- Show VolumeSnapshotContent YAML output with new annotation for clarity

- Add example xfs CVE - Clarify that e2e tests will have feature flag enabled
kubernetes · Jan 27, 2022 · 9c1b720 · 9c1b720
1 parent e957dd6
commit 9c1b720
Showing 1 changed file with 15 additions and 6 deletions.
diff --git a/keps/sig-storage/3141-prevent-volume-mode-conversion/README.md b/keps/sig-storage/3141-prevent-volume-mode-conversion/README.md
@@ -155,8 +155,11 @@ kernel.
        kernel, the user can crash it.
 
 Note that, as of this writing, there is no known CVE in the kernel that a
-malicious user can exploit. This proposal aims to prevent a security vulnerability
-in the even that a CVE is discovered. 
+malicious user can exploit. However CVE's are regularly discovered that affect
+filesystems. For example https://access.redhat.com/security/cve/cve-2020-12655
+allows an attacker to trigger a DoS attack on the kernel.
+This proposal aims to prevent a security vulnerability in the event that a CVE 
+is discovered.
 
 We cannot simply block this operation as some backup vendors try to create a 
 volume with the exact same mode as the original volume but may need to do the
@@ -279,10 +282,15 @@ SourceVolumeMode *SourceVolumeMode
 
 2. A new annotation to `VolumeSnapshotContent` objects. The onus is on the 
 backup vendor (via s/w or manually) to add this annotation to the `VolumeSnapshotContent`
-if they intend to alter the volume mode.
+if they intend to alter the volume mode. The `VolumeSnapshotContent` must look
+like below after this change:
 
 ```go
-snapshot.storage.kubernetes.io/allowVolumeModeChange: true
+kind: VolumeSnapshotContent 
+metadata: 
+	annotations: 
+		- snapshot.storage.kubernetes.io/allowVolumeModeChange: "true"
+...
 ```
 
 ### Changes to Snapshot Controller
@@ -348,7 +356,8 @@ from a `VolumeSnapshot`:
 
 #### E2E tests
 
-- Attempt to convert volume mode when creating a `PVC` from a `VolumeSnapshot`:
+The feature flag will be enabled for e2e tests. The tests will attempt to convert volume 
+mode when creating a `PVC` from a `VolumeSnapshot`:
   - With `Spec.SourceVolumeMode` populated and `snapshot.storage.kubernetes.io/allowVolumeModeChange: true`
     annotation present.
   - With `Spec.SourceVolumeMode` populated but no `snapshot.storage.kubernetes.io/allowVolumeModeChange: true`
@@ -384,7 +393,7 @@ unpopulated.
 
 2. Downgrading `external-snapshotter` and `external-provisioner` with `PreventVolumeModeConversion`
 disabled: 
-- `VolumeSnapshots` created priot to the upgrade will still maintain a reference 
+- `VolumeSnapshots` created prior to the upgrade will still maintain a reference 
 to the source volume mode, but `PVCs` can be created from them without the
 additional check.