Commit 6bc7eaa

Documentation to prevent volume mode conversion
1 parent 081156d commit 6bc7eaa

2 files changed

+33
-2
lines changed

+31
@@ -0,0 +1,31 @@
1+
# Prevent unauthorised volume mode conversion
2+
3+
## Status
4+
5+
Status | Min K8s Version | Max K8s Version | external-snapshotter Version | external-provisioner Version
6+
--|--|--|--|--
7+
Alpha | 1.24 | - | 6.0.1+ | 3.2.1+
8+
9+
## Overview
10+
11+
Malicious users can populate the `spec.volumeMode` field of a `PersistentVolumeClaim`
12+
with a [Volume Mode](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#volume-mode)
13+
that differs from the original volume's mode to potentially exploit an as-yet-unknown
14+
vulnerability in the host operating system.
15+
This feature allows cluster administrators to prevent unauthorized users from converting
16+
the mode of a volume when a `PersistentVolumeClaim` is being created from an existing
17+
`VolumeSnapshot` instance.
18+
19+
> See the [Kubernetes Enhancement Proposal](https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/3141-prevent-volume-mode-conversion)
20+
> for more details on the background, design and discussions.
21+
22+
## Usage
23+
24+
To enable this feature, cluster administrators must:
25+
26+
* Create `VolumeSnapshot` APIs with a minimum version of [`v6.0.1`](https://github.com/kubernetes-csi/external-snapshotter/releases/tag/client%2Fv6.0.1).
27+
* Use `snapshot-controller` and `snapshot-validation-webhook` with a minimum version of `v6.0.1`.
28+
* Use `external-provisioner` with a minimum version of [`v3.2.1`](https://github.com/kubernetes-csi/external-provisioner/releases/tag/v3.2.1).
29+
* Set `--prevent-volume-mode-conversion=true` flag in `snapshot-controller`, `snapshot-validation-webhook` and `external-provisioner`.
30+
31+
> For more information about how to use the feature, visit the [Kubernetes blog](https://kubernetes.io/blog/2022/05/18/prevent-unauthorised-volume-mode-conversion-alpha/) page.
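
Review bot: The Usage list (new lines 24-28) only covers switching the flag on; nothing on this page says what distinguishes an authorized user from an unauthorized one, or what a user sees when a `PersistentVolumeClaim` with a changed `spec.volumeMode` is rejected, so the Overview's promise to "prevent unauthorized users" cannot be acted on without following the blog link. Suggest adding a short paragraph after the bullet list that describes how an administrator permits a legitimate conversion and how a blocked request is reported. Two smaller points: the title spells it "unauthorised" while line 15 uses "unauthorized", so pick one; and "Create `VolumeSnapshot` APIs" on line 26 is ambiguous, so state what is actually installed at `v6.0.1`.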

hack/gen-api.sh

+2-2
@@ -28,11 +28,11 @@ git clone [email protected]:ahmetb/gen-crd-api-reference-docs.git "$gen_tool_dir"
2828
git clone [email protected]:kubernetes-csi/external-snapshotter.git "$csi_dir"
2929

3030
cd "$gen_tool_dir"
31-
git co "$GEN_TOOL_REF"
31+
git checkout "$GEN_TOOL_REF"
3232
go build "$gen_tool_dir"
3333

3434
cd "$csi_dir"
35-
git co "$CSI_REF"
35+
git checkout "$CSI_REF"
3636
$gen_tool_dir/gen-crd-api-reference-docs \
3737
-config="$curr_dir/$config_path" \
3838
-api-dir="./client/apis/volumesnapshot/v1" \
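
Review bot: On new lines 31 and 35, `git checkout "$GEN_TOOL_REF"` and `git checkout "$CSI_REF"` are the steps that pin what gets built, but the visible lines do not show whether the script aborts when a checkout fails; if it does not run under `set -e`, a bad ref would leave the clone on its default branch, and `go build` and the doc generator would then run against unpinned code. Suggest confirming `set -e` near the top of `hack/gen-api.sh`, or appending `|| exit 1` to both checkouts. Minor style point: `$gen_tool_dir/gen-crd-api-reference-docs` on line 36 is unquoted while every other use of `$gen_tool_dir` in this hunk is quoted.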
