From 79399f25d75f94016ebeb19d93df11870538e59a Mon Sep 17 00:00:00 2001
From: Leonardo Milleri <lmilleri@redhat.com>
Date: Tue, 4 Nov 2025 14:16:45 +0000
Subject: [PATCH] Fix

Signed-off-by: Leonardo Milleri <lmilleri@redhat.com>
---
 internal/controller/kbsconfig_controller.go | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/internal/controller/kbsconfig_controller.go b/internal/controller/kbsconfig_controller.go
index f8dae290..cb89890e 100644
--- a/internal/controller/kbsconfig_controller.go
+++ b/internal/controller/kbsconfig_controller.go
@@ -364,6 +364,19 @@ func (r *KbsConfigReconciler) newKbsDeployment(ctx context.Context) (*appsv1.Dep
 	volumes = append(volumes, *volume)
 	kbsVM = append(kbsVM, volumeMount)
 
+	// attestation policy directory - create empty writable directory
+	volume, err = r.createEmptyDirVolume("attestation-policy-dir")
+	if err != nil {
+		return nil, err
+	}
+	volumes = append(volumes, *volume)
+	volumeMount = createVolumeMount(volume.Name, attestationPolicyPath)
+	if r.kbsConfig.Spec.KbsDeploymentType == confidentialcontainersorgv1alpha1.DeploymentTypeAllInOne {
+		kbsVM = append(kbsVM, volumeMount)
+	} else {
+		asVM = append(asVM, volumeMount)
+	}
+
 	// attestation policy
 	if r.kbsConfig.Spec.KbsAttestationPolicyConfigMapName != "" {
 		volume, err = r.createConfigMapVolume(ctx, "attestation-policy", r.kbsConfig.Spec.KbsAttestationPolicyConfigMapName)