Require read-only runtime cache delegates

MaxRink · MaxRink · commit 8922f414e261 · 2026-06-19T02:18:31.000+02:00
diff --git a/controllers/container_image/runtime_cache/resources.go b/controllers/container_image/runtime_cache/resources.go
@@ -442,6 +442,9 @@ func Validate(cache v1alpha2.RuntimeCacheScanner) error {
 		if !strings.HasPrefix(delegate.HostPath, "/") {
 			return fmt.Errorf("containers.runtimeCache.delegates[%s].hostPath must be absolute", delegate.Name)
 		}
+		if delegate.ReadOnly != nil && !*delegate.ReadOnly {
+			return fmt.Errorf("containers.runtimeCache.delegates[%s].readOnly must be true", delegate.Name)
+		}
 	}
 	return nil
 }
diff --git a/controllers/container_image/runtime_cache/resources_test.go b/controllers/container_image/runtime_cache/resources_test.go
@@ -60,6 +60,10 @@ func TestValidateRuntimeCache(t *testing.T) {
 	cfg.Delegates[0].HostPath = "relative.sock"
 	assert.ErrorContains(t, Validate(cfg), "hostPath must be absolute")
 
+	cfg = runtimeCacheAuditConfig().Spec.Containers.RuntimeCache
+	cfg.Delegates[0].ReadOnly = ptr.To(false)
+	assert.ErrorContains(t, Validate(cfg), "readOnly must be true")
+
 	cfg = runtimeCacheAuditConfig().Spec.Containers.RuntimeCache
 	cfg.Delegates[0].Name = strings.Repeat("a", 64)
 	assert.ErrorContains(t, Validate(cfg), "must be a valid DNS label")

Original file line number	Diff line number	Diff line change
`@@ -442,6 +442,9 @@ func Validate(cache v1alpha2.RuntimeCacheScanner) error {`
`442`	`442`	`if !strings.HasPrefix(delegate.HostPath, "/") {`
`443`	`443`	`return fmt.Errorf("containers.runtimeCache.delegates[%s].hostPath must be absolute", delegate.Name)`
`444`	`444`	`}`
	`445`	`+ if delegate.ReadOnly != nil && !*delegate.ReadOnly {`
	`446`	`+ return fmt.Errorf("containers.runtimeCache.delegates[%s].readOnly must be true", delegate.Name)`
	`447`	`+ }`
`445`	`448`	`}`
`446`	`449`	`return nil`
`447`	`450`	`}`