kata-msft: support images with VOLUME directives

e2e/regression/testdata/mongodb.yml

@@ -18,11 +18,6 @@ spec:
           securityContext:
             runAsUser: 101
           image: quay.io/mongodb/mongodb-community-server@sha256:8b73733842da21b6bbb6df4d7b2449229bb3135d2ec8c6880314d88205772a11
-          volumeMounts:
-            - mountPath: /data/db
-              name: db
-            - mountPath: /data/configdb
-              name: configdb
           ports:
             - containerPort: 27017
           # The memory limit is chosen to allow guest pull of the image (1.2G).
@@ -31,12 +26,4 @@ spec:
               memory: 1500Mi
             requests:
               memory: 1500Mi
-      # TODO(miampf): Remove this after https://github.com/kata-containers/kata-containers/pull/10136/files is merged
-      volumes:
-        - name: db
-          emptyDir:
-            sizeLimit: 350Mi
-        - name: configdb
-          emptyDir:
-            sizeLimit: 10Mi
       runtimeClassName: contrast-cc

e2e/regression/testdata/prometheus.yml

@@ -16,16 +16,8 @@ spec:
       containers:
         - name: prometheus
           image: quay.io/prometheus/prometheus@sha256:f20d3127bf2876f4a1df76246fca576b41ddf1125ed1c546fbd8b16ea55117e6
-          volumeMounts:
-            - mountPath: /prometheus
-              name: prometheus
           ports:
             - containerPort: 9090
           securityContext:
             runAsUser: 65534
-      # TODO(miampf): Remove this after https://github.com/kata-containers/kata-containers/pull/10136/files is merged
-      volumes:
-        - name: prometheus
-          emptyDir:
-            sizeLimit: 10Mi
       runtimeClassName: contrast-cc

e2e/regression/testdata/redis.yml

@@ -16,14 +16,6 @@ spec:
       containers:
         - name: redis
           image: ghcr.io/edgelesssys/redis@sha256:ecb0a964c259a166a1eb62f0eb19621d42bd1cce0bc9bb0c71c828911d4ba93d
-          volumeMounts:
-            - mountPath: /data
-              name: data
           ports:
             - containerPort: 6379
-      # TODO(miampf): Remove this after https://github.com/kata-containers/kata-containers/pull/10136/files is merged
-      volumes:
-        - name: data
-          emptyDir:
-            sizeLimit: 10Mi
       runtimeClassName: contrast-cc

packages/by-name/microsoft/genpolicy/0001-genpolicy-add-rules-and-types-for-volumeDevices.patch

@@ -1,7 +1,7 @@
-From 41f26a5803fa50abf3bd0d6cfebc8106ae9dcbc8 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Markus Rudy <[email protected]>
 Date: Thu, 23 May 2024 09:20:20 +0200
-Subject: [PATCH 1/6] genpolicy: add rules and types for volumeDevices
+Subject: [PATCH] genpolicy: add rules and types for volumeDevices
 
 Signed-off-by: Markus Rudy <[email protected]>
 ---
@@ -14,7 +14,7 @@ Signed-off-by: Markus Rudy <[email protected]>
  6 files changed, 85 insertions(+)
 
 diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
-index c3eb33461..25c16bada 100644
+index c3eb334612fc0ff05c49031e7b305fd10297896a..25c16badaddea436539c9ec8b8bd210461cda615 100644
 --- a/src/tools/genpolicy/rules.rego
 +++ b/src/tools/genpolicy/rules.rego
 @@ -54,6 +54,7 @@ default AllowRequestsFailingPolicy := false
@@ -75,7 +75,7 @@ index c3eb33461..25c16bada 100644
  # and io.kubernetes.cri.sandbox-id" values with other fields.
  allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) {
 diff --git a/src/tools/genpolicy/src/agent.rs b/src/tools/genpolicy/src/agent.rs
-index 19a934d81..f3f398b0e 100644
+index 19a934d81995ece42a148e733b41e96474921b3a..f3f398b0ee052ba02a3b5ecae884fed646b38cc3 100644
 --- a/src/tools/genpolicy/src/agent.rs
 +++ b/src/tools/genpolicy/src/agent.rs
 @@ -16,3 +16,12 @@ pub struct SerializedFsGroup {
@@ -92,7 +92,7 @@ index 19a934d81..f3f398b0e 100644
 +    pub options: Vec<String>,
 +}  
 diff --git a/src/tools/genpolicy/src/containerd.rs b/src/tools/genpolicy/src/containerd.rs
-index 2b826a51a..075fced5b 100644
+index 2b826a51a4f587e2ca45f0b304b0eed29046b104..075fced5bfec11b27e529f0b1d2dba5e6271ba82 100644
 --- a/src/tools/genpolicy/src/containerd.rs
 +++ b/src/tools/genpolicy/src/containerd.rs
 @@ -152,12 +152,14 @@ pub fn get_linux(privileged_container: bool) -> policy::KataLinux {
@@ -111,7 +111,7 @@ index 2b826a51a..075fced5b 100644
      }
  }
 diff --git a/src/tools/genpolicy/src/pod.rs b/src/tools/genpolicy/src/pod.rs
-index 2ea8fdb9b..da2a47ee2 100644
+index 2ea8fdb9be848c8c00f634ec813475ebaf3d55bb..da2a47ee2d6affc43dc9246670675e3367d73bfe 100644
 --- a/src/tools/genpolicy/src/pod.rs
 +++ b/src/tools/genpolicy/src/pod.rs
 @@ -120,6 +120,9 @@ pub struct Container {
@@ -139,7 +139,7 @@ index 2ea8fdb9b..da2a47ee2 100644
  #[derive(Clone, Debug, Serialize, Deserialize)]
  struct ResourceRequirements {
 diff --git a/src/tools/genpolicy/src/policy.rs b/src/tools/genpolicy/src/policy.rs
-index baa382b76..7c1479d57 100644
+index baa382b7646a11cd1fa18274801616eb36f04db6..7c1479d571dc163e4fe0bacef15cf60e8dd85920 100644
 --- a/src/tools/genpolicy/src/policy.rs
 +++ b/src/tools/genpolicy/src/policy.rs
 @@ -198,6 +198,10 @@ pub struct KataLinux {
@@ -217,7 +217,7 @@ index baa382b76..7c1479d57 100644
              exec_commands,
          }
 diff --git a/src/tools/genpolicy/src/pvc.rs b/src/tools/genpolicy/src/pvc.rs
-index 0a768ed8e..61d0ce3f0 100644
+index 0a768ed8e0e16965270be44f94b8d60d0eb4381c..61d0ce3f08686843ce1095e7e108636e5bd34ad9 100644
 --- a/src/tools/genpolicy/src/pvc.rs
 +++ b/src/tools/genpolicy/src/pvc.rs
 @@ -34,6 +34,9 @@ pub struct PersistentVolumeClaimSpec {
@@ -230,6 +230,3 @@ index 0a768ed8e..61d0ce3f0 100644
      // TODO: additional fields.
  }
 
--- 
-2.34.1
-

packages/by-name/microsoft/genpolicy/0002-genpolicy-add-ability-to-filter-for-runtimeClassName.patch

@@ -1,7 +1,7 @@
-From c890911981a072a14c69d92f82ece28e5d55d7fa Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Paul Meyer <[email protected]>
 Date: Tue, 9 Jul 2024 16:07:09 +0200
-Subject: [PATCH 2/6] genpolicy: add ability to filter for runtimeClassName
+Subject: [PATCH] genpolicy: add ability to filter for runtimeClassName
 
