Integration with OPA: use rego rules

[alban]

Integration with OPA: use rego rules

The Seccomp Agent can be configured by a ConfigMap containing rules in the rego language from OPA.

How to use

Example of rules in policies.rego:

    package syscall.authz

    action[{"passthrough": passthrough, "reason": reason}] {
        input.syscall = "execve"

        passthrough := true
        reason := "execve are always accepted"
    }
    action[{"handler": handler, "reason": reason, "suffix": suffix}] {
        input.syscall = "mkdir"
        input.pod.namespace = "default"
        input.pod.name = "mynotifypod"
        startswith(input.arg0, "foo")

        handler := "mkdir"
        reason := "directories can start with foo"
        suffix := "-{{.Namespace}}-{{.Pod}}-{{.Container}}"
    }
    action[{"handler": handler, "reason": reason, "suffix": suffix}] {
        input.syscall = "mkdir"
        input.pod.namespace = "default"
        input.pod.name = "mynotifypod"
        endswith(input.arg0, "bar")

        handler := "mkdir"
        reason := "directories can end with bar"
        suffix := "-{{.Namespace}}-{{.Pod}}-{{.Container}}"
    }
    action[{"handler": handler, "reason": reason}] {
        input.syscall = "mount"
        allowedfs := {"proc", "tmpfs"}
        allowedfs[input.arg2]
        input.pod.namespace = "default"
        input.pod.name = "mynotifypod"

        handler := "mount"
        reason := "mounting specific filesystems is allowed"
    }

Testing done

The behaviour of the mkdir and mount syscalls below follow the rules expressed in rego:

$ kubectl exec -ti mynotifypod -- /bin/sh
/ # mkdir foo-A
/ # ls -ld foo-A-default-mynotifypod-container1/
drwxr-xr-x    2 root     root          4096 May 15 16:47 foo-A-default-mynotifypod-container1/
/ # mkdir B-bar
/ # mkdir none
mkdir: can't create directory 'none': Function not implemented
/ # mount -t tmpfs tmpfs root
/ # mount -t cgroup cgroup root
mount: mounting cgroup on root failed: Function not implemented
/ #