Merge pull request #26397 from euank/fixReadOnlyRootfsPanic

Automatic merge from submit-queue rkt: Fix panic in setting ReadOnlyRootFS What the title says. I wish this method were broken out in a reasonably unit testable way. fixing this panic is more important for the second though, testing will come in a later commit. I observed the panic in a `./hack/local-up-cluster.sh` run with rkt as the container runtime. This is also the panic that's failing our jenkins against master ([recent run](https://console.cloud.google.com/m/cloudstorage/b/rktnetes-jenkins/o/logs/kubernetes-e2e-gce/1946/artifacts/jenkins-e2e-minion-group-qjh3/kubelet.log for the log output of a recent run)) cc @tmrts @yifan-gu
2025-07-22 03:11:40 +00:00 · 2016-05-29 02:17:09 -07:00 · 2016-05-29 02:17:09 -07:00 · d00dec7825
commit d00dec7825
parent 825cd920ff ecfd8f723f
1 changed files with 7 additions and 4 deletions
--- a/pkg/kubelet/rkt/rkt.go
+++ b/pkg/kubelet/rkt/rkt.go
@ -767,10 +767,9 @@ func (r *Runtime) newAppcRuntimeApp(pod *api.Pod, podIP string, c api.Container,
 	}

 	ra := appcschema.RuntimeApp{
-		Name:           convertToACName(c.Name),
-		Image:          appcschema.RuntimeImage{ID: *hash},
-		App:            imgManifest.App,
-		ReadOnlyRootFS: *c.SecurityContext.ReadOnlyRootFilesystem,
+		Name:  convertToACName(c.Name),
+		Image: appcschema.RuntimeImage{ID: *hash},
+		App:   imgManifest.App,
 		Annotations: []appctypes.Annotation{
 			{
 				Name:  *appctypes.MustACIdentifier(k8sRktContainerHashAnno),
@ -783,6 +782,10 @@ func (r *Runtime) newAppcRuntimeApp(pod *api.Pod, podIP string, c api.Container,
 		},
 	}

+	if c.SecurityContext != nil && c.SecurityContext.ReadOnlyRootFilesystem != nil {
+		ra.ReadOnlyRootFS = *c.SecurityContext.ReadOnlyRootFilesystem
+	}
+
 	if mnt != nil {
 		ra.Annotations = append(ra.Annotations, appctypes.Annotation{
 			Name:  *appctypes.MustACIdentifier(k8sRktTerminationMessagePathAnno),