Merge pull request #10251 from microsoft/saulparedes/support_readonly_hostpath

genpolicy: support readonly hostpath
Dan Mihai
2024-09-05 09:27:15 -07:00
committed by GitHub
2 changed files with 32 additions and 3 deletions


@@ -181,6 +181,14 @@ fn get_empty_dir_mount_and_storage(
&settings_empty_dir.mount_type &settings_empty_dir.mount_type
}; };
let access = match yaml_mount.readOnly {
Some(true) => {
debug!("setting read only access for emptyDir mount");
"ro"
}
_ => "rw",
};
p_mounts.push(policy::KataMount { p_mounts.push(policy::KataMount {
destination: yaml_mount.mountPath.to_string(), destination: yaml_mount.mountPath.to_string(),
type_: mount_type.to_string(), type_: mount_type.to_string(),
@@ -188,7 +196,7 @@ fn get_empty_dir_mount_and_storage(
options: vec![ options: vec![
"rbind".to_string(), "rbind".to_string(),
"rprivate".to_string(), "rprivate".to_string(),
"rw".to_string(), access.to_string(),
], ],
}); });
} }
@@ -209,6 +217,13 @@ fn get_host_path_mount(
} }
} }
let access = match yaml_mount.readOnly {
Some(true) => {
debug!("setting read only access for host path mount");
"ro"
}
_ => "rw",
};
// TODO: // TODO:
// //
// - When volume.hostPath.path: /dev/ttyS0 // - When volume.hostPath.path: /dev/ttyS0
@@ -220,7 +235,7 @@ fn get_host_path_mount(
if !path.starts_with("/dev/") && !path.starts_with("/sys/") { if !path.starts_with("/dev/") && !path.starts_with("/sys/") {
debug!("get_host_path_mount: calling get_shared_bind_mount"); debug!("get_host_path_mount: calling get_shared_bind_mount");
let propagation = if biderectional { "rshared" } else { "rprivate" }; let propagation = if biderectional { "rshared" } else { "rprivate" };
get_shared_bind_mount(yaml_mount, p_mounts, propagation, "rw"); get_shared_bind_mount(yaml_mount, p_mounts, propagation, access);
} else { } else {
let dest = yaml_mount.mountPath.clone(); let dest = yaml_mount.mountPath.clone();
let type_ = "bind".to_string(); let type_ = "bind".to_string();
@@ -228,7 +243,7 @@ fn get_host_path_mount(
let options = vec![ let options = vec![
"rbind".to_string(), "rbind".to_string(),
mount_option.to_string(), mount_option.to_string(),
"rw".to_string(), access.to_string(),
]; ];
if let Some(policy_mount) = p_mounts.iter_mut().find(|m| m.destination.eq(&dest)) { if let Some(policy_mount) = p_mounts.iter_mut().find(|m| m.destination.eq(&dest)) {
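Review bot: The `let access = match yaml_mount.readOnly { … }` block added at the top of the first hunk is repeated verbatim in the get_host_path_mount hunk, differing only in the debug message, so the two mount kinds can drift apart the next time the mapping changes; a single helper such as `fn mount_access(read_only: Option<bool>) -> &'static str` returning `"ro"` for `Some(true)` and `"rw"` otherwise, called from both sites, would keep them in step. Both enclosing functions start and end outside the hunks shown, and the `p_mounts` update that consumes `access` in the last hunk continues past its end. A short comment at each site, e.g. `// An absent or false readOnly is treated as read-write, matching the Kubernetes default`, would make the `_ => "rw"` arm's intent explicit, since that default is presumably what the generated policy will now compare against the runtime's mount options.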


@@ -27,6 +27,20 @@ spec:
volumeMounts: volumeMounts:
- name: host-empty-vol - name: host-empty-vol
mountPath: "/host/cache" mountPath: "/host/cache"
- name: host-empty-vol
mountPath: "/host/cache-read-only"
readOnly: true
- mountPath: /tmp/results
name: hostpath-vol
- mountPath: /tmp/results-read-only
name: hostpath-vol-read-only
readOnly: true
volumes: volumes:
- name: host-empty-vol - name: host-empty-vol
emptyDir: {} emptyDir: {}
- name: hostpath-vol
hostPath:
path: /tmp/results
- name: hostpath-vol-read-only
hostPath:
path: /tmp/results-read-only
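Review bot: The fixture adds only `readOnly: true` mounts, so the explicit `readOnly: false` spelling, which the new Rust `_ => "rw"` arm folds together with a missing key, is never exercised by this test input. Adding one more mount on the existing volume, `- mountPath: /tmp/results-read-write`, `name: hostpath-vol`, `readOnly: false`, would pin that both the absent and the explicit-false forms produce a `rw` mount option in the generated policy. The same applies to the emptyDir volume if an explicit-false case is wanted there too.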