edgelesssys · katexochen · Jan 10, 2025 · Jan 10, 2025 · Jan 10, 2025 · Jan 10, 2025
@@ -14,18 +14,18 @@ Signed-off-by: Markus Rudy <[email protected]>
  6 files changed, 85 insertions(+)
 
 diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
-index 2ecbeba7cc9d9600c122f4de4baf741dbc8a8095..ac84a6f6ec39aba77427b588bd6037dce1f1ac76 100644
+index 4e4c3b3e03ddf173ebfcf07915f3f16a6801627b..b904391af531327d7def819cb9da47cd04d7124e 100644
 --- a/src/tools/genpolicy/rules.rego
 +++ b/src/tools/genpolicy/rules.rego
-@@ -58,6 +58,7 @@ CreateContainerRequest {
+@@ -63,6 +63,7 @@ CreateContainerRequest {
 
      i_oci := input.OCI
      i_storages := input.storages
 +    i_devices := input.devices
 
      # Check if any element from the policy_data.containers array allows the input request.
      some p_container in policy_data.containers
-@@ -81,6 +82,9 @@ CreateContainerRequest {
+@@ -86,6 +87,9 @@ CreateContainerRequest {
      p_storages := p_container.storages
      allow_by_anno(p_oci, i_oci, p_storages, i_storages)
 
@@ -35,7 +35,7 @@ index 2ecbeba7cc9d9600c122f4de4baf741dbc8a8095..ac84a6f6ec39aba77427b588bd6037dc
      allow_linux(p_oci, i_oci)
 
      print("CreateContainerRequest: true")
-@@ -363,6 +367,16 @@ allow_log_directory(p_oci, i_oci) {
+@@ -362,6 +366,16 @@ allow_log_directory(p_oci, i_oci) {
      print("allow_log_directory: true")
  }
 
@@ -52,15 +52,15 @@ index 2ecbeba7cc9d9600c122f4de4baf741dbc8a8095..ac84a6f6ec39aba77427b588bd6037dc
  allow_linux(p_oci, i_oci) {
      p_namespaces := p_oci.Linux.Namespaces
      print("allow_linux: p namespaces =", p_namespaces)
-@@ -374,6 +388,7 @@ allow_linux(p_oci, i_oci) {
+@@ -373,6 +387,7 @@ allow_linux(p_oci, i_oci) {
 
      allow_masked_paths(p_oci, i_oci)
      allow_readonly_paths(p_oci, i_oci)
 +    allow_linux_devices(p_oci.Linux.Devices, i_oci.Linux.Devices)
 
      print("allow_linux: true")
  }
-@@ -462,6 +477,13 @@ allow_readonly_path(p_elem, i_array, masked_paths) {
+@@ -461,6 +476,13 @@ allow_readonly_path(p_elem, i_array, masked_paths) {
      print("allow_readonly_path 2: true")
  }
 
@@ -111,7 +111,7 @@ index 2b826a51a4f587e2ca45f0b304b0eed29046b104..075fced5bfec11b27e529f0b1d2dba5e
      }
  }
 diff --git a/src/tools/genpolicy/src/pod.rs b/src/tools/genpolicy/src/pod.rs
-index 2ea8fdb9be848c8c00f634ec813475ebaf3d55bb..da2a47ee2d6affc43dc9246670675e3367d73bfe 100644
+index 16d633aa2b29eaa4f4f497fb4de306b51e05c8b7..cae93c53257ec8b2195974b14589cb5571d10623 100644
 --- a/src/tools/genpolicy/src/pod.rs
 +++ b/src/tools/genpolicy/src/pod.rs
 @@ -120,6 +120,9 @@ pub struct Container {
@@ -139,7 +139,7 @@ index 2ea8fdb9be848c8c00f634ec813475ebaf3d55bb..da2a47ee2d6affc43dc9246670675e33
  #[derive(Clone, Debug, Serialize, Deserialize)]
  struct ResourceRequirements {
 diff --git a/src/tools/genpolicy/src/policy.rs b/src/tools/genpolicy/src/policy.rs
-index baa382b7646a11cd1fa18274801616eb36f04db6..7c1479d571dc163e4fe0bacef15cf60e8dd85920 100644
+index 8528d84827139a89d056a717f2d868d9c9c9f5f8..ff06786ca8610a71059d469dac613750cc0c8623 100644
 --- a/src/tools/genpolicy/src/policy.rs
 +++ b/src/tools/genpolicy/src/policy.rs
 @@ -198,6 +198,10 @@ pub struct KataLinux {
@@ -182,7 +182,7 @@ index baa382b7646a11cd1fa18274801616eb36f04db6..7c1479d571dc163e4fe0bacef15cf60e
      /// Data compared with req.sandbox_pidns for CreateContainerRequest calls.
      sandbox_pidns: bool,
 
