Merge pull request #54761 from ianchakeres/storage-read-only-pvSource

Automatic merge from submit-queue (batch tested with PRs 54761, 54748, 53991, 54485, 46951). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Validate that PersistentVolumeSource is not changed during PV Update **What this PR does / why we need it**: An administrator might change `PV.Spec.PersistentVolumeSource`, but Kubernetes does not have the ability perform this type of update. **Which issue this PR fixes** : fixes #54562 **Special notes for your reviewer**: N/A **Release note**: ``` Prevent updates to PV.Spec.PersistentVolumeSource. ```
2025-07-24 20:24:09 +00:00 · 2017-10-30 15:38:24 -07:00 · 2017-10-30 15:38:24 -07:00 · e19d401d61
commit e19d401d61
parent d7567cd6c7 b396cd6f8f
2 changed files with 67 additions and 0 deletions
--- a/pkg/api/validation/validation.go
+++ b/pkg/api/validation/validation.go
@ -1554,6 +1554,12 @@ func ValidatePersistentVolume(pv *api.PersistentVolume) field.ErrorList {
 func ValidatePersistentVolumeUpdate(newPv, oldPv *api.PersistentVolume) field.ErrorList {
 	allErrs := field.ErrorList{}
 	allErrs = ValidatePersistentVolume(newPv)
+
+	// PersistentVolumeSource should be immutable after creation.
+	if !apiequality.Semantic.DeepEqual(newPv.Spec.PersistentVolumeSource, oldPv.Spec.PersistentVolumeSource) {
+		allErrs = append(allErrs, field.Forbidden(field.NewPath("spec", "persistentvolumesource"), "is immutable after creation"))
+	}
+
 	newPv.Status = oldPv.Status
 	return allErrs
 }
--- a/pkg/api/validation/validation_test.go
+++ b/pkg/api/validation/validation_test.go
@ -349,6 +349,67 @@ func TestValidatePersistentVolumes(t *testing.T) {

 }

+func TestValidatePersistentVolumeSourceUpdate(t *testing.T) {
+	validVolume := testVolume("foo", "", api.PersistentVolumeSpec{
+		Capacity: api.ResourceList{
+			api.ResourceName(api.ResourceStorage): resource.MustParse("1G"),
+		},
+		AccessModes: []api.PersistentVolumeAccessMode{api.ReadWriteOnce},
+		PersistentVolumeSource: api.PersistentVolumeSource{
+			HostPath: &api.HostPathVolumeSource{
+				Path: "/foo",
+				Type: newHostPathType(string(api.HostPathDirectory)),
+			},
+		},
+		StorageClassName: "valid",
+	})
+	validPvSourceNoUpdate := validVolume.DeepCopy()
+	invalidPvSourceUpdateType := validVolume.DeepCopy()
+	invalidPvSourceUpdateType.Spec.PersistentVolumeSource = api.PersistentVolumeSource{
+		FlexVolume: &api.FlexVolumeSource{
+			Driver: "kubernetes.io/blue",
+			FSType: "ext4",
+		},
+	}
+	invalidPvSourceUpdateDeep := validVolume.DeepCopy()
+	invalidPvSourceUpdateDeep.Spec.PersistentVolumeSource = api.PersistentVolumeSource{
+		HostPath: &api.HostPathVolumeSource{
+			Path: "/updated",
+			Type: newHostPathType(string(api.HostPathDirectory)),
+		},
+	}
+	scenarios := map[string]struct {
+		isExpectedFailure bool
+		oldVolume         *api.PersistentVolume
+		newVolume         *api.PersistentVolume
+	}{
+		"condition-no-update": {
+			isExpectedFailure: false,
+			oldVolume:         validVolume,
+			newVolume:         validPvSourceNoUpdate,
+		},
+		"condition-update-source-type": {
+			isExpectedFailure: true,
+			oldVolume:         validVolume,
+			newVolume:         invalidPvSourceUpdateType,
+		},
+		"condition-update-source-deep": {
+			isExpectedFailure: true,
+			oldVolume:         validVolume,
+			newVolume:         invalidPvSourceUpdateDeep,
+		},
+	}
+	for name, scenario := range scenarios {
+		errs := ValidatePersistentVolumeUpdate(scenario.newVolume, scenario.oldVolume)
+		if len(errs) == 0 && scenario.isExpectedFailure {
+			t.Errorf("Unexpected success for scenario: %s", name)
+		}
+		if len(errs) > 0 && !scenario.isExpectedFailure {
+			t.Errorf("Unexpected failure for scenario: %s - %+v", name, errs)
+		}
+	}
+}
+
 func TestValidateLocalVolumes(t *testing.T) {
 	scenarios := map[string]struct {
 		isExpectedFailure bool