Merge pull request #10251 from microsoft/saulparedes/support_readonly_hostpath

genpolicy: support readonly hostpath
2025-09-18 15:28:10 +00:00 · 2024-09-05 09:27:15 -07:00
parent deb6d12ff6 24c2d13fd3
commit 7ab95b56f1
2 changed files with 32 additions and 3 deletions
--- a/src/tools/genpolicy/src/mount_and_storage.rs
+++ b/src/tools/genpolicy/src/mount_and_storage.rs
@@ -181,6 +181,14 @@ fn get_empty_dir_mount_and_storage(
        &settings_empty_dir.mount_type
    };

+    let access = match yaml_mount.readOnly {
+        Some(true) => {
+            debug!("setting read only access for emptyDir mount");
+            "ro"
+        }
+        _ => "rw",
+    };
+
    p_mounts.push(policy::KataMount {
        destination: yaml_mount.mountPath.to_string(),
        type_: mount_type.to_string(),
@@ -188,7 +196,7 @@ fn get_empty_dir_mount_and_storage(
        options: vec![
            "rbind".to_string(),
            "rprivate".to_string(),
-            "rw".to_string(),
+            access.to_string(),
        ],
    });
 }
@@ -209,6 +217,13 @@ fn get_host_path_mount(
        }
    }

+    let access = match yaml_mount.readOnly {
+        Some(true) => {
+            debug!("setting read only access for host path mount");
+            "ro"
+        }
+        _ => "rw",
+    };
    // TODO:
    //
    // - When volume.hostPath.path: /dev/ttyS0
@@ -220,7 +235,7 @@ fn get_host_path_mount(
    if !path.starts_with("/dev/") && !path.starts_with("/sys/") {
        debug!("get_host_path_mount: calling get_shared_bind_mount");
        let propagation = if biderectional { "rshared" } else { "rprivate" };
-        get_shared_bind_mount(yaml_mount, p_mounts, propagation, "rw");
+        get_shared_bind_mount(yaml_mount, p_mounts, propagation, access);
    } else {
        let dest = yaml_mount.mountPath.clone();
        let type_ = "bind".to_string();
@@ -228,7 +243,7 @@ fn get_host_path_mount(
        let options = vec![
            "rbind".to_string(),
            mount_option.to_string(),
-            "rw".to_string(),
+            access.to_string(),
        ];

        if let Some(policy_mount) = p_mounts.iter_mut().find(|m| m.destination.eq(&dest)) {
--- a/tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-rc.yaml
+++ b/tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-rc.yaml
@@ -27,6 +27,20 @@ spec:
        volumeMounts:
          - name: host-empty-vol
            mountPath: "/host/cache"
+          - name: host-empty-vol
+            mountPath: "/host/cache-read-only"
+            readOnly: true
+          - mountPath: /tmp/results
+            name: hostpath-vol
+          - mountPath: /tmp/results-read-only
+            name: hostpath-vol-read-only
+            readOnly: true
      volumes:
      - name: host-empty-vol
        emptyDir: {}
+      - name: hostpath-vol
+        hostPath:
+          path: /tmp/results
+      - name: hostpath-vol-read-only
+        hostPath:
+          path: /tmp/results-read-only