genpolicy: check requested devices

CreateContainerRequest objects can specify devices to be created inside
the guest VM. This change ensures that requested devices have a
corresponding entry in the PodSpec.

Devices that are added to the pod dynamically, for example via the
Device Plugin architecture, can be allowlisted globally by adding their
definition to the settings file.

Fixes: #9651
Signed-off-by: Markus Rudy <mr@edgeless.systems>

tests/integration/kubernetes/k8s-policy-pvc.bats

@@ -0,0 +1,66 @@
+#!/usr/bin/env bats
+#
+# Copyright (c) 2024 Edgeless Systems GmbH
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+load "${BATS_TEST_DIRNAME}/../../common.bash"
+load "${BATS_TEST_DIRNAME}/tests_common.sh"
+
+setup() {
+	auto_generate_policy_enabled || skip "Auto-generated policy tests are disabled."
+
+	pod_name="policy-pod-pvc"
+	pvc_name="policy-dev"
+
+	get_pod_config_dir
+
+	correct_pod_yaml="${pod_config_dir}/k8s-policy-pod-pvc.yaml"
+	incorrect_pod_yaml="${pod_config_dir}/k8s-policy-pod-pvc-incorrect.yaml"
+	pvc_yaml="${pod_config_dir}/k8s-policy-pvc.yaml"
+
+	# Save some time by executing genpolicy a single time.
+	if [ "${BATS_TEST_NUMBER}" == "1" ]; then
+		# Add policy to the correct pod yaml file
+		auto_generate_policy "${pod_config_dir}" "${correct_pod_yaml}"
+	fi
+
+    # Start each test case with a copy of the correct yaml files.
+	cp "${correct_pod_yaml}" "${incorrect_pod_yaml}"
+}
+
+@test "Successful pod with auto-generated policy" {
+	kubectl create -f "${correct_pod_yaml}"
+	kubectl create -f "${pvc_yaml}"
+	kubectl wait --for=condition=Ready "--timeout=${timeout}" pod "${pod_name}"
+}
+
+# Common function for several test cases from this bats script.
+test_pod_policy_error() {
+	kubectl create -f "${incorrect_pod_yaml}"
+	kubectl create -f "${pvc_yaml}"
+	wait_for_blocked_request "CreateContainerRequest" "${pod_name}"
+}
+
+@test "Policy failure: unexpected device mount" {
+	# Changing the location of a mounted device after policy generation should fail the policy check.
+	yq write -i \
+		"${incorrect_pod_yaml}" \
+		"spec.containers[0].volumeDevices.[0].devicePath" \
+		"/dev/unexpected"
+
+	test_pod_policy_error
+}
+
+teardown() {
+	auto_generate_policy_enabled || skip "Auto-generated policy tests are disabled."
+
+	# Debugging information. Don't print the "Message:" line because it contains a truncated policy log.
+	kubectl describe pod "${pod_name}" | grep -v "Message:"
+
+	# Clean-up
+	kubectl delete -f "${correct_pod_yaml}"
+	kubectl delete -f "${pvc_yaml}"
+	rm -f "${incorrect_pod_yaml}"
+}

tests/integration/kubernetes/run_kubernetes_tests.sh

@@ -55,6 +55,7 @@ else
 		"k8s-pod-quota.bats" \
 		"k8s-policy-job.bats" \
 		"k8s-policy-pod.bats" \
+		"k8s-policy-pvc.bats" \
 		"k8s-policy-rc.bats" \
 		"k8s-port-forward.bats" \
 		"k8s-projected-volume.bats" \

tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-pod-pvc.yaml

@@ -0,0 +1,22 @@
+#
+# Copyright (c) 2024 Edgeless Systems GmbH
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+apiVersion: v1
+kind: Pod
+metadata:
+  name: policy-pod-pvc
+spec:
+  terminationGracePeriodSeconds: 0
+  runtimeClassName: kata
+  containers:
+    - name: busybox
+      image: "quay.io/prometheus/busybox:latest"
+      volumeDevices:
+        - name: dev
+          devicePath: /dev/csi0
+  volumes:
+    - name: dev
+      persistentVolumeClaim:
+        claimName: policy-dev

tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-pvc.yaml

@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2024 Edgeless Systems GmbH
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: policy-dev
+spec:
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Block
+  resources:
+    requests:
+      storage: 1Mi