diff --git a/packages/by-name/microsoft/genpolicy/0001-genpolicy-add-rules-and-types-for-volumeDevices.patch b/packages/by-name/microsoft/genpolicy/0001-genpolicy-add-rules-and-types-for-volumeDevices.patch
index a4e909b7b0..9cafb0e877 100644
--- a/packages/by-name/microsoft/genpolicy/0001-genpolicy-add-rules-and-types-for-volumeDevices.patch
+++ b/packages/by-name/microsoft/genpolicy/0001-genpolicy-add-rules-and-types-for-volumeDevices.patch
@@ -1,7 +1,7 @@
-From 41f26a5803fa50abf3bd0d6cfebc8106ae9dcbc8 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Markus Rudy <mr@edgeless.systems>
 Date: Thu, 23 May 2024 09:20:20 +0200
-Subject: [PATCH 1/6] genpolicy: add rules and types for volumeDevices
+Subject: [PATCH] genpolicy: add rules and types for volumeDevices
 
 Signed-off-by: Markus Rudy <mr@edgeless.systems>
 ---
@@ -14,7 +14,7 @@ Signed-off-by: Markus Rudy <mr@edgeless.systems>
  6 files changed, 85 insertions(+)
 
 diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
-index c3eb33461..25c16bada 100644
+index c3eb334612fc0ff05c49031e7b305fd10297896a..25c16badaddea436539c9ec8b8bd210461cda615 100644
 --- a/src/tools/genpolicy/rules.rego
 +++ b/src/tools/genpolicy/rules.rego
 @@ -54,6 +54,7 @@ default AllowRequestsFailingPolicy := false
@@ -75,7 +75,7 @@ index c3eb33461..25c16bada 100644
  # and io.kubernetes.cri.sandbox-id" values with other fields.
  allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) {
 diff --git a/src/tools/genpolicy/src/agent.rs b/src/tools/genpolicy/src/agent.rs
-index 19a934d81..f3f398b0e 100644
+index 19a934d81995ece42a148e733b41e96474921b3a..f3f398b0ee052ba02a3b5ecae884fed646b38cc3 100644
 --- a/src/tools/genpolicy/src/agent.rs
 +++ b/src/tools/genpolicy/src/agent.rs
 @@ -16,3 +16,12 @@ pub struct SerializedFsGroup {
@@ -92,7 +92,7 @@ index 19a934d81..f3f398b0e 100644
 +    pub options: Vec<String>,
 +}  
 diff --git a/src/tools/genpolicy/src/containerd.rs b/src/tools/genpolicy/src/containerd.rs
-index 2b826a51a..075fced5b 100644
+index 2b826a51a4f587e2ca45f0b304b0eed29046b104..075fced5bfec11b27e529f0b1d2dba5e6271ba82 100644
 --- a/src/tools/genpolicy/src/containerd.rs
 +++ b/src/tools/genpolicy/src/containerd.rs
 @@ -152,12 +152,14 @@ pub fn get_linux(privileged_container: bool) -> policy::KataLinux {
@@ -111,7 +111,7 @@ index 2b826a51a..075fced5b 100644
      }
  }
 diff --git a/src/tools/genpolicy/src/pod.rs b/src/tools/genpolicy/src/pod.rs
-index 2ea8fdb9b..da2a47ee2 100644
+index 2ea8fdb9be848c8c00f634ec813475ebaf3d55bb..da2a47ee2d6affc43dc9246670675e3367d73bfe 100644
 --- a/src/tools/genpolicy/src/pod.rs
 +++ b/src/tools/genpolicy/src/pod.rs
 @@ -120,6 +120,9 @@ pub struct Container {
@@ -139,7 +139,7 @@ index 2ea8fdb9b..da2a47ee2 100644
  #[derive(Clone, Debug, Serialize, Deserialize)]
  struct ResourceRequirements {
 diff --git a/src/tools/genpolicy/src/policy.rs b/src/tools/genpolicy/src/policy.rs
-index baa382b76..7c1479d57 100644
+index baa382b7646a11cd1fa18274801616eb36f04db6..7c1479d571dc163e4fe0bacef15cf60e8dd85920 100644
 --- a/src/tools/genpolicy/src/policy.rs
 +++ b/src/tools/genpolicy/src/policy.rs
 @@ -198,6 +198,10 @@ pub struct KataLinux {
@@ -217,7 +217,7 @@ index baa382b76..7c1479d57 100644
              exec_commands,
          }
 diff --git a/src/tools/genpolicy/src/pvc.rs b/src/tools/genpolicy/src/pvc.rs
-index 0a768ed8e..61d0ce3f0 100644
+index 0a768ed8e0e16965270be44f94b8d60d0eb4381c..61d0ce3f08686843ce1095e7e108636e5bd34ad9 100644
 --- a/src/tools/genpolicy/src/pvc.rs
 +++ b/src/tools/genpolicy/src/pvc.rs
 @@ -34,6 +34,9 @@ pub struct PersistentVolumeClaimSpec {
@@ -230,6 +230,3 @@ index 0a768ed8e..61d0ce3f0 100644
      // TODO: additional fields.
  }
  
--- 
-2.34.1
-
diff --git a/packages/by-name/microsoft/genpolicy/0002-genpolicy-add-ability-to-filter-for-runtimeClassName.patch b/packages/by-name/microsoft/genpolicy/0002-genpolicy-add-ability-to-filter-for-runtimeClassName.patch
index 72956c23bc..18b6c3b0ae 100644
--- a/packages/by-name/microsoft/genpolicy/0002-genpolicy-add-ability-to-filter-for-runtimeClassName.patch
+++ b/packages/by-name/microsoft/genpolicy/0002-genpolicy-add-ability-to-filter-for-runtimeClassName.patch
@@ -1,7 +1,7 @@
-From c890911981a072a14c69d92f82ece28e5d55d7fa Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Paul Meyer <49727155+katexochen@users.noreply.github.com>
 Date: Tue, 9 Jul 2024 16:07:09 +0200
-Subject: [PATCH 2/6] genpolicy: add ability to filter for runtimeClassName
+Subject: [PATCH] genpolicy: add ability to filter for runtimeClassName
 
 Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
 ---
@@ -15,7 +15,7 @@ Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
  7 files changed, 59 insertions(+), 1 deletion(-)
 
 diff --git a/src/tools/genpolicy/src/daemon_set.rs b/src/tools/genpolicy/src/daemon_set.rs
-index 5b18d96d9..90ea48597 100644
+index 5b18d96d9415a99556226b50bf67b1106b393d70..90ea48597605f056250424ff0d8758017d20220f 100644
 --- a/src/tools/genpolicy/src/daemon_set.rs
 +++ b/src/tools/genpolicy/src/daemon_set.rs
 @@ -143,4 +143,13 @@ impl yaml::K8sResource for DaemonSet {
@@ -33,7 +33,7 @@ index 5b18d96d9..90ea48597 100644
 +    }
  }
 diff --git a/src/tools/genpolicy/src/deployment.rs b/src/tools/genpolicy/src/deployment.rs
-index f1b8e8d80..890579cdf 100644
+index f1b8e8d80f497d275a571125374fd77fa5490f24..890579cdfbd67cd7f5949c817dbd9391043b1cf0 100644
 --- a/src/tools/genpolicy/src/deployment.rs
 +++ b/src/tools/genpolicy/src/deployment.rs
 @@ -141,4 +141,13 @@ impl yaml::K8sResource for Deployment {
@@ -51,7 +51,7 @@ index f1b8e8d80..890579cdf 100644
 +    }
  }
 diff --git a/src/tools/genpolicy/src/pod.rs b/src/tools/genpolicy/src/pod.rs
-index da2a47ee2..4a40c9570 100644
+index da2a47ee2d6affc43dc9246670675e3367d73bfe..4a40c957042e73ba584b66bc681469458a7f18f4 100644
 --- a/src/tools/genpolicy/src/pod.rs
 +++ b/src/tools/genpolicy/src/pod.rs
 @@ -47,7 +47,7 @@ pub struct PodSpec {
@@ -78,7 +78,7 @@ index da2a47ee2..4a40c9570 100644
          if let Some(context) = &self.spec.securityContext {
              if let Some(uid) = context.runAsUser {
 diff --git a/src/tools/genpolicy/src/policy.rs b/src/tools/genpolicy/src/policy.rs
-index 7c1479d57..a1affda77 100644
+index 7c1479d571dc163e4fe0bacef15cf60e8dd85920..a1affda77ef87fb7fd09d875ec8779324b47e3fb 100644
 --- a/src/tools/genpolicy/src/policy.rs
 +++ b/src/tools/genpolicy/src/policy.rs
 @@ -10,6 +10,7 @@ use crate::agent;
@@ -108,10 +108,10 @@ index 7c1479d57..a1affda77 100644
  
                  // ConfigMap and Secret documents contain additional input for policy generation.
 diff --git a/src/tools/genpolicy/src/stateful_set.rs b/src/tools/genpolicy/src/stateful_set.rs
-index 096cafbeb..73f0b0a30 100644
+index 4c55f59ec3e88b324c25c5065d5b4c898a0db804..d25398358f526116f5b766ffba6db2e287e0f8e9 100644
 --- a/src/tools/genpolicy/src/stateful_set.rs
 +++ b/src/tools/genpolicy/src/stateful_set.rs
-@@ -187,6 +187,15 @@ impl yaml::K8sResource for StatefulSet {
+@@ -194,6 +194,15 @@ impl yaml::K8sResource for StatefulSet {
          }
          false
      }
@@ -128,7 +128,7 @@ index 096cafbeb..73f0b0a30 100644
  
  impl StatefulSet {
 diff --git a/src/tools/genpolicy/src/utils.rs b/src/tools/genpolicy/src/utils.rs
-index e45b188d4..2402c2ed2 100644
+index e45b188d40a82a32547290ccdfd4a263e193e1c2..2402c2ed213e45b89c47b2b6a94d54f8d200edb1 100644
 --- a/src/tools/genpolicy/src/utils.rs
 +++ b/src/tools/genpolicy/src/utils.rs
 @@ -72,6 +72,12 @@ struct CommandLineOptions {
@@ -161,7 +161,7 @@ index e45b188d4..2402c2ed2 100644
              rego_rules_path: args.rego_rules_path,
              json_settings_path: args.json_settings_path,
 diff --git a/src/tools/genpolicy/src/yaml.rs b/src/tools/genpolicy/src/yaml.rs
-index 8f06d291e..c898240af 100644
+index 8f06d291e97b6955f2970b05c5987678362602eb..c898240af337f3cb7cfc34fa1398cb5a6bd828a5 100644
 --- a/src/tools/genpolicy/src/yaml.rs
 +++ b/src/tools/genpolicy/src/yaml.rs
 @@ -75,6 +75,10 @@ pub trait K8sResource {
@@ -175,6 +175,3 @@ index 8f06d291e..c898240af 100644
  }
  
  /// See Reference / Kubernetes API / Common Definitions / LabelSelector.
--- 
-2.34.1
-
diff --git a/packages/by-name/microsoft/genpolicy/0003-genpolicy-allow-specifying-layer-cache-file.patch b/packages/by-name/microsoft/genpolicy/0003-genpolicy-allow-specifying-layer-cache-file.patch
index b25c9fc8e8..35accfdf71 100644
--- a/packages/by-name/microsoft/genpolicy/0003-genpolicy-allow-specifying-layer-cache-file.patch
+++ b/packages/by-name/microsoft/genpolicy/0003-genpolicy-allow-specifying-layer-cache-file.patch
@@ -1,7 +1,7 @@
-From cf495b76fe64e56b3c18a7175cb4e01d27d02dc7 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Paul Meyer <49727155+katexochen@users.noreply.github.com>
 Date: Tue, 9 Jul 2024 16:14:46 +0200
-Subject: [PATCH 3/6] genpolicy: allow specifying layer cache file
+Subject: [PATCH] genpolicy: allow specifying layer cache file
 
