From 52dd31f80734f1048828d4bd052bc2d88101f884 Mon Sep 17 00:00:00 2001
From: Alex Vulaj
Date: Tue, 23 Jun 2026 14:13:39 -0400
Subject: [PATCH 1/4] ROX-35289: add post-upgrade script to skip init container evaluation
---
 .../skip-init-container-evaluation/README.md | 38 +++++++++
 .../skip-init-container-evaluation.sh | 84 +++++++++++++++++++
 2 files changed, 122 insertions(+)
 create mode 100644 util-scripts/skip-init-container-evaluation/README.md
 create mode 100755 util-scripts/skip-init-container-evaluation/skip-init-container-evaluation.sh
diff --git a/util-scripts/skip-init-container-evaluation/README.md b/util-scripts/skip-init-container-evaluation/README.md
new file mode 100644
index 0000000..3a085e1
--- /dev/null
+++ b/util-scripts/skip-init-container-evaluation/README.md
@@ -0,0 +1,38 @@
+# Skip Init Container Evaluation
+
+Starting in ACS 5.0, policies evaluate init containers by default. This script adds `skipContainerTypes: ["INIT"]` to all existing policies that don't already have an evaluation filter, preserving the pre-5.0 behavior where init containers were not evaluated.
+
+## Usage
+
+```bash
+export ROX_ENDPOINT="central.example.com:443"
+export ROX_API_TOKEN="your-api-token"
+
+./skip-init-container-evaluation.sh
+```
+
+## Requirements
+
+- ACS 5.0 or later
+- `curl` and `jq` installed
+- An API token with policy read/write permissions
+
+## What it does
+
+1. Checks that Central is running ACS 5.0+
+2. Lists all policies and prompts for confirmation before making changes
+3. For each policy without an existing evaluation filter, adds `skipContainerTypes: ["INIT"]`
+4. Skips policies that already have a container type filter set
+5. Skips build-only policies (container type filters are not applicable at build time)
+
+## Policy-as-Code users
+
+If you manage policies via SecurityPolicy CRDs and a GitOps workflow, update your policy manifests directly instead of running this script. Add the following to each policy spec:
+
+```yaml
+spec:
+ # ... existing policy fields ...
+ evaluationFilter:
+ skipContainerTypes:
+ - INIT
+```
diff --git a/util-scripts/skip-init-container-evaluation/skip-init-container-evaluation.sh b/util-scripts/skip-init-container-evaluation/skip-init-container-evaluation.sh
new file mode 100755
index 0000000..1be2632
--- /dev/null
+++ b/util-scripts/skip-init-container-evaluation/skip-init-container-evaluation.sh
@@ -0,0 +1,84 @@
+#!/bin/bash
+# Adds skipContainerTypes: ["INIT"] to all existing policies that don't already have it.
+# This is intended for customers upgrading to 5.0+ who want to preserve the pre-5.0 behavior
+# where init containers were not evaluated by policies.
+
+set -euo pipefail
+
+if [[ -z "${ROX_ENDPOINT:-}" ]]; then
+ echo >&2 "ROX_ENDPOINT must be set"
+ exit 1
+fi
+
+if [[ -z "${ROX_API_TOKEN:-}" ]]; then
+ echo >&2 "ROX_API_TOKEN must be set"
+ exit 1
+fi
+
+API="https://${ROX_ENDPOINT}"
+AUTH="Authorization: Bearer ${ROX_API_TOKEN}"
+
+# Version check — require 5.0+
+version=$(curl -sk -H "$AUTH" "$API/v1/metadata" | jq -r '.version')
+major=$(echo "$version" | cut -d. -f1)
+
+if [[ "$major" -lt 5 ]]; then
+ echo >&2 "This script requires ACS 5.0 or later (detected: $version)"
+ exit 1
+fi
+
+echo "ACS version: $version"
+
+# List all policies
+policies=$(curl -sk -H "$AUTH" "$API/v1/policies" | jq -r '.policies[].id')
+total=$(echo "$policies" | wc -l | tr -d ' ')
+updated=0
+skipped=0
+
+echo "Found $total policies"
+echo ""
+echo "This will add skipContainerTypes: [\"INIT\"] to all policies without an existing evaluation filter."
+echo "This action is not easily reversible."
+read -rp "Continue? (yes/no): " confirm
+if [[ "$confirm" != "yes" ]]; then
+ echo "Aborted."
+ exit 0
+fi
+echo ""
+
+for id in $policies; do
+ policy=$(curl -sk -H "$AUTH" "$API/v1/policies/$id")
+ name=$(echo "$policy" | jq -r '.name')
+
+ # Skip if any evaluation filter is already configured
+ existing_filter=$(echo "$policy" | jq -e '.evaluationFilter // empty' 2>/dev/null)
+ if [[ -n "$existing_filter" && "$existing_filter" != "{}" ]]; then
+ echo " SKIP: \"$name\" — already has evaluation filter"
+ skipped=$((skipped + 1))
+ continue
+ fi
+
+ # Skip build-only policies — container type filters don't apply at build time
+ lifecycle_stages=$(echo "$policy" | jq -r '.lifecycleStages[]')
+ if [[ "$lifecycle_stages" == "BUILD" ]]; then
+ echo " SKIP: \"$name\" — build-only policy"
+ skipped=$((skipped + 1))
+ continue
+ fi
+
+ # Add skipContainerTypes: ["INIT"] to the evaluation filter
+ updated_policy=$(echo "$policy" | jq '.evaluationFilter = {"skipContainerTypes": ["INIT"]}')
+
+ result=$(curl -sk -o /dev/null -w "%{http_code}" -XPUT -H "$AUTH" -H "Content-Type: application/json" \
+ "$API/v1/policies/$id" --data "$updated_policy")
+
+ if [[ "$result" == "200" ]]; then
+ echo " UPDATED: \"$name\""
+ updated=$((updated + 1))
+ else
+ echo >&2 " ERROR: \"$name\" — HTTP $result"
+ fi
+done
+
+echo ""
+echo "Done. Updated: $updated, Skipped: $skipped, Total: $total"
From 4c67286f8b56f9ae08fd9a9e14fca93491a31fa7 Mon Sep 17 00:00:00 2001
From: Alex Vulaj
Date: Fri, 26 Jun 2026 11:04:12 -0400
Subject: [PATCH 2/4] ROX-35289: skip declarative, audit log, and node event policies
---
 .../skip-init-container-evaluation.sh | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/util-scripts/skip-init-container-evaluation/skip-init-container-evaluation.sh b/util-scripts/skip-init-container-evaluation/skip-init-container-evaluation.sh
index 1be2632..9cfc633 100755
--- a/util-scripts/skip-init-container-evaluation/skip-init-container-evaluation.sh
+++ b/util-scripts/skip-init-container-evaluation/skip-init-container-evaluation.sh
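Review bot: Every `curl` call in this hunk passes `-k`, so the bearer token in `$AUTH` and the policy bodies go to whatever answers at `$ROX_ENDPOINT` with no certificate validation, which silently defeats TLS for a credential that holds policy write permission; verification should be the default, with `--cacert <ca-bundle-path>` (placeholder) for a private Central CA and `-k` only as an explicit opt-in. The token also rides in argv through `-H "$AUTH"`, where `ps` and any `set -x` tracing can read it; `curl -H @<header-file>` or `--config` keeps it out of the process list. Separately, `total=$(echo "$policies" | wc -l | tr -d ' ')` reports 1 for an empty policy list because `echo` still emits a newline; a `[[ -n "$policies" ]]` guard before the count, exiting with a "no policies found" message, fixes the count and the empty loop in one place.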
@@ -66,6 +66,22 @@ for id in $policies; do
 continue
 fi
 
+ # Skip declarative (CRD-managed) policies — customers should update their CRD manifests directly
+ source=$(echo "$policy" | jq -r '.source')
+ if [[ "$source" == "DECLARATIVE" ]]; then
+ echo " SKIP: \"$name\" — declarative policy (update CRD directly)"
+ skipped=$((skipped + 1))
+ continue
+ fi
+
+ # Skip audit log and node event policies — they don't evaluate containers
+ event_source=$(echo "$policy" | jq -r '.eventSource')
+ if [[ "$event_source" == "AUDIT_LOG_EVENT" || "$event_source" == "NODE_EVENT" ]]; then
+ echo " SKIP: \"$name\" — $event_source policy (no container evaluation)"
+ skipped=$((skipped + 1))
+ continue
+ fi
+
 # Add skipContainerTypes: ["INIT"] to the evaluation filter
 updated_policy=$(echo "$policy" | jq '.evaluationFilter = {"skipContainerTypes": ["INIT"]}')
 
From 6cc34fb86578693f580e345fa6b1706c92e35c10 Mon Sep 17 00:00:00 2001
From: Alex Vulaj
Date: Fri, 26 Jun 2026 11:38:02 -0400
Subject: [PATCH 3/4] ROX-35289: fix jq -e under set -e, add failure counter and non-zero exit
---
 .../skip-init-container-evaluation.sh | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/util-scripts/skip-init-container-evaluation/skip-init-container-evaluation.sh b/util-scripts/skip-init-container-evaluation/skip-init-container-evaluation.sh
index 9cfc633..216029d 100755
--- a/util-scripts/skip-init-container-evaluation/skip-init-container-evaluation.sh
+++ b/util-scripts/skip-init-container-evaluation/skip-init-container-evaluation.sh
@@ -34,6 +34,7 @@ policies=$(curl -sk -H "$AUTH" "$API/v1/policies" | jq -r '.policies[].id')
 total=$(echo "$policies" | wc -l | tr -d ' ')
 updated=0
 skipped=0
+failed=0
 
 echo "Found $total policies"
 echo ""
@@ -51,8 +52,8 @@ for id in $policies; do
 name=$(echo "$policy" | jq -r '.name')
 
 # Skip if any evaluation filter is already configured
- existing_filter=$(echo "$policy" | jq -e '.evaluationFilter // empty' 2>/dev/null)
- if [[ -n "$existing_filter" && "$existing_filter" != "{}" ]]; then
+ existing_filter=$(echo "$policy" | jq '.evaluationFilter // empty' 2>/dev/null)
+ if [[ -n "$existing_filter" && "$existing_filter" != "{}" && "$existing_filter" != "null" ]]; then
 echo " SKIP: \"$name\" — already has evaluation filter"
 skipped=$((skipped + 1))
 continue
@@ -93,8 +94,13 @@ for id in $policies; do
 updated=$((updated + 1))
 else
 echo >&2 " ERROR: \"$name\" — HTTP $result"
+ failed=$((failed + 1))
 fi
 done
 
 echo ""
-echo "Done. Updated: $updated, Skipped: $skipped, Total: $total"
+echo "Done. Updated: $updated, Skipped: $skipped, Failed: $failed, Total: $total"
+
+if [[ "$failed" -gt 0 ]]; then
+ exit 1
+fi
From 38b4e47e0733ac38e9898cc81de2ee629b6cb116 Mon Sep 17 00:00:00 2001
From: Alex Vulaj
Date: Fri, 26 Jun 2026 14:23:49 -0400
Subject: [PATCH 4/4] ROX-35289: per-policy confirmation by default, clean up skip messages
---
 .../skip-init-container-evaluation/README.md | 12 ++++++--
 .../skip-init-container-evaluation.sh | 28 ++++++++++++-------
 2 files changed, 27 insertions(+), 13 deletions(-)
diff --git a/util-scripts/skip-init-container-evaluation/README.md b/util-scripts/skip-init-container-evaluation/README.md
index 3a085e1..32953cd 100644
--- a/util-scripts/skip-init-container-evaluation/README.md
+++ b/util-scripts/skip-init-container-evaluation/README.md
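Review bot: The `2>/dev/null` kept on the new `existing_filter=` line hides the only diagnostic `jq` would give when `$policy` is not JSON (for instance an error body from a 401/403 or a proxy page), and with `set -o pipefail` the assignment then aborts the whole run with no message part-way through the loop; dropping the redirect, or checking the HTTP status of the per-policy GET before parsing, would make that failure visible. The added `"$existing_filter" != "null"` clause is unreachable: `// empty` already turns `null` (and `false`) into empty output, so the first `-n` test covers it. The enclosing for loop starts before this hunk.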
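Review bot: The new `failed` counter and `exit 1` only account for HTTP-level errors: if `curl` itself fails (connection reset, TLS error, timeout) the `result=$(curl ...)` assignment just above this hunk returns non-zero, `set -e` ends the script at that policy, and neither the `Failed:` summary nor the non-zero exit added here is reached. `result=$(curl ...) || result="000"` keeps the loop running and routes the transport failure into the existing `else` branch, where it is counted and reported. The curl call and the start of the loop are outside this hunk.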
@@ -1,6 +1,8 @@
 # Skip Init Container Evaluation
 
-Starting in ACS 5.0, policies evaluate init containers by default. This script adds `skipContainerTypes: ["INIT"]` to all existing policies that don't already have an evaluation filter, preserving the pre-5.0 behavior where init containers were not evaluated.
+Starting in ACS 5.0, policies evaluate init containers by default. This script is a **one-time post-upgrade tool** that adds `skipContainerTypes: ["INIT"]` to all existing policies that don't already have an evaluation filter, preserving the pre-5.0 behavior where init containers were not evaluated.
+
+This script is not intended to be run repeatedly or as a long-term maintenance tool.
 
 ## Usage
 
@@ -11,6 +13,8 @@ export ROX_API_TOKEN="your-api-token"
 ./skip-init-container-evaluation.sh
 ```
 
+Each policy is presented for confirmation with options: `yes` (update this policy), `no` (skip this policy), or `all` (update this and all remaining policies without further prompts).
+
 ## Requirements
 
 - ACS 5.0 or later
@@ -21,9 +25,11 @@ export ROX_API_TOKEN="your-api-token"
 
 1. Checks that Central is running ACS 5.0+
 2. Lists all policies and prompts for confirmation before making changes
-3. For each policy without an existing evaluation filter, adds `skipContainerTypes: ["INIT"]`
-4. Skips policies that already have a container type filter set
+3. For each applicable policy without an existing evaluation filter, adds `skipContainerTypes: ["INIT"]`
+4. Skips policies that already have an evaluation filter
 5. Skips build-only policies (container type filters are not applicable at build time)
+6. Skips declarative (CRD-managed) policies
+7. Skips audit log and node event policies (they don't evaluate containers)
 
 ## Policy-as-Code users
 
diff --git a/util-scripts/skip-init-container-evaluation/skip-init-container-evaluation.sh b/util-scripts/skip-init-container-evaluation/skip-init-container-evaluation.sh
index 216029d..19d71c6 100755
--- a/util-scripts/skip-init-container-evaluation/skip-init-container-evaluation.sh
+++ b/util-scripts/skip-init-container-evaluation/skip-init-container-evaluation.sh
@@ -5,6 +5,8 @@
 
 set -euo pipefail
 
+CONFIRM_EACH=true
+
 if [[ -z "${ROX_ENDPOINT:-}" ]]; then
 echo >&2 "ROX_ENDPOINT must be set"
 exit 1
@@ -38,14 +40,6 @@ failed=0
 
 echo "Found $total policies"
 echo ""
-echo "This will add skipContainerTypes: [\"INIT\"] to all policies without an existing evaluation filter."
-echo "This action is not easily reversible."
-read -rp "Continue? (yes/no): " confirm
-if [[ "$confirm" != "yes" ]]; then
- echo "Aborted."
- exit 0
-fi
-echo ""
 
 for id in $policies; do
 policy=$(curl -sk -H "$AUTH" "$API/v1/policies/$id")
@@ -77,12 +71,26 @@ for id in $policies; do
 
 # Skip audit log and node event policies — they don't evaluate containers
 event_source=$(echo "$policy" | jq -r '.eventSource')
-if [[ "$event_source" == "AUDIT_LOG_EVENT" || "$event_source" == "NODE_EVENT" ]]; then
- echo " SKIP: \"$name\" — $event_source policy (no container evaluation)"
+ if [[ "$event_source" == "AUDIT_LOG_EVENT" ]]; then
+ echo " SKIP: \"$name\" — audit log event policy"
+ skipped=$((skipped + 1))
+ continue
+ fi
+ if [[ "$event_source" == "NODE_EVENT" ]]; then
+ echo " SKIP: \"$name\" — node event policy"
 skipped=$((skipped + 1))
 continue
 fi
 
+ if [[ "$CONFIRM_EACH" == "true" ]]; then
+ read -rp " Update \"$name\"? (yes/no/all): " answer
+ case "$answer" in
+ all) CONFIRM_EACH=false ;;
+ yes) ;;
+ *) echo " SKIP: \"$name\" — skipped by user"; skipped=$((skipped + 1)); continue ;;
+ esac
+ fi
+
+ # Add skipContainerTypes: ["INIT"] to the evaluation filter
 updated_policy=$(echo "$policy" | jq '.evaluationFilter = {"skipContainerTypes": ["INIT"]}')
 
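Review bot: `CONFIRM_EACH=true` is written in the upper-case constant style but is mutable state that the loop later flips to `false` on an `all` answer, and because it is hard-coded there is no way to run the tool unattended short of editing the file. `CONFIRM_EACH=${CONFIRM_EACH:-true}` keeps the interactive default while letting a scripted run pre-set it, and it then belongs in the README next to ROX_ENDPOINT and ROX_API_TOKEN. The variable is consumed in the last hunk of this file.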
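Review bot: Dropping this block also drops the only place the script states what it will change and that the change is not easily reversible; the per-policy prompt in the last hunk asks only `Update "<name>"?`. One line before the loop would keep that context, for example `echo "Confirmed policies get evaluationFilter.skipContainerTypes set to [\"INIT\"]; this is not easily reversible."`. The README still describes step 2 as prompting before making changes, so the warning is expected by readers of the documentation.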
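Review bot: `read -rp` returns non-zero at end of input, so when stdin is not a terminal (redirected from /dev/null, or a piped list of answers that runs out) `set -e` terminates the script at the first prompt with no message, no `Done.` summary and no `failed`-based exit status. `read -rp " Update \"$name\"? (yes/no/all): " answer || answer=no` turns end of input into the same skip path as an explicit `no`. The case arms are case-sensitive, so `Yes` and `YES` are counted as a user skip; if that is intended, a short comment on the `case` line would save the next reader the question. The for loop body continues past this hunk.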