policy_engine was removed, right?
Yes. E.g. removing the `allow if` block from `operator/src/resource.rego` still gives a pass for me.
Do you need the updates from Trustee v0.20.0 here? If yes, you'd either need to first go back to v0.17.0 compatibility or set the policies using kbs-client too, which is now the only supported way AFAICT. If no, we should bump Trustee in a later PR.
Also not for this PR but if we were being pedantic we'd ensure that the policies get picked up…
Originally posted by @Jakob-Naucke in #248 (comment)
Separately test that attestation fails if attestation policy or resource policy becomes overly restrictive.
Should only be worked on after #248 because the logic will change a lot