 Add --layers-cache-file-path flag to allow the user to
 specify where the cache file for the container layers
@@ -23,7 +23,7 @@ Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
  3 files changed, 52 insertions(+), 26 deletions(-)
 
 diff --git a/src/tools/genpolicy/src/registry.rs b/src/tools/genpolicy/src/registry.rs
-index 97e35ee60..b212eeb8b 100644
+index 97e35ee601beed99929e36661dadfd6ed15dfc5f..b212eeb8bca209d9916249fe8e01351f5943823c 100644
 --- a/src/tools/genpolicy/src/registry.rs
 +++ b/src/tools/genpolicy/src/registry.rs
 @@ -66,7 +66,7 @@ pub struct ImageLayer {
@@ -130,7 +130,7 @@ index 97e35ee60..b212eeb8b 100644
  
  #[cfg(target_os = "windows")]
 diff --git a/src/tools/genpolicy/src/registry_containerd.rs b/src/tools/genpolicy/src/registry_containerd.rs
-index fcc51ad78..333a4dd33 100644
+index fcc51ad783afb392e706e92a63efed0fe3f416a1..333a4dd33032c4842e70d5e618b4660fa2ffb6c5 100644
 --- a/src/tools/genpolicy/src/registry_containerd.rs
 +++ b/src/tools/genpolicy/src/registry_containerd.rs
 @@ -28,7 +28,7 @@ use tower::service_fn;
@@ -219,7 +219,7 @@ index fcc51ad78..333a4dd33 100644
          warn!("{error_message}");
      }
 diff --git a/src/tools/genpolicy/src/utils.rs b/src/tools/genpolicy/src/utils.rs
-index 2402c2ed2..7579d74bf 100644
+index 2402c2ed213e45b89c47b2b6a94d54f8d200edb1..7579d74bf5a488bf6f577949862e6f976fa14ac5 100644
 --- a/src/tools/genpolicy/src/utils.rs
 +++ b/src/tools/genpolicy/src/utils.rs
 @@ -78,6 +78,14 @@ struct CommandLineOptions {
@@ -266,6 +266,3 @@ index 2402c2ed2..7579d74bf 100644
              version: args.version,
          }
      }
--- 
-2.34.1
-
diff --git a/packages/by-name/microsoft/genpolicy/0004-genpolicy-regex-check-contrast-specific-layer-src-pr.patch b/packages/by-name/microsoft/genpolicy/0004-genpolicy-regex-check-contrast-specific-layer-src-pr.patch
index 01441a2358..a696338291 100644
--- a/packages/by-name/microsoft/genpolicy/0004-genpolicy-regex-check-contrast-specific-layer-src-pr.patch
+++ b/packages/by-name/microsoft/genpolicy/0004-genpolicy-regex-check-contrast-specific-layer-src-pr.patch
@@ -1,7 +1,7 @@
-From 3b444c242de3bc130f0cf73d1a89ab540690c9f0 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Paul Meyer <49727155+katexochen@users.noreply.github.com>
 Date: Thu, 11 Jul 2024 12:05:00 +0200
-Subject: [PATCH 4/6] genpolicy: regex check contrast specific layer-src-prefix
+Subject: [PATCH] genpolicy: regex check contrast specific layer-src-prefix
 
 Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
 ---
@@ -9,7 +9,7 @@ Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
-index 25c16bada..d933b928d 100644
+index 25c16badaddea436539c9ec8b8bd210461cda615..d933b928d21b549ef7c315a9e0c5cbb4bbbe88b3 100644
 --- a/src/tools/genpolicy/rules.rego
 +++ b/src/tools/genpolicy/rules.rego
 @@ -887,7 +887,7 @@ allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) {
@@ -21,6 +21,3 @@ index 25c16bada..d933b928d 100644
  
      print("allow_storage_options 2: i_storage.options[i_count - 2] =", i_storage.options[i_count - 2])
      i_storage.options[i_count - 2] == "io.katacontainers.fs-opt.overlay-rw"
--- 
-2.34.1
-
diff --git a/packages/by-name/microsoft/genpolicy/0005-genpolicy-propagate-mount_options-for-empty-dirs.patch b/packages/by-name/microsoft/genpolicy/0005-genpolicy-propagate-mount_options-for-empty-dirs.patch
index eb90b5c8c1..b8c24803f3 100644
--- a/packages/by-name/microsoft/genpolicy/0005-genpolicy-propagate-mount_options-for-empty-dirs.patch
+++ b/packages/by-name/microsoft/genpolicy/0005-genpolicy-propagate-mount_options-for-empty-dirs.patch
@@ -1,7 +1,7 @@
-From e60354b386c9b50ee5f3a0804be66152fe0849d7 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Leonard Cohnen <lc@edgeless.systems>
 Date: Thu, 29 Aug 2024 03:45:24 +0200
-Subject: [PATCH 5/6] genpolicy: propagate mount_options for empty dirs
+Subject: [PATCH] genpolicy: propagate mount_options for empty dirs
 
