Ensure that the runtime mounts RO volumes read-only #58720
What this PR does / why we need it:
This change is part of the fix to address CVE-2017-1002102 (#60814).
This change makes it so that containers cannot write to secret, configMap, downwardAPI and projected volumes since the runtime will now mount them read-only. This change makes things less confusing for a user since any attempt to update a secret volume will result in an error rather than a successful change followed by a revert by the kubelet when the volume next syncs.
It also adds a feature gate
Also, E2E tests for downwardAPI and projected volumes are updated to mount the volumes somewhere other than /etc.
Which issue(s) this PR fixes
Fixes #60814 for master / 1.10
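To make the behaviour change concrete, here is an added example (not code from this PR or from the kubelet) that models the rule the description states: the runtime is handed a mount as read-only either because the user declared it so or, when the gate is on, because the volume is a secret, configMap, downwardAPI or projected volume. The types are a hypothetical, simplified pod model, not the k8s.io/api types; `WritableAPIDataMounts` is an audit helper for finding the mounts whose writes will start failing after the change.

```go
package main

import "fmt"

// Hypothetical, simplified pod model (not the k8s.io/api types).
type VolumeSource struct{ Secret, ConfigMap, DownwardAPI, Projected, EmptyDir bool }
type Volume struct{ Name string; Source VolumeSource }
type VolumeMount struct{ Name, MountPath string; ReadOnly bool } // Name references a Volume.Name
type Container struct{ Name string; Mounts []VolumeMount }
type PodSpec struct{ Volumes []Volume; Containers []Container }

// EffectiveReadOnly is the read-only flag the runtime ends up with: the mount's own
// setting, or forced on when the gate is enabled and the volume holds API data
// (secret, configMap, downwardAPI or projected).
func EffectiveReadOnly(spec PodSpec, m VolumeMount, gateEnabled bool) bool {
	for _, v := range spec.Volumes {
		if v.Name == m.Name {
			s := v.Source
			return m.ReadOnly || (gateEnabled && (s.Secret || s.ConfigMap || s.DownwardAPI || s.Projected))
		}
	}
	return m.ReadOnly // unknown volume name: leave the mount as declared
}

// WritableAPIDataMounts lists "container:path" for mounts declared writable on API-data
// volumes: writes there succeed today and are reverted on the next kubelet sync, but
// fail with a read-only error once the runtime mounts the volume read-only.
func WritableAPIDataMounts(spec PodSpec) []string {
	var out []string
	for _, c := range spec.Containers {
		for _, m := range c.Mounts {
			if !m.ReadOnly && EffectiveReadOnly(spec, m, true) {
				out = append(out, c.Name+":"+m.MountPath)
			}
		}
	}
	return out
}

func main() {
	// Constructed sample: a secret and an emptyDir, both mounted writable by the app container.
	spec := PodSpec{
		Volumes:    []Volume{{"creds", VolumeSource{Secret: true}}, {"scratch", VolumeSource{EmptyDir: true}}},
		Containers: []Container{{"app", []VolumeMount{{"creds", "/etc/creds", false}, {"scratch", "/scratch", false}}}},
	}
	fmt.Println(WritableAPIDataMounts(spec)) // [app:/etc/creds]
}
```

Running the audit over existing pod specs before enabling the gate surfaces exactly the workloads the e2e test updates in this PR had to fix.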
Jan 23, 2018
I am afraid this is a behavior change. Volumes that were not read-only are read-only now. As you can see in the e2e test updates, it can break existing applications.
IMO it is the right way to go, however I am not sure a small release note is enough.
@saad-ali, what do you think?
Applications that relied on persisting data in these locations were already broken, since the volume sync would remove that data at a later point in time. A release note seems sufficient to me (updated the release note with additional context).