policy - the CLI for managing authorization policies

The policy CLI is a tool for building, versioning and publishing your authorization policies. It uses OCI standards to manage artifacts, and the Open Policy Agent (OPA) to compile and run.



Documentation

Please refer to our documentation site for installation, usage, customization and tips.

Slack Channel

Wanna discuss features or show your support for this tool?


Installation

policy is available on Linux, macOS and Windows platforms.

  • Binaries for Linux, Windows and Mac are available as tarballs in the release page.

  • Via Homebrew for macOS or LinuxBrew for Linux

    brew tap opcr-io/tap && brew install opcr-io/tap/policy
  • Via a GO install

    # NOTE: The dev version will be in effect!
    go get -u github.com/opcr-io/policy

Building From Source

policy currently requires Go 1.16 or above. To build policy from source you must:

  1. Install mage

  2. Clone the repo

  3. Build and run the executable

    mage build && ./dist/build_linux_amd64/policy

Running with Docker

Running the official Docker image

You can run policy as a Docker container:

docker run -it --rm ghcr.io/opcr-io/policy:latest --help

The Command Line

$ policy --help
Usage: policy <command>

Flags:
  -h, --help             Show context-sensitive help.
  -c, --config="/home/toaster/.config/policy/config.yaml"
                         Path to the policy CLI config file.
      --debug            Enable debug mode.
  -v, --verbosity=INT    Use to increase output verbosity.

Commands:
  build <path> ...
    Build policies.

  list
    List policies.

  push <policy> ...
    Push policies to a registry.

  pull <policy> ...
    Pull policies from a registry.

  login
    Login to a registry.

  save <policy>
    Save a policy to a local bundle tarball.

  tag <policy> <tag>
    Create a new tag for an existing policy.

  rm <policy> ...
    Removes a policy from the local registry.

  run <policy>
    Sets you up with a shell for running queries using an OPA instance with a policy loaded.

  version
    Prints version information.

Run "policy  --help" for more information on a command.

Logs

Logs are printed to stderr. You can increase detail using the verbosity flag (e.g. -vvv).


Known Issues

This is still work in progress! If something is broken or there's a feature that you want, please file an issue and if so inclined submit a PR!


Credits

The policy CLI uses a lot of great and amazing open source projects and libraries. A big thank you to all of them!


Contributions Guideline

  • File an issue first prior to submitting a PR!
  • Ensure all exported items are properly commented
  • If applicable, submit a test suite against your PR
Owner

Open Policy Registry

Comments
  • CNCF TAG-Runtime Discussion/Presentation?


    Hello opcr team,

    I'm one of the co-chairs of the CNCF TAG-Runtime. I'm reaching out because I think it would be great for you to present/discuss the project at one of our meetings, for example how the project uses OCI as a standard to manage OPA policies.

    Let me know if this is something you'd be interested in doing. If yes, please feel free to add it to our agenda or reach out to me (raravena80 at gmail.com).

    Thanks!

  • installation instructions don't work with go1.18


    Scratch/oci % go version
    go version go1.18.1 darwin/amd64
    Scratch/oci % go get -u github.com/opcr-io/policy
    go: go.mod file not found in current directory or any parent directory.
            'go get' is no longer supported outside a module.
            To build and install a command, use 'go install' with a version,
            like 'go install example.com/cmd@latest'
            For more information, see https://golang.org/doc/go-get-install-deprecation
            or run 'go help get' or 'go help install'.
    
  • login with custom server and pipe won't work without `-d`


    With `echo $GH_PAT | policy login -s ghcr.io -u srenatus --password-stdin`:

    Since there's no TTY, it'll just loop forever:

    > [bool] Do you want to set this server as your default domain?[yes/no]:
    Invalid value.
      input:
    > [bool] Do you want to set this server as your default domain?[yes/no]:
    Invalid value.
      input:
    > [bool] Do you want to set this server as your default domain?[yes/no]:
    Invalid value.
      input:
    > [bool] Do you want to set this server as your default domain?[yes/no]:
    Invalid value.
      input:
    > [bool] Do you want to set this server as your default domain?[yes/no]:
    Invalid value.
      input:
    > [boolCmbool] Do you want to set this server as your default domain?[yes/no]:
    Invalid value.
      input:
    > [bool] Do you want to set this server as your default domain?[yes/no]:
    Invalid value.
      input:
    > [bool] Do you want to set this server as your default domain?[yes/no]:
    Invalid value.
      input:
    > [bool] Do you want to set this server as your default domain?[yes/no]:
    Invalid value.
      input:
    > [bool] Do you want to set this server as your default domain?[yes/no]:
    Invalid value.
      input:
    > [bool] Do you want to set this server as your default domain?[yes/no]:
    Invalid value.
      input:
    > [bool] Do you want to set this server as your default domain?[yes/no]:
    Invalid value.
      input:
    > [bool] Do you want to set this server as your default domain?[yes/no]:
    Invalid value.
      input:
    > [bool] Do you want to set this server as your default domain?[yes/no]:
    Invalid value.
    
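The hang reported above comes from re-prompting for a yes/no answer when stdin is a pipe, so no answer can ever arrive. The following Go program is an added illustration of the defensive pattern (not code from the policy CLI): detect whether stdin is a terminal with the standard library only, skip the prompt and take a safe default when it is not, and bound the interactive prompt so it stops on EOF or after a few bad answers instead of looping forever. The function names (`loginFlow`, `askYesNo`, `readPassword`), the prompt wording copied from the issue output and the constructed sample inputs are assumptions made for this example.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"os"
	"strings"
)

// ErrNoAnswer replaces the endless re-prompt: when input runs out before a
// valid yes/no arrives, the login aborts instead of spinning.
var ErrNoAnswer = errors.New("no valid yes/no answer before end of input")

// stdinIsTerminal reports whether os.Stdin is a character device (a TTY).
// A pipe such as `echo $GH_PAT | policy login ...` has no ModeCharDevice bit,
// so an interactive prompt must not be shown in that case.
func stdinIsTerminal() bool {
	fi, err := os.Stdin.Stat()
	if err != nil {
		return false
	}
	return fi.Mode()&os.ModeCharDevice != 0
}

// readLine returns the next line without its terminator; ok is false once the
// reader is exhausted.
func readLine(br *bufio.Reader) (string, bool) {
	line, err := br.ReadString('\n')
	if err != nil && line == "" {
		return "", false
	}
	return strings.TrimRight(line, "\r\n"), true
}

// readPassword consumes the first line of stdin as the secret, the way a
// --password-stdin flag is expected to behave. It never echoes the value.
func readPassword(br *bufio.Reader) (string, error) {
	pw, ok := readLine(br)
	if !ok || pw == "" {
		return "", errors.New("--password-stdin: empty password on stdin")
	}
	return pw, nil
}

// askYesNo prompts only when interactive; otherwise it returns def without
// touching the reader. Interactive prompts give up on EOF or after maxAttempts.
func askYesNo(br *bufio.Reader, out io.Writer, question string, interactive, def bool, maxAttempts int) (bool, error) {
	if !interactive {
		return def, nil
	}
	for attempt := 0; attempt < maxAttempts; attempt++ {
		fmt.Fprintf(out, "> [bool] %s [yes/no]: ", question)
		line, ok := readLine(br)
		if !ok {
			fmt.Fprintln(out)
			return false, ErrNoAnswer // EOF: stop instead of looping
		}
		switch strings.ToLower(strings.TrimSpace(line)) {
		case "y", "yes":
			return true, nil
		case "n", "no":
			return false, nil
		}
		fmt.Fprintln(out, "Invalid value.")
	}
	return false, ErrNoAnswer
}

// loginFlow models the sequence from the issue: read the token from stdin,
// then decide whether the server becomes the default domain. One bufio.Reader
// is shared by both steps so no piped bytes are lost between them.
func loginFlow(in io.Reader, out io.Writer, interactive bool) (token string, setDefault bool, err error) {
	br := bufio.NewReader(in)
	token, err = readPassword(br)
	if err != nil {
		return "", false, err
	}
	setDefault, err = askYesNo(br, out, "Do you want to set this server as your default domain?", interactive, false, 3)
	if err != nil {
		return "", false, err
	}
	return token, setDefault, nil
}

func main() {
	token, setDefault, err := loginFlow(os.Stdin, os.Stderr, stdinIsTerminal())
	if err != nil {
		fmt.Fprintln(os.Stderr, "login aborted:", err)
		os.Exit(1)
	}
	// Report only the token length, never the token itself.
	fmt.Fprintf(os.Stderr, "read %d-byte token; set as default domain: %v\n", len(token), setDefault)
}
```

Run it as `echo "$GH_PAT" | go run .` to see the non-interactive path take the default without prompting, and run it from a terminal to get the bounded prompt. The design choice worth copying is that the TTY check decides whether to ask at all; the attempt limit and EOF handling are a second line of defence for callers that force interactive mode anyway.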
  • Bump github.com/containerd/containerd from 1.5.9 to 1.5.10



    Bumps github.com/containerd/containerd from 1.5.9 to 1.5.10.

    Release notes

    Sourced from github.com/containerd/containerd's releases.

    containerd 1.5.10

    Welcome to the v1.5.10 release of containerd!

    The tenth patch release for containerd 1.5 includes a fix for CVE-2022-23648 and other issues.

    Notable Updates

    • Use fs.RootPath when mounting volumes (GHSA-crp2-qrr5-8pq7)
    • Return init pid when clean dead shim in runc.v1/v2 shims (#6570)
    • Handle sigint/sigterm in shimv2 (#6509)
    • Use readonly mount to read user/group info (#6503)

    See the changelog for complete list of changes

    Please try out the release binaries and report any issues at https://github.com/containerd/containerd/issues.

    Contributors

    • Derek McGowan
    • Wei Fu
    • Sebastiaan van Stijn
    • Phil Estes
    • Alexander Minbaev
    • Brian Goff
    • Daniel Canter
    • David Porter
    • Kazuyoshi Kato
    • Maksym Pavlenko
    • ruiwen-zhao

    Changes

    • [release/1.5] Prepare release notes for v1.5.10 (#6606)
      • Prepare release notes for v1.5.10
    • Github Security Advisory GHSA-crp2-qrr5-8pq7
      • Use fs.RootPath when mounting volumes
    • [release/1.5] runc.v1/v2: return init pid when clean dead shim (#6570)
      • runc.v1/v2: return init pid when clean dead shim
    • [release/1.5] Update Go to 1.16.14 (#6556)
      • [release/1.5] Update Go to 1.16.14
    • Wait for containerd installation in GCE scripts [1.5 backport] (#6552)
      • Wait for containerd installation in GCE scripts
    • [release/1.5] shimv2: handle sigint/sigterm (#6509)
      • shimv2: handle sigint/sigterm
    • [release/1.5] Update Go to 1.16.13 (#6526)

    ... (truncated)

    Changelog

    Sourced from github.com/containerd/containerd's changelog.

    Versioning and Release

    This document details the versioning and release plan for containerd. Stability is a top goal for this project and we hope that this document and the processes it entails will help to achieve that. It covers the release process, versioning numbering, backporting, API stability and support horizons.

    If you rely on containerd, it would be good to spend time understanding the areas of the API that are and are not supported and how they impact your project in the future.

    This document will be considered a living document. Supported timelines, backport targets and API stability guarantees will be updated here as they change.

    If there is something that you require or this document leaves out, please reach out by filing an issue.

    Releases

    Releases of containerd will be versioned using dotted triples, similar to Semantic Version. For the purposes of this document, we will refer to the respective components of this triple as <major>.<minor>.<patch>. The version number may have additional information, such as alpha, beta and release candidate qualifications. Such releases will be considered "pre-releases".

    Major and Minor Releases

    Major and minor releases of containerd will be made from main. Releases of containerd will be marked with GPG signed tags and announced at https://github.com/containerd/containerd/releases. The tag will be of the format v<major>.<minor>.<patch> and should be made with the command git tag -s v<major>.<minor>.<patch>.

    After a minor release, a branch will be created, with the format release/<major>.<minor> from the minor tag. All further patch releases will be done from that branch. For example, once we release v1.0.0, a branch release/1.0 will be created from that tag. All future patch releases will be done against that branch.

    Pre-releases

    Pre-releases, such as alphas, betas and release candidates will be conducted from their source branch. For major and minor releases, these releases will be done from main. For patch releases, these pre-releases should be done within the corresponding release branch.

    While pre-releases are done to assist in the stabilization process, no guarantees are provided.

    ... (truncated)

    Commits
    • 2a1d4db Merge pull request #6606 from dmcgowan/prepare-v1.5.10
    • c7085be Prepare release notes for v1.5.10
    • 5296045 Merge pull request from GHSA-crp2-qrr5-8pq7
    • 2cbf075 Merge pull request #6570 from fuweid/cp-6452
    • 6f45108 runc.v1/v2: return init pid when clean dead shim
    • d1d905b Use fs.RootPath when mounting volumes
    • 6ddbd47 Merge pull request #6556 from thaJeztah/1.5_bump_go_1.16.14
    • 24b9912 [release/1.5] Update Go to 1.16.14
    • f0f80cd Merge pull request #6552 from bobbypage/backport-6544-1-5
    • 2708d4a Wait for containerd installation in GCE scripts
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

  • update deps


    This PR:

    • moves the mage target definitions to ./magefiles folder
    • bumps runtime to v0.45.0 that uses OPA version v0.45.0
    • First pass of removing the dependency to aserto-dev/go-utils
  • Bump github.com/open-policy-agent/opa from 0.41.0 to 0.42.0


    Bumps github.com/open-policy-agent/opa from 0.41.0 to 0.42.0.

    Release notes

    Sourced from github.com/open-policy-agent/opa's releases.

    v0.42.0

    This release contains a number of fixes and enhancements.

    New built-in function: object.subset

    This function checks if a collection is a subset of another collection. It works on objects, sets, and arrays.

    If both arguments are objects, then the operation is recursive, e.g. {"c": {"x": {10, 15, 20}}} is considered a subset of {"a": "b", "c": {"x": {10, 15, 20, 25}, "y": "z"}}.

    See the built-in functions docs for all details

    This implementation fixes #4358 and was authored by @charlesdaniels.

    New keywords: "contains" and "if"

    These new keywords let you increase the expressiveness of your policy code:

    Before

    package authz
    allow { not denied } # `denied` left out for presentation purposes

    deny[msg] {
        count(violations) > 0
        msg := sprintf("there are %d violations", [count(violations)])
    }

    After

    package authz
    import future.keywords

    allow if not denied # one expression only => no { ... } needed!

    deny contains msg if {
        count(violations) > 0
        msg := sprintf("there are %d violations", [count(violations)])
    }

    Note that rule bodies containing only one expression can be abbreviated when using if.

    To use the new keywords, use import future.keywords.contains and import future.keywords.if; or import all of them at once via import future.keywords. When these future imports are present, the pretty printer (opa fmt) will introduce contains and if where applicable.

    if is allowed in all places to separate the rule head from the body, like


    ... (truncated)


    Commits

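The object.subset built-in described in the OPA 0.42.0 notes above is the kind of check authorization policies use for allow-lists: a request is granted when the scopes it asks for are a subset of the scopes the caller holds. The Go program below is an added illustration of those semantics, not OPA's implementation: objects are compared key by key and recursively, sets by membership, and any other pair of values by equality. The array rule (sub must appear contiguously inside super) is my reading of the OPA documentation and is not stated on this page; the `Set` type, the function names and the scope values are constructed for the example.

```go
package main

import (
	"fmt"
	"reflect"
)

// Set models a Rego set. Go has no set literal, so elements live in a slice
// and membership is decided with reflect.DeepEqual.
type Set []any

func (s Set) contains(v any) bool {
	for _, e := range s {
		if reflect.DeepEqual(e, v) {
			return true
		}
	}
	return false
}

// Subset reports whether sub is a subset of super. Objects recurse per key,
// sets compare by membership, arrays (assumption, see lead-in) must appear as
// a contiguous run inside super, and all other values must be equal.
func Subset(super, sub any) bool {
	switch sb := sub.(type) {
	case map[string]any:
		sp, ok := super.(map[string]any)
		if !ok {
			return false
		}
		for k, v := range sb {
			pv, present := sp[k]
			if !present || !Subset(pv, v) { // recursion covers nested objects and sets
				return false
			}
		}
		return true
	case Set:
		sp, ok := super.(Set)
		if !ok {
			return false
		}
		for _, e := range sb {
			if !sp.contains(e) {
				return false
			}
		}
		return true
	case []any:
		sp, ok := super.([]any)
		if !ok || len(sb) > len(sp) {
			return false
		}
		for start := 0; start+len(sb) <= len(sp); start++ {
			if reflect.DeepEqual(sp[start:start+len(sb)], sb) {
				return true
			}
		}
		return false
	default:
		return reflect.DeepEqual(super, sub)
	}
}

// PageExample reproduces the nested object/set case quoted in the release notes.
func PageExample() bool {
	sub := map[string]any{"c": map[string]any{"x": Set{10, 15, 20}}}
	super := map[string]any{"a": "b", "c": map[string]any{"x": Set{10, 15, 20, 25}, "y": "z"}}
	return Subset(super, sub)
}

func main() {
	fmt.Println("page example is a subset:", PageExample())
	// Constructed authorization use: requested scopes must all be granted.
	granted := Set{"repo:read", "repo:write"}
	fmt.Println("read only:", Subset(granted, Set{"repo:read"}))
	fmt.Println("read+admin:", Subset(granted, Set{"repo:read", "repo:admin"}))
}
```

The interesting property for policy authors is the direction of the arguments: `Subset(granted, requested)` asks whether everything requested is covered, so an extra key or element on the request side fails, while extra grants on the super side are ignored.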

  • Bump github.com/containerd/containerd from 1.5.10 to 1.5.13


    Bumps github.com/containerd/containerd from 1.5.10 to 1.5.13.

    Release notes

    Sourced from github.com/containerd/containerd's releases.

    containerd 1.5.13

    Welcome to the v1.5.13 release of containerd!

    The thirteenth patch release for containerd 1.5 includes a fix for CVE-2022-31030.

    Notable Updates

    See the changelog for complete list of changes

    Please try out the release binaries and report any issues at https://github.com/containerd/containerd/issues.

    Contributors

    • Derek McGowan
    • Kazuyoshi Kato

    Changes

    Dependency Changes

    This release has no dependency changes

    Previous release can be found at v1.5.12

    containerd 1.5.12

    Welcome to the v1.5.12 release of containerd!

    The twelfth patch release for containerd 1.5 includes various fixes and updates along with an updated version of runc.

    Notable Updates

    • Fix inotify fd leak when cgroup is deleted (#6961)
    • Close fifos when container is deleted in CRI plugin (#6857)
    • Update unpack to respect MaxConcurrentDownloads (#6774)
    • Monitor OOMKill instead of OOM in cgroupv2 (#6735)
    • Make the temp mount as ready only in container WithVolumes (#6729)

    ... (truncated)

    Commits
    • a17ec49 Merge pull request from GHSA-5ffw-gxpp-mxpf
    • 1ab0431 Prepare release notes for v1.5.13
    • b40a356 Implicitly discard the input to drain the reader
    • 943588b [release/1.5] Limit the response size of ExecSync
    • a4014bc Merge pull request #7019 from dmcgowan/prepare-1.5.12
    • 5a55f1e Prepare release notes for v1.5.12
    • 6b8cb51 Merge pull request #7014 from thaJeztah/1.5_bump_golang_1.17.11
    • 3f61d5e [release/1.5] update golang to 1.17.11
    • ae4ec1f Merge pull request #6986 from AkihiroSuda/cherrypick-6982-1.5
    • f67de00 archive: add human-readable hint to Lchown error
    • Additional commits viewable in compare view


  • Bump github.com/open-policy-agent/opa from 0.37.2 to 0.40.0


    Bumps github.com/open-policy-agent/opa from 0.37.2 to 0.40.0.

    Release notes

    Sourced from github.com/open-policy-agent/opa's releases.

    v0.40.0

    This release contains a number of fixes and enhancements.

    Metadata introspection

    The rich metadata added in the v0.38.0 release can now be introspected from the policies themselves!

    package example

    # METADATA
    # title: Edits by owner only
    # description: |
    #   Only the owner is allowed to edit their data.
    deny[{"allowed": false, "message": rego.metadata.rule().description}] {
        input.user != input.owner
    }

    This snippet will evaluate to

    [{
      "allowed": false,
      "message": "Only the owner is allowed to edit their data.\n"
    }]

    Both the rule's metadata can be accessed, via rego.metadata.rule(), and the entire chain of metadata attached to the rule via the various scopes that different metadata annotations can have, via rego.metadata.chain().

    All the details can be found in the documentation of these new built-in functions.

    Function mocking

    It is now possible to mock functions in tests! Both built-in and non-built-in functions can be mocked:

    package authz
    import data.jwks.cert
    import data.helpers.extract_token

    allow {
        [true, _, _] = io.jwt.decode_verify(extract_token(input.headers), {"cert": cert, "iss": "corp.issuer.com"})
    }

    test_allow {
        allow
            with input.headers as []
            with data.jwks.cert as "mock-cert"
            with io.jwt.decode_verify as [true, {}, {}] # mocked built-in
            with extract_token as "my-jwt"              # mocked non-built-in
    }

    For further information about policy testing with data and function mock, see the Policy Testing docs. All details about with can be found in its Policy Language section.

    ... (truncated)


    Commits
    • b3c8d80 Prepare v0.40.0 Release (#4631)
    • 39125a0 downloader: support for downloading bundles from an OCI registry (#4558)
    • 2f6b417 format: keep whitespaces for multiple indented same-line withs (#4635)
    • 7e50293 ast+topdown+planner: replacement of non-built-in functions via 'with' (#4616)
    • 02c1c1e bundle/status: Include bundle type in status information
    • 654b245 docs: update version in kubernetes examples (#4627)
    • 8e79fc9 build(deps): bump github.com/fsnotify/fsnotify v1.5.2 -> v1.5.4 (#4628)
    • 4154d99 Dockerfile: add source annotation (#4626)
    • b481f00 topdown/net: require prefix length for IPv6 in net.cidr_merge (#4613)
    • eb94b73 website: add playground button to navbar (#4622)
    • Additional commits viewable in compare view


  • Bump github.com/containerd/containerd from 1.6.10 to 1.6.12


    Bumps github.com/containerd/containerd from 1.6.10 to 1.6.12.

    Release notes

    Sourced from github.com/containerd/containerd's releases.

    containerd 1.6.12

    Welcome to the v1.6.12 release of containerd!

    The twelfth patch release for containerd 1.6 contains a fix for CVE-2022-23471.

    Notable Updates

    See the changelog for complete list of changes

    Please try out the release binaries and report any issues at https://github.com/containerd/containerd/issues.

    Contributors

    • Derek McGowan
    • Danny Canter
    • Phil Estes
    • Sebastiaan van Stijn

    Changes

    • Github Security Advisory GHSA-2qjp-425j-52j9
      • Prepare release notes for v1.6.12
      • CRI stream server: Fix goroutine leak in Exec
    • [release/1.6] update to go1.18.9 (#7766)
      • [release/1.6] update to go1.18.9

    Dependency Changes

    This release has no dependency changes

    Previous release can be found at v1.6.11

    containerd 1.6.11

    Welcome to the v1.6.11 release of containerd!

    The eleventh patch release for containerd 1.6 contains various fixes and updates.

    Notable Updates

    • Add pod UID annotation in CRI plugin (#7735)
    • Fix nil pointer deference for Windows containers in CRI plugin (#7737)
    • Fix lease labels unexpectedly overwriting expiration (#7745)
    • Fix for simultaneous diff creation using the same parent snapshot (#7756)

    See the changelog for complete list of changes

    ... (truncated)

    Commits
    • a05d175 Merge pull request from GHSA-2qjp-425j-52j9
    • 1899ebc Prepare release notes for v1.6.12
    • ec5acd4 CRI stream server: Fix goroutine leak in Exec
    • 52a4492 Merge pull request #7766 from thaJeztah/1.6_update_go_1.18.9
    • 9743dba [release/1.6] update to go1.18.9
    • d986545 Merge pull request #7760 from dmcgowan/prepare-1.6.11
    • 3d24d97 Prepare release notes for v1.6.11
    • 864cce9 Merge pull request #7756 from vvoland/rootfs-diff-multiple
    • bb96b21 fix: support simultaneous create diff for same parent snapshot
    • 92ee926 Merge pull request #7745 from austinvazquez/cherry-pick-c4dee237f57a7f7895aaa...
    • Additional commits viewable in compare view


  • Documented `go install` method fails with 0.1.43 due to `replace` directive.

    This is the same bug as https://github.com/opcr-io/policy/issues/61 - but recently another replace directive was added in go.mod and the issue resurfaced, meaning people cannot install this CLI tool in the documented fashion.

    Suggestion: Add a CI step that tests go install

  • Failed to push policy

    I created a policy image and tried to push it, and received this error:

    Failed to push policy: pac-book/project:v0.1.0
    oras push tarball failed: unexpected status: 500 Internal Server Error

    failed to push one or more policies

  • Consider renaming the cli tool?

    policy is a very generic name and could clash with other projects such as selinux/policy or policyd, and is quite non-descript/generic. I'm not aware of any specific popular binaries that go by the name policy, but it is a possibility.

    Maybe opcr or opolicyctl?

Generate K8s RBAC policies based on e2e test runs

rbac-audit Have you ever wondered whether your controller actually needs all the permissions it has granted to it? Wonder no more! This repo contains

Aug 2, 2021
An authorization library that supports access control models like ACL, RBAC, ABAC in Golang

Casbin News: still worry about how to write the correct Casbin policy? Casbin online editor is coming to help! Try it at: https://casbin.org/editor/ C

Jan 2, 2023
⛩️ Go library for protecting HTTP handlers with authorization bearer token.

G8, pronounced Gate, is a simple Go library for protecting HTTP handlers with tokens. Tired of constantly re-implementing a security layer for each

Nov 14, 2022
An authorization library that supports access control models like ACL, RBAC, ABAC in Golang

Casbin News: still worry about how to write the correct Casbin policy? Casbin online editor is coming to help! Try it at: https://casbin.org/editor/ C

Jan 4, 2023
Go library providing in-memory implementation of an OAuth2 Authorization Server / OpenID Provider

dispans Go library providing in-memory implementation of an OAuth2 Authorization Server / OpenID Provider. The name comes from the Swedish word dispen

Dec 22, 2021
ACL, RBAC, ABAC authorization middleware for KubeSphere

casbin-kubesphere-auth Casbin-kubesphere-auth is a plugin which apply several security authentication check on kubesphere via casbin. This plugin supp

Jun 9, 2022
A stateless OpenID Connect authorization server that mints ID Tokens from Webauthn challenges

Webauthn-oidc Webauthn-oidc is a very minimal OIDC authorization server that only supports webauthn for authentication. This can be used to bootstrap

Nov 6, 2022
telegram authorization in telegram without using a widget

TGAH - telegram Authorization Example of authorization in telegram without using a widget Installation go get -d github.com/tioffs/tgah@master Setti

Jun 6, 2022
Authorization As A Service

a3s NOTE: this is a work in progress and this software is not usable yet a3s (stands for Auth As A Service) is an authentication and ABAC authorizatio

Dec 14, 2022
A demo of authentication and authorization using jwt

Nogopy Hi, this a demo of how to use jwt for authentication in microservices Keep in mind that this is a demo of how to authenticate using jwt, we don

Nov 1, 2021
Backend Development Rest Api Project for book management system. Used features like redis, jwt token, validation and authorization.

Golang-restapi-project Simple Rest Api Project with Authentication, Authorization, Validation and Connection with redis File Structure ├── cache │ ├──

May 25, 2022
A library for Go client applications that need to perform OAuth authorization against a server

oauth-0.8.0.zip oauth A library for Go client applications that need to perform OAuth authorization against a server, typically GitHub.com. Traditiona

Oct 13, 2021
Mini-framework for multiple authentication and authorization schemes

Go authorization pattern This repository demonstrates an authorization pattern that allows multiple schemes. Demo To start the demo run the following

Dec 30, 2021
Example of a simple application which is powered by a third-party OAuth 2.0 server for its authentication / authorization. Written in Golang.

go mod init github.com/bartmika/osin-thirdparty-example go get github.com/spf13/cobra go get github.com/openshift/osin go get github.com/openshift/osi

Jan 4, 2022
Authelia: an open-source authentication and authorization server providing two-factor authentication

Authelia is an open-source authentication and authorization server providing two

Jan 5, 2022
🔑 Authz0 is an automated authorization test tool. Unauthorized access can be identified based on URL and Role.

Authz0 is an automated authorization test tool. Unauthorized access can be identified based on URL and Role. URLs and Roles are managed as YAML-based

Dec 20, 2022
Goauth: Pre-made OAuth/OpenIDConnect and general authorization hooks for webapp login

goauth Pre-made OAuth/OpenIDConnect and general authorization hooks for webapp login. Currently supports Google, Facebook and Microsoft "out of the bo

Jan 28, 2022
Go-auth - An authorization project using mongoDB, JWT and Go

Ssibrahimbas Go-Auth An authorization project using mongoDB, JWT and Go. API Typ

Mar 10, 2022
Oso is a batteries-included framework for building authorization in your application.

Oso What is Oso? Oso is a batteries-included framework for building authorization in your application. With Oso, you can: Model: Set up common permiss

Jan 1, 2023