Add read-only mount to play kube

add support for read-only volume mounts in podman play kube Signed-off-by: Ashley Cui <acui@redhat.com>
2025-06-22 18:08:11 +08:00 · 2020-09-10 14:56:47 -04:00
parent be7778df6c
commit 20f73b857f
2 changed files with 48 additions and 2 deletions
--- a/pkg/domain/infra/abi/play.go
+++ b/pkg/domain/infra/abi/play.go
@ -556,6 +556,7 @@ func kubeContainerToCreateConfig(ctx context.Context, containerYAML v1.Container
 	containerConfig.Env = envs

 	for _, volume := range containerYAML.VolumeMounts {
+		var readonly string
 		hostPath, exists := volumes[volume.Name]
 		if !exists {
 			return nil, errors.Errorf("Volume mount %s specified for container but not configured in volumes", volume.Name)
@ -563,7 +564,10 @@ func kubeContainerToCreateConfig(ctx context.Context, containerYAML v1.Container
 		if err := parse.ValidateVolumeCtrDir(volume.MountPath); err != nil {
 			return nil, errors.Wrapf(err, "error in parsing MountPath")
 		}
-		containerConfig.Volumes = append(containerConfig.Volumes, fmt.Sprintf("%s:%s", hostPath, volume.MountPath))
+		if volume.ReadOnly {
+			readonly = ":ro"
+		}
+		containerConfig.Volumes = append(containerConfig.Volumes, fmt.Sprintf("%s:%s%s", hostPath, volume.MountPath, readonly))
 	}
 	return &containerConfig, nil
 }
--- a/test/e2e/play_kube_test.go
+++ b/test/e2e/play_kube_test.go
@ -99,6 +99,12 @@ spec:
      hostPort: {{ .Port }}
      protocol: TCP
    workingDir: /
+    volumeMounts:
+    {{ if .VolumeMount }}
+    - name: {{.VolumeName}}
+      mountPath: {{ .VolumeMountPath }}
+      readonly: {{.VolumeReadOnly}}
+      {{ end }}
    {{ end }}
  {{ end }}
 {{ end }}
@ -383,12 +389,16 @@ type Ctr struct {
 	PullPolicy      string
 	HostIP          string
 	Port            string
+	VolumeMount     bool
+	VolumeMountPath string
+	VolumeName      string
+	VolumeReadOnly  bool
 }

 // getCtr takes a list of ctrOptions and returns a Ctr with sane defaults
 // and the configured options
 func getCtr(options ...ctrOption) *Ctr {
-	c := Ctr{defaultCtrName, defaultCtrImage, defaultCtrCmd, defaultCtrArg, true, false, nil, nil, "", "", ""}
+	c := Ctr{defaultCtrName, defaultCtrImage, defaultCtrCmd, defaultCtrArg, true, false, nil, nil, "", "", "", false, "", "", false}
 	for _, option := range options {
 		option(&c)
 	}
@ -448,6 +458,15 @@ func withHostIP(ip string, port string) ctrOption {
 	}
 }

+func withVolumeMount(mountPath string, readonly bool) ctrOption {
+	return func(c *Ctr) {
+		c.VolumeMountPath = mountPath
+		c.VolumeName = defaultVolName
+		c.VolumeReadOnly = readonly
+		c.VolumeMount = true
+	}
+}
+
 func getCtrNameInPod(pod *Pod) string {
 	return fmt.Sprintf("%s-%s", pod.Name, defaultCtrName)
 }
@ -1035,4 +1054,27 @@ spec:
 		kube.WaitWithDefaultTimeout()
 		Expect(kube.ExitCode()).NotTo(Equal(0))
 	})
+
+	It("podman play kube test with read only volume", func() {
+		hostPathLocation := filepath.Join(tempdir, "file")
+		f, err := os.Create(hostPathLocation)
+		Expect(err).To(BeNil())
+		f.Close()
+
+		ctr := getCtr(withVolumeMount(hostPathLocation, true), withImage(BB))
+		pod := getPod(withVolume(getVolume("File", hostPathLocation)), withCtr(ctr))
+		err = generatePodKubeYaml(pod, kubeYaml)
+		Expect(err).To(BeNil())
+
+		kube := podmanTest.Podman([]string{"play", "kube", kubeYaml})
+		kube.WaitWithDefaultTimeout()
+		Expect(kube.ExitCode()).To(Equal(0))
+
+		inspect := podmanTest.Podman([]string{"inspect", getCtrNameInPod(pod), "--format", "'{{.HostConfig.Binds}}'"})
+		inspect.WaitWithDefaultTimeout()
+		Expect(inspect.ExitCode()).To(Equal(0))
+
+		correct := fmt.Sprintf("%s:%s:%s", hostPathLocation, hostPathLocation, "ro")
+		Expect(inspect.OutputToString()).To(ContainSubstring(correct))
+	})
 })