genpolicy: tests: add test for config_map volumes

This patch adds test for config_map volumes.

Signed-off-by: Archana Choudhary <archana1@microsoft.com>

src/tools/genpolicy/tests/policy/main.rs

@@ -284,4 +284,9 @@ mod tests {
     async fn test_create_container_mounts() {
         runtests("createcontainer/volumes/emptydir").await;
     }
+
+    #[tokio::test]
+    async fn test_create_container_volumes_config_map() {
+        runtests("createcontainer/volumes/config_map").await;
+    }
 }

src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/config_map/config_map.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: config-map1
+data:
+  simple_value1: value1

src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/config_map/pod.yaml

@@ -0,0 +1,21 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: dummy
+spec:
+  runtimeClassName: kata-cc-isolation
+  containers:
+    - name: dummy
+      image: "registry.k8s.io/pause:3.6@sha256:3d380ca8864549e74af4b29c10f9cb0956236dfb01c40ca076fb6c37253234db"
+      volumeMounts:
+        - name: config
+          mountPath: /config
+          readOnly: true
+  volumes:
+    - name: config
+      configMap:
+        name: config-map1
+        items:
+          - key: simple_value1
+            path: simple_value1

src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/config_map/testcases.json

@@ -0,0 +1,151 @@
+[
+  {
+    "description": "CreateContainer with config map volume",
+    "allowed": true,
+    "request": {
+      "type": "CreateContainer",
+      "OCI": {
+        "Version": "1.1.0",
+        "Annotations": {
+          "io.kubernetes.cri.sandbox-name": "dummy",
+          "io.kubernetes.cri.sandbox-namespace": "default",
+          "io.kubernetes.cri.container-type": "container",
+          "io.katacontainers.pkg.oci.container_type": "pod_container",
+          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/bundle-id",
+          "io.kubernetes.cri.sandbox-id": "0000000000000000000000000000000000000000000000000000000000000000",
+          "io.kubernetes.cri.container-name": "dummy"
+        },
+        "Linux": {
+          "GIDMappings": [],
+          "MountLabel": "",
+          "Resources": {
+            "Devices": []
+          },
+          "RootfsPropagation": "",
+          "Namespaces": [
+            {
+              "Path": "",
+              "Type": "ipc"
+            },
+            {
+              "Path": "",
+              "Type": "uts"
+            },
+            {
+              "Path": "",
+              "Type": "mount"
+            },
+            {
+              "Path": "/run/netns/podns",
+              "Type": "network"
+            }
+          ],
+          "MaskedPaths": [
+            "/proc/acpi",
+            "/proc/asound",
+            "/proc/kcore",
+            "/proc/keys",
+            "/proc/latency_stats",
+            "/proc/timer_list",
+            "/proc/timer_stats",
+            "/proc/sched_debug",
+            "/sys/firmware",
+            "/proc/scsi"
+          ],
+          "ReadonlyPaths": [
+            "/proc/bus",
+            "/proc/fs",
+            "/proc/irq",
+            "/proc/sys",
+            "/proc/sysrq-trigger"
+          ]
+        },
+        "Process": {
+          "SelinuxLabel": "",
+          "User": {
+            "Username": "",
+            "UID": 65535,
+            "AdditionalGids": [
+              0
+            ]
+          },
+          "Args": [
+            "/pause"
+          ],
+          "Cwd": "/",
+          "NoNewPrivileges": false,
+          "Capabilities": {
+            "Ambient": [],
+            "Bounding": [
+              "CAP_CHOWN",
+              "CAP_DAC_OVERRIDE",
+              "CAP_FSETID",
+              "CAP_FOWNER",
+              "CAP_MKNOD",
+              "CAP_NET_RAW",
+              "CAP_SETGID",
+              "CAP_SETUID",
+              "CAP_SETFCAP",
+              "CAP_SETPCAP",
+              "CAP_NET_BIND_SERVICE",
+              "CAP_SYS_CHROOT",
+              "CAP_KILL",
+              "CAP_AUDIT_WRITE"
+            ],
+            "Effective": [
+              "CAP_CHOWN",
+              "CAP_DAC_OVERRIDE",
+              "CAP_FSETID",
+              "CAP_FOWNER",
+              "CAP_MKNOD",
+              "CAP_NET_RAW",
+              "CAP_SETGID",
+              "CAP_SETUID",
+              "CAP_SETFCAP",
+              "CAP_SETPCAP",
+              "CAP_NET_BIND_SERVICE",
+              "CAP_SYS_CHROOT",
+              "CAP_KILL",
+              "CAP_AUDIT_WRITE"
+            ],
+            "Permitted": [
+              "CAP_CHOWN",
+              "CAP_DAC_OVERRIDE",
+              "CAP_FSETID",
+              "CAP_FOWNER",
+              "CAP_MKNOD",
+              "CAP_NET_RAW",
+              "CAP_SETGID",
+              "CAP_SETUID",
+              "CAP_SETFCAP",
+              "CAP_SETPCAP",
+              "CAP_NET_BIND_SERVICE",
+              "CAP_SYS_CHROOT",
+              "CAP_KILL",
+              "CAP_AUDIT_WRITE"
+            ]
+          }
+        },
+        "Root": {
+          "Readonly": false,
+          "Path": "/run/kata-containers/shared/containers/bundle-id/rootfs"
+        }
+      },
+      "storages": [
+        {
+          "driver": "watchable-bind",
+          "driver_options": [],
+          "source": "/run/kata-containers/shared/containers/bundle-id-a1b2c3d4e5f6g7h8-config",
+          "fstype": "bind",
+          "options": [
+            "rbind",
+            "rprivate",
+            "ro"
+          ],
+          "mount_point": "/run/kata-containers/shared/containers/watchable/bundle-id-a1b2c3d4e5f6g7h8-config",
+          "fs_group": null
+        }
+      ]
+    }
+  }
+]