Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

adding a new policy that allows scratch and root policy exceptions #1184

Merged
merged 1 commit into from
Jul 15, 2024
Merged

adding a new policy that allows scratch and root policy exceptions #1184

merged 1 commit into from
Jul 15, 2024

Conversation

acornett21
Copy link
Contributor

Motivation

Some partners need to run containers as both root and scratch for some of their product(s). Currently, we only allow for one of these exceptions at a time.

Explanation

This PR creates a net new Policy that runs a subset of checks, excluding any checks that do not appear in the current root and current scratch policy. Some existing policy names/variables were also refactored to provide better clarity.

Testing

Aside from the unit test updates, this was tested in stage with project 668ed5d57f921e72f6431c4c and below are the results.

{
    "image": "quay.io/acornett/scratch-root-passes:v1.0.0",
    "passed": true,
    "test_library": {
        "name": "github.com/redhat-openshift-ecosystem/openshift-preflight",
        "version": "unknown",
        "commit": "unknown"
    },
    "results": {
        "passed": [
            {
                "name": "HasLicense",
                "elapsed_time": 0,
                "description": "Checking if terms and conditions applicable to the software including open source licensing information are present. The license must be at /licenses"
            },
            {
                "name": "HasUniqueTag",
                "elapsed_time": 0,
                "description": "Checking if container has a tag other than 'latest', so that the image can be uniquely identified."
            },
            {
                "name": "LayerCountAcceptable",
                "elapsed_time": 0,
                "description": "Checking if container has less than 40 layers.  Too many layers within the container images can degrade container performance."
            },
            {
                "name": "HasRequiredLabel",
                "elapsed_time": 0,
                "description": "Checking if the required labels (name, vendor, version, release, summary, description) are present in the container metadata."
            }
        ],
        "failed": [],
        "errors": []
    }
}

Additional Info

More info and business approval for a new policy can be found in

  • JIRA: EET-4101

@acornett21 acornett21 requested review from bcrochet and komish July 10, 2024 21:31
@openshift-ci openshift-ci bot requested review from jomkz and tonytcampbell July 10, 2024 21:31
@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 10, 2024
@dcibot
Copy link

dcibot commented Jul 10, 2024

from change #1184:

@acornett21
adding a new policy that allows scratch and root policy exceptions at…
87367e0 
… the same time

Signed-off-by: Adam D. Cornett <adc@redhat.com>
@acornett21 acornett21 force-pushed the root_plus_scratch_policy branch from 65fd541 to 87367e0 Compare July 11, 2024 14:05
@coveralls
Copy link

Coverage Status

coverage: 84.447% (+0.05%) from 84.397%
when pulling 87367e0 on acornett21:root_plus_scratch_policy
into c10fda5 on redhat-openshift-ecosystem:main.

@dcibot
Copy link

dcibot commented Jul 11, 2024

from change #1184:

komish
komish approved these changes Jul 11, 2024
View reviewed changes
Copy link
Contributor

@komish komish left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jul 11, 2024
bcrochet
bcrochet approved these changes Jul 15, 2024
View reviewed changes
Copy link
Contributor

@bcrochet bcrochet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Jul 15, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: acornett21, bcrochet, komish

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [acornett21,bcrochet,komish]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@bcrochet bcrochet merged commit c9048da into redhat-openshift-ecosystem:main Jul 15, 2024
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@komish komish komish approved these changes

@bcrochet bcrochet bcrochet approved these changes

@jomkz jomkz Awaiting requested review from jomkz

@tonytcampbell tonytcampbell Awaiting requested review from tonytcampbell

Assignees

@bcrochet bcrochet

@komish komish

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@acornett21 @dcibot @coveralls @bcrochet @komish