Merge pull request #9139 from microsoft/saulparedes/genolicy_panic_subpath

genpolicy: panic when we see a volume mount subpath
2025-06-26 07:22:20 +00:00 · 2024-02-29 12:18:56 -08:00 · 2024-02-29 12:18:56 -08:00 · 11b603e5f1
commit 11b603e5f1
parent a4f5815f6b 9b7bd376eb
2 changed files with 11 additions and 0 deletions
--- a/src/tools/genpolicy/src/mount_and_storage.rs
+++ b/src/tools/genpolicy/src/mount_and_storage.rs
@ -23,6 +23,14 @@ pub fn get_policy_mounts(
    yaml_container: &pod::Container,
    is_pause_container: bool,
 ) {
+    if let Some(volumeMounts) = &yaml_container.volumeMounts {
+        for volumeMount in volumeMounts {
+            if volumeMount.subPath.is_some() {
+                panic!("Kata Containers doesn't support volumeMounts.subPath - see https://github.com/kata-containers/runtime/issues/2812");
+            }
+        }
+    }
+
    let c_settings = settings.get_container_settings(is_pause_container);
    let settings_mounts = &c_settings.Mounts;
    let rootfs_access = if yaml_container.read_only_root_filesystem() {
--- a/src/tools/genpolicy/src/pod.rs
+++ b/src/tools/genpolicy/src/pod.rs
@ -412,6 +412,9 @@ pub struct VolumeMount {

    #[serde(skip_serializing_if = "Option::is_none")]
    pub readOnly: Option<bool>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub subPath: Option<String>,
    // TODO: additional fields.
 }