-@@ -588,6 +607,25 @@ impl AgentPolicy {
+@@ -601,6 +620,25 @@ impl AgentPolicy {
          };
          let exec_commands = yaml_container.get_exec_commands();
 
@@ -208,7 +208,7 @@ index baa382b7646a11cd1fa18274801616eb36f04db6..7c1479d571dc163e4fe0bacef15cf60e
          ContainerPolicy {
              OCI: KataSpec {
                  Version: version_default(),
-@@ -599,6 +637,7 @@ impl AgentPolicy {
+@@ -612,6 +650,7 @@ impl AgentPolicy {
                  Linux: linux,
              },
              storages,

@@ -15,12 +15,12 @@ Signed-off-by: Paul Meyer <[email protected]>
  7 files changed, 59 insertions(+), 1 deletion(-)
 
 diff --git a/src/tools/genpolicy/src/daemon_set.rs b/src/tools/genpolicy/src/daemon_set.rs
-index 5b18d96d9415a99556226b50bf67b1106b393d70..90ea48597605f056250424ff0d8758017d20220f 100644
+index 65c5db08beedb10dfe7c2f16c99b92a8a0a24e0c..b543b989095300ec3a8bc0e00137e1087d24f90c 100644
 --- a/src/tools/genpolicy/src/daemon_set.rs
 +++ b/src/tools/genpolicy/src/daemon_set.rs
-@@ -143,4 +143,13 @@ impl yaml::K8sResource for DaemonSet {
-         }
-         false
+@@ -147,4 +147,13 @@ impl yaml::K8sResource for DaemonSet {
+     fn get_process_fields(&self, process: &mut policy::KataProcess) {
+         yaml::get_process_fields(process, &self.spec.template.spec.securityContext);
      }
 +
 +    fn get_runtime_class_name(&self) -> Option<String> {
@@ -33,12 +33,12 @@ index 5b18d96d9415a99556226b50bf67b1106b393d70..90ea48597605f056250424ff0d875801
 +    }
  }
 diff --git a/src/tools/genpolicy/src/deployment.rs b/src/tools/genpolicy/src/deployment.rs
-index f1b8e8d80f497d275a571125374fd77fa5490f24..890579cdfbd67cd7f5949c817dbd9391043b1cf0 100644
+index be2ffd6474550f71b1680c83888ee7c9fbcd8b33..8cd9ff51a7fdbcf232141b255e008babc6a4b108 100644
 --- a/src/tools/genpolicy/src/deployment.rs
 +++ b/src/tools/genpolicy/src/deployment.rs
-@@ -141,4 +141,13 @@ impl yaml::K8sResource for Deployment {
-         }
-         false
+@@ -145,4 +145,13 @@ impl yaml::K8sResource for Deployment {
+     fn get_process_fields(&self, process: &mut policy::KataProcess) {
+         yaml::get_process_fields(process, &self.spec.template.spec.securityContext);
      }
 +
 +    fn get_runtime_class_name(&self) -> Option<String> {
@@ -51,7 +51,7 @@ index f1b8e8d80f497d275a571125374fd77fa5490f24..890579cdfbd67cd7f5949c817dbd9391
 +    }
  }
 diff --git a/src/tools/genpolicy/src/pod.rs b/src/tools/genpolicy/src/pod.rs
-index da2a47ee2d6affc43dc9246670675e3367d73bfe..4a40c957042e73ba584b66bc681469458a7f18f4 100644
+index cae93c53257ec8b2195974b14589cb5571d10623..45111763af659f7c86640779be95280eb8a4c23f 100644
 --- a/src/tools/genpolicy/src/pod.rs
 +++ b/src/tools/genpolicy/src/pod.rs
 @@ -47,7 +47,7 @@ pub struct PodSpec {
@@ -75,10 +75,10 @@ index da2a47ee2d6affc43dc9246670675e3367d73bfe..4a40c957042e73ba584b66bc68146945
 +    }
 +
      fn get_process_fields(&self, process: &mut policy::KataProcess) {
