Add CSI Volume Sentinel Policy scaffolding (#26438)

* Add ent policy enforcement stubs to CSI Volume create/register * Wire policy override/warnings through CSI volume register/create * Add new scope to sentinel apply * Sanitize CSISecrets & CSIMountOptions * Add sentinel policy scope to ui * Update docs for new sentinel scope/policy * Create new api funcs for CSI endpoints * fix sentinel csi ui test * Update sentinel-policy docs * Add changelog * Update docs from feedback
2026-01-01 16:05:42 +03:00 · 2025-08-07 12:03:18 -07:00
parent 79bf619833
commit e16a3339ad
24 changed files with 396 additions and 48 deletions
--- a/ui/app/components/sentinel-policy-editor.hbs
+++ b/ui/app/components/sentinel-policy-editor.hbs
@@ -85,6 +85,9 @@
      </G.RadioField>
      <G.RadioField @id="submit-host-volume" checked={{eq @policy.scope "submit-host-volume"}} data-test-scope="submit-host-volume" as |F|>
        <F.Label>Submit Host Volume</F.Label>
+      </G.RadioField>
+	  <G.RadioField @id="submit-csi-volume" checked={{eq @policy.scope "submit-csi-volume"}} data-test-scope="submit-csi-volume" as |F|>
+        <F.Label>Submit CSI Volume</F.Label>
      </G.RadioField>
    </Hds::Form::Radio::Group>
  </div>
--- a/ui/mirage/factories/sentinel-policy.js
+++ b/ui/mirage/factories/sentinel-policy.js
@@ -22,6 +22,6 @@ export default Factory.extend({

  main = rule { false }`,

-  scope: pickOne(['submit-job', 'submit-host-volume']),
+  scope: pickOne(['submit-job', 'submit-host-volume', 'submit-csi-volume']),
  enforcementLevel: pickOne(['advisory', 'soft-mandatory', 'hard-mandatory']),
 });
--- a/ui/mirage/scenarios/default.js
+++ b/ui/mirage/scenarios/default.js
@@ -718,6 +718,23 @@ main = rule { has_tag() }
      scope: 'submit-host-volume',
    });
    server.createList('sentinel-policy', 5);
+
+    server.create('sentinel-policy', {
+      id: 'csi-volume-policy',
+      name: 'csi-volume-policy',
+      description: 'A sentinel policy generated by Mirage',
+      enforcementLevel: 'soft-mandatory',
+      policy: `
+has_tag = func() {
+print("volume is missing tag")
+tag = volume.parameters["tag"] else 0
+return tag is not 0
+}
+main = rule { has_tag() }
+      `,
+      scope: 'submit-csi-volume',
+    });
+    server.createList('sentinel-policy', 5);
  }

  faker.seed(1);
--- a/ui/tests/acceptance/sentinel-policies-test.js
+++ b/ui/tests/acceptance/sentinel-policies-test.js
@@ -128,6 +128,28 @@ module('Acceptance | sentinel policies', function (hooks) {
    assert
      .dom(policyRow.querySelector('[data-test-sentinel-policy-scope]'))
      .hasText('submit-host-volume');
+
+    const policyCsi = server.db.sentinelPolicies.findBy(
+      (sp) => sp.name === 'csi-volume-policy'
+    );
+    await click('[data-test-sentinel-policy-name="csi-volume-policy"]');
+    assert.equal(
+      currentURL(),
+      `/administration/sentinel-policies/${policyCsi.id}`
+    );
+
+    await click('[data-test-scope="submit-csi-volume"]');
+    await click('button[data-test-save-policy]');
+    assert.dom('.flash-message.alert-success').exists();
+
+    await Administration.visitSentinelPolicies();
+    const policyRowCsi = find(
+      '[data-test-sentinel-policy-name="csi-volume-policy"]'
+    ).closest('[data-test-sentinel-policy-row]');
+    assert.dom(policyRowCsi).exists();
+    assert
+      .dom(policyRowCsi.querySelector('[data-test-sentinel-policy-scope]'))
+      .hasText('submit-csi-volume');
  });

  test('New Sentinel Policy from Scratch', async function (assert) {