only set spec.volumes readonly if PVC is readonly for datamover #8284
Conversation
sseago
force-pushed
the
selinux-readonly
branch
from
92a8000
to
be62db0
Compare
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #8284 +/- ##
=======================================
Coverage 59.20% 59.21%
=======================================
Files 367 367
Lines 30838 30840 +2
=======================================
+ Hits 18259 18261 +2
Misses 11119 11119
Partials 1460 1460 ☔ View full report in Codecov by Sentry. |
There was a problem hiding this comment.
Shouldn't we make the pod-pvc attachment also configurable i.e. based on the value of readOnly flag ?
|
@shubham-pampattiwar I'm not 100% certain here. I was going for minimal change to make this work, and in my testing, what is required for SELinux relabeling to work is for PVC AccessMode and pod.spec.volumes entry to be read-write, but it's fine if pod's volumeMounts entry is readOnly. Backup succeeds. The effect of this combination is volume relabeling prior to mount works, but mounted filesystem is readonly by the pod user -- so velero can't accidentally modify the filesystem. If we set volumeMount readwrite when PVC is not readonly, then velero could modify it. Are there cases where having volumeMounts readonly for non-shallow-copy will break? I can't think of any, but I'm not 100% sure. My inclination is to leave as-is until we see a problem, but I'm open to suggestion here. What do others think? |
Signed-off-by: Scott Seago <sseago@redhat.com>
sseago
force-pushed
the
selinux-readonly
branch
from
b02cf12
to
de7a414
Compare
Thank you for contributing to Velero!
Please add a summary of your change
Only set pod.spec.volumes entry readOnly if backup PVC is configured to be read-only
Does your change fix a particular issue?
Fixes #(issue)
Please indicate you've done the following:
make new-changelog) or comment/kind changelog-not-requiredon this PR.site/content/docs/main.