Default to deny all security policy.

[anmaxvl]

When bringing up the UVM default to closed door security policy
to reject any modification requests prior to security policy is set
inside GCS.
When security policy is empty, default to open door policy.

Signed-off-by: Maksim An maksiman@microsoft.com

[anmaxvl]

@SeanTAllen , I don't remember why we didn't do this to start with? Is there something obvious I'm missing?

[SeanTAllen]

@anmaxvl yes, because otherwise it would break existing deployments that need to be updated to have an allow all security policy.

[anmaxvl]

@SeanTAllen would the approach in this PR work?

[SeanTAllen]

@anmaxvl I dont see what this PR accomplishes. Its not really defaulting to closed as the absence of a policy then switches it to open so... its the same thing as it is now.

[anmaxvl]

@SeanTAllen , I updated the commit and PR description a bit. So what this PR is making sure that GCS won't accept any supported requests before the policy is set. Also we make an assumption in this PR, that if no security policy is set, that it means that everything is allowed.

[SeanTAllen]

Got it.

[kevpar]

All I can think of is we'll need to make sure we don't try to do any operations that policy would deny between UVM startup and when we set the policy to open. But assuming you've tested creating a pod and it still works I think we are good.

[kevpar]

@anmaxvl I see you assigned me to this, was there something specific you're looking for me to do? I already approved so unless something changes it's good to go from my perspective. We would just need another reviewer in that case.

[anmaxvl]

@anmaxvl I see you assigned me to this, was there something specific you're looking for me to do? I already approved so unless something changes it's good to go from my perspective. We would just need another reviewer in that case.

no, nothing. I think we usually self-assign when doing a review, so I just did that. agree, that we need another pair of eyes here. @microsoft/containerplat