-
Notifications
You must be signed in to change notification settings - Fork 8
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
2 changed files
with
40 additions
and
0 deletions.
There are no files selected for viewing
35 changes: 35 additions & 0 deletions
35
packages/by-name/kata/kata-runtime/0017-genpolicy-allow-non-watchable-ConfigMaps.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 | ||
| From: Markus Rudy <[email protected]> | ||
| Date: Thu, 21 Nov 2024 19:54:09 +0100 | ||
| Subject: [PATCH] genpolicy: allow non-watchable ConfigMaps | ||
|
|
||
| If a ConfigMap has more than 8 files it will not be mounted watchable | ||
| [1]. However, genpolicy assumes that ConfigMaps are always mounted at a | ||
| watchable path, so containers with large ConfigMap mounts fail | ||
| verification. | ||
|
|
||
| This commit allows mounting ConfigMaps from watchable and non-watchable | ||
| directories. ConfigMap mounts can't be meaningfully verified anyway, so | ||
| the exact location of the data does not matter, except that we stay in | ||
| the sandbox data dirs. | ||
|
|
||
| [1]: https://github.com/kata-containers/kata-containers/blob/0ce3f5fc6fd86c53d8b5e197d12887b712ce57d4/docs/design/inotify.md?plain=1#L11-L21 | ||
|
|
||
| Signed-off-by: Markus Rudy <[email protected]> | ||
| --- | ||
| src/tools/genpolicy/genpolicy-settings.json | 2 +- | ||
| 1 file changed, 1 insertion(+), 1 deletion(-) | ||
|
|
||
| diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json | ||
| index e3b36a6555a646ffefc7733c807d6b0da9967dea..e854a79f149307b92914cb2b2880e710bf44eab2 100644 | ||
| --- a/src/tools/genpolicy/genpolicy-settings.json | ||
| +++ b/src/tools/genpolicy/genpolicy-settings.json | ||
| @@ -179,7 +179,7 @@ | ||
| "configMap": { | ||
| "mount_type": "bind", | ||
| "mount_source": "$(sfprefix)", | ||
| - "mount_point": "^$(cpath)/watchable/$(bundle-id)-[a-z0-9]{16}-", | ||
| + "mount_point": "^$(cpath)/(watchable/)?$(bundle-id)-[a-z0-9]{16}-", | ||
| "driver": "watchable-bind", | ||
| "fstype": "bind", | ||
| "options": [ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters