Updates and fixes to policy support#3611
Conversation
| func sourceName(req *policysession.CheckPolicyRequest) string { | ||
| name := req.Source.Source.Identifier | ||
| if p, _ := platformFromReq(req); p != nil { | ||
| name += " (" + platforms.Format(*p) + ")" |
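Review bot: the error from `platformFromReq(req)` on the third line of this snippet is discarded (`p, _ :=`), so a request whose platform fails to parse silently yields a source name without the platform suffix, which is indistinguishable from a request that carries no platform at all. Consider surfacing that error (returning it, or at least logging it alongside the decision) so a malformed platform is visible in the policy output rather than silently downgraded to "no platform set".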
#11 [linux/arm64 stage-1 1/3] FROM docker.io/library/alpine:latest@sha256:865b95f46d98cf867a156fe4a135ad3fe50d2056aa3f25ed31662dff6da4eb62
#11 resolve docker.io/library/alpine:latest@sha256:865b95f46d98cf867a156fe4a135ad3fe50d2056aa3f25ed31662dff6da4eb62 0.1s done
#11 DONE 0.1s
#12 [linux/arm64 stage-1 2/3] COPY --from=xx / /
#12 CACHED
#13 [linux/arm64 stage-1 3/3] RUN touch foo
#13 CACHED
#1 loading policies 10-xx-external.Dockerfile.rego
#1 0.626 hack/utils.rego:4: compare sha256:add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6 add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6
#1 0.627 10-xx-external.Dockerfile.rego:12: alpine false
#1 0.627 policy decision for source docker-image://docker.io/library/alpine:latest@sha256:865b95f46d98cf867a156fe4a135ad3fe50d2056aa3f25ed31662dff6da4eb62 (linux/amd64): ALLOW
#1 0.627 10-xx-external.Dockerfile.rego:12: tonistiigi/xx true
#1 0.627 10-xx-external.Dockerfile.rego:12: alpine false
#1 0.627 hack/utils.rego:4: compare sha256:add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6 add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6
#1 0.627 policy decision for source docker-image://docker.io/tonistiigi/xx:1.8.0@sha256:add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6 (linux/amd64): ALLOW
#1 0.627 policy decision for source docker-image://docker.io/library/alpine:latest@sha256:865b95f46d98cf867a156fe4a135ad3fe50d2056aa3f25ed31662dff6da4eb62 (linux/arm64): ALLOW
#1 0.628 10-xx-external.Dockerfile.rego:12: tonistiigi/xx true
#1 0.628 hack/utils.rego:4: compare sha256:add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6 add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6
#1 0.628 policy decision for source docker-image://docker.io/tonistiigi/xx:1.8.0@sha256:add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6 (linux/amd64): ALLOW
It would be better as a prefix imo, to be consistent with build stages, WDYT?
#11 [linux/arm64 stage-1 1/3] FROM docker.io/library/alpine:latest@sha256:865b95f46d98cf867a156fe4a135ad3fe50d2056aa3f25ed31662dff6da4eb62
#11 resolve docker.io/library/alpine:latest@sha256:865b95f46d98cf867a156fe4a135ad3fe50d2056aa3f25ed31662dff6da4eb62 0.1s done
#11 DONE 0.1s
#12 [linux/arm64 stage-1 2/3] COPY --from=xx / /
#12 CACHED
#13 [linux/arm64 stage-1 3/3] RUN touch foo
#13 CACHED
#1 loading policies 10-xx-external.Dockerfile.rego
#1 0.626 hack/utils.rego:4: compare sha256:add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6 add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6
#1 0.627 10-xx-external.Dockerfile.rego:12: alpine false
#1 0.627 [linux/amd64] policy decision for source docker-image://docker.io/library/alpine:latest@sha256:865b95f46d98cf867a156fe4a135ad3fe50d2056aa3f25ed31662dff6da4eb62: ALLOW
#1 0.627 10-xx-external.Dockerfile.rego:12: tonistiigi/xx true
#1 0.627 10-xx-external.Dockerfile.rego:12: alpine false
#1 0.627 hack/utils.rego:4: compare sha256:add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6 add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6
#1 0.627 [linux/amd64] policy decision for source docker-image://docker.io/tonistiigi/xx:1.8.0@sha256:add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6: ALLOW
#1 0.627 [linux/arm64] policy decision for source docker-image://docker.io/library/alpine:latest@sha256:865b95f46d98cf867a156fe4a135ad3fe50d2056aa3f25ed31662dff6da4eb62: ALLOW
#1 0.628 10-xx-external.Dockerfile.rego:12: tonistiigi/xx true
#1 0.628 hack/utils.rego:4: compare sha256:add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6 add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6
#1 0.628 [linux/amd64] policy decision for source docker-image://docker.io/tonistiigi/xx:1.8.0@sha256:add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6: ALLOW
I guess we can improve this further in other follow-ups. The platform is specific to the image source, not like the build output where the step is part of a build request to a specific platform. Maybe putting the source name at the beginning of the text would improve it.
| platform = &pl | ||
| platform = pl | ||
| } else { | ||
| platform = p.opt.DefaultPlatform |
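Review bot: in the `else` branch, assigning `p.opt.DefaultPlatform` into `platform` erases the distinction between a platform the request explicitly carried and one that was filled in by default, so anything downstream that formats `platform` (for example the progress output) prints the default even when the user set none. Suggest leaving `platform` unset when the request has no platform and resolving `p.opt.DefaultPlatform` only at the point where a concrete platform is actually needed, or carrying a separate "explicit" flag next to it so display code can omit the implicit default.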
#7 [xx 1/1] FROM docker.io/tonistiigi/xx:1.8.0@sha256:add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6
#7 resolve docker.io/tonistiigi/xx:1.8.0@sha256:add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6 0.0s done
#7 DONE 0.0s
#8 [stage-1 2/3] COPY --from=xx / /
#8 CACHED
#9 [stage-1 3/3] RUN touch foo
#9 CACHED
#1 loading policies 10-xx-external.Dockerfile.rego
#1 0.813 10-xx-external.Dockerfile.rego:12: tonistiigi/xx true
#1 0.813 hack/utils.rego:4: compare sha256:add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6 add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6
#1 0.813 policy decision for source docker-image://docker.io/tonistiigi/xx:1.8.0@sha256:add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6 (linux/amd64): ALLOW
#1 0.813 10-xx-external.Dockerfile.rego:12: alpine false
#1 0.813 policy decision for source docker-image://docker.io/library/alpine:latest@sha256:865b95f46d98cf867a156fe4a135ad3fe50d2056aa3f25ed31662dff6da4eb62 (linux/amd64): ALLOW
#1 DONE 1.1s
If no platform is set, I guess we should not display the default platform in progress output, to be consistent with build stages:
#7 [xx 1/1] FROM docker.io/tonistiigi/xx:1.8.0@sha256:add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6
#7 resolve docker.io/tonistiigi/xx:1.8.0@sha256:add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6 0.0s done
#7 DONE 0.0s
#8 [stage-1 2/3] COPY --from=xx / /
#8 CACHED
#9 [stage-1 3/3] RUN touch foo
#9 CACHED
#1 loading policies 10-xx-external.Dockerfile.rego
#1 0.813 10-xx-external.Dockerfile.rego:12: tonistiigi/xx true
#1 0.813 hack/utils.rego:4: compare sha256:add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6 add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6
#1 0.813 policy decision for source docker-image://docker.io/tonistiigi/xx:1.8.0@sha256:add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6: ALLOW
#1 0.813 10-xx-external.Dockerfile.rego:12: alpine false
#1 0.813 policy decision for source docker-image://docker.io/library/alpine:latest@sha256:865b95f46d98cf867a156fe4a135ad3fe50d2056aa3f25ed31662dff6da4eb62: ALLOW
#1 DONE 1.1s
b9c68ed to d8af18a
Fix the policy logger being open for the whole build. In the new logic, the logger is opened on demand if there are logs, remains open until timeout, and is restarted if new logs come after. Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
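The logger lifecycle this commit message describes, as an added Go example that is not buildx's or BuildKit's code: a sink that is opened lazily on the first log line, kept open while lines keep arriving, closed once no line has been written for an idle timeout, and reopened if a later line shows up. `OnDemandLogger`, `memorySink`, `Demo`, the 50 ms idle timeout and the sample policy lines are all assumptions constructed for illustration.

```go
package main

import (
	"io"
	"sync"
	"time"
)

// OnDemandLogger opens its sink on the first line, closes it after idleTimeout
// with no new lines, and reopens it if a later line arrives. Illustrative only.
type OnDemandLogger struct {
	mu          sync.Mutex
	open        func() (io.WriteCloser, error) // must return a nil writer on error
	idleTimeout time.Duration
	w           io.WriteCloser // nil while the sink is closed
	timer       *time.Timer    // nil while the sink is closed
	lastWrite   time.Time
}

// Log writes one line, opening the sink if needed, and (re)arms the idle timer.
func (l *OnDemandLogger) Log(line string) (err error) {
	l.mu.Lock()
	defer l.mu.Unlock()
	if l.w == nil {
		if l.w, err = l.open(); err != nil {
			return err
		}
	}
	if _, err = io.WriteString(l.w, line+"\n"); err != nil {
		return err
	}
	l.lastWrite = time.Now()
	if l.timer == nil {
		l.timer = time.AfterFunc(l.idleTimeout, l.closeIdle)
	} else {
		l.timer.Reset(l.idleTimeout)
	}
	return nil
}

// closeIdle runs from the timer. A line may land between the timer firing and
// this goroutine taking the lock; in that case keep the sink open and re-arm.
func (l *OnDemandLogger) closeIdle() {
	l.mu.Lock()
	defer l.mu.Unlock()
	if since := time.Since(l.lastWrite); l.w != nil && since < l.idleTimeout {
		l.timer.Reset(l.idleTimeout - since)
		return
	}
	l.closeLocked()
}

// closeLocked releases the sink and timer; the caller holds l.mu.
func (l *OnDemandLogger) closeLocked() (err error) {
	if l.timer != nil {
		l.timer.Stop()
	}
	if l.w != nil {
		err = l.w.Close()
	}
	l.timer, l.w = nil, nil
	return err
}

// Close is called once at the end of the build; it is safe when already idle.
func (l *OnDemandLogger) Close() error {
	l.mu.Lock()
	defer l.mu.Unlock()
	return l.closeLocked()
}

// memorySink stands in for the progress writer and counts opens, closes and
// writes. Every call into it happens under the logger's lock.
type memorySink struct{ opens, closes, writes int }

func (s *memorySink) Write(p []byte) (int, error)   { s.writes++; return len(p), nil }
func (s *memorySink) Close() error                  { s.closes++; return nil }
func (s *memorySink) open() (io.WriteCloser, error) { s.opens++; return s, nil }

// Demo drives the logger with constructed policy lines: two lines, an idle gap
// longer than the timeout, one more line, then Close. Expected counts: 2, 2, 3.
func Demo() (opens, closes, writes int, err error) {
	sink := &memorySink{}
	lg := &OnDemandLogger{open: sink.open, idleTimeout: 50 * time.Millisecond}
	steps := []func() error{
		func() error { return lg.Log("policy decision for source docker-image://docker.io/library/alpine:latest (linux/amd64): ALLOW") },
		func() error { return lg.Log("policy decision for source docker-image://docker.io/library/alpine:latest (linux/arm64): ALLOW") },
		func() error { time.Sleep(400 * time.Millisecond); return nil }, // idle gap: the sink closes on its own
		func() error { return lg.Log("policy decision for source docker-image://docker.io/tonistiigi/xx:1.8.0: ALLOW") }, // reopens
		lg.Close,
	}
	for _, step := range steps {
		if err = step(); err != nil {
			return
		}
	}
	return sink.opens, sink.closes, sink.writes, nil
}
```

The detail worth copying is in `closeIdle`: an `AfterFunc` callback can already be scheduled when a new line arrives and calls `Reset`, so the callback re-checks `lastWrite` under the lock and re-arms instead of closing a sink that just received data. The final `Close` is what makes the end-of-build case safe; without it a sink opened by the last line would only be released by the timer.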
Supported from BuildKit v0.27.0-rc1. Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
- Make sure a tag is added to the image reference, as the containerd reference parser refuses to parse it otherwise.
- When an attestation is requested from a non-index, return nil instead of an error. This is for consistency, as it is likely to fail in BuildKit before that is fixed separately.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
d8af18a to 89fdef1
jsternberg left a comment
Approving since this has already been reviewed by @crazy-max and he's out for the week. It LGTM but I don't have the most detailed understanding of this domain.
@crazy-max @dvdksn
Review per commit.
fixes #3613
fixes #3567 (comment)