Mark Downward API VolumeMount as readonly.

This is effectively a no-op change, since the Downwards API Volume is
already readonly. This simply updates the VolumeMount to also mark the
volume as read-only for completeness.

pkg/pod/entrypoint.go

@@ -99,6 +99,9 @@ var (
 	downwardMount = corev1.VolumeMount{
 		Name:      downwardVolumeName,
 		MountPath: downwardMountPoint,
+		// Marking this volume mount readonly is technically redundant,
+		// since the volume itself is readonly, but including for completeness.
+		ReadOnly: true,
 	}
 )
 

pkg/reconciler/taskrun/taskrun_test.go

@@ -514,7 +514,7 @@ func TestReconcile_ExplicitDefaultSA(t *testing.T) {
 					),
 					tb.VolumeMount("tekton-internal-bin", "/tekton/bin", tb.VolumeMountRO),
 					tb.VolumeMount("tekton-internal-run", "/tekton/run"),
-					tb.VolumeMount("tekton-internal-downward", "/tekton/downward"),
+					tb.VolumeMount("tekton-internal-downward", "/tekton/downward", tb.VolumeMountRO),
 					tb.VolumeMount("tekton-creds-init-home-0", "/tekton/creds"),
 					tb.VolumeMount("tekton-internal-workspace", workspaceDir),
 					tb.VolumeMount("tekton-internal-home", "/tekton/home"),
@@ -564,7 +564,7 @@ func TestReconcile_ExplicitDefaultSA(t *testing.T) {
 					),
 					tb.VolumeMount("tekton-internal-bin", "/tekton/bin", tb.VolumeMountRO),
 					tb.VolumeMount("tekton-internal-run", "/tekton/run"),
-					tb.VolumeMount("tekton-internal-downward", "/tekton/downward"),
+					tb.VolumeMount("tekton-internal-downward", "/tekton/downward", tb.VolumeMountRO),
 					tb.VolumeMount("tekton-creds-init-home-0", "/tekton/creds"),
 					tb.VolumeMount("tekton-internal-workspace", workspaceDir),
 					tb.VolumeMount("tekton-internal-home", "/tekton/home"),
@@ -704,7 +704,7 @@ func TestReconcile_FeatureFlags(t *testing.T) {
 					tb.EnvVar("foo", "bar"),
 					tb.VolumeMount("tekton-internal-bin", "/tekton/bin", tb.VolumeMountRO),
 					tb.VolumeMount("tekton-internal-run", "/tekton/run"),
-					tb.VolumeMount("tekton-internal-downward", "/tekton/downward"),
+					tb.VolumeMount("tekton-internal-downward", "/tekton/downward", tb.VolumeMountRO),
 					tb.VolumeMount("tekton-creds-init-home-0", "/tekton/creds"),
 					tb.VolumeMount("tekton-internal-workspace", workspaceDir),
 					tb.VolumeMount("tekton-internal-home", "/tekton/home"),
@@ -755,7 +755,7 @@ func TestReconcile_FeatureFlags(t *testing.T) {
 					),
 					tb.VolumeMount("tekton-internal-bin", "/tekton/bin", tb.VolumeMountRO),
 					tb.VolumeMount("tekton-internal-run", "/tekton/run"),
-					tb.VolumeMount("tekton-internal-downward", "/tekton/downward"),
+					tb.VolumeMount("tekton-internal-downward", "/tekton/downward", tb.VolumeMountRO),
 					tb.VolumeMount("tekton-creds-init-home-0", "/tekton/creds"),
 					tb.VolumeMount("tekton-internal-workspace", workspaceDir),
 					tb.VolumeMount("tekton-internal-home", "/tekton/home"),
@@ -1111,7 +1111,7 @@ func TestReconcile(t *testing.T) {
 					),
 					tb.VolumeMount("tekton-internal-bin", "/tekton/bin", tb.VolumeMountRO),
 					tb.VolumeMount("tekton-internal-run", "/tekton/run"),
-					tb.VolumeMount("tekton-internal-downward", "/tekton/downward"),
+					tb.VolumeMount("tekton-internal-downward", "/tekton/downward", tb.VolumeMountRO),
 					tb.VolumeMount("tekton-creds-init-home-0", "/tekton/creds"),
 					tb.VolumeMount("tekton-internal-workspace", workspaceDir),
 					tb.VolumeMount("tekton-internal-home", "/tekton/home"),
@@ -1164,7 +1164,7 @@ func TestReconcile(t *testing.T) {
 					),
 					tb.VolumeMount("tekton-internal-bin", "/tekton/bin", tb.VolumeMountRO),
 					tb.VolumeMount("tekton-internal-run", "/tekton/run"),
-					tb.VolumeMount("tekton-internal-downward", "/tekton/downward"),
+					tb.VolumeMount("tekton-internal-downward", "/tekton/downward", tb.VolumeMountRO),
 					tb.VolumeMount("tekton-creds-init-home-0", "/tekton/creds"),
 					tb.VolumeMount("tekton-internal-workspace", workspaceDir),
 					tb.VolumeMount("tekton-internal-home", "/tekton/home"),
