Skip to content

Commit 9f15141

Browse files
saschagrunertsaschagrunert
committed
Add review from smuelkarp
Signed-off-by: Sascha Grunert <[email protected]>
1 parent ec69891 commit 9f15141

File tree

1 file changed

+7
-7
lines changed
  • keps/sig-node/4639-oci-volume-source

1 file changed

+7
-7
lines changed

keps/sig-node/4639-oci-volume-source/README.md

Lines changed: 7 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -87,6 +87,7 @@ tags, and then generate with `hack/update-toc.sh`.
8787
- [Story 1](#story-1)
8888
- [Story 2](#story-2)
8989
- [Story 3](#story-3)
90+
- [Story 4](#story-4)
9091
- [Notes/Constraints/Caveats (Optional)](#notesconstraintscaveats-optional)
9192
- [Vocabulary: OCI Images, Artifacts, and Objects](#vocabulary-oci-images-artifacts-and-objects)
9293
- [Risks and Mitigations](#risks-and-mitigations)
@@ -268,9 +269,7 @@ to support this source type. Key design aspects include:
268269
- API changes to introduce the new `VolumeSource` type.
269270
- Modifications to the Kubelet to handle mounting OCI images and artifacts.
270271
- Handling image pull secrets and registry authentication.
271-
- Reuse existing logic from ConfigMaps for:
272-
- Determining the file location on the host filesystem.
273-
- Handling updates to the OCI image or artifact, similar to how ConfigMaps update mounted files.
272+
- Reuse existing logic from ConfigMaps to determining the file location on the host filesystem.
274273

275274
The following code snippet illustrates the proposed API change:
276275

@@ -356,7 +355,7 @@ message ImageSpec {
356355
// …
357356
358357
// Absolute local path where the image/artifacts should be mounted to.
359-
string mount_path = 20;
358+
string mountpoint = 20;
360359
}
361360
```
362361

@@ -366,14 +365,15 @@ plugin as part of the existing [volume manager](https://github.com/kubernetes/ku
366365

367366
#### Container Runtimes
368367

369-
Container runtimes need to support the new `mount_path` field, otherwise the
370-
feature cannot be used. The kubelet will verify if the mount path actually
368+
Container runtimes need to support the new `mountpoint` field, otherwise the
369+
feature cannot be used. The kubelet will verify if the `mountpoint` actually
371370
exists on disk to check the feature availability, because Protobuf will strip
372371
the field in a backwards compatible way for older runtimes. Pods using the new
373372
`VolumeSource` combined with a not supported container runtime version will fail
374373
to run on the node.
375374

376-
For security reasons, volume mounts should be done using the [`noexec`] flag.
375+
For security reasons, volume mounts should set the [`noexec`] and `ro`
376+
(read-only) options by default.
377377

378378
### Test Plan
379379

0 commit comments

Comments
 (0)