Merge pull request vmware-tanzu#8284 from sseago/selinux-readonly

only set spec.volumes readonly if PVC is readonly for datamover
sseago · Oct 11, 2024 · f02613d · f02613d
2 parents b34e011 + de7a414
commit f02613d
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 2 deletions.
diff --git a/changelogs/unreleased/8284-sseago b/changelogs/unreleased/8284-sseago
@@ -0,0 +1 @@
+only set spec.volumes readonly if PVC is readonly for datamover
diff --git a/pkg/exposer/csi_snapshot.go b/pkg/exposer/csi_snapshot.go
@@ -202,6 +202,7 @@ func (e *csiSnapshotExposer) Expose(ctx context.Context, ownerObject corev1.Obje
 		csiExposeParam.HostingPodLabels,
 		csiExposeParam.Affinity,
 		csiExposeParam.Resources,
+		backupPVCReadOnly,
 	)
 	if err != nil {
 		return errors.Wrap(err, "error to create backup pod")
@@ -442,6 +443,7 @@ func (e *csiSnapshotExposer) createBackupPod(
 	label map[string]string,
 	affinity *kube.LoadAffinity,
 	resources corev1.ResourceRequirements,
+	backupPVCReadOnly bool,
 ) (*corev1.Pod, error) {
 	podName := ownerObject.Name
 
@@ -454,18 +456,22 @@ func (e *csiSnapshotExposer) createBackupPod(
 	}
 
 	var gracePeriod int64 = 0
-	volumeMounts, volumeDevices, volumePath := kube.MakePodPVCAttachment(volumeName, backupPVC.Spec.VolumeMode, true)
+	volumeMounts, volumeDevices, volumePath := kube.MakePodPVCAttachment(volumeName, backupPVC.Spec.VolumeMode, backupPVCReadOnly)
 	volumeMounts = append(volumeMounts, podInfo.volumeMounts...)
 
 	volumes := []corev1.Volume{{
 		Name: volumeName,
 		VolumeSource: corev1.VolumeSource{
 			PersistentVolumeClaim: &corev1.PersistentVolumeClaimVolumeSource{
 				ClaimName: backupPVC.Name,
-				ReadOnly:  true,
 			},
 		},
 	}}
+
+	if backupPVCReadOnly {
+		volumes[0].VolumeSource.PersistentVolumeClaim.ReadOnly = true
+	}
+
 	volumes = append(volumes, podInfo.volumes...)
 
 	if label == nil {