Merge pull request #701 from RaunakShah/cp-svm-webhook

Backport: Add webhook to make SourceVolumeMode immutable

Author: k8s-ci-robot

pkg/validation-webhook/snapshot.go

@@ -377,5 +377,12 @@ func checkSnapshotContentImmutableFieldsV1(snapcontent, oldSnapcontent *volumesn
 	if !reflect.DeepEqual(source.SnapshotHandle, oldSource.SnapshotHandle) {
 		return fmt.Errorf("Spec.Source.SnapshotHandle is immutable but was changed from %s to %s", strPtrDereference(oldSource.SnapshotHandle), strPtrDereference(source.SnapshotHandle))
 	}
+
+	if preventVolumeModeConversion {
+		if !reflect.DeepEqual(snapcontent.Spec.SourceVolumeMode, oldSnapcontent.Spec.SourceVolumeMode) {
+			return fmt.Errorf("Spec.SourceVolumeMode is immutable but was changed from %v to %v", *oldSnapcontent.Spec.SourceVolumeMode, *snapcontent.Spec.SourceVolumeMode)
+		}
+	}
+
 	return nil
 }

pkg/validation-webhook/webhook.go

@@ -39,10 +39,11 @@ import (
 )
 
 var (
-	certFile       string
-	keyFile        string
-	kubeconfigFile string
-	port           int
+	certFile                    string
+	keyFile                     string
+	kubeconfigFile              string
+	port                        int
+	preventVolumeModeConversion bool
 )
 
 // CmdWebhook is used by Cobra.
@@ -67,6 +68,8 @@ func init() {
 	CmdWebhook.MarkFlagRequired("tls-private-key-file")
 	// Add optional flag for kubeconfig
 	CmdWebhook.Flags().StringVar(&kubeconfigFile, "kubeconfig", "", "kubeconfig file to use for volumesnapshotclasses")
+	CmdWebhook.Flags().BoolVar(&preventVolumeModeConversion, "prevent-volume-mode-conversion",
+		false, "Prevents an unauthorised user from modifying the volume mode when creating a PVC from an existing VolumeSnapshot.")
 }
 
 // admitv1beta1Func handles a v1beta1 admission