github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-06-26 23:38:31 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #9139 from microsoft/saulparedes/genolicy_panic_subpath

Browse Source 
genpolicy: panic when we see a volume mount subpath
This commit is contained in:
Dan Mihai 2024-02-29 12:18:56 -08:00 committed by GitHub
commit 11b603e5f1
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 11 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/tools/genpolicy/src/mount_and_storage.rs
View File

@ -23,6 +23,14 @@ pub fn get_policy_mounts(
yaml_container: &pod::Container, yaml_container: &pod::Container,
is_pause_container: bool, is_pause_container: bool,
) { ) {
if let Some(volumeMounts) = &yaml_container.volumeMounts {
for volumeMount in volumeMounts {
if volumeMount.subPath.is_some() {
panic!("Kata Containers doesn't support volumeMounts.subPath - see https://github.com/kata-containers/runtime/issues/2812");
}
}
}
let c_settings = settings.get_container_settings(is_pause_container); let c_settings = settings.get_container_settings(is_pause_container);
let settings_mounts = &c_settings.Mounts; let settings_mounts = &c_settings.Mounts;
let rootfs_access = if yaml_container.read_only_root_filesystem() { let rootfs_access = if yaml_container.read_only_root_filesystem() {

3
src/tools/genpolicy/src/pod.rs
View File

@ -412,6 +412,9 @@ pub struct VolumeMount {
#[serde(skip_serializing_if = "Option::is_none")] #[serde(skip_serializing_if = "Option::is_none")]
pub readOnly: Option<bool>, pub readOnly: Option<bool>,
#[serde(skip_serializing_if = "Option::is_none")]
pub subPath: Option<String>,
// TODO: additional fields. // TODO: additional fields.
} }