 Signed-off-by: Paul Meyer <[email protected]>
 ---
@@ -15,7 +15,7 @@ Signed-off-by: Paul Meyer <[email protected]>
  7 files changed, 59 insertions(+), 1 deletion(-)
 
 diff --git a/src/tools/genpolicy/src/daemon_set.rs b/src/tools/genpolicy/src/daemon_set.rs
-index 5b18d96d9..90ea48597 100644
+index 5b18d96d9415a99556226b50bf67b1106b393d70..90ea48597605f056250424ff0d8758017d20220f 100644
 --- a/src/tools/genpolicy/src/daemon_set.rs
 +++ b/src/tools/genpolicy/src/daemon_set.rs
 @@ -143,4 +143,13 @@ impl yaml::K8sResource for DaemonSet {
@@ -33,7 +33,7 @@ index 5b18d96d9..90ea48597 100644
 +    }
  }
 diff --git a/src/tools/genpolicy/src/deployment.rs b/src/tools/genpolicy/src/deployment.rs
-index f1b8e8d80..890579cdf 100644
+index f1b8e8d80f497d275a571125374fd77fa5490f24..890579cdfbd67cd7f5949c817dbd9391043b1cf0 100644
 --- a/src/tools/genpolicy/src/deployment.rs
 +++ b/src/tools/genpolicy/src/deployment.rs
 @@ -141,4 +141,13 @@ impl yaml::K8sResource for Deployment {
@@ -51,7 +51,7 @@ index f1b8e8d80..890579cdf 100644
 +    }
  }
 diff --git a/src/tools/genpolicy/src/pod.rs b/src/tools/genpolicy/src/pod.rs
-index da2a47ee2..4a40c9570 100644
+index da2a47ee2d6affc43dc9246670675e3367d73bfe..4a40c957042e73ba584b66bc681469458a7f18f4 100644
 --- a/src/tools/genpolicy/src/pod.rs
 +++ b/src/tools/genpolicy/src/pod.rs
 @@ -47,7 +47,7 @@ pub struct PodSpec {
@@ -78,7 +78,7 @@ index da2a47ee2..4a40c9570 100644
          if let Some(context) = &self.spec.securityContext {
              if let Some(uid) = context.runAsUser {
 diff --git a/src/tools/genpolicy/src/policy.rs b/src/tools/genpolicy/src/policy.rs
-index 7c1479d57..a1affda77 100644
+index 7c1479d571dc163e4fe0bacef15cf60e8dd85920..a1affda77ef87fb7fd09d875ec8779324b47e3fb 100644
 --- a/src/tools/genpolicy/src/policy.rs
 +++ b/src/tools/genpolicy/src/policy.rs
 @@ -10,6 +10,7 @@ use crate::agent;
@@ -108,10 +108,10 @@ index 7c1479d57..a1affda77 100644
 
                  // ConfigMap and Secret documents contain additional input for policy generation.
 diff --git a/src/tools/genpolicy/src/stateful_set.rs b/src/tools/genpolicy/src/stateful_set.rs
-index 096cafbeb..73f0b0a30 100644
+index 4c55f59ec3e88b324c25c5065d5b4c898a0db804..d25398358f526116f5b766ffba6db2e287e0f8e9 100644
 --- a/src/tools/genpolicy/src/stateful_set.rs
 +++ b/src/tools/genpolicy/src/stateful_set.rs
-@@ -187,6 +187,15 @@ impl yaml::K8sResource for StatefulSet {
+@@ -194,6 +194,15 @@ impl yaml::K8sResource for StatefulSet {
          }
          false
      }
@@ -128,7 +128,7 @@ index 096cafbeb..73f0b0a30 100644
 
