From 3df04631a1b74674fc0b5d33de718a471be7f1cd Mon Sep 17 00:00:00 2001 From: Chris Butler Date: Thu, 7 May 2026 09:04:03 +0900 Subject: [PATCH 1/4] fix: correct resource policies Signed-off-by: Chris Butler --- templates/resource-policy.yaml | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/templates/resource-policy.yaml b/templates/resource-policy.yaml index 56d8a47..70e8a99 100644 --- a/templates/resource-policy.yaml +++ b/templates/resource-policy.yaml @@ -8,19 +8,16 @@ metadata: data: policy.rego: | package policy - - import rego.v1 - - default allow := false - {{- if not .Values.kbs.gpu.enabled }} - - allow if { + default allow = false + allow { input["submods"]["cpu0"]["ear.status"] == "affirming" + gpu0_ok } - {{- else }} - allow if { - input["submods"]["cpu0"]["ear.status"] == "affirming" - input["submods"]["gpu0"]["ear.status"] == "affirming" + gpu0_ok { + not input["submods"]["gpu0"] } - {{- end }} \ No newline at end of file + + gpu0_ok { + input["submods"]["gpu0"]["ear.status"] == "affirming" + } \ No newline at end of file From 6f853e969d94aaac5e3053c146b168a46ca2d601 Mon Sep 17 00:00:00 2001 From: Chris Butler Date: Thu, 7 May 2026 09:13:18 +0900 Subject: [PATCH 2/4] chore: release bump Signed-off-by: Chris Butler --- Chart.yaml | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Chart.yaml b/Chart.yaml index 8f6cb49..188abf2 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -7,4 +7,4 @@ keywords: - confidential-containers name: trustee # DO NOT EDIT VERSION HERE, IT IS AUTO-GENERATED BY SEMANTIC-RELEASE -version: 0.3.3 +version: 0.3.4 diff --git a/README.md b/README.md index 83b21de..14423a3 100644 --- a/README.md +++ b/README.md 
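Review bot: The first `gpu0_ok` rule succeeds whenever `input["submods"]["gpu0"]` is absent, so GPU evidence becomes optional for every install. The removed template required an affirming `gpu0` when `kbs.gpu.enabled` was set; after this hunk a token carrying only an affirming `cpu0` satisfies `allow` in those deployments too. Keep the values switch for that one rule by wrapping it in `{{- if not .Values.kbs.gpu.enabled }}` and `{{- end }}`, so the absent-`gpu0` branch is rendered only for CPU-only deployments. The same rule is carried into PATCH 3/4 as `not input.submods.gpu0`.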
@@ -1,6 +1,6 @@ # trustee -![Version: 0.3.3](https://img.shields.io/badge/Version-0.3.3-informational?style=flat-square) +![Version: 0.3.4](https://img.shields.io/badge/Version-0.3.4-informational?style=flat-square) A Helm chart to provide an opinionated deployment of Trustee in a validated pattern From f22ea6e40e95839507662a356cfd406fe092f354 Mon Sep 17 00:00:00 2001 From: Chris Butler Date: Thu, 7 May 2026 15:02:27 +0900 Subject: [PATCH 3/4] fix: recommended changes Signed-off-by: Chris Butler --- templates/resource-policy.yaml | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/templates/resource-policy.yaml b/templates/resource-policy.yaml index 70e8a99..837a6e9 100644 --- a/templates/resource-policy.yaml +++ b/templates/resource-policy.yaml @@ -9,15 +9,14 @@ data: policy.rego: | package policy default allow = false - allow { - input["submods"]["cpu0"]["ear.status"] == "affirming" + allow if { + input.submods.cpu0["ear.status"] == "affirming" gpu0_ok } + gpu0_ok if { + not input.submods.gpu0 + } - gpu0_ok { - not input["submods"]["gpu0"] - } - - gpu0_ok { - input["submods"]["gpu0"]["ear.status"] == "affirming" + gpu0_ok if { + input.submods.gpu0["ear.status"] == "affirming" } \ No newline at end of file From b1c1d70bf3cb9deae73b4a9f53c1ebd639c30273 Mon Sep 17 00:00:00 2001 From: Chris Butler Date: Thu, 7 May 2026 15:06:25 +0900 Subject: [PATCH 4/4] fix: use generalized solution Signed-off-by: Chris Butler --- templates/resource-policy.yaml | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/templates/resource-policy.yaml b/templates/resource-policy.yaml index 837a6e9..47c7f2a 100644 --- a/templates/resource-policy.yaml +++ b/templates/resource-policy.yaml 
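Review bot: `allow if {` and `gpu0_ok if {` use the `if` keyword, but the context lines show `package policy` followed directly by `default allow = false`, with no `import rego.v1` (removed in PATCH 1/4 and restored only in PATCH 4/4). Whether this parses depends on the Rego version the KBS policy engine accepts, which is not visible here. If it does not parse, this commit on its own ships a resource policy that cannot be loaded. Add `import rego.v1` after `package policy` in this commit, or squash it with PATCH 4/4.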
@@ -8,15 +8,17 @@ metadata: data: policy.rego: | package policy + import rego.v1 + default allow = false + allow if { - input.submods.cpu0["ear.status"] == "affirming" - gpu0_ok + not any_not_affirming + count(input.submods) > 0 + } - gpu0_ok if { - not input.submods.gpu0 - } - gpu0_ok if { - input.submods.gpu0["ear.status"] == "affirming" + any_not_affirming if { + some _, submod in input.submods + submod["ear.status"] != "affirming" } \ No newline at end of file
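Review bot: `any_not_affirming` only fires for a submodule that has an `ear.status` value different from `"affirming"`. For a submodule with no `ear.status` key the comparison is undefined, so `not any_not_affirming` still holds and `allow` passes on an entry that carries no appraisal result. The rule also no longer names `cpu0`, so any single affirming submodule satisfies it, and the GPU requirement dropped in PATCH 1/4 is not restored. Express the check positively with `every`, which fails on a missing field, and keep the explicit `cpu0` line. With that line present `count(input.submods) > 0` is redundant and the `any_not_affirming` helper can be removed.

```yaml
    # … unchanged: package policy, import rego.v1, default allow = false …
    allow if {
      input.submods.cpu0["ear.status"] == "affirming"
      every submod in input.submods {
        submod["ear.status"] == "affirming"
      }
    }
```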