@@ -1246,7 +1246,7 @@ func TestReconcile(t *testing.T) {
 						"/workspace/output/myimage"),
 					tb.VolumeMount("tekton-internal-bin", "/tekton/bin", tb.VolumeMountRO),
 					tb.VolumeMount("tekton-internal-run", "/tekton/run"),
-					tb.VolumeMount("tekton-internal-downward", "/tekton/downward"),
+					tb.VolumeMount("tekton-internal-downward", "/tekton/downward", tb.VolumeMountRO),
 					tb.VolumeMount("tekton-creds-init-home-0", "/tekton/creds"),
 					tb.VolumeMount("tekton-internal-workspace", workspaceDir),
 					tb.VolumeMount("tekton-internal-home", "/tekton/home"),
@@ -1416,7 +1416,7 @@ func TestReconcile(t *testing.T) {
 					tb.WorkingDir("/workspace"),
 					tb.VolumeMount("tekton-internal-bin", "/tekton/bin", tb.VolumeMountRO),
 					tb.VolumeMount("tekton-internal-run", "/tekton/run"),
-					tb.VolumeMount("tekton-internal-downward", "/tekton/downward"),
+					tb.VolumeMount("tekton-internal-downward", "/tekton/downward", tb.VolumeMountRO),
 					tb.VolumeMount("tekton-creds-init-home-0", "/tekton/creds"),
 					tb.VolumeMount("tekton-internal-workspace", workspaceDir),
 					tb.VolumeMount("tekton-internal-home", "/tekton/home"),
@@ -1493,7 +1493,7 @@ func TestReconcile(t *testing.T) {
 					),
 					tb.VolumeMount("tekton-internal-bin", "/tekton/bin", tb.VolumeMountRO),
 					tb.VolumeMount("tekton-internal-run", "/tekton/run"),
-					tb.VolumeMount("tekton-internal-downward", "/tekton/downward"),
+					tb.VolumeMount("tekton-internal-downward", "/tekton/downward", tb.VolumeMountRO),
 					tb.VolumeMount("tekton-creds-init-home-0", "/tekton/creds"),
 					tb.VolumeMount("tekton-internal-workspace", workspaceDir),
 					tb.VolumeMount("tekton-internal-home", "/tekton/home"),
@@ -1556,7 +1556,7 @@ func TestReconcile(t *testing.T) {
 					tb.WorkingDir("/workspace"),
 					tb.VolumeMount("tekton-internal-bin", "/tekton/bin", tb.VolumeMountRO),
 					tb.VolumeMount("tekton-internal-run", "/tekton/run"),
-					tb.VolumeMount("tekton-internal-downward", "/tekton/downward"),
+					tb.VolumeMount("tekton-internal-downward", "/tekton/downward", tb.VolumeMountRO),
 					tb.VolumeMount("tekton-creds-init-home-0", "/tekton/creds"),
 					tb.VolumeMount("tekton-internal-workspace", workspaceDir),
 					tb.VolumeMount("tekton-internal-home", "/tekton/home"),
@@ -1631,7 +1631,7 @@ func TestReconcile(t *testing.T) {
 						"--"),
 					tb.VolumeMount("tekton-internal-bin", "/tekton/bin", tb.VolumeMountRO),
 					tb.VolumeMount("tekton-internal-run", "/tekton/run"),
-					tb.VolumeMount("tekton-internal-downward", "/tekton/downward"),
+					tb.VolumeMount("tekton-internal-downward", "/tekton/downward", tb.VolumeMountRO),
 					tb.VolumeMount("tekton-creds-init-home-0", "/tekton/creds"),
 					tb.VolumeMount("tekton-internal-workspace", workspaceDir),
 					tb.VolumeMount("tekton-internal-home", "/tekton/home"),
@@ -1683,7 +1683,7 @@ func TestReconcile(t *testing.T) {
 						"--"),
 					tb.VolumeMount("tekton-internal-bin", "/tekton/bin", tb.VolumeMountRO),
 					tb.VolumeMount("tekton-internal-run", "/tekton/run"),
-					tb.VolumeMount("tekton-internal-downward", "/tekton/downward"),
+					tb.VolumeMount("tekton-internal-downward", "/tekton/downward", tb.VolumeMountRO),
 					tb.VolumeMount("tekton-creds-init-home-0", "/tekton/creds"),
 					tb.VolumeMount("tekton-internal-workspace", workspaceDir),
 					tb.VolumeMount("tekton-internal-home", "/tekton/home"),
@@ -1736,7 +1736,7 @@ func TestReconcile(t *testing.T) {
 					),
 					tb.VolumeMount("tekton-internal-bin", "/tekton/bin", tb.VolumeMountRO),
 					tb.VolumeMount("tekton-internal-run", "/tekton/run"),
-					tb.VolumeMount("tekton-internal-downward", "/tekton/downward"),
+					tb.VolumeMount("tekton-internal-downward", "/tekton/downward", tb.VolumeMountRO),
 					tb.VolumeMount("tekton-creds-init-home-0", "/tekton/creds"),
 					tb.VolumeMount("tekton-internal-workspace", workspaceDir),
 					tb.VolumeMount("tekton-internal-home", "/tekton/home"),