-         if let Some(context) = &self.spec.securityContext {
-             if let Some(uid) = context.runAsUser {
+         yaml::get_process_fields(process, &self.spec.securityContext);
+     }
 diff --git a/src/tools/genpolicy/src/policy.rs b/src/tools/genpolicy/src/policy.rs
-index 7c1479d571dc163e4fe0bacef15cf60e8dd85920..a1affda77ef87fb7fd09d875ec8779324b47e3fb 100644
+index ff06786ca8610a71059d469dac613750cc0c8623..b3c6557fd61be79e76110b99a6a7751dcc841602 100644
 --- a/src/tools/genpolicy/src/policy.rs
 +++ b/src/tools/genpolicy/src/policy.rs
 @@ -10,6 +10,7 @@ use crate::agent;
@@ -89,7 +89,7 @@ index 7c1479d571dc163e4fe0bacef15cf60e8dd85920..a1affda77ef87fb7fd09d875ec877932
  use crate::pod;
  use crate::policy;
  use crate::pvc;
-@@ -434,6 +435,17 @@ impl AgentPolicy {
+@@ -447,6 +448,17 @@ impl AgentPolicy {
                  let yaml_string = serde_yaml::to_string(&doc_mapping)?;
                  let silent = config.silent_unsupported_fields;
                  let (mut resource, kind) = yaml::new_k8s_resource(&yaml_string, silent)?;
@@ -108,12 +108,12 @@ index 7c1479d571dc163e4fe0bacef15cf60e8dd85920..a1affda77ef87fb7fd09d875ec877932
 
                  // ConfigMap and Secret documents contain additional input for policy generation.
 diff --git a/src/tools/genpolicy/src/stateful_set.rs b/src/tools/genpolicy/src/stateful_set.rs
-index 4c55f59ec3e88b324c25c5065d5b4c898a0db804..d25398358f526116f5b766ffba6db2e287e0f8e9 100644
+index ec952af07c5ee134cc8cb6ae48246ced83fee0f5..a987e5e72292d36f5bbc3b27265002daf42c2819 100644
 --- a/src/tools/genpolicy/src/stateful_set.rs
 +++ b/src/tools/genpolicy/src/stateful_set.rs
-@@ -194,6 +194,15 @@ impl yaml::K8sResource for StatefulSet {
-         }
-         false
+@@ -197,6 +197,15 @@ impl yaml::K8sResource for StatefulSet {
+     fn get_process_fields(&self, process: &mut policy::KataProcess) {
+         yaml::get_process_fields(process, &self.spec.template.spec.securityContext);
      }
 +
 +    fn get_runtime_class_name(&self) -> Option<String> {
@@ -161,12 +161,12 @@ index e45b188d40a82a32547290ccdfd4a263e193e1c2..2402c2ed213e45b89c47b2b6a94d54f8
              rego_rules_path: args.rego_rules_path,
              json_settings_path: args.json_settings_path,
 diff --git a/src/tools/genpolicy/src/yaml.rs b/src/tools/genpolicy/src/yaml.rs
-index 378374dbf249ea0722a93bf024de177c48639b8f..0f94371052675049c19e4e057ea72e68432ce5ec 100644
+index 105bd8628b86733788886202b6c21a2586aa0525..f3748f0e079766de08f26c38e9ff2c4ade0a7c7a 100644
 --- a/src/tools/genpolicy/src/yaml.rs
 +++ b/src/tools/genpolicy/src/yaml.rs
 @@ -76,6 +76,10 @@ pub trait K8sResource {
-         // Just Pods can have a PodSecurityContext field, so the other
-         // resources can use this default get_process_fields implementation.
+         // No need to implement support for securityContext or similar fields
+         // for some of the K8s resource types.
      }
 +
 +    fn get_runtime_class_name(&self) -> Option<String> {

