author: Jan Safranek <jsafrane@redhat.com> 2017-08-03 16:42:50 +0200
committer: Jan Safranek <jsafrane@redhat.com> 2017-08-03 16:42:50 +0200
commit: fb3e2f97ddfc86f47105e113ad46ee9764368ea6
tree: c8e2de6940010c3af4eace773bccaa86fb3dead9
parent: 67cd5443727ed90b98bcc2dfb5d7e46000c4a671
Move Propagation to HostPathVolumeSource
-rw-r--r-- contributors/design-proposals/propagation.md | 34
1 file changed, 22 insertions(+), 12 deletions(-)
diff --git a/contributors/design-proposals/propagation.md b/contributors/design-proposals/propagation.md
index 6bd880e2..352b40b8 100644
--- a/contributors/design-proposals/propagation.md
+++ b/contributors/design-proposals/propagation.md
@@ -66,9 +66,9 @@ The new `VolumeMount` will look like:
```go
const (
- PropagationRShared PropagationMode = "RShared"
- PropagationRSlave PropagationMode = "RSlave"
- PropagationPrivate PropagationMode = "Private"
+ MountPropagationRShared MountPropagationMode = "RShared"
+ MountPropagationRSlave MountPropagationMode = "RSlave"
+ MountPropagationPrivate MountPropagationMode = "Private"
)
type VolumeMount struct {
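Review bot: the constants are retyped to `MountPropagationMode`, but this hunk shows no matching rename of the type declaration; if `type PropagationMode string` is still what the file declares, the Go snippet no longer compiles as written. Suggest showing `type MountPropagationMode string` inside the block so the example is self-contained. Separately, the values stay CamelCase (`"RShared"`, `"RSlave"`, `"Private"`) while the prose added later in this patch spells them `rshared`/`rslave`/`private`; settle on one spelling for the API values.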
@@ -100,18 +100,23 @@ The new `HostPathVolumeSource` will look like:
```go
const (
- PropagationRShared PropagationMode = "RShared"
- PropagationRSlave PropagationMode = "RSlave"
- PropagationPrivate PropagationMode = "Private"
+ MountPropagationRShared MountPropagationMode = "RShared"
+ MountPropagationRSlave MountPropagationMode = "RSlave"
+ MountPropagationPrivate MountPropagationMode = "Private"
)
type HostPathVolumeSource struct {
Path string `json:"path"`
// Mount the host path with propagation mode specified. Docker only.
- Propagation PropagationMode `json:"propagation,omitempty"`
+ MountPropagation MountPropagationMode `json:"propagation,omitempty"`
}
```
+The default mount propagation is `rslave`. Any HostPath can ask for `private`.
+Only privileged containers can use HostPath with `rshared` mount propagation -
+kubelet silently downgrades the propagation to `rslave` when running `rshared`
+HostPath in a non-privileged container.
+
Opinion against this:
1. This need API change, which is discouraged.
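Review bot: the field is renamed to `MountPropagation` but its tag still reads `json:"propagation,omitempty"`; Kubernetes API fields serialize under the lowerCamel form of the Go name, so this should be `json:"mountPropagation,omitempty"` (the VolumeMount variant earlier in the file has the same mismatch). The new paragraph also states that kubelet "silently downgrades" `rshared` to `rslave` for non-privileged containers; a silent change of mount semantics is hard to diagnose, so kubelet should at least log and emit a pod event when it downgrades, otherwise an operator who requested `rshared` has no signal that the mount is actually `rslave`. Minor: the default is written as `rslave` here while the constant above is `"RSlave"`.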
@@ -120,6 +125,12 @@ Opinion against this:
1. (From @jonboulle) May cause cross-runtime compatibility issue.
+1. It's not possible to validate a pod + mount propagation. Mount propagation
+ is stored in a HostPath PersistentVolume object, while privileged mode is
+ stored in Pod object. Validator sees only one object and we don't do
+ cross-object validation and can't reject non-provileged pod that uses a PV
+ with shared mount propagation.
+
### Make HostPath shared for privileged containers, slave for non-privileged.
Given only HostPath needs this feature, and CAP_SYS_ADMIN access is needed when
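Review bot: typo in the new objection, "non-provileged" should be "non-privileged". The objection could also be stated more precisely: a HostPath PersistentVolume and the Pod that binds it are validated as separate objects, so the "privileged only" rule cannot be enforced by API validation and has to be applied by kubelet at mount time, which is the downgrade behaviour the Decision section below relies on.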
@@ -162,12 +173,11 @@ and something prevents it from starting if `/sys` is shared.
## Decision
-* We will take 'Add an option in VolumeMount API'
+* We will take 'Add an option in HostPathVolumeSource API'
* With an alpha feature gate in 1.8.
- * With validation that it can be used only with HostPath volumes.
- * With validation that shared propagation can be used only in privileged
- containers.
- * kubernetes/kubernetes#46444
+ * Only privileged containers can use `rshared` mount propagation.
+ * When non-privileged container uses `rshared` HostPath, it silently
+ downgrades it to `rslave`.
* Kubelet will make sure that at least `/var/lib/kubelet` can be share-able into
containers and it will refuse to start if it's unsuccessful
* kubernetes/kubernetes#45724
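Review bot: the bullet "When non-privileged container uses `rshared` HostPath, it silently downgrades it to `rslave`" replaces the earlier validation bullet that rejected such pods, but provides no user-visible signal; recommend dropping "silently" and committing kubelet to a log line plus a pod event on downgrade, so a pod that asked for `rshared` and got `rslave` can be diagnosed. Grammar: "When a non-privileged container uses". The reference to kubernetes/kubernetes#46444 is removed along with the validation bullets; if that issue still tracks this work it should stay, as #45724 is kept for the `/var/lib/kubelet` bullet.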