genpolicy: check requested devices

CreateContainerRequest objects can specify devices to be created inside
the guest VM. This change ensures that requested devices have a
corresponding entry in the PodSpec.

Devices that are added to the pod dynamically, for example via the
Device Plugin architecture, can be allowlisted globally by adding their
definition to the settings file.

Fixes: #9651
Signed-off-by: Markus Rudy <mr@edgeless.systems>

tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-pod-pvc.yaml

@@ -0,0 +1,22 @@
+#
+# Copyright (c) 2024 Edgeless Systems GmbH
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+apiVersion: v1
+kind: Pod
+metadata:
+  name: policy-pod-pvc
+spec:
+  terminationGracePeriodSeconds: 0
+  runtimeClassName: kata
+  containers:
+    - name: busybox
+      image: "quay.io/prometheus/busybox:latest"
+      volumeDevices:
+        - name: dev
+          devicePath: /dev/csi0
+  volumes:
+    - name: dev
+      persistentVolumeClaim:
+        claimName: policy-dev

tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-pvc.yaml

@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2024 Edgeless Systems GmbH
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: policy-dev
+spec:
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Block
+  resources:
+    requests:
+      storage: 1Mi