Usage of multiple modules possible? #36

Open
Silvanoc opened this issue Jan 31, 2020 · 4 comments

Comments

@Silvanoc
Does the current implementation of the plugin allow splitting the policy into multiple modules? It doesn't look to me as if it would be possible.

If this possibility is missing, is it planned to add it?

@ashutosh-narkar
Member

You're right. From the code https://github.com/open-policy-agent/opa-docker-authz/blob/master/main.go#L162 it looks like a single policy file can be loaded. Can you expand on your use-case and the kind of policies you want to enforce?

@Silvanoc
Author

Silvanoc commented Feb 3, 2020

Use-case:

  • Docker host where docker-compose is "occasionally" used to manage the containers.
  • Policy to control the configuration of the containers.
  • Rules should be enforced on Docker using this plugin, but it should also be possible to tell in advance whether a docker-compose configuration will be executable or not.
  • Rule reuse desired as much as possible.

The idea is to have common rules in modules used by both Docker and docker-compose:

allow {
    privileged
    grant_privileges
}

And the specific rules like grant_privileges come from different modules depending on the tool (Docker authorization plugin or docker-compose configuration check).

This use-case has an ugly work-around for this limitation: finding out the Docker REST request that would result from a docker-compose configuration and passing it to the opa-docker-authz policy. But I don't really like it, and the question is also whether being able to have multiple modules is a feature desired by other users.

@ashutosh-narkar
Member

Maybe something like conftest could help with this?

    Rules should be enforced on Docker using this plugin, but it should also be possible to tell in
    advance whether a docker-compose configuration will be executable or not.

I can imagine the plugin leveraging the load API to load all the *.rego files in a directory.

@tsandall
Member

tsandall commented Feb 5, 2020

As @ashutosh-narkar mentioned, the implementation could be improved by using the rego.Load(path) option when preparing for evaluation here. The rego.Load(path) option accepts a path to a file or directory. If a directory is given, the option will load all files and directories, recursively.
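To make the layout the thread is converging on concrete, here is an added example (not code from the opa-docker-authz project, from conftest, or from any participant in this thread) of a policy tree split into one shared module plus one adapter module per tool. All three files live under one policies/ directory so that a recursive directory load, as rego.Load(path) does, picks them up together. The Docker Engine input shape (input.Method, input.Path, input.Body.Image, input.Body.HostConfig.Privileged), the Compose input shape (input.services), the package names and the image allow-list are assumptions made for illustration; the three "file:" comments mark where one fence would be split into three files.

```rego
# file: policies/common/privileges.rego  (shared by both tools)
package docker.common

# Constructed sample allow-list: images that may run with --privileged.
privileged_allowlist = {"registry.example.com/infra/node-exporter"}

# Shared decision logic. Each tool-specific module extracts `image`
# from its own input format and calls this function; if the body is
# undefined the call is undefined, so `not grant_privileges(x)` works.
grant_privileges(image) {
    privileged_allowlist[image]
}

# file: policies/authz/main.rego  (queried by the Docker authz plugin as data.docker.authz.allow)
package docker.authz

import data.docker.common

# Fail closed: anything the rules below do not explicitly allow is denied.
default allow = false

# Assumed request shape: Method/Path of the Engine API call and the
# parsed JSON body (HostConfig.Privileged, Image) for container create.
container_create {
    input.Method == "POST"
    regex.match(`^/(v[0-9.]+/)?containers/create`, input.Path)
}

privileged {
    input.Body.HostConfig.Privileged == true
}

# Requests other than container creation carry no container config to check.
allow {
    not container_create
}

# Unprivileged containers are fine (other checks, e.g. seccomp, would sit here too).
allow {
    container_create
    not privileged
}

# Privileged containers go through the shared allow-list.
allow {
    container_create
    privileged
    common.grant_privileges(input.Body.Image)
}

# file: policies/compose/main.rego  (run ahead of time with conftest, namespace docker.compose)
package docker.compose

import data.docker.common

# Assumed Compose shape: services.<name>.privileged / services.<name>.image.
# Same shared rule, different input format; one message per offending service.
deny[msg] {
    svc := input.services[name]
    svc.privileged == true
    not common.grant_privileges(svc.image)
    msg := sprintf("service %q is privileged but image %q is not allow-listed", [name, svc.image])
}
```

With the whole tree loaded (for example `opa eval -d policies/ -i request.json 'data.docker.authz.allow'`), the plugin also has the compose module in memory; that is harmless because it only queries `data.docker.authz.allow`. The same tree, pointed at a compose file (assuming conftest's `--policy policies/ --namespace docker.compose`), evaluates `data.docker.compose.deny` against the identical allow-list, which is the reuse the use-case asks for. The `default allow = false` line is the part worth keeping whatever the layout: if the input shape is not what the adapter expects, the request is denied rather than silently allowed.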
