diff --git a/src/interpreter.rs b/src/interpreter.rs index dca92770..c25fcd4f 100644 --- a/src/interpreter.rs +++ b/src/interpreter.rs @@ -1017,6 +1017,11 @@ impl Interpreter { if self.eval_stmts(stmts)? { count += 1; + if let Some(ctx) = self.contexts.last() { + if ctx.early_return { + break; + } + } } *self.current_scope_mut()? = scope_saved.clone(); } @@ -1035,6 +1040,11 @@ impl Interpreter { if self.eval_stmts(stmts)? { count += 1; + if let Some(ctx) = self.contexts.last() { + if ctx.early_return { + break; + } + } } *self.current_scope_mut()? = scope_saved.clone(); } @@ -1054,6 +1064,11 @@ impl Interpreter { if self.eval_stmts(stmts)? { count += 1; + if let Some(ctx) = self.contexts.last() { + if ctx.early_return { + break; + } + } } *self.current_scope_mut()? = scope_saved.clone(); } diff --git a/tests/kata/data/k8s-policy-job/prints.json b/tests/kata/data/k8s-policy-job/prints.json index 36de33df..b1da0133 100644 --- a/tests/kata/data/k8s-policy-job/prints.json +++ b/tests/kata/data/k8s-policy-job/prints.json @@ -307,56 +307,7 @@ "tests/kata/data/k8s-policy-job/policy.rego:389: allow_readonly_paths 1: true", "tests/kata/data/k8s-policy-job/policy.rego:392: allow_readonly_paths 2: start", "tests/kata/data/k8s-policy-job/policy.rego:340: allow_linux: true", - "tests/kata/data/k8s-policy-job/policy.rego:79: CreateContainerRequest: true", - "tests/kata/data/k8s-policy-job/policy.rego:57: ======== CreateContainerRequest: trying next policy container", - "tests/kata/data/k8s-policy-job/policy.rego:61: CreateContainerRequest: p_pidns = false i_pidns = false", - "tests/kata/data/k8s-policy-job/policy.rego:66: CreateContainerRequest: p Version = 1.1.0 i Version = 1.1.0", - "tests/kata/data/k8s-policy-job/policy.rego:69: CreateContainerRequest: p Readonly = true i Readonly = true", - "tests/kata/data/k8s-policy-job/policy.rego:84: allow_anno 1: start", - "tests/kata/data/k8s-policy-job/policy.rego:91: allow_anno 2: p Annotations = {\"io.katacontainers.pkg.oci.bundle_path\": \"/run/containerd/io.containerd.runtime.v2.task/k8s.io/$(bundle-id)\", \"io.katacontainers.pkg.oci.container_type\": \"pod_container\", \"io.kubernetes.cri.container-name\": \"hello\", \"io.kubernetes.cri.container-type\": \"container\", \"io.kubernetes.cri.image-name\": \"quay.io/prometheus/busybox:latest\", \"io.kubernetes.cri.sandbox-id\": \"^[a-z0-9]{64}$\", \"io.kubernetes.cri.sandbox-namespace\": \"kata-containers-k8s-tests\"}", - "tests/kata/data/k8s-policy-job/policy.rego:92: allow_anno 2: i Annotations = {\"io.katacontainers.pkg.oci.bundle_path\": \"/run/containerd/io.containerd.runtime.v2.task/k8s.io/d2bc5590b33176f997388b25f600080d2276cbd08ad134ace2d254260ac864e4\", \"io.katacontainers.pkg.oci.container_type\": \"pod_sandbox\", \"io.kubernetes.cri.container-type\": \"sandbox\", \"io.kubernetes.cri.sandbox-cpu-period\": \"100000\", \"io.kubernetes.cri.sandbox-cpu-quota\": \"0\", \"io.kubernetes.cri.sandbox-cpu-shares\": \"2\", \"io.kubernetes.cri.sandbox-id\": \"d2bc5590b33176f997388b25f600080d2276cbd08ad134ace2d254260ac864e4\", \"io.kubernetes.cri.sandbox-log-directory\": \"/var/log/pods/kata-containers-k8s-tests_policy-job-dx6cb_392939d5-72a0-4421-9cd7-1e89c3f86256\", \"io.kubernetes.cri.sandbox-memory\": \"0\", \"io.kubernetes.cri.sandbox-name\": \"policy-job-dx6cb\", \"io.kubernetes.cri.sandbox-namespace\": \"kata-containers-k8s-tests\", \"io.kubernetes.cri.sandbox-uid\": \"392939d5-72a0-4421-9cd7-1e89c3f86256\", \"nerdctl/network-namespace\": \"/var/run/netns/cni-92275a86-e0ea-c2c4-9e0c-4ac1ebe428eb\"}", - "tests/kata/data/k8s-policy-job/policy.rego:95: allow_anno 2: i keys = {\"io.katacontainers.pkg.oci.bundle_path\", \"io.katacontainers.pkg.oci.container_type\", \"io.kubernetes.cri.container-type\", \"io.kubernetes.cri.sandbox-cpu-period\", \"io.kubernetes.cri.sandbox-cpu-quota\", \"io.kubernetes.cri.sandbox-cpu-shares\", \"io.kubernetes.cri.sandbox-id\", \"io.kubernetes.cri.sandbox-log-directory\", \"io.kubernetes.cri.sandbox-memory\", \"io.kubernetes.cri.sandbox-name\", \"io.kubernetes.cri.sandbox-namespace\", \"io.kubernetes.cri.sandbox-uid\", \"nerdctl/network-namespace\"}", - "tests/kata/data/k8s-policy-job/policy.rego:105: allow_anno_key 1: i key = io.katacontainers.pkg.oci.bundle_path", - "tests/kata/data/k8s-policy-job/policy.rego:112: allow_anno_key 2: i key = io.katacontainers.pkg.oci.bundle_path", - "tests/kata/data/k8s-policy-job/policy.rego:117: allow_anno_key 2: true", - "tests/kata/data/k8s-policy-job/policy.rego:105: allow_anno_key 1: i key = io.katacontainers.pkg.oci.container_type", - "tests/kata/data/k8s-policy-job/policy.rego:112: allow_anno_key 2: i key = io.katacontainers.pkg.oci.container_type", - "tests/kata/data/k8s-policy-job/policy.rego:117: allow_anno_key 2: true", - "tests/kata/data/k8s-policy-job/policy.rego:105: allow_anno_key 1: i key = io.kubernetes.cri.container-type", - "tests/kata/data/k8s-policy-job/policy.rego:109: allow_anno_key 1: true", - "tests/kata/data/k8s-policy-job/policy.rego:112: allow_anno_key 2: i key = io.kubernetes.cri.container-type", - "tests/kata/data/k8s-policy-job/policy.rego:117: allow_anno_key 2: true", - "tests/kata/data/k8s-policy-job/policy.rego:105: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-cpu-period", - "tests/kata/data/k8s-policy-job/policy.rego:109: allow_anno_key 1: true", - "tests/kata/data/k8s-policy-job/policy.rego:112: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-cpu-period", - "tests/kata/data/k8s-policy-job/policy.rego:105: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-cpu-quota", - "tests/kata/data/k8s-policy-job/policy.rego:109: allow_anno_key 1: true", - "tests/kata/data/k8s-policy-job/policy.rego:112: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-cpu-quota", - "tests/kata/data/k8s-policy-job/policy.rego:105: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-cpu-shares", - "tests/kata/data/k8s-policy-job/policy.rego:109: allow_anno_key 1: true", - "tests/kata/data/k8s-policy-job/policy.rego:112: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-cpu-shares", - "tests/kata/data/k8s-policy-job/policy.rego:105: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-id", - "tests/kata/data/k8s-policy-job/policy.rego:109: allow_anno_key 1: true", - "tests/kata/data/k8s-policy-job/policy.rego:112: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-id", - "tests/kata/data/k8s-policy-job/policy.rego:117: allow_anno_key 2: true", - "tests/kata/data/k8s-policy-job/policy.rego:105: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-log-directory", - "tests/kata/data/k8s-policy-job/policy.rego:109: allow_anno_key 1: true", - "tests/kata/data/k8s-policy-job/policy.rego:112: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-log-directory", - "tests/kata/data/k8s-policy-job/policy.rego:105: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-memory", - "tests/kata/data/k8s-policy-job/policy.rego:109: allow_anno_key 1: true", - "tests/kata/data/k8s-policy-job/policy.rego:112: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-memory", - "tests/kata/data/k8s-policy-job/policy.rego:105: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-name", - "tests/kata/data/k8s-policy-job/policy.rego:109: allow_anno_key 1: true", - "tests/kata/data/k8s-policy-job/policy.rego:112: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-name", - "tests/kata/data/k8s-policy-job/policy.rego:105: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-namespace", - "tests/kata/data/k8s-policy-job/policy.rego:109: allow_anno_key 1: true", - "tests/kata/data/k8s-policy-job/policy.rego:112: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-namespace", - "tests/kata/data/k8s-policy-job/policy.rego:117: allow_anno_key 2: true", - "tests/kata/data/k8s-policy-job/policy.rego:105: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-uid", - "tests/kata/data/k8s-policy-job/policy.rego:109: allow_anno_key 1: true", - "tests/kata/data/k8s-policy-job/policy.rego:112: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-uid", - "tests/kata/data/k8s-policy-job/policy.rego:105: allow_anno_key 1: i key = nerdctl/network-namespace", - "tests/kata/data/k8s-policy-job/policy.rego:112: allow_anno_key 2: i key = nerdctl/network-namespace" + "tests/kata/data/k8s-policy-job/policy.rego:79: CreateContainerRequest: true" ], [], [], diff --git a/tests/kata/data/k8s-policy-pod/prints.json b/tests/kata/data/k8s-policy-pod/prints.json index 7326977f..538e33b1 100644 --- a/tests/kata/data/k8s-policy-pod/prints.json +++ b/tests/kata/data/k8s-policy-pod/prints.json @@ -311,11 +311,7 @@ "tests/kata/data/k8s-policy-pod/policy.rego:389: allow_readonly_paths 1: true", "tests/kata/data/k8s-policy-pod/policy.rego:392: allow_readonly_paths 2: start", "tests/kata/data/k8s-policy-pod/policy.rego:340: allow_linux: true", - "tests/kata/data/k8s-policy-pod/policy.rego:79: CreateContainerRequest: true", - "tests/kata/data/k8s-policy-pod/policy.rego:57: ======== CreateContainerRequest: trying next policy container", - "tests/kata/data/k8s-policy-pod/policy.rego:61: CreateContainerRequest: p_pidns = false i_pidns = false", - "tests/kata/data/k8s-policy-pod/policy.rego:66: CreateContainerRequest: p Version = 1.1.0 i Version = 1.1.0", - "tests/kata/data/k8s-policy-pod/policy.rego:69: CreateContainerRequest: p Readonly = false i Readonly = true" + "tests/kata/data/k8s-policy-pod/policy.rego:79: CreateContainerRequest: true" ], [], [], diff --git a/tests/kata/data/k8s-policy-rc/prints.json b/tests/kata/data/k8s-policy-rc/prints.json index 2c4a1dc6..2b2550dc 100644 --- a/tests/kata/data/k8s-policy-rc/prints.json +++ b/tests/kata/data/k8s-policy-rc/prints.json @@ -307,11 +307,7 @@ "tests/kata/data/k8s-policy-rc/policy.rego:389: allow_readonly_paths 1: true", "tests/kata/data/k8s-policy-rc/policy.rego:392: allow_readonly_paths 2: start", "tests/kata/data/k8s-policy-rc/policy.rego:340: allow_linux: true", - "tests/kata/data/k8s-policy-rc/policy.rego:79: CreateContainerRequest: true", - "tests/kata/data/k8s-policy-rc/policy.rego:57: ======== CreateContainerRequest: trying next policy container", - "tests/kata/data/k8s-policy-rc/policy.rego:61: CreateContainerRequest: p_pidns = false i_pidns = false", - "tests/kata/data/k8s-policy-rc/policy.rego:66: CreateContainerRequest: p Version = 1.1.0 i Version = 1.1.0", - "tests/kata/data/k8s-policy-rc/policy.rego:69: CreateContainerRequest: p Readonly = false i Readonly = true" + "tests/kata/data/k8s-policy-rc/policy.rego:79: CreateContainerRequest: true" ], [], [], diff --git a/tests/kata/data/pod-cm1/prints.json b/tests/kata/data/pod-cm1/prints.json index 6b55af3d..4a52fb11 100644 --- a/tests/kata/data/pod-cm1/prints.json +++ b/tests/kata/data/pod-cm1/prints.json @@ -394,11 +394,7 @@ "tests/kata/data/pod-cm1/policy.rego:395: allow_readonly_paths 1: true", "tests/kata/data/pod-cm1/policy.rego:398: allow_readonly_paths 2: start", "tests/kata/data/pod-cm1/policy.rego:346: allow_linux: true", - "tests/kata/data/pod-cm1/policy.rego:85: CreateContainerRequest: true", - "tests/kata/data/pod-cm1/policy.rego:63: ======== CreateContainerRequest: trying next policy container", - "tests/kata/data/pod-cm1/policy.rego:67: CreateContainerRequest: p_pidns = false i_pidns = false", - "tests/kata/data/pod-cm1/policy.rego:72: CreateContainerRequest: p Version = 1.1.0-rc.1 i Version = 1.1.0-rc.1", - "tests/kata/data/pod-cm1/policy.rego:75: CreateContainerRequest: p Readonly = false i Readonly = true" + "tests/kata/data/pod-cm1/policy.rego:85: CreateContainerRequest: true" ], [], [], diff --git a/tests/kata/data/pod-cm2/prints.json b/tests/kata/data/pod-cm2/prints.json index b47bff68..28782a87 100644 --- a/tests/kata/data/pod-cm2/prints.json +++ b/tests/kata/data/pod-cm2/prints.json @@ -394,11 +394,7 @@ "tests/kata/data/pod-cm2/policy.rego:395: allow_readonly_paths 1: true", "tests/kata/data/pod-cm2/policy.rego:398: allow_readonly_paths 2: start", "tests/kata/data/pod-cm2/policy.rego:346: allow_linux: true", - "tests/kata/data/pod-cm2/policy.rego:85: CreateContainerRequest: true", - "tests/kata/data/pod-cm2/policy.rego:63: ======== CreateContainerRequest: trying next policy container", - "tests/kata/data/pod-cm2/policy.rego:67: CreateContainerRequest: p_pidns = true i_pidns = false", - "tests/kata/data/pod-cm2/policy.rego:63: ======== CreateContainerRequest: trying next policy container", - "tests/kata/data/pod-cm2/policy.rego:67: CreateContainerRequest: p_pidns = true i_pidns = false" + "tests/kata/data/pod-cm2/policy.rego:85: CreateContainerRequest: true" ], [], [], @@ -1339,65 +1335,7 @@ "tests/kata/data/pod-cm2/policy.rego:395: allow_readonly_paths 1: true", "tests/kata/data/pod-cm2/policy.rego:398: allow_readonly_paths 2: start", "tests/kata/data/pod-cm2/policy.rego:346: allow_linux: true", - "tests/kata/data/pod-cm2/policy.rego:85: CreateContainerRequest: true", - "tests/kata/data/pod-cm2/policy.rego:63: ======== CreateContainerRequest: trying next policy container", - "tests/kata/data/pod-cm2/policy.rego:67: CreateContainerRequest: p_pidns = true i_pidns = true", - "tests/kata/data/pod-cm2/policy.rego:72: CreateContainerRequest: p Version = 1.1.0-rc.1 i Version = 1.1.0-rc.1", - "tests/kata/data/pod-cm2/policy.rego:75: CreateContainerRequest: p Readonly = false i Readonly = false", - "tests/kata/data/pod-cm2/policy.rego:90: allow_anno 1: start", - "tests/kata/data/pod-cm2/policy.rego:97: allow_anno 2: p Annotations = {\"io.katacontainers.pkg.oci.bundle_path\": \"/run/containerd/io.containerd.runtime.v2.task/k8s.io/$(bundle-id)\", \"io.katacontainers.pkg.oci.container_type\": \"pod_container\", \"io.kubernetes.cri.container-name\": \"busybox2\", \"io.kubernetes.cri.container-type\": \"container\", \"io.kubernetes.cri.image-name\": \"mcr.microsoft.com/aks/e2e/library-busybox:master.220314.1-linux-amd64\", \"io.kubernetes.cri.sandbox-id\": \"^[a-z0-9]{64}$\", \"io.kubernetes.cri.sandbox-name\": \"cm2\", \"io.kubernetes.cri.sandbox-namespace\": \"default\"}", - "tests/kata/data/pod-cm2/policy.rego:98: allow_anno 2: i Annotations = {\"io.katacontainers.pkg.oci.bundle_path\": \"/run/containerd/io.containerd.runtime.v2.task/k8s.io/0730592335b050edf5109d389763447a6771aaced62161efe5ce466b278cab87\", \"io.katacontainers.pkg.oci.container_type\": \"pod_container\", \"io.kubernetes.cri.container-name\": \"busybox\", \"io.kubernetes.cri.container-type\": \"container\", \"io.kubernetes.cri.image-name\": \"mcr.microsoft.com/aks/e2e/library-busybox:master.220314.1-linux-amd64\", \"io.kubernetes.cri.sandbox-id\": \"faf19d7261fcfb7121018a2abd34cbb58a2037f029d61467d8f32a8279ead55f\", \"io.kubernetes.cri.sandbox-name\": \"cm2\", \"io.kubernetes.cri.sandbox-namespace\": \"default\", \"io.kubernetes.cri.sandbox-uid\": \"e171518a-2666-434f-86bb-1b067839f6e9\"}", - "tests/kata/data/pod-cm2/policy.rego:101: allow_anno 2: i keys = {\"io.katacontainers.pkg.oci.bundle_path\", \"io.katacontainers.pkg.oci.container_type\", \"io.kubernetes.cri.container-name\", \"io.kubernetes.cri.container-type\", \"io.kubernetes.cri.image-name\", \"io.kubernetes.cri.sandbox-id\", \"io.kubernetes.cri.sandbox-name\", \"io.kubernetes.cri.sandbox-namespace\", \"io.kubernetes.cri.sandbox-uid\"}", - "tests/kata/data/pod-cm2/policy.rego:111: allow_anno_key 1: i key = io.katacontainers.pkg.oci.bundle_path", - "tests/kata/data/pod-cm2/policy.rego:118: allow_anno_key 2: i key = io.katacontainers.pkg.oci.bundle_path", - "tests/kata/data/pod-cm2/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-cm2/policy.rego:111: allow_anno_key 1: i key = io.katacontainers.pkg.oci.container_type", - "tests/kata/data/pod-cm2/policy.rego:118: allow_anno_key 2: i key = io.katacontainers.pkg.oci.container_type", - "tests/kata/data/pod-cm2/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-cm2/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.container-name", - "tests/kata/data/pod-cm2/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-cm2/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.container-name", - "tests/kata/data/pod-cm2/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-cm2/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.container-type", - "tests/kata/data/pod-cm2/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-cm2/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.container-type", - "tests/kata/data/pod-cm2/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-cm2/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.image-name", - "tests/kata/data/pod-cm2/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-cm2/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.image-name", - "tests/kata/data/pod-cm2/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-cm2/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-id", - "tests/kata/data/pod-cm2/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-cm2/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-id", - "tests/kata/data/pod-cm2/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-cm2/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-name", - "tests/kata/data/pod-cm2/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-cm2/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-name", - "tests/kata/data/pod-cm2/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-cm2/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-namespace", - "tests/kata/data/pod-cm2/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-cm2/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-namespace", - "tests/kata/data/pod-cm2/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-cm2/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-uid", - "tests/kata/data/pod-cm2/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-cm2/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-uid", - "tests/kata/data/pod-cm2/policy.rego:107: allow_anno 2: true", - "tests/kata/data/pod-cm2/policy.rego:129: allow_by_anno 1: start", - "tests/kata/data/pod-cm2/policy.rego:143: allow_by_anno 2: start", - "tests/kata/data/pod-cm2/policy.rego:149: allow_by_anno 2: i_s_name = cm2 p_s_name = cm2", - "tests/kata/data/pod-cm2/policy.rego:175: allow_sandbox_name 1: start", - "tests/kata/data/pod-cm2/policy.rego:179: allow_sandbox_name 1: true", - "tests/kata/data/pod-cm2/policy.rego:182: allow_sandbox_name 2: start", - "tests/kata/data/pod-cm2/policy.rego:158: allow_by_sandbox_name: start", - "tests/kata/data/pod-cm2/policy.rego:164: allow_by_sandbox_name: p_namespace = default i_namespace = default", - "tests/kata/data/pod-cm2/policy.rego:196: allow_by_container_types: checking io.kubernetes.cri.container-type", - "tests/kata/data/pod-cm2/policy.rego:202: allow_by_container_types: p_cri_type = container i_cri_type = container", - "tests/kata/data/pod-cm2/policy.rego:211: allow_by_container_type 1: i_cri_type = container", - "tests/kata/data/pod-cm2/policy.rego:226: allow_by_container_type 2: i_cri_type = container", - "tests/kata/data/pod-cm2/policy.rego:230: allow_by_container_type 2: i_kata_type = pod_container", - "tests/kata/data/pod-cm2/policy.rego:250: allow_container_name: start", - "tests/kata/data/pod-cm2/policy.rego:267: allow_container_annotation: key = io.kubernetes.cri.container-name", - "tests/kata/data/pod-cm2/policy.rego:271: allow_container_annotation: p_value = busybox2 i_value = busybox" + "tests/kata/data/pod-cm2/policy.rego:85: CreateContainerRequest: true" ], [], [ diff --git a/tests/kata/data/pod-exec/prints.json b/tests/kata/data/pod-exec/prints.json index bb53481f..91107707 100644 --- a/tests/kata/data/pod-exec/prints.json +++ b/tests/kata/data/pod-exec/prints.json @@ -394,11 +394,7 @@ "tests/kata/data/pod-exec/policy.rego:395: allow_readonly_paths 1: true", "tests/kata/data/pod-exec/policy.rego:398: allow_readonly_paths 2: start", "tests/kata/data/pod-exec/policy.rego:346: allow_linux: true", - "tests/kata/data/pod-exec/policy.rego:85: CreateContainerRequest: true", - "tests/kata/data/pod-exec/policy.rego:63: ======== CreateContainerRequest: trying next policy container", - "tests/kata/data/pod-exec/policy.rego:67: CreateContainerRequest: p_pidns = false i_pidns = false", - "tests/kata/data/pod-exec/policy.rego:72: CreateContainerRequest: p Version = 1.1.0-rc.1 i Version = 1.1.0-rc.1", - "tests/kata/data/pod-exec/policy.rego:75: CreateContainerRequest: p Readonly = false i Readonly = true" + "tests/kata/data/pod-exec/policy.rego:85: CreateContainerRequest: true" ], [], [], @@ -1590,7 +1586,6 @@ "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo ${ISTIO_META_APP_CONTAINERS}", "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo Ready ${POD_IP}!", "tests/kata/data/pod-exec/policy.rego:1201: ExecProcessRequest 2: true", - "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo ${ISTIO_META_NODE_NAME} startup", "tests/kata/data/pod-exec/policy.rego:1204: ExecProcessRequest 3: input = {\"container_id\": \"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6\", \"exec_id\": \"52f23a0b-0f09-4673-9541-5636889b6ca7\", \"process\": {\"ApparmorProfile\": \"\", \"Args\": [\"echo\", \"Ready ${POD_IP}!