Kubernetes has released version 1.30, featuring significant security upgrades in volume mode management for PersistentVolumeClaims (PVCs). A key highlight is the transition of the feature that prevents unauthorized volume mode conversions to General Availability (GA).
In Kubernetes, PVCs can be configured in either filesystem mode or raw block device mode. The introduction of the VolumeSnapshot feature allows for the creation of PVCs from existing VolumeSnapshots. However, earlier versions didn’t validate the volume mode of the original volume against that of the new PVC, which posed potential security risks.
With this new release, only authorized users (those with permission to update VolumeSnapshotContent objects) can change the volume mode when creating a PVC from a VolumeSnapshot. This step helps reduce risks linked to unauthorized modifications. Authorized users must adhere to a defined process that includes:
- Annotating the VolumeSnapshotContent to permit mode changes.
By default, the feature that restricts volume mode alterations is enabled in both the external-provisioner and external-snapshotter components. Users should ensure they comply with these new requirements to prevent any issues during PVC creation from VolumeSnapshots.
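To see ahead of time which snapshot restores this check would reject, the following added example (not code from Kubernetes or the CSI sidecars) models the decision over objects shaped like `kubectl get ... -o json` output. It assumes the `snapshot.storage.kubernetes.io/allow-volume-mode-change` annotation with the documented value `"true"` and the `spec.sourceVolumeMode` field on VolumeSnapshotContent; the function name, verdict strings and sample objects are constructed for illustration.

```python
# Added example: models the volume-mode check; not the external-provisioner's code.
ALLOW_ANNOTATION = "snapshot.storage.kubernetes.io/allow-volume-mode-change"

def audit_restores(pvcs, snapshots, contents):
    """Return (namespace/name, verdict) for each PVC restored from a VolumeSnapshot."""
    snap_by_key = {(s["metadata"]["namespace"], s["metadata"]["name"]): s
                   for s in snapshots}
    content_by_name = {c["metadata"]["name"]: c for c in contents}  # cluster-scoped
    results = []
    for pvc in pvcs:
        src = pvc["spec"].get("dataSource") or {}
        if src.get("kind") != "VolumeSnapshot":
            continue  # not a snapshot restore, check does not apply
        ns, name = pvc["metadata"]["namespace"], pvc["metadata"]["name"]
        snap = snap_by_key.get((ns, src["name"])) or {}
        bound = snap.get("status", {}).get("boundVolumeSnapshotContentName")
        content = content_by_name.get(bound)
        if content is None:
            results.append((f"{ns}/{name}", "unresolved"))
            continue
        source_mode = content["spec"].get("sourceVolumeMode")
        wanted = pvc["spec"].get("volumeMode", "Filesystem")  # API server default
        annotations = content["metadata"].get("annotations") or {}
        if source_mode is None or source_mode == wanted:
            verdict = "same-mode"             # nothing to convert or compare
        elif annotations.get(ALLOW_ANNOTATION) == "true":
            verdict = "converted-authorized"  # worth reviewing who set the annotation
        else:
            verdict = "rejected"              # provisioning would fail
        results.append((f"{ns}/{name}", verdict))
    return results

# Constructed sample objects (hypothetical names, namespace "demo").
def _pvc(name, mode, snap):
    return {"metadata": {"namespace": "demo", "name": name},
            "spec": {"volumeMode": mode,
                     "dataSource": {"kind": "VolumeSnapshot", "name": snap}}}

def _pair(snap, content, mode, annotations=None):
    return ({"metadata": {"namespace": "demo", "name": snap},
             "status": {"boundVolumeSnapshotContentName": content}},
            {"metadata": {"name": content, "annotations": annotations or {}},
             "spec": {"sourceVolumeMode": mode}})

SAMPLE_SNAPSHOTS, SAMPLE_CONTENTS = zip(
    _pair("snap-a", "content-a", "Filesystem"),
    _pair("snap-b", "content-b", "Filesystem", {ALLOW_ANNOTATION: "true"}))
SAMPLE_PVCS = [_pvc("same", "Filesystem", "snap-a"),
               _pvc("mismatch", "Block", "snap-a"),
               _pvc("approved", "Block", "snap-b")]
print(audit_restores(SAMPLE_PVCS, SAMPLE_SNAPSHOTS, SAMPLE_CONTENTS))
```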
For more details and updates, check the Kubernetes documentation and community forums.