From 52dd31f80734f1048828d4bd052bc2d88101f884 Mon Sep 17 00:00:00 2001
From: Alex Vulaj
Date: Tue, 23 Jun 2026 14:13:39 -0400
Subject: [PATCH] ROX-35289: add post-upgrade script to skip init container evaluation
---
 .../skip-init-container-evaluation/README.md | 38 +++++++++
 .../skip-init-container-evaluation.sh | 84 +++++++++++++++++++
 2 files changed, 122 insertions(+)
 create mode 100644 util-scripts/skip-init-container-evaluation/README.md
 create mode 100755 util-scripts/skip-init-container-evaluation/skip-init-container-evaluation.sh
diff --git a/util-scripts/skip-init-container-evaluation/README.md b/util-scripts/skip-init-container-evaluation/README.md
new file mode 100644
index 0000000..3a085e1
--- /dev/null
+++ b/util-scripts/skip-init-container-evaluation/README.md
@@ -0,0 +1,38 @@
+# Skip Init Container Evaluation
+
+Starting in ACS 5.0, policies evaluate init containers by default. This script adds `skipContainerTypes: ["INIT"]` to all existing policies that don't already have an evaluation filter, preserving the pre-5.0 behavior where init containers were not evaluated.
+
+## Usage
+
+```bash
+export ROX_ENDPOINT="central.example.com:443"
+export ROX_API_TOKEN="your-api-token"
+
+./skip-init-container-evaluation.sh
+```
+
+## Requirements
+
+- ACS 5.0 or later
+- `curl` and `jq` installed
+- An API token with policy read/write permissions
+
+## What it does
+
+1. Checks that Central is running ACS 5.0+
+2. Lists all policies and prompts for confirmation before making changes
+3. For each policy without an existing evaluation filter, adds `skipContainerTypes: ["INIT"]`
+4. Skips policies that already have a container type filter set
+5. Skips build-only policies (container type filters are not applicable at build time)
+
+## Policy-as-Code users
+
+If you manage policies via SecurityPolicy CRDs and a GitOps workflow, update your policy manifests directly instead of running this script. Add the following to each policy spec:
+
+```yaml
+spec:
+ # ... existing policy fields ...
+ evaluationFilter:
+ skipContainerTypes:
+ - INIT
+```
diff --git a/util-scripts/skip-init-container-evaluation/skip-init-container-evaluation.sh b/util-scripts/skip-init-container-evaluation/skip-init-container-evaluation.sh
new file mode 100755
index 0000000..1be2632
--- /dev/null
+++ b/util-scripts/skip-init-container-evaluation/skip-init-container-evaluation.sh
@@ -0,0 +1,84 @@
+#!/bin/bash
+# Adds skipContainerTypes: ["INIT"] to all existing policies that don't already have it.
+# This is intended for customers upgrading to 5.0+ who want to preserve the pre-5.0 behavior
+# where init containers were not evaluated by policies.
+
+set -euo pipefail
+
+if [[ -z "${ROX_ENDPOINT:-}" ]]; then
+ echo >&2 "ROX_ENDPOINT must be set"
+ exit 1
+fi
+
+if [[ -z "${ROX_API_TOKEN:-}" ]]; then
+ echo >&2 "ROX_API_TOKEN must be set"
+ exit 1
+fi
+
+API="https://${ROX_ENDPOINT}"
+AUTH="Authorization: Bearer ${ROX_API_TOKEN}"
+
+# Version check — require 5.0+
+version=$(curl -sk -H "$AUTH" "$API/v1/metadata" | jq -r '.version')
+major=$(echo "$version" | cut -d. -f1)
+
+if [[ "$major" -lt 5 ]]; then
+ echo >&2 "This script requires ACS 5.0 or later (detected: $version)"
+ exit 1
+fi
+
+echo "ACS version: $version"
+
+# List all policies
+policies=$(curl -sk -H "$AUTH" "$API/v1/policies" | jq -r '.policies[].id')
+total=$(echo "$policies" | wc -l | tr -d ' ')
+updated=0
+skipped=0
+
+echo "Found $total policies"
+echo ""
+echo "This will add skipContainerTypes: [\"INIT\"] to all policies without an existing evaluation filter."
+echo "This action is not easily reversible."
+read -rp "Continue? (yes/no): " confirm
+if [[ "$confirm" != "yes" ]]; then
+ echo "Aborted."
+ exit 0
+fi
+echo ""
+
+for id in $policies; do
+ policy=$(curl -sk -H "$AUTH" "$API/v1/policies/$id")
+ name=$(echo "$policy" | jq -r '.name')
+
+ # Skip if any evaluation filter is already configured
+ existing_filter=$(echo "$policy" | jq -e '.evaluationFilter // empty' 2>/dev/null)
+ if [[ -n "$existing_filter" && "$existing_filter" != "{}" ]]; then
+ echo " SKIP: \"$name\" — already has evaluation filter"
+ skipped=$((skipped + 1))
+ continue
+ fi
+
+ # Skip build-only policies — container type filters don't apply at build time
+ lifecycle_stages=$(echo "$policy" | jq -r '.lifecycleStages[]')
+ if [[ "$lifecycle_stages" == "BUILD" ]]; then
+ echo " SKIP: \"$name\" — build-only policy"
+ skipped=$((skipped + 1))
+ continue
+ fi
+
+ # Add skipContainerTypes: ["INIT"] to the evaluation filter
+ updated_policy=$(echo "$policy" | jq '.evaluationFilter = {"skipContainerTypes": ["INIT"]}')
+
+ result=$(curl -sk -o /dev/null -w "%{http_code}" -XPUT -H "$AUTH" -H "Content-Type: application/json" \
+ "$API/v1/policies/$id" --data "$updated_policy")
+
+ if [[ "$result" == "200" ]]; then
+ echo " UPDATED: \"$name\""
+ updated=$((updated + 1))
+ else
+ echo >&2 " ERROR: \"$name\" — HTTP $result"
+ fi
+done
+
+echo ""
+echo "Done. Updated: $updated, Skipped: $skipped, Total: $total"
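Review bot: Every `curl` call in this hunk uses `-k`, so the bearer token in `$AUTH` — which the README says carries policy write rights — and each rewritten policy are sent over a TLS session whose server certificate is never checked, letting anyone on the path to Central capture the token or tamper with the policies being written. Central frequently runs with a self-signed certificate, which is presumably why `-k` is here, but the fix is to verify by default and let the caller supply that CA (`ROX_CA_CERT` → `--cacert`), keeping `-k` behind a loudly named opt-in, as in the excerpt below. Separately, `existing_filter=$(echo "$policy" | jq -e '.evaluationFilter // empty' 2>/dev/null)` looks like it aborts the whole run under `set -e` on the very policies the script exists to change: when `evaluationFilter` is null or absent, `jq -e` emits nothing and exits 4, the assignment inherits that status, and the script dies before reaching the PUT — unless Central always returns an object there, which I can't confirm from this diff; `jq -c '.evaluationFilter // empty'` without `-e` keeps the emptiness test and exits 0. The GETs also run without `--fail`, so a 401/403 or a wrong endpoint yields a JSON error body that flows through `jq` and, for the per-policy fetch, on into the PUT. Passing the token via `-H "$AUTH"` additionally exposes it to anyone who can list processes on the operator's machine; `-H @<(printf 'Authorization: Bearer %s\n' "$ROX_API_TOKEN")` or a `--config` file keeps it off argv, though I have left that out of the excerpt.
```shell
API="https://${ROX_ENDPOINT}"
AUTH="Authorization: Bearer ${ROX_API_TOKEN}"

# TLS: verify Central's certificate by default; ROX_CA_CERT supplies a private CA.
# -k is honoured only behind an explicit, loudly named opt-in.
curl_opts=(-s)
if [[ -n "${ROX_CA_CERT:-}" ]]; then
  curl_opts+=(--cacert "$ROX_CA_CERT")
elif [[ "${ROX_INSECURE_SKIP_TLS_VERIFY:-}" == "true" ]]; then
  echo >&2 "WARNING: TLS certificate verification disabled (ROX_INSECURE_SKIP_TLS_VERIFY=true)"
  curl_opts+=(-k)
fi

# --fail so an auth/connectivity error aborts instead of feeding an error body to jq
version=$(curl --fail "${curl_opts[@]}" -H "$AUTH" "$API/v1/metadata" | jq -r '.version')
# … unchanged: version check, policy listing (same curl form as above), confirmation prompt …
  policy=$(curl --fail "${curl_opts[@]}" -H "$AUTH" "$API/v1/policies/$id")
  name=$(echo "$policy" | jq -r '.name')
  # no -e: a null/absent filter must yield empty output with exit 0, not exit 4
  existing_filter=$(echo "$policy" | jq -c '.evaluationFilter // empty')
# … unchanged: skip checks; the PUT uses "${curl_opts[@]}" without --fail, since it inspects the status code itself …
```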