FabienGhd

Hi,

This PR addresses a TODO in policy.py, enhancing the handling of CRI-O mounts by adding support for a prefix directory:

TODO(jaosorior): Add prefix-dir to path. This way we could call this from a container in kubernetes.

I basically updated the file to handle CRI-O mounts with or without a prefix directory for Kubernetes container calls.

Cheers,
Fabien

@vmojzis
Collaborator

vmojzis commented Mar 7, 2025

Hi, sorry for the delay. Thank you for the contribution, looks good, just please fix the formatting so that "black" does not complain

#make test
pyflakes udica
black --check --diff *.py udica/*.py tests/*.py
--- udica/policy.py	2025-03-07 18:12:31.626910+00:00
+++ udica/policy.py	2025-03-07 18:12:35.691182+00:00
@@ -104,11 +104,18 @@
         if low <= port_number <= high and port_proto == proto_str:
             return ctype
 
 
 def create_policy(
-    opts, capabilities, devices, mounts, ports, append_rules, inspect_format, prefix_dir=""
+    opts,
+    capabilities,
+    devices,
+    mounts,
+    ports,
+    append_rules,
+    inspect_format,
+    prefix_dir="",
 ):
     policy = open(opts["ContainerName"] + ".cil", "w")
     policy.write("(block " + opts["ContainerName"] + "\n")
     policy.write("    (blockinherit container)\n")
     add_template("base_container")
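
Review bot: the new prefix_dir="" keyword in the create_policy signature is undocumented, and the function body starts straight at policy = open(...) with no docstring. Please add a docstring (or at least a comment) stating what prefix_dir is expected to be: an absolute directory under which the host filesystem is visible from inside the container, and whether a trailing slash is allowed. Callers need that to pass a value that combines correctly with the mount paths.
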
@@ -212,11 +219,11 @@
     contexts_readonly = []
 
     for item in mounts:
         # Include prefix_dir in the path for Kubernetes container calls.
         host_path = prefix_dir + item["hostPath"]
-        
+
         if host_path.startswith("/var/lib/kubelet"):
             # These should already have the right context
             continue
         if host_path == LOG_CONTAINER:
             if item["readonly"]:
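
Review bot: the comparisons that follow host_path = prefix_dir + item["hostPath"] are made on the prefixed path, so with a non-empty prefix_dir (for illustration, "/host") host_path.startswith("/var/lib/kubelet") no longer matches kubelet mounts and they are not skipped. The host_path == LOG_CONTAINER test has the same problem if LOG_CONTAINER is an unprefixed host path (its definition is not in the visible lines). Suggest running these checks against item["hostPath"] and using the prefixed path only where the filesystem is actually accessed. Plain string concatenation also produces a double slash when prefix_dir ends in "/", so strip the trailing slash from prefix_dir before joining.
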
would reformat udica/policy.py

Oh no! 💥 💔 💥
1 file would be reformatted, 12 files would be left unchanged.
make: *** [Makefile:19: format-check] Error 1

@vmojzis
Collaborator

vmojzis commented Mar 7, 2025

Also please add "Sign off" to your commits ("git commit -s --amend").

@vmojzis
Collaborator

vmojzis commented Mar 7, 2025

@JAORMX Hi, could you please take a look and confirm this will work with your workflow (as this was implemented based on your TODO)?

renovate bot and others added 3 commits March 10, 2025 23:58
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Fabien Guihard <[email protected]>
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Fabien Guihard <[email protected]>
@FabienGhd FabienGhd force-pushed the crio-mounts-prefix branch from 73640cc to 839a160 Compare March 10, 2025 22:58
Signed-off-by: Fabien Guihard <[email protected]>
@FabienGhd
Author

No worries about the delay! I had a small branch mix-up - sorry about that - but everything should be fine now.
Thanks!

@vmojzis
Collaborator

vmojzis commented Mar 12, 2025

This does not seem right. The "renovate[bot]" commits are already merged and should not contain your Sign-off (they should not show up in https://github.com/containers/udica/pull/146/commits). Also, please merge 5bf62a6 with the first commit (git rebase -i origin/main -> drop both "renovate" commits and fixup 5bf62a6).