\"], \"Capabilities\": null, \"ConsoleSize\": null, \"Cwd\": \"/\", \"Env\": [\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\", \"HOSTNAME=exec-test\", \"POD_IP=10.244.0.16\", \"SERVICE_ACCOUNT=default\", \"POD_NAME=exec-test\", \"POD_NAMESPACE=default\", \"PROXY_CONFIG={}\\n\", \"ISTIO_META_POD_PORTS=[\\n]\", \"ISTIO_META_APP_CONTAINERS=serviceaclient\", \"ISTIO_META_CLUSTER_ID=Kubernetes\", \"ISTIO_META_NODE_NAME=aks-nodepool1-38464071-vmss000000\", \"KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1\", \"KUBERNETES_SERVICE_HOST=10.0.0.1\", \"KUBERNETES_SERVICE_PORT=443\", \"KUBERNETES_SERVICE_PORT_HTTPS=443\", \"KUBERNETES_PORT=tcp://10.0.0.1:443\", \"KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443\", \"KUBERNETES_PORT_443_TCP_PROTO=tcp\", \"KUBERNETES_PORT_443_TCP_PORT=443\"], \"NoNewPrivileges\": false, \"OOMScoreAdj\": 0, \"Rlimits\": [], \"SelinuxLabel\": \"\", \"Terminal\": false, \"User\": {\"AdditionalGids\": [0, 10], \"GID\": 0, \"UID\": 0, \"Username\": \"\"}}, \"string_user\": null}", "tests/kata/data/pod-exec/policy.rego:1207: ExecProcessRequest 3: i_command = echo Ready ${POD_IP}!" ], @@ -1603,7 +1598,6 @@ "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo ${ISTIO_META_APP_CONTAINERS}", "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo Ready ${POD_IP}!", "tests/kata/data/pod-exec/policy.rego:1201: ExecProcessRequest 2: true", - "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo ${ISTIO_META_NODE_NAME} startup", "tests/kata/data/pod-exec/policy.rego:1204: ExecProcessRequest 3: input = {\"container_id\": \"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6\", \"exec_id\": \"f1d04442-303f-40cb-ac48-eff1f9406895\", \"process\": {\"ApparmorProfile\": \"\", \"Args\": [\"echo\", \"Ready ${POD_IP}!\"], \"Capabilities\": null, \"ConsoleSize\": null, \"Cwd\": \"/\", \"Env\": [\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\", \"HOSTNAME=exec-test\", \"POD_IP=10.244.0.16\", \"SERVICE_ACCOUNT=default\", \"POD_NAME=exec-test\", \"POD_NAMESPACE=default\", \"PROXY_CONFIG={}\\n\", \"ISTIO_META_POD_PORTS=[\\n]\", \"ISTIO_META_APP_CONTAINERS=serviceaclient\", \"ISTIO_META_CLUSTER_ID=Kubernetes\", \"ISTIO_META_NODE_NAME=aks-nodepool1-38464071-vmss000000\", \"KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1\", \"KUBERNETES_SERVICE_HOST=10.0.0.1\", \"KUBERNETES_SERVICE_PORT=443\", \"KUBERNETES_SERVICE_PORT_HTTPS=443\", \"KUBERNETES_PORT=tcp://10.0.0.1:443\", \"KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443\", \"KUBERNETES_PORT_443_TCP_PROTO=tcp\", \"KUBERNETES_PORT_443_TCP_PORT=443\"], \"NoNewPrivileges\": false, \"OOMScoreAdj\": 0, \"Rlimits\": [], \"SelinuxLabel\": \"\", \"Terminal\": false, \"User\": {\"AdditionalGids\": [0, 10], \"GID\": 0, \"UID\": 0, \"Username\": \"\"}}, \"string_user\": null}", "tests/kata/data/pod-exec/policy.rego:1207: ExecProcessRequest 3: i_command = echo Ready ${POD_IP}!" ], @@ -1614,8 +1608,6 @@ "tests/kata/data/pod-exec/policy.rego:1192: ExecProcessRequest 3: i_command = echo ${ISTIO_META_APP_CONTAINERS}", "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo ${ISTIO_META_APP_CONTAINERS}", "tests/kata/data/pod-exec/policy.rego:1201: ExecProcessRequest 2: true", - "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo Ready ${POD_IP}!", - "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo ${ISTIO_META_NODE_NAME} startup", "tests/kata/data/pod-exec/policy.rego:1204: ExecProcessRequest 3: input = {\"container_id\": \"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6\", \"exec_id\": \"bd33b367-2e42-4a83-8cf6-817eb10a1795\", \"process\": {\"ApparmorProfile\": \"\", \"Args\": [\"echo\", \"${ISTIO_META_APP_CONTAINERS}\"], \"Capabilities\": null, \"ConsoleSize\": null, \"Cwd\": \"/\", \"Env\": [\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\", \"HOSTNAME=exec-test\", \"POD_IP=10.244.0.16\", \"SERVICE_ACCOUNT=default\", \"POD_NAME=exec-test\", \"POD_NAMESPACE=default\", \"PROXY_CONFIG={}\\n\", \"ISTIO_META_POD_PORTS=[\\n]\", \"ISTIO_META_APP_CONTAINERS=serviceaclient\", \"ISTIO_META_CLUSTER_ID=Kubernetes\", \"ISTIO_META_NODE_NAME=aks-nodepool1-38464071-vmss000000\", \"KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1\", \"KUBERNETES_SERVICE_HOST=10.0.0.1\", \"KUBERNETES_SERVICE_PORT=443\", \"KUBERNETES_SERVICE_PORT_HTTPS=443\", \"KUBERNETES_PORT=tcp://10.0.0.1:443\", \"KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443\", \"KUBERNETES_PORT_443_TCP_PROTO=tcp\", \"KUBERNETES_PORT_443_TCP_PORT=443\"], \"NoNewPrivileges\": false, \"OOMScoreAdj\": 0, \"Rlimits\": [], \"SelinuxLabel\": \"\", \"Terminal\": false, \"User\": {\"AdditionalGids\": [0, 10], \"GID\": 0, \"UID\": 0, \"Username\": \"\"}}, \"string_user\": null}", "tests/kata/data/pod-exec/policy.rego:1207: ExecProcessRequest 3: i_command = echo ${ISTIO_META_APP_CONTAINERS}" ], @@ -1628,8 +1620,6 @@ "tests/kata/data/pod-exec/policy.rego:1192: ExecProcessRequest 3: i_command = echo ${ISTIO_META_APP_CONTAINERS}", "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo ${ISTIO_META_APP_CONTAINERS}", "tests/kata/data/pod-exec/policy.rego:1201: ExecProcessRequest 2: true", - "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo Ready ${POD_IP}!", - "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo ${ISTIO_META_NODE_NAME} startup", "tests/kata/data/pod-exec/policy.rego:1204: ExecProcessRequest 3: input = {\"container_id\": \"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6\", \"exec_id\": \"df812e16-cae6-46c4-b0fa-fdcc0e67472c\", \"process\": {\"ApparmorProfile\": \"\", \"Args\": [\"echo\", \"${ISTIO_META_APP_CONTAINERS}\"], \"Capabilities\": null, \"ConsoleSize\": null, \"Cwd\": \"/\", \"Env\": [\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\", \"HOSTNAME=exec-test\", \"POD_IP=10.244.0.16\", \"SERVICE_ACCOUNT=default\", \"POD_NAME=exec-test\", \"POD_NAMESPACE=default\", \"PROXY_CONFIG={}\\n\", \"ISTIO_META_POD_PORTS=[\\n]\", \"ISTIO_META_APP_CONTAINERS=serviceaclient\", \"ISTIO_META_CLUSTER_ID=Kubernetes\", \"ISTIO_META_NODE_NAME=aks-nodepool1-38464071-vmss000000\", \"KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1\", \"KUBERNETES_SERVICE_HOST=10.0.0.1\", \"KUBERNETES_SERVICE_PORT=443\", \"KUBERNETES_SERVICE_PORT_HTTPS=443\", \"KUBERNETES_PORT=tcp://10.0.0.1:443\", \"KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443\", \"KUBERNETES_PORT_443_TCP_PROTO=tcp\", \"KUBERNETES_PORT_443_TCP_PORT=443\"], \"NoNewPrivileges\": false, \"OOMScoreAdj\": 0, \"Rlimits\": [], \"SelinuxLabel\": \"\", \"Terminal\": false, \"User\": {\"AdditionalGids\": [0, 10], \"GID\": 0, \"UID\": 0, \"Username\": \"\"}}, \"string_user\": null}", "tests/kata/data/pod-exec/policy.rego:1207: ExecProcessRequest 3: i_command = echo ${ISTIO_META_APP_CONTAINERS}" ], @@ -1641,7 +1631,6 @@ "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo ${ISTIO_META_APP_CONTAINERS}", "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo Ready ${POD_IP}!", "tests/kata/data/pod-exec/policy.rego:1201: ExecProcessRequest 2: true", - "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo ${ISTIO_META_NODE_NAME} startup", "tests/kata/data/pod-exec/policy.rego:1204: ExecProcessRequest 3: input = {\"container_id\": \"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6\", \"exec_id\": \"30724ed8-fff6-4b60-949d-e1380ace3706\", \"process\": {\"ApparmorProfile\": \"\", \"Args\": [\"echo\", \"Ready ${POD_IP}!\"], \"Capabilities\": null, \"ConsoleSize\": null, \"Cwd\": \"/\", \"Env\": [\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\", \"HOSTNAME=exec-test\", \"POD_IP=10.244.0.16\", \"SERVICE_ACCOUNT=default\", \"POD_NAME=exec-test\", \"POD_NAMESPACE=default\", \"PROXY_CONFIG={}\\n\", \"ISTIO_META_POD_PORTS=[\\n]\", \"ISTIO_META_APP_CONTAINERS=serviceaclient\", \"ISTIO_META_CLUSTER_ID=Kubernetes\", \"ISTIO_META_NODE_NAME=aks-nodepool1-38464071-vmss000000\", \"KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1\", \"KUBERNETES_SERVICE_HOST=10.0.0.1\", \"KUBERNETES_SERVICE_PORT=443\", \"KUBERNETES_SERVICE_PORT_HTTPS=443\", \"KUBERNETES_PORT=tcp://10.0.0.1:443\", \"KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443\", \"KUBERNETES_PORT_443_TCP_PROTO=tcp\", \"KUBERNETES_PORT_443_TCP_PORT=443\"], \"NoNewPrivileges\": false, \"OOMScoreAdj\": 0, \"Rlimits\": [], \"SelinuxLabel\": \"\", \"Terminal\": false, \"User\": {\"AdditionalGids\": [0, 10], \"GID\": 0, \"UID\": 0, \"Username\": \"\"}}, \"string_user\": null}", "tests/kata/data/pod-exec/policy.rego:1207: ExecProcessRequest 3: i_command = echo Ready ${POD_IP}!" ], @@ -1654,8 +1643,6 @@ "tests/kata/data/pod-exec/policy.rego:1192: ExecProcessRequest 3: i_command = echo ${ISTIO_META_APP_CONTAINERS}", "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo ${ISTIO_META_APP_CONTAINERS}", "tests/kata/data/pod-exec/policy.rego:1201: ExecProcessRequest 2: true", - "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo Ready ${POD_IP}!", - "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo ${ISTIO_META_NODE_NAME} startup", "tests/kata/data/pod-exec/policy.rego:1204: ExecProcessRequest 3: input = {\"container_id\": \"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6\", \"exec_id\": \"91fdfbb6-07fa-4db6-b0be-c4a96f9a55f0\", \"process\": {\"ApparmorProfile\": \"\", \"Args\": [\"echo\", \"${ISTIO_META_APP_CONTAINERS}\"], \"Capabilities\": null, \"ConsoleSize\": null, \"Cwd\": \"/\", \"Env\": [\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\", \"HOSTNAME=exec-test\", \"POD_IP=10.244.0.16\", \"SERVICE_ACCOUNT=default\", \"POD_NAME=exec-test\", \"POD_NAMESPACE=default\", \"PROXY_CONFIG={}\\n\", \"ISTIO_META_POD_PORTS=[\\n]\", \"ISTIO_META_APP_CONTAINERS=serviceaclient\", \"ISTIO_META_CLUSTER_ID=Kubernetes\", \"ISTIO_META_NODE_NAME=aks-nodepool1-38464071-vmss000000\", \"KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1\", \"KUBERNETES_SERVICE_HOST=10.0.0.1\", \"KUBERNETES_SERVICE_PORT=443\", \"KUBERNETES_SERVICE_PORT_HTTPS=443\", \"KUBERNETES_PORT=tcp://10.0.0.1:443\", \"KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443\", \"KUBERNETES_PORT_443_TCP_PROTO=tcp\", \"KUBERNETES_PORT_443_TCP_PORT=443\"], \"NoNewPrivileges\": false, \"OOMScoreAdj\": 0, \"Rlimits\": [], \"SelinuxLabel\": \"\", \"Terminal\": false, \"User\": {\"AdditionalGids\": [0, 10], \"GID\": 0, \"UID\": 0, \"Username\": \"\"}}, \"string_user\": null}", "tests/kata/data/pod-exec/policy.rego:1207: ExecProcessRequest 3: i_command = echo ${ISTIO_META_APP_CONTAINERS}" ], @@ -1667,7 +1654,6 @@ "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo ${ISTIO_META_APP_CONTAINERS}", "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo Ready ${POD_IP}!", "tests/kata/data/pod-exec/policy.rego:1201: ExecProcessRequest 2: true", - "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo ${ISTIO_META_NODE_NAME} startup", "tests/kata/data/pod-exec/policy.rego:1204: ExecProcessRequest 3: input = {\"container_id\": \"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6\", \"exec_id\": \"37faef9b-60ad-4b1d-a421-9481e3e4f155\", \"process\": {\"ApparmorProfile\": \"\", \"Args\": [\"echo\", \"Ready ${POD_IP}!\"], \"Capabilities\": null, \"ConsoleSize\": null, \"Cwd\": \"/\", \"Env\": [\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\", \"HOSTNAME=exec-test\", \"POD_IP=10.244.0.16\", \"SERVICE_ACCOUNT=default\", \"POD_NAME=exec-test\", \"POD_NAMESPACE=default\", \"PROXY_CONFIG={}\\n\", \"ISTIO_META_POD_PORTS=[\\n]\", \"ISTIO_META_APP_CONTAINERS=serviceaclient\", \"ISTIO_META_CLUSTER_ID=Kubernetes\", \"ISTIO_META_NODE_NAME=aks-nodepool1-38464071-vmss000000\", \"KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1\", \"KUBERNETES_SERVICE_HOST=10.0.0.1\", \"KUBERNETES_SERVICE_PORT=443\", \"KUBERNETES_SERVICE_PORT_HTTPS=443\", \"KUBERNETES_PORT=tcp://10.0.0.1:443\", \"KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443\", \"KUBERNETES_PORT_443_TCP_PROTO=tcp\", \"KUBERNETES_PORT_443_TCP_PORT=443\"], \"NoNewPrivileges\": false, \"OOMScoreAdj\": 0, \"Rlimits\": [], \"SelinuxLabel\": \"\", \"Terminal\": false, \"User\": {\"AdditionalGids\": [0, 10], \"GID\": 0, \"UID\": 0, \"Username\": \"\"}}, \"string_user\": null}", "tests/kata/data/pod-exec/policy.rego:1207: ExecProcessRequest 3: i_command = echo Ready ${POD_IP}!" ], @@ -1680,8 +1666,6 @@ "tests/kata/data/pod-exec/policy.rego:1192: ExecProcessRequest 3: i_command = echo ${ISTIO_META_APP_CONTAINERS}", "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo ${ISTIO_META_APP_CONTAINERS}", "tests/kata/data/pod-exec/policy.rego:1201: ExecProcessRequest 2: true", - "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo Ready ${POD_IP}!", - "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo ${ISTIO_META_NODE_NAME} startup", "tests/kata/data/pod-exec/policy.rego:1204: ExecProcessRequest 3: input = {\"container_id\": \"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6\", \"exec_id\": \"45cce89a-2b14-4af8-a139-a24246b3def0\", \"process\": {\"ApparmorProfile\": \"\", \"Args\": [\"echo\", \"${ISTIO_META_APP_CONTAINERS}\"], \"Capabilities\": null, \"ConsoleSize\": null, \"Cwd\": \"/\", \"Env\": [\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\", \"HOSTNAME=exec-test\", \"POD_IP=10.244.0.16\", \"SERVICE_ACCOUNT=default\", \"POD_NAME=exec-test\", \"POD_NAMESPACE=default\", \"PROXY_CONFIG={}\\n\", \"ISTIO_META_POD_PORTS=[\\n]\", \"ISTIO_META_APP_CONTAINERS=serviceaclient\", \"ISTIO_META_CLUSTER_ID=Kubernetes\", \"ISTIO_META_NODE_NAME=aks-nodepool1-38464071-vmss000000\", \"KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1\", \"KUBERNETES_SERVICE_HOST=10.0.0.1\", \"KUBERNETES_SERVICE_PORT=443\", \"KUBERNETES_SERVICE_PORT_HTTPS=443\", \"KUBERNETES_PORT=tcp://10.0.0.1:443\", \"KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443\", \"KUBERNETES_PORT_443_TCP_PROTO=tcp\", \"KUBERNETES_PORT_443_TCP_PORT=443\"], \"NoNewPrivileges\": false, \"OOMScoreAdj\": 0, \"Rlimits\": [], \"SelinuxLabel\": \"\", \"Terminal\": false, \"User\": {\"AdditionalGids\": [0, 10], \"GID\": 0, \"UID\": 0, \"Username\": \"\"}}, \"string_user\": null}", "tests/kata/data/pod-exec/policy.rego:1207: ExecProcessRequest 3: i_command = echo ${ISTIO_META_APP_CONTAINERS}" ], @@ -1693,7 +1677,6 @@ "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo ${ISTIO_META_APP_CONTAINERS}", "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo Ready ${POD_IP}!", "tests/kata/data/pod-exec/policy.rego:1201: ExecProcessRequest 2: true", - "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo ${ISTIO_META_NODE_NAME} startup", "tests/kata/data/pod-exec/policy.rego:1204: ExecProcessRequest 3: input = {\"container_id\": \"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6\", \"exec_id\": \"3e1adff3-61e4-467e-9b4c-f74e253287b3\", \"process\": {\"ApparmorProfile\": \"\", \"Args\": [\"echo\", \"Ready ${POD_IP}!\"], \"Capabilities\": null, \"ConsoleSize\": null, \"Cwd\": \"/\", \"Env\": [\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\", \"HOSTNAME=exec-test\", \"POD_IP=10.244.0.16\", \"SERVICE_ACCOUNT=default\", \"POD_NAME=exec-test\", \"POD_NAMESPACE=default\", \"PROXY_CONFIG={}\\n\", \"ISTIO_META_POD_PORTS=[\\n]\", \"ISTIO_META_APP_CONTAINERS=serviceaclient\", \"ISTIO_META_CLUSTER_ID=Kubernetes\", \"ISTIO_META_NODE_NAME=aks-nodepool1-38464071-vmss000000\", \"KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1\", \"KUBERNETES_SERVICE_HOST=10.0.0.1\", \"KUBERNETES_SERVICE_PORT=443\", \"KUBERNETES_SERVICE_PORT_HTTPS=443\", \"KUBERNETES_PORT=tcp://10.0.0.1:443\", \"KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443\", \"KUBERNETES_PORT_443_TCP_PROTO=tcp\", \"KUBERNETES_PORT_443_TCP_PORT=443\"], \"NoNewPrivileges\": false, \"OOMScoreAdj\": 0, \"Rlimits\": [], \"SelinuxLabel\": \"\", \"Terminal\": false, \"User\": {\"AdditionalGids\": [0, 10], \"GID\": 0, \"UID\": 0, \"Username\": \"\"}}, \"string_user\": null}", "tests/kata/data/pod-exec/policy.rego:1207: ExecProcessRequest 3: i_command = echo Ready ${POD_IP}!" ], @@ -1707,7 +1690,6 @@ "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo ${ISTIO_META_APP_CONTAINERS}", "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo Ready ${POD_IP}!", "tests/kata/data/pod-exec/policy.rego:1201: ExecProcessRequest 2: true", - "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo ${ISTIO_META_NODE_NAME} startup", "tests/kata/data/pod-exec/policy.rego:1204: ExecProcessRequest 3: input = {\"container_id\": \"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6\", \"exec_id\": \"1e3e1846-0136-4a05-aa7b-29601f7503f7\", \"process\": {\"ApparmorProfile\": \"\", \"Args\": [\"echo\", \"Ready ${POD_IP}!