Merge pull request #9029 from microsoft/danmihai1/k8s-empty-dirs

genpolicy: mount source for non-confidential guest
2025-07-31 23:36:12 +00:00 · 2024-02-07 11:26:16 -08:00 · 2024-02-07 11:26:16 -08:00 · 01745689e1
commit 01745689e1
parent 934d8dca0f 473efc2149
3 changed files with 32 additions and 14 deletions
--- a/src/tools/genpolicy/genpolicy-settings.json
+++ b/src/tools/genpolicy/genpolicy-settings.json
@ -136,6 +136,17 @@
    },
    "volumes": {
        "emptyDir": {
+            "mount_type": "local",
+            "mount_source": "^$(cpath)/$(sandbox-id)/rootfs/local/",
+            "mount_point": "^$(cpath)/$(sandbox-id)/local/",
+            "driver": "local",
+            "source": "local",
+            "fstype": "local",
+            "options": [
+                "mode=0777"
+            ]
+        },
+        "confidential_emptyDir": {
            "mount_type": "local",
            "mount_source": "^$(cpath)/$(sandbox-id)/local/",
            "mount_point": "^$(cpath)/$(sandbox-id)/local/",
--- a/src/tools/genpolicy/src/mount_and_storage.rs
+++ b/src/tools/genpolicy/src/mount_and_storage.rs
@ -99,12 +99,24 @@ pub fn get_mount_and_storage(
    yaml_mount: &pod::VolumeMount,
 ) {
    if let Some(emptyDir) = &yaml_volume.emptyDir {
-        let memory_medium = if let Some(medium) = &emptyDir.medium {
-            medium == "Memory"
-        } else {
-            false
-        };
-        get_empty_dir_mount_and_storage(settings, p_mounts, storages, yaml_mount, memory_medium);
+        let settings_volumes = &settings.volumes;
+        let mut volume: Option<&settings::EmptyDirVolume> = None;
+
+        if let Some(medium) = &emptyDir.medium {
+            if medium == "Memory" {
+                volume = Some(&settings_volumes.emptyDir_memory);
+            }
+        }
+
+        if volume.is_none() {
+            volume = if settings.kata_config.confidential_guest {
+                Some(&settings_volumes.confidential_emptyDir)
+            } else {
+                Some(&settings_volumes.emptyDir)
+            }
+        }
+
+        get_empty_dir_mount_and_storage(settings, p_mounts, storages, yaml_mount, volume.unwrap());
    } else if yaml_volume.persistentVolumeClaim.is_some() || yaml_volume.azureFile.is_some() {
        get_shared_bind_mount(yaml_mount, p_mounts, "rprivate", "rw");
    } else if yaml_volume.hostPath.is_some() {
@ -125,14 +137,8 @@ fn get_empty_dir_mount_and_storage(
    p_mounts: &mut Vec<policy::KataMount>,
    storages: &mut Vec<agent::Storage>,
    yaml_mount: &pod::VolumeMount,
-    memory_medium: bool,
+    settings_empty_dir: &settings::EmptyDirVolume,
 ) {
-    let settings_volumes = &settings.volumes;
-    let settings_empty_dir = if memory_medium {
-        &settings_volumes.emptyDir_memory
-    } else {
-        &settings_volumes.emptyDir
-    };
    debug!("Settings emptyDir: {:?}", settings_empty_dir);

    if yaml_mount.subPathExpr.is_none() {
@ -151,7 +157,7 @@ fn get_empty_dir_mount_and_storage(
    let source = if yaml_mount.subPathExpr.is_some() {
        let file_name = Path::new(&yaml_mount.mountPath).file_name().unwrap();
        let name = OsString::from(file_name).into_string().unwrap();
-        format!("{}{name}$", &settings_volumes.configMap.mount_source)
+        format!("{}{name}$", &settings.volumes.configMap.mount_source)
    } else {
        format!("{}{}$", &settings_empty_dir.mount_source, &yaml_mount.name)
    };
--- a/src/tools/genpolicy/src/settings.rs
+++ b/src/tools/genpolicy/src/settings.rs
@ -30,6 +30,7 @@ pub struct Settings {
 #[derive(Clone, Debug, Serialize, Deserialize)]
 pub struct Volumes {
    pub emptyDir: EmptyDirVolume,
+    pub confidential_emptyDir: EmptyDirVolume,
    pub emptyDir_memory: EmptyDirVolume,
    pub configMap: ConfigMapVolume,
    pub confidential_configMap: ConfigMapVolume,