github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Disallow subpath for ephemeral container mounts

Browse Source
This commit is contained in:
Lee Verberne
2021-10-16 07:02:10 -07:00
parent d1d7882186
commit f81c48cd0a
4 changed files with 50 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
pkg/apis/core/validation/validation.go
View File

@@ -2873,6 +2873,18 @@ func validateEphemeralContainers(ephemeralContainers []core.EphemeralContainer,
// Lifecycle, probes, resources and ports should be disallowed. This is implemented as a list
// of allowed fields so that new fields will be given consideration prior to inclusion in Ephemeral Containers.
allErrs = append(allErrs, validateFieldAllowList(ec.EphemeralContainerCommon, allowedEphemeralContainerFields, "cannot be set for an Ephemeral Container", idxPath)...)
// VolumeMount subpaths have the potential to leak resources since they're implemented with bind mounts
// that aren't cleaned up until the pod exits. Since they also imply that the container is being used
// as part of the workload, they're disallowed entirely.
for i, vm := range ec.VolumeMounts {
if vm.SubPath != "" {
allErrs = append(allErrs, field.Forbidden(idxPath.Child("volumeMounts").Index(i).Child("subPath"), "cannot be set for an Ephemeral Container"))
}
if vm.SubPathExpr != "" {
allErrs = append(allErrs, field.Forbidden(idxPath.Child("volumeMounts").Index(i).Child("subPathExpr"), "cannot be set for an Ephemeral Container"))
}
}
}
return allErrs