genpolicy: add bind mounts for image volumes #10136
Conversation
|
Thanks Dan, that's an issue I recently ran into. Afaik containerd will try to mount a tmpfs in case the the volume isn't specified in the YAML. I was wondering if we could allow this mount of a tmpfs at that location in case the volume isn't specified instead of requiring the volume to be explicitly defined. It should be safe as the tmpfs is in the guest, so whatever we write there won't be accessible by the host. Also, I think is quite a common case (the redis image defines such |
danmihai1
force-pushed
the
danmihai1/docker-image-volume2
branch
from
8d3f01b to
d8c035f
Compare
danmihai1
changed the title
Good to know - thanks @katexochen ! I made that genpolicy change and added a test for redis. |
danmihai1
force-pushed
the
danmihai1/docker-image-volume2
branch
from
d8c035f to
ce32a03
Compare
danmihai1
force-pushed
the
danmihai1/docker-image-volume2
branch
2 times, most recently
from
f2c13e7 to
e337976
Compare
Add bind mounts for volumes defined by docker container images, unless those mounts have been defined in the input K8s YAML file too. For example, quay.io/opstree/redis defines two mounts: /data /node-conf Before these changes, if these mounts were not defined in the YAML file too, the auto-generated policy did not allow this container image to start. Signed-off-by: Dan Mihai <[email protected]>
danmihai1
force-pushed
the
danmihai1/docker-image-volume2
branch
from
e337976 to
c22ac4f
Compare
Add bind mounts for volumes defined by docker container images, unless those mounts have been defined in the input K8s YAML file too.
For example, quay.io/opstree/redis defines two mounts:
/data
/node-conf
Before these changes, if these mounts were not defined in the YAML file too, the auto-generated policy did not allow this container image to start.