Skip to content

ROX-34071: Add Evaluation Filter to Policy Engine#20760

Open
c-du wants to merge 11 commits into
masterfrom
cong/eval-filter
Open

ROX-34071: Add Evaluation Filter to Policy Engine#20760
c-du wants to merge 11 commits into
masterfrom
cong/eval-filter

Conversation

@c-du
Copy link
Copy Markdown
Contributor

@c-du c-du commented May 21, 2026
edited
Loading

Description

Adds EvaluationFilter to policy engine that allows policies to pre-filter entities before policy evaluation.
This PR introduces the policy engine change only — concrete filter implementations will follow in a separate PR.

Key decisions:

  • EvaluationFilter defines a interface: Create EvaluationFilter for each feature which is a struct with isNonDefault and apply function fields, composed via slices. T
  • Filters compiled once at policy compilation:
    CompileEvaluationFilter is called
    in newCompiledPolicy and the result is stored on compiledPolicy.
    Matchers are filter-unaware — filtering happens in MatchAgainst* methods before
    delegating.
  • Feature-flagged: Gated by ROX_EVALUATION_FILTER (disabled by
    default).
  • Empty proto: The EvaluationFilter message has no fields yet.
    Fields for base image and container types will be added in the
    follow-up PR.

User-facing documentation

Testing and quality

Automated testing

  • added unit tests
  • added e2e tests
  • added regression tests
  • added compatibility tests
  • modified existing tests

Testing and quality

  • the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
  • CI results are inspected

How I validated my change

  • Unit tests in pkg/booleanpolicy/filter/
  • Integration tests in pkg/booleanpolicy/ exercise filters end-to-end through
    the matcher
  • Existing runtime_criteria_test.go updated for MatchKubeEvent signature change
  • Feature flag disabled by default
  • We have another branch cong/boo/eval-filter-detection that have the proto type implementation of base image and container type filters with tests and benchmark tests which is on top of this PR. We keep running these tests to make sure there are no regressions from our tests results in design review.

change me!

@openshift-ci
Copy link
Copy Markdown

openshift-ci Bot commented May 21, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@c-du c-du marked this pull request as ready for review May 21, 2026 16:56
@c-du c-du requested review from a team as code owners May 21, 2026 16:56
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 21, 2026
edited
Loading

🚀 Build Images Ready

Images are ready for commit 648fb7b. To use with deploy scripts:

export MAIN_IMAGE_TAG=4.12.x-87-g648fb7b1be

@coderabbitai
Copy link
Copy Markdown
Contributor

coderabbitai Bot commented Jun 3, 2026
edited
Loading

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 21.05% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly and specifically summarizes the main change: introducing an evaluation filter mechanism to the policy engine, matching the PR's core objective.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description check ✅ Passed The PR description covers key implementation details, design decisions, testing approach, and feature-flag gating comprehensively.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch cong/eval-filter

Comment @coderabbitai help to get the list of available commands and usage tips.

@c-du c-du force-pushed the cong/eval-filter branch from daf801b to 2419efd Compare June 3, 2026 18:18
@c-du c-du added the ai-review label Jun 3, 2026
coderabbitai[bot]
coderabbitai Bot reviewed Jun 5, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/booleanpolicy/filter/filter.go`:
- Around line 19-20: The Apply method should guard against a nil callback to
avoid panics: in EvaluationFilter.Apply, check if f.apply is nil and if so
return the original dep and imgs unchanged; otherwise call and return
f.apply(dep, imgs). Update the Apply implementation (referencing
EvaluationFilter.Apply and the underlying f.apply callback) so a
zero-value/partially built filter becomes a no-op instead of panicking.

In `@pkg/detection/compiled_policy.go`:
- Around line 311-332: applyFilters currently returns changed=true whenever
cp.filters is non-empty; change it to compute whether outputs actually differ by
comparing the resulting dep and imgs to the inputs (e.g., check pointer/identity
or deep-equality on deployment and images slice contents) and only return true
when dep or imgs differ; in applyImageFilters, when ed.Images is empty treat
that as the image being removed and return (nil, true) instead of returning the
original image so image-exclusion filters are honored; keep
NetworkPoliciesApplied copied from the original ed and ensure equality
comparison logic handles both length and element differences so cache
invalidation only happens on real changes.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 0683b4b2-39db-4e59-a567-a286a0e5800b

📥 Commits

Reviewing files that changed from the base of the PR and between df1303a and ee5b976.

⛔ Files ignored due to path filters (7)
  • central/graphql/resolvers/gen/main.go is excluded by !**/gen/**
  • generated/api/v1/alert_service.swagger.json is excluded by !**/generated/**
  • generated/api/v1/detection_service.swagger.json is excluded by !**/generated/**
  • generated/api/v1/policy_service.swagger.json is excluded by !**/generated/**
  • generated/storage/policy.pb.go is excluded by !**/*.pb.go, !**/generated/**
  • generated/storage/policy_vtproto.pb.go is excluded by !**/*.pb.go, !**/generated/**
  • proto/storage/proto.lock is excluded by !**/*.lock
📒 Files selected for processing (17)
  • central/policy/customresource/policy.go
  • central/policy/handlers/handler.go
  • central/policy/service/service_impl.go
  • pkg/booleanpolicy/filter/compile.go
  • pkg/booleanpolicy/filter/compile_test.go
  • pkg/booleanpolicy/filter/filter.go
  • pkg/booleanpolicy/filter/filter_test.go
  • pkg/booleanpolicy/filter/testutils.go
  • pkg/booleanpolicy/image_criteria_test.go
  • pkg/booleanpolicy/matcher.go
  • pkg/booleanpolicy/matcher_impl.go
  • pkg/booleanpolicy/runtime_criteria_test.go
  • pkg/booleanpolicy/workload_criteria_test.go
  • pkg/detection/compiled_policy.go
  • pkg/detection/runtime/detector.go
  • pkg/features/list.go
  • proto/storage/policy.proto

Comment thread pkg/booleanpolicy/filter/filter.go
Comment thread pkg/detection/compiled_policy.go
@c-du c-du requested review from AlexVulaj, clickboo and ksurabhi91 June 8, 2026 17:27
dashrews78
dashrews78 reviewed Jun 8, 2026
View reviewed changes
Comment thread pkg/booleanpolicy/filter/testutils.go
import "github.com/stackrox/rox/generated/storage"

// NewTestFilter creates an EvaluationFilter from a callback for use in tests.
func NewTestFilter(fn func(*storage.Deployment, []*storage.Image) (*storage.Deployment, []*storage.Image)) EvaluationFilter {
Copy link
Copy Markdown
Contributor

@dashrews78 dashrews78 Jun 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we require a test context? Or move it to a test package?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dashrews78 dashrews78 dashrews78 left review comments

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@AlexVulaj AlexVulaj AlexVulaj approved these changes

@ksurabhi91 ksurabhi91 Awaiting requested review from ksurabhi91

@clickboo clickboo Awaiting requested review from clickboo

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

ai-review area/central

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@c-du @AlexVulaj @dashrews78