mirror of https://github.com/k3s-io/k3s
8c6be65f4c
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Ensure that the runtime mounts RO volumes read-only **What this PR does / why we need it**: This change makes it so that containers cannot write to secret, configMap, downwardAPI and projected volumes since the runtime will now mount them read-only. This change makes things less confusing for a user since any attempt to update a secret volume will result in an error rather than a successful change followed by a revert by the kubelet when the volume next syncs. It also adds a feature gate `ReadOnlyAPIDataVolumes` to a provide a way to disable the new behavior in 1.10, but for 1.11, the new behavior will become non-optional. Also, E2E tests for downwardAPI and projected volumes are updated to mount the volumes somewhere other than /etc. **Which issue(s) this PR fixes** Fixes #58719 **Release note**: ```release-note Containers now mount secret, configMap, downwardAPI and projected volumes read-only. Previously, container modifications to files in these types of volumes were temporary and reverted by the kubelet during volume sync. Until version 1.11, setting the feature gate ReadOnlyAPIDataVolumes=false will preserve the old behavior. ``` |
||
|---|---|---|
| .. | ||
| apis | ||
| cadvisor | ||
| certificate | ||
| checkpoint | ||
| client | ||
| cm | ||
| config | ||
| configmap | ||
| container | ||
| custommetrics | ||
| dockershim | ||
| envvars | ||
| events | ||
| eviction | ||
| gpu | ||
| images | ||
| kubeletconfig | ||
| kuberuntime | ||
| leaky | ||
| lifecycle | ||
| metrics | ||
| mountpod | ||
| network | ||
| pleg | ||
| pod | ||
| preemption | ||
| prober | ||
| qos | ||
| remote | ||
| rkt | ||
| secret | ||
| server | ||
| stats | ||
| status | ||
| sysctl | ||
| types | ||
| util | ||
| volumemanager | ||
| winstats | ||
| BUILD | ||
| OWNERS | ||
| active_deadline.go | ||
| active_deadline_test.go | ||
| doc.go | ||
| kubelet.go | ||
| kubelet_getters.go | ||
| kubelet_getters_test.go | ||
| kubelet_network.go | ||
| kubelet_network_test.go | ||
| kubelet_node_status.go | ||
| kubelet_node_status_test.go | ||
| kubelet_pods.go | ||
| kubelet_pods_test.go | ||
| kubelet_pods_windows_test.go | ||
| kubelet_resources.go | ||
| kubelet_resources_test.go | ||
| kubelet_test.go | ||
| kubelet_volumes.go | ||
| kubelet_volumes_test.go | ||
| oom_watcher.go | ||
| oom_watcher_test.go | ||
| pod_container_deletor.go | ||
| pod_container_deletor_test.go | ||
| pod_workers.go | ||
| pod_workers_test.go | ||
| reason_cache.go | ||
| reason_cache_test.go | ||
| runonce.go | ||
| runonce_test.go | ||
| runtime.go | ||
| util.go | ||
| volume_host.go | ||