Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

KEP-3857: Recursive Read-only (RRO) mounts #123180

Merged
merged 11 commits into from
Mar 9, 2024
Merged

KEP-3857: Recursive Read-only (RRO) mounts #123180

merged 11 commits into from
Mar 9, 2024

Conversation

AkihiroSuda
Copy link
Member

@AkihiroSuda AkihiroSuda commented Feb 7, 2024
edited
Loading

Depends on:

Depended by:

Relevant:

What type of PR is this?

/kind feature
/kind api-change

What this PR does / why we need it:

Implement KEP-3857: Recursive Read-only (RRO) mounts: https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/3857-rro-mounts

Which issue(s) this PR fixes:

NONE

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Support Recursive Read-only (RRO) mounts  (KEP-3857)

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

- [KEP]: https://kep.k8s.io/3857

An example manifest:

apiVersion: v1
kind: Pod
metadata:
  name: rro
spec:
  volumes:
    - name: mnt
      hostPath:
        # tmpfs is mounted on /mnt/tmpfs
        path: /mnt
  containers:
    - name: busybox
      image: busybox
      args: ["sleep", "infinity"]
      volumeMounts:
        # /mnt-rro/tmpfs is not writable
        - name: mnt
          mountPath: /mnt-rro
          readOnly: true
          mountPropagation: None
          recursiveReadOnly: IfPossible
        # /mnt-ro/tmpfs is writable
        - name: mnt
          mountPath: /mnt-ro
          readOnly: true
        # /mnt-rw/tmpfs is writable
        - name: mnt
          mountPath: /mnt-rw

Requirements:

  • Feature gate "RecursiveReadOnlyMounts" to be enabled
  • Linux kernel >= 5.12
  • runc >= 1.1

@k8s-ci-robot
Copy link
Contributor

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/feature Categorizes issue or PR as related to a new feature. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. area/code-generation area/kubelet sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/apps Categorizes an issue or PR as relevant to SIG Apps. sig/node Categorizes an issue or PR as relevant to SIG Node. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Feb 7, 2024
This was referenced Feb 7, 2024
Merged
Merged
Merged
Open
@AkihiroSuda AkihiroSuda force-pushed the rro branch 2 times, most recently from 08f3253 to eaebbaf Compare February 8, 2024 10:22
@AkihiroSuda AkihiroSuda marked this pull request as ready for review February 8, 2024 18:54
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 8, 2024
@AkihiroSuda
kubelet: change map[string]RuntimeHandler to []RuntimeHandler
27f24a6 
The map is changed to an array so as to retain the order of the original array
propagated from the CRI runtime.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
@AkihiroSuda
kubelet: RuntimeHandler: add SupportsRecursiveReadOnlyMounts
76081a1 
For KEP-3857: Recursive Read-only (RRO) mounts

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
@AkihiroSuda
pkg/features: add RecursiveReadOnlyMounts
0b1a507 
For KEP-3857: Recursive Read-only (RRO) mounts

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
@AkihiroSuda
api: KEP-3857: Recursive Read-only (RRO) mounts
d940886 
This commit modifies the following files:

- pkg/apis/core/types.go
- staging/src/k8s.io/api/core/v1/types.go

Other changes were auto-generated by running `make update`.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
@AkihiroSuda
pod: dropDisabledFields: recognize RecursiveReadOnlyMounts
ce19188 
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
@AkihiroSuda
node: dropDisabledFields: recognize RecursiveReadOnlyMounts gate
8828530 
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
@AkihiroSuda
Copy link
Member Author

I think I have only one major outstanding comment otherwise the node bits look fine to me.

