38 changes: 38 additions & 0 deletions util-scripts/skip-init-container-evaluation/README.md
@@ -0,0 +1,38 @@
# Skip Init Container Evaluation

Starting in ACS 5.0, policies evaluate init containers by default. This script adds `skipContainerTypes: ["INIT"]` to all existing policies that don't already have an evaluation filter, preserving the pre-5.0 behavior where init containers were not evaluated.

## Usage

```bash
export ROX_ENDPOINT="central.example.com:443"
export ROX_API_TOKEN="your-api-token"

./skip-init-container-evaluation.sh
```

## Requirements

- ACS 5.0 or later
- `curl` and `jq` installed
- An API token with policy read/write permissions

## What it does

1. Checks that Central is running ACS 5.0+
2. Lists all policies and prompts for confirmation before making changes
3. For each policy without an existing evaluation filter, adds `skipContainerTypes: ["INIT"]`
4. Skips policies that already have a container type filter set
5. Skips build-only policies (container type filters are not applicable at build time)

## Policy-as-Code users

If you manage policies via SecurityPolicy CRDs and a GitOps workflow, update your policy manifests directly instead of running this script. Add the following to each policy spec:

```yaml
spec:
# ... existing policy fields ...
evaluationFilter:
skipContainerTypes:
- INIT
```
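Review bot: the README never tells the reader that this change is hard to undo, although the script itself prints "This action is not easily reversible." before asking for confirmation; the "What it does" section should state that plainly and advise keeping a copy of the current policies (for example the output of the `/v1/policies/<id>` GET the script already performs) before answering `yes`. It would also help to say in "Usage" that the script is interactive and expects `yes` typed at the prompt, so nobody wires it into a non-interactive pipeline and has it exit at `read`.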
@@ -0,0 +1,84 @@
#!/bin/bash
# Adds skipContainerTypes: ["INIT"] to all existing policies that don't already have it.
# This is intended for customers upgrading to 5.0+ who want to preserve the pre-5.0 behavior
# where init containers were not evaluated by policies.

set -euo pipefail

if [[ -z "${ROX_ENDPOINT:-}" ]]; then
echo >&2 "ROX_ENDPOINT must be set"
exit 1
fi

if [[ -z "${ROX_API_TOKEN:-}" ]]; then
echo >&2 "ROX_API_TOKEN must be set"
exit 1
fi

API="https://${ROX_ENDPOINT}"
AUTH="Authorization: Bearer ${ROX_API_TOKEN}"

# Version check — require 5.0+
version=$(curl -sk -H "$AUTH" "$API/v1/metadata" | jq -r '.version')

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Bearer-token API calls disable TLS verification.

Using curl -k for authenticated requests allows MITM interception/tampering on the connection path. For a policy-mutation script, this is a significant security risk.

Suggested fix
-version=$(curl -sk -H "$AUTH" "$API/v1/metadata" | jq -r '.version')
+version=$(curl -sS --fail -H "$AUTH" "$API/v1/metadata" | jq -r '.version')
@@
-policies=$(curl -sk -H "$AUTH" "$API/v1/policies" | jq -r '.policies[].id')
+policies=$(curl -sS --fail -H "$AUTH" "$API/v1/policies" | jq -r '.policies[].id')
@@
-  policy=$(curl -sk -H "$AUTH" "$API/v1/policies/$id")
+  policy=$(curl -sS --fail -H "$AUTH" "$API/v1/policies/$id")
@@
-  result=$(curl -sk -o /dev/null -w "%{http_code}" -XPUT -H "$AUTH" -H "Content-Type: application/json" \
+  result=$(curl -sS --fail -o /dev/null -w "%{http_code}" -XPUT -H "$AUTH" -H "Content-Type: application/json" \
     "$API/v1/policies/$id" --data "$updated_policy")

If insecure TLS is required for some environments, gate it behind an explicit opt-in env var instead of defaulting to -k. As per path instructions, this is a major security issue to prioritize.

Also applies to: 33-33, 50-50, 72-73

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.

In `@util-scripts/skip-init-container-evaluation/skip-init-container-evaluation.sh` at line 22, the curl command uses the -k flag to disable TLS verification with bearer token authentication, creating a significant security vulnerability that allows MITM attacks. Replace all instances where curl is invoked with the -k flag (appearing in the version assignment, and subsequent API calls throughout the script) by gating the -k flag behind an explicit environment variable opt-in. Create a conditional that only includes -k in the curl command when an environment variable like SKIP_TLS_VERIFICATION is explicitly set to true or a similar value, ensuring TLS verification remains enabled by default while allowing users to explicitly opt in to insecure mode if required for their environment.

Source: Path instructions

major=$(echo "$version" | cut -d. -f1)

if [[ "$major" -lt 5 ]]; then
echo >&2 "This script requires ACS 5.0 or later (detected: $version)"
exit 1
fi

echo "ACS version: $version"

# List all policies
policies=$(curl -sk -H "$AUTH" "$API/v1/policies" | jq -r '.policies[].id')
total=$(echo "$policies" | wc -l | tr -d ' ')
updated=0
skipped=0

echo "Found $total policies"
echo ""
echo "This will add skipContainerTypes: [\"INIT\"] to all policies without an existing evaluation filter."
echo "This action is not easily reversible."
read -rp "Continue? (yes/no): " confirm
if [[ "$confirm" != "yes" ]]; then
echo "Aborted."
exit 0
fi
echo ""

for id in $policies; do
policy=$(curl -sk -H "$AUTH" "$API/v1/policies/$id")
name=$(echo "$policy" | jq -r '.name')

# Skip if any evaluation filter is already configured
existing_filter=$(echo "$policy" | jq -e '.evaluationFilter // empty' 2>/dev/null)
if [[ -n "$existing_filter" && "$existing_filter" != "{}" ]]; then
echo " SKIP: \"$name\" — already has evaluation filter"
skipped=$((skipped + 1))
continue
fi

# Skip build-only policies — container type filters don't apply at build time
lifecycle_stages=$(echo "$policy" | jq -r '.lifecycleStages[]')
if [[ "$lifecycle_stages" == "BUILD" ]]; then
echo " SKIP: \"$name\" — build-only policy"
skipped=$((skipped + 1))
continue
fi

# Add skipContainerTypes: ["INIT"] to the evaluation filter
updated_policy=$(echo "$policy" | jq '.evaluationFilter = {"skipContainerTypes": ["INIT"]}')

result=$(curl -sk -o /dev/null -w "%{http_code}" -XPUT -H "$AUTH" -H "Content-Type: application/json" \
"$API/v1/policies/$id" --data "$updated_policy")

if [[ "$result" == "200" ]]; then
echo " UPDATED: \"$name\""
updated=$((updated + 1))
else
echo >&2 " ERROR: \"$name\" — HTTP $result"
fi
done

echo ""
echo "Done. Updated: $updated, Skipped: $skipped, Total: $total"
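Review bot: `existing_filter=$(echo "$policy" | jq -e '.evaluationFilter // empty' 2>/dev/null)` aborts the whole run under `set -euo pipefail` for any policy whose JSON has no `evaluationFilter` key at all: `// empty` yields no output, `jq -e` then exits with status 4, `pipefail` propagates it through the pipeline, and `errexit` stops the loop on exactly the policies this script exists to update (only policies that come back with `"evaluationFilter": {}` survive the check). Drop the `-e` flag, since the `-n "$existing_filter"` test already covers the missing case, or append `|| true` to the substitution. Two smaller points in the same region: `total=$(echo "$policies" | wc -l | tr -d ' ')` reports 1 for an empty policy list because `echo ""` still emits a newline, so guard with `[[ -n "$policies" ]]` before counting; and if `--fail` from the TLS comment above is adopted on the PUT, any non-2xx response makes curl exit non-zero inside `result=$(...)`, so `errexit` terminates the script before the `ERROR: "$name" — HTTP $result` branch can run and the remaining policies are never processed. Keep `--fail` off that one call (or add `|| true`) so the explicit status-code check stays meaningful.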