mirror of https://github.com/k3s-io/k3s
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

Ensure that the runtime mounts RO volumes read-only

**What this PR does / why we need it**:

This change makes it so that containers cannot write to secret, configMap, downwardAPI and projected volumes, since the runtime will now mount them read-only. This makes things less confusing for a user, since any attempt to update a secret volume will result in an error rather than a successful change followed by a revert by the kubelet when the volume next syncs. It also adds a feature gate `ReadOnlyAPIDataVolumes` to provide a way to disable the new behavior in 1.10, but for 1.11 the new behavior will become non-optional.

Also, E2E tests for downwardAPI and projected volumes are updated to mount the volumes somewhere other than /etc.

**Which issue(s) this PR fixes**: Fixes #58719

**Release note**:

```release-note
Containers now mount secret, configMap, downwardAPI and projected volumes read-only. Previously, container modifications to files in these types of volumes were temporary and reverted by the kubelet during volume sync. Until version 1.11, setting the feature gate ReadOnlyAPIDataVolumes=false will preserve the old behavior.
```
Directory listing: `..`, `BUILD`, `kube_features.go`
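The behavior this PR describes can be verified from inside a running container without any cluster access: the kubelet backs secret, configMap, downwardAPI and projected volumes with tmpfs, and after this change the runtime mounts them with the `ro` option. The script below is an added example, not code from this PR or from Kubernetes. It parses a mountinfo-style file (the format of `/proc/self/mountinfo`), reports whether a given mount point is read-only, and lists any tmpfs mounts that are still writable, which is what the pre-1.10 behavior (or `ReadOnlyAPIDataVolumes=false`) looks like. The three mountinfo lines and the `/config` path are constructed sample data; the service-account path is the default one the kubelet uses for projected token volumes.

```shell
#!/bin/sh
# Added example (not part of the PR): audit read-only API data volumes
# by parsing /proc/self/mountinfo-style input. Works with POSIX sh + awk.

# mount_is_readonly <mountinfo_file> <mount_point>
# Prints "ro" or "rw" and returns 0 if the mount point is present,
# prints nothing and returns 1 if it is not mounted at all.
mount_is_readonly() {
    awk -v target="$2" '
        $5 == target {
            # Field 5 is the mount point, field 6 the per-mount options
            # (e.g. "ro,relatime" or "rw,nosuid"). Optional fields and the
            # "-" separator come later, so these positions are stable.
            n = split($6, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "ro") { print "ro"; found = 1; exit }
            print "rw"; found = 1; exit
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# writable_tmpfs_mounts <mountinfo_file>
# Prints every tmpfs mount point whose options lack "ro". Secret, configMap,
# downwardAPI and projected volumes are tmpfs-backed, so a non-empty result
# means some API data volume is still writable from the container.
writable_tmpfs_mounts() {
    awk '{
        fstype = ""
        # The filesystem type is the field right after the "-" separator,
        # whose position varies because of optional fields (e.g. "master:1").
        for (i = 7; i <= NF; i++) if ($i == "-") { fstype = $(i + 1); break }
        if (fstype == "tmpfs" && $6 !~ /(^|,)ro(,|$)/) print $5
    }' "$1"
}

# Constructed sample: root overlay, a read-only projected token volume,
# and a configMap-style tmpfs mount that was left writable.
SAMPLE_MOUNTINFO="$(mktemp)"
trap 'rm -f "$SAMPLE_MOUNTINFO"' EXIT
cat > "$SAMPLE_MOUNTINFO" <<'EOF'
1 0 0:1 / / rw,relatime - overlay overlay rw,lowerdir=/l,upperdir=/u,workdir=/w
2 1 0:2 / /var/run/secrets/kubernetes.io/serviceaccount ro,relatime master:1 - tmpfs tmpfs rw
3 1 0:3 / /config rw,relatime - tmpfs tmpfs rw
EOF

# Stand-alone run: report on the sample, then flag writable tmpfs mounts.
mount_is_readonly "$SAMPLE_MOUNTINFO" /var/run/secrets/kubernetes.io/serviceaccount
for m in $(writable_tmpfs_mounts "$SAMPLE_MOUNTINFO"); do
    echo "writable tmpfs mount (possible API data volume): $m"
done
```

Inside a pod, point both functions at `/proc/self/mountinfo` instead of the sample file; on a node with the new behavior, `writable_tmpfs_mounts` should print nothing for the volume types named in the release note, and `mount_is_readonly` on the service-account path should print `ro`.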