@@ -9,10 +9,10 @@ Signed-off-by: Paul Meyer <[email protected]>
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
-index ac84a6f6ec39aba77427b588bd6037dce1f1ac76..3e03070e3743f9a2ecc29e5d7714a5a0335bd1ed 100644
+index b904391af531327d7def819cb9da47cd04d7124e..33c44fd4c8d20dcc4c13cbd12fcd9e577994ee97 100644
 --- a/src/tools/genpolicy/rules.rego
 +++ b/src/tools/genpolicy/rules.rego
-@@ -917,7 +917,7 @@ allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) {
+@@ -948,7 +948,7 @@ allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) {
      i_count == p_count + 3
 
      print("allow_storage_options 2: i_storage.options[0] =", i_storage.options[0])

@@ -9,10 +9,10 @@ In order to mount empty dirs e.g., with mount propagation "Bidirectional", we ne
  1 file changed, 13 insertions(+), 3 deletions(-)
 
 diff --git a/src/tools/genpolicy/src/mount_and_storage.rs b/src/tools/genpolicy/src/mount_and_storage.rs
-index ecb8bf5776ffb946bdab3b594a1f5bcb43799e84..327dd6990f8e7a275cf7561e20d2ce5cc0eeab2e 100644
+index 922a224a523765161083f961fa7cd32599f1901d..82304ba640cbe2ca056309b0c9b8c792e1523675 100644
 --- a/src/tools/genpolicy/src/mount_and_storage.rs
 +++ b/src/tools/genpolicy/src/mount_and_storage.rs
-@@ -127,7 +127,14 @@ pub fn get_mount_and_storage(
+@@ -161,7 +161,14 @@ pub fn get_mount_and_storage(
          } else {
              false
          };
@@ -28,15 +28,15 @@ index ecb8bf5776ffb946bdab3b594a1f5bcb43799e84..327dd6990f8e7a275cf7561e20d2ce5c
      } else if yaml_volume.persistentVolumeClaim.is_some() {
          get_persistent_volume_claim_mount(
              settings,
-@@ -169,6 +176,7 @@ fn get_empty_dir_mount_and_storage(
+@@ -203,6 +210,7 @@ fn get_empty_dir_mount_and_storage(
      storages: &mut Vec<agent::Storage>,
      yaml_mount: &pod::VolumeMount,
      memory_medium: bool,
 +    mount_options: (&str, &str),
  ) {
      let settings_volumes = &settings.volumes;
      let settings_empty_dir = if memory_medium {
-@@ -204,14 +212,16 @@ fn get_empty_dir_mount_and_storage(
+@@ -238,14 +246,16 @@ fn get_empty_dir_mount_and_storage(
          &settings_empty_dir.mount_type
      };
 

