fix: read/write mount mode for init / wait containers. Fixes #7755
As discussed in #7755, the `init` / `wait` containers surrounding a
workflow container mount the same volumes as the `main` container, but
without respecting their read/write mode. For environments using PSPs
with read-only allowed host paths, it becomes impossible to run workflows
that use volume mounts (as sidecar containers will violate the PSP).

The original code author (@jessesuen) claims that mounts need to be
read/write to allow overlapping mount paths. However, the `main`
container will already need to mount paths in read/write mode if they
overlap, so there does not seem to be a good reason for keeping this.

Fixes #7755

Signed-off-by: Louis Blin <[email protected]>
louisblin committed Mar 10, 2022
1 parent 972a4e9 commit cc9f6a3
Showing 1 changed file with 0 additions and 2 deletions.
2 changes: 0 additions & 2 deletions workflow/controller/workflowpod.go
Expand Up @@ -1018,8 +1018,6 @@ func addOutputArtifactsVolumes(pod *apiv1.Pod, tmpl *wfv1.Template) {
continue
}
mnt.MountPath = filepath.Join(common.ExecutorMainFilesystemDir, mnt.MountPath)
// ReadOnly is needed to be false for overlapping volume mounts
mnt.ReadOnly = false
waitCtr.VolumeMounts = append(waitCtr.VolumeMounts, mnt)
}
}
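Review bot: the commit message says the fix covers both the `init` and `wait` containers, but the only change in this hunk is inside addOutputArtifactsVolumes, which appends to waitCtr.VolumeMounts; either confirm that the init container already inherits the main container's ReadOnly flag on its mounts, or narrow the message to the wait container. Dropping `mnt.ReadOnly = false` means the wait container now carries whatever ReadOnly value the main container's mount had, which is the behaviour a read-only allowed host path policy requires; since the removed comment asserted the opposite requirement for overlapping mounts, a unit test that builds a template with a read-only mount and checks the resulting wait container mount is also read-only would document the new contract and catch a regression.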