 In order to mount empty dirs e.g., with mount propagation "Bidirectional", we need the yaml value to the policy
 ---
@@ -9,7 +9,7 @@ In order to mount empty dirs e.g., with mount propagation "Bidirectional", we ne
  1 file changed, 13 insertions(+), 3 deletions(-)
 
 diff --git a/src/tools/genpolicy/src/mount_and_storage.rs b/src/tools/genpolicy/src/mount_and_storage.rs
-index 520d3a8cb..05a4521f0 100644
+index ecb8bf5776ffb946bdab3b594a1f5bcb43799e84..327dd6990f8e7a275cf7561e20d2ce5cc0eeab2e 100644
 --- a/src/tools/genpolicy/src/mount_and_storage.rs
 +++ b/src/tools/genpolicy/src/mount_and_storage.rs
 @@ -127,7 +127,14 @@ pub fn get_mount_and_storage(
@@ -55,6 +55,3 @@ index 520d3a8cb..05a4521f0 100644
          ],
      });
  }
--- 
-2.34.1
-
diff --git a/packages/by-name/microsoft/genpolicy/0006-genpolicy-support-HostToContainer-mount-propagation.patch b/packages/by-name/microsoft/genpolicy/0006-genpolicy-support-HostToContainer-mount-propagation.patch
index 57a71ce381..6bc7b9b22d 100644
--- a/packages/by-name/microsoft/genpolicy/0006-genpolicy-support-HostToContainer-mount-propagation.patch
+++ b/packages/by-name/microsoft/genpolicy/0006-genpolicy-support-HostToContainer-mount-propagation.patch
@@ -1,14 +1,14 @@
-From 8255b303a8d1c21ed22f2d9f7166101de151a9f4 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Leonard Cohnen <lc@edgeless.systems>
 Date: Fri, 30 Aug 2024 00:30:57 +0200
-Subject: [PATCH 6/6] genpolicy: support HostToContainer mount propagation
+Subject: [PATCH] genpolicy: support HostToContainer mount propagation
 
 ---
  src/tools/genpolicy/src/mount_and_storage.rs | 5 +++--
  1 file changed, 3 insertions(+), 2 deletions(-)
 
 diff --git a/src/tools/genpolicy/src/mount_and_storage.rs b/src/tools/genpolicy/src/mount_and_storage.rs
-index 05a4521f0..c81dc0c52 100644
+index 327dd6990f8e7a275cf7561e20d2ce5cc0eeab2e..09bc89fdf7e6eb239428adbb093c9cb5962da8a7 100644
 --- a/src/tools/genpolicy/src/mount_and_storage.rs
 +++ b/src/tools/genpolicy/src/mount_and_storage.rs
 @@ -108,8 +108,9 @@ pub fn get_mount_and_storage(
@@ -23,6 +23,3 @@ index 05a4521f0..c81dc0c52 100644
          _ => "rprivate",
      };
  
