Merge pull request #70495 from rosti/writable-to-readonly-volumes

kubeadm: Writable to ReadOnly in HostPathMount
2025-07-29 14:37:00 +00:00 · 2018-11-03 01:43:02 -07:00 · 2018-11-03 01:43:02 -07:00 · 474e27f914
commit 474e27f914
parent d50e920906 6c9e347e31
11 changed files with 119 additions and 37 deletions
--- a/cmd/kubeadm/app/apis/kubeadm/types.go
+++ b/cmd/kubeadm/app/apis/kubeadm/types.go
@ -369,8 +369,8 @@ type HostPathMount struct {
 	HostPath string
 	// MountPath is the path inside the pod where hostPath will be mounted.
 	MountPath string
-	// Writable controls write access to the volume
-	Writable bool
+	// ReadOnly controls write access to the volume
+	ReadOnly bool
 	// PathType is the type of the HostPath.
 	PathType v1.HostPathType
 }
--- a/cmd/kubeadm/app/apis/kubeadm/v1alpha3/conversion.go
+++ b/cmd/kubeadm/app/apis/kubeadm/v1alpha3/conversion.go
@ -17,8 +17,6 @@ limitations under the License.
 package v1alpha3

 import (
-	"unsafe"
-
 	"k8s.io/apimachinery/pkg/conversion"
 	"k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
 )
@ -85,14 +83,20 @@ func Convert_v1alpha3_ClusterConfiguration_To_kubeadm_ClusterConfiguration(in *C
 	}

 	out.APIServer.ExtraArgs = in.APIServerExtraArgs
-	out.APIServer.ExtraVolumes = *(*[]kubeadm.HostPathMount)(unsafe.Pointer(&in.APIServerExtraVolumes))
 	out.APIServer.CertSANs = in.APIServerCertSANs
+	if err := convertSlice_v1alpha3_HostPathMount_To_kubeadm_HostPathMount(&in.APIServerExtraVolumes, &out.APIServer.ExtraVolumes, s); err != nil {
+		return err
+	}

 	out.ControllerManager.ExtraArgs = in.ControllerManagerExtraArgs
-	out.ControllerManager.ExtraVolumes = *(*[]kubeadm.HostPathMount)(unsafe.Pointer(&in.ControllerManagerExtraVolumes))
+	if err := convertSlice_v1alpha3_HostPathMount_To_kubeadm_HostPathMount(&in.ControllerManagerExtraVolumes, &out.ControllerManager.ExtraVolumes, s); err != nil {
+		return err
+	}

 	out.Scheduler.ExtraArgs = in.SchedulerExtraArgs
-	out.Scheduler.ExtraVolumes = *(*[]kubeadm.HostPathMount)(unsafe.Pointer(&in.SchedulerExtraVolumes))
+	if err := convertSlice_v1alpha3_HostPathMount_To_kubeadm_HostPathMount(&in.SchedulerExtraVolumes, &out.Scheduler.ExtraVolumes, s); err != nil {
+		return err
+	}

 	return nil
 }
@ -103,14 +107,66 @@ func Convert_kubeadm_ClusterConfiguration_To_v1alpha3_ClusterConfiguration(in *k
 	}

 	out.APIServerExtraArgs = in.APIServer.ExtraArgs
-	out.APIServerExtraVolumes = *(*[]HostPathMount)(unsafe.Pointer(&in.APIServer.ExtraVolumes))
 	out.APIServerCertSANs = in.APIServer.CertSANs
+	if err := convertSlice_kubeadm_HostPathMount_To_v1alpha3_HostPathMount(&in.APIServer.ExtraVolumes, &out.APIServerExtraVolumes, s); err != nil {
+		return err
+	}

 	out.ControllerManagerExtraArgs = in.ControllerManager.ExtraArgs
-	out.ControllerManagerExtraVolumes = *(*[]HostPathMount)(unsafe.Pointer(&in.ControllerManager.ExtraVolumes))
+	if err := convertSlice_kubeadm_HostPathMount_To_v1alpha3_HostPathMount(&in.ControllerManager.ExtraVolumes, &out.ControllerManagerExtraVolumes, s); err != nil {
+		return err
+	}

 	out.SchedulerExtraArgs = in.Scheduler.ExtraArgs
-	out.SchedulerExtraVolumes = *(*[]HostPathMount)(unsafe.Pointer(&in.Scheduler.ExtraVolumes))
+	if err := convertSlice_kubeadm_HostPathMount_To_v1alpha3_HostPathMount(&in.Scheduler.ExtraVolumes, &out.SchedulerExtraVolumes, s); err != nil {
+		return err
+	}