  impl StatefulSet {
 diff --git a/src/tools/genpolicy/src/utils.rs b/src/tools/genpolicy/src/utils.rs
-index e45b188d4..2402c2ed2 100644
+index e45b188d40a82a32547290ccdfd4a263e193e1c2..2402c2ed213e45b89c47b2b6a94d54f8d200edb1 100644
 --- a/src/tools/genpolicy/src/utils.rs
 +++ b/src/tools/genpolicy/src/utils.rs
 @@ -72,6 +72,12 @@ struct CommandLineOptions {
@@ -161,7 +161,7 @@ index e45b188d4..2402c2ed2 100644
              rego_rules_path: args.rego_rules_path,
              json_settings_path: args.json_settings_path,
 diff --git a/src/tools/genpolicy/src/yaml.rs b/src/tools/genpolicy/src/yaml.rs
-index 8f06d291e..c898240af 100644
+index 8f06d291e97b6955f2970b05c5987678362602eb..c898240af337f3cb7cfc34fa1398cb5a6bd828a5 100644
 --- a/src/tools/genpolicy/src/yaml.rs
 +++ b/src/tools/genpolicy/src/yaml.rs
 @@ -75,6 +75,10 @@ pub trait K8sResource {
@@ -175,6 +175,3 @@ index 8f06d291e..c898240af 100644
  }
 
  /// See Reference / Kubernetes API / Common Definitions / LabelSelector.
--- 
-2.34.1
-

packages/by-name/microsoft/genpolicy/0003-genpolicy-allow-specifying-layer-cache-file.patch

@@ -1,7 +1,7 @@
-From cf495b76fe64e56b3c18a7175cb4e01d27d02dc7 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Paul Meyer <[email protected]>
 Date: Tue, 9 Jul 2024 16:14:46 +0200
-Subject: [PATCH 3/6] genpolicy: allow specifying layer cache file
+Subject: [PATCH] genpolicy: allow specifying layer cache file
 
 Add --layers-cache-file-path flag to allow the user to
 specify where the cache file for the container layers
@@ -23,7 +23,7 @@ Signed-off-by: Paul Meyer <[email protected]>
  3 files changed, 52 insertions(+), 26 deletions(-)
 
 diff --git a/src/tools/genpolicy/src/registry.rs b/src/tools/genpolicy/src/registry.rs
-index 97e35ee60..b212eeb8b 100644
+index 97e35ee601beed99929e36661dadfd6ed15dfc5f..b212eeb8bca209d9916249fe8e01351f5943823c 100644
 --- a/src/tools/genpolicy/src/registry.rs
 +++ b/src/tools/genpolicy/src/registry.rs
 @@ -66,7 +66,7 @@ pub struct ImageLayer {
@@ -130,7 +130,7 @@ index 97e35ee60..b212eeb8b 100644
 
  #[cfg(target_os = "windows")]
 diff --git a/src/tools/genpolicy/src/registry_containerd.rs b/src/tools/genpolicy/src/registry_containerd.rs
-index fcc51ad78..333a4dd33 100644
+index fcc51ad783afb392e706e92a63efed0fe3f416a1..333a4dd33032c4842e70d5e618b4660fa2ffb6c5 100644
 --- a/src/tools/genpolicy/src/registry_containerd.rs
 +++ b/src/tools/genpolicy/src/registry_containerd.rs
 @@ -28,7 +28,7 @@ use tower::service_fn;
@@ -219,7 +219,7 @@ index fcc51ad78..333a4dd33 100644
          warn!("{error_message}");
      }
 diff --git a/src/tools/genpolicy/src/utils.rs b/src/tools/genpolicy/src/utils.rs
-index 2402c2ed2..7579d74bf 100644
+index 2402c2ed213e45b89c47b2b6a94d54f8d200edb1..7579d74bf5a488bf6f577949862e6f976fa14ac5 100644
 --- a/src/tools/genpolicy/src/utils.rs
 +++ b/src/tools/genpolicy/src/utils.rs
 @@ -78,6 +78,14 @@ struct CommandLineOptions {
@@ -266,6 +266,3 @@ index 2402c2ed2..7579d74bf 100644
              version: args.version,
          }
      }
--- 
-2.34.1
-

packages/by-name/microsoft/genpolicy/0004-genpolicy-regex-check-contrast-specific-layer-src-pr.patch

@@ -1,15 +1,15 @@
-From 3b444c242de3bc130f0cf73d1a89ab540690c9f0 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Paul Meyer <[email protected]>
 Date: Thu, 11 Jul 2024 12:05:00 +0200
-Subject: [PATCH 4/6] genpolicy: regex check contrast specific layer-src-prefix
+Subject: [PATCH] genpolicy: regex check contrast specific layer-src-prefix
 