Fixed, PTAL 🙏

@mrunalp
Copy link
Contributor

mrunalp commented Mar 9, 2024

/approve
for node

@mrunalp
Copy link
Contributor

mrunalp commented Mar 9, 2024

@thockin for API approval / lgtm if around

thockin
thockin reviewed Mar 9, 2024
View reviewed changes
Copy link
Member

@thockin thockin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can live with these as a followup, but @kubernetes/release-team has final say

pkg/apis/core/validation/validation.go Outdated Show resolved Hide resolved
pkg/apis/core/validation/validation.go Outdated Show resolved Hide resolved
pkg/apis/core/validation/validation.go Outdated Show resolved Hide resolved
pkg/api/pod/util.go Outdated Show resolved Hide resolved
pkg/apis/core/validation/validation.go Outdated Show resolved Hide resolved
pkg/apis/core/validation/validation.go Outdated Show resolved Hide resolved
pkg/apis/core/validation/validation.go Outdated Show resolved Hide resolved
@AkihiroSuda
api: validate RecursiveReadOnlyMounts
8db0744 
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
@AkihiroSuda
kubelet: expose node.status.runtimeClasses
dd0882a 
For KEP-3857: Recursive Read-only (RRO) mounts

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
@AkihiroSuda
kubelet: expose containerStatuses.volumeMounts
6f12e1d 
For KEP-3857: Recursive Read-only (RRO) mounts

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
@AkihiroSuda
kubelet: KEP-3857: Recursive Read-only (RRO) mounts
c7f52b3 
See <https://kep.k8s.io/3857>.

An example manifest:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: rro
spec:
  volumes:
    - name: mnt
      hostPath:
        # tmpfs is mounted on /mnt/tmpfs
        path: /mnt
  containers:
    - name: busybox
      image: busybox
      args: ["sleep", "infinity"]
      volumeMounts:
        # /mnt-rro/tmpfs is not writable
        - name: mnt
          mountPath: /mnt-rro
          readOnly: true
          mountPropagation: None
          recursiveReadOnly: IfPossible
        # /mnt-ro/tmpfs is writable
        - name: mnt
          mountPath: /mnt-ro
          readOnly: true
        # /mnt-rw/tmpfs is writable
        - name: mnt
          mountPath: /mnt-rw
```

Requirements:
- Feature gate "RecursiveReadOnlyMounts" to be enabled
- Linux kernel >= 5.12
- runc >= 1.1

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
@AkihiroSuda
e2e: KEP-3857: Recursive Read-only (RRO) mounts
d4925ce 
Usage:
```
make test-e2e-node \
  TEST_ARGS='--service-feature-gates=RecursiveReadOnlyMounts=true --kubelet-flags="--feature-gates=RecursiveReadOnlyMounts=true"' \
  FOCUS="Mount recursive read-only" SKIP=""
```

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
@thockin
Copy link
Member

thockin commented Mar 9, 2024

Thanks!

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 9, 2024
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: f22f5ffc1f00a85d447d8cc84c22c41bf802c678

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: AkihiroSuda, mrunalp, thockin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 9, 2024
@AkihiroSuda
Copy link
Member Author

Thanks for reviewing and approval, could you review the docs PR too?

@k8s-ci-robot k8s-ci-robot merged commit eafd289 into kubernetes:master Mar 9, 2024
15 of 16 checks passed
@dims dims mentioned this pull request Mar 11, 2024
Closed
@AkihiroSuda AkihiroSuda mentioned this pull request Mar 13, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@matthyx matthyx matthyx left review comments

@haircommander haircommander haircommander left review comments

@thockin thockin thockin left review comments

@mrunalp mrunalp mrunalp approved these changes

@caesarxuchao caesarxuchao Awaiting requested review from caesarxuchao

@dchen1107 dchen1107 Awaiting requested review from dchen1107

@andrewsykim andrewsykim Awaiting requested review from andrewsykim

@deads2k deads2k Awaiting requested review from deads2k

@bart0sh bart0sh Awaiting requested review from bart0sh

Assignees

@thockin thockin

@haircommander haircommander

Labels
api-review Categorizes an issue or PR as actively needing an API review. approved Indicates a PR has been approved by an approver from all required OWNERS files. area/code-generation area/kubelet area/test cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/apps Categorizes an issue or PR as relevant to SIG Apps. sig/node Categorizes an issue or PR as relevant to SIG Node. sig/testing Categorizes an issue or PR as relevant to SIG Testing. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
API Reviews
Status: API review completed, 1.30
SIG Apps
Archived in project
SIG Node: code and documentation PRs
Archived in project
[sig-release] Bug Triage
Archived in project
Milestone
v1.30
Development

Successfully merging this pull request may close these issues.