Prevent unauthorised volume mode conversion


StatusMin K8s VersionMax K8s Versionexternal-snapshotter Versionexternal-provisioner Version


Malicious users can populate the spec.volumeMode field of a PersistentVolumeClaim with a Volume Mode that differs from the original volume's mode to potentially exploit an as-yet-unknown vulnerability in the host operating system. This feature allows cluster administrators to prevent unauthorized users from converting the mode of a volume when a PersistentVolumeClaim is being created from an existing VolumeSnapshot instance.

See the Kubernetes Enhancement Proposal for more details on the background, design and discussions.


To enable this feature, cluster administrators must:

  • Create VolumeSnapshot APIs with a minimum version of v6.0.1.
  • Use snapshot-controller and snapshot-validation-webhook with a minimum version of v6.0.1.
  • Use external-provisioner with a minimum version of v3.2.1.
  • Set --prevent-volume-mode-conversion=true flag in snapshot-controller, snapshot-validation-webhook and external-provisioner.

For more information about how to use the feature, visit the Kubernetes blog page.