I want to utilize data from a persistent volume as readOnly
inside a container.
What is the difference of setting the readOnly
flag under the volumeMounts
vs the deployment volumes.persistentVolumeClaim
?
The results seems to be the same. Is one of the two redundant?
---
kind: Deployment
apiVersion: apps/v1
metadata:
name: ${ORDERER_ORG_NAME}-delpoyment
namespace: ${NS}
labels:
app: ${ORDERER_ORG_NAME}
spec:
replicas: 1
selector:
matchLabels:
app: ${ORDERER_ORG_NAME}
template:
metadata:
labels:
app: ${ORDERER_ORG_NAME}
spec:
initContainers:
- name: prepare-tls-certs
image: busybox
imagePullPolicy: IfNotPresent
command: ["/bin/sh", "wait-for-certs.sh"]
volumeMounts:
- name: fabric-volume
mountPath: ${ORDERER_ORG_PATH}
subPath: var/hyperledger/config/tls
readOnly: true
containers: # other containers
volumes:
- name: fabric-volume
persistentVolumeClaim:
readOnly: true
claimName: fabric-pvc
CodePudding user response:
In your case, yes, the outcome is the same. But this functionality is not redundant, because the readOnly
on a volume and readOnly
on a mountPoint
have different implications. For example,
readOnly: true
on avolumeMount
means that thero
mount option is set when mounting your endpoint. This is on thecontainer level
. You can read more aboutmount options
here.readOnly: true
on a volume means the volume is readonly. Even if you don't mount it asreadOnly
, you cannot write to it. This is on a pod level and any container that will mount this volume will not have the ability to write. However, it doesn't have to bereadOnly
. You can setreadOnly:false
as well, where yourvolume
will bewriteable
but the mountedfilesystem
can bereadOnly
. This way, other containers can mount this volume asreadOnly: false
and be able to write to it. This can be used, for instance, to ensure certain containers are not allowed to modify a volume, but others are.
To take it a level further "down the stack", you can have PersistentVolumes
that can be shared across multiple pods (across multiple nodes). Here, the readOnly
field plays a role in conjunction with the AccessMode
of the PersistentVolume
. You can have an AccessMode
of WriteOnceReadMany
meaning that 1 node
can have pods attaching this volume for writing
and many can read
from it only. More than 1 node
will not be able to have its pods write to this volume. You can read more about AccessModes
of PersistentVolumes
here.
In summary, the permissions are always AND
ed together with the most restrictive permission generally up the stack
. So, generally, an AccessMode
will be more permissive, a Volume
permission will be less permissive and the volumeMount
permissions will be least permissive by design. That's the way you design access to your resources.