\"], \"Capabilities\": null, \"ConsoleSize\": null, \"Cwd\": \"/\", \"Env\": [\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\", \"HOSTNAME=exec-test\", \"POD_IP=10.244.0.16\", \"SERVICE_ACCOUNT=default\", \"POD_NAME=exec-test\", \"POD_NAMESPACE=default\", \"PROXY_CONFIG={}\\n\", \"ISTIO_META_POD_PORTS=[\\n]\", \"ISTIO_META_APP_CONTAINERS=serviceaclient\", \"ISTIO_META_CLUSTER_ID=Kubernetes\", \"ISTIO_META_NODE_NAME=aks-nodepool1-38464071-vmss000000\", \"KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1\", \"KUBERNETES_SERVICE_HOST=10.0.0.1\", \"KUBERNETES_SERVICE_PORT=443\", \"KUBERNETES_SERVICE_PORT_HTTPS=443\", \"KUBERNETES_PORT=tcp://10.0.0.1:443\", \"KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443\", \"KUBERNETES_PORT_443_TCP_PROTO=tcp\", \"KUBERNETES_PORT_443_TCP_PORT=443\"], \"NoNewPrivileges\": false, \"OOMScoreAdj\": 0, \"Rlimits\": [], \"SelinuxLabel\": \"\", \"Terminal\": false, \"User\": {\"AdditionalGids\": [0, 10], \"GID\": 0, \"UID\": 0, \"Username\": \"\"}}, \"string_user\": null}", "tests/kata/data/pod-exec/policy.rego:1207: ExecProcessRequest 3: i_command = echo Ready ${POD_IP}!" ], @@ -1718,8 +1700,6 @@ "tests/kata/data/pod-exec/policy.rego:1192: ExecProcessRequest 3: i_command = echo ${ISTIO_META_APP_CONTAINERS}", "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo ${ISTIO_META_APP_CONTAINERS}", "tests/kata/data/pod-exec/policy.rego:1201: ExecProcessRequest 2: true", - "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo Ready ${POD_IP}!", - "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo ${ISTIO_META_NODE_NAME} startup", "tests/kata/data/pod-exec/policy.rego:1204: ExecProcessRequest 3: input = {\"container_id\": \"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6\", \"exec_id\": \"f8119a2e-06c8-4e6e-b94d-c7d360ae0c6e\", \"process\": {\"ApparmorProfile\": \"\", \"Args\": [\"echo\", \"${ISTIO_META_APP_CONTAINERS}\"], \"Capabilities\": null, \"ConsoleSize\": null, \"Cwd\": \"/\", \"Env\": [\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\", \"HOSTNAME=exec-test\", \"POD_IP=10.244.0.16\", \"SERVICE_ACCOUNT=default\", \"POD_NAME=exec-test\", \"POD_NAMESPACE=default\", \"PROXY_CONFIG={}\\n\", \"ISTIO_META_POD_PORTS=[\\n]\", \"ISTIO_META_APP_CONTAINERS=serviceaclient\", \"ISTIO_META_CLUSTER_ID=Kubernetes\", \"ISTIO_META_NODE_NAME=aks-nodepool1-38464071-vmss000000\", \"KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1\", \"KUBERNETES_SERVICE_HOST=10.0.0.1\", \"KUBERNETES_SERVICE_PORT=443\", \"KUBERNETES_SERVICE_PORT_HTTPS=443\", \"KUBERNETES_PORT=tcp://10.0.0.1:443\", \"KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443\", \"KUBERNETES_PORT_443_TCP_PROTO=tcp\", \"KUBERNETES_PORT_443_TCP_PORT=443\"], \"NoNewPrivileges\": false, \"OOMScoreAdj\": 0, \"Rlimits\": [], \"SelinuxLabel\": \"\", \"Terminal\": false, \"User\": {\"AdditionalGids\": [0, 10], \"GID\": 0, \"UID\": 0, \"Username\": \"\"}}, \"string_user\": null}", "tests/kata/data/pod-exec/policy.rego:1207: ExecProcessRequest 3: i_command = echo ${ISTIO_META_APP_CONTAINERS}" ], @@ -1733,7 +1713,6 @@ "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo ${ISTIO_META_APP_CONTAINERS}", "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo Ready ${POD_IP}!", "tests/kata/data/pod-exec/policy.rego:1201: ExecProcessRequest 2: true", - "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo ${ISTIO_META_NODE_NAME} startup", "tests/kata/data/pod-exec/policy.rego:1204: ExecProcessRequest 3: input = {\"container_id\": \"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6\", \"exec_id\": \"4afec5b2-c29e-42f6-adbb-410b398dc377\", \"process\": {\"ApparmorProfile\": \"\", \"Args\": [\"echo\", \"Ready ${POD_IP}!\"], \"Capabilities\": null, \"ConsoleSize\": null, \"Cwd\": \"/\", \"Env\": [\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\", \"HOSTNAME=exec-test\", \"POD_IP=10.244.0.16\", \"SERVICE_ACCOUNT=default\", \"POD_NAME=exec-test\", \"POD_NAMESPACE=default\", \"PROXY_CONFIG={}\\n\", \"ISTIO_META_POD_PORTS=[\\n]\", \"ISTIO_META_APP_CONTAINERS=serviceaclient\", \"ISTIO_META_CLUSTER_ID=Kubernetes\", \"ISTIO_META_NODE_NAME=aks-nodepool1-38464071-vmss000000\", \"KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1\", \"KUBERNETES_SERVICE_HOST=10.0.0.1\", \"KUBERNETES_SERVICE_PORT=443\", \"KUBERNETES_SERVICE_PORT_HTTPS=443\", \"KUBERNETES_PORT=tcp://10.0.0.1:443\", \"KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443\", \"KUBERNETES_PORT_443_TCP_PROTO=tcp\", \"KUBERNETES_PORT_443_TCP_PORT=443\"], \"NoNewPrivileges\": false, \"OOMScoreAdj\": 0, \"Rlimits\": [], \"SelinuxLabel\": \"\", \"Terminal\": false, \"User\": {\"AdditionalGids\": [0, 10], \"GID\": 0, \"UID\": 0, \"Username\": \"\"}}, \"string_user\": null}", "tests/kata/data/pod-exec/policy.rego:1207: ExecProcessRequest 3: i_command = echo Ready ${POD_IP}!" ], @@ -1744,8 +1723,6 @@ "tests/kata/data/pod-exec/policy.rego:1192: ExecProcessRequest 3: i_command = echo ${ISTIO_META_APP_CONTAINERS}", "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo ${ISTIO_META_APP_CONTAINERS}", "tests/kata/data/pod-exec/policy.rego:1201: ExecProcessRequest 2: true", - "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo Ready ${POD_IP}!", - "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo ${ISTIO_META_NODE_NAME} startup", "tests/kata/data/pod-exec/policy.rego:1204: ExecProcessRequest 3: input = {\"container_id\": \"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6\", \"exec_id\": \"f6abfe03-0dca-41e8-b6a5-d4364c205005\", \"process\": {\"ApparmorProfile\": \"\", \"Args\": [\"echo\", \"${ISTIO_META_APP_CONTAINERS}\"], \"Capabilities\": null, \"ConsoleSize\": null, \"Cwd\": \"/\", \"Env\": [\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\", \"HOSTNAME=exec-test\", \"POD_IP=10.244.0.16\", \"SERVICE_ACCOUNT=default\", \"POD_NAME=exec-test\", \"POD_NAMESPACE=default\", \"PROXY_CONFIG={}\\n\", \"ISTIO_META_POD_PORTS=[\\n]\", \"ISTIO_META_APP_CONTAINERS=serviceaclient\", \"ISTIO_META_CLUSTER_ID=Kubernetes\", \"ISTIO_META_NODE_NAME=aks-nodepool1-38464071-vmss000000\", \"KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1\", \"KUBERNETES_SERVICE_HOST=10.0.0.1\", \"KUBERNETES_SERVICE_PORT=443\", \"KUBERNETES_SERVICE_PORT_HTTPS=443\", \"KUBERNETES_PORT=tcp://10.0.0.1:443\", \"KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443\", \"KUBERNETES_PORT_443_TCP_PROTO=tcp\", \"KUBERNETES_PORT_443_TCP_PORT=443\"], \"NoNewPrivileges\": false, \"OOMScoreAdj\": 0, \"Rlimits\": [], \"SelinuxLabel\": \"\", \"Terminal\": false, \"User\": {\"AdditionalGids\": [0, 10], \"GID\": 0, \"UID\": 0, \"Username\": \"\"}}, \"string_user\": null}", "tests/kata/data/pod-exec/policy.rego:1207: ExecProcessRequest 3: i_command = echo ${ISTIO_META_APP_CONTAINERS}" ], @@ -1758,8 +1735,6 @@ "tests/kata/data/pod-exec/policy.rego:1192: ExecProcessRequest 3: i_command = echo ${ISTIO_META_APP_CONTAINERS}", "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo ${ISTIO_META_APP_CONTAINERS}", "tests/kata/data/pod-exec/policy.rego:1201: ExecProcessRequest 2: true", - "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo Ready ${POD_IP}!", - "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo ${ISTIO_META_NODE_NAME} startup", "tests/kata/data/pod-exec/policy.rego:1204: ExecProcessRequest 3: input = {\"container_id\": \"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6\", \"exec_id\": \"00945adb-7fa5-43b6-8dc0-b5d36378d1dc\", \"process\": {\"ApparmorProfile\": \"\", \"Args\": [\"echo\", \"${ISTIO_META_APP_CONTAINERS}\"], \"Capabilities\": null, \"ConsoleSize\": null, \"Cwd\": \"/\", \"Env\": [\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\", \"HOSTNAME=exec-test\", \"POD_IP=10.244.0.16\", \"SERVICE_ACCOUNT=default\", \"POD_NAME=exec-test\", \"POD_NAMESPACE=default\", \"PROXY_CONFIG={}\\n\", \"ISTIO_META_POD_PORTS=[\\n]\", \"ISTIO_META_APP_CONTAINERS=serviceaclient\", \"ISTIO_META_CLUSTER_ID=Kubernetes\", \"ISTIO_META_NODE_NAME=aks-nodepool1-38464071-vmss000000\", \"KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1\", \"KUBERNETES_SERVICE_HOST=10.0.0.1\", \"KUBERNETES_SERVICE_PORT=443\", \"KUBERNETES_SERVICE_PORT_HTTPS=443\", \"KUBERNETES_PORT=tcp://10.0.0.1:443\", \"KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443\", \"KUBERNETES_PORT_443_TCP_PROTO=tcp\", \"KUBERNETES_PORT_443_TCP_PORT=443\"], \"NoNewPrivileges\": false, \"OOMScoreAdj\": 0, \"Rlimits\": [], \"SelinuxLabel\": \"\", \"Terminal\": false, \"User\": {\"AdditionalGids\": [0, 10], \"GID\": 0, \"UID\": 0, \"Username\": \"\"}}, \"string_user\": null}", "tests/kata/data/pod-exec/policy.rego:1207: ExecProcessRequest 3: i_command = echo ${ISTIO_META_APP_CONTAINERS}" ], @@ -1771,7 +1746,6 @@ "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo ${ISTIO_META_APP_CONTAINERS}", "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo Ready ${POD_IP}!", "tests/kata/data/pod-exec/policy.rego:1201: ExecProcessRequest 2: true", - "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo ${ISTIO_META_NODE_NAME} startup", "tests/kata/data/pod-exec/policy.rego:1204: ExecProcessRequest 3: input = {\"container_id\": \"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6\", \"exec_id\": \"301bb564-c4fd-484b-8c46-4044c051ba9f\", \"process\": {\"ApparmorProfile\": \"\", \"Args\": [\"echo\", \"Ready ${POD_IP}!\"], \"Capabilities\": null, \"ConsoleSize\": null, \"Cwd\": \"/\", \"Env\": [\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\", \"HOSTNAME=exec-test\", \"POD_IP=10.244.0.16\", \"SERVICE_ACCOUNT=default\", \"POD_NAME=exec-test\", \"POD_NAMESPACE=default\", \"PROXY_CONFIG={}\\n\", \"ISTIO_META_POD_PORTS=[\\n]\", \"ISTIO_META_APP_CONTAINERS=serviceaclient\", \"ISTIO_META_CLUSTER_ID=Kubernetes\", \"ISTIO_META_NODE_NAME=aks-nodepool1-38464071-vmss000000\", \"KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1\", \"KUBERNETES_SERVICE_HOST=10.0.0.1\", \"KUBERNETES_SERVICE_PORT=443\", \"KUBERNETES_SERVICE_PORT_HTTPS=443\", \"KUBERNETES_PORT=tcp://10.0.0.1:443\", \"KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443\", \"KUBERNETES_PORT_443_TCP_PROTO=tcp\", \"KUBERNETES_PORT_443_TCP_PORT=443\"], \"NoNewPrivileges\": false, \"OOMScoreAdj\": 0, \"Rlimits\": [], \"SelinuxLabel\": \"\", \"Terminal\": false, \"User\": {\"AdditionalGids\": [0, 10], \"GID\": 0, \"UID\": 0, \"Username\": \"\"}}, \"string_user\": null}", "tests/kata/data/pod-exec/policy.rego:1207: ExecProcessRequest 3: i_command = echo Ready ${POD_IP}!" ], @@ -1784,8 +1758,6 @@ "tests/kata/data/pod-exec/policy.rego:1192: ExecProcessRequest 3: i_command = echo ${ISTIO_META_APP_CONTAINERS}", "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo ${ISTIO_META_APP_CONTAINERS}", "tests/kata/data/pod-exec/policy.rego:1201: ExecProcessRequest 2: true", - "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo Ready ${POD_IP}!", - "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo ${ISTIO_META_NODE_NAME} startup", "tests/kata/data/pod-exec/policy.rego:1204: ExecProcessRequest 3: input = {\"container_id\": \"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6\", \"exec_id\": \"28470f50-4f0c-4fca-a247-9634c70d5512\", \"process\": {\"ApparmorProfile\": \"\", \"Args\": [\"echo\", \"${ISTIO_META_APP_CONTAINERS}\"], \"Capabilities\": null, \"ConsoleSize\": null, \"Cwd\": \"/\", \"Env\": [\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\", \"HOSTNAME=exec-test\", \"POD_IP=10.244.0.16\", \"SERVICE_ACCOUNT=default\", \"POD_NAME=exec-test\", \"POD_NAMESPACE=default\", \"PROXY_CONFIG={}\\n\", \"ISTIO_META_POD_PORTS=[\\n]\", \"ISTIO_META_APP_CONTAINERS=serviceaclient\", \"ISTIO_META_CLUSTER_ID=Kubernetes\", \"ISTIO_META_NODE_NAME=aks-nodepool1-38464071-vmss000000\", \"KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1\", \"KUBERNETES_SERVICE_HOST=10.0.0.1\", \"KUBERNETES_SERVICE_PORT=443\", \"KUBERNETES_SERVICE_PORT_HTTPS=443\", \"KUBERNETES_PORT=tcp://10.0.0.1:443\", \"KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443\", \"KUBERNETES_PORT_443_TCP_PROTO=tcp\", \"KUBERNETES_PORT_443_TCP_PORT=443\"], \"NoNewPrivileges\": false, \"OOMScoreAdj\": 0, \"Rlimits\": [], \"SelinuxLabel\": \"\", \"Terminal\": false, \"User\": {\"AdditionalGids\": [0, 10], \"GID\": 0, \"UID\": 0, \"Username\": \"\"}}, \"string_user\": null}", "tests/kata/data/pod-exec/policy.rego:1207: ExecProcessRequest 3: i_command = echo ${ISTIO_META_APP_CONTAINERS}" ], @@ -1797,7 +1769,6 @@ "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo ${ISTIO_META_APP_CONTAINERS}", "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo Ready ${POD_IP}!", "tests/kata/data/pod-exec/policy.rego:1201: ExecProcessRequest 2: true", - "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo ${ISTIO_META_NODE_NAME} startup", "tests/kata/data/pod-exec/policy.rego:1204: ExecProcessRequest 3: input = {\"container_id\": \"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6\", \"exec_id\": \"bbe55000-3e78-43a4-963a-c762cde3a0e2\", \"process\": {\"ApparmorProfile\": \"\", \"Args\": [\"echo\", \"Ready ${POD_IP}!\"], \"Capabilities\": null, \"ConsoleSize\": null, \"Cwd\": \"/\", \"Env\": [\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\", \"HOSTNAME=exec-test\", \"POD_IP=10.244.0.16\", \"SERVICE_ACCOUNT=default\", \"POD_NAME=exec-test\", \"POD_NAMESPACE=default\", \"PROXY_CONFIG={}\\n\", \"ISTIO_META_POD_PORTS=[\\n]\", \"ISTIO_META_APP_CONTAINERS=serviceaclient\", \"ISTIO_META_CLUSTER_ID=Kubernetes\", \"ISTIO_META_NODE_NAME=aks-nodepool1-38464071-vmss000000\", \"KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1\", \"KUBERNETES_SERVICE_HOST=10.0.0.1\", \"KUBERNETES_SERVICE_PORT=443\", \"KUBERNETES_SERVICE_PORT_HTTPS=443\", \"KUBERNETES_PORT=tcp://10.0.0.1:443\", \"KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443\", \"KUBERNETES_PORT_443_TCP_PROTO=tcp\", \"KUBERNETES_PORT_443_TCP_PORT=443\"], \"NoNewPrivileges\": false, \"OOMScoreAdj\": 0, \"Rlimits\": [], \"SelinuxLabel\": \"\", \"Terminal\": false, \"User\": {\"AdditionalGids\": [0, 10], \"GID\": 0, \"UID\": 0, \"Username\": \"\"}}, \"string_user\": null}", "tests/kata/data/pod-exec/policy.rego:1207: ExecProcessRequest 3: i_command = echo Ready ${POD_IP}!" ], @@ -1810,8 +1781,6 @@ "tests/kata/data/pod-exec/policy.rego:1192: ExecProcessRequest 3: i_command = echo ${ISTIO_META_APP_CONTAINERS}", "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo ${ISTIO_META_APP_CONTAINERS}", "tests/kata/data/pod-exec/policy.rego:1201: ExecProcessRequest 2: true", - "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo Ready ${POD_IP}!", - "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo ${ISTIO_META_NODE_NAME} startup", "tests/kata/data/pod-exec/policy.rego:1204: ExecProcessRequest 3: input = {\"container_id\": \"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6\", \"exec_id\": \"ac547fa2-97c2-4026-9e5a-5c1a51a2fdb1\", \"process\": {\"ApparmorProfile\": \"\", \"Args\": [\"echo\", \"${ISTIO_META_APP_CONTAINERS}\"], \"Capabilities\": null, \"ConsoleSize\": null, \"Cwd\": \"/\", \"Env\": [\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\", \"HOSTNAME=exec-test\", \"POD_IP=10.244.0.16\", \"SERVICE_ACCOUNT=default\", \"POD_NAME=exec-test\", \"POD_NAMESPACE=default\", \"PROXY_CONFIG={}\\n\", \"ISTIO_META_POD_PORTS=[\\n]\", \"ISTIO_META_APP_CONTAINERS=serviceaclient\", \"ISTIO_META_CLUSTER_ID=Kubernetes\", \"ISTIO_META_NODE_NAME=aks-nodepool1-38464071-vmss000000\", \"KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1\", \"KUBERNETES_SERVICE_HOST=10.0.0.1\", \"KUBERNETES_SERVICE_PORT=443\", \"KUBERNETES_SERVICE_PORT_HTTPS=443\", \"KUBERNETES_PORT=tcp://10.0.0.1:443\", \"KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443\", \"KUBERNETES_PORT_443_TCP_PROTO=tcp\", \"KUBERNETES_PORT_443_TCP_PORT=443\"], \"NoNewPrivileges\": false, \"OOMScoreAdj\": 0, \"Rlimits\": [], \"SelinuxLabel\": \"\", \"Terminal\": false, \"User\": {\"AdditionalGids\": [0, 10], \"GID\": 0, \"UID\": 0, \"Username\": \"\"}}, \"string_user\": null}", "tests/kata/data/pod-exec/policy.rego:1207: ExecProcessRequest 3: i_command = echo ${ISTIO_META_APP_CONTAINERS}" ], @@ -1823,7 +1792,6 @@ "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo ${ISTIO_META_APP_CONTAINERS}", "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo Ready ${POD_IP}!", "tests/kata/data/pod-exec/policy.rego:1201: ExecProcessRequest 2: true", - "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo ${ISTIO_META_NODE_NAME} startup", "tests/kata/data/pod-exec/policy.rego:1204: ExecProcessRequest 3: input = {\"container_id\": \"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6\", \"exec_id\": \"de7ce829-d867-4ada-a8df-08de72c3fec2\", \"process\": {\"ApparmorProfile\": \"\", \"Args\": [\"echo\", \"Ready ${POD_IP}!