@@ -8,10 +8,10 @@ Subject: [PATCH] genpolicy: support HostToContainer mount propagation
  1 file changed, 3 insertions(+), 2 deletions(-)
 
 diff --git a/src/tools/genpolicy/src/mount_and_storage.rs b/src/tools/genpolicy/src/mount_and_storage.rs
-index 327dd6990f8e7a275cf7561e20d2ce5cc0eeab2e..09bc89fdf7e6eb239428adbb093c9cb5962da8a7 100644
+index 82304ba640cbe2ca056309b0c9b8c792e1523675..1f19d1daaf84a3b8800b0a55188205fd0ba9b2d8 100644
 --- a/src/tools/genpolicy/src/mount_and_storage.rs
 +++ b/src/tools/genpolicy/src/mount_and_storage.rs
-@@ -108,8 +108,9 @@ pub fn get_mount_and_storage(
+@@ -142,8 +142,9 @@ pub fn get_mount_and_storage(
      yaml_volume: &volume::Volume,
      yaml_mount: &pod::VolumeMount,
  ) {

@@ -4,7 +4,7 @@ Date: Tue, 26 Nov 2024 11:29:14 +0100
 Subject: [PATCH] genpolicy: support for VOLUME definition in container image
 
 ---
- src/tools/genpolicy/genpolicy-settings.json   | 14 +++++-
+ src/tools/genpolicy/genpolicy-settings.json   | 12 +++++
  src/tools/genpolicy/src/cronjob.rs            | 18 ++++---
  src/tools/genpolicy/src/daemon_set.rs         | 18 ++++---
  src/tools/genpolicy/src/deployment.rs         | 18 ++++---
@@ -18,10 +18,10 @@ Subject: [PATCH] genpolicy: support for VOLUME definition in container image
  src/tools/genpolicy/src/settings.rs           | 12 +++++
  src/tools/genpolicy/src/stateful_set.rs       | 20 ++++----
  src/tools/genpolicy/src/yaml.rs               | 43 ++++++++++++-----
- 14 files changed, 189 insertions(+), 99 deletions(-)
+ 14 files changed, 188 insertions(+), 98 deletions(-)
 
 diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json
-index 7d35862afa73e9f4c9004189d3ec50ebd3e8855d..fd998a41be8978b85928d12101c7ff4fdc38e4eb 100644
+index 73d9c1125bbfeefce4bce24109f552db87860bca..ce3e90579266bf463d815b8f3a10fea21a97b044 100644
 --- a/src/tools/genpolicy/genpolicy-settings.json
 +++ b/src/tools/genpolicy/genpolicy-settings.json
 @@ -178,6 +178,18 @@
@@ -43,13 +43,6 @@ index 7d35862afa73e9f4c9004189d3ec50ebd3e8855d..fd998a41be8978b85928d12101c7ff4f
          }
      },
      "mount_destinations": [
-@@ -322,4 +334,4 @@
-         "UpdateEphemeralMountsRequest": false,
-         "WriteStreamRequest": false
-     }
--}
-\ No newline at end of file
-+}
 diff --git a/src/tools/genpolicy/src/cronjob.rs b/src/tools/genpolicy/src/cronjob.rs
 index 5da0989a77870bf9809a609b26269f59e7c3e2b5..6a2d63de3138d7728d430aad1a9b15201f61b62a 100644
 --- a/src/tools/genpolicy/src/cronjob.rs
@@ -80,7 +73,7 @@ index 5da0989a77870bf9809a609b26269f59e7c3e2b5..6a2d63de3138d7728d430aad1a9b1520
 
      fn generate_policy(&self, agent_policy: &policy::AgentPolicy) -> String {
 diff --git a/src/tools/genpolicy/src/daemon_set.rs b/src/tools/genpolicy/src/daemon_set.rs
-index 90ea48597605f056250424ff0d8758017d20220f..d5a159c318f65339a9044a85a08bfae91f839e01 100644
+index b543b989095300ec3a8bc0e00137e1087d24f90c..bed1eb8bc88a4b0a94a988d712bc155d1bb14d25 100644
 --- a/src/tools/genpolicy/src/daemon_set.rs
 +++ b/src/tools/genpolicy/src/daemon_set.rs
 @@ -98,16 +98,14 @@ impl yaml::K8sResource for DaemonSet {
@@ -109,7 +102,7 @@ index 90ea48597605f056250424ff0d8758017d20220f..d5a159c318f65339a9044a85a08bfae9
 