 	return nil
 }
+
+func Convert_v1alpha3_HostPathMount_To_kubeadm_HostPathMount(in *HostPathMount, out *kubeadm.HostPathMount, s conversion.Scope) error {
+	if err := autoConvert_v1alpha3_HostPathMount_To_kubeadm_HostPathMount(in, out, s); err != nil {
+		return err
+	}
+
+	out.ReadOnly = !in.Writable
+	return nil
+}
+
+func Convert_kubeadm_HostPathMount_To_v1alpha3_HostPathMount(in *kubeadm.HostPathMount, out *HostPathMount, s conversion.Scope) error {
+	if err := autoConvert_kubeadm_HostPathMount_To_v1alpha3_HostPathMount(in, out, s); err != nil {
+		return err
+	}
+
+	out.Writable = !in.ReadOnly
+	return nil
+}
+
+func convertSlice_v1alpha3_HostPathMount_To_kubeadm_HostPathMount(in *[]HostPathMount, out *[]kubeadm.HostPathMount, s conversion.Scope) error {
+	if *in != nil {
+		*out = make([]kubeadm.HostPathMount, len(*in))
+		for i := range *in {
+			if err := Convert_v1alpha3_HostPathMount_To_kubeadm_HostPathMount(&(*in)[i], &(*out)[i], s); err != nil {
+				return err
+			}
+		}
+	} else {
+		*out = nil
+	}
+	return nil
+}
+
+func convertSlice_kubeadm_HostPathMount_To_v1alpha3_HostPathMount(in *[]kubeadm.HostPathMount, out *[]HostPathMount, s conversion.Scope) error {
+	if *in != nil {
+		*out = make([]HostPathMount, len(*in))
+		for i := range *in {
+			if err := Convert_kubeadm_HostPathMount_To_v1alpha3_HostPathMount(&(*in)[i], &(*out)[i], s); err != nil {
+				return err
+			}
+		}
+	} else {
+		*out = nil
+	}
+	return nil
+}
--- a/cmd/kubeadm/app/apis/kubeadm/v1alpha3/zz_generated.conversion.go
+++ b/cmd/kubeadm/app/apis/kubeadm/v1alpha3/zz_generated.conversion.go
@ -182,6 +182,11 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
+	if err := s.AddConversionFunc((*kubeadm.HostPathMount)(nil), (*HostPathMount)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_kubeadm_HostPathMount_To_v1alpha3_HostPathMount(a.(*kubeadm.HostPathMount), b.(*HostPathMount), scope)
+	}); err != nil {
+		return err
+	}
 	if err := s.AddConversionFunc((*kubeadm.JoinConfiguration)(nil), (*JoinConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_kubeadm_JoinConfiguration_To_v1alpha3_JoinConfiguration(a.(*kubeadm.JoinConfiguration), b.(*JoinConfiguration), scope)
 	}); err != nil {
@ -192,6 +197,11 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
+	if err := s.AddConversionFunc((*HostPathMount)(nil), (*kubeadm.HostPathMount)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha3_HostPathMount_To_kubeadm_HostPathMount(a.(*HostPathMount), b.(*kubeadm.HostPathMount), scope)
+	}); err != nil {
+		return err
+	}
 	if err := s.AddConversionFunc((*JoinConfiguration)(nil), (*kubeadm.JoinConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_v1alpha3_JoinConfiguration_To_kubeadm_JoinConfiguration(a.(*JoinConfiguration), b.(*kubeadm.JoinConfiguration), scope)
 	}); err != nil {
@ -422,30 +432,20 @@ func autoConvert_v1alpha3_HostPathMount_To_kubeadm_HostPathMount(in *HostPathMou
 	out.Name = in.Name
 	out.HostPath = in.HostPath
 	out.MountPath = in.MountPath
-	out.Writable = in.Writable
+	// WARNING: in.Writable requires manual conversion: does not exist in peer-type
 	out.PathType = corev1.HostPathType(in.PathType)
 	return nil
 }

-// Convert_v1alpha3_HostPathMount_To_kubeadm_HostPathMount is an autogenerated conversion function.
-func Convert_v1alpha3_HostPathMount_To_kubeadm_HostPathMount(in *HostPathMount, out *kubeadm.HostPathMount, s conversion.Scope) error {
-	return autoConvert_v1alpha3_HostPathMount_To_kubeadm_HostPathMount(in, out, s)
-}
-
 func autoConvert_kubeadm_HostPathMount_To_v1alpha3_HostPathMount(in *kubeadm.HostPathMount, out *HostPathMount, s conversion.Scope) error {
 	out.Name = in.Name
 	out.HostPath = in.HostPath
 	out.MountPath = in.MountPath
-	out.Writable = in.Writable
+	// WARNING: in.ReadOnly requires manual conversion: does not exist in peer-type
 	out.PathType = corev1.HostPathType(in.PathType)
 	return nil
 }

