Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
44 changes: 44 additions & 0 deletions util-scripts/skip-init-container-evaluation/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
# Skip Init Container Evaluation

Starting in ACS 5.0, policies evaluate init containers by default. This script is a **one-time post-upgrade tool** that adds `skipContainerTypes: ["INIT"]` to all existing policies that don't already have an evaluation filter, preserving the pre-5.0 behavior where init containers were not evaluated.

This script is not intended to be run repeatedly or as a long-term maintenance tool.

## Usage

```bash
export ROX_ENDPOINT="central.example.com:443"
export ROX_API_TOKEN="your-api-token"

./skip-init-container-evaluation.sh
```

Each policy is presented for confirmation with options: `yes` (update this policy), `no` (skip this policy), or `all` (update this and all remaining policies without further prompts).

## Requirements

- ACS 5.0 or later
- `curl` and `jq` installed
Comment thread
c-du marked this conversation as resolved.
- An API token with policy read/write permissions

## What it does

1. Checks that Central is running ACS 5.0+
2. Lists all policies and prompts for confirmation before making changes
3. For each applicable policy without an existing evaluation filter, adds `skipContainerTypes: ["INIT"]`
4. Skips policies that already have an evaluation filter
5. Skips build-only policies (container type filters are not applicable at build time)
6. Skips declarative (CRD-managed) policies
7. Skips audit log and node event policies (they don't evaluate containers)

## Policy-as-Code users

If you manage policies via SecurityPolicy CRDs and a GitOps workflow, update your policy manifests directly instead of running this script. Add the following to each policy spec:

```yaml
spec:
# ... existing policy fields ...
evaluationFilter:
skipContainerTypes:
- INIT
```
Original file line number Diff line number Diff line change
@@ -0,0 +1,118 @@
#!/bin/bash
# Adds skipContainerTypes: ["INIT"] to all existing policies that don't already have it.
# This is intended for customers upgrading to 5.0+ who want to preserve the pre-5.0 behavior
# where init containers were not evaluated by policies.

set -euo pipefail

CONFIRM_EACH=true

if [[ -z "${ROX_ENDPOINT:-}" ]]; then
echo >&2 "ROX_ENDPOINT must be set"
exit 1
fi

if [[ -z "${ROX_API_TOKEN:-}" ]]; then
echo >&2 "ROX_API_TOKEN must be set"
exit 1
fi

API="https://${ROX_ENDPOINT}"
AUTH="Authorization: Bearer ${ROX_API_TOKEN}"

# Version check — require 5.0+
version=$(curl -sk -H "$AUTH" "$API/v1/metadata" | jq -r '.version')
Comment thread
coderabbitai[bot] marked this conversation as resolved.
major=$(echo "$version" | cut -d. -f1)

if [[ "$major" -lt 5 ]]; then
echo >&2 "This script requires ACS 5.0 or later (detected: $version)"
exit 1
fi

echo "ACS version: $version"

# List all policies
policies=$(curl -sk -H "$AUTH" "$API/v1/policies" | jq -r '.policies[].id')
if [[ -z "$policies" ]]; then
echo "No policies found."
exit 0
fi
total=$(echo "$policies" | wc -l | tr -d ' ')
Comment thread
AlexVulaj marked this conversation as resolved.
updated=0
skipped=0
Comment thread
coderabbitai[bot] marked this conversation as resolved.
failed=0

echo "Found $total policies"
echo ""

for id in $policies; do
policy=$(curl -sk -H "$AUTH" "$API/v1/policies/$id")
name=$(echo "$policy" | jq -r '.name')

# Skip if any evaluation filter is already configured
existing_filter=$(echo "$policy" | jq '.evaluationFilter // empty' 2>/dev/null)
if [[ -n "$existing_filter" && "$existing_filter" != "{}" && "$existing_filter" != "null" ]]; then
echo " SKIP: \"$name\" — already has evaluation filter"
skipped=$((skipped + 1))
continue
fi

# Skip build-only policies — container type filters don't apply at build time
lifecycle_stages=$(echo "$policy" | jq -r '.lifecycleStages[]')
if [[ "$lifecycle_stages" == "BUILD" ]]; then
Comment thread
c-du marked this conversation as resolved.
echo " SKIP: \"$name\" — build-only policy"
skipped=$((skipped + 1))
continue
fi
Comment thread
c-du marked this conversation as resolved.

# Skip declarative (CRD-managed) policies — customers should update their CRD manifests directly
source=$(echo "$policy" | jq -r '.source')
if [[ "$source" == "DECLARATIVE" ]]; then
echo " SKIP: \"$name\" — declarative policy (update CRD directly)"
skipped=$((skipped + 1))
continue
fi

# Skip audit log and node event policies — they don't evaluate containers
event_source=$(echo "$policy" | jq -r '.eventSource')
if [[ "$event_source" == "AUDIT_LOG_EVENT" ]]; then
echo " SKIP: \"$name\" — audit log event policy"
skipped=$((skipped + 1))
continue
fi
if [[ "$event_source" == "NODE_EVENT" ]]; then
echo " SKIP: \"$name\" — node event policy"
skipped=$((skipped + 1))
continue
fi

if [[ "$CONFIRM_EACH" == "true" ]]; then
read -rp " Update \"$name\"? (yes/no/all): " answer
case "$answer" in
all) CONFIRM_EACH=false ;;
yes) ;;
*) echo " SKIP: \"$name\" — skipped by user"; skipped=$((skipped + 1)); continue ;;
esac
fi

# Add skipContainerTypes: ["INIT"] to the evaluation filter
updated_policy=$(echo "$policy" | jq '.evaluationFilter = {"skipContainerTypes": ["INIT"]}')

result=$(curl -sk -o /dev/null -w "%{http_code}" -XPUT -H "$AUTH" -H "Content-Type: application/json" \
"$API/v1/policies/$id" --data "$updated_policy")

if [[ "$result" == "200" ]]; then
echo " UPDATED: \"$name\""
updated=$((updated + 1))
else
echo >&2 " ERROR: \"$name\" — HTTP $result"
failed=$((failed + 1))
fi
done

echo ""
echo "Done. Updated: $updated, Skipped: $skipped, Failed: $failed, Total: $total"

if [[ "$failed" -gt 0 ]]; then
exit 1
fi