Merge pull request #9911 from microsoft/saulparedes/mounts

genpolicy: deny UpdateEphemeralMountsRequest
This commit is contained in:
Dan Mihai
2024-08-21 10:12:28 -07:00
committed by GitHub
4 changed files with 23 additions and 1 deletions


@@ -153,6 +153,14 @@ adapt_common_policy_settings_for_sev() {
jq '.kata_config.oci_version = "1.1.0-rc.1" | .common.cpath = "/run/kata-containers" | .volumes.configMap.mount_point = "^$(cpath)/$(bundle-id)-[a-z0-9]{16}-"' "${settings_dir}/genpolicy-settings.json" > temp.json && sudo mv temp.json "${settings_dir}/genpolicy-settings.json"
}
# adapt common policy settings for CBL-Mariner https://github.com/kata-containers/kata-containers/issues/10189
adapt_common_policy_settings_for_cbl_mariner() {
local settings_dir=$1
info "Adapting common policy settings for CBL-Mariner"
jq '.request_defaults.UpdateEphemeralMountsRequest = true' "${settings_dir}/genpolicy-settings.json" > temp.json && sudo mv temp.json "${settings_dir}/genpolicy-settings.json"
}
# adapt common policy settings for various platforms
adapt_common_policy_settings() {
@@ -166,6 +174,12 @@ adapt_common_policy_settings() {
adapt_common_policy_settings_for_sev "${settings_dir}"
;;
esac
case "${KATA_HOST_OS}" in
"cbl-mariner")
adapt_common_policy_settings_for_cbl_mariner "${settings_dir}"
;;
esac
}
# If auto-generated policy testing is enabled, make a copy of the genpolicy settings,
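Review bot: The header comment for adapt_common_policy_settings_for_cbl_mariner in the first hunk only links the issue; it does not say that its jq expression sets `.request_defaults.UpdateEphemeralMountsRequest = true`, which re-allows for CBL-Mariner hosts the very request this PR's title says is being denied (the default change presumably lives in one of the changed files not shown here). Someone reading the generated settings later has no way to tell this is a deliberate, host-specific widening of the policy rather than leftover configuration. Suggest replacing the comment with `# CBL-Mariner hosts currently still need UpdateEphemeralMountsRequest, so re-enable it` and `# here on top of the common default; remove once #10189 is resolved.` so the override carries its own expiry condition. The `> temp.json && sudo mv` pattern mirrors the sibling helper above, though both write into the caller's working directory instead of a mktemp path.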