Fun times.

Sorry for the extra work. If we add the undefined vs. empty list test, at least we can make sure the edge-case behavior doesn't change in the future. Worth doing?

[ritazh]

updated for cel.

e.g. output:

The sysctl is not allowed for pod: nginx-forbidden-sysctls-disallowed, forbidden: kernel.*, allowed: unspecified

and

The sysctl is not allowed for pod: nginx-forbidden-sysctls-disallowed, forbidden: kernel.*, allowed: empty

[ritazh]

re: rego bug, I propose to fix the message and add condition for no violations for unspecified allowedSysctls to ensure backward compat. wdyt?

[maxsmythe]

Is the rego not WAI? It will simply not return a message/violation if allowedSysctls is unspecified, which is the expected behavior.

I am definitely down for making the test for allowedSysctls explicit in the Rego... having an implicit logic gate buried in a string formatting statement seems a bit hard to catch for readers.

[maxsmythe]

Ah, I think I see why. The message expression below fails if the parameter is unspecified vs. empty:

msg := sprintf("The sysctl %v is not explicitly allowed, pod: %v. Allowed sysctls: %v", [sysctl, input.review.object.metadata.name, input.parameters.allowedSysctls])

which will cause the violation not to be thrown. I imaging replacing the message with a constant would change the behavior of that edge case. Fun times.

Sorry for the extra work. If we add the undefined vs. empty list test, at least we can make sure the edge-case behavior doesn't change in the future. Worth doing?

[JaydipGabani]

LGTM otherwise

[JaydipGabani]

Suggested change

	name: nginx-forbidden-sysctls-disallowed
	name: nginx-forbidden-sysctls-allowed

[stale]

This issue/PR has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.