--- 
-2.34.1
-
diff --git a/packages/by-name/microsoft/genpolicy/0007-genpolicy-support-for-VOLUME-definition-in-container.patch b/packages/by-name/microsoft/genpolicy/0007-genpolicy-support-for-VOLUME-definition-in-container.patch
new file mode 100644
index 0000000000..5013f0a13a
--- /dev/null
+++ b/packages/by-name/microsoft/genpolicy/0007-genpolicy-support-for-VOLUME-definition-in-container.patch
@@ -0,0 +1,641 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: miampf <miampf@proton.me>
+Date: Thu, 14 Nov 2024 12:34:56 +0100
+Subject: [PATCH] genpolicy: support for VOLUME definition in container image
+
+---
+ src/tools/genpolicy/genpolicy-settings.json   | 14 ++++-
+ src/tools/genpolicy/src/daemon_set.rs         | 18 +++---
+ src/tools/genpolicy/src/deployment.rs         | 18 +++---
+ src/tools/genpolicy/src/job.rs                | 18 +++---
+ src/tools/genpolicy/src/mount_and_storage.rs  | 58 +++++++++++++++++++
+ src/tools/genpolicy/src/pod.rs                | 18 +++---
+ src/tools/genpolicy/src/registry.rs           | 21 ++++++-
+ .../genpolicy/src/registry_containerd.rs      |  4 +-
+ src/tools/genpolicy/src/replica_set.rs        | 18 +++---
+ .../genpolicy/src/replication_controller.rs   | 18 +++---
+ src/tools/genpolicy/src/settings.rs           | 12 ++++
+ src/tools/genpolicy/src/stateful_set.rs       | 20 +++----
+ src/tools/genpolicy/src/yaml.rs               | 43 +++++++++-----
+ .../kubernetes/k8s-policy-deployments.bats    | 47 +++++++++++++++
+ .../kubernetes/run_kubernetes_tests.sh        |  1 +
+ .../k8s-policy-deployment.yaml                | 36 ++++++++++++
+ 16 files changed, 275 insertions(+), 89 deletions(-)
+ create mode 100644 tests/integration/kubernetes/k8s-policy-deployments.bats
+ create mode 100644 tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-deployment.yaml
+
+diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json
+index 7d35862afa73e9f4c9004189d3ec50ebd3e8855d..fd998a41be8978b85928d12101c7ff4fdc38e4eb 100644
+--- a/src/tools/genpolicy/genpolicy-settings.json
++++ b/src/tools/genpolicy/genpolicy-settings.json
+@@ -178,6 +178,18 @@
+                 "rprivate",
+                 "ro"
+             ]
++        },
++        "image_volume": {
++            "mount_type": "bind",
++            "mount_source": "$(sfprefix)",
++            "driver": "local",
++            "source": "local",
++            "fstype": "bind",
++            "options": [
++                "rbind",
++                "rprivate",
++                "rw"
++            ]
+         }
+     },
+     "mount_destinations": [
+@@ -322,4 +334,4 @@
+         "UpdateEphemeralMountsRequest": false,
+         "WriteStreamRequest": false
+     }
+-}
+\ No newline at end of file
++}
+diff --git a/src/tools/genpolicy/src/daemon_set.rs b/src/tools/genpolicy/src/daemon_set.rs
+index 90ea48597605f056250424ff0d8758017d20220f..d5a159c318f65339a9044a85a08bfae91f839e01 100644
+--- a/src/tools/genpolicy/src/daemon_set.rs
++++ b/src/tools/genpolicy/src/daemon_set.rs
+@@ -98,16 +98,14 @@ impl yaml::K8sResource for DaemonSet {
+         container: &pod::Container,
+         settings: &settings::Settings,
+     ) {
+-        if let Some(volumes) = &self.spec.template.spec.volumes {
+-            yaml::get_container_mounts_and_storages(
+-                policy_mounts,
+-                storages,
+-                persistent_volume_claims,
+-                container,
+-                settings,
+-                volumes,
+-            )
+-        }
++        yaml::get_container_mounts_and_storages(
++            policy_mounts,
++            storages,
++            persistent_volume_claims,
++            container,
++            settings,
++            &self.spec.template.spec.volumes,
++        );
+     }
+ 
+     fn generate_policy(&self, agent_policy: &policy::AgentPolicy) -> String {
+diff --git a/src/tools/genpolicy/src/deployment.rs b/src/tools/genpolicy/src/deployment.rs
+index 890579cdfbd67cd7f5949c817dbd9391043b1cf0..65db6937e874ce13d655498b441e5c71913fca97 100644
+--- a/src/tools/genpolicy/src/deployment.rs
++++ b/src/tools/genpolicy/src/deployment.rs
+@@ -96,16 +96,14 @@ impl yaml::K8sResource for Deployment {
+         container: &pod::Container,
+         settings: &settings::Settings,
+     ) {
+-        if let Some(volumes) = &self.spec.template.spec.volumes {
+-            yaml::get_container_mounts_and_storages(
+-                policy_mounts,
+-                storages,
+-                persistent_volume_claims,
+-                container,
+-                settings,
+-                volumes,
+-            );
+-        }
++        yaml::get_container_mounts_and_storages(
++            policy_mounts,
++            storages,
++            persistent_volume_claims,
++            container,
++            settings,
++            &self.spec.template.spec.volumes,
++        );
+     }
+ 
+     fn generate_policy(&self, agent_policy: &policy::AgentPolicy) -> String {
+diff --git a/src/tools/genpolicy/src/job.rs b/src/tools/genpolicy/src/job.rs
+index bca1463017bb7359fb59d1ebbf1ae801c0f17190..32c1048f6b979b38e598169892c75adbb725a983 100644
+--- a/src/tools/genpolicy/src/job.rs
++++ b/src/tools/genpolicy/src/job.rs
+@@ -70,16 +70,14 @@ impl yaml::K8sResource for Job {
+         container: &pod::Container,
+         settings: &settings::Settings,
+     ) {
+-        if let Some(volumes) = &self.spec.template.spec.volumes {
+-            yaml::get_container_mounts_and_storages(
+-                policy_mounts,
+-                storages,
+-                persistent_volume_claims,
+-                container,
+-                settings,
+-                volumes,
+-            );
+-        }
++        yaml::get_container_mounts_and_storages(
++            policy_mounts,
++            storages,
++            persistent_volume_claims,
++            container,
++            settings,
++            &self.spec.template.spec.volumes,
++        );
+     }
+ 
+     fn generate_policy(&self, agent_policy: &policy::AgentPolicy) -> String {
+diff --git a/src/tools/genpolicy/src/mount_and_storage.rs b/src/tools/genpolicy/src/mount_and_storage.rs
+index 09bc89fdf7e6eb239428adbb093c9cb5962da8a7..0c2b5e58a45317d4d614ac51b7e0b5f035c8f11f 100644
+--- a/src/tools/genpolicy/src/mount_and_storage.rs
++++ b/src/tools/genpolicy/src/mount_and_storage.rs
+@@ -108,6 +108,10 @@ pub fn get_mount_and_storage(
