genpolicy: panic when we see a volume mount subpath

Based on kata-containers/runtime#2812 Fixes: #9145 Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
kata-containers · Feb 23, 2024 · 9b7bd37 · 9b7bd37
1 parent e342a9a
commit 9b7bd37
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 0 deletions.
diff --git a/src/tools/genpolicy/src/mount_and_storage.rs b/src/tools/genpolicy/src/mount_and_storage.rs
@@ -23,6 +23,14 @@ pub fn get_policy_mounts(
     yaml_container: &pod::Container,
     is_pause_container: bool,
 ) {
+    if let Some(volumeMounts) = &yaml_container.volumeMounts {
+        for volumeMount in volumeMounts {
+            if volumeMount.subPath.is_some() {
+                panic!("Kata Containers doesn't support volumeMounts.subPath - see https://github.com/kata-containers/runtime/issues/2812");
+            }
+        }
+    }
+
     let c_settings = settings.get_container_settings(is_pause_container);
     let settings_mounts = &c_settings.Mounts;
     let rootfs_access = if yaml_container.read_only_root_filesystem() {

diff --git a/src/tools/genpolicy/src/pod.rs b/src/tools/genpolicy/src/pod.rs
@@ -412,6 +412,9 @@ pub struct VolumeMount {
 
     #[serde(skip_serializing_if = "Option::is_none")]
     pub readOnly: Option<bool>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub subPath: Option<String>,
     // TODO: additional fields.
 }