From 24c2d13fd3b85e601d0e6cb9c9855d528c0deeb6 Mon Sep 17 00:00:00 2001
From: Saul Paredes
Date: Tue, 3 Sep 2024 19:09:13 -0700
Subject: [PATCH] genpolicy: support readonly emptyDir mount

Set emptyDir access based on volume mount readOnly value

Signed-off-by: Saul Paredes
---
 src/tools/genpolicy/src/mount_and_storage.rs | 10 +++++++++-
 .../runtimeclass_workloads/k8s-policy-rc.yaml | 3 +++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/tools/genpolicy/src/mount_and_storage.rs b/src/tools/genpolicy/src/mount_and_storage.rs
index 69aee1e760..394c066585 100644
--- a/src/tools/genpolicy/src/mount_and_storage.rs
+++ b/src/tools/genpolicy/src/mount_and_storage.rs
@@ -181,6 +181,14 @@ fn get_empty_dir_mount_and_storage(
 &settings_empty_dir.mount_type
 };
 
+ let access = match yaml_mount.readOnly {
+ Some(true) => {
+ debug!("setting read only access for emptyDir mount");
+ "ro"
+ }
+ _ => "rw",
+ };
+
 p_mounts.push(policy::KataMount {
 destination: yaml_mount.mountPath.to_string(),
 type_: mount_type.to_string(),
@@ -188,7 +196,7 @@ fn get_empty_dir_mount_and_storage(
 options: vec![
 "rbind".to_string(),
 "rprivate".to_string(),
- "rw".to_string(),
+ access.to_string(),
 ],
 });
 }
diff --git a/tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-rc.yaml b/tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-rc.yaml
index 8f5145479d..52c39ae31c 100644
--- a/tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-rc.yaml
+++ b/tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-rc.yaml
@@ -27,6 +27,9 @@ spec:
 volumeMounts:
 - name: host-empty-vol
 mountPath: "/host/cache"
+ - name: host-empty-vol
+ mountPath: "/host/cache-read-only"
+ readOnly: true
 - mountPath: /tmp/results
 name: hostpath-vol
 - mountPath: /tmp/results-read-only
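Review bot: The `_ => "rw"` arm of the new `access` match silently folds `Some(false)` and `None` together, and nothing at the site says that an absent `readOnly` is deliberately treated as writable; a comment above the match would make the policy intent explicit for the next reader, e.g. `// readOnly is optional in the pod spec; absent or false means the mount is writable, so the generated policy must expect "rw".` Since the generated options are what the agent compares the incoming mount against, this line is the one place where a too-permissive default would show up, and the comment should say so. As a point of style, the match and its inner `debug!` can be flattened to `let access = if yaml_mount.readOnly == Some(true) { "ro" } else { "rw" };` with the debug log moved before it. The second hunk only consumes `access` in the options vector and needs no separate change; get_empty_dir_mount_and_storage begins before the first hunk, and whether the function's storage entry for the emptyDir also needs a read-only marker is not visible here.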