-// Convert_kubeadm_HostPathMount_To_v1alpha3_HostPathMount is an autogenerated conversion function.
-func Convert_kubeadm_HostPathMount_To_v1alpha3_HostPathMount(in *kubeadm.HostPathMount, out *HostPathMount, s conversion.Scope) error {
-	return autoConvert_kubeadm_HostPathMount_To_v1alpha3_HostPathMount(in, out, s)
-}
-
 func autoConvert_v1alpha3_InitConfiguration_To_kubeadm_InitConfiguration(in *InitConfiguration, out *kubeadm.InitConfiguration, s conversion.Scope) error {
 	if err := Convert_v1alpha3_ClusterConfiguration_To_kubeadm_ClusterConfiguration(&in.ClusterConfiguration, &out.ClusterConfiguration, s); err != nil {
 		return err
--- a/cmd/kubeadm/app/apis/kubeadm/v1beta1/doc.go
+++ b/cmd/kubeadm/app/apis/kubeadm/v1beta1/doc.go
@ -207,7 +207,7 @@ limitations under the License.
 //	  - name: "some-volume"
 //	    hostPath: "/etc/some-path"
 //	    mountPath: "/etc/some-pod-path"
-//	    writable: true
+//	    readOnly: false
 //	    pathType: File
 //	  certSANs:
 //	  - "10.100.1.1"
@ -219,7 +219,7 @@ limitations under the License.
 //	  - name: "some-volume"
 //	    hostPath: "/etc/some-path"
 //	    mountPath: "/etc/some-pod-path"
-//	    writable: true
+//	    readOnly: false
 //	    pathType: File
 //	scheduler:
 //	  extraArgs:
@ -228,7 +228,7 @@ limitations under the License.
 //	  - name: "some-volume"
 //	    hostPath: "/etc/some-path"
 //	    mountPath: "/etc/some-pod-path"
-//	    writable: true
+//	    readOnly: false
 //	    pathType: File
 //	certificatesDir: "/etc/kubernetes/pki"
 //	imageRepository: "k8s.gcr.io"
--- a/cmd/kubeadm/app/apis/kubeadm/v1beta1/types.go
+++ b/cmd/kubeadm/app/apis/kubeadm/v1beta1/types.go
@ -336,8 +336,8 @@ type HostPathMount struct {
 	HostPath string `json:"hostPath"`
 	// MountPath is the path inside the pod where hostPath will be mounted.
 	MountPath string `json:"mountPath"`
-	// Writable controls write access to the volume
-	Writable bool `json:"writable,omitempty"`
+	// ReadOnly controls write access to the volume
+	ReadOnly bool `json:"readOnly,omitempty"`
 	// PathType is the type of the HostPath.
 	PathType v1.HostPathType `json:"pathType,omitempty"`
 }
--- a/cmd/kubeadm/app/apis/kubeadm/v1beta1/zz_generated.conversion.go
+++ b/cmd/kubeadm/app/apis/kubeadm/v1beta1/zz_generated.conversion.go
@ -590,7 +590,7 @@ func autoConvert_v1beta1_HostPathMount_To_kubeadm_HostPathMount(in *HostPathMoun
 	out.Name = in.Name
 	out.HostPath = in.HostPath
 	out.MountPath = in.MountPath
-	out.Writable = in.Writable
+	out.ReadOnly = in.ReadOnly
 	out.PathType = corev1.HostPathType(in.PathType)
 	return nil
 }
@ -604,7 +604,7 @@ func autoConvert_kubeadm_HostPathMount_To_v1beta1_HostPathMount(in *kubeadm.Host
 	out.Name = in.Name
 	out.HostPath = in.HostPath
 	out.MountPath = in.MountPath
-	out.Writable = in.Writable
+	out.ReadOnly = in.ReadOnly
 	out.PathType = corev1.HostPathType(in.PathType)
 	return nil
 }
--- a/cmd/kubeadm/app/phases/controlplane/volumes.go
+++ b/cmd/kubeadm/app/phases/controlplane/volumes.go
@ -151,7 +151,7 @@ func (c *controlPlaneHostPathMounts) AddExtraHostPathMounts(component string, ex
 	for _, extraVol := range extraVols {
 		fmt.Printf("[controlplane] Adding extra host path mount %q to %q\n", extraVol.Name, component)
 		hostPathType := extraVol.PathType
-		c.NewHostPathMount(component, extraVol.Name, extraVol.HostPath, extraVol.MountPath, !extraVol.Writable, &hostPathType)
+		c.NewHostPathMount(component, extraVol.Name, extraVol.HostPath, extraVol.MountPath, extraVol.ReadOnly, &hostPathType)
 	}
 }