 Signed-off-by: Paul Meyer <[email protected]>
 ---
  src/tools/genpolicy/rules.rego | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
-index 25c16bada..d933b928d 100644
+index 25c16badaddea436539c9ec8b8bd210461cda615..d933b928d21b549ef7c315a9e0c5cbb4bbbe88b3 100644
 --- a/src/tools/genpolicy/rules.rego
 +++ b/src/tools/genpolicy/rules.rego
 @@ -887,7 +887,7 @@ allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) {
@@ -21,6 +21,3 @@ index 25c16bada..d933b928d 100644
 
      print("allow_storage_options 2: i_storage.options[i_count - 2] =", i_storage.options[i_count - 2])
      i_storage.options[i_count - 2] == "io.katacontainers.fs-opt.overlay-rw"
--- 
-2.34.1
-

packages/by-name/microsoft/genpolicy/0005-genpolicy-propagate-mount_options-for-empty-dirs.patch

@@ -1,15 +1,15 @@
-From e60354b386c9b50ee5f3a0804be66152fe0849d7 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Leonard Cohnen <[email protected]>
 Date: Thu, 29 Aug 2024 03:45:24 +0200
-Subject: [PATCH 5/6] genpolicy: propagate mount_options for empty dirs
+Subject: [PATCH] genpolicy: propagate mount_options for empty dirs
 
 In order to mount empty dirs e.g., with mount propagation "Bidirectional", we need the yaml value to the policy
 ---
  src/tools/genpolicy/src/mount_and_storage.rs | 16 +++++++++++++---
  1 file changed, 13 insertions(+), 3 deletions(-)
 
 diff --git a/src/tools/genpolicy/src/mount_and_storage.rs b/src/tools/genpolicy/src/mount_and_storage.rs
-index 520d3a8cb..05a4521f0 100644
+index ecb8bf5776ffb946bdab3b594a1f5bcb43799e84..327dd6990f8e7a275cf7561e20d2ce5cc0eeab2e 100644
 --- a/src/tools/genpolicy/src/mount_and_storage.rs
 +++ b/src/tools/genpolicy/src/mount_and_storage.rs
 @@ -127,7 +127,14 @@ pub fn get_mount_and_storage(
@@ -55,6 +55,3 @@ index 520d3a8cb..05a4521f0 100644
          ],
      });
  }
--- 
-2.34.1
-

packages/by-name/microsoft/genpolicy/0006-genpolicy-support-HostToContainer-mount-propagation.patch

@@ -1,14 +1,14 @@
-From 8255b303a8d1c21ed22f2d9f7166101de151a9f4 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Leonard Cohnen <[email protected]>
 Date: Fri, 30 Aug 2024 00:30:57 +0200
-Subject: [PATCH 6/6] genpolicy: support HostToContainer mount propagation
+Subject: [PATCH] genpolicy: support HostToContainer mount propagation
 
 ---
  src/tools/genpolicy/src/mount_and_storage.rs | 5 +++--
  1 file changed, 3 insertions(+), 2 deletions(-)
 
 diff --git a/src/tools/genpolicy/src/mount_and_storage.rs b/src/tools/genpolicy/src/mount_and_storage.rs
-index 05a4521f0..c81dc0c52 100644
+index 327dd6990f8e7a275cf7561e20d2ce5cc0eeab2e..09bc89fdf7e6eb239428adbb093c9cb5962da8a7 100644
 --- a/src/tools/genpolicy/src/mount_and_storage.rs
 +++ b/src/tools/genpolicy/src/mount_and_storage.rs
 @@ -108,8 +108,9 @@ pub fn get_mount_and_storage(
@@ -23,6 +23,3 @@ index 05a4521f0..c81dc0c52 100644
          _ => "rprivate",
      };
 
--- 
-2.34.1
-