\"], \"Capabilities\": null, \"ConsoleSize\": null, \"Cwd\": \"/\", \"Env\": [\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\", \"HOSTNAME=exec-test\", \"POD_IP=10.244.0.16\", \"SERVICE_ACCOUNT=default\", \"POD_NAME=exec-test\", \"POD_NAMESPACE=default\", \"PROXY_CONFIG={}\\n\", \"ISTIO_META_POD_PORTS=[\\n]\", \"ISTIO_META_APP_CONTAINERS=serviceaclient\", \"ISTIO_META_CLUSTER_ID=Kubernetes\", \"ISTIO_META_NODE_NAME=aks-nodepool1-38464071-vmss000000\", \"KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1\", \"KUBERNETES_SERVICE_HOST=10.0.0.1\", \"KUBERNETES_SERVICE_PORT=443\", \"KUBERNETES_SERVICE_PORT_HTTPS=443\", \"KUBERNETES_PORT=tcp://10.0.0.1:443\", \"KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443\", \"KUBERNETES_PORT_443_TCP_PROTO=tcp\", \"KUBERNETES_PORT_443_TCP_PORT=443\"], \"NoNewPrivileges\": false, \"OOMScoreAdj\": 0, \"Rlimits\": [], \"SelinuxLabel\": \"\", \"Terminal\": false, \"User\": {\"AdditionalGids\": [0, 10], \"GID\": 0, \"UID\": 0, \"Username\": \"\"}}, \"string_user\": null}", "tests/kata/data/pod-exec/policy.rego:1207: ExecProcessRequest 3: i_command = echo Ready ${POD_IP}!" ], @@ -1836,8 +1804,6 @@ "tests/kata/data/pod-exec/policy.rego:1192: ExecProcessRequest 3: i_command = echo ${ISTIO_META_APP_CONTAINERS}", "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo ${ISTIO_META_APP_CONTAINERS}", "tests/kata/data/pod-exec/policy.rego:1201: ExecProcessRequest 2: true", - "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo Ready ${POD_IP}!", - "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo ${ISTIO_META_NODE_NAME} startup", "tests/kata/data/pod-exec/policy.rego:1204: ExecProcessRequest 3: input = {\"container_id\": \"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6\", \"exec_id\": \"a1b1e13c-d22f-41e6-857f-dd256f3f0d6a\", \"process\": {\"ApparmorProfile\": \"\", \"Args\": [\"echo\", \"${ISTIO_META_APP_CONTAINERS}\"], \"Capabilities\": null, \"ConsoleSize\": null, \"Cwd\": \"/\", \"Env\": [\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\", \"HOSTNAME=exec-test\", \"POD_IP=10.244.0.16\", \"SERVICE_ACCOUNT=default\", \"POD_NAME=exec-test\", \"POD_NAMESPACE=default\", \"PROXY_CONFIG={}\\n\", \"ISTIO_META_POD_PORTS=[\\n]\", \"ISTIO_META_APP_CONTAINERS=serviceaclient\", \"ISTIO_META_CLUSTER_ID=Kubernetes\", \"ISTIO_META_NODE_NAME=aks-nodepool1-38464071-vmss000000\", \"KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1\", \"KUBERNETES_SERVICE_HOST=10.0.0.1\", \"KUBERNETES_SERVICE_PORT=443\", \"KUBERNETES_SERVICE_PORT_HTTPS=443\", \"KUBERNETES_PORT=tcp://10.0.0.1:443\", \"KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443\", \"KUBERNETES_PORT_443_TCP_PROTO=tcp\", \"KUBERNETES_PORT_443_TCP_PORT=443\"], \"NoNewPrivileges\": false, \"OOMScoreAdj\": 0, \"Rlimits\": [], \"SelinuxLabel\": \"\", \"Terminal\": false, \"User\": {\"AdditionalGids\": [0, 10], \"GID\": 0, \"UID\": 0, \"Username\": \"\"}}, \"string_user\": null}", "tests/kata/data/pod-exec/policy.rego:1207: ExecProcessRequest 3: i_command = echo ${ISTIO_META_APP_CONTAINERS}" ], @@ -1849,7 +1815,6 @@ "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo ${ISTIO_META_APP_CONTAINERS}", "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo Ready ${POD_IP}!", "tests/kata/data/pod-exec/policy.rego:1201: ExecProcessRequest 2: true", - "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo ${ISTIO_META_NODE_NAME} startup", "tests/kata/data/pod-exec/policy.rego:1204: ExecProcessRequest 3: input = {\"container_id\": \"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6\", \"exec_id\": \"bfb9e571-b1dd-4217-b4a5-6d4d7c277332\", \"process\": {\"ApparmorProfile\": \"\", \"Args\": [\"echo\", \"Ready ${POD_IP}!\"], \"Capabilities\": null, \"ConsoleSize\": null, \"Cwd\": \"/\", \"Env\": [\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\", \"HOSTNAME=exec-test\", \"POD_IP=10.244.0.16\", \"SERVICE_ACCOUNT=default\", \"POD_NAME=exec-test\", \"POD_NAMESPACE=default\", \"PROXY_CONFIG={}\\n\", \"ISTIO_META_POD_PORTS=[\\n]\", \"ISTIO_META_APP_CONTAINERS=serviceaclient\", \"ISTIO_META_CLUSTER_ID=Kubernetes\", \"ISTIO_META_NODE_NAME=aks-nodepool1-38464071-vmss000000\", \"KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1\", \"KUBERNETES_SERVICE_HOST=10.0.0.1\", \"KUBERNETES_SERVICE_PORT=443\", \"KUBERNETES_SERVICE_PORT_HTTPS=443\", \"KUBERNETES_PORT=tcp://10.0.0.1:443\", \"KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443\", \"KUBERNETES_PORT_443_TCP_PROTO=tcp\", \"KUBERNETES_PORT_443_TCP_PORT=443\"], \"NoNewPrivileges\": false, \"OOMScoreAdj\": 0, \"Rlimits\": [], \"SelinuxLabel\": \"\", \"Terminal\": false, \"User\": {\"AdditionalGids\": [0, 10], \"GID\": 0, \"UID\": 0, \"Username\": \"\"}}, \"string_user\": null}", "tests/kata/data/pod-exec/policy.rego:1207: ExecProcessRequest 3: i_command = echo Ready ${POD_IP}!" ], @@ -1863,7 +1828,6 @@ "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo ${ISTIO_META_APP_CONTAINERS}", "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo Ready ${POD_IP}!", "tests/kata/data/pod-exec/policy.rego:1201: ExecProcessRequest 2: true", - "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo ${ISTIO_META_NODE_NAME} startup", "tests/kata/data/pod-exec/policy.rego:1204: ExecProcessRequest 3: input = {\"container_id\": \"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6\", \"exec_id\": \"7829bfcf-0e79-4e1c-ab63-3e715f3551d7\", \"process\": {\"ApparmorProfile\": \"\", \"Args\": [\"echo\", \"Ready ${POD_IP}!\"], \"Capabilities\": null, \"ConsoleSize\": null, \"Cwd\": \"/\", \"Env\": [\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\", \"HOSTNAME=exec-test\", \"POD_IP=10.244.0.16\", \"SERVICE_ACCOUNT=default\", \"POD_NAME=exec-test\", \"POD_NAMESPACE=default\", \"PROXY_CONFIG={}\\n\", \"ISTIO_META_POD_PORTS=[\\n]\", \"ISTIO_META_APP_CONTAINERS=serviceaclient\", \"ISTIO_META_CLUSTER_ID=Kubernetes\", \"ISTIO_META_NODE_NAME=aks-nodepool1-38464071-vmss000000\", \"KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1\", \"KUBERNETES_SERVICE_HOST=10.0.0.1\", \"KUBERNETES_SERVICE_PORT=443\", \"KUBERNETES_SERVICE_PORT_HTTPS=443\", \"KUBERNETES_PORT=tcp://10.0.0.1:443\", \"KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443\", \"KUBERNETES_PORT_443_TCP_PROTO=tcp\", \"KUBERNETES_PORT_443_TCP_PORT=443\"], \"NoNewPrivileges\": false, \"OOMScoreAdj\": 0, \"Rlimits\": [], \"SelinuxLabel\": \"\", \"Terminal\": false, \"User\": {\"AdditionalGids\": [0, 10], \"GID\": 0, \"UID\": 0, \"Username\": \"\"}}, \"string_user\": null}", "tests/kata/data/pod-exec/policy.rego:1207: ExecProcessRequest 3: i_command = echo Ready ${POD_IP}!" ], @@ -1874,8 +1838,6 @@ "tests/kata/data/pod-exec/policy.rego:1192: ExecProcessRequest 3: i_command = echo ${ISTIO_META_APP_CONTAINERS}", "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo ${ISTIO_META_APP_CONTAINERS}", "tests/kata/data/pod-exec/policy.rego:1201: ExecProcessRequest 2: true", - "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo Ready ${POD_IP}!", - "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo ${ISTIO_META_NODE_NAME} startup", "tests/kata/data/pod-exec/policy.rego:1204: ExecProcessRequest 3: input = {\"container_id\": \"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6\", \"exec_id\": \"56ccd0f4-1142-49a4-9732-146efca8e771\", \"process\": {\"ApparmorProfile\": \"\", \"Args\": [\"echo\", \"${ISTIO_META_APP_CONTAINERS}\"], \"Capabilities\": null, \"ConsoleSize\": null, \"Cwd\": \"/\", \"Env\": [\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\", \"HOSTNAME=exec-test\", \"POD_IP=10.244.0.16\", \"SERVICE_ACCOUNT=default\", \"POD_NAME=exec-test\", \"POD_NAMESPACE=default\", \"PROXY_CONFIG={}\\n\", \"ISTIO_META_POD_PORTS=[\\n]\", \"ISTIO_META_APP_CONTAINERS=serviceaclient\", \"ISTIO_META_CLUSTER_ID=Kubernetes\", \"ISTIO_META_NODE_NAME=aks-nodepool1-38464071-vmss000000\", \"KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1\", \"KUBERNETES_SERVICE_HOST=10.0.0.1\", \"KUBERNETES_SERVICE_PORT=443\", \"KUBERNETES_SERVICE_PORT_HTTPS=443\", \"KUBERNETES_PORT=tcp://10.0.0.1:443\", \"KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443\", \"KUBERNETES_PORT_443_TCP_PROTO=tcp\", \"KUBERNETES_PORT_443_TCP_PORT=443\"], \"NoNewPrivileges\": false, \"OOMScoreAdj\": 0, \"Rlimits\": [], \"SelinuxLabel\": \"\", \"Terminal\": false, \"User\": {\"AdditionalGids\": [0, 10], \"GID\": 0, \"UID\": 0, \"Username\": \"\"}}, \"string_user\": null}", "tests/kata/data/pod-exec/policy.rego:1207: ExecProcessRequest 3: i_command = echo ${ISTIO_META_APP_CONTAINERS}" ], @@ -1888,8 +1850,6 @@ "tests/kata/data/pod-exec/policy.rego:1192: ExecProcessRequest 3: i_command = echo ${ISTIO_META_APP_CONTAINERS}", "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo ${ISTIO_META_APP_CONTAINERS}", "tests/kata/data/pod-exec/policy.rego:1201: ExecProcessRequest 2: true", - "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo Ready ${POD_IP}!", - "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo ${ISTIO_META_NODE_NAME} startup", "tests/kata/data/pod-exec/policy.rego:1204: ExecProcessRequest 3: input = {\"container_id\": \"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6\", \"exec_id\": \"ebb9afb5-e802-491d-9a4c-a49e9c0e655b\", \"process\": {\"ApparmorProfile\": \"\", \"Args\": [\"echo\", \"${ISTIO_META_APP_CONTAINERS}\"], \"Capabilities\": null, \"ConsoleSize\": null, \"Cwd\": \"/\", \"Env\": [\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\", \"HOSTNAME=exec-test\", \"POD_IP=10.244.0.16\", \"SERVICE_ACCOUNT=default\", \"POD_NAME=exec-test\", \"POD_NAMESPACE=default\", \"PROXY_CONFIG={}\\n\", \"ISTIO_META_POD_PORTS=[\\n]\", \"ISTIO_META_APP_CONTAINERS=serviceaclient\", \"ISTIO_META_CLUSTER_ID=Kubernetes\", \"ISTIO_META_NODE_NAME=aks-nodepool1-38464071-vmss000000\", \"KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1\", \"KUBERNETES_SERVICE_HOST=10.0.0.1\", \"KUBERNETES_SERVICE_PORT=443\", \"KUBERNETES_SERVICE_PORT_HTTPS=443\", \"KUBERNETES_PORT=tcp://10.0.0.1:443\", \"KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443\", \"KUBERNETES_PORT_443_TCP_PROTO=tcp\", \"KUBERNETES_PORT_443_TCP_PORT=443\"], \"NoNewPrivileges\": false, \"OOMScoreAdj\": 0, \"Rlimits\": [], \"SelinuxLabel\": \"\", \"Terminal\": false, \"User\": {\"AdditionalGids\": [0, 10], \"GID\": 0, \"UID\": 0, \"Username\": \"\"}}, \"string_user\": null}", "tests/kata/data/pod-exec/policy.rego:1207: ExecProcessRequest 3: i_command = echo ${ISTIO_META_APP_CONTAINERS}" ], @@ -1901,7 +1861,6 @@ "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo ${ISTIO_META_APP_CONTAINERS}", "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo Ready ${POD_IP}!", "tests/kata/data/pod-exec/policy.rego:1201: ExecProcessRequest 2: true", - "tests/kata/data/pod-exec/policy.rego:1196: ExecProcessRequest 2: p_command = echo ${ISTIO_META_NODE_NAME} startup", "tests/kata/data/pod-exec/policy.rego:1204: ExecProcessRequest 3: input = {\"container_id\": \"42cd455d88baf5b3d2a94fe7bdef82da5bcca78d6c2c62149724a952897bf5b6\", \"exec_id\": \"15ba4186-176e-4903-b8c9-672f676645ef\", \"process\": {\"ApparmorProfile\": \"\", \"Args\": [\"echo\", \"Ready ${POD_IP}!\"], \"Capabilities\": null, \"ConsoleSize\": null, \"Cwd\": \"/\", \"Env\": [\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\", \"HOSTNAME=exec-test\", \"POD_IP=10.244.0.16\", \"SERVICE_ACCOUNT=default\", \"POD_NAME=exec-test\", \"POD_NAMESPACE=default\", \"PROXY_CONFIG={}\\n\", \"ISTIO_META_POD_PORTS=[\\n]\", \"ISTIO_META_APP_CONTAINERS=serviceaclient\", \"ISTIO_META_CLUSTER_ID=Kubernetes\", \"ISTIO_META_NODE_NAME=aks-nodepool1-38464071-vmss000000\", \"KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1\", \"KUBERNETES_SERVICE_HOST=10.0.0.1\", \"KUBERNETES_SERVICE_PORT=443\", \"KUBERNETES_SERVICE_PORT_HTTPS=443\", \"KUBERNETES_PORT=tcp://10.0.0.1:443\", \"KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443\", \"KUBERNETES_PORT_443_TCP_PROTO=tcp\", \"KUBERNETES_PORT_443_TCP_PORT=443\"], \"NoNewPrivileges\": false, \"OOMScoreAdj\": 0, \"Rlimits\": [], \"SelinuxLabel\": \"\", \"Terminal\": false, \"User\": {\"AdditionalGids\": [0, 10], \"GID\": 0, \"UID\": 0, \"Username\": \"\"}}, \"string_user\": null}", "tests/kata/data/pod-exec/policy.rego:1207: ExecProcessRequest 3: i_command = echo Ready ${POD_IP}!" ], diff --git a/tests/kata/data/pod-lifecycle/prints.json b/tests/kata/data/pod-lifecycle/prints.json index 0df6e780..c788425e 100644 --- a/tests/kata/data/pod-lifecycle/prints.json +++ b/tests/kata/data/pod-lifecycle/prints.json @@ -394,11 +394,7 @@ "tests/kata/data/pod-lifecycle/policy.rego:395: allow_readonly_paths 1: true", "tests/kata/data/pod-lifecycle/policy.rego:398: allow_readonly_paths 2: start", "tests/kata/data/pod-lifecycle/policy.rego:346: allow_linux: true", - "tests/kata/data/pod-lifecycle/policy.rego:85: CreateContainerRequest: true", - "tests/kata/data/pod-lifecycle/policy.rego:63: ======== CreateContainerRequest: trying next policy container", - "tests/kata/data/pod-lifecycle/policy.rego:67: CreateContainerRequest: p_pidns = false i_pidns = false", - "tests/kata/data/pod-lifecycle/policy.rego:72: CreateContainerRequest: p Version = 1.1.0-rc.1 i Version = 1.1.0-rc.1", - "tests/kata/data/pod-lifecycle/policy.rego:75: CreateContainerRequest: p Readonly = false i Readonly = true" + "tests/kata/data/pod-lifecycle/policy.rego:85: CreateContainerRequest: true" ], [], [], diff --git a/tests/kata/data/pod-many-layers/prints.json b/tests/kata/data/pod-many-layers/prints.json index 340f7241..2d625c80 100644 --- a/tests/kata/data/pod-many-layers/prints.json +++ b/tests/kata/data/pod-many-layers/prints.json @@ -394,23 +394,7 @@ "tests/kata/data/pod-many-layers/policy.rego:395: allow_readonly_paths 1: true", "tests/kata/data/pod-many-layers/policy.rego:398: allow_readonly_paths 2: start", "tests/kata/data/pod-many-layers/policy.rego:346: allow_linux: true", - "tests/kata/data/pod-many-layers/policy.rego:85: CreateContainerRequest: true", - "tests/kata/data/pod-many-layers/policy.rego:63: ======== CreateContainerRequest: trying next policy container", - "tests/kata/data/pod-many-layers/policy.rego:67: CreateContainerRequest: p_pidns = false i_pidns = false", - "tests/kata/data/pod-many-layers/policy.rego:72: CreateContainerRequest: p Version = 1.1.0-rc.1 i Version = 1.1.0-rc.1", - "tests/kata/data/pod-many-layers/policy.rego:75: CreateContainerRequest: p Readonly = false i Readonly = true", - "tests/kata/data/pod-many-layers/policy.rego:63: ======== CreateContainerRequest: trying next policy container", - "tests/kata/data/pod-many-layers/policy.rego:67: CreateContainerRequest: p_pidns = false i_pidns = false", - "tests/kata/data/pod-many-layers/policy.rego:72: CreateContainerRequest: p Version = 1.1.0-rc.1 i Version = 1.1.0-rc.1", - "tests/kata/data/pod-many-layers/policy.rego:75: CreateContainerRequest: p Readonly = false i Readonly = true", - "tests/kata/data/pod-many-layers/policy.rego:63: ======== CreateContainerRequest: trying next policy container", - "tests/kata/data/pod-many-layers/policy.rego:67: CreateContainerRequest: p_pidns = false i_pidns = false", - "tests/kata/data/pod-many-layers/policy.rego:72: CreateContainerRequest: p Version = 1.1.0-rc.1 i Version = 1.1.0-rc.1", - "tests/kata/data/pod-many-layers/policy.rego:75: CreateContainerRequest: p Readonly = false i Readonly = true", - "tests/kata/data/pod-many-layers/policy.rego:63: ======== CreateContainerRequest: trying next policy container", - "tests/kata/data/pod-many-layers/policy.rego:67: CreateContainerRequest: p_pidns = false i_pidns = false", - "tests/kata/data/pod-many-layers/policy.rego:72: CreateContainerRequest: p Version = 1.1.0-rc.1 i Version = 1.1.0-rc.1", - "tests/kata/data/pod-many-layers/policy.rego:75: CreateContainerRequest: p Readonly = false i Readonly = true" + "tests/kata/data/pod-many-layers/policy.rego:85: CreateContainerRequest: true" ], [], [], @@ -2392,181 +2376,7 @@ "tests/kata/data/pod-many-layers/policy.rego:395: allow_readonly_paths 1: true", "tests/kata/data/pod-many-layers/policy.rego:398: allow_readonly_paths 2: start", "tests/kata/data/pod-many-layers/policy.rego:346: allow_linux: true", - "tests/kata/data/pod-many-layers/policy.rego:85: CreateContainerRequest: true", - "tests/kata/data/pod-many-layers/policy.rego:63: ======== CreateContainerRequest: trying next policy container", - "tests/kata/data/pod-many-layers/policy.rego:67: CreateContainerRequest: p_pidns = false i_pidns = false", - "tests/kata/data/pod-many-layers/policy.rego:72: CreateContainerRequest: p Version = 1.1.0-rc.1 i Version = 1.1.0-rc.1", - "tests/kata/data/pod-many-layers/policy.rego:75: CreateContainerRequest: p Readonly = false i Readonly = false", - "tests/kata/data/pod-many-layers/policy.rego:90: allow_anno 1: start", - "tests/kata/data/pod-many-layers/policy.rego:97: allow_anno 2: p Annotations = {\"io.katacontainers.pkg.oci.bundle_path\": \"/run/containerd/io.containerd.runtime.v2.task/k8s.io/$(bundle-id)\", \"io.katacontainers.pkg.oci.container_type\": \"pod_container\", \"io.kubernetes.cri.container-name\": \"bootloose\", \"io.kubernetes.cri.container-type\": \"container\", \"io.kubernetes.cri.image-name\": \"quay.io/k0sproject/bootloose-ubuntu22.04:latest\", \"io.kubernetes.cri.sandbox-id\": \"^[a-z0-9]{64}$\", \"io.kubernetes.cri.sandbox-name\": \"many-layers\", \"io.kubernetes.cri.sandbox-namespace\": \"default\"}", - "tests/kata/data/pod-many-layers/policy.rego:98: allow_anno 2: i Annotations = {\"io.katacontainers.pkg.oci.bundle_path\": \"/run/containerd/io.containerd.runtime.v2.task/k8s.io/3e18310a4ef5b67a048cd90c7a3e861095925bf9cdd9c9ebea8dfe9a14869d06\", \"io.katacontainers.pkg.oci.container_type\": \"pod_container\", \"io.kubernetes.cri.container-name\": \"footloose\", \"io.kubernetes.cri.container-type\": \"container\", \"io.kubernetes.cri.image-name\": \"quay.io/footloose/ubuntu18.04:latest\", \"io.kubernetes.cri.sandbox-id\": \"1a97281baf36632476e6601c47269dfa70f153b73add2ecad27d682a267cc03c\", \"io.kubernetes.cri.sandbox-name\": \"many-layers\", \"io.kubernetes.cri.sandbox-namespace\": \"default\", \"io.kubernetes.cri.sandbox-uid\": \"b78866ba-f3f0-4467-96f7-f610d8db99ac\"}", - "tests/kata/data/pod-many-layers/policy.rego:101: allow_anno 2: i keys = {\"io.katacontainers.pkg.oci.bundle_path\", \"io.katacontainers.pkg.oci.container_type\", \"io.kubernetes.cri.container-name\", \"io.kubernetes.cri.container-type\", \"io.kubernetes.cri.image-name\", \"io.kubernetes.cri.sandbox-id\", \"io.kubernetes.cri.sandbox-name\", \"io.kubernetes.cri.sandbox-namespace\", \"io.kubernetes.cri.sandbox-uid\"}", - "tests/kata/data/pod-many-layers/policy.rego:111: allow_anno_key 1: i key = io.katacontainers.pkg.oci.bundle_path", - "tests/kata/data/pod-many-layers/policy.rego:118: allow_anno_key 2: i key = io.katacontainers.pkg.oci.bundle_path", - "tests/kata/data/pod-many-layers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-many-layers/policy.rego:111: allow_anno_key 1: i key = io.katacontainers.pkg.oci.container_type", - "tests/kata/data/pod-many-layers/policy.rego:118: allow_anno_key 2: i key = io.katacontainers.pkg.oci.container_type", - "tests/kata/data/pod-many-layers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-many-layers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.container-name", - "tests/kata/data/pod-many-layers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-many-layers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.container-name", - "tests/kata/data/pod-many-layers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-many-layers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.container-type", - "tests/kata/data/pod-many-layers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-many-layers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.container-type", - "tests/kata/data/pod-many-layers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-many-layers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.image-name", - "tests/kata/data/pod-many-layers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-many-layers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.image-name", - "tests/kata/data/pod-many-layers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-many-layers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-id", - "tests/kata/data/pod-many-layers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-many-layers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-id", - "tests/kata/data/pod-many-layers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-many-layers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-name", - "tests/kata/data/pod-many-layers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-many-layers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-name", - "tests/kata/data/pod-many-layers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-many-layers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-namespace", - "tests/kata/data/pod-many-layers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-many-layers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-namespace", - "tests/kata/data/pod-many-layers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-many-layers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-uid", - "tests/kata/data/pod-many-layers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-many-layers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-uid", - "tests/kata/data/pod-many-layers/policy.rego:107: allow_anno 2: true", - "tests/kata/data/pod-many-layers/policy.rego:129: allow_by_anno 1: start", - "tests/kata/data/pod-many-layers/policy.rego:143: allow_by_anno 2: start", - "tests/kata/data/pod-many-layers/policy.rego:149: allow_by_anno 2: i_s_name = many-layers p_s_name = many-layers", - "tests/kata/data/pod-many-layers/policy.rego:175: allow_sandbox_name 1: start", - "tests/kata/data/pod-many-layers/policy.rego:179: allow_sandbox_name 1: true", - "tests/kata/data/pod-many-layers/policy.rego:182: allow_sandbox_name 2: start", - "tests/kata/data/pod-many-layers/policy.rego:158: allow_by_sandbox_name: start", - "tests/kata/data/pod-many-layers/policy.rego:164: allow_by_sandbox_name: p_namespace = default i_namespace = default", - "tests/kata/data/pod-many-layers/policy.rego:196: allow_by_container_types: checking io.kubernetes.cri.container-type", - "tests/kata/data/pod-many-layers/policy.rego:202: allow_by_container_types: p_cri_type = container i_cri_type = container", - "tests/kata/data/pod-many-layers/policy.rego:211: allow_by_container_type 1: i_cri_type = container", - "tests/kata/data/pod-many-layers/policy.rego:226: allow_by_container_type 2: i_cri_type = container", - "tests/kata/data/pod-many-layers/policy.rego:230: allow_by_container_type 2: i_kata_type = pod_container", - "tests/kata/data/pod-many-layers/policy.rego:250: allow_container_name: start", - "tests/kata/data/pod-many-layers/policy.rego:267: allow_container_annotation: key = io.kubernetes.cri.container-name", - "tests/kata/data/pod-many-layers/policy.rego:271: allow_container_annotation: p_value = bootloose i_value = footloose", - "tests/kata/data/pod-many-layers/policy.rego:63: ======== CreateContainerRequest: trying next policy container", - "tests/kata/data/pod-many-layers/policy.rego:67: CreateContainerRequest: p_pidns = false i_pidns = false", - "tests/kata/data/pod-many-layers/policy.rego:72: CreateContainerRequest: p Version = 1.1.0-rc.1 i Version = 1.1.0-rc.1", - "tests/kata/data/pod-many-layers/policy.rego:75: CreateContainerRequest: p Readonly = false i Readonly = false", - "tests/kata/data/pod-many-layers/policy.rego:90: allow_anno 1: start", - "tests/kata/data/pod-many-layers/policy.rego:97: allow_anno 2: p Annotations = {\"io.katacontainers.pkg.oci.bundle_path\": \"/run/containerd/io.containerd.runtime.v2.task/k8s.io/$(bundle-id)\", \"io.katacontainers.pkg.oci.container_type\": \"pod_container\", \"io.kubernetes.cri.container-name\": \"nginx\", \"io.kubernetes.cri.container-type\": \"container\", \"io.kubernetes.cri.image-name\": \"mcr.microsoft.com/cbl-mariner/base/nginx:1.22.1-9-cm2.0.20230904-amd64\", \"io.kubernetes.cri.sandbox-id\": \"^[a-z0-9]{64}$\", \"io.kubernetes.cri.sandbox-name\": \"many-layers\", \"io.kubernetes.cri.sandbox-namespace\": \"default\"}", - "tests/kata/data/pod-many-layers/policy.rego:98: allow_anno 2: i Annotations = {\"io.katacontainers.pkg.oci.bundle_path\": \"/run/containerd/io.containerd.runtime.v2.task/k8s.io/3e18310a4ef5b67a048cd90c7a3e861095925bf9cdd9c9ebea8dfe9a14869d06\", \"io.katacontainers.pkg.oci.container_type\": \"pod_container\", \"io.kubernetes.cri.container-name\": \"footloose\", \"io.kubernetes.cri.container-type\": \"container\", \"io.kubernetes.cri.image-name\": \"quay.io/footloose/ubuntu18.04:latest\", \"io.kubernetes.cri.sandbox-id\": \"1a97281baf36632476e6601c47269dfa70f153b73add2ecad27d682a267cc03c\", \"io.kubernetes.cri.sandbox-name\": \"many-layers\", \"io.kubernetes.cri.sandbox-namespace\": \"default\", \"io.kubernetes.cri.sandbox-uid\": \"b78866ba-f3f0-4467-96f7-f610d8db99ac\"}", - "tests/kata/data/pod-many-layers/policy.rego:101: allow_anno 2: i keys = {\"io.katacontainers.pkg.oci.bundle_path\", \"io.katacontainers.pkg.oci.container_type\", \"io.kubernetes.cri.container-name\", \"io.kubernetes.cri.container-type\", \"io.kubernetes.cri.image-name\", \"io.kubernetes.cri.sandbox-id\", \"io.kubernetes.cri.sandbox-name\", \"io.kubernetes.cri.sandbox-namespace\", \"io.kubernetes.cri.sandbox-uid\"}", - "tests/kata/data/pod-many-layers/policy.rego:111: allow_anno_key 1: i key = io.katacontainers.pkg.oci.bundle_path", - "tests/kata/data/pod-many-layers/policy.rego:118: allow_anno_key 2: i key = io.katacontainers.pkg.oci.bundle_path", - "tests/kata/data/pod-many-layers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-many-layers/policy.rego:111: allow_anno_key 1: i key = io.katacontainers.pkg.oci.container_type", - "tests/kata/data/pod-many-layers/policy.rego:118: allow_anno_key 2: i key = io.katacontainers.pkg.oci.container_type", - "tests/kata/data/pod-many-layers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-many-layers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.container-name", - "tests/kata/data/pod-many-layers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-many-layers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.container-name", - "tests/kata/data/pod-many-layers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-many-layers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.container-type", - "tests/kata/data/pod-many-layers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-many-layers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.container-type", - "tests/kata/data/pod-many-layers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-many-layers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.image-name", - "tests/kata/data/pod-many-layers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-many-layers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.image-name", - "tests/kata/data/pod-many-layers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-many-layers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-id", - "tests/kata/data/pod-many-layers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-many-layers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-id", - "tests/kata/data/pod-many-layers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-many-layers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-name", - "tests/kata/data/pod-many-layers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-many-layers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-name", - "tests/kata/data/pod-many-layers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-many-layers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-namespace", - "tests/kata/data/pod-many-layers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-many-layers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-namespace", - "tests/kata/data/pod-many-layers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-many-layers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-uid", - "tests/kata/data/pod-many-layers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-many-layers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-uid", - "tests/kata/data/pod-many-layers/policy.rego:107: allow_anno 2: true", - "tests/kata/data/pod-many-layers/policy.rego:129: allow_by_anno 1: start", - "tests/kata/data/pod-many-layers/policy.rego:143: allow_by_anno 2: start", - "tests/kata/data/pod-many-layers/policy.rego:149: allow_by_anno 2: i_s_name = many-layers p_s_name = many-layers", - "tests/kata/data/pod-many-layers/policy.rego:175: allow_sandbox_name 1: start", - "tests/kata/data/pod-many-layers/policy.rego:179: allow_sandbox_name 1: true", - "tests/kata/data/pod-many-layers/policy.rego:182: allow_sandbox_name 2: start", - "tests/kata/data/pod-many-layers/policy.rego:158: allow_by_sandbox_name: start", - "tests/kata/data/pod-many-layers/policy.rego:164: allow_by_sandbox_name: p_namespace = default i_namespace = default", - "tests/kata/data/pod-many-layers/policy.rego:196: allow_by_container_types: checking io.kubernetes.cri.container-type", - "tests/kata/data/pod-many-layers/policy.rego:202: allow_by_container_types: p_cri_type = container i_cri_type = container", - "tests/kata/data/pod-many-layers/policy.rego:211: allow_by_container_type 1: i_cri_type = container", - "tests/kata/data/pod-many-layers/policy.rego:226: allow_by_container_type 2: i_cri_type = container", - "tests/kata/data/pod-many-layers/policy.rego:230: allow_by_container_type 2: i_kata_type = pod_container", - "tests/kata/data/pod-many-layers/policy.rego:250: allow_container_name: start", - "tests/kata/data/pod-many-layers/policy.rego:267: allow_container_annotation: key = io.kubernetes.cri.container-name", - "tests/kata/data/pod-many-layers/policy.rego:271: allow_container_annotation: p_value = nginx i_value = footloose", - "tests/kata/data/pod-many-layers/policy.rego:63: ======== CreateContainerRequest: trying next policy container", - "tests/kata/data/pod-many-layers/policy.rego:67: CreateContainerRequest: p_pidns = false i_pidns = false", - "tests/kata/data/pod-many-layers/policy.rego:72: CreateContainerRequest: p Version = 1.1.0-rc.1 i Version = 1.1.0-rc.1", - "tests/kata/data/pod-many-layers/policy.rego:75: CreateContainerRequest: p Readonly = false i Readonly = false", - "tests/kata/data/pod-many-layers/policy.rego:90: allow_anno 1: start", - "tests/kata/data/pod-many-layers/policy.rego:97: allow_anno 2: p Annotations = {\"io.katacontainers.pkg.oci.bundle_path\": \"/run/containerd/io.containerd.runtime.v2.task/k8s.io/$(bundle-id)\", \"io.katacontainers.pkg.oci.container_type\": \"pod_container\", \"io.kubernetes.cri.container-name\": \"python\", \"io.kubernetes.cri.container-type\": \"container\", \"io.kubernetes.cri.image-name\": \"quay.io/baselibrary/python:latest\", \"io.kubernetes.cri.sandbox-id\": \"^[a-z0-9]{64}$\", \"io.kubernetes.cri.sandbox-name\": \"many-layers\", \"io.kubernetes.cri.sandbox-namespace\": \"default\"}", - "tests/kata/data/pod-many-layers/policy.rego:98: allow_anno 2: i Annotations = {\"io.katacontainers.pkg.oci.bundle_path\": \"/run/containerd/io.containerd.runtime.v2.task/k8s.io/3e18310a4ef5b67a048cd90c7a3e861095925bf9cdd9c9ebea8dfe9a14869d06\", \"io.katacontainers.pkg.oci.container_type\": \"pod_container\", \"io.kubernetes.cri.container-name\": \"footloose\", \"io.kubernetes.cri.container-type\": \"container\", \"io.kubernetes.cri.image-name\": \"quay.io/footloose/ubuntu18.04:latest\", \"io.kubernetes.cri.sandbox-id\": \"1a97281baf36632476e6601c47269dfa70f153b73add2ecad27d682a267cc03c\", \"io.kubernetes.cri.sandbox-name\": \"many-layers\", \"io.kubernetes.cri.sandbox-namespace\": \"default\", \"io.kubernetes.cri.sandbox-uid\": \"b78866ba-f3f0-4467-96f7-f610d8db99ac\"}", - "tests/kata/data/pod-many-layers/policy.rego:101: allow_anno 2: i keys = {\"io.katacontainers.pkg.oci.bundle_path\", \"io.katacontainers.pkg.oci.container_type\", \"io.kubernetes.cri.container-name\", \"io.kubernetes.cri.container-type\", \"io.kubernetes.cri.image-name\", \"io.kubernetes.cri.sandbox-id\", \"io.kubernetes.cri.sandbox-name\", \"io.kubernetes.cri.sandbox-namespace\", \"io.kubernetes.cri.sandbox-uid\"}", - "tests/kata/data/pod-many-layers/policy.rego:111: allow_anno_key 1: i key = io.katacontainers.pkg.oci.bundle_path", - "tests/kata/data/pod-many-layers/policy.rego:118: allow_anno_key 2: i key = io.katacontainers.pkg.oci.bundle_path", - "tests/kata/data/pod-many-layers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-many-layers/policy.rego:111: allow_anno_key 1: i key = io.katacontainers.pkg.oci.container_type", - "tests/kata/data/pod-many-layers/policy.rego:118: allow_anno_key 2: i key = io.katacontainers.pkg.oci.container_type", - "tests/kata/data/pod-many-layers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-many-layers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.container-name", - "tests/kata/data/pod-many-layers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-many-layers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.container-name", - "tests/kata/data/pod-many-layers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-many-layers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.container-type", - "tests/kata/data/pod-many-layers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-many-layers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.container-type", - "tests/kata/data/pod-many-layers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-many-layers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.image-name", - "tests/kata/data/pod-many-layers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-many-layers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.image-name", - "tests/kata/data/pod-many-layers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-many-layers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-id", - "tests/kata/data/pod-many-layers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-many-layers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-id", - "tests/kata/data/pod-many-layers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-many-layers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-name", - "tests/kata/data/pod-many-layers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-many-layers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-name", - "tests/kata/data/pod-many-layers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-many-layers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-namespace", - "tests/kata/data/pod-many-layers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-many-layers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-namespace", - "tests/kata/data/pod-many-layers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-many-layers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-uid", - "tests/kata/data/pod-many-layers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-many-layers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-uid", - "tests/kata/data/pod-many-layers/policy.rego:107: allow_anno 2: true", - "tests/kata/data/pod-many-layers/policy.rego:129: allow_by_anno 1: start", - "tests/kata/data/pod-many-layers/policy.rego:143: allow_by_anno 2: start", - "tests/kata/data/pod-many-layers/policy.rego:149: allow_by_anno 2: i_s_name = many-layers p_s_name = many-layers", - "tests/kata/data/pod-many-layers/policy.rego:175: allow_sandbox_name 1: start", - "tests/kata/data/pod-many-layers/policy.rego:179: allow_sandbox_name 1: true", - "tests/kata/data/pod-many-layers/policy.rego:182: allow_sandbox_name 2: start", - "tests/kata/data/pod-many-layers/policy.rego:158: allow_by_sandbox_name: start", - "tests/kata/data/pod-many-layers/policy.rego:164: allow_by_sandbox_name: p_namespace = default i_namespace = default", - "tests/kata/data/pod-many-layers/policy.rego:196: allow_by_container_types: checking io.kubernetes.cri.container-type", - "tests/kata/data/pod-many-layers/policy.rego:202: allow_by_container_types: p_cri_type = container i_cri_type = container", - "tests/kata/data/pod-many-layers/policy.rego:211: allow_by_container_type 1: i_cri_type = container", - "tests/kata/data/pod-many-layers/policy.rego:226: allow_by_container_type 2: i_cri_type = container", - "tests/kata/data/pod-many-layers/policy.rego:230: allow_by_container_type 2: i_kata_type = pod_container", - "tests/kata/data/pod-many-layers/policy.rego:250: allow_container_name: start", - "tests/kata/data/pod-many-layers/policy.rego:267: allow_container_annotation: key = io.kubernetes.cri.container-name", - "tests/kata/data/pod-many-layers/policy.rego:271: allow_container_annotation: p_value = python i_value = footloose" + "tests/kata/data/pod-many-layers/policy.rego:85: CreateContainerRequest: true" ], [], [ @@ -3839,65 +3649,7 @@ "tests/kata/data/pod-many-layers/policy.rego:395: allow_readonly_paths 1: true", "tests/kata/data/pod-many-layers/policy.rego:398: allow_readonly_paths 2: start", "tests/kata/data/pod-many-layers/policy.rego:346: allow_linux: true", - "tests/kata/data/pod-many-layers/policy.rego:85: CreateContainerRequest: true", - "tests/kata/data/pod-many-layers/policy.rego:63: ======== CreateContainerRequest: trying next policy container", - "tests/kata/data/pod-many-layers/policy.rego:67: CreateContainerRequest: p_pidns = false i_pidns = false", - "tests/kata/data/pod-many-layers/policy.rego:72: CreateContainerRequest: p Version = 1.1.0-rc.1 i Version = 1.1.0-rc.1", - "tests/kata/data/pod-many-layers/policy.rego:75: CreateContainerRequest: p Readonly = false i Readonly = false", - "tests/kata/data/pod-many-layers/policy.rego:90: allow_anno 1: start", - "tests/kata/data/pod-many-layers/policy.rego:97: allow_anno 2: p Annotations = {\"io.katacontainers.pkg.oci.bundle_path\": \"/run/containerd/io.containerd.runtime.v2.task/k8s.io/$(bundle-id)\", \"io.katacontainers.pkg.oci.container_type\": \"pod_container\", \"io.kubernetes.cri.container-name\": \"python\", \"io.kubernetes.cri.container-type\": \"container\", \"io.kubernetes.cri.image-name\": \"quay.io/baselibrary/python:latest\", \"io.kubernetes.cri.sandbox-id\": \"^[a-z0-9]{64}$\", \"io.kubernetes.cri.sandbox-name\": \"many-layers\", \"io.kubernetes.cri.sandbox-namespace\": \"default\"}", - "tests/kata/data/pod-many-layers/policy.rego:98: allow_anno 2: i Annotations = {\"io.katacontainers.pkg.oci.bundle_path\": \"/run/containerd/io.containerd.runtime.v2.task/k8s.io/b2857301a288aebb2752aa2dacdaa6c65fd2531f0b311cace466c4d6f5a687ca\", \"io.katacontainers.pkg.oci.container_type\": \"pod_container\", \"io.kubernetes.cri.container-name\": \"nginx\", \"io.kubernetes.cri.container-type\": \"container\", \"io.kubernetes.cri.image-name\": \"mcr.microsoft.com/cbl-mariner/base/nginx:1.22.1-9-cm2.0.20230904-amd64\", \"io.kubernetes.cri.sandbox-id\": \"1a97281baf36632476e6601c47269dfa70f153b73add2ecad27d682a267cc03c\", \"io.kubernetes.cri.sandbox-name\": \"many-layers\", \"io.kubernetes.cri.sandbox-namespace\": \"default\", \"io.kubernetes.cri.sandbox-uid\": \"b78866ba-f3f0-4467-96f7-f610d8db99ac\"}", - "tests/kata/data/pod-many-layers/policy.rego:101: allow_anno 2: i keys = {\"io.katacontainers.pkg.oci.bundle_path\", \"io.katacontainers.pkg.oci.container_type\", \"io.kubernetes.cri.container-name\", \"io.kubernetes.cri.container-type\", \"io.kubernetes.cri.image-name\", \"io.kubernetes.cri.sandbox-id\", \"io.kubernetes.cri.sandbox-name\", \"io.kubernetes.cri.sandbox-namespace\", \"io.kubernetes.cri.sandbox-uid\"}", - "tests/kata/data/pod-many-layers/policy.rego:111: allow_anno_key 1: i key = io.katacontainers.pkg.oci.bundle_path", - "tests/kata/data/pod-many-layers/policy.rego:118: allow_anno_key 2: i key = io.katacontainers.pkg.oci.bundle_path", - "tests/kata/data/pod-many-layers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-many-layers/policy.rego:111: allow_anno_key 1: i key = io.katacontainers.pkg.oci.container_type", - "tests/kata/data/pod-many-layers/policy.rego:118: allow_anno_key 2: i key = io.katacontainers.pkg.oci.container_type", - "tests/kata/data/pod-many-layers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-many-layers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.container-name", - "tests/kata/data/pod-many-layers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-many-layers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.container-name", - "tests/kata/data/pod-many-layers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-many-layers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.container-type", - "tests/kata/data/pod-many-layers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-many-layers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.container-type", - "tests/kata/data/pod-many-layers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-many-layers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.image-name", - "tests/kata/data/pod-many-layers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-many-layers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.image-name", - "tests/kata/data/pod-many-layers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-many-layers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-id", - "tests/kata/data/pod-many-layers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-many-layers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-id", - "tests/kata/data/pod-many-layers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-many-layers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-name", - "tests/kata/data/pod-many-layers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-many-layers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-name", - "tests/kata/data/pod-many-layers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-many-layers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-namespace", - "tests/kata/data/pod-many-layers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-many-layers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-namespace", - "tests/kata/data/pod-many-layers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-many-layers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-uid", - "tests/kata/data/pod-many-layers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-many-layers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-uid", - "tests/kata/data/pod-many-layers/policy.rego:107: allow_anno 2: true", - "tests/kata/data/pod-many-layers/policy.rego:129: allow_by_anno 1: start", - "tests/kata/data/pod-many-layers/policy.rego:143: allow_by_anno 2: start", - "tests/kata/data/pod-many-layers/policy.rego:149: allow_by_anno 2: i_s_name = many-layers p_s_name = many-layers", - "tests/kata/data/pod-many-layers/policy.rego:175: allow_sandbox_name 1: start", - "tests/kata/data/pod-many-layers/policy.rego:179: allow_sandbox_name 1: true", - "tests/kata/data/pod-many-layers/policy.rego:182: allow_sandbox_name 2: start", - "tests/kata/data/pod-many-layers/policy.rego:158: allow_by_sandbox_name: start", - "tests/kata/data/pod-many-layers/policy.rego:164: allow_by_sandbox_name: p_namespace = default i_namespace = default", - "tests/kata/data/pod-many-layers/policy.rego:196: allow_by_container_types: checking io.kubernetes.cri.container-type", - "tests/kata/data/pod-many-layers/policy.rego:202: allow_by_container_types: p_cri_type = container i_cri_type = container", - "tests/kata/data/pod-many-layers/policy.rego:211: allow_by_container_type 1: i_cri_type = container", - "tests/kata/data/pod-many-layers/policy.rego:226: allow_by_container_type 2: i_cri_type = container", - "tests/kata/data/pod-many-layers/policy.rego:230: allow_by_container_type 2: i_kata_type = pod_container", - "tests/kata/data/pod-many-layers/policy.rego:250: allow_container_name: start", - "tests/kata/data/pod-many-layers/policy.rego:267: allow_container_annotation: key = io.kubernetes.cri.container-name", - "tests/kata/data/pod-many-layers/policy.rego:271: allow_container_annotation: p_value = python i_value = nginx" + "tests/kata/data/pod-many-layers/policy.rego:85: CreateContainerRequest: true" ], [], [ @@ -7965,123 +7717,7 @@ "tests/kata/data/pod-many-layers/policy.rego:395: allow_readonly_paths 1: true", "tests/kata/data/pod-many-layers/policy.rego:398: allow_readonly_paths 2: start", "tests/kata/data/pod-many-layers/policy.rego:346: allow_linux: true", - "tests/kata/data/pod-many-layers/policy.rego:85: CreateContainerRequest: true", - "tests/kata/data/pod-many-layers/policy.rego:63: ======== CreateContainerRequest: trying next policy container", - "tests/kata/data/pod-many-layers/policy.rego:67: CreateContainerRequest: p_pidns = false i_pidns = false", - "tests/kata/data/pod-many-layers/policy.rego:72: CreateContainerRequest: p Version = 1.1.0-rc.1 i Version = 1.1.0-rc.1", - "tests/kata/data/pod-many-layers/policy.rego:75: CreateContainerRequest: p Readonly = false i Readonly = false", - "tests/kata/data/pod-many-layers/policy.rego:90: allow_anno 1: start", - "tests/kata/data/pod-many-layers/policy.rego:97: allow_anno 2: p Annotations = {\"io.katacontainers.pkg.oci.bundle_path\": \"/run/containerd/io.containerd.runtime.v2.task/k8s.io/$(bundle-id)\", \"io.katacontainers.pkg.oci.container_type\": \"pod_container\", \"io.kubernetes.cri.container-name\": \"nginx\", \"io.kubernetes.cri.container-type\": \"container\", \"io.kubernetes.cri.image-name\": \"mcr.microsoft.com/cbl-mariner/base/nginx:1.22.1-9-cm2.0.20230904-amd64\", \"io.kubernetes.cri.sandbox-id\": \"^[a-z0-9]{64}$\", \"io.kubernetes.cri.sandbox-name\": \"many-layers\", \"io.kubernetes.cri.sandbox-namespace\": \"default\"}", - "tests/kata/data/pod-many-layers/policy.rego:98: allow_anno 2: i Annotations = {\"io.katacontainers.pkg.oci.bundle_path\": \"/run/containerd/io.containerd.runtime.v2.task/k8s.io/2f2d56ca980c38212dd93439d6d02381ac24882a363a648ab3724666a410d100\", \"io.katacontainers.pkg.oci.container_type\": \"pod_container\", \"io.kubernetes.cri.container-name\": \"bootloose\", \"io.kubernetes.cri.container-type\": \"container\", \"io.kubernetes.cri.image-name\": \"quay.io/k0sproject/bootloose-ubuntu22.04:latest\", \"io.kubernetes.cri.sandbox-id\": \"1a97281baf36632476e6601c47269dfa70f153b73add2ecad27d682a267cc03c\", \"io.kubernetes.cri.sandbox-name\": \"many-layers\", \"io.kubernetes.cri.sandbox-namespace\": \"default\", \"io.kubernetes.cri.sandbox-uid\": \"b78866ba-f3f0-4467-96f7-f610d8db99ac\"}", - "tests/kata/data/pod-many-layers/policy.rego:101: allow_anno 2: i keys = {\"io.katacontainers.pkg.oci.bundle_path\", \"io.katacontainers.pkg.oci.container_type\", \"io.kubernetes.cri.container-name\", \"io.kubernetes.cri.container-type\", \"io.kubernetes.cri.image-name\", \"io.kubernetes.cri.sandbox-id\", \"io.kubernetes.cri.sandbox-name\", \"io.kubernetes.cri.sandbox-namespace\", \"io.kubernetes.cri.sandbox-uid\"}", - "tests/kata/data/pod-many-layers/policy.rego:111: allow_anno_key 1: i key = io.katacontainers.pkg.oci.bundle_path", - "tests/kata/data/pod-many-layers/policy.rego:118: allow_anno_key 2: i key = io.katacontainers.pkg.oci.bundle_path", - "tests/kata/data/pod-many-layers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-many-layers/policy.rego:111: allow_anno_key 1: i key = io.katacontainers.pkg.oci.container_type", - "tests/kata/data/pod-many-layers/policy.rego:118: allow_anno_key 2: i key = io.katacontainers.pkg.oci.container_type", - "tests/kata/data/pod-many-layers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-many-layers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.container-name", - "tests/kata/data/pod-many-layers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-many-layers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.container-name", - "tests/kata/data/pod-many-layers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-many-layers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.container-type", - "tests/kata/data/pod-many-layers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-many-layers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.container-type", - "tests/kata/data/pod-many-layers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-many-layers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.image-name", - "tests/kata/data/pod-many-layers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-many-layers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.image-name", - "tests/kata/data/pod-many-layers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-many-layers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-id", - "tests/kata/data/pod-many-layers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-many-layers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-id", - "tests/kata/data/pod-many-layers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-many-layers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-name", - "tests/kata/data/pod-many-layers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-many-layers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-name", - "tests/kata/data/pod-many-layers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-many-layers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-namespace", - "tests/kata/data/pod-many-layers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-many-layers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-namespace", - "tests/kata/data/pod-many-layers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-many-layers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-uid", - "tests/kata/data/pod-many-layers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-many-layers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-uid", - "tests/kata/data/pod-many-layers/policy.rego:107: allow_anno 2: true", - "tests/kata/data/pod-many-layers/policy.rego:129: allow_by_anno 1: start", - "tests/kata/data/pod-many-layers/policy.rego:143: allow_by_anno 2: start", - "tests/kata/data/pod-many-layers/policy.rego:149: allow_by_anno 2: i_s_name = many-layers p_s_name = many-layers", - "tests/kata/data/pod-many-layers/policy.rego:175: allow_sandbox_name 1: start", - "tests/kata/data/pod-many-layers/policy.rego:179: allow_sandbox_name 1: true", - "tests/kata/data/pod-many-layers/policy.rego:182: allow_sandbox_name 2: start", - "tests/kata/data/pod-many-layers/policy.rego:158: allow_by_sandbox_name: start", - "tests/kata/data/pod-many-layers/policy.rego:164: allow_by_sandbox_name: p_namespace = default i_namespace = default", - "tests/kata/data/pod-many-layers/policy.rego:196: allow_by_container_types: checking io.kubernetes.cri.container-type", - "tests/kata/data/pod-many-layers/policy.rego:202: allow_by_container_types: p_cri_type = container i_cri_type = container", - "tests/kata/data/pod-many-layers/policy.rego:211: allow_by_container_type 1: i_cri_type = container", - "tests/kata/data/pod-many-layers/policy.rego:226: allow_by_container_type 2: i_cri_type = container", - "tests/kata/data/pod-many-layers/policy.rego:230: allow_by_container_type 2: i_kata_type = pod_container", - "tests/kata/data/pod-many-layers/policy.rego:250: allow_container_name: start", - "tests/kata/data/pod-many-layers/policy.rego:267: allow_container_annotation: key = io.kubernetes.cri.container-name", - "tests/kata/data/pod-many-layers/policy.rego:271: allow_container_annotation: p_value = nginx i_value = bootloose", - "tests/kata/data/pod-many-layers/policy.rego:63: ======== CreateContainerRequest: trying next policy container", - "tests/kata/data/pod-many-layers/policy.rego:67: CreateContainerRequest: p_pidns = false i_pidns = false", - "tests/kata/data/pod-many-layers/policy.rego:72: CreateContainerRequest: p Version = 1.1.0-rc.1 i Version = 1.1.0-rc.1", - "tests/kata/data/pod-many-layers/policy.rego:75: CreateContainerRequest: p Readonly = false i Readonly = false", - "tests/kata/data/pod-many-layers/policy.rego:90: allow_anno 1: start", - "tests/kata/data/pod-many-layers/policy.rego:97: allow_anno 2: p Annotations = {\"io.katacontainers.pkg.oci.bundle_path\": \"/run/containerd/io.containerd.runtime.v2.task/k8s.io/$(bundle-id)\", \"io.katacontainers.pkg.oci.container_type\": \"pod_container\", \"io.kubernetes.cri.container-name\": \"python\", \"io.kubernetes.cri.container-type\": \"container\", \"io.kubernetes.cri.image-name\": \"quay.io/baselibrary/python:latest\", \"io.kubernetes.cri.sandbox-id\": \"^[a-z0-9]{64}$\", \"io.kubernetes.cri.sandbox-name\": \"many-layers\", \"io.kubernetes.cri.sandbox-namespace\": \"default\"}", - "tests/kata/data/pod-many-layers/policy.rego:98: allow_anno 2: i Annotations = {\"io.katacontainers.pkg.oci.bundle_path\": \"/run/containerd/io.containerd.runtime.v2.task/k8s.io/2f2d56ca980c38212dd93439d6d02381ac24882a363a648ab3724666a410d100\", \"io.katacontainers.pkg.oci.container_type\": \"pod_container\", \"io.kubernetes.cri.container-name\": \"bootloose\", \"io.kubernetes.cri.container-type\": \"container\", \"io.kubernetes.cri.image-name\": \"quay.io/k0sproject/bootloose-ubuntu22.04:latest\", \"io.kubernetes.cri.sandbox-id\": \"1a97281baf36632476e6601c47269dfa70f153b73add2ecad27d682a267cc03c\", \"io.kubernetes.cri.sandbox-name\": \"many-layers\", \"io.kubernetes.cri.sandbox-namespace\": \"default\", \"io.kubernetes.cri.sandbox-uid\": \"b78866ba-f3f0-4467-96f7-f610d8db99ac\"}", - "tests/kata/data/pod-many-layers/policy.rego:101: allow_anno 2: i keys = {\"io.katacontainers.pkg.oci.bundle_path\", \"io.katacontainers.pkg.oci.container_type\", \"io.kubernetes.cri.container-name\", \"io.kubernetes.cri.container-type\", \"io.kubernetes.cri.image-name\", \"io.kubernetes.cri.sandbox-id\", \"io.kubernetes.cri.sandbox-name\", \"io.kubernetes.cri.sandbox-namespace\", \"io.kubernetes.cri.sandbox-uid\"}", - "tests/kata/data/pod-many-layers/policy.rego:111: allow_anno_key 1: i key = io.katacontainers.pkg.oci.bundle_path", - "tests/kata/data/pod-many-layers/policy.rego:118: allow_anno_key 2: i key = io.katacontainers.pkg.oci.bundle_path", - "tests/kata/data/pod-many-layers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-many-layers/policy.rego:111: allow_anno_key 1: i key = io.katacontainers.pkg.oci.container_type", - "tests/kata/data/pod-many-layers/policy.rego:118: allow_anno_key 2: i key = io.katacontainers.pkg.oci.container_type", - "tests/kata/data/pod-many-layers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-many-layers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.container-name", - "tests/kata/data/pod-many-layers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-many-layers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.container-name", - "tests/kata/data/pod-many-layers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-many-layers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.container-type", - "tests/kata/data/pod-many-layers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-many-layers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.container-type", - "tests/kata/data/pod-many-layers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-many-layers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.image-name", - "tests/kata/data/pod-many-layers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-many-layers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.image-name", - "tests/kata/data/pod-many-layers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-many-layers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-id", - "tests/kata/data/pod-many-layers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-many-layers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-id", - "tests/kata/data/pod-many-layers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-many-layers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-name", - "tests/kata/data/pod-many-layers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-many-layers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-name", - "tests/kata/data/pod-many-layers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-many-layers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-namespace", - "tests/kata/data/pod-many-layers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-many-layers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-namespace", - "tests/kata/data/pod-many-layers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-many-layers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-uid", - "tests/kata/data/pod-many-layers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-many-layers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-uid", - "tests/kata/data/pod-many-layers/policy.rego:107: allow_anno 2: true", - "tests/kata/data/pod-many-layers/policy.rego:129: allow_by_anno 1: start", - "tests/kata/data/pod-many-layers/policy.rego:143: allow_by_anno 2: start", - "tests/kata/data/pod-many-layers/policy.rego:149: allow_by_anno 2: i_s_name = many-layers p_s_name = many-layers", - "tests/kata/data/pod-many-layers/policy.rego:175: allow_sandbox_name 1: start", - "tests/kata/data/pod-many-layers/policy.rego:179: allow_sandbox_name 1: true", - "tests/kata/data/pod-many-layers/policy.rego:182: allow_sandbox_name 2: start", - "tests/kata/data/pod-many-layers/policy.rego:158: allow_by_sandbox_name: start", - "tests/kata/data/pod-many-layers/policy.rego:164: allow_by_sandbox_name: p_namespace = default i_namespace = default", - "tests/kata/data/pod-many-layers/policy.rego:196: allow_by_container_types: checking io.kubernetes.cri.container-type", - "tests/kata/data/pod-many-layers/policy.rego:202: allow_by_container_types: p_cri_type = container i_cri_type = container", - "tests/kata/data/pod-many-layers/policy.rego:211: allow_by_container_type 1: i_cri_type = container", - "tests/kata/data/pod-many-layers/policy.rego:226: allow_by_container_type 2: i_cri_type = container", - "tests/kata/data/pod-many-layers/policy.rego:230: allow_by_container_type 2: i_kata_type = pod_container", - "tests/kata/data/pod-many-layers/policy.rego:250: allow_container_name: start", - "tests/kata/data/pod-many-layers/policy.rego:267: allow_container_annotation: key = io.kubernetes.cri.container-name", - "tests/kata/data/pod-many-layers/policy.rego:271: allow_container_annotation: p_value = python i_value = bootloose" + "tests/kata/data/pod-many-layers/policy.rego:85: CreateContainerRequest: true" ], [] ] \ No newline at end of file diff --git a/tests/kata/data/pod-persistent-volumes/prints.json b/tests/kata/data/pod-persistent-volumes/prints.json index 9a63d00d..199ad9c1 100644 --- a/tests/kata/data/pod-persistent-volumes/prints.json +++ b/tests/kata/data/pod-persistent-volumes/prints.json @@ -392,57 +392,7 @@ "tests/kata/data/pod-persistent-volumes/policy.rego:395: allow_readonly_paths 1: true", "tests/kata/data/pod-persistent-volumes/policy.rego:398: allow_readonly_paths 2: start", "tests/kata/data/pod-persistent-volumes/policy.rego:346: allow_linux: true", - "tests/kata/data/pod-persistent-volumes/policy.rego:85: CreateContainerRequest: true", - "tests/kata/data/pod-persistent-volumes/policy.rego:63: ======== CreateContainerRequest: trying next policy container", - "tests/kata/data/pod-persistent-volumes/policy.rego:67: CreateContainerRequest: p_pidns = false i_pidns = false", - "tests/kata/data/pod-persistent-volumes/policy.rego:72: CreateContainerRequest: p Version = 1.1.0-rc.1 i Version = 1.1.0-rc.1", - "tests/kata/data/pod-persistent-volumes/policy.rego:75: CreateContainerRequest: p Readonly = true i Readonly = true", - "tests/kata/data/pod-persistent-volumes/policy.rego:90: allow_anno 1: start", - "tests/kata/data/pod-persistent-volumes/policy.rego:97: allow_anno 2: p Annotations = {\"io.katacontainers.pkg.oci.bundle_path\": \"/run/containerd/io.containerd.runtime.v2.task/k8s.io/$(bundle-id)\", \"io.katacontainers.pkg.oci.container_type\": \"pod_container\", \"io.kubernetes.cri.container-name\": \"busybox\", \"io.kubernetes.cri.container-type\": \"container\", \"io.kubernetes.cri.image-name\": \"mcr.microsoft.com/aks/e2e/library-busybox:master.220314.1-linux-amd64\", \"io.kubernetes.cri.sandbox-id\": \"^[a-z0-9]{64}$\", \"io.kubernetes.cri.sandbox-name\": \"persistent\", \"io.kubernetes.cri.sandbox-namespace\": \"default\"}", - "tests/kata/data/pod-persistent-volumes/policy.rego:98: allow_anno 2: i Annotations = {\"io.katacontainers.pkg.oci.bundle_path\": \"/run/containerd/io.containerd.runtime.v2.task/k8s.io/cb3724318db4d1ddfafe9b75b46c9f4ad0d99a02e5bbba15ec7276f3fb46391f\", \"io.katacontainers.pkg.oci.container_type\": \"pod_sandbox\", \"io.kubernetes.cri.container-type\": \"sandbox\", \"io.kubernetes.cri.sandbox-cpu-period\": \"100000\", \"io.kubernetes.cri.sandbox-cpu-quota\": \"0\", \"io.kubernetes.cri.sandbox-cpu-shares\": \"2\", \"io.kubernetes.cri.sandbox-id\": \"cb3724318db4d1ddfafe9b75b46c9f4ad0d99a02e5bbba15ec7276f3fb46391f\", \"io.kubernetes.cri.sandbox-log-directory\": \"/var/log/pods/default_persistent_20a48b4d-0fcd-4547-9183-6ab69262ba04\", \"io.kubernetes.cri.sandbox-memory\": \"0\", \"io.kubernetes.cri.sandbox-name\": \"persistent\", \"io.kubernetes.cri.sandbox-namespace\": \"default\", \"io.kubernetes.cri.sandbox-uid\": \"20a48b4d-0fcd-4547-9183-6ab69262ba04\", \"nerdctl/network-namespace\": \"/var/run/netns/cnitest-8951ee22-d2ae-ab42-5453-5920971b906d\"}", - "tests/kata/data/pod-persistent-volumes/policy.rego:101: allow_anno 2: i keys = {\"io.katacontainers.pkg.oci.bundle_path\", \"io.katacontainers.pkg.oci.container_type\", \"io.kubernetes.cri.container-type\", \"io.kubernetes.cri.sandbox-cpu-period\", \"io.kubernetes.cri.sandbox-cpu-quota\", \"io.kubernetes.cri.sandbox-cpu-shares\", \"io.kubernetes.cri.sandbox-id\", \"io.kubernetes.cri.sandbox-log-directory\", \"io.kubernetes.cri.sandbox-memory\", \"io.kubernetes.cri.sandbox-name\", \"io.kubernetes.cri.sandbox-namespace\", \"io.kubernetes.cri.sandbox-uid\", \"nerdctl/network-namespace\"}", - "tests/kata/data/pod-persistent-volumes/policy.rego:111: allow_anno_key 1: i key = io.katacontainers.pkg.oci.bundle_path", - "tests/kata/data/pod-persistent-volumes/policy.rego:118: allow_anno_key 2: i key = io.katacontainers.pkg.oci.bundle_path", - "tests/kata/data/pod-persistent-volumes/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-persistent-volumes/policy.rego:111: allow_anno_key 1: i key = io.katacontainers.pkg.oci.container_type", - "tests/kata/data/pod-persistent-volumes/policy.rego:118: allow_anno_key 2: i key = io.katacontainers.pkg.oci.container_type", - "tests/kata/data/pod-persistent-volumes/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-persistent-volumes/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.container-type", - "tests/kata/data/pod-persistent-volumes/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-persistent-volumes/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.container-type", - "tests/kata/data/pod-persistent-volumes/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-persistent-volumes/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-cpu-period", - "tests/kata/data/pod-persistent-volumes/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-persistent-volumes/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-cpu-period", - "tests/kata/data/pod-persistent-volumes/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-cpu-quota", - "tests/kata/data/pod-persistent-volumes/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-persistent-volumes/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-cpu-quota", - "tests/kata/data/pod-persistent-volumes/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-cpu-shares", - "tests/kata/data/pod-persistent-volumes/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-persistent-volumes/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-cpu-shares", - "tests/kata/data/pod-persistent-volumes/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-id", - "tests/kata/data/pod-persistent-volumes/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-persistent-volumes/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-id", - "tests/kata/data/pod-persistent-volumes/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-persistent-volumes/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-log-directory", - "tests/kata/data/pod-persistent-volumes/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-persistent-volumes/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-log-directory", - "tests/kata/data/pod-persistent-volumes/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-memory", - "tests/kata/data/pod-persistent-volumes/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-persistent-volumes/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-memory", - "tests/kata/data/pod-persistent-volumes/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-name", - "tests/kata/data/pod-persistent-volumes/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-persistent-volumes/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-name", - "tests/kata/data/pod-persistent-volumes/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-persistent-volumes/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-namespace", - "tests/kata/data/pod-persistent-volumes/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-persistent-volumes/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-namespace", - "tests/kata/data/pod-persistent-volumes/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-persistent-volumes/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-uid", - "tests/kata/data/pod-persistent-volumes/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-persistent-volumes/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-uid", - "tests/kata/data/pod-persistent-volumes/policy.rego:111: allow_anno_key 1: i key = nerdctl/network-namespace", - "tests/kata/data/pod-persistent-volumes/policy.rego:118: allow_anno_key 2: i key = nerdctl/network-namespace" + "tests/kata/data/pod-persistent-volumes/policy.rego:85: CreateContainerRequest: true" ], [], [], diff --git a/tests/kata/data/pod-same-containers/prints.json b/tests/kata/data/pod-same-containers/prints.json index 8d9e433a..e31bbbc8 100644 --- a/tests/kata/data/pod-same-containers/prints.json +++ b/tests/kata/data/pod-same-containers/prints.json @@ -397,19 +397,7 @@ "tests/kata/data/pod-same-containers/policy.rego:395: allow_readonly_paths 1: true", "tests/kata/data/pod-same-containers/policy.rego:398: allow_readonly_paths 2: start", "tests/kata/data/pod-same-containers/policy.rego:346: allow_linux: true", - "tests/kata/data/pod-same-containers/policy.rego:85: CreateContainerRequest: true", - "tests/kata/data/pod-same-containers/policy.rego:63: ======== CreateContainerRequest: trying next policy container", - "tests/kata/data/pod-same-containers/policy.rego:67: CreateContainerRequest: p_pidns = false i_pidns = false", - "tests/kata/data/pod-same-containers/policy.rego:72: CreateContainerRequest: p Version = 1.1.0-rc.1 i Version = 1.1.0-rc.1", - "tests/kata/data/pod-same-containers/policy.rego:75: CreateContainerRequest: p Readonly = false i Readonly = true", - "tests/kata/data/pod-same-containers/policy.rego:63: ======== CreateContainerRequest: trying next policy container", - "tests/kata/data/pod-same-containers/policy.rego:67: CreateContainerRequest: p_pidns = false i_pidns = false", - "tests/kata/data/pod-same-containers/policy.rego:72: CreateContainerRequest: p Version = 1.1.0-rc.1 i Version = 1.1.0-rc.1", - "tests/kata/data/pod-same-containers/policy.rego:75: CreateContainerRequest: p Readonly = false i Readonly = true", - "tests/kata/data/pod-same-containers/policy.rego:63: ======== CreateContainerRequest: trying next policy container", - "tests/kata/data/pod-same-containers/policy.rego:67: CreateContainerRequest: p_pidns = false i_pidns = false", - "tests/kata/data/pod-same-containers/policy.rego:72: CreateContainerRequest: p Version = 1.1.0-rc.1 i Version = 1.1.0-rc.1", - "tests/kata/data/pod-same-containers/policy.rego:75: CreateContainerRequest: p Readonly = false i Readonly = true" + "tests/kata/data/pod-same-containers/policy.rego:85: CreateContainerRequest: true" ], [], [], @@ -1346,129 +1334,7 @@ "tests/kata/data/pod-same-containers/policy.rego:395: allow_readonly_paths 1: true", "tests/kata/data/pod-same-containers/policy.rego:398: allow_readonly_paths 2: start", "tests/kata/data/pod-same-containers/policy.rego:346: allow_linux: true", - "tests/kata/data/pod-same-containers/policy.rego:85: CreateContainerRequest: true", - "tests/kata/data/pod-same-containers/policy.rego:63: ======== CreateContainerRequest: trying next policy container", - "tests/kata/data/pod-same-containers/policy.rego:67: CreateContainerRequest: p_pidns = false i_pidns = false", - "tests/kata/data/pod-same-containers/policy.rego:72: CreateContainerRequest: p Version = 1.1.0-rc.1 i Version = 1.1.0-rc.1", - "tests/kata/data/pod-same-containers/policy.rego:75: CreateContainerRequest: p Readonly = false i Readonly = false", - "tests/kata/data/pod-same-containers/policy.rego:90: allow_anno 1: start", - "tests/kata/data/pod-same-containers/policy.rego:97: allow_anno 2: p Annotations = {\"io.katacontainers.config.agent.policyOption.execCommands\": \"W3siY29udGFpbmVyTmFtZSI6ImJ1c3lib3gyIiwiZXhlY0NvbW1hbmRzIjpbImRoIC1oIiwicHMgLWVmIl19LCB7ImNvbnRhaW5lck5hbWUiOiJidXN5Ym94MyIsImV4ZWNDb21tYW5kcyI6WyJscyJdfV0=\", \"io.katacontainers.pkg.oci.bundle_path\": \"/run/containerd/io.containerd.runtime.v2.task/k8s.io/$(bundle-id)\", \"io.katacontainers.pkg.oci.container_type\": \"pod_container\", \"io.kubernetes.cri.container-name\": \"busybox2\", \"io.kubernetes.cri.container-type\": \"container\", \"io.kubernetes.cri.image-name\": \"mcr.microsoft.com/aks/e2e/library-busybox:master.220314.1-linux-amd64\", \"io.kubernetes.cri.sandbox-id\": \"^[a-z0-9]{64}$\", \"io.kubernetes.cri.sandbox-name\": \"same-containers\", \"io.kubernetes.cri.sandbox-namespace\": \"default\"}", - "tests/kata/data/pod-same-containers/policy.rego:98: allow_anno 2: i Annotations = {\"io.katacontainers.config.agent.policyOption.execCommands\": \"W3siY29udGFpbmVyTmFtZSI6ImJ1c3lib3gyIiwiZXhlY0NvbW1hbmRzIjpbImRoIC1oIiwicHMgLWVmIl19LCB7ImNvbnRhaW5lck5hbWUiOiJidXN5Ym94MyIsImV4ZWNDb21tYW5kcyI6WyJscyJdfV0=\", \"io.katacontainers.pkg.oci.bundle_path\": \"/run/containerd/io.containerd.runtime.v2.task/k8s.io/8906ef3aa3d8f75de0f95009e8fab3480bc5e7b118c51896b2e35d8df1fc2c26\", \"io.katacontainers.pkg.oci.container_type\": \"pod_container\", \"io.kubernetes.cri.container-name\": \"busybox1\", \"io.kubernetes.cri.container-type\": \"container\", \"io.kubernetes.cri.image-name\": \"mcr.microsoft.com/aks/e2e/library-busybox:master.220314.1-linux-amd64\", \"io.kubernetes.cri.sandbox-id\": \"971f00d742eb5728de5b147808f02a301d559b70c0dc17dcffd72855b4676a73\", \"io.kubernetes.cri.sandbox-name\": \"same-containers\", \"io.kubernetes.cri.sandbox-namespace\": \"default\", \"io.kubernetes.cri.sandbox-uid\": \"5b6eaa52-24fd-4a6e-8371-936515f32c7f\"}", - "tests/kata/data/pod-same-containers/policy.rego:101: allow_anno 2: i keys = {\"io.katacontainers.config.agent.policyOption.execCommands\", \"io.katacontainers.pkg.oci.bundle_path\", \"io.katacontainers.pkg.oci.container_type\", \"io.kubernetes.cri.container-name\", \"io.kubernetes.cri.container-type\", \"io.kubernetes.cri.image-name\", \"io.kubernetes.cri.sandbox-id\", \"io.kubernetes.cri.sandbox-name\", \"io.kubernetes.cri.sandbox-namespace\", \"io.kubernetes.cri.sandbox-uid\"}", - "tests/kata/data/pod-same-containers/policy.rego:111: allow_anno_key 1: i key = io.katacontainers.config.agent.policyOption.execCommands", - "tests/kata/data/pod-same-containers/policy.rego:118: allow_anno_key 2: i key = io.katacontainers.config.agent.policyOption.execCommands", - "tests/kata/data/pod-same-containers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-same-containers/policy.rego:111: allow_anno_key 1: i key = io.katacontainers.pkg.oci.bundle_path", - "tests/kata/data/pod-same-containers/policy.rego:118: allow_anno_key 2: i key = io.katacontainers.pkg.oci.bundle_path", - "tests/kata/data/pod-same-containers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-same-containers/policy.rego:111: allow_anno_key 1: i key = io.katacontainers.pkg.oci.container_type", - "tests/kata/data/pod-same-containers/policy.rego:118: allow_anno_key 2: i key = io.katacontainers.pkg.oci.container_type", - "tests/kata/data/pod-same-containers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-same-containers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.container-name", - "tests/kata/data/pod-same-containers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-same-containers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.container-name", - "tests/kata/data/pod-same-containers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-same-containers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.container-type", - "tests/kata/data/pod-same-containers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-same-containers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.container-type", - "tests/kata/data/pod-same-containers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-same-containers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.image-name", - "tests/kata/data/pod-same-containers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-same-containers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.image-name", - "tests/kata/data/pod-same-containers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-same-containers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-id", - "tests/kata/data/pod-same-containers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-same-containers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-id", - "tests/kata/data/pod-same-containers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-same-containers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-name", - "tests/kata/data/pod-same-containers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-same-containers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-name", - "tests/kata/data/pod-same-containers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-same-containers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-namespace", - "tests/kata/data/pod-same-containers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-same-containers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-namespace", - "tests/kata/data/pod-same-containers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-same-containers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-uid", - "tests/kata/data/pod-same-containers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-same-containers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-uid", - "tests/kata/data/pod-same-containers/policy.rego:107: allow_anno 2: true", - "tests/kata/data/pod-same-containers/policy.rego:129: allow_by_anno 1: start", - "tests/kata/data/pod-same-containers/policy.rego:143: allow_by_anno 2: start", - "tests/kata/data/pod-same-containers/policy.rego:149: allow_by_anno 2: i_s_name = same-containers p_s_name = same-containers", - "tests/kata/data/pod-same-containers/policy.rego:175: allow_sandbox_name 1: start", - "tests/kata/data/pod-same-containers/policy.rego:179: allow_sandbox_name 1: true", - "tests/kata/data/pod-same-containers/policy.rego:182: allow_sandbox_name 2: start", - "tests/kata/data/pod-same-containers/policy.rego:158: allow_by_sandbox_name: start", - "tests/kata/data/pod-same-containers/policy.rego:164: allow_by_sandbox_name: p_namespace = default i_namespace = default", - "tests/kata/data/pod-same-containers/policy.rego:196: allow_by_container_types: checking io.kubernetes.cri.container-type", - "tests/kata/data/pod-same-containers/policy.rego:202: allow_by_container_types: p_cri_type = container i_cri_type = container", - "tests/kata/data/pod-same-containers/policy.rego:211: allow_by_container_type 1: i_cri_type = container", - "tests/kata/data/pod-same-containers/policy.rego:226: allow_by_container_type 2: i_cri_type = container", - "tests/kata/data/pod-same-containers/policy.rego:230: allow_by_container_type 2: i_kata_type = pod_container", - "tests/kata/data/pod-same-containers/policy.rego:250: allow_container_name: