Disallow subpath for ephemeral container mounts

2021-10-16 07:02:10 -07:00
parent d1d7882186
commit f81c48cd0a
4 changed files with 50 additions and 1 deletions
--- a/pkg/apis/core/validation/validation_test.go
+++ b/pkg/apis/core/validation/validation_test.go
@@ -6360,6 +6360,42 @@ func TestValidateEphemeralContainers(t *testing.T) {
 			},
 			field.Error{Type: field.ErrorTypeForbidden, Field: "ephemeralContainers[0].resources"},
 		},
+		{
+			"Container uses disallowed field: VolumeMount.SubPath",
+			[]core.EphemeralContainer{
+				{
+					EphemeralContainerCommon: core.EphemeralContainerCommon{
+						Name:                     "debug",
+						Image:                    "image",
+						ImagePullPolicy:          "IfNotPresent",
+						TerminationMessagePolicy: "File",
+						VolumeMounts: []core.VolumeMount{
+							{Name: "vol", MountPath: "/vol"},
+							{Name: "vol", MountPath: "/volsub", SubPath: "foo"},
+						},
+					},
+				},
+			},
+			field.Error{Type: field.ErrorTypeForbidden, Field: "ephemeralContainers[0].volumeMounts[1].subPath"},
+		},
+		{
+			"Container uses disallowed field: VolumeMount.SubPathExpr",
+			[]core.EphemeralContainer{
+				{
+					EphemeralContainerCommon: core.EphemeralContainerCommon{
+						Name:                     "debug",
+						Image:                    "image",
+						ImagePullPolicy:          "IfNotPresent",
+						TerminationMessagePolicy: "File",
+						VolumeMounts: []core.VolumeMount{
+							{Name: "vol", MountPath: "/vol"},
+							{Name: "vol", MountPath: "/volsub", SubPathExpr: "$(POD_NAME)"},
+						},
+					},
+				},
+			},
+			field.Error{Type: field.ErrorTypeForbidden, Field: "ephemeralContainers[0].volumeMounts[1].subPathExpr"},
+		},
 	}

 	for _, tc := range tcs {