      fn generate_policy(&self, agent_policy: &policy::AgentPolicy) -> String {
 diff --git a/src/tools/genpolicy/src/deployment.rs b/src/tools/genpolicy/src/deployment.rs
-index 890579cdfbd67cd7f5949c817dbd9391043b1cf0..65db6937e874ce13d655498b441e5c71913fca97 100644
+index 8cd9ff51a7fdbcf232141b255e008babc6a4b108..90f15617ec6b68a1410d9077df26f7290c817397 100644
 --- a/src/tools/genpolicy/src/deployment.rs
 +++ b/src/tools/genpolicy/src/deployment.rs
 @@ -96,16 +96,14 @@ impl yaml::K8sResource for Deployment {
@@ -138,7 +131,7 @@ index 890579cdfbd67cd7f5949c817dbd9391043b1cf0..65db6937e874ce13d655498b441e5c71
 
      fn generate_policy(&self, agent_policy: &policy::AgentPolicy) -> String {
 diff --git a/src/tools/genpolicy/src/job.rs b/src/tools/genpolicy/src/job.rs
-index ebe4cc871ff7f9c244c93e4b909cbd519a438069..39c0a4c62ee8f59108dd9e0ba90f51e43d7a115c 100644
+index b48d4480346b8af590b60fdb0278343ce28ab25c..e9dc76532d8bdd975cdff16bdc4b8c981ea93d33 100644
 --- a/src/tools/genpolicy/src/job.rs
 +++ b/src/tools/genpolicy/src/job.rs
 @@ -70,16 +70,14 @@ impl yaml::K8sResource for Job {
@@ -167,10 +160,10 @@ index ebe4cc871ff7f9c244c93e4b909cbd519a438069..39c0a4c62ee8f59108dd9e0ba90f51e4
 
      fn generate_policy(&self, agent_policy: &policy::AgentPolicy) -> String {
 diff --git a/src/tools/genpolicy/src/mount_and_storage.rs b/src/tools/genpolicy/src/mount_and_storage.rs
-index 09bc89fdf7e6eb239428adbb093c9cb5962da8a7..070824f1fabce743e69f6822e70dc1aed0811cda 100644
+index 1f19d1daaf84a3b8800b0a55188205fd0ba9b2d8..bc2aae47a3993dc0efa2c1a51c0901518143f1be 100644
 --- a/src/tools/genpolicy/src/mount_and_storage.rs
 +++ b/src/tools/genpolicy/src/mount_and_storage.rs
-@@ -108,6 +108,10 @@ pub fn get_mount_and_storage(
+@@ -142,6 +142,10 @@ pub fn get_mount_and_storage(
      yaml_volume: &volume::Volume,
      yaml_mount: &pod::VolumeMount,
  ) {
@@ -181,7 +174,7 @@ index 09bc89fdf7e6eb239428adbb093c9cb5962da8a7..070824f1fabce743e69f6822e70dc1ae
      let propagation = match yaml_mount.mountPropagation.as_deref() {
          Some("Bidirectional") => "rshared",
          Some("HostToContainer") => "rslave",
-@@ -422,6 +426,50 @@ fn get_downward_api_mount(yaml_mount: &pod::VolumeMount, p_mounts: &mut Vec<poli
+@@ -461,6 +465,50 @@ fn get_downward_api_mount(yaml_mount: &pod::VolumeMount, p_mounts: &mut Vec<poli
      }
  }
 
