Restrict device plugin hostPath volumes to allowed prefixes

[TomerNewman]

Summary

Add webhook validation that rejects hostPath volumes in spec.devicePlugin.volumes unless the path resolves under /dev, /sys, /var or /opt. This prevents device plugins from mounting arbitrary host directories such as / or /etc.

Details

• New validateDevicePluginVolumes function in the webhook with filepath.Clean to prevent path traversal bypasses (e.g. /dev/../etc)
• Called from validateModule on both create and update
• Non-hostPath volumes (ConfigMap, Secret, EmptyDir, etc.) are allowed through since they don't expose host filesystem

Test plan

• Unit tests added (13 cases covering nil, empty, allowed paths, rejected paths, prefix tricks, path traversal)
• make fmt passes
• make lint passes
• make unit-test passes

---

/cc @ybettan @yevgeny-shnaidman
/assign @ybettan @yevgeny-shnaidman

[netlify]

✅ Deploy Preview for kubernetes-sigs-kmm ready!

Name	Link
🔨 Latest commit	93a10ba
🔍 Latest deploy log	https://app.netlify.com/projects/kubernetes-sigs-kmm/deploys/6a3a21df934e100008885610
😎 Deploy Preview	https://deploy-preview-1292--kubernetes-sigs-kmm.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[kubernetes-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: TomerNewman

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [TomerNewman]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[codecov-commenter]

Codecov Report

❌ Patch coverage is 88.88889% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 73.57%. Comparing base (fa23a9b) to head (93a10ba).
⚠️ Report is 386 commits behind head on main.

Files with missing lines	Patch %	Lines
internal/webhook/module.go	88.88%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1292      +/-   ##
==========================================
- Coverage   79.09%   73.57%   -5.52%     
==========================================
  Files          51       67      +16     
  Lines        5109     5022      -87     
==========================================
- Hits         4041     3695     -346     
- Misses        882     1157     +275     
+ Partials      186      170      -16     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[yevgeny-shnaidman]

please update the title and the commit message

[TomerNewman]

please update the title and the commit message

Done

[yevgeny-shnaidman]

why do we need prefix + "/"? What happens if the volume is "/var"?

[TomerNewman]

The check has two parts:

if cleanPath == prefix || strings.HasPrefix(cleanPath, prefix+"/") {

• cleanPath == prefix handles the exact match — so /var by itself is allowed.
• strings.HasPrefix(cleanPath, prefix+"/") handles subdirectories like /var/lib/kubelet.

The + "/" is specifically to prevent false positives: without it, strings.HasPrefix("/variable", "/var") would return true, incorrectly allowing a path like /variable. The trailing slash ensures we only match actual subdirectories.

[yevgeny-shnaidman]

/lgtm