keps/sig-node/4639-oci-volume-source/README.md
2 additions & 2 deletions
@@ -586,8 +586,7 @@ feature cannot be used. Pods using the new `VolumeSource` combined with a not
586
586
supported container runtime version will fail to run on the node, because the
587
587
`Mount.host_path` field is not set for those mounts.
588
588
589
-
For security reasons, volume mounts should set the [`noexec`] and `ro`
590
-
(read-only) options by default.
589
+
For security reasons, `ro` (read-only) options by default.
591
590
592
591
Note: in the process of mounting images into the container's rootfs, there may need to be intermediate mounts created. This is especially relevant if
593
592
the CRI implementation wishes to support one image being mounted with multiple different SELinux labels. If that's done, the CRI implementation is responsible
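Review bot: the replacement line `For security reasons, `ro` (read-only) options by default.` is not a complete sentence; deleting `noexec` also dropped the subject and verb (`volume mounts should set the`). Suggest `For security reasons, volume mounts should set the `ro` (read-only) option by default.` (singular `option`, since only one remains). Because this hunk silently removes the `noexec` default that the previous text recommended, a short clause saying that `noexec` is no longer required here, and why, would help readers who relied on the earlier guidance; and since `[`noexec`]` was written as a link reference, check whether its reference definition elsewhere in the file is now orphaned.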
@@ -884,6 +883,7 @@ in back-to-back releases.
884
883
- Allowing time for feedback
885
884
- Consider a new `RuntimeConfig` field to indicate to end users if the feature
886
885
is supported or not.
886
+
- Security Evaluation ensuring robust protection without the `noexec` option
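Review bot: the added criterion `Security Evaluation ensuring robust protection without the `noexec` option` is too vague to be checked off: it does not say what is evaluated or what outcome counts as done. Suggest a concrete, verifiable item in the same sentence-case, verb-led style as the neighbouring bullets (`Allowing time for feedback`, `Consider a new ...`), e.g. `Evaluate the security impact of mounting image volumes without `noexec` and document the accepted risks and mitigations`.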