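# Permission policy for an agent running in a Docker container: allow-lists
# for filesystem paths, network destinations and environment variables, plus
# container hardening settings under runtime.docker.
# NOTE(review): the nesting below is reconstructed from key order because the
# page lost the file's indentation; verify it against the policy schema.
version: "1.0"
description: "Permission policy for docker container"
permissions:
  storage:
    allow:
      - uri: "fs://work/agent/**"
        access: ["read", "write"]
      # NOTE(review): this file is also matched by the read/write glob above.
      # Whether the narrower read-only rule takes precedence depends on the
      # policy engine's rule ordering; confirm, otherwise config.yaml may
      # remain writable by the agent.
      - uri: "fs://work/agent/config.yaml"
        access: ["read"]
  network:
    allow:
      - host: "api.openai.com"
      # Wildcard entry; presumably matches every host under this domain.
      # Confirm how the engine expands "*" (one label or any depth).
      - host: "*.internal.myorg.com"
      # NOTE(review): 10.0.0.0/8 is the whole RFC 1918 10.x private range.
      # Narrow it to the subnets the agent actually needs to reach.
      - cidr: "10.0.0.0/8"
  environment:
    # Only these two variables are listed. Presumably anything not listed is
    # withheld from the agent; confirm the engine is default-deny.
    allow:
      - key: "PATH"
      - key: "HOME"
  runtime:
    docker:
      security:
        # The container is not run in privileged mode.
        privileged: false
        # Presumably maps to Docker's no-new-privileges security option, which
        # stops processes gaining privileges through setuid/setgid binaries.
        no_new_privileges: true
        capabilities:
          # Drop every Linux capability, then add back only what is needed.
          drop: ["ALL"]
          # NET_BIND_SERVICE permits binding to ports below 1024. Remove it if
          # the workload only listens on unprivileged ports.
          add: ["NET_BIND_SERVICE"]
    # Placeholder with no settings yet; a bare key parses as null.
    # NOTE(review): assumed to be a sibling of docker under runtime; confirm.
    hyperlight:
      # future
  # resources:
  #   cpu (percentage), memory (mb), io (iops)
  # ipc:
  #   allow:
  #     - uri: "pipe://myservice"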