From f89729d014d68a28d881676c36d293568fa52945 Mon Sep 17 00:00:00 2001 From: Raunak Pradip Shah Date: Thu, 31 Mar 2022 10:22:04 +0530 Subject: [PATCH 1/5] Add docs for preventing volume mode conversion --- .../docs/concepts/storage/volume-snapshots.md | 32 +++++++++++++++++++ .../labels-annotations-taints/_index.md | 12 +++++++ 2 files changed, 44 insertions(+) diff --git a/content/en/docs/concepts/storage/volume-snapshots.md b/content/en/docs/concepts/storage/volume-snapshots.md index 8d9a5acb7254e..2490a1ae081fc 100644 --- a/content/en/docs/concepts/storage/volume-snapshots.md +++ b/content/en/docs/concepts/storage/volume-snapshots.md @@ -120,6 +120,7 @@ spec: driver: hostpath.csi.k8s.io source: volumeHandle: ee0cfb94-f8d4-11e9-b2d8-0242ac110002 + sourceVolumeMode: Filesystem volumeSnapshotClassName: csi-hostpath-snapclass volumeSnapshotRef: name: new-snapshot-test @@ -141,6 +142,7 @@ spec: driver: hostpath.csi.k8s.io source: snapshotHandle: 7bdd0de3-aaeb-11e8-9aae-0242ac110002 + sourceVolumeMode: Filesystem volumeSnapshotRef: name: new-snapshot-test namespace: default 
@@ -148,6 +150,36 @@ spec: `snapshotHandle` is the unique identifier of the volume snapshot created on the storage backend. This field is required for the pre-provisioned snapshots. It specifies the CSI snapshot id on the storage system that this `VolumeSnapshotContent` represents. +`sourceVolumeMode` is the mode of the volume whose snapshot is taken. The value of the `sourceVolumeMode` field can be either `Filesystem` or `Block`. If the source volume mode is not specified, Kubernetes treats the snapshot as if the source volume's mode is unknown. Support for this field can only be enabled in VolumeSnapshot client v6.0.0 and higher. Visit the [VolumeSnapshot Release page](https://github.com/kubernetes-csi/external-snapshotter/releases) for more information. + +## Converting the volume mode of a Snapshot {#convert-volume-mode} + +This feature is only present for `VolumeSnapshotContents` created with client version `v6.0.0` onwards. +The volume mode can be either `Filesystem` or `Block`. If not specified, it indicates the volume mode is unknown. +If you want to allow users to create a `PersistentVolumeClaim` from an existing `VolumeSnapshot`, but with a +different volume mode than the source, the annotation `snapshot.storage.kubernetes.io/allowVolumeModeChange: "true"` +needs to be added to the `VolumeSnapshotContent` that corresponds to the `VolumeSnapshot`. For pre-provisioned snapshots, +`Spec.SourceVolumeMode` needs to be populated by the cluster administrator. 
+An example `VolumeSnapshotContent` resource with this feature enabled would look like: + +```yaml +apiVersion: snapshot.storage.k8s.io/v1 +kind: VolumeSnapshotContent +metadata: + name: new-snapshot-content-test + annotations: + - snapshot.storage.kubernetes.io/allowVolumeModeChange: "true" +spec: + deletionPolicy: Delete + driver: hostpath.csi.k8s.io + source: + snapshotHandle: 7bdd0de3-aaeb-11e8-9aae-0242ac110002 + sourceVolumeMode: Filesystem + volumeSnapshotRef: + name: new-snapshot-test + namespace: default +``` + ## Provisioning Volumes from Snapshots You can provision a new volume, pre-populated with data from a snapshot, by using diff --git a/content/en/docs/reference/labels-annotations-taints/_index.md b/content/en/docs/reference/labels-annotations-taints/_index.md index bae7f3f14cc8d..85877feb4d11c 100644 --- a/content/en/docs/reference/labels-annotations-taints/_index.md +++ b/content/en/docs/reference/labels-annotations-taints/_index.md @@ -508,6 +508,18 @@ you through the steps you follow to apply a seccomp profile to a Pod or to one o its containers. That tutorial covers the supported mechanism for configuring seccomp in Kubernetes, based on setting `securityContext` within the Pod's `.spec`. +### snapshot.storage.kubernetes.io/allowVolumeModeChange + +Example: `snapshot.storage.kubernetes.io/allowVolumeModeChange: true` + +Used on: VolumeSnapshotContent + +Value can either be `true` or `false`. +This determines whether a user can modify the mode of the source volume when a `PVC` is being created from a `VolumeSnapshot`. + +See [Converting the volume mode of a Snapshot](/docs/concepts/storage/volume-snapshots/#convert-volume-mode) for more information. + + ## Annotations used for audit From 5a1479b742740384583ee27f65c7d5074e84b354 Mon Sep 17 00:00:00 2001 
From: Raunak Pradip Shah Date: Wed, 20 Apr 2022 00:17:33 +0530 Subject: [PATCH 2/5] Use kubectl to determine if feature is present --- .../docs/concepts/storage/volume-snapshots.md | 29 ++++++++++++++----- 1 file changed, 22 insertions(+), 7 deletions(-) diff --git a/content/en/docs/concepts/storage/volume-snapshots.md b/content/en/docs/concepts/storage/volume-snapshots.md index 2490a1ae081fc..437defd30ffdf 100644 --- a/content/en/docs/concepts/storage/volume-snapshots.md +++ b/content/en/docs/concepts/storage/volume-snapshots.md 
@@ -150,16 +150,31 @@ spec: `snapshotHandle` is the unique identifier of the volume snapshot created on the storage backend. This field is required for the pre-provisioned snapshots. It specifies the CSI snapshot id on the storage system that this `VolumeSnapshotContent` represents. -`sourceVolumeMode` is the mode of the volume whose snapshot is taken. The value of the `sourceVolumeMode` field can be either `Filesystem` or `Block`. If the source volume mode is not specified, Kubernetes treats the snapshot as if the source volume's mode is unknown. Support for this field can only be enabled in VolumeSnapshot client v6.0.0 and higher. Visit the [VolumeSnapshot Release page](https://github.com/kubernetes-csi/external-snapshotter/releases) for more information. +`sourceVolumeMode` is the mode of the volume whose snapshot is taken. The value +of the `sourceVolumeMode` field can be either `Filesystem` or `Block`. If the +source volume mode is not specified, Kubernetes treats the snapshot as if the +source volume's mode is unknown. Support for this field can only be enabled in +`VolumeSnapshot` API v6.0.0 and higher. Visit the [VolumeSnapshot Release page](https://github.com/kubernetes-csi/external-snapshotter/releases) for more information. ## Converting the volume mode of a Snapshot {#convert-volume-mode} -This feature is only present for `VolumeSnapshotContents` created with client version `v6.0.0` onwards. -The volume mode can be either `Filesystem` or `Block`. If not specified, it indicates the volume mode is unknown. -If you want to allow users to create a `PersistentVolumeClaim` from an existing `VolumeSnapshot`, but with a -different volume mode than the source, the annotation `snapshot.storage.kubernetes.io/allowVolumeModeChange: "true"` -needs to be added to the `VolumeSnapshotContent` that corresponds to the `VolumeSnapshot`. For pre-provisioned snapshots, -`Spec.SourceVolumeMode` needs to be populated by the cluster administrator. 
+This feature is only present for `VolumeSnapshots` API with version `v6.0.0` onwards. To check if your +cluster has capability for this feature, run the following command: + +```yaml +$ kubectl get crd volumesnapshotcontent -o yaml +``` + +If a field called `sourceVolumeMode` is present in the output, then the API supports this feature. + +If you want to allow users to create a `PersistentVolumeClaim` from an existing +`VolumeSnapshot`, but with a different volume mode than the source, the annotation +`snapshot.storage.kubernetes.io/allowVolumeModeChange: "true"`needs to be added to +the `VolumeSnapshotContent` that corresponds to the `VolumeSnapshot`. + +For pre-provisioned snapshots, `Spec.SourceVolumeMode` needs to be populated +by the cluster administrator. + An example `VolumeSnapshotContent` resource with this feature enabled would look like: ```yaml From 66a191109c41693d310e62442c345e8e06801497 Mon Sep 17 00:00:00 2001 From: Raunak Pradip Shah Date: Wed, 20 Apr 2022 01:41:01 +0530 Subject: [PATCH 3/5] Remove v6 reference --- content/en/docs/concepts/storage/volume-snapshots.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/content/en/docs/concepts/storage/volume-snapshots.md b/content/en/docs/concepts/storage/volume-snapshots.md index 437defd30ffdf..b39e5a74d4862 100644 --- a/content/en/docs/concepts/storage/volume-snapshots.md +++ b/content/en/docs/concepts/storage/volume-snapshots.md 
@@ -158,15 +158,16 @@ source volume's mode is unknown. Support for this field can only be enabled in ## Converting the volume mode of a Snapshot {#convert-volume-mode} -This feature is only present for `VolumeSnapshots` API with version `v6.0.0` onwards. To check if your -cluster has capability for this feature, run the following command: +If the `VolumeSnapshots` API installed on your cluster supports the `sourceVolumeMode` +field, then the API has the capability to prevent unauthorized users from converting +the mode of a volume. + +To check if your cluster has capability for this feature, run the following command: ```yaml $ kubectl get crd volumesnapshotcontent -o yaml ``` -If a field called `sourceVolumeMode` is present in the output, then the API supports this feature. - If you want to allow users to create a `PersistentVolumeClaim` from an existing `VolumeSnapshot`, but with a different volume mode than the source, the annotation `snapshot.storage.kubernetes.io/allowVolumeModeChange: "true"`needs to be added to From 02c43d28cfcfbd2c86cb1715ea4c4d1f34633d32 Mon Sep 17 00:00:00 2001 From: Raunak Pradip Shah Date: Wed, 20 Apr 2022 01:42:46 +0530 Subject: [PATCH 4/5] Remove v6 reference --- content/en/docs/concepts/storage/volume-snapshots.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/content/en/docs/concepts/storage/volume-snapshots.md b/content/en/docs/concepts/storage/volume-snapshots.md index b39e5a74d4862..0b4d2c2f2be62 100644 --- a/content/en/docs/concepts/storage/volume-snapshots.md +++ b/content/en/docs/concepts/storage/volume-snapshots.md 
@@ -153,8 +153,7 @@ spec: `sourceVolumeMode` is the mode of the volume whose snapshot is taken. The value of the `sourceVolumeMode` field can be either `Filesystem` or `Block`. If the source volume mode is not specified, Kubernetes treats the snapshot as if the -source volume's mode is unknown. Support for this field can only be enabled in -`VolumeSnapshot` API v6.0.0 and higher. Visit the [VolumeSnapshot Release page](https://github.com/kubernetes-csi/external-snapshotter/releases) for more information. +source volume's mode is unknown. ## Converting the volume mode of a Snapshot {#convert-volume-mode} From b656cd8d5524a2f1fe222fcd5fdcd958dbe94afb Mon Sep 17 00:00:00 2001 From: Raunak Pradip Shah Date: Fri, 22 Apr 2022 15:31:49 +0530 Subject: [PATCH 5/5] Some formatting changes --- .../docs/reference/labels-annotations-taints/_index.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/content/en/docs/reference/labels-annotations-taints/_index.md b/content/en/docs/reference/labels-annotations-taints/_index.md index 85877feb4d11c..116df78522d35 100644 --- a/content/en/docs/reference/labels-annotations-taints/_index.md +++ b/content/en/docs/reference/labels-annotations-taints/_index.md 
@@ -510,15 +510,17 @@ based on setting `securityContext` within the Pod's `.spec`. ### snapshot.storage.kubernetes.io/allowVolumeModeChange -Example: `snapshot.storage.kubernetes.io/allowVolumeModeChange: true` +Example: `snapshot.storage.kubernetes.io/allowVolumeModeChange: "true"` Used on: VolumeSnapshotContent Value can either be `true` or `false`. -This determines whether a user can modify the mode of the source volume when a `PVC` is being created from a `VolumeSnapshot`. - -See [Converting the volume mode of a Snapshot](/docs/concepts/storage/volume-snapshots/#convert-volume-mode) for more information. +This determines whether a user can modify the mode of the source volume when a +{{< glossary_tooltip text="PersistentVolumeClaim" term_id="persistent-volume-claim" >}} is being +created from a VolumeSnapshot. +Refer to [Converting the volume mode of a Snapshot](/docs/concepts/storage/volume-snapshots/#convert-volume-mode) +and the [Kubernetes CSI Developer Documentation](https://kubernetes-csi.github.io/docs/) for more information. ## Annotations used for audit
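Review bot: In [PATCH 1/5], the example `VolumeSnapshotContent` added to volume-snapshots.md writes the annotation as a list item under `annotations:` (`- snapshot.storage.kubernetes.io/allowVolumeModeChange: "true"`). `metadata.annotations` is a map of string keys to string values, so the leading `-` should be dropped, leaving `snapshot.storage.kubernetes.io/allowVolumeModeChange: "true"` as a plain key under `annotations:`. As written, anyone who copies the example gets a manifest that fails validation. In the same patch, the reference entry in labels-annotations-taints/_index.md shows the value unquoted (`allowVolumeModeChange: true`); annotation values must be strings, so quote it here rather than waiting for 5/5.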
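Review bot: In [PATCH 2/5], the new command block is fenced as `yaml` although it contains a shell command with a `$ ` prompt (`$ kubectl get crd volumesnapshotcontent -o yaml`). Tag the fence `shell` and drop the prompt so the line can be copied as-is. Please also confirm that `kubectl get crd` resolves the singular name `volumesnapshotcontent`, since CRD objects are normally addressed by their full `<plural>.<group>` name. In the rewrapped paragraph below it, a space is missing between the closing backtick and the next word in `"true"`needs to be added`.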
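Review bot: In [PATCH 3/5], deleting the line "If a field called `sourceVolumeMode` is present in the output, then the API supports this feature." leaves the `kubectl get crd` command with no statement of what the reader should look for in its output. The new lead-in names the field only as a precondition. Either keep a sentence after the command that tells the reader to look for `sourceVolumeMode` in the CRD schema, or move the command above the paragraph that explains the field. The new text also says `VolumeSnapshots` API while the earlier paragraph in this file uses `VolumeSnapshot`; pick one form. Since this paragraph is what tells administrators whether unauthorized mode conversion is blocked on their cluster, the check needs to be unambiguous.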
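Review bot: [PATCH 4/5] carries the same subject as 3/5 ("Remove v6 reference") and touches the paragraph directly above the one 3/5 edits, so the two should be squashed into one commit. The hunk also drops the link to the VolumeSnapshot release page along with the version number, which leaves the `sourceVolumeMode` paragraph with no pointer to where support for the field is documented; consider keeping a version-neutral link.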
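Review bot: In [PATCH 5/5], the rewrapped description still says the annotation determines whether a user can "modify the mode of the source volume", but the concept page added in 1/5 describes creating a `PersistentVolumeClaim` "with a different volume mode than the source"; the source volume itself is not changed. Suggest wording along the lines of "whether a user can create a PersistentVolumeClaim whose volume mode differs from that of the snapshot's source volume". With the example now quoted as `"true"`, the line "Value can either be `true` or `false`" would read more consistently with the values quoted as strings too.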