+     yaml_volume: &volume::Volume,
+     yaml_mount: &pod::VolumeMount,
+ ) {
++    debug!(
++        "get_mount_and_storage: adding mount and storage for: {:?}",
++        &yaml_volume
++    );
+     let propagation = match yaml_mount.mountPropagation.as_deref() {
+         Some("Bidirectional") => "rshared",
+         Some("HostToContainer") => "rslave",
+@@ -422,6 +426,60 @@ fn get_downward_api_mount(yaml_mount: &pod::VolumeMount, p_mounts: &mut Vec<poli
+     }
+ }
+ 
++pub fn get_image_mount_and_storage(
++    settings: &settings::Settings,
++    p_mounts: &mut Vec<policy::KataMount>,
++    storages: &mut Vec<agent::Storage>,
++    destination: &str,
++) {
++    // https://github.com/kubernetes/examples/blob/master/cassandra/image/Dockerfile
++    // has a volume mount starting with two '/' characters:
++    //
++    // CASSANDRA_DATA=/cassandra_data
++    // VOLUME ["/$CASSANDRA_DATA"]
++    let mut destination_string = destination.to_string();
++    while destination_string.contains("//") {
++        destination_string = destination_string.replace("//", "/");
++    }
++    debug!("get_image_mount_and_storage: image dest = {destination}, dest = {destination_string}");
++
++    for mount in &mut *p_mounts {
++        if mount.destination == destination_string {
++            debug!(
++                "get_image_mount_and_storage: mount {destination_string} already defined by YAML"
++            );
++            return;
++        }
++    }
++
++    let settings_image = &settings.volumes.image_volume;
++    debug!(
++        "get_image_mount_and_storage: settings for container image volumes: {:?}",
++        settings_image
++    );
++
++    storages.push(agent::Storage {
++        driver: settings_image.driver.clone(),
++        driver_options: Vec::new(),
++        source: settings_image.source.clone(),
++        fstype: settings_image.fstype.clone(),
++        options: settings_image.options.clone(),
++        mount_point: destination_string.clone(),
++        fs_group: None,
++    });
++
++    let file_name = Path::new(&destination_string).file_name().unwrap();
++    let name = OsString::from(file_name).into_string().unwrap();
++    let source = format!("{}{name}$", &settings_image.mount_source);
++
++    p_mounts.push(policy::KataMount {
++        destination: destination_string,
++        type_: settings_image.fstype.clone(),
++        source,
++        options: settings_image.options.clone(),
++    });
++}
++
+ fn get_ephemeral_mount(
+     settings: &settings::Settings,
+     yaml_mount: &pod::VolumeMount,
+diff --git a/src/tools/genpolicy/src/pod.rs b/src/tools/genpolicy/src/pod.rs
+index 4a40c957042e73ba584b66bc681469458a7f18f4..f5bf61bec420ed7ee642818e10ecdca80f710ad8 100644
+--- a/src/tools/genpolicy/src/pod.rs
++++ b/src/tools/genpolicy/src/pod.rs
+@@ -846,16 +846,14 @@ impl yaml::K8sResource for Pod {
+         container: &Container,
+         settings: &settings::Settings,
+     ) {
+-        if let Some(volumes) = &self.spec.volumes {
+-            yaml::get_container_mounts_and_storages(
+-                policy_mounts,
+-                storages,
+-                persistent_volume_claims,
+-                container,
+-                settings,
+-                volumes,
+-            );
+-        }
++        yaml::get_container_mounts_and_storages(
++            policy_mounts,
++            storages,
++            persistent_volume_claims,
++            container,
++            settings,
++            &self.spec.volumes,
++        );
+     }
+ 
+     fn generate_policy(&self, agent_policy: &policy::AgentPolicy) -> String {
+diff --git a/src/tools/genpolicy/src/registry.rs b/src/tools/genpolicy/src/registry.rs
+index b212eeb8bca209d9916249fe8e01351f5943823c..bdce2d40e3a7c3ec34137ceb3685fcc94aedcb39 100644
+--- a/src/tools/genpolicy/src/registry.rs
++++ b/src/tools/genpolicy/src/registry.rs
+@@ -23,11 +23,13 @@ use sha2::{digest::typenum::Unsigned, digest::OutputSizeUser, Sha256};
+ use std::fs::OpenOptions;
+ use std::io::BufWriter;
+ use std::{io, io::Seek, io::Write, path::Path};
++use std::collections::BTreeMap;
+ use tokio::io::AsyncWriteExt;
+ 
+ /// Container image properties obtained from an OCI repository.
+ #[derive(Clone, Debug, Default)]
+ pub struct Container {
++    pub image: String,
+     pub config_layer: DockerConfigLayer,
+     pub image_layers: Vec<ImageLayer>,
+ }
+@@ -36,19 +38,20 @@ pub struct Container {
+ #[derive(Clone, Debug, Default, Deserialize, Serialize)]
+ pub struct DockerConfigLayer {
+     architecture: String,
+-    config: DockerImageConfig,
++    pub config: DockerImageConfig,
+     pub rootfs: DockerRootfs,
+ }
+ 
+-/// Image config properties.
++/// See: https://docs.docker.com/reference/dockerfile/.
+ #[derive(Clone, Debug, Default, Deserialize, Serialize)]
+-struct DockerImageConfig {
++pub struct DockerImageConfig {
+     User: Option<String>,
+     Tty: Option<bool>,
+     Env: Option<Vec<String>>,
+     Cmd: Option<Vec<String>>,
+     WorkingDir: Option<String>,
+     Entrypoint: Option<Vec<String>>,
++    pub Volumes: Option<BTreeMap<String, DockerVolumeHostDirectory>>
+ }
+ 
+ /// Container rootfs information.
+@@ -65,10 +68,20 @@ pub struct ImageLayer {
+     pub verity_hash: String,
+ }
+ 
++/// See https://docs.docker.com/reference/dockerfile/#volume.
++#[derive(Clone, Debug, Serialize, Deserialize)]
++pub struct DockerVolumeHostDirectory {
++    // This struct is empty because, according to the documentation:
++    // "The VOLUME instruction does not support specifying a host-dir
++    // parameter. You must specify the mountpoint when you create or
++    // run the container."
++}
++
+ impl Container {
+     pub async fn new(layers_cache_file_path: Option<String>, image: &str) -> Result<Self> {
+         info!("============================================");
+         info!("Pulling manifest and config for {:?}", image);
++        let image_string = image.to_string();
+         let reference: Reference = image.to_string().parse().unwrap();
+         let auth = build_auth(&reference);
+ 
+@@ -94,6 +107,7 @@ impl Container {
+ 
+                 let config_layer: DockerConfigLayer =
+                     serde_json::from_str(&config_layer_str).unwrap();
++                debug!("config_layer: {:?}", &config_layer);
+                 let image_layers = get_image_layers(
+                     layers_cache_file_path,
