From a5e6a1007da388f609c0fefd05c9b3c556b09cf0 Mon Sep 17 00:00:00 2001
From: "Adam D. Cornett"
Date: Thu, 14 Apr 2022 16:32:30 -0700
Subject: [PATCH] adding in PrivilegedContainerPolicy which is to be used to exclude RunAsNonRoot check for projects that have Host level access set to `Privileged` in connect project setup

Signed-off-by: Adam D. Cornett
---
 certification/engine/engine.go | 16 ++++++++++++++++
 certification/pyxis/types.go | 1 +
 cmd/check_container.go | 5 +++++
 3 files changed, 22 insertions(+)

diff --git a/certification/engine/engine.go b/certification/engine/engine.go
index b6b1ef1b..e19b07bd 100644
--- a/certification/engine/engine.go
+++ b/certification/engine/engine.go
@@ -137,6 +137,18 @@ var scratchContainerPolicy = map[string]certification.Check{
 // runSystemContainerCheck.Name(): runSystemContainerCheck,
 }
 
+var rootExceptionContainerPolicy = map[string]certification.Check{
+ hasLicenseCheck.Name(): hasLicenseCheck,
+ hasUniqueTagCheck.Name(): hasUniqueTagCheck,
+ maxLayersCheck.Name(): maxLayersCheck,
+ hasNoProhibitedCheck.Name(): hasNoProhibitedCheck,
+ hasRequiredLabelsCheck.Name(): hasRequiredLabelsCheck,
+ basedOnUbiCheck.Name(): basedOnUbiCheck,
+ hasModifiedFilesCheck.Name(): hasModifiedFilesCheck,
+ // runnableContainerCheck.Name(): runnableContainerCheck,
+ // runSystemContainerCheck.Name(): runSystemContainerCheck,
+}
+
 func makeCheckList(checkMap map[string]certification.Check) []string {
 checks := make([]string, 0, len(checkMap))
 
@@ -158,3 +170,7 @@ func ContainerPolicy() []string {
 func ScratchContainerPolicy() []string {
 return makeCheckList(scratchContainerPolicy)
 }
+
+func RootExceptionContainerPolicy() []string {
+ return makeCheckList(rootExceptionContainerPolicy)
+}
diff --git a/certification/pyxis/types.go b/certification/pyxis/types.go
index de151b09..3074254d 100644
--- a/certification/pyxis/types.go
+++ b/certification/pyxis/types.go
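Review bot: rootExceptionContainerPolicy is a hand-copied list and nothing in the hunk records which check it deliberately leaves out, so a check added later to the general container policy will silently be absent from the privileged variant; the commit message names RunAsNonRoot as the omission, but the code does not. Consider deriving the map at init from the full policy (clone it and delete the single RunAsNonRoot key) so the only difference is stated in one place, and drop the two copied-in commented-out entries. The exported RootExceptionContainerPolicy in the second hunk of this file also lacks a doc comment; something like `// RootExceptionContainerPolicy returns the container checks for projects whose Connect Host Level Access is Privileged: the standard container policy minus the RunAsNonRoot check.` would make the intent visible to callers. The subject line calls this PrivilegedContainerPolicy while the code says RootExceptionContainerPolicy; pick one name so the policy is searchable.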
@@ -102,6 +102,7 @@ type Container struct {
 Registry string `json:"registry,omitempty"`
 Repository string `json:"repository,omitempty"`
 OsContentType string `json:"os_content_type,omitempty"`
+ Privileged bool `json:"privileged,omitempty"`
 }
 
 type Layer struct {
diff --git a/cmd/check_container.go b/cmd/check_container.go
index fc985140..fb3390a5 100644
--- a/cmd/check_container.go
+++ b/cmd/check_container.go
@@ -95,6 +95,11 @@ var checkContainerCmd = &cobra.Command{
 cfg.EnabledChecks = engine.ScratchContainerPolicy()
 cfg.Scratch = true
 }
+
+ // if a partner sets `Host Level Access` in connect to `Privileged`, enable RootExceptionContainerPolicy checks
+ if certProject.Container.Privileged {
+ cfg.EnabledChecks = engine.RootExceptionContainerPolicy()
+ }
 }
 
 engine, err := engine.NewForConfig(cfg)
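Review bot: The new Privileged field has no doc comment, and since its value now decides which certification checks are run its provenance should be stated on the field rather than only in cmd/check_container.go; suggest `// Privileged reports whether the project's Connect Host Level Access is set to Privileged; when true the RunAsNonRoot check is not applied.` Whether the field is ever set by anything other than the Pyxis response is not visible here, so the comment should be adjusted if it is also written locally.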
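Review bot: The added `if certProject.Container.Privileged` block overwrites cfg.EnabledChecks unconditionally, so a project that is both scratch and privileged loses the scratch policy chosen a few lines earlier while cfg.Scratch stays true; the precedence between the two flags should be explicit, for example `} else if certProject.Container.Privileged {` if scratch is meant to win, or a comment stating that privileged overrides scratch if that is intended. Because this branch drops a security check on the strength of a flag fetched from Pyxis, it should also emit a log line through the command's existing logger saying the root exception policy was selected, so the certification output records why RunAsNonRoot did not run. The surrounding RunE body starts and ends outside the hunk, so the scratch branch's own condition is not visible here.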