github/kata-containers
1
0
Fork 2
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-09-03 18:04:16 +00:00
Code Issues Projects Releases Wiki Activity

genpolicy: support readonly emptyDir mount

Browse Source 
Set emptyDir access based on volume mount readOnly value

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
This commit is contained in:
Saul Paredes
2024-09-03 19:09:13 -07:00
parent 36a4104753
commit 24c2d13fd3
2 changed files with 12 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
src/tools/genpolicy/src/mount_and_storage.rs
View File

@@ -181,6 +181,14 @@ fn get_empty_dir_mount_and_storage(
&settings_empty_dir.mount_type &settings_empty_dir.mount_type
}; };
let access = match yaml_mount.readOnly {
Some(true) => {
debug!("setting read only access for emptyDir mount");
"ro"
}
_ => "rw",
};
p_mounts.push(policy::KataMount { p_mounts.push(policy::KataMount {
destination: yaml_mount.mountPath.to_string(), destination: yaml_mount.mountPath.to_string(),
type_: mount_type.to_string(), type_: mount_type.to_string(),
@@ -188,7 +196,7 @@ fn get_empty_dir_mount_and_storage(
options: vec![ options: vec![
"rbind".to_string(), "rbind".to_string(),
"rprivate".to_string(), "rprivate".to_string(),
"rw".to_string(), access.to_string(),
], ],
}); });
} }

3
tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-rc.yaml
View File

@@ -27,6 +27,9 @@ spec:
volumeMounts: volumeMounts:
- name: host-empty-vol - name: host-empty-vol
mountPath: "/host/cache" mountPath: "/host/cache"
- name: host-empty-vol
mountPath: "/host/cache-read-only"
readOnly: true
- mountPath: /tmp/results - mountPath: /tmp/results
name: hostpath-vol name: hostpath-vol
- mountPath: /tmp/results-read-only - mountPath: /tmp/results-read-only