Merge pull request #8284 from sseago/selinux-readonly

only set spec.volumes readonly if PVC is readonly for datamover
2026-01-05 04:55:22 +00:00 · 2024-10-11 13:28:04 +08:00
parent b34e0116d7 de7a414511
commit f02613d2f7
2 changed files with 9 additions and 2 deletions
--- a/changelogs/unreleased/8284-sseago
+++ b/changelogs/unreleased/8284-sseago
@@ -0,0 +1 @@
+only set spec.volumes readonly if PVC is readonly for datamover
--- a/pkg/exposer/csi_snapshot.go
+++ b/pkg/exposer/csi_snapshot.go
@@ -202,6 +202,7 @@ func (e *csiSnapshotExposer) Expose(ctx context.Context, ownerObject corev1.Obje
 		csiExposeParam.HostingPodLabels,
 		csiExposeParam.Affinity,
 		csiExposeParam.Resources,
+		backupPVCReadOnly,
 	)
 	if err != nil {
 		return errors.Wrap(err, "error to create backup pod")
@@ -442,6 +443,7 @@ func (e *csiSnapshotExposer) createBackupPod(
 	label map[string]string,
 	affinity *kube.LoadAffinity,
 	resources corev1.ResourceRequirements,
+	backupPVCReadOnly bool,
 ) (*corev1.Pod, error) {
 	podName := ownerObject.Name

@@ -454,7 +456,7 @@ func (e *csiSnapshotExposer) createBackupPod(
 	}

 	var gracePeriod int64 = 0
-	volumeMounts, volumeDevices, volumePath := kube.MakePodPVCAttachment(volumeName, backupPVC.Spec.VolumeMode, true)
+	volumeMounts, volumeDevices, volumePath := kube.MakePodPVCAttachment(volumeName, backupPVC.Spec.VolumeMode, backupPVCReadOnly)
 	volumeMounts = append(volumeMounts, podInfo.volumeMounts...)

 	volumes := []corev1.Volume{{
@@ -462,10 +464,14 @@ func (e *csiSnapshotExposer) createBackupPod(
 		VolumeSource: corev1.VolumeSource{
 			PersistentVolumeClaim: &corev1.PersistentVolumeClaimVolumeSource{
 				ClaimName: backupPVC.Name,
-				ReadOnly:  true,
 			},
 		},
 	}}
+
+	if backupPVCReadOnly {
+		volumes[0].VolumeSource.PersistentVolumeClaim.ReadOnly = true
+	}
+
 	volumes = append(volumes, podInfo.volumes...)

 	if label == nil {
				`@@ -0,0 +1 @@`
				`only set spec.volumes readonly if PVC is readonly for datamover`