ROX-35289: add post-upgrade script to skip init container evaluation

util-scripts/skip-init-container-evaluation/README.md

@@ -0,0 +1,44 @@
+# Skip Init Container Evaluation
+
+Starting in ACS 5.0, policies evaluate init containers by default. This script is a **one-time post-upgrade tool** that adds `skipContainerTypes: ["INIT"]` to all existing policies that don't already have an evaluation filter, preserving the pre-5.0 behavior where init containers were not evaluated.
+
+This script is not intended to be run repeatedly or as a long-term maintenance tool.
+
+## Usage
+
+```bash
+export ROX_ENDPOINT="central.example.com:443"
+export ROX_API_TOKEN="your-api-token"
+
+./skip-init-container-evaluation.sh
+```
+
+Each policy is presented for confirmation with options: `yes` (update this policy), `no` (skip this policy), or `all` (update this and all remaining policies without further prompts).
+
+## Requirements
+
+- ACS 5.0 or later
+- `curl` and `jq` installed
+- An API token with policy read/write permissions
+
+## What it does
+
+1. Checks that Central is running ACS 5.0+
+2. Lists all policies and prompts for confirmation before making changes
+3. For each applicable policy without an existing evaluation filter, adds `skipContainerTypes: ["INIT"]`
+4. Skips policies that already have an evaluation filter
+5. Skips build-only policies (container type filters are not applicable at build time)
+6. Skips declarative (CRD-managed) policies
+7. Skips audit log and node event policies (they don't evaluate containers)
+
+## Policy-as-Code users
+
+If you manage policies via SecurityPolicy CRDs and a GitOps workflow, update your policy manifests directly instead of running this script. Add the following to each policy spec:
+
+```yaml
+spec:
+  # ... existing policy fields ...
+  evaluationFilter:
+    skipContainerTypes:
+      - INIT
+```

util-scripts/skip-init-container-evaluation/skip-init-container-evaluation.sh

@@ -0,0 +1,114 @@
+#!/bin/bash
+# Adds skipContainerTypes: ["INIT"] to all existing policies that don't already have it.
+# This is intended for customers upgrading to 5.0+ who want to preserve the pre-5.0 behavior
+# where init containers were not evaluated by policies.
+
+set -euo pipefail
+
+CONFIRM_EACH=true
+
+if [[ -z "${ROX_ENDPOINT:-}" ]]; then
+  echo >&2 "ROX_ENDPOINT must be set"
+  exit 1
+fi
+
+if [[ -z "${ROX_API_TOKEN:-}" ]]; then
+  echo >&2 "ROX_API_TOKEN must be set"
+  exit 1
+fi
+
+API="https://${ROX_ENDPOINT}"
+AUTH="Authorization: Bearer ${ROX_API_TOKEN}"
+
+# Version check — require 5.0+
+version=$(curl -sk -H "$AUTH" "$API/v1/metadata" | jq -r '.version')
+major=$(echo "$version" | cut -d. -f1)
+
+if [[ "$major" -lt 5 ]]; then
+  echo >&2 "This script requires ACS 5.0 or later (detected: $version)"
+  exit 1
+fi
+
+echo "ACS version: $version"
+
+# List all policies
+policies=$(curl -sk -H "$AUTH" "$API/v1/policies" | jq -r '.policies[].id')
+total=$(echo "$policies" | wc -l | tr -d ' ')
+updated=0
+skipped=0
+failed=0
+
+echo "Found $total policies"
+echo ""
+
+for id in $policies; do
+  policy=$(curl -sk -H "$AUTH" "$API/v1/policies/$id")
+  name=$(echo "$policy" | jq -r '.name')
+
+  # Skip if any evaluation filter is already configured
+  existing_filter=$(echo "$policy" | jq '.evaluationFilter // empty' 2>/dev/null)
+  if [[ -n "$existing_filter" && "$existing_filter" != "{}" && "$existing_filter" != "null" ]]; then
+    echo "  SKIP: \"$name\" — already has evaluation filter"
+    skipped=$((skipped + 1))
+    continue
+  fi
+
+  # Skip build-only policies — container type filters don't apply at build time
+  lifecycle_stages=$(echo "$policy" | jq -r '.lifecycleStages[]')
+  if [[ "$lifecycle_stages" == "BUILD" ]]; then
+    echo "  SKIP: \"$name\" — build-only policy"
+    skipped=$((skipped + 1))
+    continue
+  fi
+
+  # Skip declarative (CRD-managed) policies — customers should update their CRD manifests directly
+  source=$(echo "$policy" | jq -r '.source')
+  if [[ "$source" == "DECLARATIVE" ]]; then
+    echo "  SKIP: \"$name\" — declarative policy (update CRD directly)"
+    skipped=$((skipped + 1))
+    continue
+  fi
+
+  # Skip audit log and node event policies — they don't evaluate containers
+  event_source=$(echo "$policy" | jq -r '.eventSource')
+  if [[ "$event_source" == "AUDIT_LOG_EVENT" ]]; then
+    echo "  SKIP: \"$name\" — audit log event policy"
+    skipped=$((skipped + 1))
+    continue
+  fi
+  if [[ "$event_source" == "NODE_EVENT" ]]; then
+    echo "  SKIP: \"$name\" — node event policy"
+    skipped=$((skipped + 1))
+    continue
+  fi
+
+  if [[ "$CONFIRM_EACH" == "true" ]]; then
+    read -rp "  Update \"$name\"? (yes/no/all): " answer
+    case "$answer" in
+      all) CONFIRM_EACH=false ;;
+      yes) ;;
+      *) echo "  SKIP: \"$name\" — skipped by user"; skipped=$((skipped + 1)); continue ;;
+    esac
+  fi
+
+  # Add skipContainerTypes: ["INIT"] to the evaluation filter
+  updated_policy=$(echo "$policy" | jq '.evaluationFilter = {"skipContainerTypes": ["INIT"]}')
+
+  result=$(curl -sk -o /dev/null -w "%{http_code}" -XPUT -H "$AUTH" -H "Content-Type: application/json" \
+    "$API/v1/policies/$id" --data "$updated_policy")
+
+  if [[ "$result" == "200" ]]; then
+    echo "  UPDATED: \"$name\""
+    updated=$((updated + 1))
+  else
+    echo >&2 "  ERROR: \"$name\" — HTTP $result"
+    failed=$((failed + 1))
+  fi
+done
+
+echo ""
+echo "Done. Updated: $updated, Skipped: $skipped, Failed: $failed, Total: $total"
+
+if [[ "$failed" -gt 0 ]]; then
+  exit 1
+fi