Merge pull request kubernetes#123180 from AkihiroSuda/rro

KEP-3857: Recursive Read-only (RRO) mounts

Author: k8s-ci-robot

api/openapi-spec/swagger.json

@@ -1590,6 +1590,24 @@
             ],
             "default": {},
             "description": "State holds details about the container's current condition."
+          },
+          "volumeMounts": {
+            "description": "Status of volume mounts.",
+            "items": {
+              "allOf": [
+                {
+                  "$ref": "#/components/schemas/io.k8s.api.core.v1.VolumeMountStatus"
+                }
+              ],
+              "default": {}
+            },
+            "type": "array",
+            "x-kubernetes-list-map-keys": [
+              "mountPath"
+            ],
+            "x-kubernetes-list-type": "map",
+            "x-kubernetes-patch-merge-key": "mountPath",
+            "x-kubernetes-patch-strategy": "merge"
           }
         },
         "required": [
@@ -3709,6 +3727,35 @@
           }
         ]
       },
+      "io.k8s.api.core.v1.NodeRuntimeClass": {
+        "description": "NodeRuntimeClass is a set of runtime class information.",
+        "properties": {
+          "features": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/io.k8s.api.core.v1.NodeRuntimeClassFeatures"
+              }
+            ],
+            "description": "Supported features."
+          },
+          "name": {
+            "default": "",
+            "description": "Runtime class name. Empty for the default runtime class.",
+            "type": "string"
+          }
+        },
+        "type": "object"
+      },
+      "io.k8s.api.core.v1.NodeRuntimeClassFeatures": {
+        "description": "NodeRuntimeClassFeatures is a set of runtime features.",
+        "properties": {
+          "recursiveReadOnlyMounts": {
+            "description": "RecursiveReadOnlyMounts is set to true if the runtime class supports RecursiveReadOnlyMounts.",
+            "type": "boolean"
+          }
+        },
+        "type": "object"
+      },
       "io.k8s.api.core.v1.NodeSelector": {
         "description": "A node selector represents the union of the results of one or more label queries over a set of nodes; that is, it represents the OR of the selectors represented by the node selector terms.",
         "properties": {
@@ -3943,6 +3990,19 @@
             "description": "NodePhase is the recently observed lifecycle phase of the node. More info: https://kubernetes.io/docs/concepts/nodes/node/#phase The field is never populated, and now is deprecated.",
             "type": "string"
           },
+          "runtimeClasses": {
+            "description": "The available runtime classes.",
+            "items": {
+              "allOf": [
+                {
+                  "$ref": "#/components/schemas/io.k8s.api.core.v1.NodeRuntimeClass"
+                }
+              ],
+              "default": {}
+            },
+            "type": "array",
+            "x-kubernetes-list-type": "atomic"
+          },
           "volumesAttached": {
             "description": "List of volumes that are attached to the node.",
             "items": {
@@ -8106,7 +8166,7 @@
             "type": "string"
           },
           "mountPropagation": {
-            "description": "mountPropagation determines how mounts are propagated from the host to container and the other way around. When not set, MountPropagationNone is used. This field is beta in 1.10.",
+            "description": "mountPropagation determines how mounts are propagated from the host to container and the other way around. When not set, MountPropagationNone is used. This field is beta in 1.10. When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified (which defaults to None).",
             "type": "string"
           },
           "name": {
@@ -8118,6 +8178,10 @@
             "description": "Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false.",
             "type": "boolean"
           },
+          "recursiveReadOnly": {
+            "description": "RecursiveReadOnly specifies whether read-only mounts should be handled recursively.\n\nIf ReadOnly is false, this field has no meaning and must be unspecified.\n\nIf ReadOnly is true, and this field is set to Disabled, the mount is not made recursively read-only.  If this field is set to IfPossible, the mount is made recursively read-only, if it is supported by the container runtime.  If this field is set to Enabled, the mount is made recursively read-only if it is supported by the container runtime, otherwise the pod will not be started and an error will be generated to indicate the reason.\n\nIf this field is set to IfPossible or Enabled, MountPropagation must be set to None (or be unspecified, which defaults to None).\n\nIf this field is not specified, it is treated as an equivalent of Disabled.",
+            "type": "string"
+          },
           "subPath": {
             "description": "Path within the volume from which the container's volume should be mounted. Defaults to \"\" (volume's root).",
             "type": "string"
@@ -8133,6 +8197,34 @@
         ],
         "type": "object"
       },
+      "io.k8s.api.core.v1.VolumeMountStatus": {
+        "description": "VolumeMountStatus shows status of volume mounts.",
+        "properties": {
+          "mountPath": {
+            "default": "",
+            "description": "MountPath corresponds to the original VolumeMount.",
+            "type": "string"
+          },
+          "name": {
+            "default": "",
+            "description": "Name corresponds to the name of the original VolumeMount.",
+            "type": "string"
+          },
+          "readOnly": {
+            "description": "ReadOnly corresponds to the original VolumeMount.",
+            "type": "boolean"
+          },
+          "recursiveReadOnly": {
+            "description": "RecursiveReadOnly must be set to Disabled, Enabled, or unspecified (for non-readonly mounts). An IfPossible value in the original VolumeMount must be translated to Disabled or Enabled, depending on the mount result.",
+            "type": "string"
+          }
+        },
+        "required": [
+          "name",
+          "mountPath"
+        ],
+        "type": "object"
+      },
       "io.k8s.api.core.v1.VolumeNodeAffinity": {
         "description": "VolumeNodeAffinity defines constraints that limit what nodes this volume can be accessed from.",
         "properties": {

