From b97b5928ea4dac0c0aca2ac30271001bae717bcd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Domas=20Tama=C5=A1auskas?= Date: Thu, 5 Dec 2024 09:55:07 +0200 Subject: [PATCH] Allow image scanner to read write /tmp directory (#424) image-analyzer library used by the scanner creates temporary directories as part of the layer analysis and emptyDir volume is required when read only filesystem setting is enabled --- cmd/controller/state/imagescan/scanner.go | 14 +++++++++++++- cmd/controller/state/imagescan/scanner_test.go | 11 +++++++++++ 2 files changed, 24 insertions(+), 1 deletion(-) diff --git a/cmd/controller/state/imagescan/scanner.go b/cmd/controller/state/imagescan/scanner.go index d2a2224d..1b502fdb 100644 --- a/cmd/controller/state/imagescan/scanner.go +++ b/cmd/controller/state/imagescan/scanner.go @@ -89,7 +89,19 @@ func (s *Scanner) ScanImage(ctx context.Context, params ScanImageParams) (rerr e } jobName := genJobName(params.ImageName) - vols := volumesAndMounts{} + vols := volumesAndMounts{ + volumes: []corev1.Volume{{ // required by image-analyzer during layer tar walking + Name: "tmp", + VolumeSource: corev1.VolumeSource{ + EmptyDir: &corev1.EmptyDirVolumeSource{}, + }, + }}, + mounts: []corev1.VolumeMount{{ + Name: "tmp", + ReadOnly: false, + MountPath: "/tmp", + }}, + } mode := imagescanconfig.Mode(params.Mode) containerRuntime := params.ContainerRuntime diff --git a/cmd/controller/state/imagescan/scanner_test.go b/cmd/controller/state/imagescan/scanner_test.go index f67bd2e9..d5f3cb09 100644 --- a/cmd/controller/state/imagescan/scanner_test.go +++ b/cmd/controller/state/imagescan/scanner_test.go @@ -220,6 +220,11 @@ func TestScanner(t *testing.T) { }, }, VolumeMounts: []corev1.VolumeMount{ + { + Name: "tmp", + ReadOnly: false, + MountPath: "/tmp", + }, { Name: "containerd-content", ReadOnly: true, 
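Review bot: The emptyDir that now backs /tmp has no `SizeLimit`, so whatever image-analyzer unpacks there during layer tar walking is bounded only by the node's ephemeral storage, and a scan of an oversized or malformed image can fill the node disk and affect neighbouring pods instead of just failing the scan job. Consider `EmptyDir: &corev1.EmptyDirVolumeSource{SizeLimit: &tmpSizeLimit}` with a package-level `var tmpSizeLimit = resource.MustParse("2Gi")` (value constructed for illustration, or plumbed from ScanImageParams), which makes the kubelet evict the job pod once the limit is exceeded; this needs `k8s.io/apimachinery/pkg/api/resource` if scanner.go does not already import it. `ReadOnly: false` on the mount is the zero value and can be dropped, and the `// required by image-analyzer during layer tar walking` comment would explain more on the `vols :=` line with the reason from the commit message, e.g. `// image-analyzer unpacks layers under /tmp; back it with an emptyDir so the job also works with a read-only root filesystem`. ScanImage continues outside the hunk, so whether an ephemeral-storage resource limit on the scan container already bounds this could not be checked here.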
@@ -245,6 +250,12 @@ func TestScanner(t *testing.T) {
 },
 },
 Volumes: []corev1.Volume{
+ {
+ Name: "tmp",
+ VolumeSource: corev1.VolumeSource{
+ EmptyDir: &corev1.EmptyDirVolumeSource{},
+ },
+ },
 {
 Name: "containerd-content",
 VolumeSource: corev1.VolumeSource{