ROX-35289: add post-upgrade script to skip init container evaluation #123
Merged: AlexVulaj merged 5 commits into main from AlexVulaj/ROX-35289-skip-init-container-script, Jul 1, 2026 (+162 −0)
Commits:
- 52dd31f ROX-35289: add post-upgrade script to skip init container evaluation (AlexVulaj)
- 4c67286 ROX-35289: skip declarative, audit log, and node event policies (AlexVulaj)
- 6cc34fb ROX-35289: fix jq -e under set -e, add failure counter and non-zero exit (AlexVulaj)
- 38b4e47 ROX-35289: per-policy confirmation by default, clean up skip messages (AlexVulaj)
- cee0cd3 ROX-35289: handle empty policy list (AlexVulaj)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,44 @@ | ||
| # Skip Init Container Evaluation | ||
|
|
||
| Starting in ACS 5.0, policies evaluate init containers by default. This script is a **one-time post-upgrade tool** that adds `skipContainerTypes: ["INIT"]` to all existing policies that don't already have an evaluation filter, preserving the pre-5.0 behavior where init containers were not evaluated. | ||
|
|
||
| This script is not intended to be run repeatedly or as a long-term maintenance tool. | ||
|
|
||
| ## Usage | ||
|
|
||
| ```bash | ||
| export ROX_ENDPOINT="central.example.com:443" | ||
| export ROX_API_TOKEN="your-api-token" | ||
|
|
||
| ./skip-init-container-evaluation.sh | ||
| ``` | ||
|
|
||
| Each policy is presented for confirmation with options: `yes` (update this policy), `no` (skip this policy), or `all` (update this and all remaining policies without further prompts). | ||
|
|
||
| ## Requirements | ||
|
|
||
| - ACS 5.0 or later | ||
| - `curl` and `jq` installed | ||
| - An API token with policy read/write permissions | ||
|
|
||
| ## What it does | ||
|
|
||
| 1. Checks that Central is running ACS 5.0+ | ||
| 2. Lists all policies and prompts for confirmation before making changes | ||
| 3. For each applicable policy without an existing evaluation filter, adds `skipContainerTypes: ["INIT"]` | ||
| 4. Skips policies that already have an evaluation filter | ||
| 5. Skips build-only policies (container type filters are not applicable at build time) | ||
| 6. Skips declarative (CRD-managed) policies | ||
| 7. Skips audit log and node event policies (they don't evaluate containers) | ||
|
|
||
| ## Policy-as-Code users | ||
|
|
||
| If you manage policies via SecurityPolicy CRDs and a GitOps workflow, update your policy manifests directly instead of running this script. Add the following to each policy spec: | ||
|
|
||
| ```yaml | ||
| spec: | ||
| # ... existing policy fields ... | ||
| evaluationFilter: | ||
| skipContainerTypes: | ||
| - INIT | ||
| ``` | ||
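Review bot: the Usage and Requirements sections in this hunk omit two things the script's behaviour depends on. First, the tool is interactive: every applicable policy prompts on stdin until `all` is answered, so it cannot be run from a pipeline or an unattended job, and Usage should say so. Second, the token handed to `ROX_API_TOKEN` needs write access to policies and is exported with `export ROX_API_TOKEN="your-api-token"`, which leaves the secret in shell history; suggest reading it from a file or with `read -rs ROX_API_TOKEN; export ROX_API_TOKEN`, and minting a short-lived token for this one run rather than reusing a broad one. Requirements should also state how Central's TLS certificate is expected to be trusted, since the accompanying script makes its own assumption about that. The "one-time post-upgrade tool" sentence would read better with the note that re-running is harmless: step 4 under "What it does" skips every policy that already has an evaluation filter, which is exactly what makes a run that exited non-zero (per the "add failure counter and non-zero exit" commit) safe to resume.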
util-scripts/skip-init-container-evaluation/skip-init-container-evaluation.sh
118 changes: 118 additions & 0 deletions
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,118 @@ | ||
| #!/bin/bash | ||
| # Adds skipContainerTypes: ["INIT"] to all existing policies that don't already have it. | ||
| # This is intended for customers upgrading to 5.0+ who want to preserve the pre-5.0 behavior | ||
| # where init containers were not evaluated by policies. | ||
|
|
||
| set -euo pipefail | ||
|
|
||
| CONFIRM_EACH=true | ||
|
|
||
| if [[ -z "${ROX_ENDPOINT:-}" ]]; then | ||
| echo >&2 "ROX_ENDPOINT must be set" | ||
| exit 1 | ||
| fi | ||
|
|
||
| if [[ -z "${ROX_API_TOKEN:-}" ]]; then | ||
| echo >&2 "ROX_API_TOKEN must be set" | ||
| exit 1 | ||
| fi | ||
|
|
||
| API="https://${ROX_ENDPOINT}" | ||
| AUTH="Authorization: Bearer ${ROX_API_TOKEN}" | ||
|
|
||
| # Version check — require 5.0+ | ||
| version=$(curl -sk -H "$AUTH" "$API/v1/metadata" | jq -r '.version') | ||
|
|
||
| major=$(echo "$version" | cut -d. -f1) | ||
|
|
||
| if [[ "$major" -lt 5 ]]; then | ||
| echo >&2 "This script requires ACS 5.0 or later (detected: $version)" | ||
| exit 1 | ||
| fi | ||
|
|
||
| echo "ACS version: $version" | ||
|
|
||
| # List all policies | ||
| policies=$(curl -sk -H "$AUTH" "$API/v1/policies" | jq -r '.policies[].id') | ||
| if [[ -z "$policies" ]]; then | ||
| echo "No policies found." | ||
| exit 0 | ||
| fi | ||
| total=$(echo "$policies" | wc -l | tr -d ' ') | ||
|
|
||
| updated=0 | ||
| skipped=0 | ||
|
|
||
| failed=0 | ||
|
|
||
| echo "Found $total policies" | ||
| echo "" | ||
|
|
||
| for id in $policies; do | ||
| policy=$(curl -sk -H "$AUTH" "$API/v1/policies/$id") | ||
| name=$(echo "$policy" | jq -r '.name') | ||
|
|
||
| # Skip if any evaluation filter is already configured | ||
| existing_filter=$(echo "$policy" | jq '.evaluationFilter // empty' 2>/dev/null) | ||
| if [[ -n "$existing_filter" && "$existing_filter" != "{}" && "$existing_filter" != "null" ]]; then | ||
| echo " SKIP: \"$name\" — already has evaluation filter" | ||
| skipped=$((skipped + 1)) | ||
| continue | ||
| fi | ||
|
|
||
| # Skip build-only policies — container type filters don't apply at build time | ||
| lifecycle_stages=$(echo "$policy" | jq -r '.lifecycleStages[]') | ||
| if [[ "$lifecycle_stages" == "BUILD" ]]; then | ||
|
|
||
| echo " SKIP: \"$name\" — build-only policy" | ||
| skipped=$((skipped + 1)) | ||
| continue | ||
| fi | ||
|
|
||
|
|
||
| # Skip declarative (CRD-managed) policies — customers should update their CRD manifests directly | ||
| source=$(echo "$policy" | jq -r '.source') | ||
| if [[ "$source" == "DECLARATIVE" ]]; then | ||
| echo " SKIP: \"$name\" — declarative policy (update CRD directly)" | ||
| skipped=$((skipped + 1)) | ||
| continue | ||
| fi | ||
|
|
||
| # Skip audit log and node event policies — they don't evaluate containers | ||
| event_source=$(echo "$policy" | jq -r '.eventSource') | ||
| if [[ "$event_source" == "AUDIT_LOG_EVENT" ]]; then | ||
| echo " SKIP: \"$name\" — audit log event policy" | ||
| skipped=$((skipped + 1)) | ||
| continue | ||
| fi | ||
| if [[ "$event_source" == "NODE_EVENT" ]]; then | ||
| echo " SKIP: \"$name\" — node event policy" | ||
| skipped=$((skipped + 1)) | ||
| continue | ||
| fi | ||
|
|
||
| if [[ "$CONFIRM_EACH" == "true" ]]; then | ||
| read -rp " Update \"$name\"? (yes/no/all): " answer | ||
| case "$answer" in | ||
| all) CONFIRM_EACH=false ;; | ||
| yes) ;; | ||
| *) echo " SKIP: \"$name\" — skipped by user"; skipped=$((skipped + 1)); continue ;; | ||
| esac | ||
| fi | ||
|
|
||
| # Add skipContainerTypes: ["INIT"] to the evaluation filter | ||
| updated_policy=$(echo "$policy" | jq '.evaluationFilter = {"skipContainerTypes": ["INIT"]}') | ||
|
|
||
| result=$(curl -sk -o /dev/null -w "%{http_code}" -XPUT -H "$AUTH" -H "Content-Type: application/json" \ | ||
| "$API/v1/policies/$id" --data "$updated_policy") | ||
|
|
||
| if [[ "$result" == "200" ]]; then | ||
| echo " UPDATED: \"$name\"" | ||
| updated=$((updated + 1)) | ||
| else | ||
| echo >&2 " ERROR: \"$name\" — HTTP $result" | ||
| failed=$((failed + 1)) | ||
| fi | ||
| done | ||
|
|
||
| echo "" | ||
| echo "Done. Updated: $updated, Skipped: $skipped, Failed: $failed, Total: $total" | ||
|
|
||
| if [[ "$failed" -gt 0 ]]; then | ||
| exit 1 | ||
| fi | ||
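Review bot: every curl call in this hunk passes `-k`, which disables TLS certificate verification while sending `Authorization: Bearer ${ROX_API_TOKEN}` (a token with policy write permission) to `$API/v1/policies`; anything on the path to Central can capture that token, or hand back crafted policy JSON that the loop then PUTs straight back. Drop `-k`, let the caller supply trust explicitly (for example an optional `ROX_CA_CERT` variable passed as `--cacert "$ROX_CA_CERT"`), and put insecure mode behind an explicit opt-in. Two smaller points in the same loop: `policy=$(curl -sk -H "$AUTH" "$API/v1/policies/$id")` has no `--fail`, so a 401/403/404 error body flows into `jq -r '.lifecycleStages[]'`, which errors on null and, under `set -euo pipefail`, aborts the whole run instead of incrementing `failed` and continuing (the same applies to the `/v1/metadata` call, where a failed request yields `detected: null`); and both `-H "$AUTH"` and `--data "$updated_policy"` place the token and the full policy JSON on the command line, visible in the process list to other local users and, for large policies, subject to ARG_MAX. Passing the header via `--config` and the body via `--data @-` on stdin avoids both.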