genpolicy: panic when we see a volume mount subpath

Based on https://github.com/kata-containers/runtime/issues/2812 Fixes: #9145 Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2025-08-02 00:02:01 +00:00 · 2024-02-22 17:53:33 -08:00 · 2024-02-22 17:53:33 -08:00 · 9b7bd376eb
commit 9b7bd376eb
parent e342a9adc4
2 changed files with 11 additions and 0 deletions
--- a/src/tools/genpolicy/src/mount_and_storage.rs
+++ b/src/tools/genpolicy/src/mount_and_storage.rs
@ -23,6 +23,14 @@ pub fn get_policy_mounts(
    yaml_container: &pod::Container,
    is_pause_container: bool,
 ) {
+    if let Some(volumeMounts) = &yaml_container.volumeMounts {
+        for volumeMount in volumeMounts {
+            if volumeMount.subPath.is_some() {
+                panic!("Kata Containers doesn't support volumeMounts.subPath - see https://github.com/kata-containers/runtime/issues/2812");
+            }
+        }
+    }
+
    let c_settings = settings.get_container_settings(is_pause_container);
    let settings_mounts = &c_settings.Mounts;
    let rootfs_access = if yaml_container.read_only_root_filesystem() {
--- a/src/tools/genpolicy/src/pod.rs
+++ b/src/tools/genpolicy/src/pod.rs
@ -412,6 +412,9 @@ pub struct VolumeMount {

    #[serde(skip_serializing_if = "Option::is_none")]
    pub readOnly: Option<bool>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub subPath: Option<String>,
    // TODO: additional fields.
 }