Ensure that the runtime mounts RO volumes read-only #58720
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
k8s-ci-robot
added
release-note
|
/unassign @dims |
k8s-ci-robot
added
kind/bug
|
/approve |
k8s-ci-robot
added
the
approved
k8s-ci-robot
added
size/M
|
/retest |
|
I am afraid this is behavior change. Volumes that were not read-only are read-only now. As you can see in e2e test updates, it can break existing applications. IMO it is the right way to go, however I am not sure a small release note is enough. @saad-ali, what do you think? |
|
/retest |
|
Due to the issues raised by @jsafrane we should probably hold this PR until we get a 👍 from @smarterclayton and/or @saad-ali . /hold |
k8s-ci-robot
added
the
do-not-merge/hold
liggitt
reviewed
Jan 25, 2018
Applications that relied on persisting data in these locations were already broken, since the volume sync would remove that data at a later point in time. A release note seems sufficient to me (updated the release note with additional context) |
|
/retest |
|
The |
ichtar
pushed a commit
to Bestmile/charts
that referenced
this pull request
May 15, 2018
* Update statefulset.yaml ConfigMaps are read-only since Kubernetes 1.9.4 (kubernetes/kubernetes#58720). The rabbitmq-ha Chart uses a ConfigMap to provision /etc/rabbitmq. The official RabbitMQ docker image modifies these files in its docker-entrypoint.sh. This PR adds an initContainer to the StatefulSet to copy the configs from the ConfigMap to a new emptyDir volume. * Update Chart.yaml Bump version * Update statefulset.yaml
ichtar
pushed a commit
to Bestmile/charts
that referenced
this pull request
May 15, 2018
…refactor (helm#4281) * Rename manifests to align with best practices * Refactor minio chart - add ingress resource - consolidate svc resource to support all deployment modes - update labels and selectors to align with helm best practices - general cleanup to align with helm best practices/patterns observed in `helm create` - update values, README and _helpers accordingly - bump image tag - bump chart version * Fix issue caused by ConfigMaps now being mounted ReadOnly Tested on: k8s 1.8.10 and 1.9.6 Related: kubernetes/kubernetes#58720 Fixes: helm#4272 * Bump chart version to 1.0.0
ichtar
pushed a commit
to Bestmile/charts
that referenced
this pull request
May 15, 2018
…figMap to an EmptyDir (helm#4271) * Update deployment.yaml ConfigMaps are mounted read-only since Kubernetes 1.9.4 (kubernetes/kubernetes#58720). The Grafana Chart uses a ConfigMap to provision the config- and dashboard directories. Grafana tries to create/modify files in these directories, which is not allowed anymore. This PR adds an busybox initContainer to the Deployment that copies the files from the ConfigMap to a new emptyDir, similar to helm#4169. Fixes helm#4267. * bump Chart version
theinrichs
pushed a commit
to theinrichs/gitlab
that referenced
this pull request
May 25, 2018
See kubernetes/kubernetes#58720 The chown breaks the gitlab startup in k8s 1.9 and is not necessary.
theinrichs
pushed a commit
to inovex/gitlab
that referenced
this pull request
May 25, 2018
See kubernetes/kubernetes#58720 The chown breaks the gitlab startup in k8s 1.9 and is not necessary.
Closed
This was referenced Jul 22, 2018
|
How can I create executable files with configMap now? |
voron
pushed a commit
to dysnix/helm-charts
that referenced
this pull request
Sep 5, 2018
* Update statefulset.yaml ConfigMaps are read-only since Kubernetes 1.9.4 (kubernetes/kubernetes#58720). The rabbitmq-ha Chart uses a ConfigMap to provision /etc/rabbitmq. The official RabbitMQ docker image modifies these files in its docker-entrypoint.sh. This PR adds an initContainer to the StatefulSet to copy the configs from the ConfigMap to a new emptyDir volume. * Update Chart.yaml Bump version * Update statefulset.yaml Signed-off-by: voron <av@arilot.com>
voron
pushed a commit
to dysnix/helm-charts
that referenced
this pull request
Sep 5, 2018
…refactor (helm#4281) * Rename manifests to align with best practices * Refactor minio chart - add ingress resource - consolidate svc resource to support all deployment modes - update labels and selectors to align with helm best practices - general cleanup to align with helm best practices/patterns observed in `helm create` - update values, README and _helpers accordingly - bump image tag - bump chart version * Fix issue caused by ConfigMaps now being mounted ReadOnly Tested on: k8s 1.8.10 and 1.9.6 Related: kubernetes/kubernetes#58720 Fixes: helm#4272 * Bump chart version to 1.0.0 Signed-off-by: voron <av@arilot.com>
voron
pushed a commit
to dysnix/helm-charts
that referenced
this pull request
Sep 5, 2018
