Allow image scanner to read write /tmp directory (#424)

image-analyzer library used by the scanner creates temporary directories as part of the layer analysis and emptyDir volume is required when read only filesystem setting is enabled
castai · Dec 5, 2024 · b97b592 · b97b592
1 parent 7b61e8b
commit b97b592
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 1 deletion.
diff --git a/cmd/controller/state/imagescan/scanner.go b/cmd/controller/state/imagescan/scanner.go
@@ -89,7 +89,19 @@ func (s *Scanner) ScanImage(ctx context.Context, params ScanImageParams) (rerr e
 	}
 
 	jobName := genJobName(params.ImageName)
-	vols := volumesAndMounts{}
+	vols := volumesAndMounts{
+		volumes: []corev1.Volume{{ // required by image-analyzer during layer tar walking
+			Name: "tmp",
+			VolumeSource: corev1.VolumeSource{
+				EmptyDir: &corev1.EmptyDirVolumeSource{},
+			},
+		}},
+		mounts: []corev1.VolumeMount{{
+			Name:      "tmp",
+			ReadOnly:  false,
+			MountPath: "/tmp",
+		}},
+	}
 	mode := imagescanconfig.Mode(params.Mode)
 	containerRuntime := params.ContainerRuntime
 

diff --git a/cmd/controller/state/imagescan/scanner_test.go b/cmd/controller/state/imagescan/scanner_test.go
@@ -220,6 +220,11 @@ func TestScanner(t *testing.T) {
 											},
 										},
 										VolumeMounts: []corev1.VolumeMount{
+											{
+												Name:      "tmp",
+												ReadOnly:  false,
+												MountPath: "/tmp",
+											},
 											{
 												Name:      "containerd-content",
 												ReadOnly:  true,
@@ -245,6 +250,12 @@ func TestScanner(t *testing.T) {
 									},
 								},
 								Volumes: []corev1.Volume{
+									{
+										Name: "tmp",
+										VolumeSource: corev1.VolumeSource{
+											EmptyDir: &corev1.EmptyDirVolumeSource{},
+										},
+									},
 									{
 										Name: "containerd-content",
 										VolumeSource: corev1.VolumeSource{