
Conversation

@tonistiigi (Member) commented Jan 16, 2026

@crazy-max @dvdksn

Review per commit.

fixes #3613
fixes #3567 (comment)

func sourceName(req *policysession.CheckPolicyRequest) string {
	name := req.Source.Source.Identifier
	if p, _ := platformFromReq(req); p != nil {
		name += " (" + platforms.Format(*p) + ")"
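Review bot: on the `if p, _ := platformFromReq(req); p != nil` line the error from platformFromReq is discarded, so a request whose platform fails to parse is reported exactly like a request that carries no platform and the suffix is silently dropped. Either log the error here or have platformFromReq return a nil platform only when none was supplied, so a malformed platform is not indistinguishable from an absent one in the policy output.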
Review comment (Member):

#11 [linux/arm64 stage-1 1/3] FROM docker.io/library/alpine:latest@sha256:865b95f46d98cf867a156fe4a135ad3fe50d2056aa3f25ed31662dff6da4eb62
#11 resolve docker.io/library/alpine:latest@sha256:865b95f46d98cf867a156fe4a135ad3fe50d2056aa3f25ed31662dff6da4eb62 0.1s done
#11 DONE 0.1s

#12 [linux/arm64 stage-1 2/3] COPY --from=xx / /
#12 CACHED

#13 [linux/arm64 stage-1 3/3] RUN touch foo
#13 CACHED

#1 loading policies 10-xx-external.Dockerfile.rego
#1 0.626 hack/utils.rego:4: compare sha256:add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6 add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6
#1 0.627 10-xx-external.Dockerfile.rego:12: alpine false
#1 0.627 policy decision for source docker-image://docker.io/library/alpine:latest@sha256:865b95f46d98cf867a156fe4a135ad3fe50d2056aa3f25ed31662dff6da4eb62 (linux/amd64): ALLOW
#1 0.627 10-xx-external.Dockerfile.rego:12: tonistiigi/xx true
#1 0.627 10-xx-external.Dockerfile.rego:12: alpine false
#1 0.627 hack/utils.rego:4: compare sha256:add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6 add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6
#1 0.627 policy decision for source docker-image://docker.io/tonistiigi/xx:1.8.0@sha256:add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6 (linux/amd64): ALLOW
#1 0.627 policy decision for source docker-image://docker.io/library/alpine:latest@sha256:865b95f46d98cf867a156fe4a135ad3fe50d2056aa3f25ed31662dff6da4eb62 (linux/arm64): ALLOW
#1 0.628 10-xx-external.Dockerfile.rego:12: tonistiigi/xx true
#1 0.628 hack/utils.rego:4: compare sha256:add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6 add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6
#1 0.628 policy decision for source docker-image://docker.io/tonistiigi/xx:1.8.0@sha256:add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6 (linux/amd64): ALLOW

It would be better as a prefix IMO, to be consistent with build stages, WDYT?

#11 [linux/arm64 stage-1 1/3] FROM docker.io/library/alpine:latest@sha256:865b95f46d98cf867a156fe4a135ad3fe50d2056aa3f25ed31662dff6da4eb62
#11 resolve docker.io/library/alpine:latest@sha256:865b95f46d98cf867a156fe4a135ad3fe50d2056aa3f25ed31662dff6da4eb62 0.1s done
#11 DONE 0.1s

#12 [linux/arm64 stage-1 2/3] COPY --from=xx / /
#12 CACHED

#13 [linux/arm64 stage-1 3/3] RUN touch foo
#13 CACHED

#1 loading policies 10-xx-external.Dockerfile.rego
#1 0.626 hack/utils.rego:4: compare sha256:add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6 add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6
#1 0.627 10-xx-external.Dockerfile.rego:12: alpine false
#1 0.627 [linux/amd64] policy decision for source docker-image://docker.io/library/alpine:latest@sha256:865b95f46d98cf867a156fe4a135ad3fe50d2056aa3f25ed31662dff6da4eb62: ALLOW
#1 0.627 10-xx-external.Dockerfile.rego:12: tonistiigi/xx true
#1 0.627 10-xx-external.Dockerfile.rego:12: alpine false
#1 0.627 hack/utils.rego:4: compare sha256:add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6 add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6
#1 0.627 [linux/amd64] policy decision for source docker-image://docker.io/tonistiigi/xx:1.8.0@sha256:add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6: ALLOW
#1 0.627 [linux/arm64] policy decision for source docker-image://docker.io/library/alpine:latest@sha256:865b95f46d98cf867a156fe4a135ad3fe50d2056aa3f25ed31662dff6da4eb62: ALLOW
#1 0.628 10-xx-external.Dockerfile.rego:12: tonistiigi/xx true
#1 0.628 hack/utils.rego:4: compare sha256:add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6 add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6
#1 0.628 [linux/amd64] policy decision for source docker-image://docker.io/tonistiigi/xx:1.8.0@sha256:add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6: ALLOW

@tonistiigi (Member Author) replied:

I guess we can improve this further in other follow-ups. The platform is specific to the image source, unlike the build output, where the step is part of a build request for a specific platform. Maybe putting the source name at the beginning of the text would improve it.

		platform = &pl
		platform = pl
	} else {
		platform = p.opt.DefaultPlatform
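Review bot: the else branch on the last line substitutes p.opt.DefaultPlatform whenever the request carries no platform, so everything downstream sees the fallback as if it had been requested explicitly. If the decision line is meant to mirror build stages and only show a platform that was actually set, keep the value unset here and apply the default only at the point where the lookup needs one.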
Review comment (Member):

#7 [xx 1/1] FROM docker.io/tonistiigi/xx:1.8.0@sha256:add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6
#7 resolve docker.io/tonistiigi/xx:1.8.0@sha256:add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6 0.0s done
#7 DONE 0.0s

#8 [stage-1 2/3] COPY --from=xx / /
#8 CACHED

#9 [stage-1 3/3] RUN touch foo
#9 CACHED

#1 loading policies 10-xx-external.Dockerfile.rego
#1 0.813 10-xx-external.Dockerfile.rego:12: tonistiigi/xx true
#1 0.813 hack/utils.rego:4: compare sha256:add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6 add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6
#1 0.813 policy decision for source docker-image://docker.io/tonistiigi/xx:1.8.0@sha256:add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6 (linux/amd64): ALLOW
#1 0.813 10-xx-external.Dockerfile.rego:12: alpine false
#1 0.813 policy decision for source docker-image://docker.io/library/alpine:latest@sha256:865b95f46d98cf867a156fe4a135ad3fe50d2056aa3f25ed31662dff6da4eb62 (linux/amd64): ALLOW
#1 DONE 1.1s

If no platform is set, I guess we should not display the default platform in the progress output, to be consistent with build stages:

#7 [xx 1/1] FROM docker.io/tonistiigi/xx:1.8.0@sha256:add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6
#7 resolve docker.io/tonistiigi/xx:1.8.0@sha256:add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6 0.0s done
#7 DONE 0.0s

#8 [stage-1 2/3] COPY --from=xx / /
#8 CACHED

#9 [stage-1 3/3] RUN touch foo
#9 CACHED

#1 loading policies 10-xx-external.Dockerfile.rego
#1 0.813 10-xx-external.Dockerfile.rego:12: tonistiigi/xx true
#1 0.813 hack/utils.rego:4: compare sha256:add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6 add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6
#1 0.813 policy decision for source docker-image://docker.io/tonistiigi/xx:1.8.0@sha256:add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6: ALLOW
#1 0.813 10-xx-external.Dockerfile.rego:12: alpine false
#1 0.813 policy decision for source docker-image://docker.io/library/alpine:latest@sha256:865b95f46d98cf867a156fe4a135ad3fe50d2056aa3f25ed31662dff6da4eb62: ALLOW
#1 DONE 1.1s

@tonistiigi tonistiigi force-pushed the policy-update-v0.31-rc2 branch from b9c68ed to d8af18a on January 16, 2026 16:39
@tonistiigi tonistiigi requested a review from crazy-max January 16, 2026 18:07
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Fix the policy logger being open for the whole build.

In the new logic, the logger is opened on demand when there are logs,
remains open until a timeout, and is restarted if new logs
come after.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
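The on-demand logger behaviour described in that commit message, as an added example written for this page rather than buildx's own implementation: the sink is opened on the first line, stays open while lines keep arriving, is closed by an idle timer after a period of silence, and is reopened when the next line comes. It assumes the sink is any io.WriteCloser (in buildx it would be a progress vertex) and uses a per-write generation counter so that a timer which fires just after a newer write cannot close the sink; the policy log lines in Simulate are constructed.

```go
package main

import (
	"fmt"
	"io"
	"strings"
	"sync"
	"time"
)

// OnDemandLogger opens its sink when the first line arrives, keeps it open while
// lines keep coming, closes it after idle of silence and reopens it if more lines
// arrive later. Illustration of the commit message's logic, not buildx's code.
type OnDemandLogger struct {
	mu            sync.Mutex
	idle          time.Duration
	open          func() (io.WriteCloser, error)
	w             io.WriteCloser
	gen           uint64 // bumped per write so a stale idle timer can tell it lost the race
	opens, closes int
}

func NewOnDemandLogger(idle time.Duration, open func() (io.WriteCloser, error)) *OnDemandLogger {
	return &OnDemandLogger{idle: idle, open: open}
}

// Log writes one line, opening the sink if it is closed, and re-arms the idle timer.
func (l *OnDemandLogger) Log(line string) error {
	l.mu.Lock()
	defer l.mu.Unlock()
	if l.w == nil {
		w, err := l.open()
		if err != nil {
			return err
		}
		l.w, l.opens = w, l.opens+1
	}
	if _, err := fmt.Fprintln(l.w, line); err != nil {
		return err
	}
	l.gen++
	gen := l.gen
	// Close only if no newer write happened since this timer was armed.
	time.AfterFunc(l.idle, func() {
		l.mu.Lock()
		defer l.mu.Unlock()
		if l.w != nil && l.gen == gen {
			_ = l.w.Close()
			l.w, l.closes = nil, l.closes+1
		}
	})
	return nil
}

// Close force-closes the sink at the end of the build and invalidates pending timers.
func (l *OnDemandLogger) Close() error {
	l.mu.Lock()
	defer l.mu.Unlock()
	l.gen++
	if l.w == nil {
		return nil
	}
	err := l.w.Close()
	l.w, l.closes = nil, l.closes+1
	return err
}

// memSink is a constructed in-memory sink, one per opened session.
type memSink struct{ *strings.Builder }

func (memSink) Close() error { return nil }

// Simulate logs a burst of two constructed policy lines, stays silent for longer
// than idle, then logs a third; it returns each session's text and the open/close counts.
func Simulate(idle time.Duration) (sessions []string, opens, closes int, err error) {
	var bufs []*strings.Builder
	l := NewOnDemandLogger(idle, func() (io.WriteCloser, error) {
		b := &strings.Builder{}
		bufs = append(bufs, b)
		return memSink{b}, nil
	})
	lines := []string{
		"policy decision for source docker-image://docker.io/library/alpine:latest (linux/amd64): ALLOW",
		"policy decision for source docker-image://docker.io/tonistiigi/xx:1.8.0 (linux/amd64): ALLOW",
		"policy decision for source docker-image://docker.io/library/alpine:latest (linux/arm64): ALLOW",
	}
	for i, line := range lines {
		if i == 2 {
			time.Sleep(4 * idle) // silence: the idle timer closes the sink before the last line
		}
		if err = l.Log(line); err != nil {
			return nil, 0, 0, err
		}
	}
	err = l.Close() // end of build: force-close whatever is still open
	for _, b := range bufs {
		sessions = append(sessions, b.String())
	}
	return sessions, l.opens, l.closes, err
}

func main() {
	sessions, opens, closes, err := Simulate(50 * time.Millisecond)
	fmt.Println(len(sessions), opens, closes, err)
}
```

With an idle gap between bursts the sink is opened twice and closed twice, so the first two lines land in one session and the third in a fresh one; with no logs at all the sink is never opened, which is the "open on demand" part of the fix. The generation check matters because timer.Stop in Log would not be enough: a timer callback that is already running can only learn it is stale once it holds the mutex.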
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Supported from Buildkit v0.27.0-rc1

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
- Make sure the tag is added to the image reference, as the
containerd reference parser refuses to parse it otherwise.

- When an attestation is requested from a non-index, return
nil instead of an error. This is for consistency, as it is likely
to fail in BuildKit before that is fixed separately.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
@tonistiigi tonistiigi force-pushed the policy-update-v0.31-rc2 branch from d8af18a to 89fdef1 on January 16, 2026 20:15
@jsternberg (Collaborator) left a comment:

Approving since this has already been reviewed by @crazy-max and he's out for the week. It LGTM but I don't have the most detailed understanding of this domain.

@tonistiigi tonistiigi merged commit 819ae5d into docker:master Jan 16, 2026
159 checks passed


Development

Successfully merging this pull request may close these issues.

policy eval fails with "object required" when checking attestation fields on v2 manifest images
Rego source policy additional UX

3 participants