From feb1b53af04bb7256645bd86c1be4a569d980e84 Mon Sep 17 00:00:00 2001
From: Kaizhe Huang
Date: Thu, 16 Sep 2021 14:55:18 -0700
Subject: [PATCH] add subpath usage to the report (#48)

Signed-off-by: Kaizhe Huang
---
 advisor/report/report.go      |  8 ++++++++
 advisor/types/securityspec.go | 12 ++++++++++++
 test-yaml/subpath.yaml        | 26 ++++++++++++++++++++++++++
 3 files changed, 46 insertions(+)
 create mode 100644 test-yaml/subpath.yaml

diff --git a/advisor/report/report.go b/advisor/report/report.go
index 1b52c7e..6c7ce92 100644
--- a/advisor/report/report.go
+++ b/advisor/report/report.go
@@ -16,6 +16,7 @@ const (
 	hostPID = "hostPID"
 	hostIPC = "hostIPC"
 	hostNetwork = "hostNetwork"
+	subPath = "subPath"
 )
 
 type Report struct {
@@ -40,6 +41,7 @@ func NewReport() *Report {
 	r.Containers[runAsGroup] = []types.ContainerSecuritySpec{}
 	r.Containers[privileged] = []types.ContainerSecuritySpec{}
 	r.Containers[readOnlyRootFileSystem] = []types.ContainerSecuritySpec{}
+	r.Containers[subPath] = []types.ContainerSecuritySpec{}
 
 	// pod related security posture report
 	r.PodSecuritySpecs[hostPID] = []types.PodSecuritySpec{}
@@ -103,4 +105,10 @@ func (r *Report) AddContainer(c types.ContainerSecuritySpec) {
 	if c.ReadOnlyRootFS {
 		r.Containers[readOnlyRootFileSystem] = append(r.Containers[readOnlyRootFileSystem], c)
 	}
+
+	for _, vm := range c.VolumeMounts {
+		if vm.UsesSubPath() {
+			r.Containers[subPath] = append(r.Containers[subPath], c)
+		}
+	}
 }
diff --git a/advisor/types/securityspec.go b/advisor/types/securityspec.go
index 4bdb507..565bc3e 100644
--- a/advisor/types/securityspec.go
+++ b/advisor/types/securityspec.go
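Review bot: In the AddContainer hunk, the new loop appends `c` to `r.Containers[subPath]` once per volume mount that sets a subPath, so a container with two or more such mounts is listed twice in the report, unlike every other category in this function which records a container at most once; add `break` directly after `r.Containers[subPath] = append(r.Containers[subPath], c)` (or compute a bool in the loop and append once after it). AddContainer's body starts above this hunk, so the earlier categories are not visible here, but the pattern of one entry per container is visible in the readOnlyRootFS branch. The new constant in the first hunk would also benefit from a short comment so report readers know what the category counts, e.g. `// subPath: containers mounting a volume with subPath or subPathExpr set`. The NewReport hunk is consistent with the existing categories.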
@@ -47,6 +47,18 @@ type VolumeMount struct {
 	SubPathExpr string `json:"subPathExpr,omitempty"`
 }
 
+func (vm VolumeMount) IsReadOnlyMount() bool {
+	return vm.ReadOnly == true
+}
+
+func (vm VolumeMount) UsesSubPath() bool {
+	if vm.SubPath != "" || vm.SubPathExpr != "" {
+		return true
+	}
+
+	return false
+}
+
 type ContainerSecuritySpec struct {
 	Metadata Metadata `json:"parentMetadata"`
 	ContainerID string `json:"containerID"`
diff --git a/test-yaml/subpath.yaml b/test-yaml/subpath.yaml
new file mode 100644
index 0000000..da7e12f
--- /dev/null
+++ b/test-yaml/subpath.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: my-lamp-site
+spec:
+  containers:
+  - name: mysql
+    image: mysql
+    env:
+    # this is a bad example for testing purpose
+    - name: MYSQL_ROOT_PASSWORD
+      value: "rootpasswd"
+    volumeMounts:
+    - mountPath: /var/lib/mysql
+      name: site-data
+      subPath: mysql
+  - name: php
+    image: php:7.0-apache
+    volumeMounts:
+    - mountPath: /var/www/html
+      name: site-data
+      subPath: html
+  volumes:
+  - name: site-data
+    persistentVolumeClaim:
+      claimName: my-lamp-site-data
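Review bot: Both new methods spell out a boolean that the expression already yields: `return vm.ReadOnly == true` should be `return vm.ReadOnly`, and the if/return-true/return-false body of UsesSubPath collapses to `return vm.SubPath != "" || vm.SubPathExpr != ""` (staticcheck flags both forms). Both are exported methods without doc comments; suggested: `// IsReadOnlyMount reports whether the mount is declared read-only.` and `// UsesSubPath reports whether the mount sets subPath or subPathExpr, which the report tracks as a separate category.`. IsReadOnlyMount is not called anywhere in this patch; if it has no caller yet it may be worth noting that in the commit description, otherwise it reads as dead code to a reviewer.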