Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: remove readOnly: false mode for init / wait overlapping volume mounts. Fixes #7755 #8128

Closed
wants to merge 2 commits into from
Closed

fix: remove readOnly: false mode for init / wait overlapping volume mounts. Fixes #7755 #8128

wants to merge 2 commits into from

Conversation

louisblin
Copy link

@louisblin louisblin commented Mar 10, 2022
edited by agilgur5
Loading

As discussed in #7755, the init / wait containers surrounding a workflow container mount the same volumes as the main container, but without respecting their read/write mode. For environments using PSPs with read-only allowed host paths, it becomes impossible to run workflows that use volume mounts (as sidecar containers will violate the PSP).

The original code author (@jessesuen) claims that mounts need to be read/write to allow overlapping mount paths. However, the main container will already need to mount paths in read/write mode if they overlap, so there does not seem to be a good reason for keeping this.

Fixes #7755

@louisblin
fix: read/write mount mode for init / wait containers. Fixes argoproj…
cc9f6a3 
…#7755

As discussed in argoproj#7755, the `init` / `wait` containers surrounding a
workflow container mount the same volumes as the `main` container, but
without respecting their read/write mode. For environments using PSPs
with read-only allowed host paths, it becomes impossible to run workflows
that use volume mounts (as sidecar containers will violate the PSP).

The original code author (@jessesuen) claims that mounts need to be
read/write to allow overlapping mount paths. However, the `main`
container will already need to mount paths in read/write mode if they
overlap, so there does not seem to be a good reason for keeping this.

Fixes argoproj#7755

Signed-off-by: Louis Blin <[email protected]>
@louisblin louisblin force-pushed the fix/sidecar-containers-readonly-psps branch from 2599b3f to cc9f6a3 Compare March 10, 2022 20:12
@lbpdt lbpdt mentioned this pull request Mar 10, 2022
Open
@alexec
Copy link
Contributor

alexec commented Mar 10, 2022

I think it needs a test with overlapping volume mount.

@stale
Copy link

stale bot commented Apr 16, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the problem/stale This has not had a response in some time label Apr 16, 2022
@stale stale bot closed this Apr 19, 2022
@louisblin
Copy link
Author

Still planning to work on this in the next couple weeks fyi

@tooptoop4
Copy link
Contributor

where @louisblin

@agilgur5 agilgur5 added area/controller Controller issues, panics area/executor labels Oct 22, 2024
@agilgur5 agilgur5 changed the title fix: read/write mount mode for init / wait containers. Fixes #7755 fix: remove readOnly: false mode for init / wait overlapping volume mounts. Fixes #7755 Oct 22, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
area/controller Controller issues, panics area/executor problem/stale This has not had a response in some time
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Incompatibility with PSPs using read-only allowed host paths
4 participants
@louisblin @alexec @tooptoop4 @agilgur5