…figMap to an EmptyDir (helm#4271) * Update deployment.yaml ConfigMaps are mounted read-only since Kubernetes 1.9.4 (kubernetes/kubernetes#58720). The Grafana Chart uses a ConfigMap to provision the config- and dashboard directories. Grafana tries to create/modify files in these directories, which is not allowed anymore. This PR adds an busybox initContainer to the Deployment that copies the files from the ConfigMap to a new emptyDir, similar to helm#4169. Fixes helm#4267. * bump Chart version Signed-off-by: voron <av@arilot.com>
manics
pushed a commit
to ome/minio-helm-chart
that referenced
this pull request
Oct 8, 2018
…refactor (#4281) * Rename manifests to align with best practices * Refactor minio chart - add ingress resource - consolidate svc resource to support all deployment modes - update labels and selectors to align with helm best practices - general cleanup to align with helm best practices/patterns observed in `helm create` - update values, README and _helpers accordingly - bump image tag - bump chart version * Fix issue caused by ConfigMaps now being mounted ReadOnly Tested on: k8s 1.8.10 and 1.9.6 Related: kubernetes/kubernetes#58720 Fixes: helm/charts#4272 * Bump chart version to 1.0.0
gochist
pushed a commit
to gochist/charts
that referenced
this pull request
Mar 27, 2019
* Update statefulset.yaml ConfigMaps are read-only since Kubernetes 1.9.4 (kubernetes/kubernetes#58720). The rabbitmq-ha Chart uses a ConfigMap to provision /etc/rabbitmq. The official RabbitMQ docker image modifies these files in its docker-entrypoint.sh. This PR adds an initContainer to the StatefulSet to copy the configs from the ConfigMap to a new emptyDir volume. * Update Chart.yaml Bump version * Update statefulset.yaml
endrec
pushed a commit
to Rungway/charts-we-use
that referenced
this pull request
Aug 14, 2020
…figMap to an EmptyDir (#4271) * Update deployment.yaml ConfigMaps are mounted read-only since Kubernetes 1.9.4 (kubernetes/kubernetes#58720). The Grafana Chart uses a ConfigMap to provision the config- and dashboard directories. Grafana tries to create/modify files in these directories, which is not allowed anymore. This PR adds an busybox initContainer to the Deployment that copies the files from the ConfigMap to a new emptyDir, similar to #4169. Fixes #4267. * bump Chart version
endrec
pushed a commit
to Rungway/charts-we-use
that referenced
this pull request
Aug 14, 2020
* Update statefulset.yaml ConfigMaps are read-only since Kubernetes 1.9.4 (kubernetes/kubernetes#58720). The rabbitmq-ha Chart uses a ConfigMap to provision /etc/rabbitmq. The official RabbitMQ docker image modifies these files in its docker-entrypoint.sh. This PR adds an initContainer to the StatefulSet to copy the configs from the ConfigMap to a new emptyDir volume. * Update Chart.yaml Bump version * Update statefulset.yaml
torstenwalter
pushed a commit
to grafana/helm-charts
that referenced
this pull request
Sep 4, 2020
…figMap to an EmptyDir (#4271) * Update deployment.yaml ConfigMaps are mounted read-only since Kubernetes 1.9.4 (kubernetes/kubernetes#58720). The Grafana Chart uses a ConfigMap to provision the config- and dashboard directories. Grafana tries to create/modify files in these directories, which is not allowed anymore. This PR adds an busybox initContainer to the Deployment that copies the files from the ConfigMap to a new emptyDir, similar to #4169. Fixes #4267. * bump Chart version
torstenwalter
pushed a commit
to grafana/helm-charts
that referenced
this pull request
Sep 4, 2020
…figMap to an EmptyDir (#4271) * Update deployment.yaml ConfigMaps are mounted read-only since Kubernetes 1.9.4 (kubernetes/kubernetes#58720). The Grafana Chart uses a ConfigMap to provision the config- and dashboard directories. Grafana tries to create/modify files in these directories, which is not allowed anymore. This PR adds an busybox initContainer to the Deployment that copies the files from the ConfigMap to a new emptyDir, similar to #4169. Fixes #4267. * bump Chart version
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What this PR does / why we need it:
This change is part of the fix to address CVE-2017-1002102 (#60814).
This change makes it so that containers cannot write to secret, configMap, downwardAPI and projected volumes since the runtime will now mount them read-only. This change makes things less confusing for a user since any attempt to update a secret volume will result in an error rather than a successful change followed by a revert by the kubelet when the volume next syncs.
It also adds a feature gate
ReadOnlyAPIDataVolumesto a provide a way to disable the new behavior in 1.10, but for 1.11, the new behavior will become non-optional.Also, E2E tests for downwardAPI and projected volumes are updated to mount the volumes somewhere other than /etc.
Which issue(s) this PR fixes
Fixes #58719
Fixes #60814 for master / 1.10
Release note: