From ce1918875f636b8e6c869f947a93b23ef071d7e9 Mon Sep 17 00:00:00 2001
From: Akihiro Suda
Date: Sat, 9 Mar 2024 09:48:12 +0900
Subject: [PATCH] pod: dropDisabledFields: recognize RecursiveReadOnlyMounts

Signed-off-by: Akihiro Suda
---
 pkg/api/pod/util.go | 47 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)

diff --git a/pkg/api/pod/util.go b/pkg/api/pod/util.go
index 06948894247..c81669df93e 100644
--- a/pkg/api/pod/util.go
+++ b/pkg/api/pod/util.go
@@ -685,6 +685,24 @@ func dropDisabledFields(
 // For other types of containers, validateContainers will handle them.
 }

+ if !utilfeature.DefaultFeatureGate.Enabled(features.RecursiveReadOnlyMounts) && !rroInUse(oldPodSpec) {
+ for i := range podSpec.Containers {
+ for j := range podSpec.Containers[i].VolumeMounts {
+ podSpec.Containers[i].VolumeMounts[j].RecursiveReadOnly = nil
+ }
+ }
+ for i := range podSpec.InitContainers {
+ for j := range podSpec.InitContainers[i].VolumeMounts {
+ podSpec.InitContainers[i].VolumeMounts[j].RecursiveReadOnly = nil
+ }
+ }
+ for i := range podSpec.EphemeralContainers {
+ for j := range podSpec.EphemeralContainers[i].VolumeMounts {
+ podSpec.EphemeralContainers[i].VolumeMounts[j].RecursiveReadOnly = nil
+ }
+ }
+ }
+
 dropPodLifecycleSleepAction(podSpec, oldPodSpec)
 }
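Review bot: The three hand-unrolled loops that clear `RecursiveReadOnly` duplicate the traversal the new `rroInUse` helper already does through `VisitContainers(podSpec, AllContainers, ...)`; using the visitor here too keeps the drop and the in-use check walking the same set of containers if another container kind is ever added (assuming, as its `*api.Container` parameter suggests, the visitor hands out a pointer into the spec rather than a copy). The block is also the only one in view without an explanatory comment; `// Drop RecursiveReadOnly from every volume mount: the gate is off and no existing container relies on it.` would do. That comment should also say the drop is silent — a client asking for a recursive read-only mount on a gate-disabled server gets a plain top-level read-only mount and no error, so it must not assume the request took effect. dropDisabledFields begins before this hunk, so whether podSpec can be nil at this point is not visible here.
```go
	if !utilfeature.DefaultFeatureGate.Enabled(features.RecursiveReadOnlyMounts) && !rroInUse(oldPodSpec) {
		// Drop RecursiveReadOnly from every volume mount of every container kind:
		// the gate is off and no existing container relies on it. The drop is
		// silent; callers cannot assume the requested mode took effect.
		VisitContainers(podSpec, AllContainers, func(c *api.Container, _ ContainerType) bool {
			for i := range c.VolumeMounts {
				c.VolumeMounts[i].RecursiveReadOnly = nil
			}
			return true
		})
	}
	// … unchanged: dropPodLifecycleSleepAction call …
```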
@@ -790,6 +808,18 @@ func dropDisabledPodStatusFields(podStatus, oldPodStatus *api.PodStatus, podSpec
 if !utilfeature.DefaultFeatureGate.Enabled(features.PodHostIPs) && !hostIPsInUse(oldPodStatus) {
 podStatus.HostIPs = nil
 }
+
+ if !utilfeature.DefaultFeatureGate.Enabled(features.RecursiveReadOnlyMounts) && !rroInUse(oldPodSpec) {
+ for i := range podStatus.ContainerStatuses {
+ podStatus.ContainerStatuses[i].VolumeMounts = nil
+ }
+ for i := range podStatus.InitContainerStatuses {
+ podStatus.InitContainerStatuses[i].VolumeMounts = nil
+ }
+ for i := range podStatus.EphemeralContainerStatuses {
+ podStatus.EphemeralContainerStatuses[i].VolumeMounts = nil
+ }
+ }
 }

 func hostIPsInUse(podStatus *api.PodStatus) bool {
@@ -1102,6 +1132,23 @@ func clusterTrustBundleProjectionInUse(podSpec *api.PodSpec) bool {
 return false
 }

+func rroInUse(podSpec *api.PodSpec) bool {
+ if podSpec == nil {
+ return false
+ }
+ var inUse bool
+ VisitContainers(podSpec, AllContainers, func(c *api.Container, _ ContainerType) bool {
+ for _, f := range c.VolumeMounts {
+ if f.RecursiveReadOnly != nil {
+ inUse = true
+ return false
+ }
+ }
+ return true
+ })
+ return inUse
+}
+
 func dropDisabledClusterTrustBundleProjection(podSpec, oldPodSpec *api.PodSpec) {
 if utilfeature.DefaultFeatureGate.Enabled(features.ClusterTrustBundleProjection) {
 return
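Review bot: The status drop is keyed on `rroInUse(oldPodSpec)`, i.e. the old spec, whereas the `hostIPsInUse(oldPodStatus)` check directly above keys the same kind of decision on the old status. If a persisted status already carries `VolumeMounts` entries (written while the gate was on) but the old spec never set `RecursiveReadOnly`, every status update through a gate-disabled apiserver clears them even though the request did not touch that field, which is what the in-use pattern exists to avoid; if that reading holds, the condition should become `!rroInUse(oldPodSpec) && !rroStatusInUse(oldPodStatus)` with a small status-side helper. Whether the kubelet reports mounts that carry no explicit RecursiveReadOnly request is not visible here, so the exposure may be narrower than described. dropDisabledPodStatusFields begins before this hunk.
```go
	if !utilfeature.DefaultFeatureGate.Enabled(features.RecursiveReadOnlyMounts) &&
		!rroInUse(oldPodSpec) && !rroStatusInUse(oldPodStatus) {
		// … unchanged: clearing VolumeMounts on the three status slices …
	}

// rroStatusInUse reports whether any container status in podStatus already
// carries volume mount entries, so a gate-disabled apiserver preserves them
// on updates that do not touch the field. A nil status is never in use.
func rroStatusInUse(podStatus *api.PodStatus) bool {
	if podStatus == nil {
		return false
	}
	for _, list := range [][]api.ContainerStatus{
		podStatus.ContainerStatuses,
		podStatus.InitContainerStatuses,
		podStatus.EphemeralContainerStatuses,
	} {
		for i := range list {
			if len(list[i].VolumeMounts) > 0 {
				return true
			}
		}
	}
	return false
}
```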
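Review bot: `rroInUse` has no doc comment, and its contract is not obvious from the body: any explicitly set value counts as in use whatever it is, and a nil spec reports false; suggest `// rroInUse reports whether any container, init container or ephemeral container in podSpec sets RecursiveReadOnly (to any value, including Disabled) on a volume mount; a nil spec is never in use.` The loop variable `f` reads like a file handle while it ranges over volume mounts — `m` or `mount` says what it is. The visitor's `return false` after setting `inUse` is an early exit from `VisitContainers`, which a one-line comment such as `// one explicit value is enough; stop visiting` would make clear to the next reader.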