@@ -233,7 +226,7 @@ index 09bc89fdf7e6eb239428adbb093c9cb5962da8a7..070824f1fabce743e69f6822e70dc1ae
      settings: &settings::Settings,
      yaml_mount: &pod::VolumeMount,
 diff --git a/src/tools/genpolicy/src/pod.rs b/src/tools/genpolicy/src/pod.rs
-index 4a40c957042e73ba584b66bc681469458a7f18f4..f5bf61bec420ed7ee642818e10ecdca80f710ad8 100644
+index 45111763af659f7c86640779be95280eb8a4c23f..a9bd1638b7cc7e7a0652d2df78e8d2cd24fa449b 100644
 --- a/src/tools/genpolicy/src/pod.rs
 +++ b/src/tools/genpolicy/src/pod.rs
 @@ -846,16 +846,14 @@ impl yaml::K8sResource for Pod {
@@ -363,7 +356,7 @@ index 333a4dd33032c4842e70d5e618b4660fa2ffb6c5..793137224b88d4a562ea214bbc8d9331
              image_layers,
          })
 diff --git a/src/tools/genpolicy/src/replica_set.rs b/src/tools/genpolicy/src/replica_set.rs
-index 094daf1da4cf2f202cfc41e76a0f693bdf84e46a..205937f0a9f1e17b5e2b1a6ab9e3d67d5263daa5 100644
+index 12e515ad8203f8180bacdf70e7a8e24ad98238e0..27e70d20f0085e36b7170d6c24eea3f7771cbb1f 100644
 --- a/src/tools/genpolicy/src/replica_set.rs
 +++ b/src/tools/genpolicy/src/replica_set.rs
 @@ -68,16 +68,14 @@ impl yaml::K8sResource for ReplicaSet {
@@ -392,7 +385,7 @@ index 094daf1da4cf2f202cfc41e76a0f693bdf84e46a..205937f0a9f1e17b5e2b1a6ab9e3d67d
 
      fn generate_policy(&self, agent_policy: &policy::AgentPolicy) -> String {
 diff --git a/src/tools/genpolicy/src/replication_controller.rs b/src/tools/genpolicy/src/replication_controller.rs
-index 55788a45c2e0ede93b5fb27349b9096d6dc706ef..049e6a1394ba4c1151f44dc56abe1392102f5582 100644
+index e6279fbac5c4cb4544338f7d453a7896fe75368f..9029c5a9173c1aa0e6b27f4314f35eacdd7a5e65 100644
 --- a/src/tools/genpolicy/src/replication_controller.rs
 +++ b/src/tools/genpolicy/src/replication_controller.rs
 @@ -70,16 +70,14 @@ impl yaml::K8sResource for ReplicationController {
@@ -451,7 +444,7 @@ index 3d86971914ad4a659cab4bba0737ca53a183c2ba..a388f074e5168abb14c40c324c8aeef7
  /// genpolicy-settings.json.
  #[derive(Clone, Debug, Serialize, Deserialize)]
 diff --git a/src/tools/genpolicy/src/stateful_set.rs b/src/tools/genpolicy/src/stateful_set.rs
-index d25398358f526116f5b766ffba6db2e287e0f8e9..aa25bf5a78443dce6493fe5a2a2c3a3b6bd8c00c 100644
+index a987e5e72292d36f5bbc3b27265002daf42c2819..298af4eb577687246125dc567743a2f49742d905 100644
 --- a/src/tools/genpolicy/src/stateful_set.rs
 +++ b/src/tools/genpolicy/src/stateful_set.rs
 @@ -118,17 +118,6 @@ impl yaml::K8sResource for StatefulSet {
@@ -489,7 +482,7 @@ index d25398358f526116f5b766ffba6db2e287e0f8e9..aa25bf5a78443dce6493fe5a2a2c3a3b
 
      fn generate_policy(&self, agent_policy: &policy::AgentPolicy) -> String {
 diff --git a/src/tools/genpolicy/src/yaml.rs b/src/tools/genpolicy/src/yaml.rs
-index 0f94371052675049c19e4e057ea72e68432ce5ec..d8a4fd5a4c1797bba19262566b31698c03a641f5 100644
+index f3748f0e079766de08f26c38e9ff2c4ade0a7c7a..8ae1000eb319267a7732132ee42731c792ebd48c 100644
 --- a/src/tools/genpolicy/src/yaml.rs
 +++ b/src/tools/genpolicy/src/yaml.rs
 @@ -260,24 +260,41 @@ pub fn get_container_mounts_and_storages(