Skip to content

[KEP-4639] Image Volume: remove noexec option #5354

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Jun 16, 2025
Merged

[KEP-4639] Image Volume: remove noexec option #5354

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions keps/sig-node/4639-oci-volume-source/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -586,8 +586,7 @@ feature cannot be used. Pods using the new `VolumeSource` combined with a not
supported container runtime version will fail to run on the node, because the
`Mount.host_path` field is not set for those mounts.

For security reasons, volume mounts should set the [`noexec`] and `ro`
(read-only) options by default.
For security reasons, `ro` (read-only) options by default.

Note: in the process of mounting images into the container's rootfs, there may need to be intermediate mounts created. This is especially relevant if
the CRI implementation wishes to support one image being mounted with multiple different SELinux labels. If that's done, the CRI implementation is responsible
Expand Down Expand Up @@ -884,6 +883,7 @@ in back-to-back releases.
- Allowing time for feedback
- Consider a new `RuntimeConfig` field to indicate to end users if the feature
is supported or not.
- Security Evaluation ensuring robust protection without the `noexec` option

### Upgrade / Downgrade Strategy

Expand Down