
ROX-35289: add post-upgrade script to skip init container evaluation#123

Open
AlexVulaj wants to merge 4 commits into main from AlexVulaj/ROX-35289-skip-init-container-script

Conversation


@AlexVulaj AlexVulaj commented Jun 23, 2026


Description

Adds a post-upgrade script for customers upgrading to ACS 5.0+ who want to preserve the pre-5.0 behavior where init containers were not evaluated by policies.

Starting in 5.0, policies evaluate init containers by default. This script adds skipContainerTypes: ["INIT"] to all existing policies that don't already have an evaluation filter, effectively opting out of init container evaluation on a per-policy basis.

Features:

  • Version check (5.0+ required)
  • Skips build-only policies (container type filters don't apply at build time)
  • Skips policies that already have an evaluation filter
  • Confirmation prompt before making changes
  • Summary of updated/skipped policies

Tested against a live ACS deployment.

Policy-as-Code users are directed to update their CRD manifests directly instead of running the script (see README).

Sample output of test run:

$ ./skip-init-container-evaluation.sh
ACS version: 4.12.x-325-gefd770a86c // I allowed 4.x when testing locally because 5.x doesn't exist yet
Found 89 policies

  Update "30-Day Scan Age"? (yes/no/all): no
  SKIP: "30-Day Scan Age" — skipped by user
  Update "90-Day Image Age"? (yes/no/all): yes
  UPDATED: "90-Day Image Age"
  Update "ADD Command used instead of COPY"? (yes/no/all): all
  UPDATED: "ADD Command used instead of COPY"
  UPDATED: "Alpine Linux Package Manager (apk) in Image"
  UPDATED: "Alpine Linux Package Manager Execution"
  UPDATED: "Apache Struts: CVE-2017-5638"
  UPDATED: "CAP_SYS_ADMIN capability added"
  UPDATED: "chkconfig Execution"
  UPDATED: "Compiler Tool Execution"
  UPDATED: "Container using read-write root filesystem"
  UPDATED: "Container with privilege escalation allowed"
  UPDATED: "crontab Execution"
  UPDATED: "Cryptocurrency Mining Process Execution"
  UPDATED: "Curl in Image"
  UPDATED: "Deployments should have at least one egress Network Policy"
  UPDATED: "Deployments should have at least one ingress Network Policy"
  UPDATED: "Deployments with externally exposed endpoints"
  UPDATED: "Docker CIS 4.1: Ensure That a User for the Container Has Been Created"
  SKIP: "Docker CIS 4.4: Ensure images are scanned and rebuilt to include security patches" — build-only policy
  UPDATED: "Docker CIS 4.7: Alert on Update Instruction"
  UPDATED: "Docker CIS 5.15: Ensure that the host's process namespace is not shared"
  UPDATED: "Docker CIS 5.16: Ensure that the host's IPC namespace is not shared"
  UPDATED: "Docker CIS 5.19: Ensure mount propagation mode is not enabled"
  UPDATED: "Docker CIS 5.1 Ensure that, if applicable, an AppArmor Profile is enabled"
  UPDATED: "Docker CIS 5.21: Ensure the default seccomp profile is not disabled"
  UPDATED: "Docker CIS 5.7: Ensure privileged ports are not mapped within containers"
  UPDATED: "Docker CIS 5.9 and 5.20: Ensure that the host's network namespace is not shared"
  UPDATED: "Drop All Capabilities"
  UPDATED: "Emergency Deployment Annotation"
  UPDATED: "Environment Variable Contains Secret"
  UPDATED: "Fixable CVSS >= 6 and Privileged"
  UPDATED: "Fixable CVSS >= 7"
  UPDATED: "Fixable Severity at least Important"
  UPDATED: "Images with no scans"
  UPDATED: "Improper Usage of Orchestrator Secrets Volume"
  UPDATED: "Insecure specified in CMD"
  UPDATED: "iptables Execution"
  UPDATED: "Iptables or nftables Executed in Privileged Container"
  UPDATED: "Kubernetes Actions: Attach to Pod"
  UPDATED: "Kubernetes Actions: Exec into Pod"
  UPDATED: "Kubernetes Actions: Port Forward to Pod"
  UPDATED: "Kubernetes Dashboard Deployed"
  UPDATED: "Latest tag"
  UPDATED: "Linux Group Add Execution"
  UPDATED: "Linux User Add Execution"
  UPDATED: "Log4Shell: log4j Remote Code Execution vulnerability"
  UPDATED: "Login Binaries"
  UPDATED: "Mount Container Runtime Socket"
  UPDATED: "Mounting Sensitive Host Directories"
  UPDATED: "Netcat Execution Detected"
  UPDATED: "Network Management Execution"
  UPDATED: "nmap Execution"
  UPDATED: "No CPU request or memory limit specified"
  SKIP: "OpenShift: Central Admin Secret Accessed" — audit log event policy
  SKIP: "OpenShift: Kubeadmin Secret Accessed" — audit log event policy
  SKIP: "OpenShift: Kubernetes Secret Accessed by an Impersonated User" — audit log event policy
  UPDATED: "Password Binaries"
  UPDATED: "Pod Service Account Token Automatically Mounted"
  UPDATED: "Privileged Container"
  UPDATED: "Privileged Containers with Important and Critical Fixable CVEs"
  UPDATED: "Process Targeting Cluster Kubelet Endpoint"
  UPDATED: "Process Targeting Cluster Kubernetes Docker Stats Endpoint"
  UPDATED: "Process Targeting Kubernetes Service Endpoint"
  UPDATED: "Process with UID 0"
  UPDATED: "Rapid Reset: Denial of Service Vulnerability in HTTP/2 Protocol"
  UPDATED: "Red Hat images must be signed by a Red Hat release key"
  UPDATED: "Red Hat Package Manager Execution"
  UPDATED: "Red Hat Package Manager in Image"
  UPDATED: "Remote File Copy Binary Execution"
  UPDATED: "Required Annotation: Email"
  UPDATED: "Required Annotation: Owner/Team"
  UPDATED: "Required Image Label"
  UPDATED: "Required Label: Owner/Team"
  UPDATED: "Secret Mounted as Environment Variable"
  UPDATED: "Secure Shell Server (sshd) Execution"
  UPDATED: "Secure Shell (ssh) Port Exposed"
  UPDATED: "Secure Shell (ssh) Port Exposed in Image"
  UPDATED: "SetUID Processes"
  UPDATED: "Shadow File Modification"
  UPDATED: "Shell Management"
  UPDATED: "Shell Spawned by Java Application"
  UPDATED: "Spring4Shell (Spring Framework Remote Code Execution) and Spring Cloud Function vulnerabilities"
  UPDATED: "systemctl Execution"
  UPDATED: "systemd Execution"
  UPDATED: "Ubuntu Package Manager Execution"
  UPDATED: "Ubuntu Package Manager in Image"
  UPDATED: "Unauthorized Network Flow"
  UPDATED: "Unauthorized Process Execution"
  UPDATED: "Wget in Image"

Done. Updated: 84, Skipped: 5, Failed: 0, Total: 89
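The per-policy flow the description lists (version check aside), as an added dry-run example that is not the PR's script: it classifies each policy with the skip rules agreed in the review thread (existing evaluation filter, build-only, AUDIT_LOG_EVENT/NODE_EVENT, declarative source) and shows the jq merge that adds `skipContainerTypes: ["INIT"]` without clobbering other filter keys. The `eventSource` and `source` field names and the sample policies are assumptions; it needs bash and jq.

```shell
#!/usr/bin/env bash
# Added example, not the script under review: a dry run that applies the skip
# rules agreed in this thread and the jq merge that adds skipContainerTypes.
# The policy field names eventSource and source are assumptions.
set -euo pipefail
# Read one policy (JSON on stdin); print "UPDATE" or "SKIP: <reason>".
# 'jq -r' with a '// default' exits 0 on a missing key, so it is safe under
# set -e, whereas 'jq -e ... // empty' exits 4 when nothing is emitted.
classify_policy() {
    local policy filter stages event_source policy_source
    policy=$(cat)
    filter=$(jq -c '.evaluationFilter // {}' <<<"$policy")
    if [[ "$filter" != "{}" ]]; then
        echo "SKIP: evaluation filter already configured"; return 0
    fi
    stages=$(jq -r '.lifecycleStages // [] | .[]' <<<"$policy")
    if [[ "$stages" == "BUILD" ]]; then   # one stage per line; BUILD alone
        echo "SKIP: build-only policy"; return 0
    fi
    event_source=$(jq -r '.eventSource // "NOT_APPLICABLE"' <<<"$policy")
    case "$event_source" in
        AUDIT_LOG_EVENT) echo "SKIP: audit log event policy"; return 0 ;;
        NODE_EVENT)      echo "SKIP: node event policy"; return 0 ;;
    esac
    policy_source=$(jq -r '.source // "IMPERATIVE"' <<<"$policy")
    if [[ "$policy_source" == "DECLARATIVE" ]]; then
        echo "SKIP: declarative policy, edit its SecurityPolicy CR instead"; return 0
    fi
    echo "UPDATE"
}

# Merge rather than replace, so any other evaluationFilter keys survive.
apply_init_skip() {
    jq -c '.evaluationFilter = ((.evaluationFilter // {}) + {skipContainerTypes: ["INIT"]})'
}

# Constructed sample in the /v1/policies shape; the names are illustrative.
SAMPLE_POLICIES='{"policies":[
 {"name":"Latest tag","lifecycleStages":["BUILD","DEPLOY"]},
 {"name":"Docker CIS 4.4","lifecycleStages":["BUILD"]},
 {"name":"Central Admin Secret Accessed","lifecycleStages":["RUNTIME"],
  "eventSource":"AUDIT_LOG_EVENT"},
 {"name":"Already filtered","lifecycleStages":["DEPLOY"],
  "evaluationFilter":{"skipContainerTypes":["INIT"]}},
 {"name":"GitOps managed","lifecycleStages":["DEPLOY"],"source":"DECLARATIVE"}
]}'

# Walk a policy list (stdin) without PUTting anything; last line is the summary.
dry_run() {
    local list policy name verdict updated=0 skipped=0
    list=$(jq -c '.policies[]')
    while IFS= read -r policy; do
        name=$(jq -r '.name' <<<"$policy")
        verdict=$(classify_policy <<<"$policy")
        if [[ "$verdict" == "UPDATE" ]]; then
            apply_init_skip <<<"$policy" >/dev/null   # the real script PUTs this
            updated=$((updated + 1)); echo "UPDATED: \"$name\""
        else
            skipped=$((skipped + 1)); echo "SKIP: \"$name\" - ${verdict#SKIP: }"
        fi
    done <<<"$list"
    echo "updated=$updated skipped=$skipped"
}
dry_run <<<"$SAMPLE_POLICIES"
```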

@AlexVulaj AlexVulaj self-assigned this Jun 23, 2026

coderabbitai Bot commented Jun 23, 2026



📝 Walkthrough

Summary by CodeRabbit

  • New Features

    • Added a one-time utility to update existing policies so container evaluation skips init containers where needed.
    • The utility checks compatibility, walks through policies interactively, and reports updated, skipped, and failed items.
  • Documentation

    • Added setup and usage guidance, including required environment variables, prerequisites, and the interactive confirmation flow.
    • Documented which policies are skipped and how policy-as-code users can apply the same setting in manifests.

Walkthrough

Adds a Bash script and README under util-scripts/skip-init-container-evaluation/ for updating eligible ACS policies to set evaluationFilter.skipContainerTypes: ["INIT"].

Changes

Skip Init Container Evaluation Utility

Layer: Script flow and policy updates
File(s): util-scripts/skip-init-container-evaluation/skip-init-container-evaluation.sh
Summary: Validates required environment variables, checks ACS major version via /v1/metadata, lists policies from /v1/policies, prompts for confirmation, applies skip conditions, PUTs updated policy JSON, and reports updated, skipped, and failed counts.

Layer: Usage and CRD guidance
File(s): util-scripts/skip-init-container-evaluation/README.md
Summary: Describes the script purpose, required environment variables, prerequisites, interactive flow, skip conditions, and the SecurityPolicy CRD YAML needed for Policy-as-Code or GitOps users.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Pre-merge checks: 5 passed
Title check: Passed. The title clearly summarizes the main change: a post-upgrade script to skip init container evaluation.
Description check: Passed. The description matches the changeset and explains the script's purpose, behavior, and constraints.
Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@util-scripts/skip-init-container-evaluation/skip-init-container-evaluation.sh`:
- Line 22: The curl command uses the -k flag to disable TLS verification with
bearer token authentication, creating a significant security vulnerability that
allows MITM attacks. Replace all instances where curl is invoked with the -k
flag (appearing in the version assignment, and subsequent API calls throughout
the script) by gating the -k flag behind an explicit environment variable
opt-in. Create a conditional that only includes -k in the curl command when an
environment variable like SKIP_TLS_VERIFICATION is explicitly set to true or
similar value, ensuring TLS verification remains enabled by default while
allowing users to explicitly opt-in to insecure mode if required for their
environment.
- Around line 54-55: The script checks if skipContainerTypes already exists in
evaluationFilter to skip processing, but when updating the policy around line
70, it replaces the entire evaluationFilter object instead of merging with
existing fields. This causes loss of other filter fields in policies that
already have a different evaluationFilter. Modify the jq update operation to
merge the new skipContainerTypes with the existing evaluationFilter object using
jq's merge operator instead of replacing the entire evaluationFilter, ensuring
existing filter fields are preserved when the policy is updated.


📥 Commits

Reviewing files that changed from the base of the PR and between 5cb27fe and 9d37eb4.

📒 Files selected for processing (2)
  • util-scripts/skip-init-container-evaluation/README.md
  • util-scripts/skip-init-container-evaluation/skip-init-container-evaluation.sh

@AlexVulaj AlexVulaj force-pushed the AlexVulaj/ROX-35289-skip-init-container-script branch from 9d37eb4 to 52dd31f Compare June 23, 2026 18:55
@@ -0,0 +1,38 @@
# Skip Init Container Evaluation

Starting in ACS 5.0, policies evaluate init containers by default. This script adds `skipContainerTypes: ["INIT"]` to all existing policies that don't already have an evaluation filter, preserving the pre-5.0 behavior where init containers were not evaluated.
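Review bot: The intro paragraph says the script adds `skipContainerTypes: ["INIT"]` to "all existing policies that don't already have an evaluation filter", but per the rest of the thread it also leaves build-only, audit log event, node event and declarative policies untouched (the sample run in the description shows "build-only policy" and "audit log event policy" skips). Qualify this sentence or point to the skip-conditions section so an operator reading only the first paragraph knows which policies stay unchanged.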


that don't already have a container type evaluation filter

Author


After discussion, we intentionally skip policies with any evaluation filter (not just container type). This avoids the risk of overwriting other filter configurations like a future base image filter.

## Requirements

- ACS 5.0 or later
- `curl` and `jq` installed
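Review bot: The requirements list `curl` and `jq` but not bash, while the script relies on bash-only constructs (`[[ ... ]]` and `$(( ... ))` in the excerpts below) and `set -euo pipefail`; add bash to the list, and since a reviewer raised jq version differences, state the jq version the script was tested against.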


Would you suggest a version especially for "jq"? It behaves quite differently for different versions.

Author


I don't think we need anything special here - we're using very basic jq features that I believe are standard across versions (.evaluationFilter, -r, -e)


1. Checks that Central is running ACS 5.0+
2. Lists all policies and prompts for confirmation before making changes
3. For each policy without an existing evaluation filter, adds `skipContainerTypes: ["INIT"]`


We could have other evaluation filters, so, "container type filter" should be better.

Author


Same as above comment.


# Skip if any evaluation filter is already configured
existing_filter=$(echo "$policy" | jq -e '.evaluationFilter // empty' 2>/dev/null)
if [[ -n "$existing_filter" && "$existing_filter" != "{}" ]]; then
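Review bot: `jq -e '.evaluationFilter // empty'` exits with status 4 whenever nothing is emitted, i.e. for every policy that has no evaluation filter, which is exactly the case this script exists to update; under `set -euo pipefail` the assignment fails and the run aborts before the first PUT, and `2>/dev/null` hides why. Drop `-e`, emit a default instead of `empty` (`existing_filter=$(echo "$policy" | jq -c '.evaluationFilter // {}')`) and keep the `!= "{}"` comparison; the `-n` test then becomes redundant.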


We could add base image filter later. Please look deeper into this structure.

Author


After discussion, we've agreed that skipping any policy with an existing evaluation filter is the safest approach so as to not overwrite other filter types in the future.

echo " SKIP: \"$name\" — build-only policy"
skipped=$((skipped + 1))
continue
fi


In readme, you mentioned that the customer needs to change the PAC policies themselves. So do we want to skip declarative policies here?

Author


Nice catch - I've added a check here to skip Declarative sourced policies.


# Skip build-only policies — container type filters don't apply at build time
lifecycle_stages=$(echo "$policy" | jq -r '.lifecycleStages[]')
if [[ "$lifecycle_stages" == "BUILD" ]]; then
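Review bot: `jq -r '.lifecycleStages[]'` fails with "Cannot iterate over null" for a policy without `lifecycleStages`, and under `set -euo pipefail` that terminates the whole loop mid-run; use `.lifecycleStages // [] | .[]`. The `== "BUILD"` comparison is correct for "build-only" only because jq prints one stage per line, so a policy with BUILD and DEPLOY yields two lines and does not match; a comment saying so would spare the next reader a double take. The AUDIT_LOG_EVENT and NODE_EVENT skips mentioned later in the thread belong in this same block with their own SKIP reasons so the summary counts stay accurate.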


I am afraid there are more to skip.
Like audit log policies and node event policies.

Author


This is a great catch - I've added "AUDIT_LOG_EVENT" and "NODE_EVENT" checks here as well.

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@util-scripts/skip-init-container-evaluation/skip-init-container-evaluation.sh`:
- Around line 35-36: The skip-init-container-evaluation.sh summary currently
tracks only updated/skipped counts and still exits successfully even when a
policy PUT fails, so add a failure counter and propagate a non-zero exit status
when any update fails. Update the policy update loop and summary handling so
failed PUTs are counted, reflected in the final status/output, and the script
exits as failure whenever any update attempt does not succeed; use the existing
updated and skipped variables and the policy update logic to locate the fix.
- Around line 54-55: The `skip-init-container-evaluation.sh` flow is exiting
early because `jq -e` in the `existing_filter` assignment returns a failure when
`.evaluationFilter` is missing under `set -euo pipefail`. Update that `jq` call
to avoid non-zero exit on absent keys by using a non-failing extract mode and
defaulting to `{}` so the later `if [[ -n "$existing_filter" &&
"$existing_filter" != "{}" ]]` check still works. Keep the fix localized to the
`existing_filter` logic in the policy-processing block and preserve the current
behavior when a real filter is present.

📥 Commits

Reviewing files that changed from the base of the PR and between 9d37eb4 and 4c67286.

📒 Files selected for processing (2)
  • util-scripts/skip-init-container-evaluation/README.md
  • util-scripts/skip-init-container-evaluation/skip-init-container-evaluation.sh
✅ Files skipped from review due to trivial changes (1)
  • util-scripts/skip-init-container-evaluation/README.md

@coderabbitai coderabbitai Bot left a comment


Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
util-scripts/skip-init-container-evaluation/skip-init-container-evaluation.sh (1)

57-62: 🩺 Stability & Availability | 🟡 Minor

jq '.lifecycleStages[]' risks script termination under set -euo pipefail if the field is missing or null.

When processing policy input where lifecycleStages is absent or explicitly null, the command jq -r '.lifecycleStages[]' fails with "Cannot iterate over null". Due to pipefail and set -e, this error propagates and terminates the script immediately, skipping summary reporting and exit code logic.

Use the alternative // operator to default to an empty array, ensuring the loop handles missing data gracefully:

Diff
  lifecycle_stages=$(echo "$policy" | jq -r '.lifecycleStages[]')
+ lifecycle_stages=$(echo "$policy" | jq -r '.lifecycleStages // [] | .[]')
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In
`@util-scripts/skip-init-container-evaluation/skip-init-container-evaluation.sh`:
- Around line 57-62: The lifecycle stage parsing in the policy-processing flow
can fail when `lifecycleStages` is missing or null, causing `jq` to abort under
`set -euo pipefail`. Update the `lifecycle_stages` assignment in
`skip-init-container-evaluation.sh` to safely default absent values to an empty
array before iterating, so the `BUILD` check and the rest of the summary/exit
logic in this script continue to run. Use the existing
`policy`/`lifecycle_stages` handling block as the place to make this change.


📥 Commits

Reviewing files that changed from the base of the PR and between 4c67286 and 38b4e47.

📒 Files selected for processing (2)
  • util-scripts/skip-init-container-evaluation/README.md
  • util-scripts/skip-init-container-evaluation/skip-init-container-evaluation.sh
✅ Files skipped from review due to trivial changes (1)
  • util-scripts/skip-init-container-evaluation/README.md

@AlexVulaj AlexVulaj requested a review from c-du June 26, 2026 18:28