--- a/cmd/kubeadm/app/phases/controlplane/volumes_test.go
+++ b/cmd/kubeadm/app/phases/controlplane/volumes_test.go
@ -621,28 +621,28 @@ func TestAddExtraHostPathMounts(t *testing.T) {
 			Name:      "foo-0",
 			HostPath:  "/tmp/qux-0",
 			MountPath: "/tmp/qux-0",
-			Writable:  false,
+			ReadOnly:  true,
 			PathType:  v1.HostPathFile,
 		},
 		{
 			Name:      "bar-0",
 			HostPath:  "/tmp/asd-0",
 			MountPath: "/tmp/asd-0",
-			Writable:  true,
+			ReadOnly:  false,
 			PathType:  v1.HostPathDirectory,
 		},
 		{
 			Name:      "foo-1",
 			HostPath:  "/tmp/qux-1",
 			MountPath: "/tmp/qux-1",
-			Writable:  false,
+			ReadOnly:  true,
 			PathType:  v1.HostPathFileOrCreate,
 		},
 		{
 			Name:      "bar-1",
 			HostPath:  "/tmp/asd-1",
 			MountPath: "/tmp/asd-1",
-			Writable:  true,
+			ReadOnly:  false,
 			PathType:  v1.HostPathDirectoryOrCreate,
 		},
 	}
@ -672,8 +672,8 @@ func TestAddExtraHostPathMounts(t *testing.T) {
 		if volMount.MountPath != hostMount.MountPath {
 			t.Errorf("Expected container path %q", hostMount.MountPath)
 		}
-		if volMount.ReadOnly != !hostMount.Writable {
-			t.Errorf("Expected volume writable setting %t", hostMount.Writable)
+		if volMount.ReadOnly != hostMount.ReadOnly {
+			t.Errorf("Expected volume readOnly setting %t", hostMount.ReadOnly)
 		}
 	}
 }
--- a/cmd/kubeadm/app/util/config/testdata/conversion/master/internal.yaml
+++ b/cmd/kubeadm/app/util/config/testdata/conversion/master/internal.yaml
@ -5,7 +5,17 @@ APIServer:
  CertSANs: null
  ExtraArgs:
    authorization-mode: Node,RBAC,Webhook
-  ExtraVolumes: null
+  ExtraVolumes:
+  - HostPath: /host/read-only
+    MountPath: /mount/read-only
+    Name: ReadOnlyVolume
+    PathType: ""
+    ReadOnly: true
+  - HostPath: /host/writable
+    MountPath: /mount/writable
+    Name: WritableVolume
+    PathType: ""
+    ReadOnly: false
 AuditPolicyConfiguration:
  LogDir: /var/log/kubernetes/audit
  LogMaxAge: 2
--- a/cmd/kubeadm/app/util/config/testdata/conversion/master/v1alpha3.yaml
+++ b/cmd/kubeadm/app/util/config/testdata/conversion/master/v1alpha3.yaml
@ -20,6 +20,14 @@ nodeRegistration:
 ---
 apiServerExtraArgs:
  authorization-mode: Node,RBAC,Webhook
+apiServerExtraVolumes:
+- hostPath: /host/read-only
+  mountPath: /mount/read-only
+  name: ReadOnlyVolume
+- hostPath: /host/writable
+  mountPath: /mount/writable
+  name: WritableVolume
+  writable: true
 apiVersion: kubeadm.k8s.io/v1alpha3
 auditPolicy:
  logDir: /var/log/kubernetes/audit
--- a/cmd/kubeadm/app/util/config/testdata/conversion/master/v1beta1.yaml
+++ b/cmd/kubeadm/app/util/config/testdata/conversion/master/v1beta1.yaml
@ -21,6 +21,14 @@ nodeRegistration:
 apiServer:
  extraArgs:
    authorization-mode: Node,RBAC,Webhook
+  extraVolumes:
+  - hostPath: /host/read-only
+    mountPath: /mount/read-only
+    name: ReadOnlyVolume
+    readOnly: true
+  - hostPath: /host/writable
+    mountPath: /mount/writable
+    name: WritableVolume
 apiVersion: kubeadm.k8s.io/v1beta1
 auditPolicy:
  logDir: /var/log/kubernetes/audit