
Add support for constrained extension policy #3589

Open
mgunnala wants to merge 5 commits into
Azure:developfrom
mgunnala:constrained_ext

Conversation

@mgunnala

@mgunnala mgunnala commented Apr 8, 2026


Description

Issue #

This PR adds support for constrained extension (runtime) policy. If "runtimePolicy" is specified for an extension in the policy file, and the extension supports runtime policy, the agent writes this policy to a file in the extension's config directory.

Behavior:

  • If "supportsPolicy" is true in the extension handler manifest:
    • If runtime policy is specified in "waagent_policy.json", the agent will create a policy file "waagent_runtime_policy.json" in the config directory before enabling the extension
      • Full path: /var/lib/waagent//config/waagent_runtime_policy.json
    • If runtime policy is not specified, create a policy file with an empty JSON object.
  • If "supportsPolicy" is false in the extension handler manifest:
    • If runtime policy is specified in "waagent_policy.json", fail the extension.
    • If runtime policy is not specified, do not create the waagent_runtime_policy.json file and continue with extension processing.

PR information

  • Ensure development PR is based on the develop branch.
  • If applicable, the PR references the bug/issue that it fixes in the description.
  • New Unit tests were added for the changes made

Quality of Code and Contribution Guidelines


Distro maintenance information, if applicable

  • This is a contribution from a distro maintainer
  • The changes in this PR have been taken as a downstream patch (Note: it is not recommended to patch the agent without upstream review and approval)
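The decision matrix above (supportsPolicy in the handler manifest versus a runtimePolicy entry in waagent_policy.json), written out as a small added example; this is not WALinuxAgent code from the PR. The JSON shapes (a per-extension "runtimePolicy" under "extensionPolicies" -> "extensions", and a handler manifest list with one "handlerManifest" object), the function names and the fail-closed reading of a missing or non-boolean "supportsPolicy" are assumptions of the example.

```python
import json
import os

# Added example of the PR's described behaviour, not the agent's own implementation.
# Assumed shapes: policy file -> {"extensionPolicies": {"extensions": {<name>: {"runtimePolicy": {...}}}}}
# handler manifest -> [{"handlerManifest": {"supportsPolicy": true, ...}}]
RUNTIME_POLICY_FILE = "waagent_runtime_policy.json"


class ExtensionPolicyError(Exception):
    """Raised when the extension must be failed instead of enabled."""


def manifest_supports_policy(manifest):
    """Return the supportsPolicy flag; fail closed: anything but a literal true is False."""
    try:
        value = manifest[0]["handlerManifest"].get("supportsPolicy", False)
    except (IndexError, KeyError, TypeError, AttributeError):
        return False
    return value is True


def runtime_policy_for(policy, ext_name):
    """Return the runtimePolicy object for ext_name, or None when none is specified."""
    ext_policies = policy.get("extensionPolicies", {}).get("extensions", {})
    return ext_policies.get(ext_name, {}).get("runtimePolicy")


def decide_runtime_policy(policy, manifest, ext_name):
    """Return ("write", content) or ("skip", None); raise when the extension must fail."""
    runtime_policy = runtime_policy_for(policy, ext_name)
    if manifest_supports_policy(manifest):
        # supportsPolicy true: always write the file, an empty object when nothing was specified
        return "write", runtime_policy if runtime_policy is not None else {}
    if runtime_policy is not None:
        # supportsPolicy false (or missing) with a runtime policy specified: fail the extension
        raise ExtensionPolicyError("%s does not support runtime policy but one was specified" % ext_name)
    return "skip", None


def apply_runtime_policy(policy, manifest, ext_name, config_dir):
    """Create <config_dir>/waagent_runtime_policy.json when required; return its path or None."""
    action, content = decide_runtime_policy(policy, manifest, ext_name)
    if action == "skip":
        return None
    os.makedirs(config_dir, exist_ok=True)
    path = os.path.join(config_dir, RUNTIME_POLICY_FILE)
    with open(path, "w") as f:
        json.dump(content, f)
    return path
```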

self._policy_engine.check_extension_policy(ext_handler_i.ext_handler.name, extension_is_signed)

# Create runtime policy file for extension before enabling
self._policy_engine.create_runtime_policy_file(ext_handler_i)
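Review bot: the two consecutive calls here show no handling for the failure case the description promises (supportsPolicy false while a runtimePolicy is specified must fail the extension); confirm that an exception from create_runtime_policy_file(ext_handler_i) is caught at the same level as a check_extension_policy failure and reported as a policy-specific extension error, rather than propagating out of the handler loop and affecting other extensions.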

Contributor


Let's have the calls to update_settings and create_runtime_policy_file in two consecutive lines, i.e. move this one a few lines below and the one above as part of __setup_new_handler

self._policy_engine.check_extension_policy(ext_handler_i.ext_handler.name, extension_is_signed)

# Create runtime policy file for extension before enabling
self._policy_engine.create_runtime_policy_file(ext_handler_i)

Contributor


The extension handler should get the policy from the policy engine and create the file, instead of the policy engine having knowledge of, and dependencies on, the extension manifest, config directory, etc.

return

runtime_policy_file_path = ext_handler_i.get_runtime_policy_file()
supports_policy = ext_handler_i.load_manifest().supports_policy()
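Review bot: load_manifest() is called on the last line with no guard, so a missing or malformed handler manifest surfaces here as an unhandled exception; validate the manifest when it is read and have supports_policy() treat an absent or non-boolean "supportsPolicy" as false, so that an extension with a runtimePolicy specified fails closed as the description requires instead of the file being silently written or skipped. Computing runtime_policy_file_path before the supports_policy check is harmless, but it reads more naturally after it.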

Contributor


we need some validation when reading the extension manifest

self.patch_is_cvm.start()
self.maxDiff = None # When long error messages don't match, display the entire diff.

self.runtime_policy_path = os.path.join(conf.get_lib_dir(), "OSTCExtensions.ExampleHandlerLinux-1.0.0", "config", "waagent_runtime_policy.json")

Contributor


we need end-to-end tests