+                     &mut client,
+@@ -105,6 +119,7 @@ impl Container {
+                 .unwrap();
+ 
+                 Ok(Container {
++                    image: image_string,
+                     config_layer,
+                     image_layers,
+                 })
+diff --git a/src/tools/genpolicy/src/registry_containerd.rs b/src/tools/genpolicy/src/registry_containerd.rs
+index 333a4dd33032c4842e70d5e618b4660fa2ffb6c5..793137224b88d4a562ea214bbc8d93316563f863 100644
+--- a/src/tools/genpolicy/src/registry_containerd.rs
++++ b/src/tools/genpolicy/src/registry_containerd.rs
+@@ -46,7 +46,8 @@ impl Container {
+         let ctrd_client = containerd_client::Client::from(containerd_channel.clone());
+         let k8_cri_image_client = ImageServiceClient::new(containerd_channel);
+ 
+-        let image_ref: Reference = image.to_string().parse().unwrap();
++        let image_str = image.to_string();
++        let image_ref: Reference = image_str.parse().unwrap();
+ 
+         info!("Pulling image: {:?}", image_ref);
+ 
+@@ -67,6 +68,7 @@ impl Container {
+         .await?;
+ 
+         Ok(Container {
++            image: image_str,
+             config_layer,
+             image_layers,
+         })
+diff --git a/src/tools/genpolicy/src/replica_set.rs b/src/tools/genpolicy/src/replica_set.rs
+index 094daf1da4cf2f202cfc41e76a0f693bdf84e46a..205937f0a9f1e17b5e2b1a6ab9e3d67d5263daa5 100644
+--- a/src/tools/genpolicy/src/replica_set.rs
++++ b/src/tools/genpolicy/src/replica_set.rs
+@@ -68,16 +68,14 @@ impl yaml::K8sResource for ReplicaSet {
+         container: &pod::Container,
+         settings: &settings::Settings,
+     ) {
+-        if let Some(volumes) = &self.spec.template.spec.volumes {
+-            yaml::get_container_mounts_and_storages(
+-                policy_mounts,
+-                storages,
+-                persistent_volume_claims,
+-                container,
+-                settings,
+-                volumes,
+-            );
+-        }
++        yaml::get_container_mounts_and_storages(
++            policy_mounts,
++            storages,
++            persistent_volume_claims,
++            container,
++            settings,
++            &self.spec.template.spec.volumes,
++        );
+     }
+ 
+     fn generate_policy(&self, agent_policy: &policy::AgentPolicy) -> String {
+diff --git a/src/tools/genpolicy/src/replication_controller.rs b/src/tools/genpolicy/src/replication_controller.rs
+index 55788a45c2e0ede93b5fb27349b9096d6dc706ef..049e6a1394ba4c1151f44dc56abe1392102f5582 100644
+--- a/src/tools/genpolicy/src/replication_controller.rs
++++ b/src/tools/genpolicy/src/replication_controller.rs
+@@ -70,16 +70,14 @@ impl yaml::K8sResource for ReplicationController {
+         container: &pod::Container,
+         settings: &settings::Settings,
+     ) {
+-        if let Some(volumes) = &self.spec.template.spec.volumes {
+-            yaml::get_container_mounts_and_storages(
+-                policy_mounts,
+-                storages,
+-                persistent_volume_claims,
+-                container,
+-                settings,
+-                volumes,
+-            );
+-        }
++        yaml::get_container_mounts_and_storages(
++            policy_mounts,
++            storages,
++            persistent_volume_claims,
++            container,
++            settings,
++            &self.spec.template.spec.volumes,
++        );
+     }
+ 
+     fn generate_policy(&self, agent_policy: &policy::AgentPolicy) -> String {
+diff --git a/src/tools/genpolicy/src/settings.rs b/src/tools/genpolicy/src/settings.rs
+index 3d86971914ad4a659cab4bba0737ca53a183c2ba..a388f074e5168abb14c40c324c8aeef74062cdc0 100644
+--- a/src/tools/genpolicy/src/settings.rs
++++ b/src/tools/genpolicy/src/settings.rs
+@@ -34,6 +34,7 @@ pub struct Volumes {
+     pub emptyDir_memory: EmptyDirVolume,
+     pub configMap: ConfigMapVolume,
+     pub confidential_configMap: ConfigMapVolume,
++    pub image_volume: ImageVolume
+ }
+ 
+ /// EmptyDir volume settings loaded from genpolicy-settings.json.
+@@ -59,6 +60,17 @@ pub struct ConfigMapVolume {
+     pub options: Vec<String>,
+ }
+ 
++/// Container image volume settings loaded from genpolicy-settings.json.
++#[derive(Clone, Debug, Serialize, Deserialize)]
++pub struct ImageVolume {
++    pub mount_type: String,
++    pub mount_source: String,
++    pub driver: String,
++    pub source: String,
++    pub fstype: String,
++    pub options: Vec<String>,
++}
++
+ /// Data corresponding to the kata runtime config file data, loaded from
+ /// genpolicy-settings.json.
+ #[derive(Clone, Debug, Serialize, Deserialize)]
+diff --git a/src/tools/genpolicy/src/stateful_set.rs b/src/tools/genpolicy/src/stateful_set.rs
+index d25398358f526116f5b766ffba6db2e287e0f8e9..aa25bf5a78443dce6493fe5a2a2c3a3b6bd8c00c 100644
+--- a/src/tools/genpolicy/src/stateful_set.rs
++++ b/src/tools/genpolicy/src/stateful_set.rs
+@@ -118,17 +118,6 @@ impl yaml::K8sResource for StatefulSet {
+         container: &pod::Container,
+         settings: &settings::Settings,
+     ) {
+-        if let Some(volumes) = &self.spec.template.spec.volumes {
+-            yaml::get_container_mounts_and_storages(
+-                policy_mounts,
+-                storages,
+-                persistent_volume_claims,
+-                container,
+-                settings,
+-                volumes,
+-            );
+-        }
+-
+         // Example:
+         //
+         // containers:
+@@ -159,6 +148,15 @@ impl yaml::K8sResource for StatefulSet {
+                 );
+             }
+         }
++
++        yaml::get_container_mounts_and_storages(
++            policy_mounts,
++            storages,
++            persistent_volume_claims,
++            container,
++            settings,
++            &self.spec.template.spec.volumes,
++        );
+     }
+ 
+     fn generate_policy(&self, agent_policy: &policy::AgentPolicy) -> String {
+diff --git a/src/tools/genpolicy/src/yaml.rs b/src/tools/genpolicy/src/yaml.rs
+index c898240af337f3cb7cfc34fa1398cb5a6bd828a5..07ebb32aea0ae8265c8deb8c32fb02242d1a7d84 100644
+--- a/src/tools/genpolicy/src/yaml.rs
++++ b/src/tools/genpolicy/src/yaml.rs
+@@ -251,24 +251,41 @@ pub fn get_container_mounts_and_storages(
+     persistent_volume_claims: &[pvc::PersistentVolumeClaim],
+     container: &pod::Container,
+     settings: &settings::Settings,
