© 2024, Global Digital Services LLC.

Kubernetes 1.30: Enhancements to Read-Only Volume Mounts for Better Security


Carlos Noguera - December 18, 2024

Kubernetes has launched version 1.30, featuring an important update to its read-only volume mounts that strengthens the security of containerized applications. Earlier versions offered read-only mounts, but the read-only flag applied only to the top-level mount point: any mount nested below it (a sub-mount) could still be written to, risking unauthorized data changes.

New Features in Kubernetes 1.30

The latest release introduces a recursiveReadOnly field for volume mounts that lets users enforce read-only permissions throughout all sub-mounts. With it, not just the designated mount point but also every mount nested beneath it remains read-only, closing the gap that previously let a container modify data under a nominally read-only volume.

How to Implement the New Feature

To take advantage of this feature, users must set both of the following on the volume mount in their pod specifications:

  • readOnly: true
  • recursiveReadOnly: Enabled

This implementation requires:

  1. Linux kernel version 5.12 or later
  2. Compatible container runtimes like containerd version 2.0 or later
  3. OCI runtimes such as runc version 1.1 or later

Currently, the recursiveReadOnly feature is in its alpha stage but will likely move to beta and eventually to general availability. Users looking to use this capability need to enable the feature gate manually, as it remains disabled by default for compatibility purposes.
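The following pod manifest is an added example (not from the original post) showing the two fields above on a single volume mount. The pod name, image and hostPath directory are constructed for illustration; the cluster is assumed to meet the kernel and runtime requirements listed above and to have the RecursiveReadOnlyMounts feature gate enabled.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: rro-demo                 # constructed name
spec:
  volumes:
  - name: data
    hostPath:
      path: /srv/rro-demo        # constructed path; imagine a sub-mount under it
      type: Directory
  containers:
  - name: app
    image: busybox:1.36          # constructed choice of image
    command: ["sh", "-c", "sleep 3600"]
    volumeMounts:
    - name: data
      mountPath: /mnt/data
      # readOnly alone (the pre-1.30 behaviour) protects only /mnt/data itself;
      # a mount nested beneath it would still be writable from the container.
      readOnly: true
      # Enabled: fail pod creation if the kubelet/runtime cannot honour
      # recursive read-only. IfPossible would silently fall back to the
      # non-recursive behaviour instead.
      recursiveReadOnly: Enabled
      # Enabled requires readOnly: true and mountPropagation left unset
      # (or explicitly None); other propagation modes are rejected.
```

After the pod is running, `kubectl get pod rro-demo -o jsonpath='{.status.containerStatuses[0].volumeMounts}'` reports the recursiveReadOnly value that was actually applied, which is the check to rely on rather than the spec alone.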

For comprehensive guidance on using recursive read-only mounts, the Kubernetes documentation offers extensive resources.
