| 1 | +#!/bin/bash |
| 2 | +# Adds skipContainerTypes: ["INIT"] to all existing policies that don't already have it. |
| 3 | +# This is intended for customers upgrading to 5.0+ who want to preserve the pre-5.0 behavior |
| 4 | +# where init containers were not evaluated by policies. |
| 5 | + |
| 6 | +set -euo pipefail |
| 7 | + |
| 8 | +if [[ -z "${ROX_ENDPOINT:-}" ]]; then |
| 9 | + echo >&2 "ROX_ENDPOINT must be set" |
| 10 | + exit 1 |
| 11 | +fi |
| 12 | + |
| 13 | +if [[ -z "${ROX_API_TOKEN:-}" ]]; then |
| 14 | + echo >&2 "ROX_API_TOKEN must be set" |
| 15 | + exit 1 |
| 16 | +fi |
| 17 | + |
| 18 | +API="https://${ROX_ENDPOINT}" |
| 19 | +AUTH="Authorization: Bearer ${ROX_API_TOKEN}" |
| 20 | + |
| 21 | +# Version check — require 5.0+ |
| 22 | +version=$(curl -sk -H "$AUTH" "$API/v1/metadata" | jq -r '.version') |
| 23 | +major=$(echo "$version" | cut -d. -f1) |
| 24 | + |
| 25 | +if [[ "$major" -lt 5 ]]; then |
| 26 | + echo >&2 "This script requires ACS 5.0 or later (detected: $version)" |
| 27 | + exit 1 |
| 28 | +fi |
| 29 | + |
| 30 | +echo "ACS version: $version" |
| 31 | + |
| 32 | +# List all policies |
| 33 | +policies=$(curl -sk -H "$AUTH" "$API/v1/policies" | jq -r '.policies[].id') |
| 34 | +total=$(echo "$policies" | wc -l | tr -d ' ') |
| 35 | +updated=0 |
| 36 | +skipped=0 |
| 37 | + |
| 38 | +echo "Found $total policies" |
| 39 | +echo "" |
| 40 | +echo "This will add skipContainerTypes: [\"INIT\"] to all policies without an existing evaluation filter." |
| 41 | +echo "This action is not easily reversible." |
| 42 | +read -rp "Continue? (yes/no): " confirm |
| 43 | +if [[ "$confirm" != "yes" ]]; then |
| 44 | + echo "Aborted." |
| 45 | + exit 0 |
| 46 | +fi |
| 47 | +echo "" |
| 48 | + |
| 49 | +for id in $policies; do |
| 50 | + policy=$(curl -sk -H "$AUTH" "$API/v1/policies/$id") |
| 51 | + name=$(echo "$policy" | jq -r '.name') |
| 52 | + |
| 53 | + # Skip if any evaluation filter is already configured |
| 54 | + existing_filter=$(echo "$policy" | jq -e '.evaluationFilter // empty' 2>/dev/null) |
| 55 | + if [[ -n "$existing_filter" && "$existing_filter" != "{}" ]]; then |
| 56 | + echo " SKIP: \"$name\" — already has evaluation filter" |
| 57 | + skipped=$((skipped + 1)) |
| 58 | + continue |
| 59 | + fi |
| 60 | + |
| 61 | + # Skip build-only policies — container type filters don't apply at build time |
| 62 | + lifecycle_stages=$(echo "$policy" | jq -r '.lifecycleStages[]') |
| 63 | + if [[ "$lifecycle_stages" == "BUILD" ]]; then |
| 64 | + echo " SKIP: \"$name\" — build-only policy" |
| 65 | + skipped=$((skipped + 1)) |
| 66 | + continue |
| 67 | + fi |
| 68 | + |
| 69 | + # Add skipContainerTypes: ["INIT"] to the evaluation filter |
| 70 | + updated_policy=$(echo "$policy" | jq '.evaluationFilter = {"skipContainerTypes": ["INIT"]}') |
| 71 | + |
| 72 | + result=$(curl -sk -o /dev/null -w "%{http_code}" -XPUT -H "$AUTH" -H "Content-Type: application/json" \ |
| 73 | + "$API/v1/policies/$id" --data "$updated_policy") |
| 74 | + |
| 75 | + if [[ "$result" == "200" ]]; then |
| 76 | + echo " UPDATED: \"$name\"" |
| 77 | + updated=$((updated + 1)) |
| 78 | + else |
| 79 | + echo >&2 " ERROR: \"$name\" — HTTP $result" |
| 80 | + fi |
| 81 | +done |
| 82 | + |
| 83 | +echo "" |
| 84 | +echo "Done. Updated: $updated, Skipped: $skipped, Total: $total" |
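Review bot: All four curl calls (file lines 22, 33, 50 and 72) pass `-k`, so the bearer token in `$AUTH` is sent to `https://${ROX_ENDPOINT}` with certificate verification disabled, and because the header is given on the command line it is also visible to other local users via the process list for the duration of each request. I would drop `-k` in favour of `--cacert "${ROX_CA_CERT:?}"` (or make it opt-in through a variable) and pass the header from a file the script creates with `mktemp` and removes in an EXIT trap, e.g. `-H @"$hdr_file"`. Separately, `existing_filter=$(echo "$policy" | jq -e '.evaluationFilter // empty' 2>/dev/null)` on line 54 appears to exit non-zero when the filter is absent (`// empty` yields no output and `-e` reports that), and under `set -e` a failing command substitution in an assignment aborts the script on the first policy it was meant to update; `existing_filter=$(echo "$policy" | jq -c '.evaluationFilter // {}')` together with the existing `!= "{}"` comparison avoids both that and the hidden stderr. The version check on lines 22–25 has a similar gap: a non-200 response leaves `$version` as `null`, which `[[ ... -lt 5 ]]` treats as 0, so a guard such as `[[ "$major" =~ ^[0-9]+$ ]] || { echo >&2 "could not determine ACS version (got: $version)"; exit 1; }` before the comparison would give a clearer failure.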