From c028b41daa59f332e0007f2b7f6cb6eb650f0cd5 Mon Sep 17 00:00:00 2001
From: Billy Lynch
Date: Thu, 16 Sep 2021 14:05:38 -0400
Subject: [PATCH] Mark Downward API VolumeMount as readonly. This is effectively a no-op change, since the Downwards API Volume is already readonly. This simply updates the VolumeMount to also mark the volume as read-only for completeness.
---
 pkg/pod/entrypoint.go | 3 +++
 pkg/reconciler/taskrun/taskrun_test.go | 26 +++++++++++++-------------
 2 files changed, 16 insertions(+), 13 deletions(-)
diff --git a/pkg/pod/entrypoint.go b/pkg/pod/entrypoint.go
index 091135aa979..c989c41ff71 100644
--- a/pkg/pod/entrypoint.go
+++ b/pkg/pod/entrypoint.go
@@ -82,6 +82,9 @@ var (
 downwardMount = corev1.VolumeMount{
 Name: downwardVolumeName,
 MountPath: downwardMountPoint,
+ // Marking this volume mountreadonly is technically redundant,
+ // since the volume itself is readonly, but including for completeness.
+ ReadOnly: true,
 }
 )
diff --git a/pkg/reconciler/taskrun/taskrun_test.go b/pkg/reconciler/taskrun/taskrun_test.go
index f6618aff38e..4353ddd6d6f 100644
--- a/pkg/reconciler/taskrun/taskrun_test.go
+++ b/pkg/reconciler/taskrun/taskrun_test.go
@@ -508,7 +508,7 @@ func TestReconcile_ExplicitDefaultSA(t *testing.T) {
 "--",
 ),
 tb.VolumeMount("tekton-internal-tools", "/tekton/tools"),
- tb.VolumeMount("tekton-internal-downward", "/tekton/downward"),
+ tb.VolumeMount("tekton-internal-downward", "/tekton/downward", func(vm *corev1.VolumeMount) { vm.ReadOnly = true }),
 tb.VolumeMount("tekton-creds-init-home-0", "/tekton/creds"),
 tb.VolumeMount("tekton-internal-workspace", workspaceDir),
 tb.VolumeMount("tekton-internal-home", "/tekton/home"),
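Review bot: The comment added above `ReadOnly: true` in pkg/pod/entrypoint.go runs two words together (`mountreadonly`) and describes the field only as redundant, which invites a later cleanup to delete it. The read-only behaviour of a downward API volume is presumably enforced by the cluster rather than by anything in this spec, so the explicit flag is what makes the intent visible to someone auditing the rendered pod or to an admission policy that inspects mounts. I would reword it to `// Mount read-only explicitly: the downward API volume is already read-only, but stating it here keeps the intent visible in the pod spec.` The enclosing `var (` block starts outside the hunk.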
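Review bot: The inline closure `func(vm *corev1.VolumeMount) { vm.ReadOnly = true }` is pasted into every expected downward mount in pkg/reconciler/taskrun/taskrun_test.go, in the hunk at -508 and again in the twelve hunks from -557 through -1712. Declaring it once, for example `var readOnlyMount = func(vm *corev1.VolumeMount) { vm.ReadOnly = true }`, and passing `readOnlyMount` as the third argument would keep the expectation in one place and make a future change to the mount options a one-line edit. The test functions these hunks belong to start and end outside the hunks, so whether a suitable shared helper already exists in the file cannot be seen from here.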
@@ -557,7 +557,7 @@ func TestReconcile_ExplicitDefaultSA(t *testing.T) {
 "--",
 ),
 tb.VolumeMount("tekton-internal-tools", "/tekton/tools"),
- tb.VolumeMount("tekton-internal-downward", "/tekton/downward"),
+ tb.VolumeMount("tekton-internal-downward", "/tekton/downward", func(vm *corev1.VolumeMount) { vm.ReadOnly = true }),
 tb.VolumeMount("tekton-creds-init-home-0", "/tekton/creds"),
 tb.VolumeMount("tekton-internal-workspace", workspaceDir),
 tb.VolumeMount("tekton-internal-home", "/tekton/home"),
@@ -696,7 +696,7 @@ func TestReconcile_FeatureFlags(t *testing.T) {
 ),
 tb.EnvVar("foo", "bar"),
 tb.VolumeMount("tekton-internal-tools", "/tekton/tools"),
- tb.VolumeMount("tekton-internal-downward", "/tekton/downward"),
+ tb.VolumeMount("tekton-internal-downward", "/tekton/downward", func(vm *corev1.VolumeMount) { vm.ReadOnly = true }),
 tb.VolumeMount("tekton-creds-init-home-0", "/tekton/creds"),
 tb.VolumeMount("tekton-internal-workspace", workspaceDir),
 tb.VolumeMount("tekton-internal-home", "/tekton/home"),
@@ -746,7 +746,7 @@ func TestReconcile_FeatureFlags(t *testing.T) {
 "--",
 ),
 tb.VolumeMount("tekton-internal-tools", "/tekton/tools"),
- tb.VolumeMount("tekton-internal-downward", "/tekton/downward"),
+ tb.VolumeMount("tekton-internal-downward", "/tekton/downward", func(vm *corev1.VolumeMount) { vm.ReadOnly = true }),
 tb.VolumeMount("tekton-creds-init-home-0", "/tekton/creds"),
 tb.VolumeMount("tekton-internal-workspace", workspaceDir),
 tb.VolumeMount("tekton-internal-home", "/tekton/home"),
@@ -1101,7 +1101,7 @@ func TestReconcile(t *testing.T) {
 "--",
 ),
 tb.VolumeMount("tekton-internal-tools", "/tekton/tools"),
- tb.VolumeMount("tekton-internal-downward", "/tekton/downward"),
+ tb.VolumeMount("tekton-internal-downward", "/tekton/downward", func(vm *corev1.VolumeMount) { vm.ReadOnly = true }),
 tb.VolumeMount("tekton-creds-init-home-0", "/tekton/creds"),
 tb.VolumeMount("tekton-internal-workspace", workspaceDir),
 tb.VolumeMount("tekton-internal-home", "/tekton/home"),
@@ -1153,7 +1153,7 @@ func TestReconcile(t *testing.T) {
 "--",
 ),
 tb.VolumeMount("tekton-internal-tools", "/tekton/tools"),
- tb.VolumeMount("tekton-internal-downward", "/tekton/downward"),
+ tb.VolumeMount("tekton-internal-downward", "/tekton/downward", func(vm *corev1.VolumeMount) { vm.ReadOnly = true }),
 tb.VolumeMount("tekton-creds-init-home-0", "/tekton/creds"),
 tb.VolumeMount("tekton-internal-workspace", workspaceDir),
 tb.VolumeMount("tekton-internal-home", "/tekton/home"),
@@ -1234,7 +1234,7 @@ func TestReconcile(t *testing.T) {
 "-p",
 "/workspace/output/myimage"),
 tb.VolumeMount("tekton-internal-tools", "/tekton/tools"),
- tb.VolumeMount("tekton-internal-downward", "/tekton/downward"),
+ tb.VolumeMount("tekton-internal-downward", "/tekton/downward", func(vm *corev1.VolumeMount) { vm.ReadOnly = true }),
 tb.VolumeMount("tekton-creds-init-home-0", "/tekton/creds"),
 tb.VolumeMount("tekton-internal-workspace", workspaceDir),
 tb.VolumeMount("tekton-internal-home", "/tekton/home"),
@@ -1399,7 +1399,7 @@ func TestReconcile(t *testing.T) {
 tb.EnvVar("HOME", "/tekton/home"),
 tb.WorkingDir("/workspace"),
 tb.VolumeMount("tekton-internal-tools", "/tekton/tools"),
- tb.VolumeMount("tekton-internal-downward", "/tekton/downward"),
+ tb.VolumeMount("tekton-internal-downward", "/tekton/downward", func(vm *corev1.VolumeMount) { vm.ReadOnly = true }),
 tb.VolumeMount("tekton-creds-init-home-0", "/tekton/creds"),
 tb.VolumeMount("tekton-internal-workspace", workspaceDir),
 tb.VolumeMount("tekton-internal-home", "/tekton/home"),
@@ -1474,7 +1474,7 @@ func TestReconcile(t *testing.T) {
 "--",
 ),
 tb.VolumeMount("tekton-internal-tools", "/tekton/tools"),
- tb.VolumeMount("tekton-internal-downward", "/tekton/downward"),
+ tb.VolumeMount("tekton-internal-downward", "/tekton/downward", func(vm *corev1.VolumeMount) { vm.ReadOnly = true }),
 tb.VolumeMount("tekton-creds-init-home-0", "/tekton/creds"),
 tb.VolumeMount("tekton-internal-workspace", workspaceDir),
 tb.VolumeMount("tekton-internal-home", "/tekton/home"),
@@ -1536,7 +1536,7 @@ func TestReconcile(t *testing.T) {
 tb.EnvVar("HOME", "/tekton/home"),
 tb.WorkingDir("/workspace"),
 tb.VolumeMount("tekton-internal-tools", "/tekton/tools"),
- tb.VolumeMount("tekton-internal-downward", "/tekton/downward"),
+ tb.VolumeMount("tekton-internal-downward", "/tekton/downward", func(vm *corev1.VolumeMount) { vm.ReadOnly = true }),
 tb.VolumeMount("tekton-creds-init-home-0", "/tekton/creds"),
 tb.VolumeMount("tekton-internal-workspace", workspaceDir),
 tb.VolumeMount("tekton-internal-home", "/tekton/home"),
@@ -1609,7 +1609,7 @@ func TestReconcile(t *testing.T) {
 "/mycmd",
 "--"),
 tb.VolumeMount("tekton-internal-tools", "/tekton/tools"),
- tb.VolumeMount("tekton-internal-downward", "/tekton/downward"),
+ tb.VolumeMount("tekton-internal-downward", "/tekton/downward", func(vm *corev1.VolumeMount) { vm.ReadOnly = true }),
 tb.VolumeMount("tekton-creds-init-home-0", "/tekton/creds"),
 tb.VolumeMount("tekton-internal-workspace", workspaceDir),
 tb.VolumeMount("tekton-internal-home", "/tekton/home"),
@@ -1660,7 +1660,7 @@ func TestReconcile(t *testing.T) {
 "/mycmd /tekton/creds",
 "--"),
 tb.VolumeMount("tekton-internal-tools", "/tekton/tools"),
- tb.VolumeMount("tekton-internal-downward", "/tekton/downward"),
+ tb.VolumeMount("tekton-internal-downward", "/tekton/downward", func(vm *corev1.VolumeMount) { vm.ReadOnly = true }),
 tb.VolumeMount("tekton-creds-init-home-0", "/tekton/creds"),
 tb.VolumeMount("tekton-internal-workspace", workspaceDir),
 tb.VolumeMount("tekton-internal-home", "/tekton/home"),
@@ -1712,7 +1712,7 @@ func TestReconcile(t *testing.T) {
 "--",
 ),
 tb.VolumeMount("tekton-internal-tools", "/tekton/tools"),
- tb.VolumeMount("tekton-internal-downward", "/tekton/downward"),
+ tb.VolumeMount("tekton-internal-downward", "/tekton/downward", func(vm *corev1.VolumeMount) { vm.ReadOnly = true }),
 tb.VolumeMount("tekton-creds-init-home-0", "/tekton/creds"),
 tb.VolumeMount("tekton-internal-workspace", workspaceDir),
 tb.VolumeMount("tekton-internal-home", "/tekton/home"),