start", - "tests/kata/data/pod-same-containers/policy.rego:267: allow_container_annotation: key = io.kubernetes.cri.container-name", - "tests/kata/data/pod-same-containers/policy.rego:271: allow_container_annotation: p_value = busybox2 i_value = busybox1", - "tests/kata/data/pod-same-containers/policy.rego:63: ======== CreateContainerRequest: trying next policy container", - "tests/kata/data/pod-same-containers/policy.rego:67: CreateContainerRequest: p_pidns = false i_pidns = false", - "tests/kata/data/pod-same-containers/policy.rego:72: CreateContainerRequest: p Version = 1.1.0-rc.1 i Version = 1.1.0-rc.1", - "tests/kata/data/pod-same-containers/policy.rego:75: CreateContainerRequest: p Readonly = false i Readonly = false", - "tests/kata/data/pod-same-containers/policy.rego:90: allow_anno 1: start", - "tests/kata/data/pod-same-containers/policy.rego:97: allow_anno 2: p Annotations = {\"io.katacontainers.config.agent.policyOption.execCommands\": \"W3siY29udGFpbmVyTmFtZSI6ImJ1c3lib3gyIiwiZXhlY0NvbW1hbmRzIjpbImRoIC1oIiwicHMgLWVmIl19LCB7ImNvbnRhaW5lck5hbWUiOiJidXN5Ym94MyIsImV4ZWNDb21tYW5kcyI6WyJscyJdfV0=\", \"io.katacontainers.pkg.oci.bundle_path\": \"/run/containerd/io.containerd.runtime.v2.task/k8s.io/$(bundle-id)\", \"io.katacontainers.pkg.oci.container_type\": \"pod_container\", \"io.kubernetes.cri.container-name\": \"busybox3\", \"io.kubernetes.cri.container-type\": \"container\", \"io.kubernetes.cri.image-name\": \"mcr.microsoft.com/aks/e2e/library-busybox:master.220314.1-linux-amd64\", \"io.kubernetes.cri.sandbox-id\": \"^[a-z0-9]{64}$\", \"io.kubernetes.cri.sandbox-name\": \"same-containers\", \"io.kubernetes.cri.sandbox-namespace\": \"default\"}", - "tests/kata/data/pod-same-containers/policy.rego:98: allow_anno 2: i Annotations = {\"io.katacontainers.config.agent.policyOption.execCommands\": \"W3siY29udGFpbmVyTmFtZSI6ImJ1c3lib3gyIiwiZXhlY0NvbW1hbmRzIjpbImRoIC1oIiwicHMgLWVmIl19LCB7ImNvbnRhaW5lck5hbWUiOiJidXN5Ym94MyIsImV4ZWNDb21tYW5kcyI6WyJscyJdfV0=\", \"io.katacontainers.pkg.oci.bundle_path\": \"/run/containerd/io.containerd.runtime.v2.task/k8s.io/8906ef3aa3d8f75de0f95009e8fab3480bc5e7b118c51896b2e35d8df1fc2c26\", \"io.katacontainers.pkg.oci.container_type\": \"pod_container\", \"io.kubernetes.cri.container-name\": \"busybox1\", \"io.kubernetes.cri.container-type\": \"container\", \"io.kubernetes.cri.image-name\": \"mcr.microsoft.com/aks/e2e/library-busybox:master.220314.1-linux-amd64\", \"io.kubernetes.cri.sandbox-id\": \"971f00d742eb5728de5b147808f02a301d559b70c0dc17dcffd72855b4676a73\", \"io.kubernetes.cri.sandbox-name\": \"same-containers\", \"io.kubernetes.cri.sandbox-namespace\": \"default\", \"io.kubernetes.cri.sandbox-uid\": \"5b6eaa52-24fd-4a6e-8371-936515f32c7f\"}", - "tests/kata/data/pod-same-containers/policy.rego:101: allow_anno 2: i keys = {\"io.katacontainers.config.agent.policyOption.execCommands\", \"io.katacontainers.pkg.oci.bundle_path\", \"io.katacontainers.pkg.oci.container_type\", \"io.kubernetes.cri.container-name\", \"io.kubernetes.cri.container-type\", \"io.kubernetes.cri.image-name\", \"io.kubernetes.cri.sandbox-id\", \"io.kubernetes.cri.sandbox-name\", \"io.kubernetes.cri.sandbox-namespace\", \"io.kubernetes.cri.sandbox-uid\"}", - "tests/kata/data/pod-same-containers/policy.rego:111: allow_anno_key 1: i key = io.katacontainers.config.agent.policyOption.execCommands", - "tests/kata/data/pod-same-containers/policy.rego:118: allow_anno_key 2: i key = io.katacontainers.config.agent.policyOption.execCommands", - "tests/kata/data/pod-same-containers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-same-containers/policy.rego:111: allow_anno_key 1: i key = io.katacontainers.pkg.oci.bundle_path", - "tests/kata/data/pod-same-containers/policy.rego:118: allow_anno_key 2: i key = io.katacontainers.pkg.oci.bundle_path", - "tests/kata/data/pod-same-containers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-same-containers/policy.rego:111: allow_anno_key 1: i key = io.katacontainers.pkg.oci.container_type", - "tests/kata/data/pod-same-containers/policy.rego:118: allow_anno_key 2: i key = io.katacontainers.pkg.oci.container_type", - "tests/kata/data/pod-same-containers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-same-containers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.container-name", - "tests/kata/data/pod-same-containers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-same-containers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.container-name", - "tests/kata/data/pod-same-containers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-same-containers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.container-type", - "tests/kata/data/pod-same-containers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-same-containers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.container-type", - "tests/kata/data/pod-same-containers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-same-containers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.image-name", - "tests/kata/data/pod-same-containers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-same-containers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.image-name", - "tests/kata/data/pod-same-containers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-same-containers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-id", - "tests/kata/data/pod-same-containers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-same-containers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-id", - "tests/kata/data/pod-same-containers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-same-containers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-name", - "tests/kata/data/pod-same-containers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-same-containers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-name", - "tests/kata/data/pod-same-containers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-same-containers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-namespace", - "tests/kata/data/pod-same-containers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-same-containers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-namespace", - "tests/kata/data/pod-same-containers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-same-containers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-uid", - "tests/kata/data/pod-same-containers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-same-containers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-uid", - "tests/kata/data/pod-same-containers/policy.rego:107: allow_anno 2: true", - "tests/kata/data/pod-same-containers/policy.rego:129: allow_by_anno 1: start", - "tests/kata/data/pod-same-containers/policy.rego:143: allow_by_anno 2: start", - "tests/kata/data/pod-same-containers/policy.rego:149: allow_by_anno 2: i_s_name = same-containers p_s_name = same-containers", - "tests/kata/data/pod-same-containers/policy.rego:175: allow_sandbox_name 1: start", - "tests/kata/data/pod-same-containers/policy.rego:179: allow_sandbox_name 1: true", - "tests/kata/data/pod-same-containers/policy.rego:182: allow_sandbox_name 2: start", - "tests/kata/data/pod-same-containers/policy.rego:158: allow_by_sandbox_name: start", - "tests/kata/data/pod-same-containers/policy.rego:164: allow_by_sandbox_name: p_namespace = default i_namespace = default", - "tests/kata/data/pod-same-containers/policy.rego:196: allow_by_container_types: checking io.kubernetes.cri.container-type", - "tests/kata/data/pod-same-containers/policy.rego:202: allow_by_container_types: p_cri_type = container i_cri_type = container", - "tests/kata/data/pod-same-containers/policy.rego:211: allow_by_container_type 1: i_cri_type = container", - "tests/kata/data/pod-same-containers/policy.rego:226: allow_by_container_type 2: i_cri_type = container", - "tests/kata/data/pod-same-containers/policy.rego:230: allow_by_container_type 2: i_kata_type = pod_container", - "tests/kata/data/pod-same-containers/policy.rego:250: allow_container_name: start", - "tests/kata/data/pod-same-containers/policy.rego:267: allow_container_annotation: key = io.kubernetes.cri.container-name", - "tests/kata/data/pod-same-containers/policy.rego:271: allow_container_annotation: p_value = busybox3 i_value = busybox1" + "tests/kata/data/pod-same-containers/policy.rego:85: CreateContainerRequest: true" ], [], [ @@ -2423,68 +2289,7 @@ "tests/kata/data/pod-same-containers/policy.rego:395: allow_readonly_paths 1: true", "tests/kata/data/pod-same-containers/policy.rego:398: allow_readonly_paths 2: start", "tests/kata/data/pod-same-containers/policy.rego:346: allow_linux: true", - "tests/kata/data/pod-same-containers/policy.rego:85: CreateContainerRequest: true", - "tests/kata/data/pod-same-containers/policy.rego:63: ======== CreateContainerRequest: trying next policy container", - "tests/kata/data/pod-same-containers/policy.rego:67: CreateContainerRequest: p_pidns = false i_pidns = false", - "tests/kata/data/pod-same-containers/policy.rego:72: CreateContainerRequest: p Version = 1.1.0-rc.1 i Version = 1.1.0-rc.1", - "tests/kata/data/pod-same-containers/policy.rego:75: CreateContainerRequest: p Readonly = false i Readonly = false", - "tests/kata/data/pod-same-containers/policy.rego:90: allow_anno 1: start", - "tests/kata/data/pod-same-containers/policy.rego:97: allow_anno 2: p Annotations = {\"io.katacontainers.config.agent.policyOption.execCommands\": \"W3siY29udGFpbmVyTmFtZSI6ImJ1c3lib3gyIiwiZXhlY0NvbW1hbmRzIjpbImRoIC1oIiwicHMgLWVmIl19LCB7ImNvbnRhaW5lck5hbWUiOiJidXN5Ym94MyIsImV4ZWNDb21tYW5kcyI6WyJscyJdfV0=\", \"io.katacontainers.pkg.oci.bundle_path\": \"/run/containerd/io.containerd.runtime.v2.task/k8s.io/$(bundle-id)\", \"io.katacontainers.pkg.oci.container_type\": \"pod_container\", \"io.kubernetes.cri.container-name\": \"busybox3\", \"io.kubernetes.cri.container-type\": \"container\", \"io.kubernetes.cri.image-name\": \"mcr.microsoft.com/aks/e2e/library-busybox:master.220314.1-linux-amd64\", \"io.kubernetes.cri.sandbox-id\": \"^[a-z0-9]{64}$\", \"io.kubernetes.cri.sandbox-name\": \"same-containers\", \"io.kubernetes.cri.sandbox-namespace\": \"default\"}", - "tests/kata/data/pod-same-containers/policy.rego:98: allow_anno 2: i Annotations = {\"io.katacontainers.config.agent.policyOption.execCommands\": \"W3siY29udGFpbmVyTmFtZSI6ImJ1c3lib3gyIiwiZXhlY0NvbW1hbmRzIjpbImRoIC1oIiwicHMgLWVmIl19LCB7ImNvbnRhaW5lck5hbWUiOiJidXN5Ym94MyIsImV4ZWNDb21tYW5kcyI6WyJscyJdfV0=\", \"io.katacontainers.pkg.oci.bundle_path\": \"/run/containerd/io.containerd.runtime.v2.task/k8s.io/8ab188b8cbf32be40c40cbeaf26d340c100b586a9ba800fd1b3d505b735172b9\", \"io.katacontainers.pkg.oci.container_type\": \"pod_container\", \"io.kubernetes.cri.container-name\": \"busybox2\", \"io.kubernetes.cri.container-type\": \"container\", \"io.kubernetes.cri.image-name\": \"mcr.microsoft.com/aks/e2e/library-busybox:master.220314.1-linux-amd64\", \"io.kubernetes.cri.sandbox-id\": \"971f00d742eb5728de5b147808f02a301d559b70c0dc17dcffd72855b4676a73\", \"io.kubernetes.cri.sandbox-name\": \"same-containers\", \"io.kubernetes.cri.sandbox-namespace\": \"default\", \"io.kubernetes.cri.sandbox-uid\": \"5b6eaa52-24fd-4a6e-8371-936515f32c7f\"}", - "tests/kata/data/pod-same-containers/policy.rego:101: allow_anno 2: i keys = {\"io.katacontainers.config.agent.policyOption.execCommands\", \"io.katacontainers.pkg.oci.bundle_path\", \"io.katacontainers.pkg.oci.container_type\", \"io.kubernetes.cri.container-name\", \"io.kubernetes.cri.container-type\", \"io.kubernetes.cri.image-name\", \"io.kubernetes.cri.sandbox-id\", \"io.kubernetes.cri.sandbox-name\", \"io.kubernetes.cri.sandbox-namespace\", \"io.kubernetes.cri.sandbox-uid\"}", - "tests/kata/data/pod-same-containers/policy.rego:111: allow_anno_key 1: i key = io.katacontainers.config.agent.policyOption.execCommands", - "tests/kata/data/pod-same-containers/policy.rego:118: allow_anno_key 2: i key = io.katacontainers.config.agent.policyOption.execCommands", - "tests/kata/data/pod-same-containers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-same-containers/policy.rego:111: allow_anno_key 1: i key = io.katacontainers.pkg.oci.bundle_path", - "tests/kata/data/pod-same-containers/policy.rego:118: allow_anno_key 2: i key = io.katacontainers.pkg.oci.bundle_path", - "tests/kata/data/pod-same-containers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-same-containers/policy.rego:111: allow_anno_key 1: i key = io.katacontainers.pkg.oci.container_type", - "tests/kata/data/pod-same-containers/policy.rego:118: allow_anno_key 2: i key = io.katacontainers.pkg.oci.container_type", - "tests/kata/data/pod-same-containers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-same-containers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.container-name", - "tests/kata/data/pod-same-containers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-same-containers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.container-name", - "tests/kata/data/pod-same-containers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-same-containers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.container-type", - "tests/kata/data/pod-same-containers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-same-containers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.container-type", - "tests/kata/data/pod-same-containers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-same-containers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.image-name", - "tests/kata/data/pod-same-containers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-same-containers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.image-name", - "tests/kata/data/pod-same-containers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-same-containers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-id", - "tests/kata/data/pod-same-containers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-same-containers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-id", - "tests/kata/data/pod-same-containers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-same-containers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-name", - "tests/kata/data/pod-same-containers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-same-containers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-name", - "tests/kata/data/pod-same-containers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-same-containers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-namespace", - "tests/kata/data/pod-same-containers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-same-containers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-namespace", - "tests/kata/data/pod-same-containers/policy.rego:123: allow_anno_key 2: true", - "tests/kata/data/pod-same-containers/policy.rego:111: allow_anno_key 1: i key = io.kubernetes.cri.sandbox-uid", - "tests/kata/data/pod-same-containers/policy.rego:115: allow_anno_key 1: true", - "tests/kata/data/pod-same-containers/policy.rego:118: allow_anno_key 2: i key = io.kubernetes.cri.sandbox-uid", - "tests/kata/data/pod-same-containers/policy.rego:107: allow_anno 2: true", - "tests/kata/data/pod-same-containers/policy.rego:129: allow_by_anno 1: start", - "tests/kata/data/pod-same-containers/policy.rego:143: allow_by_anno 2: start", - "tests/kata/data/pod-same-containers/policy.rego:149: allow_by_anno 2: i_s_name = same-containers p_s_name = same-containers", - "tests/kata/data/pod-same-containers/policy.rego:175: allow_sandbox_name 1: start", - "tests/kata/data/pod-same-containers/policy.rego:179: allow_sandbox_name 1: true", - "tests/kata/data/pod-same-containers/policy.rego:182: allow_sandbox_name 2: start", - "tests/kata/data/pod-same-containers/policy.rego:158: allow_by_sandbox_name: start", - "tests/kata/data/pod-same-containers/policy.rego:164: allow_by_sandbox_name: p_namespace = default i_namespace = default", - "tests/kata/data/pod-same-containers/policy.rego:196: allow_by_container_types: checking io.kubernetes.cri.container-type", - "tests/kata/data/pod-same-containers/policy.rego:202: allow_by_container_types: p_cri_type = container i_cri_type = container", - "tests/kata/data/pod-same-containers/policy.rego:211: allow_by_container_type 1: i_cri_type = container", - "tests/kata/data/pod-same-containers/policy.rego:226: allow_by_container_type 2: i_cri_type = container", - "tests/kata/data/pod-same-containers/policy.rego:230: allow_by_container_type 2: i_kata_type = pod_container", - "tests/kata/data/pod-same-containers/policy.rego:250: allow_container_name: start", - "tests/kata/data/pod-same-containers/policy.rego:267: allow_container_annotation: key = io.kubernetes.cri.container-name", - "tests/kata/data/pod-same-containers/policy.rego:271: allow_container_annotation: p_value = busybox3 i_value = busybox2" + "tests/kata/data/pod-same-containers/policy.rego:85: CreateContainerRequest: true" ], [], [ diff --git a/tests/kata/data/web/prints.json b/tests/kata/data/web/prints.json index 82483beb..9e8f9af8 100644 --- a/tests/kata/data/web/prints.json +++ b/tests/kata/data/web/prints.json @@ -390,11 +390,7 @@ "tests/kata/data/web/policy.rego:395: allow_readonly_paths 1: true", "tests/kata/data/web/policy.rego:398: allow_readonly_paths 2: start", "tests/kata/data/web/policy.rego:346: allow_linux: true", - "tests/kata/data/web/policy.rego:85: CreateContainerRequest: true", - "tests/kata/data/web/policy.rego:63: ======== CreateContainerRequest: trying next policy container", - "tests/kata/data/web/policy.rego:67: CreateContainerRequest: p_pidns = false i_pidns = false", - "tests/kata/data/web/policy.rego:72: CreateContainerRequest: p Version = 1.1.0-rc.1 i Version = 1.1.0-rc.1", - "tests/kata/data/web/policy.rego:75: CreateContainerRequest: p Readonly = false i Readonly = true" + "tests/kata/data/web/policy.rego:85: CreateContainerRequest: true" ], [], [], diff --git a/tests/kata/data/web2/prints.json b/tests/kata/data/web2/prints.json index 6e47f9b4..ee65b99d 100644 --- a/tests/kata/data/web2/prints.json +++ b/tests/kata/data/web2/prints.json @@ -390,9 +390,7 @@ "tests/kata/data/web2/policy.rego:395: allow_readonly_paths 1: true", "tests/kata/data/web2/policy.rego:398: allow_readonly_paths 2: start", "tests/kata/data/web2/policy.rego:346: allow_linux: true", - "tests/kata/data/web2/policy.rego:85: CreateContainerRequest: true", - "tests/kata/data/web2/policy.rego:63: ======== CreateContainerRequest: trying next policy container", - "tests/kata/data/web2/policy.rego:67: CreateContainerRequest: p_pidns = true i_pidns = false" + "tests/kata/data/web2/policy.rego:85: CreateContainerRequest: true" ], [], [],