diff --git a/pkg/server/container_create.go b/pkg/server/container_create.go
index 523f4fbbf..14a2bcf72 100644
--- a/pkg/server/container_create.go
+++ b/pkg/server/container_create.go
@@ -603,6 +603,8 @@ func (c *criContainerdService) addOCIBindMounts(g *generate.Generator, mounts []
 			options = append(options, "rprivate")
 		}
 
+		// NOTE(random-liu): we don't change all mounts to `ro` when root filesystem
+		// is readonly. This is different from docker's behavior, but make more sense.
 		if mount.GetReadonly() {
 			options = append(options, "ro")
 		} else {