api/openapi-spec/v3/api__v1_openapi.json

@@ -5147,7 +5147,7 @@
             "type": "string"
           },
           "mountPropagation": {
-            "description": "mountPropagation determines how mounts are propagated from the host to container and the other way around. When not set, MountPropagationNone is used. This field is beta in 1.10.",
+            "description": "mountPropagation determines how mounts are propagated from the host to container and the other way around. When not set, MountPropagationNone is used. This field is beta in 1.10. When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified (which defaults to None).",
             "type": "string"
           },
           "name": {
@@ -5159,6 +5159,10 @@
             "description": "Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false.",
             "type": "boolean"
           },
+          "recursiveReadOnly": {
+            "description": "RecursiveReadOnly specifies whether read-only mounts should be handled recursively.\n\nIf ReadOnly is false, this field has no meaning and must be unspecified.\n\nIf ReadOnly is true, and this field is set to Disabled, the mount is not made recursively read-only.  If this field is set to IfPossible, the mount is made recursively read-only, if it is supported by the container runtime.  If this field is set to Enabled, the mount is made recursively read-only if it is supported by the container runtime, otherwise the pod will not be started and an error will be generated to indicate the reason.\n\nIf this field is set to IfPossible or Enabled, MountPropagation must be set to None (or be unspecified, which defaults to None).\n\nIf this field is not specified, it is treated as an equivalent of Disabled.",
+            "type": "string"
+          },
           "subPath": {
             "description": "Path within the volume from which the container's volume should be mounted. Defaults to \"\" (volume's root).",
             "type": "string"