+-    volumes: &Vec<volume::Volume>,
++    volumes_option: &Option<Vec<volume::Volume>>,
+ ) {
+-    if let Some(volume_mounts) = &container.volumeMounts {
+-        for volume in volumes {
+-            for volume_mount in volume_mounts {
+-                if volume_mount.name.eq(&volume.name) {
+-                    mount_and_storage::get_mount_and_storage(
+-                        settings,
+-                        policy_mounts,
+-                        storages,
+-                        persistent_volume_claims,
+-                        volume,
+-                        volume_mount,
+-                    );
++    if let Some(volumes) = volumes_option {
++        if let Some(volume_mounts) = &container.volumeMounts {
++            for volume in volumes {
++                for volume_mount in volume_mounts {
++                    if volume_mount.name.eq(&volume.name) {
++                        mount_and_storage::get_mount_and_storage(
++                            settings,
++                            policy_mounts,
++                            storages,
++                            persistent_volume_claims,
++                            volume,
++                            volume_mount,
++                        );
++                    }
+                 }
+             }
+         }
+     }
++
++    // Add storage and mount for each volume defined in the docker container image
++    // configuration layer.
++    if let Some(volumes) = &container.registry.config_layer.config.Volumes {
++        for volume in volumes {
++            debug!("get_container_mounts_and_storages: {:?}", &volume);
++
++            mount_and_storage::get_image_mount_and_storage(
++                settings,
++                policy_mounts,
++                storages,
++                volume.0,
++            );
++        }
++    }
+ }
+ 
+ /// Add the "io.katacontainers.config.agent.policy" annotation into
+diff --git a/tests/integration/kubernetes/k8s-policy-deployments.bats b/tests/integration/kubernetes/k8s-policy-deployments.bats
+new file mode 100644
+index 0000000000000000000000000000000000000000..8919c7dae1536ba62a84a8ab27370498f2a76704
+--- /dev/null
++++ b/tests/integration/kubernetes/k8s-policy-deployments.bats
+@@ -0,0 +1,47 @@
++#!/usr/bin/env bats
++#
++# Copyright (c) 2024 Microsoft.
++#
++# SPDX-License-Identifier: Apache-2.0
++#
++
++load "${BATS_TEST_DIRNAME}/../../common.bash"
++load "${BATS_TEST_DIRNAME}/tests_common.sh"
++
++setup() {
++    auto_generate_policy_enabled || skip "Auto-generated policy tests are disabled."
++
++    get_pod_config_dir
++
++    deployment_name="policy-redis-deployment"
++    deployment_yaml="${pod_config_dir}/k8s-policy-deployment.yaml"
++
++    # Add an appropriate policy to the correct YAML file.
++    policy_settings_dir="$(create_tmp_policy_settings_dir "${pod_config_dir}")"
++    add_requests_to_policy_settings "${policy_settings_dir}" "ReadStreamRequest"
++    auto_generate_policy "${policy_settings_dir}" "${deployment_yaml}"
++}
++
++@test "Successful deployment with auto-generated policy and container image volumes" {
++    # Initiate deployment
++    kubectl apply -f "${deployment_yaml}"
++
++    # Wait for the deployment to be created
++    cmd="kubectl rollout status --timeout=1s deployment/${deployment_name} | grep 'successfully rolled out'"
++    info "Waiting for: ${cmd}"
++    waitForProcess "${wait_time}" "${sleep_time}" "${cmd}"
++}
++
++teardown() {
++    auto_generate_policy_enabled || skip "Auto-generated policy tests are disabled."
++
++    # Debugging information
++    info "Deployment ${deployment_name}:"
++    kubectl describe deployment "${deployment_name}"
++    kubectl rollout status deployment/${deployment_name}
++
++    # Clean-up
++    kubectl delete deployment "${deployment_name}"
++
++    delete_tmp_policy_settings_dir "${policy_settings_dir}"
++}
+diff --git a/tests/integration/kubernetes/run_kubernetes_tests.sh b/tests/integration/kubernetes/run_kubernetes_tests.sh
+index b16c22ae64fa23f3a42fd4915d9c1f0eee6812eb..203128f51e357b17c4a8c0e832619c08c1b35746 100644
+--- a/tests/integration/kubernetes/run_kubernetes_tests.sh
++++ b/tests/integration/kubernetes/run_kubernetes_tests.sh
+@@ -45,6 +45,7 @@ else
+ 		"k8s-optional-empty-secret.bats" \
+ 		"k8s-pid-ns.bats" \
+ 		"k8s-pod-quota.bats" \
++    "k8s-policy-deployments.bats" \
+ 		"k8s-port-forward.bats" \
+ 		"k8s-projected-volume.bats" \
+ 		"k8s-qos-pods.bats" \
+diff --git a/tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-deployment.yaml b/tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-deployment.yaml
+new file mode 100644
+index 0000000000000000000000000000000000000000..407b99729061dc7e651296afcc10ce6138e481af
+--- /dev/null
++++ b/tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-deployment.yaml
+@@ -0,0 +1,36 @@
++#
++# Copyright (c) 2024 Microsoft
++#
++# SPDX-License-Identifier: Apache-2.0
++#
++apiVersion: apps/v1
++kind: Deployment
++metadata:
++  name: policy-redis-deployment
++  labels:
++    app: policyredis
++spec:
++  selector:
++    matchLabels:
++      app: policyredis
++      role: master
++      tier: backend
++  replicas: 1
++  template:
++    metadata:
++      labels:
++        app: policyredis
++        role: master
++        tier: backend
++    spec:
++      terminationGracePeriodSeconds: 0
++      runtimeClassName: kata
++      containers:
++      - name: master
++        image: quay.io/opstree/redis
++        resources:
++          requests:
++            cpu: 100m
++            memory: 100Mi
++        ports:
++        - containerPort: 6379
diff --git a/packages/by-name/microsoft/genpolicy/package.nix b/packages/by-name/microsoft/genpolicy/package.nix
index 4286550cd2..928e62b8e4 100644
--- a/packages/by-name/microsoft/genpolicy/package.nix
+++ b/packages/by-name/microsoft/genpolicy/package.nix
@@ -55,6 +55,10 @@ rustPlatform.buildRustPackage rec {
       # We can revisit this if microsoft upstreamed
       # https://github.com/microsoft/kata-containers/pull/174
       ./0006-genpolicy-support-HostToContainer-mount-propagation.patch
+      # This patch is a port of https://github.com/kata-containers/kata-containers/pull/10136/files
+      # to microsofts genpolicy.
+      # remove when picked up by Microsoft/kata-containers fork.
+      ./0007-genpolicy-support-for-VOLUME-definition-in-container.patch
     ];
   };