diff --git a/src/confcom/HISTORY.rst b/src/confcom/HISTORY.rst index 30bae35cc27..6b373c19eed 100644 --- a/src/confcom/HISTORY.rst +++ b/src/confcom/HISTORY.rst @@ -3,6 +3,11 @@ Release History =============== +2.0.0b1 ++++++ +* Add Windows container support with CIM-based layer hashing +* Support for mounted_cim field in security policies for Windows containers + 1.8.0 +++++ * Ensure that fragments are attached to the correct manifest for a multiarch image. diff --git a/src/confcom/README.md b/src/confcom/README.md index fa5e8d19f87..cdb02ded90d 100644 --- a/src/confcom/README.md +++ b/src/confcom/README.md @@ -29,6 +29,9 @@ ``` - Windows: [Docker Desktop](https://www.docker.com/products/docker-desktop) and [WSL2](https://docs.microsoft.com/en-us/windows/wsl/install) +- **CimWriter.dll** (Windows only, for Windows container support) + - Required for generating security policies for Windows containers + - Windows Server 2025 or newer is recommended for deterministic hash generation ## Installation Instructions (End User) 
@@ -57,6 +60,21 @@ The `confcom` extension does not currently support: - Variables and Parameters with non-primitive data types e.g. objects and arrays - Nested and Linked ARM Templates +## Platform Support (Linux and Windows Policies) + +The `--platform` parameter controls whether policies are generated for Linux (`linux/amd64`, the default) or Windows (`windows/amd64`) containers. + +**Docker Desktop must be running in the matching container mode** to produce correct layer hashes: + +| Policy Target | Docker Container Mode | Where to Run | +|---|---|---| +| Linux (`--platform linux/amd64`) | Linux containers | WSL or PowerShell | +| Windows (`--platform windows/amd64`) | Windows containers | PowerShell only | + +- **Windows policies cannot be generated from WSL**, because Windows layer hashing (CIMfs) requires Windows APIs. +- **Linux policies can be generated from either WSL or PowerShell**, as long as Docker Desktop is in Linux containers mode. +- Running with the wrong Docker container mode may produce **incorrect layer hashes** that will cause the container to be rejected at runtime. + ## Trademarks This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft diff --git a/src/confcom/azext_confcom/README.md b/src/confcom/azext_confcom/README.md index eb4c33725fb..aa132e91880 100644 --- a/src/confcom/azext_confcom/README.md +++ b/src/confcom/azext_confcom/README.md @@ -399,7 +399,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.1.0" fragments := [...] @@ -432,6 +432,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} ``` 
diff --git a/src/confcom/azext_confcom/_help.py b/src/confcom/azext_confcom/_help.py index 031f439e004..ad6ec1dfcb7 100644 --- a/src/confcom/azext_confcom/_help.py +++ b/src/confcom/azext_confcom/_help.py @@ -105,6 +105,10 @@ type: boolean short-summary: 'When enabled, the default fragments are not included in the generated policy. This includes containers needed to mount azure files, mount secrets, mount git repos, and other common ACI features' + - name: --platform + type: string + short-summary: 'Target platform for policy generation (linux/amd64 or windows/amd64). Defaults to linux/amd64. Docker Desktop must be running in the matching container mode to produce correct layer hashes.' + examples: - name: Input an ARM Template file to inject a base64 encoded Confidential Container Security Policy into the ARM Template text: az confcom acipolicygen --template-file "./template.json" @@ -116,6 +120,8 @@ text: az confcom acipolicygen --template-file "./template.json" --tar "./image.tar" - name: Input an ARM Template file and use a fragments JSON file to generate a policy text: az confcom acipolicygen --template-file "./template.json" --fragments-json "./fragments.json" --include-fragments + - name: Generate a Windows container policy (requires Docker Desktop in Windows containers mode) + text: az confcom acipolicygen --template-file "./template.json" --platform windows/amd64 --outraw-pretty-print """ helps[ @@ -340,7 +346,7 @@ parameters: - name: --platform type: str - short-summary: 'The name of the platform the container definition will run on' + short-summary: 'The name of the platform the container definition will run on. Must be either "aci" or "vn2".' examples: diff --git a/src/confcom/azext_confcom/_params.py b/src/confcom/azext_confcom/_params.py index 464a540186d..cfd5f9da035 100644 --- a/src/confcom/azext_confcom/_params.py +++ b/src/confcom/azext_confcom/_params.py 
@@ -114,6 +114,17 @@ def load_arguments(self, _): help="Image Name", validator=validate_aci_source ) + c.argument( + "platform", + options_list=("--platform",), + required=False, + default="linux/amd64", + help="Target platform for policy generation. Defaults to linux/amd64. " + "Note: Docker Desktop must be running in the matching container mode " + "(Linux containers for linux/amd64, Windows containers for windows/amd64) " + "to produce correct layer hashes.", + choices=["linux/amd64", "windows/amd64"], + ) c.argument( "tar_mapping_location", options_list=("--tar",), diff --git a/src/confcom/azext_confcom/azext_metadata.json b/src/confcom/azext_confcom/azext_metadata.json index 906e368a65c..316f36c41c2 100644 --- a/src/confcom/azext_confcom/azext_metadata.json +++ b/src/confcom/azext_confcom/azext_metadata.json @@ -1,3 +1,4 @@ { - "azext.minCliCoreVersion": "2.26.2" -} \ No newline at end of file + "azext.minCliCoreVersion": "2.26.2", + "azext.isPreview": true +} diff --git a/src/confcom/azext_confcom/command/containers_from_image.py b/src/confcom/azext_confcom/command/containers_from_image.py index 72560a5317b..7b488d23c10 100644 --- a/src/confcom/azext_confcom/command/containers_from_image.py +++ b/src/confcom/azext_confcom/command/containers_from_image.py @@ -8,5 +8,5 @@ from azext_confcom.lib.containers import from_image as lib_containers_from_image -def containers_from_image(image: str, platform: str) -> None: - print(json.dumps(lib_containers_from_image(image, platform))) +def containers_from_image(image: str, aci_or_vn2: str) -> None: + print(json.dumps(lib_containers_from_image(image, aci_or_vn2))) diff --git a/src/confcom/azext_confcom/command/containers_from_vn2.py b/src/confcom/azext_confcom/command/containers_from_vn2.py index 1d4998b8183..4a0c657939c 100644 --- a/src/confcom/azext_confcom/command/containers_from_vn2.py +++ b/src/confcom/azext_confcom/command/containers_from_vn2.py 
@@ -192,7 +192,7 @@ def containers_from_vn2( container_defs = [] for template_container, template_doc in template_containers: - image_container_def = container_from_image(template_container.get("image"), platform="vn2") + image_container_def = container_from_image(template_container.get("image"), aci_or_vn2="vn2") template_container_def = { "name": template_container.get("name"), diff --git a/src/confcom/azext_confcom/config.py b/src/confcom/azext_confcom/config.py index 7726d5c139b..664c93f4b95 100644 --- a/src/confcom/azext_confcom/config.py +++ b/src/confcom/azext_confcom/config.py @@ -127,6 +127,7 @@ POLICY_FIELD_CONTAINERS_ELEMENTS_ENVS_RULE = "pattern" POLICY_FIELD_CONTAINERS_ELEMENTS_REQUIRED = "required" POLICY_FIELD_CONTAINERS_ELEMENTS_LAYERS = "layers" +POLICY_FIELD_CONTAINERS_ELEMENTS_MOUNTED_CIM = "mounted_cim" POLICY_FIELD_CONTAINERS_ELEMENTS_WORKINGDIR = "working_dir" POLICY_FIELD_CONTAINERS_ELEMENTS_MOUNTS = "mounts" POLICY_FIELD_CONTAINERS_ELEMENTS_MOUNTS_SOURCE = "source" @@ -211,6 +212,7 @@ DEFAULT_REGO_FRAGMENTS = _config["default_rego_fragments"] # things that need to be set for debug mode DEBUG_MODE_SETTINGS = _config["debugMode"] +DEBUG_MODE_SETTINGS_WINDOWS = _config["debugModeWindows"] # reserved fragment names for existing pieces of Rego RESERVED_FRAGMENT_NAMES = _config["reserved_fragment_namespaces"] # fragment artifact type @@ -227,6 +229,7 @@ } """ CUSTOMER_REGO_POLICY = load_str_from_file(REGO_FILE_PATH) +CUSTOMER_REGO_POLICY_WINDOWS = load_str_from_file(f"{script_directory}/data/customer_rego_policy_windows.txt") CUSTOMER_REGO_FRAGMENT = load_str_from_file(REGO_FRAGMENT_FILE_PATH) # sidecar rego file SIDECAR_REGO_FILE = "./data/sidecar_rego_policy.txt" diff --git a/src/confcom/azext_confcom/container.py b/src/confcom/azext_confcom/container.py index fcdc063f33b..c8858eff970 100644 --- a/src/confcom/azext_confcom/container.py +++ b/src/confcom/azext_confcom/container.py 
@@ -563,6 +563,7 @@ def from_json( mounts=mounts, allow_elevated=allow_elevated, extraEnvironmentRules=[], + platform=container_json["platform"], execProcesses=exec_processes, signals=signals, user=user, @@ -583,6 +584,7 @@ def __init__( allow_elevated: bool, id_val: str, extraEnvironmentRules: Dict, + platform: str = "linux/amd64", entrypoint: List[str] = None, capabilities: Dict = copy.deepcopy(_CAPABILITIES), user: Dict = copy.deepcopy(_DEFAULT_USER), @@ -604,6 +606,7 @@ def __init__( self._command = command self._workingDir = workingDir self._layers = [] + self._mounted_cim = [] self._mounts = mounts self._allow_elevated = allow_elevated self._allow_stdio_access = allowStdioAccess @@ -615,6 +618,7 @@ def __init__( self._exec_processes = execProcesses or [] self._signals = signals or [] self._extraEnvironmentRules = extraEnvironmentRules + self._platform = platform def get_policy_json(self, omit_id: bool = False) -> str: return self._populate_policy_json_elements(omit_id=omit_id) @@ -658,6 +662,12 @@ def get_layers(self) -> List[str]: def set_layers(self, layers: List[str]) -> None: self._layers = layers + def get_mounted_cim(self) -> List[str]: + return self._mounted_cim + + def set_mounted_cim(self, mounted_cim: List[str]) -> None: + self._mounted_cim = mounted_cim + def get_user(self) -> Dict: return self._user 
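Review bot: `platform=container_json["platform"]` in `from_json` indexes the key directly, so a container definition that carries no `platform` field raises KeyError, while `AciPolicy.__init__` in security_policy.py reads the same field with `c.get("platform", "linux/amd64")`. Using `platform=container_json.get("platform", "linux/amd64")` here keeps the two paths consistent. The same direct index appears twice in the later `from_json` hunk that sets `image.__class__ = UserContainerImage` (the `_DEFAULT_MOUNTS` guard and the `env_rules` initialiser). Whether every loader injects the key before this point is not visible in the diff, so the failure may be unreachable today. `from_json` starts and ends outside the hunk.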
@@ -764,16 +774,27 @@ def _populate_policy_json_elements(self, omit_id: bool = False) -> Dict[str, Any config.POLICY_FIELD_CONTAINERS_ELEMENTS_ENVS: self._get_environment_rules(), config.POLICY_FIELD_CONTAINERS_ELEMENTS_WORKINGDIR: self._workingDir, config.POLICY_FIELD_CONTAINERS_ELEMENTS_MOUNTS: self._get_mounts_json(), - config.POLICY_FIELD_CONTAINERS_ELEMENTS_ALLOW_ELEVATED: self._allow_elevated, config.POLICY_FIELD_CONTAINERS_ELEMENTS_EXEC_PROCESSES: self._exec_processes, config.POLICY_FIELD_CONTAINERS_ELEMENTS_SIGNAL_CONTAINER_PROCESSES: self._signals, - config.POLICY_FIELD_CONTAINERS_ELEMENTS_USER: self.get_user(), - config.POLICY_FIELD_CONTAINERS_ELEMENTS_CAPABILITIES: self._capabilities, - config.POLICY_FIELD_CONTAINERS_ELEMENTS_SECCOMP_PROFILE_SHA256: self._seccomp_profile_sha256, config.POLICY_FIELD_CONTAINERS_ELEMENTS_ALLOW_STDIO_ACCESS: self._allow_stdio_access, - config.POLICY_FIELD_CONTAINERS_ELEMENTS_NO_NEW_PRIVILEGES: not self._allow_privilege_escalation } + if self._platform.startswith("linux"): + elements.update({ + config.POLICY_FIELD_CONTAINERS_ELEMENTS_CAPABILITIES: self._capabilities, + config.POLICY_FIELD_CONTAINERS_ELEMENTS_SECCOMP_PROFILE_SHA256: self._seccomp_profile_sha256, + config.POLICY_FIELD_CONTAINERS_ELEMENTS_USER: self.get_user(), + config.POLICY_FIELD_CONTAINERS_ELEMENTS_ALLOW_ELEVATED: self._allow_elevated, + config.POLICY_FIELD_CONTAINERS_ELEMENTS_NO_NEW_PRIVILEGES: not self._allow_privilege_escalation, + }) + elif self._platform.startswith("windows"): + elements.update({ + config.POLICY_FIELD_CONTAINERS_ELEMENTS_USER: self.get_user()["user_idname"]["pattern"], + }) + # Add mounted_cim for Windows if present + if self._mounted_cim: + elements[config.POLICY_FIELD_CONTAINERS_ELEMENTS_MOUNTED_CIM] = self._mounted_cim + if not omit_id: elements[config.POLICY_FIELD_CONTAINERS_ID] = self._identifier # if we are omitting the id, we should remove the id value from the policy if it's in the name field 
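Review bot: The `if self._platform.startswith("linux") ... elif self._platform.startswith("windows")` chain in `_populate_policy_json_elements` has no `else`, so a platform string matching neither prefix yields a container entry with no user, capabilities, seccomp hash, `allow_elevated` or `no_new_privileges`, and no error. These fields are what the policy enforces, so an unknown platform should fail closed, e.g. `else: raise ValueError(f"Unsupported platform: {self._platform}")`. `_add_rego_boilerplate` in security_policy.py has the same shape and returns None for an unrecognised platform. On the Windows branch, `self.get_user()["user_idname"]["pattern"]` also assumes both keys exist in the user dict, which the hunk does not show being guaranteed. The function begins before the hunk and continues after it.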
@@ -793,13 +814,17 @@ def from_json( image.__class__ = UserContainerImage # inject default mounts for user container if (image.base not in config.BASELINE_SIDECAR_CONTAINERS) and (not is_vn2): - image.get_mounts().extend(_DEFAULT_MOUNTS) + if container_json["platform"].startswith("linux"): + image.get_mounts().extend(_DEFAULT_MOUNTS) if (image.base not in config.BASELINE_SIDECAR_CONTAINERS) and (is_vn2): image.get_mounts().extend(_DEFAULT_MOUNTS_VN2) # Start with the customer environment rules - env_rules = copy.deepcopy(_INJECTED_CUSTOMER_ENV_RULES) + env_rules = ( + copy.deepcopy(_INJECTED_CUSTOMER_ENV_RULES) + if container_json["platform"].startswith("linux") else [] + ) # If is_vn2, add the VN2 environment rules if is_vn2: env_rules += _INJECTED_SERVICE_VN2_ENV_RULES diff --git a/src/confcom/azext_confcom/custom.py b/src/confcom/azext_confcom/custom.py index ff2b03f6b6e..7f1885ae103 100644 --- a/src/confcom/azext_confcom/custom.py +++ b/src/confcom/azext_confcom/custom.py @@ -42,6 +42,7 @@ def acipolicygen_confcom( virtual_node_yaml_path: str, infrastructure_svn: str, tar_mapping_location: str, + platform: str = "linux/amd64", container_definitions: Optional[list] = None, approve_wildcards: str = False, outraw: bool = False, @@ -120,6 +121,7 @@ def acipolicygen_confcom( if output_type == security_policy.OutputType.DEFAULT else "clear text", ) + logger.warning("Using platform: %s", platform) # error checking for making sure an input is provided is above if input_path: container_group_policies = security_policy.load_policy_from_json_file( @@ -128,6 +130,7 @@ def acipolicygen_confcom( infrastructure_svn=infrastructure_svn, disable_stdio=(not stdio_enabled), exclude_default_fragments=exclude_default_fragments, + platform=platform, ) elif arm_template: container_group_policies = security_policy.load_policy_from_arm_template_file( 
@@ -140,10 +143,12 @@ def acipolicygen_confcom( diff_mode=diff, rego_imports=fragments_list, exclude_default_fragments=exclude_default_fragments, + platform=platform, ) elif image_name: container_group_policies = security_policy.load_policy_from_image_name( - image_name, debug_mode=debug_mode, disable_stdio=(not stdio_enabled) + image_name, debug_mode=debug_mode, disable_stdio=(not stdio_enabled), + platform=platform, ) elif virtual_node_yaml_path: container_group_policies = security_policy.load_policy_from_virtual_node_yaml_file( @@ -155,6 +160,7 @@ def acipolicygen_confcom( rego_imports=fragments_list, exclude_default_fragments=exclude_default_fragments, infrastructure_svn=infrastructure_svn, + platform=platform, ) elif container_definitions: container_group_policies = AciPolicy( @@ -193,7 +199,6 @@ def acipolicygen_confcom( policy.set_fragment_contents(fragment_policy_list) for count, policy in enumerate(container_group_policies): - # this is where parameters and variables are populated policy.populate_policy_content_for_all_images( individual_image=bool(image_name), tar_mapping=tar_mapping, faster_hashing=faster_hashing ) @@ -581,7 +586,7 @@ def containers_from_image( ) -> None: _containers_from_image( image=image, - platform=platform, + aci_or_vn2=platform, ) diff --git a/src/confcom/azext_confcom/data/README b/src/confcom/azext_confcom/data/README new file mode 100644 index 00000000000..bd324ae2744 --- /dev/null +++ b/src/confcom/azext_confcom/data/README @@ -0,0 +1 @@ +internal_config.json and customer_rego_policy.txt are used by the "old style" acipolicygen command. New work should (also) happen in src/confcom/azext_confcom/lib/policy.py (or ensure that it is implemented for `containers from_image`), as eventually the old command will invoke that. diff --git a/src/confcom/azext_confcom/data/customer_rego_policy.txt b/src/confcom/azext_confcom/data/customer_rego_policy.txt index d3b891c04b0..56b1ef7fbcd 100644 
--- a/src/confcom/azext_confcom/data/customer_rego_policy.txt +++ b/src/confcom/azext_confcom/data/customer_rego_policy.txt @@ -34,5 +34,6 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} \ No newline at end of file diff --git a/src/confcom/azext_confcom/data/customer_rego_policy_windows.txt b/src/confcom/azext_confcom/data/customer_rego_policy_windows.txt new file mode 100644 index 00000000000..f0b3bb7bcad --- /dev/null +++ b/src/confcom/azext_confcom/data/customer_rego_policy_windows.txt @@ -0,0 +1,30 @@ +package policy + +import future.keywords.every +import future.keywords.in + +api_version := %s +framework_version := "0.4.1" + +fragments := %s + +containers := %s + +allow_properties_access := %s +allow_dump_stacks := %s +allow_runtime_logging := %s +allow_environment_variable_dropping := %s + +create_container := data.framework.create_container +exec_in_container := data.framework.exec_in_container +exec_external := data.framework.exec_external +shutdown_container := data.framework.shutdown_container +signal_container_process := data.framework.signal_container_process +get_properties := data.framework.get_properties +dump_stacks := data.framework.dump_stacks +runtime_logging := data.framework.runtime_logging +load_fragment := data.framework.load_fragment +scratch_mount := data.framework.scratch_mount +mount_cims := data.framework.mount_cims + +reason := {"errors": data.framework.errors} \ No newline at end of file diff --git a/src/confcom/azext_confcom/data/internal_config.json b/src/confcom/azext_confcom/data/internal_config.json index 9a87356e721..9df4fbcd70e 100644 --- a/src/confcom/azext_confcom/data/internal_config.json +++ b/src/confcom/azext_confcom/data/internal_config.json 
@@ -4,7 +4,7 @@ "maxVersion": "1.0.0", "minVersion": "0.0.1" }, - "version_api": "0.10.0", + "version_api": "0.11.0", "openGCS": { "environmentVariables": [ { @@ -193,6 +193,29 @@ "allowCapabilityDropping": true, "allowUnencryptedScratch": false }, + "debugModeWindows": { + "environmentVariables": [ + { + "name": ".+", + "value": ".+", + "strategy": "re2", + "required": false + } + ], + "execProcesses": [ + { + "command": [ + "cmd.exe" + ], + "signals": [], + "allow_stdio_access": true + } + ], + "allowPropertiesAccess": true, + "allowDumpStacks": true, + "allowRuntimeLogging": true, + "allowEnvironmentVariableDropping": true + }, "containerd": { "defaultWorkingDir": "/" }, diff --git a/src/confcom/azext_confcom/docs/policy_enforcement_points.md b/src/confcom/azext_confcom/docs/policy_enforcement_points.md index 9ce26f93b4a..52195b8717b 100644 --- a/src/confcom/azext_confcom/docs/policy_enforcement_points.md +++ b/src/confcom/azext_confcom/docs/policy_enforcement_points.md @@ -38,7 +38,7 @@ package mypolicy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.1.0" fragments := [...] @@ -71,6 +71,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} ``` diff --git a/src/confcom/azext_confcom/lib/containers.py b/src/confcom/azext_confcom/lib/containers.py index 4a0523ff3f0..586dbc4e55e 100644 --- a/src/confcom/azext_confcom/lib/containers.py +++ b/src/confcom/azext_confcom/lib/containers.py 
@@ -3,8 +3,9 @@ # Licensed under the MIT License. See License.txt in the project root for license information. # -------------------------------------------------------------------------------------------- + from dataclasses import asdict -from azext_confcom.lib.images import get_image_layers, get_image_config +from azext_confcom.lib.images import get_image_layers, get_image_config, get_image_platform # pylint: disable=unused-import from azext_confcom.lib.platform import ACI_MOUNTS, VN2_MOUNTS @@ -35,17 +36,18 @@ def merge_containers(*args) -> dict: return merged_container -def from_image(image: str, platform: str) -> dict: +def from_image(image: str, aci_or_vn2: str, platform: str = "linux/amd64") -> dict: mounts = { "aci": [asdict(mount) for mount in ACI_MOUNTS], "vn2": VN2_MOUNTS, - }.get(platform, None) + }.get(aci_or_vn2, None) return { "id": image, "name": image, - "layers": get_image_layers(image), + "layers": get_image_layers(image, platform=platform), + "platform": platform, **({"mounts": mounts} if mounts else {}), **get_image_config(image), } diff --git a/src/confcom/azext_confcom/lib/defaults.py b/src/confcom/azext_confcom/lib/defaults.py new file mode 100644 index 00000000000..8a381cb3d2e --- /dev/null +++ b/src/confcom/azext_confcom/lib/defaults.py @@ -0,0 +1,13 @@ +from azext_confcom import config + + +def get_debug_mode_exec_procs(debug_mode: bool, platform: str) -> list: + + if not debug_mode: + return [] + + if platform.startswith("linux"): + return config.DEBUG_MODE_SETTINGS.get(config.ACI_FIELD_CONTAINERS_EXEC_PROCESSES) + if platform.startswith("windows"): + return config.DEBUG_MODE_SETTINGS_WINDOWS.get(config.ACI_FIELD_CONTAINERS_EXEC_PROCESSES) + raise ValueError(f"Unsupported platform for debug mode settings: {platform}") diff --git a/src/confcom/azext_confcom/lib/images.py b/src/confcom/azext_confcom/lib/images.py index 810c12ae259..63d1259b64f 100644 --- a/src/confcom/azext_confcom/lib/images.py 
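Review bot: In `from_image`, the layer hashes are computed for the requested `platform` but `get_image_config(image)` is still called without it, so for a multi-platform image the config (command, env, user) may describe a different platform than the layers; `get_image_config` is not shown here, so confirm which image it inspects. The function also needs a docstring separating its two similarly named inputs, for example `"""Build a container definition; aci_or_vn2 selects the mount set, platform the OS/arch used for layer hashing."""`.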
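Review bot: `get_debug_mode_exec_procs` returns the list object stored in `config.DEBUG_MODE_SETTINGS` / `config.DEBUG_MODE_SETTINGS_WINDOWS` itself, so a caller that appends to or edits the result changes the module-level debug settings for every later policy built in the same process. Returning a copy, `return copy.deepcopy(config.DEBUG_MODE_SETTINGS.get(config.ACI_FIELD_CONTAINERS_EXEC_PROCESSES) or [])` (with `import copy`), also covers the case where `.get` returns None despite the `-> list` annotation. The new file lacks the licence header that the neighbouring modules carry, and the function has no docstring.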
+++ b/src/confcom/azext_confcom/lib/images.py @@ -13,6 +13,26 @@ logger = logging.getLogger(__name__) +SUPPORTED_PLATFORMS = [ + "linux/amd64", + "windows/amd64", +] + + +@functools.lru_cache() +def pull_image(image_reference: str) -> docker.models.images.Image: + client = docker.from_env() + + for platform in SUPPORTED_PLATFORMS: + try: + image = client.images.pull(image_reference, platform=platform) + return image + except (docker.errors.ImageNotFound, docker.errors.NotFound): + continue + + raise ValueError(f"Image '{image_reference}' not found for any supported platform: {SUPPORTED_PLATFORMS}") + + @functools.lru_cache() def get_image(image_ref: str) -> docker.models.images.Image: @@ -27,13 +47,27 @@ def get_image(image_ref: str) -> docker.models.images.Image: return image -def get_image_layers(image: str) -> list[str]: +def get_image_platform(image_reference: str) -> str: + """Return the platform of the pulled image (e.g. 'linux/amd64').""" + return "/".join([ + pull_image(image_reference).attrs['Os'], + pull_image(image_reference).attrs['Architecture'] + ]) + + +def get_image_layers(image: str, platform: str = "linux/amd64") -> list[str]: binary_path = Path(__file__).parent.parent / "bin" / "dmverity-vhd" get_image(image) + + arg_list = [binary_path.as_posix(), "-d", "roothash", "-i", image] + + if platform: + arg_list += ["--platform", platform] + result = subprocess.run( - [binary_path.as_posix(), "-d", "roothash", "-i", image], + arg_list, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, check=True, diff --git a/src/confcom/azext_confcom/lib/policy.py b/src/confcom/azext_confcom/lib/policy.py index 748ed55d0ff..2de1610dc00 100644 --- a/src/confcom/azext_confcom/lib/policy.py +++ b/src/confcom/azext_confcom/lib/policy.py 
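Review bot: `pull_image` ignores the platform the user asked for: it walks `SUPPORTED_PLATFORMS` in order and returns the first pull that succeeds, so for a multi-platform image `get_image_platform` will report `linux/amd64` even when the policy is being generated with `--platform windows/amd64`. Only `ImageNotFound`/`NotFound` are caught, so any other Docker API error on the first platform aborts the loop instead of trying the next one; whether the daemon raises such an error in the non-matching container mode is worth testing. Consider taking the platform as a parameter, `def pull_image(image_reference: str, platform: str)`, and pulling exactly that. In `get_image_layers`, `if platform:` is always true with the default, whereas `get_policy_image_layers` in rootfs_proxy.py passes `--platform` only for Windows; one convention should be used.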
@@ -106,7 +106,7 @@ class Container: @dataclass class Policy: package: str = "policy" - api_version: str = "0.10.0" + api_version: str = "0.11.0" framework_version: str = "0.2.3" fragments: List[FragmentReference] = OrderlessField(default_factory=list) containers: List[Container] = OrderlessField(default_factory=list) diff --git a/src/confcom/azext_confcom/lib/serialization.py b/src/confcom/azext_confcom/lib/serialization.py index 7702bfef8ba..7e41cff884b 100644 --- a/src/confcom/azext_confcom/lib/serialization.py +++ b/src/confcom/azext_confcom/lib/serialization.py @@ -53,6 +53,7 @@ def policy_serialize(policy: Union[Policy, Fragment]): load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {{"errors": data.framework.errors}} """) diff --git a/src/confcom/azext_confcom/rootfs_proxy.py b/src/confcom/azext_confcom/rootfs_proxy.py index f41dbd8f008..b72f6793b5d 100644 --- a/src/confcom/azext_confcom/rootfs_proxy.py +++ b/src/confcom/azext_confcom/rootfs_proxy.py @@ -5,12 +5,13 @@ import hashlib +import json import os import platform import stat import subprocess import sys -from typing import List +from typing import List, Dict import requests from azext_confcom.errors import eprint 
@@ -27,13 +28,13 @@ _dmverity_vhd_binaries = { "Linux": { "path": _binaries_dir / "dmverity-vhd", - "url": "https://github.com/microsoft/integrity-vhd/releases/download/v1.6/dmverity-vhd", - "sha256": "b8cf3fa3594e48070a31aa538d5b4b40d5b33b8ac18bc25a1816245159648fb0", + "url": "https://github.com/microsoft/integrity-vhd/releases/download/v2.0/dmverity-vhd", + "sha256": "e7ad858fef018acd7d8a4ccb74f1b7a9cc1b3d6db5a7f8da5a259f71b26c12ea", }, "Windows": { "path": _binaries_dir / "dmverity-vhd.exe", - "url": "https://github.com/microsoft/integrity-vhd/releases/download/v1.6/dmverity-vhd.exe", - "sha256": "ca0f95d798323f3ef26feb036112be9019f5ceaa6233ee2a65218d5a143ae474", + "url": "https://github.com/microsoft/integrity-vhd/releases/download/v2.0/dmverity-vhd.exe", + "sha256": "6ef425c4bd07739d9cc90e57488985c1fca41f8d106fc816123b95b6305ee0af", }, } @@ -84,13 +85,14 @@ def __init__(self): st = os.stat(self.policy_bin) os.chmod(self.policy_bin, st.st_mode | stat.S_IXUSR) - def get_policy_image_layers( + def get_policy_image_layers( # pylint: disable=redefined-outer-name self, image: str, tag: str, + platform: str = "linux/amd64", tar_location: str = "", faster_hashing=False - ) -> List[str]: + ) -> Dict[str, List[str]]: image_name = f"{image}:{tag}" # populate layer info if self.layer_cache.get(image_name): @@ -115,13 +117,16 @@ def get_policy_image_layers( # add the image to the end of the parameter list arg_list += ["roothash", "-i", f"{image_name}"] + if platform.startswith("windows"): + arg_list += ["--platform", platform] + item = subprocess.run( arg_list, capture_output=True, check=False, ) - output = [] + result = {} if item.returncode != 0: if item.stderr.decode("utf-8") != "" and item.stderr.decode("utf-8") is not None: logger.warning(item.stderr.decode("utf-8")) 
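Review bot: The new `platform` parameter of `get_policy_image_layers` is inserted before `tar_location`, so any caller that passes the tar path positionally as the third argument now silently supplies it as the platform; adding it after `faster_hashing`, or making the trailing parameters keyword-only with `*,`, avoids that. The name also shadows the `platform` module imported at the top of the file (hence the pylint disable), so any use of that module inside this method would break; a name such as `target_platform` removes the need for the suppression, at the cost of updating the keyword in security_policy.py. `self.layer_cache` is still keyed by `image_name` alone, so hashes cached for one platform would be returned for another if a proxy instance were reused. The method body runs beyond these hunks.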
@@ -133,13 +138,29 @@ def get_policy_image_layers( ) sys.exit(item.returncode) elif len(item.stdout) > 0: - output = item.stdout.decode("utf8").strip("\n").split("\n") - output = [i.split(": ", 1)[1] for i in output if len(i.split(": ", 1)) > 1] + stdout_str = item.stdout.decode("utf8").strip() + + # Try parsing as JSON (both Linux and Windows now output JSON) + if stdout_str.startswith("{"): + try: + json_output = json.loads(stdout_str) + result["layers"] = json_output.get("layers", []) + # mounted_cim is only present for Windows + if "mounted_cim" in json_output: + result["mounted_cim"] = json_output["mounted_cim"] + except json.JSONDecodeError as e: + logger.error("Failed to parse JSON output: %s", e) + sys.exit(1) + else: + # Fallback: line-by-line parsing for older dmverity-vhd versions + lines = stdout_str.split("\n") + layers = [i.split(": ", 1)[1] for i in lines if len(i.split(": ", 1)) > 1] + result["layers"] = layers else: eprint( "Could not get layer hashes" ) - # cache output layers - self.layer_cache[image_name] = output - return output + # cache output + self.layer_cache[image_name] = result + return result diff --git a/src/confcom/azext_confcom/sample_policy.md b/src/confcom/azext_confcom/sample_policy.md index a2d9c6032e8..79001b4a6ab 100644 --- a/src/confcom/azext_confcom/sample_policy.md +++ b/src/confcom/azext_confcom/sample_policy.md @@ -103,6 +103,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/azext_confcom/security_policy.py b/src/confcom/azext_confcom/security_policy.py index bbecbf528b2..83e0bcc4e9b 100644 --- a/src/confcom/azext_confcom/security_policy.py +++ b/src/confcom/azext_confcom/security_policy.py 
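Review bot: The JSON branch accepts whatever the binary prints: `json_output.get("layers", [])` turns a missing or misnamed `layers` key into an empty list, and nothing checks that `layers` is a non-empty list of strings or that `mounted_cim` is present when the platform is Windows. Because these hashes are the integrity anchor of the generated policy, the parser should fail closed, e.g. `if not isinstance(json_output.get("layers"), list) or not json_output["layers"]: eprint("dmverity-vhd returned no layer hashes")`. Unless `eprint` terminates the process, the empty result from the "Could not get layer hashes" path is also returned to `populate_policy_content_for_all_images`, which calls `image.set_layers(layer_info.get("layers", []))` without complaint. The function starts outside this hunk.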
@@ -41,7 +41,10 @@ process_fragment_imports, process_mounts, process_mounts_from_config, - readable_diff) + readable_diff, + find_value_in_params_and_vars) +from azext_confcom.lib.images import get_image_platform # pylint: disable=unused-import +from azext_confcom.lib.defaults import get_debug_mode_exec_procs from knack.log import get_logger from tqdm import tqdm @@ -70,6 +73,7 @@ def __init__( container_definitions: Optional[list] = None, ) -> None: self._rootfs_proxy = None + self._platform = None self._policy_str = None self._policy_str_pp = None self._disable_stdio = disable_stdio @@ -141,6 +145,13 @@ def __init__( # parse and generate each container, either user or sidecar for c in containers: + + image_platform = c.get("platform", "linux/amd64") + if self._platform is None: + self._platform = image_platform + else: + assert self._platform == image_platform, "All images must have the same platform" + if not is_sidecar(c[config.POLICY_FIELD_CONTAINERS_ID]): container_image = UserContainerImage.from_json(c, is_vn2=is_vn2) else: @@ -148,6 +159,10 @@ def __init__( container_image.parse_all_parameters_and_variables(self.all_params, self.all_vars) container_results.append(container_image) + # Default platform if no containers were present to set it + if self._platform is None: + self._platform = "linux/amd64" + self._images = container_results def __enter__(self) -> Any: 
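Review bot: `assert self._platform == image_platform, "All images must have the same platform"` validates user-supplied container definitions with an `assert`, which is removed when Python runs with `-O` and otherwise surfaces as a bare AssertionError. Use an explicit check instead, `if self._platform != image_platform: eprint(f'All images must have the same platform: "{self._platform}" vs "{image_platform}"')`. `image_platform` is also never compared with the supported values here, so a typo in a container's `platform` field only shows up later in the pipeline.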
@@ -212,17 +227,29 @@ def _add_rego_boilerplate(self, output: str) -> str: # get rid of fields that aren't strictly needed for the fragment import sanitized_fragments = sanitize_fragment_fields(self.get_fragments()) - return config.CUSTOMER_REGO_POLICY % ( - pretty_print_func(self._api_version), - pretty_print_func(sanitized_fragments), - output, - pretty_print_func(self._allow_properties_access), - pretty_print_func(self._allow_dump_stacks), - pretty_print_func(self._allow_runtime_logging), - pretty_print_func(self._allow_environment_variable_dropping), - pretty_print_func(self._allow_unencrypted_scratch), - pretty_print_func(self._allow_capability_dropping), - ) + + if self._platform.startswith("linux"): + return config.CUSTOMER_REGO_POLICY % ( + pretty_print_func(self._api_version), + pretty_print_func(sanitized_fragments), + output, + pretty_print_func(self._allow_properties_access), + pretty_print_func(self._allow_dump_stacks), + pretty_print_func(self._allow_runtime_logging), + pretty_print_func(self._allow_environment_variable_dropping), + pretty_print_func(self._allow_unencrypted_scratch), + pretty_print_func(self._allow_capability_dropping), + ) + if self._platform.startswith("windows"): + return config.CUSTOMER_REGO_POLICY_WINDOWS % ( + pretty_print_func(self._api_version), + pretty_print_func(sanitized_fragments), + output, + pretty_print_func(self._allow_properties_access), + pretty_print_func(self._allow_dump_stacks), + pretty_print_func(self._allow_runtime_logging), + pretty_print_func(self._allow_environment_variable_dropping), + ) def validate_cce_policy(self) -> Tuple[bool, Dict]: """Utility method: check to see if the existing policy 
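Review bot: The two branches of `_add_rego_boilerplate` repeat the same seven `pretty_print_func(...)` arguments, which makes it easy for the Linux and Windows templates to drift apart; building the shared tuple once and appending the two Linux-only values keeps them aligned. The Windows branch also needs a comment saying why `allow_unencrypted_scratch` and `allow_capability_dropping` are not emitted, for example `# customer_rego_policy_windows.txt has no unencrypted-scratch or capability-dropping settings`. The function starts before the hunk.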
@@ -258,7 +285,7 @@ def validate_sidecars(self) -> Tuple[bool, Dict]: if len(policy_ids) == 0: eprint("No sidecar images found in the policy.") - policy = load_policy_from_image_name(policy_ids) + policy = load_policy_from_image_name(policy_ids, platform=self._platform or "linux/amd64") policy.populate_policy_content_for_all_images(individual_image=True) policy_str = self.get_serialized_output( @@ -406,7 +433,8 @@ def _policy_serialization(self, pretty_print=False, include_sidecars: bool = Tru policy.append(image_dict) if (not is_sidecars or len(regular_container_images) == 0) and include_sidecars: # add in the default containers that have their hashes pre-computed - policy += copy.deepcopy(config.DEFAULT_CONTAINERS) + if self._platform.startswith("linux"): + policy += copy.deepcopy(config.DEFAULT_CONTAINERS) if self._disable_stdio: for container in policy: container[config.POLICY_FIELD_CONTAINERS_ELEMENTS_ALLOW_STDIO_ACCESS] = False @@ -574,9 +602,17 @@ def populate_policy_content_for_all_images( if isinstance(tar_mapping, dict): tar_location = get_tar_location_from_mapping(tar_mapping, image_name) # populate layer info - image.set_layers(proxy.get_policy_image_layers( - image.base, image.tag, tar_location=tar_location if tar else "", faster_hashing=faster_hashing - )) + layer_info = proxy.get_policy_image_layers( + image.base, + image.tag, + platform=self._platform, + tar_location=tar_location if tar else "", + faster_hashing=faster_hashing, + ) + image.set_layers(layer_info.get("layers", [])) + # Set mounted_cim for Windows containers + if "mounted_cim" in layer_info: + image.set_mounted_cim(layer_info["mounted_cim"]) progress.update() progress.close() 
@@ -634,6 +670,60 @@ def set_images(self, images: List[ContainerImage]) -> None: self._images = images +def validate_image_platform(image_name: str, platform: str) -> None: + """Validate that the image's platform matches --platform. + + Checks the local Docker image first, then attempts to pull with the + specified platform if not found locally. Verifies the image's + Os/Architecture attrs match the requested platform. + """ + import docker as docker_module + try: + client = docker_module.from_env() + except docker_module.errors.DockerException: + eprint("Docker is not running. Please start Docker.") + return + + image = None + + # Try local image first + try: + image = client.images.get(image_name) + except (docker_module.errors.ImageNotFound, docker_module.errors.NullResource): + pass + + # If not local, try pulling with the specified platform + if image is None: + try: + image = client.images.pull(image_name, platform=platform) + except (docker_module.errors.ImageNotFound, docker_module.errors.NotFound): + eprint( + f'Image "{image_name}" is not found. ' + f'Please check the image name and repository.' + ) + except docker_module.errors.APIError as e: + error_msg = str(e).lower() + if "not supported" in error_msg or "no matching manifest" in error_msg: + eprint( + f'Image "{image_name}" could not be pulled for platform "{platform}". ' + f'Docker Desktop must be in the correct container mode ' + f'(Linux containers for linux/amd64, ' + f'Windows containers for windows/amd64).' + ) + else: + eprint( + f'Image "{image_name}" could not be pulled for platform ' + f'"{platform}": {e}' + ) + + detected = f"{image.attrs.get('Os')}/{image.attrs.get('Architecture')}" + if detected != platform: + eprint( + f'Image "{image_name}" has platform "{detected}", ' + f'which does not match the specified platform "{platform}".' + ) + + # pylint: disable=R0914, def load_policy_from_arm_template_str( template_data: str, 
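Review bot: After a failed pull, `validate_image_platform` still reaches `image.attrs.get('Os')` with `image` set to `None`, because the three `eprint` branches inside the pull `try` have no `return`, unlike the "Docker is not running" branch. That is only safe if `eprint` always terminates the process, which the tests changed in this commit suggest but this hunk does not show. Add an explicit check before the comparison, `if image is None:`, and make that path fail rather than return quietly, so an image that could not be inspected is never treated as validated. The docstring should also state that the function may pull the image from the registry and that it reports problems through `eprint` rather than a return value.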
@@ -646,6 +736,7 @@ def load_policy_from_arm_template_str( rego_imports: Any = None, fragment_contents: Any = None, exclude_default_fragments: bool = False, + platform: str = "linux/amd64", ) -> List[AciPolicy]: """Function that converts ARM template string to an ACI Policy""" input_arm_json = os_util.load_json_from_str(template_data) @@ -683,7 +774,8 @@ def load_policy_from_arm_template_str( get_values_for_params(input_parameter_json, all_params) AciPolicy.all_params = all_params - AciPolicy.all_vars = case_insensitive_dict_get(input_arm_json, config.ACI_FIELD_TEMPLATE_VARIABLES) or {} + all_vars = case_insensitive_dict_get(input_arm_json, config.ACI_FIELD_TEMPLATE_VARIABLES) or {} + AciPolicy.all_vars = all_vars container_groups = [] @@ -704,6 +796,18 @@ def load_policy_from_arm_template_str( container_group_properties = case_insensitive_dict_get( resource, config.ACI_FIELD_TEMPLATE_PROPERTIES ) + + # Validate that osType in the ARM template matches the specified platform + os_type = case_insensitive_dict_get(container_group_properties, "osType") + if os_type: + expected_os = "linux" if platform.startswith("linux") else "windows" + if os_type.lower() != expected_os: + eprint( + f'ARM template osType "{os_type}" does not match ' + f'the supplied platform "{platform}". ' + f'Please use --platform to specify a consistent platform.' + ) + container_list = case_insensitive_dict_get( container_group_properties, config.ACI_FIELD_TEMPLATE_CONTAINERS ) 
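Review bot: The osType check in the third hunk compares the raw template value, `os_type.lower() != expected_os`, while the image name later in this function is passed through `find_value_in_params_and_vars` before it is validated. If `osType` is supplied as a template expression (a parameter or variable reference), the comparison would report a mismatch for a consistent template, and a non-string value would fail on `.lower()`; resolving it the same way first avoids both. `expected_os` also maps every platform that does not start with "linux" to "windows", so an unrecognised `--platform` value is checked as Windows. When `osType` is absent no check runs at all, which deserves a comment stating the default that is assumed. The function body extends beyond this hunk.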
@@ -781,6 +885,10 @@ def load_policy_from_arm_template_str( f'Field ["{config.ACI_FIELD_TEMPLATE_IMAGE}"] is empty or cannot be found' ) + # Resolve ARM parameters/variables to get the real image name for validation + resolved_image = find_value_in_params_and_vars(all_params, all_vars, image_name) + validate_image_platform(resolved_image, platform) + exec_processes = [] extract_probe(exec_processes, image_properties, config.ACI_FIELD_CONTAINERS_READINESS_PROBE) extract_probe(exec_processes, image_properties, config.ACI_FIELD_CONTAINERS_LIVENESS_PROBE) @@ -798,15 +906,15 @@ def load_policy_from_arm_template_str( or [], config.ACI_FIELD_CONTAINERS_MOUNTS: process_mounts(image_properties, volumes) + process_configmap(image_properties), - config.ACI_FIELD_CONTAINERS_EXEC_PROCESSES: exec_processes - + config.DEBUG_MODE_SETTINGS.get(config.ACI_FIELD_CONTAINERS_EXEC_PROCESSES) - if debug_mode - else exec_processes, + config.ACI_FIELD_CONTAINERS_EXEC_PROCESSES: ( + exec_processes + get_debug_mode_exec_procs(debug_mode, platform) + ), config.ACI_FIELD_CONTAINERS_SIGNAL_CONTAINER_PROCESSES: [], config.ACI_FIELD_CONTAINERS_ALLOW_STDIO_ACCESS: not disable_stdio, config.ACI_FIELD_CONTAINERS_SECURITY_CONTEXT: case_insensitive_dict_get( image_properties, config.ACI_FIELD_TEMPLATE_SECURITY_CONTEXT ), + "platform": platform, } ) @@ -839,6 +947,7 @@ def load_policy_from_arm_template_file( rego_imports: list = None, fragment_contents: list = None, exclude_default_fragments: bool = False, + platform: str = "linux/amd64", ) -> List[AciPolicy]: """Utility function: generate policy object from given arm template and parameter file paths""" input_arm_json = os_util.load_str_from_file(template_path) 
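Review bot: `validate_image_platform(resolved_image, platform)` makes loading an ARM template depend on a running Docker daemon and, for images that are not present locally, on a registry pull, before any layer hashing has been requested. The `populate_policy_content_for_all_images` hunk shows a `tar_location` path for images supplied as tarballs; such runs would presumably now stop at "Docker is not running" or pull an image the user meant to read from disk. Consider skipping or deferring the check when a tar mapping is in use, and add a comment at the call site saying that loading now has this side effect. The same call is added in `load_policy_from_image_name`, `load_policy_from_json` and `load_policy_from_virtual_node_yaml_str`. The enclosing function starts and ends outside this hunk.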
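Review bot: The container dict gains its new key as a bare string, `"platform": platform`, while every other key in the literal comes from a `config.ACI_FIELD_...` constant. The same literal is repeated in `load_policy_from_image_name`, `load_policy_from_json` and `load_policy_from_virtual_node_yaml_str`, so a typo at one site would silently drop the platform for that input type. Define the field name once in `config` next to the other container field names and use it at all four sites. The dict is built inside a function that extends beyond this hunk.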
@@ -856,11 +965,13 @@ def load_policy_from_arm_template_file( diff_mode=diff_mode, fragment_contents=fragment_contents, exclude_default_fragments=exclude_default_fragments, + platform=platform, ) def load_policy_from_image_name( - image_names: Union[List[str], str], debug_mode: bool = False, disable_stdio: bool = False + image_names: Union[List[str], str], debug_mode: bool = False, disable_stdio: bool = False, + platform: str = "linux/amd64", ) -> AciPolicy: # can either take a list of image names or a single image name if isinstance(image_names, str): @@ -868,6 +979,8 @@ def load_policy_from_image_name( containers = [] for image_name in image_names: + validate_image_platform(image_name, platform) + container = {} # assign just the fields that are expected # the values will come when calling @@ -882,6 +995,8 @@ def load_policy_from_image_name( container[config.ACI_FIELD_CONTAINERS_CONTAINERIMAGE] = image_name container[config.ACI_FIELD_CONTAINERS_ALLOW_STDIO_ACCESS] = not disable_stdio + container["platform"] = platform + containers.append(container) return AciPolicy( @@ -900,6 +1015,7 @@ def load_policy_from_json_file( disable_stdio: bool = False, infrastructure_svn: str = None, exclude_default_fragments: bool = False, + platform: str = "linux/amd64", ) -> AciPolicy: json_content = os_util.load_str_from_file(data) return load_policy_from_json( @@ -907,7 +1023,8 @@ def load_policy_from_json_file( debug_mode=debug_mode, disable_stdio=disable_stdio, infrastructure_svn=infrastructure_svn, - exclude_default_fragments=exclude_default_fragments + exclude_default_fragments=exclude_default_fragments, + platform=platform, ) @@ -917,6 +1034,7 @@ def load_policy_from_json( disable_stdio: bool = False, infrastructure_svn: str = None, exclude_default_fragments: bool = False, + platform: str = "linux/amd64", ) -> AciPolicy: output_containers = [] # 1) Parse incoming string as JSON 
@@ -980,6 +1098,8 @@ def load_policy_from_json( f'Field ["{config.ACI_FIELD_TEMPLATE_IMAGE}"] is empty or cannot be found' ) + validate_image_platform(image_name, platform) + container_name = case_insensitive_dict_get( container, config.ACI_FIELD_CONTAINERS_NAME ) or image_name @@ -1036,15 +1156,15 @@ def load_policy_from_json( container_properties, config.ACI_FIELD_TEMPLATE_COMMAND ) or [], config.ACI_FIELD_CONTAINERS_MOUNTS: mounts, - config.ACI_FIELD_CONTAINERS_EXEC_PROCESSES: exec_processes - + config.DEBUG_MODE_SETTINGS.get(config.ACI_FIELD_CONTAINERS_EXEC_PROCESSES) - if debug_mode - else exec_processes, + config.ACI_FIELD_CONTAINERS_EXEC_PROCESSES: ( + exec_processes + get_debug_mode_exec_procs(debug_mode, platform) + ), config.ACI_FIELD_CONTAINERS_SIGNAL_CONTAINER_PROCESSES: [], config.ACI_FIELD_CONTAINERS_ALLOW_STDIO_ACCESS: not disable_stdio, config.ACI_FIELD_CONTAINERS_SECURITY_CONTEXT: case_insensitive_dict_get( container_properties, config.ACI_FIELD_TEMPLATE_SECURITY_CONTEXT ), + "platform": platform, } ) @@ -1082,6 +1202,7 @@ def load_policy_from_virtual_node_yaml_file( exclude_default_fragments: bool = False, fragment_contents: list = None, infrastructure_svn: str = None, + platform: str = "linux/amd64", ) -> List[AciPolicy]: yaml_contents_str = os_util.load_str_from_file(virtual_node_yaml_path) return load_policy_from_virtual_node_yaml_str( @@ -1094,6 +1215,7 @@ def load_policy_from_virtual_node_yaml_file( exclude_default_fragments=exclude_default_fragments, fragment_contents=fragment_contents, infrastructure_svn=infrastructure_svn, + platform=platform, ) @@ -1108,6 +1230,7 @@ def load_policy_from_virtual_node_yaml_str( exclude_default_fragments: bool = False, fragment_contents: Any = None, infrastructure_svn: str = None, + platform: str = "linux/amd64", ) -> List[AciPolicy]: """ Load a virtual node yaml file and generate a policy object 
@@ -1190,6 +1313,8 @@ def load_policy_from_virtual_node_yaml_str( if not image: eprint("Container does not have an image field") + validate_image_platform(image, platform) + # env vars envs = process_env_vars_from_yaml( container, @@ -1306,13 +1431,13 @@ def load_policy_from_virtual_node_yaml_str( config.ACI_FIELD_TEMPLATE_ENTRYPOINT: command, config.ACI_FIELD_CONTAINERS_COMMAND: args, config.ACI_FIELD_CONTAINERS_MOUNTS: mounts, - config.ACI_FIELD_CONTAINERS_EXEC_PROCESSES: exec_processes - + config.DEBUG_MODE_SETTINGS.get(config.ACI_FIELD_CONTAINERS_EXEC_PROCESSES) - if debug_mode - else exec_processes, + config.ACI_FIELD_CONTAINERS_EXEC_PROCESSES: ( + exec_processes + get_debug_mode_exec_procs(debug_mode, platform) + ), config.ACI_FIELD_CONTAINERS_SIGNAL_CONTAINER_PROCESSES: [], config.ACI_FIELD_CONTAINERS_ALLOW_STDIO_ACCESS: not disable_stdio, - config.ACI_FIELD_CONTAINERS_SECURITY_CONTEXT: security_context + config.ACI_FIELD_CONTAINERS_SECURITY_CONTEXT: security_context, + "platform": platform, } ) all_policies.append( diff --git a/src/confcom/azext_confcom/template_util.py b/src/confcom/azext_confcom/template_util.py index 5615ba5a15b..d4ebe73c886 100644 --- a/src/confcom/azext_confcom/template_util.py +++ b/src/confcom/azext_confcom/template_util.py @@ -130,7 +130,10 @@ def get_image_info(progress, message_queue, tar_mapping, image): try: client = DockerClient().get_client() raw_image = client.images.get(image_name) - image_info = raw_image.attrs.get("Config") + image_info = { + "platform": "/".join([raw_image.attrs.get("Os"), raw_image.attrs.get("Architecture")]), + **raw_image.attrs.get("Config") + } message_queue.append( f"Using local version of {image_name}. It may differ from the remote image" ) 
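Review bot: In the `get_image_info` hunk of template_util.py, `"/".join([raw_image.attrs.get("Os"), raw_image.attrs.get("Architecture")])` raises `TypeError` if either attribute is missing, and `**raw_image.attrs.get("Config")` does the same when the image has no Config; `validate_image_platform` formats the same two attributes with an f-string that tolerates `None`. Any "platform" key inside Config would also overwrite the computed value, because the spread comes last. Building the dict in one small helper, with `attrs.get("Config") or {}` and the "platform" entry placed after the spread, would address both, and the identical expression is repeated in the pull branch of the next hunk. The `try` block continues outside this hunk, so which exceptions are handled here is not visible.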
@@ -149,8 +152,18 @@ def get_image_info(progress, message_queue, tar_mapping, image): # pull image to local daemon (if not in local # daemon) if not raw_image: - raw_image = client.images.pull(image_name) - image_info = raw_image.attrs.get("Config") + for platform in ["linux/amd64", "windows/amd64"]: + try: + raw_image = client.images.pull(image_name, platform=platform) + break + except (docker.errors.ImageNotFound, docker.errors.NotFound): + continue + if raw_image is None: + raise docker.errors.ImageNotFound(image_name) + image_info = { + "platform": "/".join([raw_image.attrs.get("Os"), raw_image.attrs.get("Architecture")]), + **raw_image.attrs.get("Config") + } except (docker.errors.ImageNotFound, docker.errors.NotFound): progress.close() eprint( diff --git a/src/confcom/azext_confcom/tests/latest/test_confcom_containers_from_image.py b/src/confcom/azext_confcom/tests/latest/test_confcom_containers_from_image.py index ff94812c09f..f02d72a9b72 100644 --- a/src/confcom/azext_confcom/tests/latest/test_confcom_containers_from_image.py +++ b/src/confcom/azext_confcom/tests/latest/test_confcom_containers_from_image.py @@ -59,7 +59,7 @@ def test_containers_from_image(sample_directory: str, platform: str): with redirect_stdout(buffer): containers_from_image( image=f"confcom_test_{sample_directory.name}", - platform=platform, + aci_or_vn2=platform, ) actual_container_def = json.loads(buffer.getvalue()) diff --git a/src/confcom/azext_confcom/tests/latest/test_confcom_image.py b/src/confcom/azext_confcom/tests/latest/test_confcom_image.py index 9b95e82cc6d..d034a5c9e70 100644 --- a/src/confcom/azext_confcom/tests/latest/test_confcom_image.py +++ b/src/confcom/azext_confcom/tests/latest/test_confcom_image.py 
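Review bot: The fallback loop `for platform in ["linux/amd64", "windows/amd64"]` ignores the platform the user asked for and catches only `ImageNotFound`/`NotFound`. `validate_image_platform` in this same commit treats a wrong-platform pull as a general `APIError` ("no matching manifest" / "not supported"), so that error from the linux attempt would leave the loop before windows/amd64 is tried. For a multi-platform tag the loop also always takes the linux variant first, so `image_info` could describe a different image than the one whose layers are hashed for the policy. Passing the requested platform into this pull, rather than guessing, removes both problems. The function starts above this hunk and its visible signature has no platform parameter, so the value probably has to be carried on `image`.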
@@ -89,10 +89,10 @@ def test_sidecar_image_policy(self): class PolicyGeneratingImageInvalid(unittest.TestCase): def test_invalid_image_policy(self): - policy = load_policy_from_image_name( - "mcr.microsoft.com/aci/fake-image:master_20201210.2" - ) with self.assertRaises(SystemExit) as exc_info: + policy = load_policy_from_image_name( + "mcr.microsoft.com/aci/fake-image:master_20201210.2" + ) policy.populate_policy_content_for_all_images(individual_image=True) self.assertEqual(exc_info.exception.code, 1) diff --git a/src/confcom/azext_confcom/tests/latest/test_confcom_scenario.py b/src/confcom/azext_confcom/tests/latest/test_confcom_scenario.py index c1a7049a318..8d4fc0ef7e2 100644 --- a/src/confcom/azext_confcom/tests/latest/test_confcom_scenario.py +++ b/src/confcom/azext_confcom/tests/latest/test_confcom_scenario.py @@ -796,10 +796,10 @@ def test_get_layers_from_not_exists_image(self): ] } """ - with load_policy_from_json(custom_json) as aci_policy: - with self.assertRaises(SystemExit) as exc_info: + with self.assertRaises(SystemExit) as exc_info: + with load_policy_from_json(custom_json) as aci_policy: aci_policy.populate_policy_content_for_all_images() - self.assertEqual(exc_info.exception.code, 1) + self.assertEqual(exc_info.exception.code, 1) def test_incorrect_allow_elevated_data_type(self): custom_json = """ diff --git a/src/confcom/samples/aci/command/policy.rego b/src/confcom/samples/aci/command/policy.rego index 0a8288ed727..5458cc68fa0 100644 --- a/src/confcom/samples/aci/command/policy.rego +++ b/src/confcom/samples/aci/command/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ 
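Review bot: With `load_policy_from_image_name(...)` moved inside `assertRaises(SystemExit)`, `test_invalid_image_policy` passes as soon as either call exits, and the following `populate_policy_content_for_all_images` line is probably never reached now that validation runs at load time. The `test_get_layers_from_not_exists_image` hunk in the scenario tests has the same shape. If the intent is to pin the new behaviour, drop the unreachable call and add a comment such as `# validate_image_platform exits before any layers are read`, so the test says which stage it is asserting. Both tests now also need a Docker daemon and registry access to reach the asserted exit, which is worth noting for CI.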
@@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/command/policy_debug.rego b/src/confcom/samples/aci/command/policy_debug.rego index 5726d4f6d31..e2fd4241d36 100644 --- a/src/confcom/samples/aci/command/policy_debug.rego +++ b/src/confcom/samples/aci/command/policy_debug.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/command/policy_disable_stdio.rego b/src/confcom/samples/aci/command/policy_disable_stdio.rego index c93faa1ea15..2bef0422b25 100644 --- a/src/confcom/samples/aci/command/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/command/policy_disable_stdio.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} 
diff --git a/src/confcom/samples/aci/command/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/command/policy_exclude_default_fragment.rego index ec1dd9acf8a..5dc73e916c6 100644 --- a/src/confcom/samples/aci/command/policy_exclude_default_fragment.rego +++ b/src/confcom/samples/aci/command/policy_exclude_default_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] @@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/command/policy_fragment.rego b/src/confcom/samples/aci/command/policy_fragment.rego index 70e92051fb0..dcf751eabb8 100644 --- a/src/confcom/samples/aci/command/policy_fragment.rego +++ b/src/confcom/samples/aci/command/policy_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/command/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/command/policy_fragment_plus_infrastructure_svn.rego index 38f5330d1e4..7c5d4ff3b9b 100644 --- a/src/confcom/samples/aci/command/policy_fragment_plus_infrastructure_svn.rego +++ b/src/confcom/samples/aci/command/policy_fragment_plus_infrastructure_svn.rego 
@@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/command/policy_infrastructure_svn.rego b/src/confcom/samples/aci/command/policy_infrastructure_svn.rego index a465b27eba7..e0b8b03ef0e 100644 --- a/src/confcom/samples/aci/command/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/command/policy_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/conflicting_variables/policy.rego b/src/confcom/samples/aci/conflicting_variables/policy.rego index 2564d1f4d7d..e501b01cee8 100644 --- a/src/confcom/samples/aci/conflicting_variables/policy.rego +++ b/src/confcom/samples/aci/conflicting_variables/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ 
@@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/conflicting_variables/policy_debug.rego b/src/confcom/samples/aci/conflicting_variables/policy_debug.rego index 37ecc10f214..b0526f3f5ad 100644 --- a/src/confcom/samples/aci/conflicting_variables/policy_debug.rego +++ b/src/confcom/samples/aci/conflicting_variables/policy_debug.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/conflicting_variables/policy_disable_stdio.rego b/src/confcom/samples/aci/conflicting_variables/policy_disable_stdio.rego index 9177bee6ae8..293f2bf6064 100644 --- a/src/confcom/samples/aci/conflicting_variables/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/conflicting_variables/policy_disable_stdio.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} 
diff --git a/src/confcom/samples/aci/conflicting_variables/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/conflicting_variables/policy_exclude_default_fragment.rego index 292d288f836..d2d5b3e8185 100644 --- a/src/confcom/samples/aci/conflicting_variables/policy_exclude_default_fragment.rego +++ b/src/confcom/samples/aci/conflicting_variables/policy_exclude_default_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] @@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/conflicting_variables/policy_fragment.rego b/src/confcom/samples/aci/conflicting_variables/policy_fragment.rego index da895107e92..dd7e5decea5 100644 --- a/src/confcom/samples/aci/conflicting_variables/policy_fragment.rego +++ b/src/confcom/samples/aci/conflicting_variables/policy_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/conflicting_variables/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/conflicting_variables/policy_fragment_plus_infrastructure_svn.rego index 5d2305ae9a2..4db0d2a66e9 100644 
--- a/src/confcom/samples/aci/conflicting_variables/policy_fragment_plus_infrastructure_svn.rego +++ b/src/confcom/samples/aci/conflicting_variables/policy_fragment_plus_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/conflicting_variables/policy_infrastructure_svn.rego b/src/confcom/samples/aci/conflicting_variables/policy_infrastructure_svn.rego index 8c07f4ee697..597926c4ce3 100644 --- a/src/confcom/samples/aci/conflicting_variables/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/conflicting_variables/policy_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/container_group_profiles/policy.rego b/src/confcom/samples/aci/container_group_profiles/policy.rego index 721ef3581f3..21412c6ea52 100644 --- a/src/confcom/samples/aci/container_group_profiles/policy.rego +++ b/src/confcom/samples/aci/container_group_profiles/policy.rego 
@@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/container_group_profiles/policy_debug.rego b/src/confcom/samples/aci/container_group_profiles/policy_debug.rego index f33fa7b46c8..50f08260507 100644 --- a/src/confcom/samples/aci/container_group_profiles/policy_debug.rego +++ b/src/confcom/samples/aci/container_group_profiles/policy_debug.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/container_group_profiles/policy_disable_stdio.rego b/src/confcom/samples/aci/container_group_profiles/policy_disable_stdio.rego index d4f5c46ce0c..e31e27260df 100644 --- a/src/confcom/samples/aci/container_group_profiles/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/container_group_profiles/policy_disable_stdio.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ 
@@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/container_group_profiles/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/container_group_profiles/policy_exclude_default_fragment.rego index 45eb05085e0..4b249bacdea 100644 --- a/src/confcom/samples/aci/container_group_profiles/policy_exclude_default_fragment.rego +++ b/src/confcom/samples/aci/container_group_profiles/policy_exclude_default_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] @@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/container_group_profiles/policy_fragment.rego b/src/confcom/samples/aci/container_group_profiles/policy_fragment.rego index d9ea7a4f5a6..301ffa0972f 100644 --- a/src/confcom/samples/aci/container_group_profiles/policy_fragment.rego +++ b/src/confcom/samples/aci/container_group_profiles/policy_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ 
@@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/container_group_profiles/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/container_group_profiles/policy_fragment_plus_infrastructure_svn.rego index 04642ec19de..a0b480a645a 100644 --- a/src/confcom/samples/aci/container_group_profiles/policy_fragment_plus_infrastructure_svn.rego +++ b/src/confcom/samples/aci/container_group_profiles/policy_fragment_plus_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/container_group_profiles/policy_infrastructure_svn.rego b/src/confcom/samples/aci/container_group_profiles/policy_infrastructure_svn.rego index 50a2f1e8e22..7fca73ff0dd 100644 --- a/src/confcom/samples/aci/container_group_profiles/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/container_group_profiles/policy_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ 
@@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/default_variables/policy.rego b/src/confcom/samples/aci/default_variables/policy.rego index 721ef3581f3..21412c6ea52 100644 --- a/src/confcom/samples/aci/default_variables/policy.rego +++ b/src/confcom/samples/aci/default_variables/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/default_variables/policy_debug.rego b/src/confcom/samples/aci/default_variables/policy_debug.rego index f33fa7b46c8..50f08260507 100644 --- a/src/confcom/samples/aci/default_variables/policy_debug.rego +++ b/src/confcom/samples/aci/default_variables/policy_debug.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} 
diff --git a/src/confcom/samples/aci/default_variables/policy_disable_stdio.rego b/src/confcom/samples/aci/default_variables/policy_disable_stdio.rego index d4f5c46ce0c..e31e27260df 100644 --- a/src/confcom/samples/aci/default_variables/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/default_variables/policy_disable_stdio.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/default_variables/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/default_variables/policy_exclude_default_fragment.rego index 45eb05085e0..4b249bacdea 100644 --- a/src/confcom/samples/aci/default_variables/policy_exclude_default_fragment.rego +++ b/src/confcom/samples/aci/default_variables/policy_exclude_default_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] @@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/default_variables/policy_fragment.rego b/src/confcom/samples/aci/default_variables/policy_fragment.rego index d9ea7a4f5a6..301ffa0972f 100644 --- a/src/confcom/samples/aci/default_variables/policy_fragment.rego 
+++ b/src/confcom/samples/aci/default_variables/policy_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/default_variables/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/default_variables/policy_fragment_plus_infrastructure_svn.rego index 04642ec19de..a0b480a645a 100644 --- a/src/confcom/samples/aci/default_variables/policy_fragment_plus_infrastructure_svn.rego +++ b/src/confcom/samples/aci/default_variables/policy_fragment_plus_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/default_variables/policy_infrastructure_svn.rego b/src/confcom/samples/aci/default_variables/policy_infrastructure_svn.rego index 50a2f1e8e22..7fca73ff0dd 100644 --- a/src/confcom/samples/aci/default_variables/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/default_variables/policy_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ 
@@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/default_variables_override/policy.rego b/src/confcom/samples/aci/default_variables_override/policy.rego index 2564d1f4d7d..e501b01cee8 100644 --- a/src/confcom/samples/aci/default_variables_override/policy.rego +++ b/src/confcom/samples/aci/default_variables_override/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/default_variables_override/policy_debug.rego b/src/confcom/samples/aci/default_variables_override/policy_debug.rego index 37ecc10f214..b0526f3f5ad 100644 --- a/src/confcom/samples/aci/default_variables_override/policy_debug.rego +++ b/src/confcom/samples/aci/default_variables_override/policy_debug.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} 
diff --git a/src/confcom/samples/aci/default_variables_override/policy_disable_stdio.rego b/src/confcom/samples/aci/default_variables_override/policy_disable_stdio.rego index 9177bee6ae8..293f2bf6064 100644 --- a/src/confcom/samples/aci/default_variables_override/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/default_variables_override/policy_disable_stdio.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/default_variables_override/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/default_variables_override/policy_exclude_default_fragment.rego index 292d288f836..d2d5b3e8185 100644 --- a/src/confcom/samples/aci/default_variables_override/policy_exclude_default_fragment.rego +++ b/src/confcom/samples/aci/default_variables_override/policy_exclude_default_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] @@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/default_variables_override/policy_fragment.rego b/src/confcom/samples/aci/default_variables_override/policy_fragment.rego index da895107e92..dd7e5decea5 100644 
--- a/src/confcom/samples/aci/default_variables_override/policy_fragment.rego +++ b/src/confcom/samples/aci/default_variables_override/policy_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/default_variables_override/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/default_variables_override/policy_fragment_plus_infrastructure_svn.rego index 5d2305ae9a2..4db0d2a66e9 100644 --- a/src/confcom/samples/aci/default_variables_override/policy_fragment_plus_infrastructure_svn.rego +++ b/src/confcom/samples/aci/default_variables_override/policy_fragment_plus_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/default_variables_override/policy_infrastructure_svn.rego b/src/confcom/samples/aci/default_variables_override/policy_infrastructure_svn.rego index 8c07f4ee697..597926c4ce3 100644 --- a/src/confcom/samples/aci/default_variables_override/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/default_variables_override/policy_infrastructure_svn.rego 
@@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/environment_variables/policy.rego b/src/confcom/samples/aci/environment_variables/policy.rego index 6966ac35d00..1f153ed257e 100644 --- a/src/confcom/samples/aci/environment_variables/policy.rego +++ b/src/confcom/samples/aci/environment_variables/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/environment_variables/policy_debug.rego b/src/confcom/samples/aci/environment_variables/policy_debug.rego index 79a435f36ef..fcbfbcd4165 100644 --- a/src/confcom/samples/aci/environment_variables/policy_debug.rego +++ b/src/confcom/samples/aci/environment_variables/policy_debug.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ 
@@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/environment_variables/policy_disable_stdio.rego b/src/confcom/samples/aci/environment_variables/policy_disable_stdio.rego index 1b3bf3399eb..c3c7d5d6d98 100644 --- a/src/confcom/samples/aci/environment_variables/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/environment_variables/policy_disable_stdio.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/environment_variables/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/environment_variables/policy_exclude_default_fragment.rego index 0582ec2f8b7..613f9afcb71 100644 --- a/src/confcom/samples/aci/environment_variables/policy_exclude_default_fragment.rego +++ b/src/confcom/samples/aci/environment_variables/policy_exclude_default_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] 
@@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/environment_variables/policy_fragment.rego b/src/confcom/samples/aci/environment_variables/policy_fragment.rego index f3c958b6d44..0a0eb4c839b 100644 --- a/src/confcom/samples/aci/environment_variables/policy_fragment.rego +++ b/src/confcom/samples/aci/environment_variables/policy_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/environment_variables/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/environment_variables/policy_fragment_plus_infrastructure_svn.rego index e2c54c52975..c3540fb6c95 100644 --- a/src/confcom/samples/aci/environment_variables/policy_fragment_plus_infrastructure_svn.rego +++ b/src/confcom/samples/aci/environment_variables/policy_fragment_plus_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ 
@@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/environment_variables/policy_infrastructure_svn.rego b/src/confcom/samples/aci/environment_variables/policy_infrastructure_svn.rego index 5c5771f5e79..bfa4e9804b5 100644 --- a/src/confcom/samples/aci/environment_variables/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/environment_variables/policy_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/existing_policy/policy.rego b/src/confcom/samples/aci/existing_policy/policy.rego index 721ef3581f3..21412c6ea52 100644 --- a/src/confcom/samples/aci/existing_policy/policy.rego +++ b/src/confcom/samples/aci/existing_policy/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} 
diff --git a/src/confcom/samples/aci/existing_policy/policy_debug.rego b/src/confcom/samples/aci/existing_policy/policy_debug.rego index f33fa7b46c8..50f08260507 100644 --- a/src/confcom/samples/aci/existing_policy/policy_debug.rego +++ b/src/confcom/samples/aci/existing_policy/policy_debug.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/existing_policy/policy_disable_stdio.rego b/src/confcom/samples/aci/existing_policy/policy_disable_stdio.rego index d4f5c46ce0c..e31e27260df 100644 --- a/src/confcom/samples/aci/existing_policy/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/existing_policy/policy_disable_stdio.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/existing_policy/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/existing_policy/policy_exclude_default_fragment.rego index 45eb05085e0..4b249bacdea 100644 --- a/src/confcom/samples/aci/existing_policy/policy_exclude_default_fragment.rego +++ b/src/confcom/samples/aci/existing_policy/policy_exclude_default_fragment.rego 
@@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] @@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/existing_policy/policy_fragment.rego b/src/confcom/samples/aci/existing_policy/policy_fragment.rego index d9ea7a4f5a6..301ffa0972f 100644 --- a/src/confcom/samples/aci/existing_policy/policy_fragment.rego +++ b/src/confcom/samples/aci/existing_policy/policy_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/existing_policy/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/existing_policy/policy_fragment_plus_infrastructure_svn.rego index 04642ec19de..a0b480a645a 100644 --- a/src/confcom/samples/aci/existing_policy/policy_fragment_plus_infrastructure_svn.rego +++ b/src/confcom/samples/aci/existing_policy/policy_fragment_plus_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ 
@@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/existing_policy/policy_infrastructure_svn.rego b/src/confcom/samples/aci/existing_policy/policy_infrastructure_svn.rego index 50a2f1e8e22..7fca73ff0dd 100644 --- a/src/confcom/samples/aci/existing_policy/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/existing_policy/policy_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/existing_policy_allow_all/policy.rego b/src/confcom/samples/aci/existing_policy_allow_all/policy.rego index 721ef3581f3..21412c6ea52 100644 --- a/src/confcom/samples/aci/existing_policy_allow_all/policy.rego +++ b/src/confcom/samples/aci/existing_policy_allow_all/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} 
diff --git a/src/confcom/samples/aci/existing_policy_allow_all/policy_debug.rego b/src/confcom/samples/aci/existing_policy_allow_all/policy_debug.rego index f33fa7b46c8..50f08260507 100644 --- a/src/confcom/samples/aci/existing_policy_allow_all/policy_debug.rego +++ b/src/confcom/samples/aci/existing_policy_allow_all/policy_debug.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/existing_policy_allow_all/policy_disable_stdio.rego b/src/confcom/samples/aci/existing_policy_allow_all/policy_disable_stdio.rego index d4f5c46ce0c..e31e27260df 100644 --- a/src/confcom/samples/aci/existing_policy_allow_all/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/existing_policy_allow_all/policy_disable_stdio.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/existing_policy_allow_all/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/existing_policy_allow_all/policy_exclude_default_fragment.rego index 45eb05085e0..4b249bacdea 100644 --- a/src/confcom/samples/aci/existing_policy_allow_all/policy_exclude_default_fragment.rego 
+++ b/src/confcom/samples/aci/existing_policy_allow_all/policy_exclude_default_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] @@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/existing_policy_allow_all/policy_fragment.rego b/src/confcom/samples/aci/existing_policy_allow_all/policy_fragment.rego index d9ea7a4f5a6..301ffa0972f 100644 --- a/src/confcom/samples/aci/existing_policy_allow_all/policy_fragment.rego +++ b/src/confcom/samples/aci/existing_policy_allow_all/policy_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/existing_policy_allow_all/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/existing_policy_allow_all/policy_fragment_plus_infrastructure_svn.rego index 04642ec19de..a0b480a645a 100644 --- a/src/confcom/samples/aci/existing_policy_allow_all/policy_fragment_plus_infrastructure_svn.rego +++ b/src/confcom/samples/aci/existing_policy_allow_all/policy_fragment_plus_infrastructure_svn.rego 
@@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/existing_policy_allow_all/policy_infrastructure_svn.rego b/src/confcom/samples/aci/existing_policy_allow_all/policy_infrastructure_svn.rego index 50a2f1e8e22..7fca73ff0dd 100644 --- a/src/confcom/samples/aci/existing_policy_allow_all/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/existing_policy_allow_all/policy_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/minimal/arm_template.json b/src/confcom/samples/aci/minimal/arm_template.json index 69e66680cc0..f3545cc01d0 100644 --- a/src/confcom/samples/aci/minimal/arm_template.json +++ b/src/confcom/samples/aci/minimal/arm_template.json 
@@ -11,7 +11,7 @@ "osType": "Linux", "restartPolicy": "OnFailure", "confidentialComputeProperties": { - "ccePolicy": "" + "ccePolicy": "cGFja2FnZSBwb2xpY3kKCmltcG9ydCBmdXR1cmUua2V5d29yZHMuZXZlcnkKaW1wb3J0IGZ1dHVyZS5rZXl3b3Jkcy5pbgoKYXBpX3ZlcnNpb24gOj0gIjAuMTEuMCIKZnJhbWV3b3JrX3ZlcnNpb24gOj0gIjAuMi4zIgoKZnJhZ21lbnRzIDo9IFsKICB7CiAgICAiZmVlZCI6ICJtY3IubWljcm9zb2Z0LmNvbS9hY2kvYWNpLWNjLWluZnJhLWZyYWdtZW50IiwKICAgICJpbmNsdWRlcyI6IFsKICAgICAgImNvbnRhaW5lcnMiLAogICAgICAiZnJhZ21lbnRzIgogICAgXSwKICAgICJpc3N1ZXIiOiAiZGlkOng1MDk6MDpzaGEyNTY6SV9faXVMMjVvWEVWRmRUUF9hQkx4X2VUMVJQSGJDUV9FQ0JRZllacHQ5czo6ZWt1OjEuMy42LjEuNC4xLjMxMS43Ni41OS4xLjMiLAogICAgIm1pbmltdW1fc3ZuIjogIjQiCiAgfQpdCgpjb250YWluZXJzIDo9IFt7ImFsbG93X2VsZXZhdGVkIjpmYWxzZSwiYWxsb3dfc3RkaW9fYWNjZXNzIjp0cnVlLCJjYXBhYmlsaXRpZXMiOnsiYW1iaWVudCI6W10sImJvdW5kaW5nIjpbIkNBUF9BVURJVF9XUklURSIsIkNBUF9DSE9XTiIsIkNBUF9EQUNfT1ZFUlJJREUiLCJDQVBfRk9XTkVSIiwiQ0FQX0ZTRVRJRCIsIkNBUF9LSUxMIiwiQ0FQX01LTk9EIiwiQ0FQX05FVF9CSU5EX1NFUlZJQ0UiLCJDQVBfTkVUX1JBVyIsIkNBUF9TRVRGQ0FQIiwiQ0FQX1NFVEdJRCIsIkNBUF9TRVRQQ0FQIiwiQ0FQX1NFVFVJRCIsIkNBUF9TWVNfQ0hST09UIl0sImVmZmVjdGl2ZSI6WyJDQVBfQVVESVRfV1JJVEUiLCJDQVBfQ0hPV04iLCJDQVBfREFDX09WRVJSSURFIiwiQ0FQX0ZPV05FUiIsIkNBUF9GU0VUSUQiLCJDQVBfS0lMTCIsIkNBUF9NS05PRCIsIkNBUF9ORVRfQklORF9TRVJWSUNFIiwiQ0FQX05FVF9SQVciLCJDQVBfU0VURkNBUCIsIkNBUF9TRVRHSUQiLCJDQVBfU0VUUENBUCIsIkNBUF9TRVRVSUQiLCJDQVBfU1lTX0NIUk9PVCJdLCJpbmhlcml0YWJsZSI6W10sInBlcm1pdHRlZCI6WyJDQVBfQVVESVRfV1JJVEUiLCJDQVBfQ0hPV04iLCJDQVBfREFDX09WRVJSSURFIiwiQ0FQX0ZPV05FUiIsIkNBUF9GU0VUSUQiLCJDQVBfS0lMTCIsIkNBUF9NS05PRCIsIkNBUF9ORVRfQklORF9TRVJWSUNFIiwiQ0FQX05FVF9SQVciLCJDQVBfU0VURkNBUCIsIkNBUF9TRVRHSUQiLCJDQVBfU0VUUENBUCIsIkNBUF9TRVRVSUQiLCJDQVBfU1lTX0NIUk9PVCJdfSwiY29tbWFuZCI6bnVsbCwiZW52X3J1bGVzIjpbeyJwYXR0ZXJuIjoiUEFUSD0vdXNyL2xvY2FsL3NiaW46L3Vzci9sb2NhbC9iaW46L3Vzci9zYmluOi91c3IvYmluOi9zYmluOi9iaW4iLCJyZXF1aXJlZCI6ZmFsc2UsInN0cmF0ZWd5Ijoic3RyaW5nIn0seyJwYXR0ZXJuIjoiVEVSTT14dGVybSIsInJlcXVpcmVkIjpmYWxzZSwic3RyYXRlZ3kiOiJzdHJpbmcifSx7InBhdHRlcm4iOiIo
P2kpKEZBQlJJQylfLis9LisiLCJyZXF1aXJlZCI6ZmFsc2UsInN0cmF0ZWd5IjoicmUyIn0seyJwYXR0ZXJuIjoiSE9TVE5BTUU9LisiLCJyZXF1aXJlZCI6ZmFsc2UsInN0cmF0ZWd5IjoicmUyIn0seyJwYXR0ZXJuIjoiVChFKT9NUD0uKyIsInJlcXVpcmVkIjpmYWxzZSwic3RyYXRlZ3kiOiJyZTIifSx7InBhdHRlcm4iOiJGYWJyaWNQYWNrYWdlRmlsZU5hbWU9LisiLCJyZXF1aXJlZCI6ZmFsc2UsInN0cmF0ZWd5IjoicmUyIn0seyJwYXR0ZXJuIjoiSG9zdGVkU2VydmljZU5hbWU9LisiLCJyZXF1aXJlZCI6ZmFsc2UsInN0cmF0ZWd5IjoicmUyIn0seyJwYXR0ZXJuIjoiSURFTlRJVFlfQVBJX1ZFUlNJT049LisiLCJyZXF1aXJlZCI6ZmFsc2UsInN0cmF0ZWd5IjoicmUyIn0seyJwYXR0ZXJuIjoiSURFTlRJVFlfSEVBREVSPS4rIiwicmVxdWlyZWQiOmZhbHNlLCJzdHJhdGVneSI6InJlMiJ9LHsicGF0dGVybiI6IklERU5USVRZX1NFUlZFUl9USFVNQlBSSU5UPS4rIiwicmVxdWlyZWQiOmZhbHNlLCJzdHJhdGVneSI6InJlMiJ9LHsicGF0dGVybiI6ImF6dXJlY29udGFpbmVyaW5zdGFuY2VfcmVzdGFydGVkX2J5PS4rIiwicmVxdWlyZWQiOmZhbHNlLCJzdHJhdGVneSI6InJlMiJ9XSwiZXhlY19wcm9jZXNzZXMiOltdLCJpZCI6Im1jci5taWNyb3NvZnQuY29tL2F6dXJlbGludXgvZGlzdHJvbGVzcy9iYXNlQHNoYTI1NjoxZTc3ZDk3ZTFlMzlmMjJlZDljNTJmNDliMzUwOGI0YzEwNDRjZWMyMzc0M2RmOTA5OGFjNDRlMDI1ZjY1NGYyIiwibGF5ZXJzIjpbIjI0M2UxYjNjZTA4MDkzZjJmMGQ5Y2Q2YTllYWZkZTg3MzdmNjRmZWMxMDVlZDU5YzM0NmQzMDlmYmU3NjBiNTgiXSwibW91bnRzIjpbeyJkZXN0aW5hdGlvbiI6Ii9ldGMvcmVzb2x2LmNvbmYiLCJvcHRpb25zIjpbInJiaW5kIiwicnNoYXJlZCIsInJ3Il0sInNvdXJjZSI6InNhbmRib3g6Ly8vdG1wL2F0bGFzL3Jlc29sdmNvbmYvLisiLCJ0eXBlIjoiYmluZCJ9XSwibmFtZSI6ImNvbnRhaW5lcjEiLCJub19uZXdfcHJpdmlsZWdlcyI6ZmFsc2UsInNlY2NvbXBfcHJvZmlsZV9zaGEyNTYiOiIiLCJzaWduYWxzIjpbXSwidXNlciI6eyJncm91cF9pZG5hbWVzIjpbeyJwYXR0ZXJuIjoiIiwic3RyYXRlZ3kiOiJhbnkifV0sInVtYXNrIjoiMDAyMiIsInVzZXJfaWRuYW1lIjp7InBhdHRlcm4iOiIiLCJzdHJhdGVneSI6ImFueSJ9fSwid29ya2luZ19kaXIiOiIvIn0seyJhbGxvd19lbGV2YXRlZCI6ZmFsc2UsImFsbG93X3N0ZGlvX2FjY2VzcyI6dHJ1ZSwiY2FwYWJpbGl0aWVzIjp7ImFtYmllbnQiOltdLCJib3VuZGluZyI6WyJDQVBfQ0hPV04iLCJDQVBfREFDX09WRVJSSURFIiwiQ0FQX0ZTRVRJRCIsIkNBUF9GT1dORVIiLCJDQVBfTUtOT0QiLCJDQVBfTkVUX1JBVyIsIkNBUF9TRVRHSUQiLCJDQVBfU0VUVUlEIiwiQ0FQX1NFVEZDQVAiLCJDQVBfU0VUUENBUCIsIkNBUF9ORVRfQklORF9TRVJWSUNFIiwiQ0FQX1NZU19DSFJPT1QiLCJDQVBfS0lMTCIsIkNBUF9BVURJVF9X
UklURSJdLCJlZmZlY3RpdmUiOlsiQ0FQX0NIT1dOIiwiQ0FQX0RBQ19PVkVSUklERSIsIkNBUF9GU0VUSUQiLCJDQVBfRk9XTkVSIiwiQ0FQX01LTk9EIiwiQ0FQX05FVF9SQVciLCJDQVBfU0VUR0lEIiwiQ0FQX1NFVFVJRCIsIkNBUF9TRVRGQ0FQIiwiQ0FQX1NFVFBDQVAiLCJDQVBfTkVUX0JJTkRfU0VSVklDRSIsIkNBUF9TWVNfQ0hST09UIiwiQ0FQX0tJTEwiLCJDQVBfQVVESVRfV1JJVEUiXSwiaW5oZXJpdGFibGUiOltdLCJwZXJtaXR0ZWQiOlsiQ0FQX0NIT1dOIiwiQ0FQX0RBQ19PVkVSUklERSIsIkNBUF9GU0VUSUQiLCJDQVBfRk9XTkVSIiwiQ0FQX01LTk9EIiwiQ0FQX05FVF9SQVciLCJDQVBfU0VUR0lEIiwiQ0FQX1NFVFVJRCIsIkNBUF9TRVRGQ0FQIiwiQ0FQX1NFVFBDQVAiLCJDQVBfTkVUX0JJTkRfU0VSVklDRSIsIkNBUF9TWVNfQ0hST09UIiwiQ0FQX0tJTEwiLCJDQVBfQVVESVRfV1JJVEUiXX0sImNvbW1hbmQiOlsiL3BhdXNlIl0sImVudl9ydWxlcyI6W3sicGF0dGVybiI6IlBBVEg9L3Vzci9sb2NhbC9zYmluOi91c3IvbG9jYWwvYmluOi91c3Ivc2JpbjovdXNyL2Jpbjovc2JpbjovYmluIiwicmVxdWlyZWQiOnRydWUsInN0cmF0ZWd5Ijoic3RyaW5nIn0seyJwYXR0ZXJuIjoiVEVSTT14dGVybSIsInJlcXVpcmVkIjpmYWxzZSwic3RyYXRlZ3kiOiJzdHJpbmcifV0sImV4ZWNfcHJvY2Vzc2VzIjpbXSwibGF5ZXJzIjpbIjE2YjUxNDA1N2EwNmFkNjY1ZjkyYzAyODYzYWNhMDc0ZmQ1OTc2Yzc1NWQyNmJmZjE2MzY1Mjk5MTY5ZTg0MTUiXSwibW91bnRzIjpbXSwibmFtZSI6InBhdXNlLWNvbnRhaW5lciIsIm5vX25ld19wcml2aWxlZ2VzIjpmYWxzZSwic2VjY29tcF9wcm9maWxlX3NoYTI1NiI6IiIsInNpZ25hbHMiOltdLCJ1c2VyIjp7Imdyb3VwX2lkbmFtZXMiOlt7InBhdHRlcm4iOiIiLCJzdHJhdGVneSI6ImFueSJ9XSwidW1hc2siOiIwMDIyIiwidXNlcl9pZG5hbWUiOnsicGF0dGVybiI6IiIsInN0cmF0ZWd5IjoiYW55In19LCJ3b3JraW5nX2RpciI6Ii8ifV0KCmFsbG93X3Byb3BlcnRpZXNfYWNjZXNzIDo9IHRydWUKYWxsb3dfZHVtcF9zdGFja3MgOj0gZmFsc2UKYWxsb3dfcnVudGltZV9sb2dnaW5nIDo9IGZhbHNlCmFsbG93X2Vudmlyb25tZW50X3ZhcmlhYmxlX2Ryb3BwaW5nIDo9IHRydWUKYWxsb3dfdW5lbmNyeXB0ZWRfc2NyYXRjaCA6PSBmYWxzZQphbGxvd19jYXBhYmlsaXR5X2Ryb3BwaW5nIDo9IHRydWUKCm1vdW50X2RldmljZSA6PSBkYXRhLmZyYW1ld29yay5tb3VudF9kZXZpY2UKdW5tb3VudF9kZXZpY2UgOj0gZGF0YS5mcmFtZXdvcmsudW5tb3VudF9kZXZpY2UKbW91bnRfb3ZlcmxheSA6PSBkYXRhLmZyYW1ld29yay5tb3VudF9vdmVybGF5CnVubW91bnRfb3ZlcmxheSA6PSBkYXRhLmZyYW1ld29yay51bm1vdW50X292ZXJsYXkKY3JlYXRlX2NvbnRhaW5lciA6PSBkYXRhLmZyYW1ld29yay5jcmVhdGVfY29udGFpbmVyCmV4ZWNfaW5fY29udGFpbmVyIDo9IGRhdGEuZnJhbWV3b3Jr
LmV4ZWNfaW5fY29udGFpbmVyCmV4ZWNfZXh0ZXJuYWwgOj0gZGF0YS5mcmFtZXdvcmsuZXhlY19leHRlcm5hbApzaHV0ZG93bl9jb250YWluZXIgOj0gZGF0YS5mcmFtZXdvcmsuc2h1dGRvd25fY29udGFpbmVyCnNpZ25hbF9jb250YWluZXJfcHJvY2VzcyA6PSBkYXRhLmZyYW1ld29yay5zaWduYWxfY29udGFpbmVyX3Byb2Nlc3MKcGxhbjlfbW91bnQgOj0gZGF0YS5mcmFtZXdvcmsucGxhbjlfbW91bnQKcGxhbjlfdW5tb3VudCA6PSBkYXRhLmZyYW1ld29yay5wbGFuOV91bm1vdW50CmdldF9wcm9wZXJ0aWVzIDo9IGRhdGEuZnJhbWV3b3JrLmdldF9wcm9wZXJ0aWVzCmR1bXBfc3RhY2tzIDo9IGRhdGEuZnJhbWV3b3JrLmR1bXBfc3RhY2tzCnJ1bnRpbWVfbG9nZ2luZyA6PSBkYXRhLmZyYW1ld29yay5ydW50aW1lX2xvZ2dpbmcKbG9hZF9mcmFnbWVudCA6PSBkYXRhLmZyYW1ld29yay5sb2FkX2ZyYWdtZW50CnNjcmF0Y2hfbW91bnQgOj0gZGF0YS5mcmFtZXdvcmsuc2NyYXRjaF9tb3VudApzY3JhdGNoX3VubW91bnQgOj0gZGF0YS5mcmFtZXdvcmsuc2NyYXRjaF91bm1vdW50CnJ3X21vdW50X2RldmljZSA6PSBkYXRhLmZyYW1ld29yay5yd19tb3VudF9kZXZpY2UKCnJlYXNvbiA6PSB7ImVycm9ycyI6IGRhdGEuZnJhbWV3b3JrLmVycm9yc30=" }, "containers": [ { diff --git a/src/confcom/samples/aci/minimal/policy.rego b/src/confcom/samples/aci/minimal/policy.rego index 721ef3581f3..21412c6ea52 100644 --- a/src/confcom/samples/aci/minimal/policy.rego +++ b/src/confcom/samples/aci/minimal/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/minimal/policy_debug.rego b/src/confcom/samples/aci/minimal/policy_debug.rego index f33fa7b46c8..50f08260507 100644 --- a/src/confcom/samples/aci/minimal/policy_debug.rego +++ b/src/confcom/samples/aci/minimal/policy_debug.rego 
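Review bot: In the `samples/aci/minimal/arm_template.json` hunk, the sample input now carries a pre-generated base64 `ccePolicy` instead of the empty placeholder, which puts an opaque blob that is hard to review into a file that otherwise reads as a generation input. The blob decodes to a Rego policy with `api_version := "0.11.0"` and pinned container layer hashes, so it looks like tool output written back into the template (inferred; nothing visible here says it is intentional). It can drift from `policy.rego` in the same directory whenever either one is regenerated. If the template is meant to stay an input, keep `"ccePolicy": ""`; if the populated value is intended, a test that decodes it and compares it with `policy.rego` would keep the two in step.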
@@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/minimal/policy_disable_stdio.rego b/src/confcom/samples/aci/minimal/policy_disable_stdio.rego index d4f5c46ce0c..e31e27260df 100644 --- a/src/confcom/samples/aci/minimal/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/minimal/policy_disable_stdio.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/minimal/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/minimal/policy_exclude_default_fragment.rego index 45eb05085e0..4b249bacdea 100644 --- a/src/confcom/samples/aci/minimal/policy_exclude_default_fragment.rego +++ b/src/confcom/samples/aci/minimal/policy_exclude_default_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] 
@@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/minimal/policy_fragment.rego b/src/confcom/samples/aci/minimal/policy_fragment.rego index d9ea7a4f5a6..301ffa0972f 100644 --- a/src/confcom/samples/aci/minimal/policy_fragment.rego +++ b/src/confcom/samples/aci/minimal/policy_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/minimal/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/minimal/policy_fragment_plus_infrastructure_svn.rego index 04642ec19de..a0b480a645a 100644 --- a/src/confcom/samples/aci/minimal/policy_fragment_plus_infrastructure_svn.rego +++ b/src/confcom/samples/aci/minimal/policy_fragment_plus_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} 
diff --git a/src/confcom/samples/aci/minimal/policy_infrastructure_svn.rego b/src/confcom/samples/aci/minimal/policy_infrastructure_svn.rego index 50a2f1e8e22..7fca73ff0dd 100644 --- a/src/confcom/samples/aci/minimal/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/minimal/policy_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/multi_container_groups/policy.rego b/src/confcom/samples/aci/multi_container_groups/policy.rego index 67de04a0285..b7f1e64d3cc 100644 --- a/src/confcom/samples/aci/multi_container_groups/policy.rego +++ b/src/confcom/samples/aci/multi_container_groups/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} @@ -53,7 +54,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ 
@@ -94,6 +95,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/multi_container_groups/policy_debug.rego b/src/confcom/samples/aci/multi_container_groups/policy_debug.rego index 7ddb75b3742..5b5785dd530 100644 --- a/src/confcom/samples/aci/multi_container_groups/policy_debug.rego +++ b/src/confcom/samples/aci/multi_container_groups/policy_debug.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} @@ -53,7 +54,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -94,6 +95,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/multi_container_groups/policy_disable_stdio.rego b/src/confcom/samples/aci/multi_container_groups/policy_disable_stdio.rego index c7e0650713b..f0be599e6f3 100644 --- a/src/confcom/samples/aci/multi_container_groups/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/multi_container_groups/policy_disable_stdio.rego 
@@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} @@ -53,7 +54,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -94,6 +95,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/multi_container_groups/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/multi_container_groups/policy_exclude_default_fragment.rego index 32fd29e3336..f0400d3787b 100644 --- a/src/confcom/samples/aci/multi_container_groups/policy_exclude_default_fragment.rego +++ b/src/confcom/samples/aci/multi_container_groups/policy_exclude_default_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] @@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} 
@@ -43,7 +44,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] @@ -74,6 +75,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/multi_container_groups/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/multi_container_groups/policy_fragment_plus_infrastructure_svn.rego index bcc5f638768..5a30c600142 100644 --- a/src/confcom/samples/aci/multi_container_groups/policy_fragment_plus_infrastructure_svn.rego +++ b/src/confcom/samples/aci/multi_container_groups/policy_fragment_plus_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} @@ -62,7 +63,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -103,6 +104,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} 
diff --git a/src/confcom/samples/aci/multi_container_groups/policy_infrastructure_svn.rego b/src/confcom/samples/aci/multi_container_groups/policy_infrastructure_svn.rego index 1aa2ad14c23..7ce66ecc801 100644 --- a/src/confcom/samples/aci/multi_container_groups/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/multi_container_groups/policy_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} @@ -53,7 +54,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -94,6 +95,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/multi_containers/policy.rego b/src/confcom/samples/aci/multi_containers/policy.rego index e9ea916e0a8..0c7a66163f2 100644 --- a/src/confcom/samples/aci/multi_containers/policy.rego +++ b/src/confcom/samples/aci/multi_containers/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ 
@@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/multi_containers/policy_debug.rego b/src/confcom/samples/aci/multi_containers/policy_debug.rego index 36217c9ac09..420880febae 100644 --- a/src/confcom/samples/aci/multi_containers/policy_debug.rego +++ b/src/confcom/samples/aci/multi_containers/policy_debug.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/multi_containers/policy_disable_stdio.rego b/src/confcom/samples/aci/multi_containers/policy_disable_stdio.rego index 19c2177c1ce..b3738f06aee 100644 --- a/src/confcom/samples/aci/multi_containers/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/multi_containers/policy_disable_stdio.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} 
diff --git a/src/confcom/samples/aci/multi_containers/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/multi_containers/policy_exclude_default_fragment.rego index fbddd782d71..eb04d2704b2 100644 --- a/src/confcom/samples/aci/multi_containers/policy_exclude_default_fragment.rego +++ b/src/confcom/samples/aci/multi_containers/policy_exclude_default_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] @@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/multi_containers/policy_fragment.rego b/src/confcom/samples/aci/multi_containers/policy_fragment.rego index e1d6b484c42..2cdb596e63f 100644 --- a/src/confcom/samples/aci/multi_containers/policy_fragment.rego +++ b/src/confcom/samples/aci/multi_containers/policy_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/multi_containers/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/multi_containers/policy_fragment_plus_infrastructure_svn.rego index 3965d5eac5e..47e9d18e546 100644 --- a/src/confcom/samples/aci/multi_containers/policy_fragment_plus_infrastructure_svn.rego 
+++ b/src/confcom/samples/aci/multi_containers/policy_fragment_plus_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/multi_containers/policy_infrastructure_svn.rego b/src/confcom/samples/aci/multi_containers/policy_infrastructure_svn.rego index 4486204c204..2b189640808 100644 --- a/src/confcom/samples/aci/multi_containers/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/multi_containers/policy_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_add/policy.rego b/src/confcom/samples/aci/security_context_capabilities_add/policy.rego index e17f515f228..8436ca3cd2a 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add/policy.rego +++ b/src/confcom/samples/aci/security_context_capabilities_add/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ 
@@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_add/policy_debug.rego b/src/confcom/samples/aci/security_context_capabilities_add/policy_debug.rego index be2655f5834..c9558c91aec 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add/policy_debug.rego +++ b/src/confcom/samples/aci/security_context_capabilities_add/policy_debug.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_add/policy_disable_stdio.rego b/src/confcom/samples/aci/security_context_capabilities_add/policy_disable_stdio.rego index a5188b24c04..cb795ea8edc 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/security_context_capabilities_add/policy_disable_stdio.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ 
@@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_add/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/security_context_capabilities_add/policy_exclude_default_fragment.rego index 043e9959354..509e2273696 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add/policy_exclude_default_fragment.rego +++ b/src/confcom/samples/aci/security_context_capabilities_add/policy_exclude_default_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] @@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_add/policy_fragment.rego b/src/confcom/samples/aci/security_context_capabilities_add/policy_fragment.rego index 38027274a76..81c9ab609ae 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add/policy_fragment.rego +++ b/src/confcom/samples/aci/security_context_capabilities_add/policy_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ 
@@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_add/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/security_context_capabilities_add/policy_fragment_plus_infrastructure_svn.rego index 1ff9e9c9ec6..0ff47fc21e4 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add/policy_fragment_plus_infrastructure_svn.rego +++ b/src/confcom/samples/aci/security_context_capabilities_add/policy_fragment_plus_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_add/policy_infrastructure_svn.rego b/src/confcom/samples/aci/security_context_capabilities_add/policy_infrastructure_svn.rego index e379d8e23b7..a0df6d7664f 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/security_context_capabilities_add/policy_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ 
@@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy.rego b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy.rego index db0eb992c57..5d6be1de831 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy.rego +++ b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_debug.rego b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_debug.rego index cbfd9699780..6ae3b72378c 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_debug.rego +++ b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_debug.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ 
@@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_disable_stdio.rego b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_disable_stdio.rego index 285be86a07d..238acfe3606 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_disable_stdio.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_exclude_default_fragment.rego index 26f34bf1b3b..456c930d07a 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_exclude_default_fragment.rego +++ b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_exclude_default_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] 
@@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_fragment.rego b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_fragment.rego index 27ccf902d93..1ba40238b9a 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_fragment.rego +++ b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_fragment_plus_infrastructure_svn.rego index 249001d4245..3e157bca9a8 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_fragment_plus_infrastructure_svn.rego +++ b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_fragment_plus_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ 
@@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_infrastructure_svn.rego b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_infrastructure_svn.rego index 1676fad3709..131d29a2a0d 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_drop/policy.rego b/src/confcom/samples/aci/security_context_capabilities_drop/policy.rego index c9e88f85555..4c8901e8742 100644 --- a/src/confcom/samples/aci/security_context_capabilities_drop/policy.rego +++ b/src/confcom/samples/aci/security_context_capabilities_drop/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ 
@@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_drop/policy_debug.rego b/src/confcom/samples/aci/security_context_capabilities_drop/policy_debug.rego index bd1c6052a14..d7c303dad28 100644 --- a/src/confcom/samples/aci/security_context_capabilities_drop/policy_debug.rego +++ b/src/confcom/samples/aci/security_context_capabilities_drop/policy_debug.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_drop/policy_disable_stdio.rego b/src/confcom/samples/aci/security_context_capabilities_drop/policy_disable_stdio.rego index 34425ff5777..0ad603292d3 100644 --- a/src/confcom/samples/aci/security_context_capabilities_drop/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/security_context_capabilities_drop/policy_disable_stdio.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ 
@@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_drop/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/security_context_capabilities_drop/policy_exclude_default_fragment.rego index 0ea9ef76af4..e444c0d3310 100644 --- a/src/confcom/samples/aci/security_context_capabilities_drop/policy_exclude_default_fragment.rego +++ b/src/confcom/samples/aci/security_context_capabilities_drop/policy_exclude_default_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] @@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_drop/policy_fragment.rego b/src/confcom/samples/aci/security_context_capabilities_drop/policy_fragment.rego index 580ae543b37..df284d7cde4 100644 --- a/src/confcom/samples/aci/security_context_capabilities_drop/policy_fragment.rego +++ b/src/confcom/samples/aci/security_context_capabilities_drop/policy_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ 
@@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_drop/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/security_context_capabilities_drop/policy_fragment_plus_infrastructure_svn.rego index 0b993218415..49c1b7580a6 100644 --- a/src/confcom/samples/aci/security_context_capabilities_drop/policy_fragment_plus_infrastructure_svn.rego +++ b/src/confcom/samples/aci/security_context_capabilities_drop/policy_fragment_plus_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_drop/policy_infrastructure_svn.rego b/src/confcom/samples/aci/security_context_capabilities_drop/policy_infrastructure_svn.rego index 26c2ff93c1e..b893b1a1c42 100644 --- a/src/confcom/samples/aci/security_context_capabilities_drop/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/security_context_capabilities_drop/policy_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ 
@@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_run_as_group/policy.rego b/src/confcom/samples/aci/security_context_run_as_group/policy.rego index 93f30fa1e74..691be96db02 100644 --- a/src/confcom/samples/aci/security_context_run_as_group/policy.rego +++ b/src/confcom/samples/aci/security_context_run_as_group/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_run_as_group/policy_debug.rego b/src/confcom/samples/aci/security_context_run_as_group/policy_debug.rego index 9a618bafc91..128b9782018 100644 --- a/src/confcom/samples/aci/security_context_run_as_group/policy_debug.rego +++ b/src/confcom/samples/aci/security_context_run_as_group/policy_debug.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} 
diff --git a/src/confcom/samples/aci/security_context_run_as_group/policy_disable_stdio.rego b/src/confcom/samples/aci/security_context_run_as_group/policy_disable_stdio.rego index 23fac5e69db..35ae6f34217 100644 --- a/src/confcom/samples/aci/security_context_run_as_group/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/security_context_run_as_group/policy_disable_stdio.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_run_as_group/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/security_context_run_as_group/policy_exclude_default_fragment.rego index 39446b7c586..067f2f6c175 100644 --- a/src/confcom/samples/aci/security_context_run_as_group/policy_exclude_default_fragment.rego +++ b/src/confcom/samples/aci/security_context_run_as_group/policy_exclude_default_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] @@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_run_as_group/policy_fragment.rego b/src/confcom/samples/aci/security_context_run_as_group/policy_fragment.rego index 43322bb43ac..b7c1a3febe0 100644 
--- a/src/confcom/samples/aci/security_context_run_as_group/policy_fragment.rego +++ b/src/confcom/samples/aci/security_context_run_as_group/policy_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_run_as_group/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/security_context_run_as_group/policy_fragment_plus_infrastructure_svn.rego index 3a94a9e1816..cc8cffa6d1e 100644 --- a/src/confcom/samples/aci/security_context_run_as_group/policy_fragment_plus_infrastructure_svn.rego +++ b/src/confcom/samples/aci/security_context_run_as_group/policy_fragment_plus_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_run_as_group/policy_infrastructure_svn.rego b/src/confcom/samples/aci/security_context_run_as_group/policy_infrastructure_svn.rego index f08ba39228b..5357a5f5020 100644 --- a/src/confcom/samples/aci/security_context_run_as_group/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/security_context_run_as_group/policy_infrastructure_svn.rego 
@@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_run_as_user/policy.rego b/src/confcom/samples/aci/security_context_run_as_user/policy.rego index e16fb4563d0..fb511fecd82 100644 --- a/src/confcom/samples/aci/security_context_run_as_user/policy.rego +++ b/src/confcom/samples/aci/security_context_run_as_user/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_run_as_user/policy_debug.rego b/src/confcom/samples/aci/security_context_run_as_user/policy_debug.rego index 6e31e8f99ef..02f5ad5cfd0 100644 --- a/src/confcom/samples/aci/security_context_run_as_user/policy_debug.rego +++ b/src/confcom/samples/aci/security_context_run_as_user/policy_debug.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ 
@@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_run_as_user/policy_disable_stdio.rego b/src/confcom/samples/aci/security_context_run_as_user/policy_disable_stdio.rego index 28c1efee0c1..004bb814ecb 100644 --- a/src/confcom/samples/aci/security_context_run_as_user/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/security_context_run_as_user/policy_disable_stdio.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_run_as_user/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/security_context_run_as_user/policy_exclude_default_fragment.rego index fa985532527..59b11e97ba8 100644 --- a/src/confcom/samples/aci/security_context_run_as_user/policy_exclude_default_fragment.rego +++ b/src/confcom/samples/aci/security_context_run_as_user/policy_exclude_default_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] 
@@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_run_as_user/policy_fragment.rego b/src/confcom/samples/aci/security_context_run_as_user/policy_fragment.rego index e7098c289ce..3ac73b1aefb 100644 --- a/src/confcom/samples/aci/security_context_run_as_user/policy_fragment.rego +++ b/src/confcom/samples/aci/security_context_run_as_user/policy_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_run_as_user/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/security_context_run_as_user/policy_fragment_plus_infrastructure_svn.rego index 103a6785acb..218d6af6e6b 100644 --- a/src/confcom/samples/aci/security_context_run_as_user/policy_fragment_plus_infrastructure_svn.rego +++ b/src/confcom/samples/aci/security_context_run_as_user/policy_fragment_plus_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ 
@@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_run_as_user/policy_infrastructure_svn.rego b/src/confcom/samples/aci/security_context_run_as_user/policy_infrastructure_svn.rego index 3a6ef775944..07a5f3a9895 100644 --- a/src/confcom/samples/aci/security_context_run_as_user/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/security_context_run_as_user/policy_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/variables/policy.rego b/src/confcom/samples/aci/variables/policy.rego index 721ef3581f3..21412c6ea52 100644 --- a/src/confcom/samples/aci/variables/policy.rego +++ b/src/confcom/samples/aci/variables/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} 
diff --git a/src/confcom/samples/aci/variables/policy_debug.rego b/src/confcom/samples/aci/variables/policy_debug.rego index f33fa7b46c8..50f08260507 100644 --- a/src/confcom/samples/aci/variables/policy_debug.rego +++ b/src/confcom/samples/aci/variables/policy_debug.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/variables/policy_disable_stdio.rego b/src/confcom/samples/aci/variables/policy_disable_stdio.rego index d4f5c46ce0c..e31e27260df 100644 --- a/src/confcom/samples/aci/variables/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/variables/policy_disable_stdio.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/variables/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/variables/policy_exclude_default_fragment.rego index 45eb05085e0..4b249bacdea 100644 --- a/src/confcom/samples/aci/variables/policy_exclude_default_fragment.rego +++ b/src/confcom/samples/aci/variables/policy_exclude_default_fragment.rego 
@@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] @@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/variables/policy_fragment.rego b/src/confcom/samples/aci/variables/policy_fragment.rego index d9ea7a4f5a6..301ffa0972f 100644 --- a/src/confcom/samples/aci/variables/policy_fragment.rego +++ b/src/confcom/samples/aci/variables/policy_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/variables/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/variables/policy_fragment_plus_infrastructure_svn.rego index 04642ec19de..a0b480a645a 100644 --- a/src/confcom/samples/aci/variables/policy_fragment_plus_infrastructure_svn.rego +++ b/src/confcom/samples/aci/variables/policy_fragment_plus_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ 
@@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/variables/policy_infrastructure_svn.rego b/src/confcom/samples/aci/variables/policy_infrastructure_svn.rego index 50a2f1e8e22..7fca73ff0dd 100644 --- a/src/confcom/samples/aci/variables/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/variables/policy_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/volume_mount_secret/policy.rego b/src/confcom/samples/aci/volume_mount_secret/policy.rego index b5a639bb912..c020e197dcb 100644 --- a/src/confcom/samples/aci/volume_mount_secret/policy.rego +++ b/src/confcom/samples/aci/volume_mount_secret/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} 
diff --git a/src/confcom/samples/aci/volume_mount_secret/policy_debug.rego b/src/confcom/samples/aci/volume_mount_secret/policy_debug.rego index 24215106d3f..9fa628f95b5 100644 --- a/src/confcom/samples/aci/volume_mount_secret/policy_debug.rego +++ b/src/confcom/samples/aci/volume_mount_secret/policy_debug.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/volume_mount_secret/policy_disable_stdio.rego b/src/confcom/samples/aci/volume_mount_secret/policy_disable_stdio.rego index 3f5ce0efda4..c31890df1a6 100644 --- a/src/confcom/samples/aci/volume_mount_secret/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/volume_mount_secret/policy_disable_stdio.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/volume_mount_secret/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/volume_mount_secret/policy_exclude_default_fragment.rego index 2a8c79a1d5a..983094135f2 100644 --- a/src/confcom/samples/aci/volume_mount_secret/policy_exclude_default_fragment.rego 
+++ b/src/confcom/samples/aci/volume_mount_secret/policy_exclude_default_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] @@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/volume_mount_secret/policy_fragment.rego b/src/confcom/samples/aci/volume_mount_secret/policy_fragment.rego index bb5bf4e1743..55068234edf 100644 --- a/src/confcom/samples/aci/volume_mount_secret/policy_fragment.rego +++ b/src/confcom/samples/aci/volume_mount_secret/policy_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/volume_mount_secret/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/volume_mount_secret/policy_fragment_plus_infrastructure_svn.rego index 1f8cb708fa8..9fec748e4b0 100644 --- a/src/confcom/samples/aci/volume_mount_secret/policy_fragment_plus_infrastructure_svn.rego +++ b/src/confcom/samples/aci/volume_mount_secret/policy_fragment_plus_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ 
@@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging
 load_fragment := data.framework.load_fragment
 scratch_mount := data.framework.scratch_mount
 scratch_unmount := data.framework.scratch_unmount
+rw_mount_device := data.framework.rw_mount_device
 reason := {"errors": data.framework.errors}
diff --git a/src/confcom/samples/aci/volume_mount_secret/policy_infrastructure_svn.rego b/src/confcom/samples/aci/volume_mount_secret/policy_infrastructure_svn.rego
index 29ffb26aee3..ba42aa2c23a 100644
--- a/src/confcom/samples/aci/volume_mount_secret/policy_infrastructure_svn.rego
+++ b/src/confcom/samples/aci/volume_mount_secret/policy_infrastructure_svn.rego
@@ -3,7 +3,7 @@ package policy
 import future.keywords.every
 import future.keywords.in
-api_version := "0.10.0"
+api_version := "0.11.0"
 framework_version := "0.2.3"
 fragments := [
@@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging
 load_fragment := data.framework.load_fragment
 scratch_mount := data.framework.scratch_mount
 scratch_unmount := data.framework.scratch_unmount
+rw_mount_device := data.framework.rw_mount_device
 reason := {"errors": data.framework.errors}
diff --git a/src/confcom/samples/aci/volume_mounts/policy.rego b/src/confcom/samples/aci/volume_mounts/policy.rego
index 273b195b4d9..a62cbc24e13 100644
--- a/src/confcom/samples/aci/volume_mounts/policy.rego
+++ b/src/confcom/samples/aci/volume_mounts/policy.rego
@@ -3,7 +3,7 @@ package policy
 import future.keywords.every
 import future.keywords.in
-api_version := "0.10.0"
+api_version := "0.11.0"
 framework_version := "0.2.3"
 fragments := [
@@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging
 load_fragment := data.framework.load_fragment
 scratch_mount := data.framework.scratch_mount
 scratch_unmount := data.framework.scratch_unmount
+rw_mount_device := data.framework.rw_mount_device
 reason := {"errors": data.framework.errors}
diff --git a/src/confcom/samples/aci/volume_mounts/policy_debug.rego b/src/confcom/samples/aci/volume_mounts/policy_debug.rego
index ebe8d8cff89..a86c8007074 100644
--- a/src/confcom/samples/aci/volume_mounts/policy_debug.rego
+++ b/src/confcom/samples/aci/volume_mounts/policy_debug.rego
@@ -3,7 +3,7 @@ package policy
 import future.keywords.every
 import future.keywords.in
-api_version := "0.10.0"
+api_version := "0.11.0"
 framework_version := "0.2.3"
 fragments := [
@@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging
 load_fragment := data.framework.load_fragment
 scratch_mount := data.framework.scratch_mount
 scratch_unmount := data.framework.scratch_unmount
+rw_mount_device := data.framework.rw_mount_device
 reason := {"errors": data.framework.errors}
diff --git a/src/confcom/samples/aci/volume_mounts/policy_disable_stdio.rego b/src/confcom/samples/aci/volume_mounts/policy_disable_stdio.rego
index 71223a5d727..50c2543fe4b 100644
--- a/src/confcom/samples/aci/volume_mounts/policy_disable_stdio.rego
+++ b/src/confcom/samples/aci/volume_mounts/policy_disable_stdio.rego
@@ -3,7 +3,7 @@ package policy
 import future.keywords.every
 import future.keywords.in
-api_version := "0.10.0"
+api_version := "0.11.0"
 framework_version := "0.2.3"
 fragments := [
@@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging
 load_fragment := data.framework.load_fragment
 scratch_mount := data.framework.scratch_mount
 scratch_unmount := data.framework.scratch_unmount
+rw_mount_device := data.framework.rw_mount_device
 reason := {"errors": data.framework.errors}
diff --git a/src/confcom/samples/aci/volume_mounts/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/volume_mounts/policy_exclude_default_fragment.rego
index 40c79ea7359..40daa187696 100644
--- a/src/confcom/samples/aci/volume_mounts/policy_exclude_default_fragment.rego
+++ b/src/confcom/samples/aci/volume_mounts/policy_exclude_default_fragment.rego
@@ -3,7 +3,7 @@ package policy
 import future.keywords.every
 import future.keywords.in
-api_version := "0.10.0"
+api_version := "0.11.0"
 framework_version := "0.2.3"
 fragments := []
@@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging
 load_fragment := data.framework.load_fragment
 scratch_mount := data.framework.scratch_mount
 scratch_unmount := data.framework.scratch_unmount
+rw_mount_device := data.framework.rw_mount_device
 reason := {"errors": data.framework.errors}
diff --git a/src/confcom/samples/aci/volume_mounts/policy_fragment.rego b/src/confcom/samples/aci/volume_mounts/policy_fragment.rego
index 80286bf873a..78dca65c36c 100644
--- a/src/confcom/samples/aci/volume_mounts/policy_fragment.rego
+++ b/src/confcom/samples/aci/volume_mounts/policy_fragment.rego
@@ -3,7 +3,7 @@ package policy
 import future.keywords.every
 import future.keywords.in
-api_version := "0.10.0"
+api_version := "0.11.0"
 framework_version := "0.2.3"
 fragments := [
@@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging
 load_fragment := data.framework.load_fragment
 scratch_mount := data.framework.scratch_mount
 scratch_unmount := data.framework.scratch_unmount
+rw_mount_device := data.framework.rw_mount_device
 reason := {"errors": data.framework.errors}
diff --git a/src/confcom/samples/aci/volume_mounts/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/volume_mounts/policy_fragment_plus_infrastructure_svn.rego
index f73bc72b9cd..08a6e871afa 100644
--- a/src/confcom/samples/aci/volume_mounts/policy_fragment_plus_infrastructure_svn.rego
+++ b/src/confcom/samples/aci/volume_mounts/policy_fragment_plus_infrastructure_svn.rego
@@ -3,7 +3,7 @@ package policy
 import future.keywords.every
 import future.keywords.in
-api_version := "0.10.0"
+api_version := "0.11.0"
 framework_version := "0.2.3"
 fragments := [
@@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging
 load_fragment := data.framework.load_fragment
 scratch_mount := data.framework.scratch_mount
 scratch_unmount := data.framework.scratch_unmount
+rw_mount_device := data.framework.rw_mount_device
 reason := {"errors": data.framework.errors}
diff --git a/src/confcom/samples/aci/volume_mounts/policy_infrastructure_svn.rego b/src/confcom/samples/aci/volume_mounts/policy_infrastructure_svn.rego
index caf93e6b04f..d15814f95d1 100644
--- a/src/confcom/samples/aci/volume_mounts/policy_infrastructure_svn.rego
+++ b/src/confcom/samples/aci/volume_mounts/policy_infrastructure_svn.rego
@@ -3,7 +3,7 @@ package policy
 import future.keywords.every
 import future.keywords.in
-api_version := "0.10.0"
+api_version := "0.11.0"
 framework_version := "0.2.3"
 fragments := [
@@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging
 load_fragment := data.framework.load_fragment
 scratch_mount := data.framework.scratch_mount
 scratch_unmount := data.framework.scratch_unmount
+rw_mount_device := data.framework.rw_mount_device
 reason := {"errors": data.framework.errors}
diff --git a/src/confcom/samples/policies/allow_all.rego b/src/confcom/samples/policies/allow_all.rego
index cfa50f39e5e..a8a4a9d6916 100644
--- a/src/confcom/samples/policies/allow_all.rego
+++ b/src/confcom/samples/policies/allow_all.rego
@@ -1,6 +1,6 @@
 package policy
-api_version := "0.10.0"
+api_version := "0.11.0"
 mount_device := {"allowed": true}
 mount_overlay := {"allowed": true}
diff --git a/src/confcom/samples/sample-policy-output.rego b/src/confcom/samples/sample-policy-output.rego
index 060e19d6845..0261d9c69fa 100644
Binary files a/src/confcom/samples/sample-policy-output.rego and b/src/confcom/samples/sample-policy-output.rego differ
diff --git a/src/confcom/samples/vn2/basic_command_args/policy.rego b/src/confcom/samples/vn2/basic_command_args/policy.rego
index 836d9cdca23..0a98ec2aa07 100644
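Review bot: In src/confcom/samples/policies/allow_all.rego the `api_version` moves to "0.11.0", but the hunk adds no rule for the `rw_mount_device` enforcement point that every other sample policy in this commit starts delegating to `data.framework.rw_mount_device`. If the framework treats an enforcement point as mandatory once a policy declares the API version that introduced it (not visible from this diff, so worth confirming), the allow-all sample would no longer allow that operation. Unless the file already defines the rule outside this hunk, add `rw_mount_device := {"allowed": true}` next to `mount_device := {"allowed": true}`, or keep this sample on the previous `api_version`.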
--- a/src/confcom/samples/vn2/basic_command_args/policy.rego
+++ b/src/confcom/samples/vn2/basic_command_args/policy.rego
@@ -3,7 +3,7 @@ package policy
 import future.keywords.every
 import future.keywords.in
-api_version := "0.10.0"
+api_version := "0.11.0"
 framework_version := "0.2.3"
 fragments := [
@@ -377,6 +377,7 @@ runtime_logging := data.framework.runtime_logging
 load_fragment := data.framework.load_fragment
 scratch_mount := data.framework.scratch_mount
 scratch_unmount := data.framework.scratch_unmount
+rw_mount_device := data.framework.rw_mount_device
 reason := {"errors": data.framework.errors}
diff --git a/src/confcom/samples/vn2/configmap_secret_env/policy.rego b/src/confcom/samples/vn2/configmap_secret_env/policy.rego
index 3c4ff5e9de8..96b1e11c011 100644
--- a/src/confcom/samples/vn2/configmap_secret_env/policy.rego
+++ b/src/confcom/samples/vn2/configmap_secret_env/policy.rego
@@ -3,7 +3,7 @@ package policy
 import future.keywords.every
 import future.keywords.in
-api_version := "0.10.0"
+api_version := "0.11.0"
 framework_version := "0.2.3"
 fragments := [
@@ -388,6 +388,7 @@ runtime_logging := data.framework.runtime_logging
 load_fragment := data.framework.load_fragment
 scratch_mount := data.framework.scratch_mount
 scratch_unmount := data.framework.scratch_unmount
+rw_mount_device := data.framework.rw_mount_device
 reason := {"errors": data.framework.errors}
diff --git a/src/confcom/samples/vn2/fieldref_env/policy.rego b/src/confcom/samples/vn2/fieldref_env/policy.rego
index ea59ff93085..6d786a7c94d 100644
--- a/src/confcom/samples/vn2/fieldref_env/policy.rego
+++ b/src/confcom/samples/vn2/fieldref_env/policy.rego
@@ -3,7 +3,7 @@ package policy
 import future.keywords.every
 import future.keywords.in
-api_version := "0.10.0"
+api_version := "0.11.0"
 framework_version := "0.2.3"
 fragments := [
@@ -373,6 +373,7 @@ runtime_logging := data.framework.runtime_logging
 load_fragment := data.framework.load_fragment
 scratch_mount := data.framework.scratch_mount
 scratch_unmount := data.framework.scratch_unmount
+rw_mount_device := data.framework.rw_mount_device
 reason := {"errors": data.framework.errors}
diff --git a/src/confcom/samples/vn2/init_and_lifecycle/policy.rego b/src/confcom/samples/vn2/init_and_lifecycle/policy.rego
index 1a28591eeb5..456cefc3958 100644
--- a/src/confcom/samples/vn2/init_and_lifecycle/policy.rego
+++ b/src/confcom/samples/vn2/init_and_lifecycle/policy.rego
@@ -3,7 +3,7 @@ package policy
 import future.keywords.every
 import future.keywords.in
-api_version := "0.10.0"
+api_version := "0.11.0"
 framework_version := "0.2.3"
 fragments := [
@@ -641,6 +641,7 @@ runtime_logging := data.framework.runtime_logging
 load_fragment := data.framework.load_fragment
 scratch_mount := data.framework.scratch_mount
 scratch_unmount := data.framework.scratch_unmount
+rw_mount_device := data.framework.rw_mount_device
 reason := {"errors": data.framework.errors}
diff --git a/src/confcom/samples/vn2/multi_container/policy.rego b/src/confcom/samples/vn2/multi_container/policy.rego
index 8defcef2dbf..0eaa1545bf4 100644
--- a/src/confcom/samples/vn2/multi_container/policy.rego
+++ b/src/confcom/samples/vn2/multi_container/policy.rego
@@ -3,7 +3,7 @@ package policy
 import future.keywords.every
 import future.keywords.in
-api_version := "0.10.0"
+api_version := "0.11.0"
 framework_version := "0.2.3"
 fragments := [
@@ -606,6 +606,7 @@ runtime_logging := data.framework.runtime_logging
 load_fragment := data.framework.load_fragment
 scratch_mount := data.framework.scratch_mount
 scratch_unmount := data.framework.scratch_unmount
+rw_mount_device := data.framework.rw_mount_device
 reason := {"errors": data.framework.errors}
diff --git a/src/confcom/samples/vn2/privileged_container/policy.rego b/src/confcom/samples/vn2/privileged_container/policy.rego
index 2463cffceeb..4e58d768e09 100644
--- a/src/confcom/samples/vn2/privileged_container/policy.rego
+++ b/src/confcom/samples/vn2/privileged_container/policy.rego
@@ -3,7 +3,7 @@ package policy
 import future.keywords.every
 import future.keywords.in
-api_version := "0.10.0"
+api_version := "0.11.0"
 framework_version := "0.2.3"
 fragments := [
@@ -511,6 +511,7 @@ runtime_logging := data.framework.runtime_logging
 load_fragment := data.framework.load_fragment
 scratch_mount := data.framework.scratch_mount
 scratch_unmount := data.framework.scratch_unmount
+rw_mount_device := data.framework.rw_mount_device
 reason := {"errors": data.framework.errors}
diff --git a/src/confcom/samples/vn2/read_only_mounts/policy.rego b/src/confcom/samples/vn2/read_only_mounts/policy.rego
index ae1c0fa9e80..97e45441e42 100644
--- a/src/confcom/samples/vn2/read_only_mounts/policy.rego
+++ b/src/confcom/samples/vn2/read_only_mounts/policy.rego
@@ -3,7 +3,7 @@ package policy
 import future.keywords.every
 import future.keywords.in
-api_version := "0.10.0"
+api_version := "0.11.0"
 framework_version := "0.2.3"
 fragments := [
@@ -388,6 +388,7 @@ runtime_logging := data.framework.runtime_logging
 load_fragment := data.framework.load_fragment
 scratch_mount := data.framework.scratch_mount
 scratch_unmount := data.framework.scratch_unmount
+rw_mount_device := data.framework.rw_mount_device
 reason := {"errors": data.framework.errors}
diff --git a/src/confcom/samples/vn2/resourcefieldref_env/policy.rego b/src/confcom/samples/vn2/resourcefieldref_env/policy.rego
index e616027f4ea..85335ff3366 100644
--- a/src/confcom/samples/vn2/resourcefieldref_env/policy.rego
+++ b/src/confcom/samples/vn2/resourcefieldref_env/policy.rego
@@ -3,7 +3,7 @@ package policy
 import future.keywords.every
 import future.keywords.in
-api_version := "0.10.0"
+api_version := "0.11.0"
 framework_version := "0.2.3"
 fragments := [
@@ -378,6 +378,7 @@ runtime_logging := data.framework.runtime_logging
 load_fragment := data.framework.load_fragment
 scratch_mount := data.framework.scratch_mount
 scratch_unmount := data.framework.scratch_unmount
+rw_mount_device := data.framework.rw_mount_device
 reason := {"errors": data.framework.errors}
diff --git a/src/confcom/samples/vn2/seccomp_profile/policy.rego b/src/confcom/samples/vn2/seccomp_profile/policy.rego
index aa2561c5174..6f134a716b5 100644
--- a/src/confcom/samples/vn2/seccomp_profile/policy.rego
+++ b/src/confcom/samples/vn2/seccomp_profile/policy.rego
@@ -3,7 +3,7 @@ package policy
 import future.keywords.every
 import future.keywords.in
-api_version := "0.10.0"
+api_version := "0.11.0"
 framework_version := "0.2.3"
 fragments := [
@@ -377,6 +377,7 @@ runtime_logging := data.framework.runtime_logging
 load_fragment := data.framework.load_fragment
 scratch_mount := data.framework.scratch_mount
 scratch_unmount := data.framework.scratch_unmount
+rw_mount_device := data.framework.rw_mount_device
 reason := {"errors": data.framework.errors}
diff --git a/src/confcom/samples/vn2/security_context_merge/policy.rego b/src/confcom/samples/vn2/security_context_merge/policy.rego
index fce047783cf..95604690b71 100644
--- a/src/confcom/samples/vn2/security_context_merge/policy.rego
+++ b/src/confcom/samples/vn2/security_context_merge/policy.rego
@@ -3,7 +3,7 @@ package policy
 import future.keywords.every
 import future.keywords.in
-api_version := "0.10.0"
+api_version := "0.11.0"
 framework_version := "0.2.3"
 fragments := [
@@ -368,6 +368,7 @@ runtime_logging := data.framework.runtime_logging
 load_fragment := data.framework.load_fragment
 scratch_mount := data.framework.scratch_mount
 scratch_unmount := data.framework.scratch_unmount
+rw_mount_device := data.framework.rw_mount_device
 reason := {"errors": data.framework.errors}
diff --git a/src/confcom/samples/vn2/signals/policy.rego b/src/confcom/samples/vn2/signals/policy.rego
index 9ad7c523839..892d06418bd 100644
--- a/src/confcom/samples/vn2/signals/policy.rego
+++ b/src/confcom/samples/vn2/signals/policy.rego
@@ -3,7 +3,7 @@ package policy
 import future.keywords.every
 import future.keywords.in
-api_version := "0.10.0"
+api_version := "0.11.0"
 framework_version := "0.2.3"
 fragments := [
@@ -383,6 +383,7 @@ runtime_logging := data.framework.runtime_logging
 load_fragment := data.framework.load_fragment
 scratch_mount := data.framework.scratch_mount
 scratch_unmount := data.framework.scratch_unmount
+rw_mount_device := data.framework.rw_mount_device
 reason := {"errors": data.framework.errors}
diff --git a/src/confcom/samples/vn2/special_env_regex/policy.rego b/src/confcom/samples/vn2/special_env_regex/policy.rego
index b35c8e8c9b7..7606a4a35d9 100644
--- a/src/confcom/samples/vn2/special_env_regex/policy.rego
+++ b/src/confcom/samples/vn2/special_env_regex/policy.rego
@@ -3,7 +3,7 @@ package policy
 import future.keywords.every
 import future.keywords.in
-api_version := "0.10.0"
+api_version := "0.11.0"
 framework_version := "0.2.3"
 fragments := [
@@ -378,6 +378,7 @@ runtime_logging := data.framework.runtime_logging
 load_fragment := data.framework.load_fragment
 scratch_mount := data.framework.scratch_mount
 scratch_unmount := data.framework.scratch_unmount
+rw_mount_device := data.framework.rw_mount_device
 reason := {"errors": data.framework.errors}
diff --git a/src/confcom/samples/vn2/volume_claim_templates/policy.rego b/src/confcom/samples/vn2/volume_claim_templates/policy.rego
index 07e15b4a62c..eb6f5fdb046 100644
--- a/src/confcom/samples/vn2/volume_claim_templates/policy.rego
+++ b/src/confcom/samples/vn2/volume_claim_templates/policy.rego
@@ -3,7 +3,7 @@ package policy
 import future.keywords.every
 import future.keywords.in
-api_version := "0.10.0"
+api_version := "0.11.0"
 framework_version := "0.2.3"
 fragments := [
@@ -378,6 +378,7 @@ runtime_logging := data.framework.runtime_logging
 load_fragment := data.framework.load_fragment
 scratch_mount := data.framework.scratch_mount
 scratch_unmount := data.framework.scratch_unmount
+rw_mount_device := data.framework.rw_mount_device
 reason := {"errors": data.framework.errors}
diff --git a/src/confcom/samples/vn2/workload_identity/policy.rego b/src/confcom/samples/vn2/workload_identity/policy.rego
index 7b3bd75f50e..3152c3b497c 100644
--- a/src/confcom/samples/vn2/workload_identity/policy.rego
+++ b/src/confcom/samples/vn2/workload_identity/policy.rego
@@ -3,7 +3,7 @@ package policy
 import future.keywords.every
 import future.keywords.in
-api_version := "0.10.0"
+api_version := "0.11.0"
 framework_version := "0.2.3"
 fragments := [
@@ -398,6 +398,7 @@ runtime_logging := data.framework.runtime_logging
 load_fragment := data.framework.load_fragment
 scratch_mount := data.framework.scratch_mount
 scratch_unmount := data.framework.scratch_unmount
+rw_mount_device := data.framework.rw_mount_device
 reason := {"errors": data.framework.errors}
diff --git a/src/confcom/setup.py b/src/confcom/setup.py
index a4cbb850a58..619dc9c9ce3 100644
--- a/src/confcom/setup.py
+++ b/src/confcom/setup.py
@@ -19,7 +19,7 @@
 logger.warn("Wheel is not available, disabling bdist_wheel hook")
-VERSION = "1.8.0"
+VERSION = "2.0.0b1"
 # The full list of classifiers is available at
 # https://pypi.python.org/pypi?%3Aaction=list_classifiers