Ensure that the runtime mounts RO volumes read-only #58720
Conversation
/unassign @dims
/approve
/retest
I am afraid this is behavior change. Volumes that were not read-only are read-only now. As you can see in e2e test updates, it can break existing applications. IMO it is the right way to go, however I am not sure a small release note is enough. @saad-ali, what do you think?
/retest
Due to the issues raised by @jsafrane we should probably hold this PR until we get a 👍 from @smarterclayton and/or @saad-ali . /hold
Applications that relied on persisting data in these locations were already broken, since the volume sync would remove that data at a later point in time. A release note seems sufficient to me (updated the release note with additional context)
/retest
The |
* Update statefulset.yaml ConfigMaps are read-only since Kubernetes 1.9.4 (kubernetes/kubernetes#58720). The rabbitmq-ha Chart uses a ConfigMap to provision /etc/rabbitmq. The official RabbitMQ docker image modifies these files in its docker-entrypoint.sh. This PR adds an initContainer to the StatefulSet to copy the configs from the ConfigMap to a new emptyDir volume. * Update Chart.yaml Bump version * Update statefulset.yaml
…refactor (helm#4281) * Rename manifests to align with best practices * Refactor minio chart - add ingress resource - consolidate svc resource to support all deployment modes - update labels and selectors to align with helm best practices - general cleanup to align with helm best practices/patterns observed in `helm create` - update values, README and _helpers accordingly - bump image tag - bump chart version * Fix issue caused by ConfigMaps now being mounted ReadOnly Tested on: k8s 1.8.10 and 1.9.6 Related: kubernetes/kubernetes#58720 Fixes: helm#4272 * Bump chart version to 1.0.0
…figMap to an EmptyDir (helm#4271) * Update deployment.yaml ConfigMaps are mounted read-only since Kubernetes 1.9.4 (kubernetes/kubernetes#58720). The Grafana Chart uses a ConfigMap to provision the config- and dashboard directories. Grafana tries to create/modify files in these directories, which is not allowed anymore. This PR adds an busybox initContainer to the Deployment that copies the files from the ConfigMap to a new emptyDir, similar to helm#4169. Fixes helm#4267. * bump Chart version
See kubernetes/kubernetes#58720 The chown breaks the gitlab startup in k8s 1.9 and is not necessary.
How can I create executable files with configMap now?
What this PR does / why we need it:
This change is part of the fix to address CVE-2017-1002102 (#60814).
This change makes it so that containers cannot write to secret, configMap, downwardAPI and projected volumes since the runtime will now mount them read-only. This change makes things less confusing for a user since any attempt to update a secret volume will result in an error rather than a successful change followed by a revert by the kubelet when the volume next syncs.
It also adds a feature gate `ReadOnlyAPIDataVolumes` to provide a way to disable the new behavior in 1.10, but for 1.11, the new behavior will become non-optional. Also, E2E tests for downwardAPI and projected volumes are updated to mount the volumes somewhere other than /etc.
Which issue(s) this PR fixes:
Fixes #58719
Fixes #60814 for master / 1.10
Release note:
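The manifest below is an added example, not code from this PR or from the Helm charts whose commits reference it. It shows the behavior the description introduces (a ConfigMap volume the container cannot write to) together with the workaround those chart commits adopted: an initContainer copies the files into an emptyDir that the application may modify. It also answers the question above about executable files, which need no copy at all when `defaultMode` is set on the volume. The names `demo-scripts`, `demo-pod` and the busybox tag are assumptions.

```yaml
# Added example; names and image tag are assumptions, not values from the PR.
apiVersion: v1
kind: ConfigMap
metadata:
  name: demo-scripts
data:
  entrypoint.sh: |
    #!/bin/sh
    echo "running from a writable copy"
    # This write would fail with EROFS on the ConfigMap mount itself.
    touch /scripts/marker
---
apiVersion: v1
kind: Pod
metadata:
  name: demo-pod
spec:
  volumes:
  - name: scripts-ro
    configMap:
      name: demo-scripts
      # Execute bit is set on the mounted files; no copy is needed just to run them.
      defaultMode: 0755
  - name: scripts-rw
    # Writable scratch space owned by the pod; use it when the app must modify files.
    emptyDir: {}
  initContainers:
  - name: copy-scripts
    image: busybox:1.28
    # Copy out of the read-only mount and set the mode on the copy; a chmod or any
    # write against /ro fails now that the runtime mounts ConfigMap volumes read-only.
    command: ["sh", "-c", "cp /ro/* /scripts/ && chmod 0755 /scripts/entrypoint.sh"]
    volumeMounts:
    - name: scripts-ro
      mountPath: /ro
    - name: scripts-rw
      mountPath: /scripts
  containers:
  - name: app
    image: busybox:1.28
    # Runs from the writable copy, so the touch in the script succeeds.
    command: ["/scripts/entrypoint.sh"]
    volumeMounts:
    - name: scripts-rw
      mountPath: /scripts
```

On a 1.10 kubelet the read-only behavior can be switched off with the `ReadOnlyAPIDataVolumes` feature gate named in the description, but since the description states it becomes non-optional in 1.11, the copy pattern is the forward-compatible fix.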