• Kubernetes Submit Queue's avatar
    Merge pull request #58720 from joelsmith/ro-vol · 8c6be65f
    Kubernetes Submit Queue authored
    Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
    
    Ensure that the runtime mounts RO volumes read-only
    
    **What this PR does / why we need it**:
    
    This change makes it so that containers cannot write to secret, configMap, downwardAPI and projected volumes since the runtime will now mount them read-only. This change makes things less confusing for a user since any attempt to update a secret volume will result in an error rather than a successful change followed by a revert by the kubelet when the volume next syncs.
    
    It also adds a feature gate `ReadOnlyAPIDataVolumes` to a provide a way to disable the new behavior in 1.10, but for 1.11, the new behavior will become non-optional.
    
    Also, E2E tests for downwardAPI and projected volumes are updated to mount the volumes somewhere other than /etc.
    
    **Which issue(s) this PR fixes**
    Fixes #58719 
    
    **Release note**:
    ```release-note
    Containers now mount secret, configMap, downwardAPI and projected volumes read-only. Previously,
    container modifications to files in these types of volumes were temporary and reverted by the kubelet
    during volume sync. Until version 1.11, setting the feature gate ReadOnlyAPIDataVolumes=false will
    preserve the old behavior.
    ```
    8c6be65f
Name
Last commit
Last update
..
BUILD Loading commit data...
kube_features.go Loading commit data...