Update initdata for 1.11 #65

@butler54

Description

It might be a good idea to extend the policy to reflect the latest 1.11 example - https://docs.redhat.com/en/documentation/openshift_sandboxed_containers/1.11/html/deploying_confidential_containers/deploying-cc_azure-cc#creating-initdat_azure-cc.

Specifically, adding this:

```rego
# Fragment to add to the existing Kata agent policy (assumes the policy file's
# usual header: package agent_policy plus the future.keywords imports for `if`/`in`).

# Allow an exec only when the full command line, as a single string, exactly
# matches one of the allow-listed commands below.
ExecProcessRequest if {
    input_command = concat(" ", input.process.Args)
    some allowed_command in policy_data.allowed_commands
    input_command == allowed_command
}

policy_data := {
  "allowed_commands": [
        "curl http://127.0.0.1:8006/cdh/resource/default/attestation-status/status"
  ]
}
```

This will make verifying the attestation status easier without the need to use a permissive policy.
It also needs a change in the Trustee config to add the attestation-status secret.

Originally posted by @bpradipt in validatedpatterns/layered-zero-trust#80 (comment)
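As an added illustration (not code from the issue or from the layered-zero-trust project), the fragment above placed in a complete, self-contained Kata agent policy together with `opa test` cases. The `package agent_policy` name and the `input.process.Args` shape are those the Kata agent uses; the file name `exec-allowlist.rego` and the `test_*` rule names are assumptions made here. The tests show the property the allow-list gives a defender: because the match is on the whole joined command string, a plain shell, a command with extra arguments, or a command with a different URL is denied even though it also starts with `curl`.

```rego
package agent_policy

import future.keywords.if
import future.keywords.in

# Deny every exec that is not explicitly allowed below.
default ExecProcessRequest := false

# Allow an exec only when the full command line exactly matches an allow-listed string.
ExecProcessRequest if {
    input_command = concat(" ", input.process.Args)
    some allowed_command in policy_data.allowed_commands
    input_command == allowed_command
}

policy_data := {
  "allowed_commands": [
        "curl http://127.0.0.1:8006/cdh/resource/default/attestation-status/status"
  ]
}

# ---- unit tests (run with: opa test exec-allowlist.rego) ----
# Constructed inputs mirroring what the agent passes for an ExecProcessRequest.

# The exact attestation-status probe is allowed.
test_attestation_status_allowed if {
    ExecProcessRequest with input as {"process": {"Args": [
        "curl",
        "http://127.0.0.1:8006/cdh/resource/default/attestation-status/status",
    ]}}
}

# An interactive shell is denied.
test_shell_denied if {
    not ExecProcessRequest with input as {"process": {"Args": ["sh"]}}
}

# Extra arguments change the joined string, so the exec is denied.
test_extra_args_denied if {
    not ExecProcessRequest with input as {"process": {"Args": [
        "curl",
        "http://127.0.0.1:8006/cdh/resource/default/attestation-status/status",
        "-o", "/tmp/status",
    ]}}
}

# Same binary, different resource path: denied.
test_other_resource_denied if {
    not ExecProcessRequest with input as {"process": {"Args": [
        "curl",
        "http://127.0.0.1:8006/cdh/resource/default/other/secret",
    ]}}
}
```

Keep the allow-listed strings as exact command lines and review them whenever the probe changes (for example a different CDH port or resource path), since any deviation in the arguments will be rejected by design rather than silently permitted.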
