adding in PrivilegedContainerPolicy which is to be used to exclude Ru…

…nAsNonRoot check for projects that have Host level access set to `Privileged` in connect project setup Signed-off-by: Adam D. Cornett <[email protected]>
redhat-openshift-ecosystem · Apr 19, 2022 · a5e6a10 · a5e6a10
1 parent 6fb61a7
commit a5e6a10
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 0 deletions.
diff --git a/certification/engine/engine.go b/certification/engine/engine.go
@@ -137,6 +137,18 @@ var scratchContainerPolicy = map[string]certification.Check{
 	// runSystemContainerCheck.Name(): runSystemContainerCheck,
 }
 
+var rootExceptionContainerPolicy = map[string]certification.Check{
+	hasLicenseCheck.Name():        hasLicenseCheck,
+	hasUniqueTagCheck.Name():      hasUniqueTagCheck,
+	maxLayersCheck.Name():         maxLayersCheck,
+	hasNoProhibitedCheck.Name():   hasNoProhibitedCheck,
+	hasRequiredLabelsCheck.Name(): hasRequiredLabelsCheck,
+	basedOnUbiCheck.Name():        basedOnUbiCheck,
+	hasModifiedFilesCheck.Name():  hasModifiedFilesCheck,
+	// runnableContainerCheck.Name():  runnableContainerCheck,
+	// runSystemContainerCheck.Name(): runSystemContainerCheck,
+}
+
 func makeCheckList(checkMap map[string]certification.Check) []string {
 	checks := make([]string, 0, len(checkMap))
 
@@ -158,3 +170,7 @@ func ContainerPolicy() []string {
 func ScratchContainerPolicy() []string {
 	return makeCheckList(scratchContainerPolicy)
 }
+
+func RootExceptionContainerPolicy() []string {
+	return makeCheckList(rootExceptionContainerPolicy)
+}
diff --git a/certification/pyxis/types.go b/certification/pyxis/types.go
@@ -102,6 +102,7 @@ type Container struct {
 	Registry         string `json:"registry,omitempty"`
 	Repository       string `json:"repository,omitempty"`
 	OsContentType    string `json:"os_content_type,omitempty"`
+	Privileged       bool   `json:"privileged,omitempty"`
 }
 
 type Layer struct {

diff --git a/cmd/check_container.go b/cmd/check_container.go
@@ -95,6 +95,11 @@ var checkContainerCmd = &cobra.Command{
 				cfg.EnabledChecks = engine.ScratchContainerPolicy()
 				cfg.Scratch = true
 			}
+
+			// if a partner sets `Host Level Access` in connect to `Privileged`, enable RootExceptionContainerPolicy checks
+			if certProject.Container.Privileged {
+				cfg.EnabledChecks = engine.RootExceptionContainerPolicy()
+			}
 		}
 
 		engine, err := engine.NewForConfig(cfg)