api/openapi-spec/v3/apis__apps__v1_openapi.json

@@ -4351,7 +4351,7 @@
             "type": "string"
           },
           "mountPropagation": {
-            "description": "mountPropagation determines how mounts are propagated from the host to container and the other way around. When not set, MountPropagationNone is used. This field is beta in 1.10.",
+            "description": "mountPropagation determines how mounts are propagated from the host to container and the other way around. When not set, MountPropagationNone is used. This field is beta in 1.10. When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified (which defaults to None).",
             "type": "string"
           },
           "name": {
@@ -4363,6 +4363,10 @@
             "description": "Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false.",
             "type": "boolean"
           },
+          "recursiveReadOnly": {
+            "description": "RecursiveReadOnly specifies whether read-only mounts should be handled recursively.\n\nIf ReadOnly is false, this field has no meaning and must be unspecified.\n\nIf ReadOnly is true, and this field is set to Disabled, the mount is not made recursively read-only.  If this field is set to IfPossible, the mount is made recursively read-only, if it is supported by the container runtime.  If this field is set to Enabled, the mount is made recursively read-only if it is supported by the container runtime, otherwise the pod will not be started and an error will be generated to indicate the reason.\n\nIf this field is set to IfPossible or Enabled, MountPropagation must be set to None (or be unspecified, which defaults to None).\n\nIf this field is not specified, it is treated as an equivalent of Disabled.",
+            "type": "string"
+          },
           "subPath": {
             "description": "Path within the volume from which the container's volume should be mounted. Defaults to \"\" (volume's root).",
             "type": "string"

api/openapi-spec/v3/apis__batch__v1_openapi.json

@@ -685,6 +685,24 @@ func dropDisabledFields(
 		// For other types of containers, validateContainers will handle them.
 	}
 
+	if !utilfeature.DefaultFeatureGate.Enabled(features.RecursiveReadOnlyMounts) && !rroInUse(oldPodSpec) {
+		for i := range podSpec.Containers {
+			for j := range podSpec.Containers[i].VolumeMounts {
+				podSpec.Containers[i].VolumeMounts[j].RecursiveReadOnly = nil
+			}
+		}
+		for i := range podSpec.InitContainers {
+			for j := range podSpec.InitContainers[i].VolumeMounts {
+				podSpec.InitContainers[i].VolumeMounts[j].RecursiveReadOnly = nil
+			}
+		}
+		for i := range podSpec.EphemeralContainers {
+			for j := range podSpec.EphemeralContainers[i].VolumeMounts {
+				podSpec.EphemeralContainers[i].VolumeMounts[j].RecursiveReadOnly = nil
+			}
+		}
+	}
+
 	dropPodLifecycleSleepAction(podSpec, oldPodSpec)
 }
 
@@ -790,6 +808,18 @@ func dropDisabledPodStatusFields(podStatus, oldPodStatus *api.PodStatus, podSpec
 	if !utilfeature.DefaultFeatureGate.Enabled(features.PodHostIPs) && !hostIPsInUse(oldPodStatus) {
 		podStatus.HostIPs = nil
 	}
+
+	if !utilfeature.DefaultFeatureGate.Enabled(features.RecursiveReadOnlyMounts) && !rroInUse(oldPodSpec) {
+		for i := range podStatus.ContainerStatuses {
+			podStatus.ContainerStatuses[i].VolumeMounts = nil
+		}
+		for i := range podStatus.InitContainerStatuses {
+			podStatus.InitContainerStatuses[i].VolumeMounts = nil
+		}
+		for i := range podStatus.EphemeralContainerStatuses {
+			podStatus.EphemeralContainerStatuses[i].VolumeMounts = nil
+		}
+	}
 }
 
 func hostIPsInUse(podStatus *api.PodStatus) bool {
@@ -1102,6 +1132,23 @@ func clusterTrustBundleProjectionInUse(podSpec *api.PodSpec) bool {
 	return false
 }
 
+func rroInUse(podSpec *api.PodSpec) bool {
+	if podSpec == nil {
+		return false
+	}
+	var inUse bool
+	VisitContainers(podSpec, AllContainers, func(c *api.Container, _ ContainerType) bool {
+		for _, f := range c.VolumeMounts {
+			if f.RecursiveReadOnly != nil {
+				inUse = true
+				return false
+			}
+		}
+		return true
+	})
+	return inUse
+}
+
 func dropDisabledClusterTrustBundleProjection(podSpec, oldPodSpec *api.PodSpec) {
 	if utilfeature.DefaultFeatureGate.Enabled(features.ClusterTrustBundleProjection) {
 		return