Prevent unauthorised volume mode conversion

Status

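| Status | Min K8s Version | Max K8s Version | external-snapshotter Version | external-provisioner Version |
|--------|-----------------|-----------------|------------------------------|------------------------------|
| Alpha  | 1.24            | -               | 6.0.1+                       | 3.2.1+                       |
| Beta   | 1.28            | -               | 7.0.0+                       | 4.0.0+                       |
| GA     | 1.30            | -               | 8.0.1+                       | 5.0.1+                       |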

Overview

Malicious users can populate the spec.volumeMode field of a PersistentVolumeClaim with a Volume Mode that differs from the original volume's mode to potentially exploit an as-yet-unknown vulnerability in the host operating system. This feature allows cluster administrators to prevent unauthorized users from converting the mode of a volume when a PersistentVolumeClaim is being created from an existing VolumeSnapshot instance.

See the Kubernetes Enhancement Proposal for more details on the background, design and discussions.
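
The check this feature adds can be modelled offline to audit restore requests before they reach the provisioner. The following is an added example, not code from external-provisioner or the Kubernetes documentation: it assumes the VolumeSnapshotContent field spec.sourceVolumeMode and the annotation snapshot.storage.kubernetes.io/allow-volume-mode-change described in the KEP (neither is named on this page), and all helper names and sample objects are constructed.

```python
# Annotation and field names follow the KEP for this feature; this page does not name them.
ALLOW = "snapshot.storage.kubernetes.io/allow-volume-mode-change"

def decide(pvc, content):
    """Simplified model of the mode check, not the provisioner's own code."""
    requested = pvc["spec"].get("volumeMode") or "Filesystem"  # API server default
    source = content["spec"].get("sourceVolumeMode")           # optional field
    if source is None:
        return "allow", "no sourceVolumeMode recorded, nothing to compare"
    if source == requested:
        return "allow", f"mode unchanged ({source})"
    annotations = content["metadata"].get("annotations") or {}
    if annotations.get(ALLOW) == "true":  # assumption: only the literal "true" authorises
        return "allow", f"{source} -> {requested} authorised by annotation"
    return "deny", f"{source} -> {requested} without authorising annotation"

def audit(pvcs, contents):
    """Pair each snapshot-backed PVC with its VolumeSnapshotContent and decide."""
    by_ref = {(c["spec"]["volumeSnapshotRef"]["namespace"],
               c["spec"]["volumeSnapshotRef"]["name"]): c for c in contents}
    report = {}
    for pvc in pvcs:
        src = pvc["spec"].get("dataSource") or {}
        if src.get("kind") != "VolumeSnapshot":
            continue  # the feature only covers restores from a VolumeSnapshot
        found = by_ref.get((pvc["metadata"]["namespace"], src["name"]))
        report[pvc["metadata"]["name"]] = (
            decide(pvc, found) if found else ("unknown", "snapshot content not found"))
    return report

def content(snap, mode, allow=None):  # constructed sample VolumeSnapshotContent
    meta = {"name": f"snapcontent-{snap}"}
    if allow is not None:
        meta["annotations"] = {ALLOW: allow}
    ref = {"namespace": "demo", "name": snap}
    return {"metadata": meta, "spec": {"sourceVolumeMode": mode, "volumeSnapshotRef": ref}}

def claim(name, snap, mode=None):  # constructed sample PersistentVolumeClaim
    spec = {"dataSource": {"kind": "VolumeSnapshot", "name": snap}}
    if mode:
        spec["volumeMode"] = mode
    return {"metadata": {"namespace": "demo", "name": name}, "spec": spec}

CONTENTS = [content("snap-fs", "Filesystem"), content("snap-blk", "Block"),
            content("snap-ok", "Filesystem", allow="true")]
PVCS = [claim("restore-same", "snap-fs", "Filesystem"), claim("restore-convert", "snap-fs", "Block"),
        claim("restore-approved", "snap-ok", "Block"), claim("restore-default", "snap-blk")]

if __name__ == "__main__":
    for name, (verdict, why) in audit(PVCS, CONTENTS).items():
        print(f"{name:18} {verdict:6} {why}")
```

The restore-default case shows that a PVC which omits spec.volumeMode still requests a conversion when the snapshot was taken from a Block volume, because the omitted field defaults to Filesystem.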

Usage

This feature is enabled by default and moved to GA with the Kubernetes 1.30 release. To use this feature, cluster administrators must:

  • Create VolumeSnapshot APIs with a minimum version of v8.0.1.
  • Use snapshot-controller and snapshot-validation-webhook with a minimum version of v8.0.1.
  • Use external-provisioner with a minimum version of v5.0.1.

For more information about how to use the feature, visit the Kubernetes blog page.