Harden scanner extra volume handling by sozercan · Pull Request #1222 · eraser-dev/eraser

sozercan · 2026-04-09T05:55:42Z

The manager config previously allowed components.scanner.volumes to include hostPath volumes which were mounted into the scanner container at the host path, enabling disclosure of host filesystem data if the ConfigMap could be modified.

Reject hostPath-backed volumes from components.scanner.volumes by logging an error and skipping them to prevent arbitrary hostPath mounts into the scanner container.
Introduce a fixed internal base directory "/run/eraser.sh/scanner-extra" and mount accepted non-hostPath extra volumes under "/run/eraser.sh/scanner-extra/<volume-name>" as read-only to avoid mirroring host paths.
Only validated (non-hostPath) volumes are appended to the job template's Spec.Volumes and mounted into the scanner container; changes are localized to controllers/imagecollector/imagecollector_controller.go.

Ran go test -run TestDoesNotExist ./controllers/imagecollector, which completed (package has no test files).
Ran go test ./api/unversioned/..., which completed (packages have no test files).

Harden scanner extra volume handling

c7267f2

sozercan requested review from ashnamehrotra and pmengelbert as code owners April 9, 2026 05:55

sozercan added aardvark codex labels Apr 9, 2026 — with ChatGPT Codex Connector

Provide feedback