Skip to main content

Kubernetes version 1.30 finally supports true read-only volume mounting

CillianApril 23, 2024About 5 minkubernetesk8s

Kubernetes version 1.30 finally supports true read-only volume mounting

Let’s talk about something else

I don’t know whether it’s because of the focus on new energy vehicles or because of the numerous news reports. Recently, various tram brands have held press conferences one after another, and the prices are quite attractive. Are readers who are also budgeting carefully and considering joining the electric car army? What do you think at this time?

There is good news! The public account has opened a message function for me, waiting for you at the bottom of the article! No need to jump to the background anymore, leave your thoughts and opinions directly where you finish reading. Join our discussion family, interact and communicate with many readers and friends, and let your voice become the force for our common progress! Come share your unique perspectives, participate in exciting conversations, and spark sparks of inspiration! 💬✨

Additional services: You can check the attention time for readers!

Don’t forget, scroll down now, wonderful messages are waiting for you!

Recent news

  1. Ant Design 5.16.4 released, many updates --https://github.com/ant-design/ant-design/releases/tag/5.16.4

  2. On April 16, Robin Li, founder, chairman and CEO of Baidu, announced at the Create 2024 Baidu AI Developer Conference that the second "Wenxin Cup" Entrepreneurship Competition was officially launched. Participants will have the opportunity to win up to 50 million RMB investment. --Baidu

  3. I think if an operating system is the same as the current operating system, there will be no future and it will be impossible to develop. The open source Hongmeng operating system is the only architectural innovation in our country in the field of basic software. It is not a simple domestic replacement, it is oriented to the future of the Internet of Everything. --Wang Chenglu, who once led the development of Hongmeng system

  4. Excerpt:
    To live in this world, people need this kind of experience:

One thing is done, and another thing is done,

Gradually, I became sure of what I wanted to do.

——Wang Xiaobo Wang Xiaobo (May 13, 1952 -April 11, 1997) was born in Beijing and graduated from the University of Pittsburgh in the United States. He is a contemporary Chinese scholar and writer. In 1968, he worked in the Yunnan Corps and began to try writing. In 1978, he was successfully admitted to Renmin University of China and studied in the Department of Trade and Economics, majoring in commodity science. In 1980, he published his debut novel "Eternal Life" in "The Ugly Duckling" magazine. In 1982, he began writing his famous work "The Golden Age" which took ten years to be completed. In 1984, he worked as a graduate student at the Center for East Asian Studies. In 1986, he received a master's degree; in the same year, he began to write antique novels based on Tang legends, and continued to revise "The Golden Age". In 1988, he returned to China with his wife and served as a lecturer at the Institute of Sociology at Peking University. In 1989, he published his first collection of novels "Secret Stories of the Tang Dynasty". In 1991, the novel "The Golden Age" won the Novella Grand Prize at the 13th "United Daily News" Literary Award. In May 1995, the novel "Future World" won the Novella Grand Prize at the 16th "United Daily News" Literary Award. He died of illness in Beijing on April 11, 1997, at the age of 45.

Today’s recommendation

A quick reference cheat list for developers [cheat sheet]. It basically covers the entire technology stack, so go check it out!
https://cheatsheets.zip/

For example, common status codes:
src/.vuepress/public/image.png

Kubernetes version 1.30 finally supports true read-only volume mounting

I recently checked the k8s official website blog and found this content. I would like to share it with you here:

The new feature introduced in Kubernetes 1.30 solves a long-standing problem: under certain conditions, volume mounts marked as read-only are not fully read-only. The new recursiveReadOnly option allows users to ensure that all submounts under a specified mount point are read-only, which is a big step towards ensuring file system security within the container. While this feature is currently in alpha testing, it demonstrates the Kubernetes community's continued commitment to improving container runtime security and reliability, and may become part of the default configuration in the future as this feature matures and stabilizes. For those users who have special needs for Kubernetes security, this will be an update worth paying attention to and trying.
In a Kubernetes environment, when you mount a volume into a container and mark it as read-only by setting readOnly: true, the purpose of this setting is to prevent processes within the container from modifying these mounted file systems. However, under certain conditions, this read-only setting is not completely absolute. The reason mainly involves how to handle submounts or mount inheritance.

The core of the problem lies in how Linux file system mounts work and how Kubernetes handles them. When you have a mount point on the host and there are other mount points (i.e. child mounts) under this mount point, the behavior of these child mount points will not automatically inherit the behavior of the parent mount point. Read-only property. This means that even if a parent mount point is set to read-only in the Kubernetes pod configuration, its child mount points may still be writable unless those child mount points are also explicitly set to read-only.
For example, if you have a mount point /mnt, it is set to read-only in the container. However, if there is a sub-mount point /mnt/my-nfs-server under /mnt, and this sub-mount point is writable on the host, then within the container, even though /mnt Files and directories under cannot be modified (in line with the read-only setting), but the write operation to /mnt/my-nfs-server may succeed because its read-only attribute is not recursively applied to all sub-mount points .

This is why Kubernetes 1.30 introduced the recursiveReadOnly option, which allows explicit settings when defining volume mounts to ensure that all child mount points inherit the read-only attribute, thereby achieving a true read-only mount and solving the problem. restrictions under this particular condition.

Original content: https://kubernetes.io/blog/2024/04/23/recursive-read-only-mounts/
Read-only volume mounts have been a feature of Kubernetes since its inception. But surprisingly, read-only mounts on Linux are not entirely read-only under certain conditions. Starting with v1.30, they can be set to be fully read-only, while support for recursive read-only mounts is in alpha.

Read-only volume mounts are not truly read-only by default, and volume mounts can be surprisingly complex.

You might expect the following manifest to make everything under /mnt in the container read-only:

---
apiVersion: v1
Kind: Pod
spec:
  volumes:
    -name: mnt
      hostPath:
        path: /mnt
  containers:
    -volumeMounts:
        -name: mnt
          mountPath: /mnt
          readOnly: true
However, any submounts located under /mnt may still be writable! For example, if /mnt/my-nfs-server on the host is writable, write operations to /mnt/*within the container will be rejected, but write operations to /mnt/my-nfs-server/*will be rejected. Still feasible.

New mount option: recursiveReadOnly Kubernetes 1.30 adds a new mount option recursiveReadOnly to make submounts recursively read-only.

This option can be enabled as follows:

---
apiVersion: v1
Kind: Pod
spec:
  volumes:
    -name: mnt
      hostPath:
        path: /mnt
  containers:
    -volumeMounts:
        -name: mnt
          mountPath: /mnt
          readOnly: true
          # Add
# Possible values ​​are `Enabled`, `IfPossible`, and `Disabled`.
          # Needs to be specified with `readOnly: true`.
          recursiveReadOnly: Enabled
This is accomplished by applying the MOUNT_ATTR_RDONLY attribute using the mount_setattr(2) function and the AT_RECURSIVE flag (added in Linux kernel v5.12).

For backward compatibility, the recursiveReadOnly field is not a replacement for readOnly but is intended to be used in conjunction with it. To get a correct recursive read-only mount, you must set both fields.

Feature availability To enable recursiveReadOnly mounts, the following components must be used:

-Kubernetes: v1.30 or higher, requires the RecursiveReadOnlyMounts feature gating to be enabled. Starting with v1.30, this gate is marked as alpha.

-CRI runtime: -containerd: v2.0 or higher

-OCI runtime: -runc: v1.1 or higher -crun: v1.8.6 or higher

-Linux kernel: v5.12 or higher ```
Life is as gorgeous as summer flowers, death is as quiet and beautiful as autumn leaves
Copyright © 2025 Cillian