)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":1000001,"name":"Lorenz Brun","display_name":"Lorenz","email":"lorenz@monogon.tech","username":"lorenz","avatars":[{"url":"https://www.gravatar.com/avatar/75c04f6e9881c24ee621fba80667eed8.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/75c04f6e9881c24ee621fba80667eed8.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/75c04f6e9881c24ee621fba80667eed8.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/75c04f6e9881c24ee621fba80667eed8.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"change_message_id":"ca18fb7b55bed3a8c6665d3c58407d518cfc309b","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":2,"id":"5e0db7de_0aecfa33","updated":"2024-09-18 16:07:21.000000000","message":"It was decided that we default to \"open\" PV mount attributes, i.e. do not set nosuid, nodev or noexec in the default storage class. 
Then we add another storage class for people who want to lock down their PVs.","commit_id":"dddafd161612b3f12e7d8bae1553da850bf7778f"},{"author":{"_account_id":1000001,"name":"Lorenz Brun","display_name":"Lorenz","email":"lorenz@monogon.tech","username":"lorenz","avatars":[{"url":"https://www.gravatar.com/avatar/75c04f6e9881c24ee621fba80667eed8.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/75c04f6e9881c24ee621fba80667eed8.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/75c04f6e9881c24ee621fba80667eed8.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/75c04f6e9881c24ee621fba80667eed8.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"change_message_id":"2b55a12ce85f3d94767d5dcfb6fbaaaa87040f0b","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":2,"id":"d0f5a2b1_69859888","updated":"2024-09-16 15:20:10.000000000","message":"This needs an architectural decision what behavior we expect from the PV interface as K8s is refusing to specify this.","commit_id":"dddafd161612b3f12e7d8bae1553da850bf7778f"},{"author":{"_account_id":1000019,"name":"Tim 
Windelschmidt","display_name":"Tim","email":"tim@monogon.tech","username":"fionera","avatars":[{"url":"https://www.gravatar.com/avatar/57e6137fdb8185cd15ac27ba188780ff.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/57e6137fdb8185cd15ac27ba188780ff.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/57e6137fdb8185cd15ac27ba188780ff.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/57e6137fdb8185cd15ac27ba188780ff.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"change_message_id":"b6b885ef1d12771a1b6cea3e785b26cadeb2ad47","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"9c644b27_4f785634","in_reply_to":"1fb98b02_d8e560df","updated":"2024-09-17 13:07:25.000000000","message":"Done","commit_id":"dddafd161612b3f12e7d8bae1553da850bf7778f"},{"author":{"_account_id":1000019,"name":"Tim Windelschmidt","display_name":"Tim","email":"tim@monogon.tech","username":"fionera","avatars":[{"url":"https://www.gravatar.com/avatar/57e6137fdb8185cd15ac27ba188780ff.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/57e6137fdb8185cd15ac27ba188780ff.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/57e6137fdb8185cd15ac27ba188780ff.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/57e6137fdb8185cd15ac27ba188780ff.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"change_message_id":"20f76c4e61aaaf0e1d65ad4d13ae619c74b7bd4d","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"ff621860_7223429c","in_reply_to":"5e0db7de_0aecfa33","updated":"2024-09-18 
23:48:05.000000000","message":"Done","commit_id":"dddafd161612b3f12e7d8bae1553da850bf7778f"},{"author":{"_account_id":1000019,"name":"Tim Windelschmidt","display_name":"Tim","email":"tim@monogon.tech","username":"fionera","avatars":[{"url":"https://www.gravatar.com/avatar/57e6137fdb8185cd15ac27ba188780ff.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/57e6137fdb8185cd15ac27ba188780ff.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/57e6137fdb8185cd15ac27ba188780ff.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/57e6137fdb8185cd15ac27ba188780ff.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"change_message_id":"ba3e365d5dc642f3f9c1f0e10d50e0eced12a091","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":2,"id":"1fb98b02_d8e560df","in_reply_to":"d0f5a2b1_69859888","updated":"2024-09-17 02:10:20.000000000","message":"This CL will keep the current behavior and I would propose to make the default even stricter as soon as we can and allow users to release this strictness on a per PV/SC basis","commit_id":"dddafd161612b3f12e7d8bae1553da850bf7778f"}],"metropolis/node/core/localstorage/directory_data.go":[{"author":{"_account_id":1000001,"name":"Lorenz 
Brun","display_name":"Lorenz","email":"lorenz@monogon.tech","username":"lorenz","avatars":[{"url":"https://www.gravatar.com/avatar/75c04f6e9881c24ee621fba80667eed8.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/75c04f6e9881c24ee621fba80667eed8.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/75c04f6e9881c24ee621fba80667eed8.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/75c04f6e9881c24ee621fba80667eed8.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"change_message_id":"c4e73736fb71a8ef28c53fb230f400499c2efde4","unresolved":true,"context_lines":[{"line_number":188,"context_line":"func (d *DataDirectory) mount(path string) error {"},{"line_number":189,"context_line":"\t// TODO(T965): MS_NODEV should definitely be set on the data partition, but as long as the kubelet root"},{"line_number":190,"context_line":"\t// is on there, we can\u0027t do it."},{"line_number":191,"context_line":"\tif err :\u003d unix.Mount(path, d.FullPath(), \"xfs\", unix.MS_NOEXEC|unix.MS_NOSUID, \"pquota\"); err !\u003d nil {"},{"line_number":192,"context_line":"\t\treturn fmt.Errorf(\"mounting data directory: %w\", err)"},{"line_number":193,"context_line":"\t}"},{"line_number":194,"context_line":"\treturn nil"}],"source_content_type":"text/x-go","patch_set":4,"id":"fab5ef74_e821680f","line":191,"range":{"start_line":191,"start_character":64,"end_line":191,"end_character":78},"updated":"2024-09-30 13:53:56.000000000","message":"This is not necessary for it to work and I don\u0027t want to think about all the effects of this right now. 
Leave it, we can deal with that another time.","commit_id":"3d17eb6f20059b537af2c118b17ecf90d7ea06a8"},{"author":{"_account_id":1000019,"name":"Tim Windelschmidt","display_name":"Tim","email":"tim@monogon.tech","username":"fionera","avatars":[{"url":"https://www.gravatar.com/avatar/57e6137fdb8185cd15ac27ba188780ff.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/57e6137fdb8185cd15ac27ba188780ff.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/57e6137fdb8185cd15ac27ba188780ff.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/57e6137fdb8185cd15ac27ba188780ff.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"change_message_id":"4adfaeea1ee49b7329597fd6516a5aee44c2438b","unresolved":false,"context_lines":[{"line_number":188,"context_line":"func (d *DataDirectory) mount(path string) error {"},{"line_number":189,"context_line":"\t// TODO(T965): MS_NODEV should definitely be set on the data partition, but as long as the kubelet root"},{"line_number":190,"context_line":"\t// is on there, we can\u0027t do it."},{"line_number":191,"context_line":"\tif err :\u003d unix.Mount(path, d.FullPath(), \"xfs\", unix.MS_NOEXEC|unix.MS_NOSUID, \"pquota\"); err !\u003d nil {"},{"line_number":192,"context_line":"\t\treturn fmt.Errorf(\"mounting data directory: %w\", err)"},{"line_number":193,"context_line":"\t}"},{"line_number":194,"context_line":"\treturn nil"}],"source_content_type":"text/x-go","patch_set":4,"id":"c965f56f_bb35c469","line":191,"range":{"start_line":191,"start_character":64,"end_line":191,"end_character":78},"in_reply_to":"fab5ef74_e821680f","updated":"2024-09-30 23:29:35.000000000","message":"Done","commit_id":"3d17eb6f20059b537af2c118b17ecf90d7ea06a8"}],"metropolis/node/kubernetes/csi.go":[{"author":{"_account_id":1000001,"name":"Lorenz 
Brun","display_name":"Lorenz","email":"lorenz@monogon.tech","username":"lorenz","avatars":[{"url":"https://www.gravatar.com/avatar/75c04f6e9881c24ee621fba80667eed8.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/75c04f6e9881c24ee621fba80667eed8.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/75c04f6e9881c24ee621fba80667eed8.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/75c04f6e9881c24ee621fba80667eed8.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"change_message_id":"c4e73736fb71a8ef28c53fb230f400499c2efde4","unresolved":true,"context_lines":[{"line_number":108,"context_line":"\tcase *csi.VolumeCapability_Mount:"},{"line_number":109,"context_line":"\t\tvar mountFlags uintptr \u003d unix.MS_BIND"},{"line_number":110,"context_line":"\t\tif req.Readonly {"},{"line_number":111,"context_line":"\t\t\tmountFlags |\u003d unix.MS_RDONLY"},{"line_number":112,"context_line":"\t\t}"},{"line_number":113,"context_line":""},{"line_number":114,"context_line":"\t\terr :\u003d unix.Mount(volumePath, req.TargetPath, \"\", mountFlags, \"\")"}],"source_content_type":"text/x-go","patch_set":4,"id":"9d3d741a_3d0848db","line":111,"range":{"start_line":111,"start_character":17,"end_line":111,"end_character":31},"updated":"2024-09-30 13:53:56.000000000","message":"Have you verified that RO mounts still mount as RO?","commit_id":"3d17eb6f20059b537af2c118b17ecf90d7ea06a8"},{"author":{"_account_id":1000019,"name":"Tim 
Windelschmidt","display_name":"Tim","email":"tim@monogon.tech","username":"fionera","avatars":[{"url":"https://www.gravatar.com/avatar/57e6137fdb8185cd15ac27ba188780ff.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/57e6137fdb8185cd15ac27ba188780ff.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/57e6137fdb8185cd15ac27ba188780ff.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/57e6137fdb8185cd15ac27ba188780ff.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"change_message_id":"4adfaeea1ee49b7329597fd6516a5aee44c2438b","unresolved":false,"context_lines":[{"line_number":108,"context_line":"\tcase *csi.VolumeCapability_Mount:"},{"line_number":109,"context_line":"\t\tvar mountFlags uintptr \u003d unix.MS_BIND"},{"line_number":110,"context_line":"\t\tif req.Readonly {"},{"line_number":111,"context_line":"\t\t\tmountFlags |\u003d unix.MS_RDONLY"},{"line_number":112,"context_line":"\t\t}"},{"line_number":113,"context_line":""},{"line_number":114,"context_line":"\t\terr :\u003d unix.Mount(volumePath, req.TargetPath, \"\", mountFlags, \"\")"}],"source_content_type":"text/x-go","patch_set":4,"id":"1d194d4e_fb35a060","line":111,"range":{"start_line":111,"start_character":17,"end_line":111,"end_character":31},"in_reply_to":"9d3d741a_3d0848db","updated":"2024-09-30 23:29:35.000000000","message":"Yes","commit_id":"3d17eb6f20059b537af2c118b17ecf90d7ea06a8"}],"metropolis/node/kubernetes/reconciler/resources_storageclass.go":[{"author":{"_account_id":1000001,"name":"Lorenz 
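Review bot: The single `unix.Mount(volumePath, req.TargetPath, "", mountFlags, "")` call on line 114 cannot yield a read-only mount, because mount(2) ignores every flag other than MS_REC when MS_BIND is set and the new bind simply inherits the source's per-mount flags, so OR-ing `unix.MS_RDONLY` into `mountFlags` on line 111 has no effect. Unless a remount follows further down (the function continues past the quoted lines, so this may already be handled), a volume published with `req.Readonly` set would be writable by the pod. The usual fix is a second call after the bind succeeds, `if req.Readonly { err = unix.Mount("", req.TargetPath, "", unix.MS_BIND|unix.MS_REMOUNT|unix.MS_RDONLY, "") }`, bearing in mind that a bind remount replaces the per-mount flags rather than adding to them, so any noexec/nodev/nosuid flags intended for the volume must be passed again in that same call. A comment on line 109 recording why two syscalls are needed would keep a later cleanup from collapsing them back into one.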
Brun","display_name":"Lorenz","email":"lorenz@monogon.tech","username":"lorenz","avatars":[{"url":"https://www.gravatar.com/avatar/75c04f6e9881c24ee621fba80667eed8.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/75c04f6e9881c24ee621fba80667eed8.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/75c04f6e9881c24ee621fba80667eed8.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/75c04f6e9881c24ee621fba80667eed8.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"change_message_id":"d14ad6950b9be881da7d99778555d486dafb1766","unresolved":true,"context_lines":[{"line_number":83,"context_line":"\t\t\t\tName:   \"local-strict\","},{"line_number":84,"context_line":"\t\t\t\tLabels: builtinLabels(nil),"},{"line_number":85,"context_line":"\t\t\t\tAnnotations: map[string]string{"},{"line_number":86,"context_line":"\t\t\t\t\t\"storageclass.kubernetes.io/is-default-class\": \"false\","},{"line_number":87,"context_line":"\t\t\t\t},"},{"line_number":88,"context_line":"\t\t\t},"},{"line_number":89,"context_line":"\t\t\tAllowVolumeExpansion: True(),"}],"source_content_type":"text/x-go","patch_set":3,"id":"616cfedf_a3e668fb","line":86,"range":{"start_line":86,"start_character":6,"end_line":86,"end_character":18},"updated":"2024-09-19 11:55:34.000000000","message":"Put a kubernetes.io/description annotation in here with a description of this storage class, especially what makes it \"strict\", i.e. 
different than the other one.","commit_id":"bb231a00881811ee7a41a15a91fd7062692e07df"},{"author":{"_account_id":1000019,"name":"Tim Windelschmidt","display_name":"Tim","email":"tim@monogon.tech","username":"fionera","avatars":[{"url":"https://www.gravatar.com/avatar/57e6137fdb8185cd15ac27ba188780ff.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/57e6137fdb8185cd15ac27ba188780ff.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/57e6137fdb8185cd15ac27ba188780ff.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/57e6137fdb8185cd15ac27ba188780ff.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"change_message_id":"9879e72e1820a00c5874b7da1c905f522cfa6a8d","unresolved":false,"context_lines":[{"line_number":83,"context_line":"\t\t\t\tName:   \"local-strict\","},{"line_number":84,"context_line":"\t\t\t\tLabels: builtinLabels(nil),"},{"line_number":85,"context_line":"\t\t\t\tAnnotations: map[string]string{"},{"line_number":86,"context_line":"\t\t\t\t\t\"storageclass.kubernetes.io/is-default-class\": \"false\","},{"line_number":87,"context_line":"\t\t\t\t},"},{"line_number":88,"context_line":"\t\t\t},"},{"line_number":89,"context_line":"\t\t\tAllowVolumeExpansion: True(),"}],"source_content_type":"text/x-go","patch_set":3,"id":"0128e3cc_8ceadd17","line":86,"range":{"start_line":86,"start_character":6,"end_line":86,"end_character":18},"in_reply_to":"616cfedf_a3e668fb","updated":"2024-09-19 12:10:22.000000000","message":"Done","commit_id":"bb231a00881811ee7a41a15a91fd7062692e07df"},{"author":{"_account_id":1000001,"name":"Lorenz 
Brun","display_name":"Lorenz","email":"lorenz@monogon.tech","username":"lorenz","avatars":[{"url":"https://www.gravatar.com/avatar/75c04f6e9881c24ee621fba80667eed8.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/75c04f6e9881c24ee621fba80667eed8.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/75c04f6e9881c24ee621fba80667eed8.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/75c04f6e9881c24ee621fba80667eed8.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"change_message_id":"c4e73736fb71a8ef28c53fb230f400499c2efde4","unresolved":true,"context_lines":[{"line_number":66,"context_line":"\t\t\t\tLabels: builtinLabels(nil),"},{"line_number":67,"context_line":"\t\t\t\tAnnotations: map[string]string{"},{"line_number":68,"context_line":"\t\t\t\t\t\"storageclass.kubernetes.io/is-default-class\": \"true\","},{"line_number":69,"context_line":"\t\t\t\t\t\"kubernetes.io/description\":                   \"Localstorage with exec,dev,suid attributes.\","},{"line_number":70,"context_line":"\t\t\t\t},"},{"line_number":71,"context_line":"\t\t\t},"},{"line_number":72,"context_line":"\t\t\tAllowVolumeExpansion: True(),"}],"source_content_type":"text/x-go","patch_set":4,"id":"e6404ecc_eeb19b11","line":69,"range":{"start_line":69,"start_character":53,"end_line":69,"end_character":96},"updated":"2024-09-30 13:53:56.000000000","message":"```\nlocal is the default storage class on Metropolis. It stores data on the node root disk and supports space limits, resizing and oversubscription but no snapshots. It is backed by XFS and uses permissive mounting options (exec,dev,suid). 
If you want more strict mounting options, choose the `local-strict` storage class.\n```","commit_id":"3d17eb6f20059b537af2c118b17ecf90d7ea06a8"},{"author":{"_account_id":1000019,"name":"Tim Windelschmidt","display_name":"Tim","email":"tim@monogon.tech","username":"fionera","avatars":[{"url":"https://www.gravatar.com/avatar/57e6137fdb8185cd15ac27ba188780ff.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/57e6137fdb8185cd15ac27ba188780ff.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/57e6137fdb8185cd15ac27ba188780ff.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/57e6137fdb8185cd15ac27ba188780ff.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"change_message_id":"4adfaeea1ee49b7329597fd6516a5aee44c2438b","unresolved":false,"context_lines":[{"line_number":66,"context_line":"\t\t\t\tLabels: builtinLabels(nil),"},{"line_number":67,"context_line":"\t\t\t\tAnnotations: map[string]string{"},{"line_number":68,"context_line":"\t\t\t\t\t\"storageclass.kubernetes.io/is-default-class\": \"true\","},{"line_number":69,"context_line":"\t\t\t\t\t\"kubernetes.io/description\":                   \"Localstorage with exec,dev,suid attributes.\","},{"line_number":70,"context_line":"\t\t\t\t},"},{"line_number":71,"context_line":"\t\t\t},"},{"line_number":72,"context_line":"\t\t\tAllowVolumeExpansion: True(),"}],"source_content_type":"text/x-go","patch_set":4,"id":"539a5718_a55fcc77","line":69,"range":{"start_line":69,"start_character":53,"end_line":69,"end_character":96},"in_reply_to":"e6404ecc_eeb19b11","updated":"2024-09-30 23:29:35.000000000","message":"Done","commit_id":"3d17eb6f20059b537af2c118b17ecf90d7ea06a8"},{"author":{"_account_id":1000001,"name":"Lorenz 
Brun","display_name":"Lorenz","email":"lorenz@monogon.tech","username":"lorenz","avatars":[{"url":"https://www.gravatar.com/avatar/75c04f6e9881c24ee621fba80667eed8.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/75c04f6e9881c24ee621fba80667eed8.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/75c04f6e9881c24ee621fba80667eed8.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/75c04f6e9881c24ee621fba80667eed8.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"change_message_id":"c4e73736fb71a8ef28c53fb230f400499c2efde4","unresolved":true,"context_lines":[{"line_number":74,"context_line":"\t\t\tReclaimPolicy:        \u0026reclaimPolicyDelete,"},{"line_number":75,"context_line":"\t\t\tVolumeBindingMode:    \u0026waitForConsumerBinding,"},{"line_number":76,"context_line":"\t\t\tMountOptions: []string{"},{"line_number":77,"context_line":"\t\t\t\t\"exec\","},{"line_number":78,"context_line":"\t\t\t\t\"dev\","},{"line_number":79,"context_line":"\t\t\t\t\"suid\","},{"line_number":80,"context_line":"\t\t\t},"},{"line_number":81,"context_line":"\t\t},"},{"line_number":82,"context_line":"\t\t\u0026storage.StorageClass{"},{"line_number":83,"context_line":"\t\t\tObjectMeta: meta.ObjectMeta{"}],"source_content_type":"text/x-go","patch_set":4,"id":"6eb86cd0_e97658f4","line":80,"range":{"start_line":77,"start_character":0,"end_line":80,"end_character":0},"updated":"2024-09-30 13:53:56.000000000","message":"This construction still allows leaking the underlying mount properties by making a storageclass which has no mount options specified.","commit_id":"3d17eb6f20059b537af2c118b17ecf90d7ea06a8"},{"author":{"_account_id":1000019,"name":"Tim 
Windelschmidt","display_name":"Tim","email":"tim@monogon.tech","username":"fionera","avatars":[{"url":"https://www.gravatar.com/avatar/57e6137fdb8185cd15ac27ba188780ff.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/57e6137fdb8185cd15ac27ba188780ff.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/57e6137fdb8185cd15ac27ba188780ff.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/57e6137fdb8185cd15ac27ba188780ff.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"change_message_id":"4adfaeea1ee49b7329597fd6516a5aee44c2438b","unresolved":true,"context_lines":[{"line_number":74,"context_line":"\t\t\tReclaimPolicy:        \u0026reclaimPolicyDelete,"},{"line_number":75,"context_line":"\t\t\tVolumeBindingMode:    \u0026waitForConsumerBinding,"},{"line_number":76,"context_line":"\t\t\tMountOptions: []string{"},{"line_number":77,"context_line":"\t\t\t\t\"exec\","},{"line_number":78,"context_line":"\t\t\t\t\"dev\","},{"line_number":79,"context_line":"\t\t\t\t\"suid\","},{"line_number":80,"context_line":"\t\t\t},"},{"line_number":81,"context_line":"\t\t},"},{"line_number":82,"context_line":"\t\t\u0026storage.StorageClass{"},{"line_number":83,"context_line":"\t\t\tObjectMeta: meta.ObjectMeta{"}],"source_content_type":"text/x-go","patch_set":4,"id":"b96f7867_95f31edd","line":80,"range":{"start_line":77,"start_character":0,"end_line":80,"end_character":0},"in_reply_to":"6eb86cd0_e97658f4","updated":"2024-09-30 23:29:35.000000000","message":"I don\u0027t see this as an issue as that would be a User thing. If a User decides to create his own StorageClass with our CSI, it is already undefined behavior. 
We could add defaults to the mount options but I would argue that this would also be the same unexpected behavior as with exposing the underlying mount options.","commit_id":"3d17eb6f20059b537af2c118b17ecf90d7ea06a8"},{"author":{"_account_id":1000019,"name":"Tim Windelschmidt","display_name":"Tim","email":"tim@monogon.tech","username":"fionera","avatars":[{"url":"https://www.gravatar.com/avatar/57e6137fdb8185cd15ac27ba188780ff.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/57e6137fdb8185cd15ac27ba188780ff.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/57e6137fdb8185cd15ac27ba188780ff.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/57e6137fdb8185cd15ac27ba188780ff.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"change_message_id":"11372c6893c1caf4835ca4767a15353783e1e1ec","unresolved":false,"context_lines":[{"line_number":74,"context_line":"\t\t\tReclaimPolicy:        \u0026reclaimPolicyDelete,"},{"line_number":75,"context_line":"\t\t\tVolumeBindingMode:    \u0026waitForConsumerBinding,"},{"line_number":76,"context_line":"\t\t\tMountOptions: []string{"},{"line_number":77,"context_line":"\t\t\t\t\"exec\","},{"line_number":78,"context_line":"\t\t\t\t\"dev\","},{"line_number":79,"context_line":"\t\t\t\t\"suid\","},{"line_number":80,"context_line":"\t\t\t},"},{"line_number":81,"context_line":"\t\t},"},{"line_number":82,"context_line":"\t\t\u0026storage.StorageClass{"},{"line_number":83,"context_line":"\t\t\tObjectMeta: meta.ObjectMeta{"}],"source_content_type":"text/x-go","patch_set":4,"id":"09726370_0f3af882","line":80,"range":{"start_line":77,"start_character":0,"end_line":80,"end_character":0},"in_reply_to":"9f95fda1_895fd7e7","updated":"2024-11-05 05:03:47.000000000","message":"It will now default to strict flags if none are 
given.","commit_id":"3d17eb6f20059b537af2c118b17ecf90d7ea06a8"},{"author":{"_account_id":1000001,"name":"Lorenz Brun","display_name":"Lorenz","email":"lorenz@monogon.tech","username":"lorenz","avatars":[{"url":"https://www.gravatar.com/avatar/75c04f6e9881c24ee621fba80667eed8.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/75c04f6e9881c24ee621fba80667eed8.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/75c04f6e9881c24ee621fba80667eed8.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/75c04f6e9881c24ee621fba80667eed8.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"change_message_id":"d713a2e9cda7578ce90b2aceb7c4b8ec9c8fee7e","unresolved":true,"context_lines":[{"line_number":74,"context_line":"\t\t\tReclaimPolicy:        \u0026reclaimPolicyDelete,"},{"line_number":75,"context_line":"\t\t\tVolumeBindingMode:    \u0026waitForConsumerBinding,"},{"line_number":76,"context_line":"\t\t\tMountOptions: []string{"},{"line_number":77,"context_line":"\t\t\t\t\"exec\","},{"line_number":78,"context_line":"\t\t\t\t\"dev\","},{"line_number":79,"context_line":"\t\t\t\t\"suid\","},{"line_number":80,"context_line":"\t\t\t},"},{"line_number":81,"context_line":"\t\t},"},{"line_number":82,"context_line":"\t\t\u0026storage.StorageClass{"},{"line_number":83,"context_line":"\t\t\tObjectMeta: meta.ObjectMeta{"}],"source_content_type":"text/x-go","patch_set":4,"id":"9f95fda1_895fd7e7","line":80,"range":{"start_line":77,"start_character":0,"end_line":80,"end_character":0},"in_reply_to":"b96f7867_95f31edd","updated":"2024-10-02 09:32:18.000000000","message":"Why is creating your own StorageClass with our CSI undefined behavior? You\u0027re allowed to do that. In general if we do not prevent you from doing something it is considered supported. 
There are currently still some exceptions to this (we need an admission controller for some of it still and using privileged pod admission is exempted), but in general this holds.\n\nIf we lock this down in CSI code the behavior is explicitly defined within our code and cannot change at a distance (via kernel defaults or via other changes to our mounting infrastructure). Otherwise we need some test to make sure that we do not accidentally change this.","commit_id":"3d17eb6f20059b537af2c118b17ecf90d7ea06a8"},{"author":{"_account_id":1000001,"name":"Lorenz Brun","display_name":"Lorenz","email":"lorenz@monogon.tech","username":"lorenz","avatars":[{"url":"https://www.gravatar.com/avatar/75c04f6e9881c24ee621fba80667eed8.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/75c04f6e9881c24ee621fba80667eed8.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/75c04f6e9881c24ee621fba80667eed8.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/75c04f6e9881c24ee621fba80667eed8.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"change_message_id":"c4e73736fb71a8ef28c53fb230f400499c2efde4","unresolved":true,"context_lines":[{"line_number":85,"context_line":"\t\t\t\tLabels: builtinLabels(nil),"},{"line_number":86,"context_line":"\t\t\t\tAnnotations: map[string]string{"},{"line_number":87,"context_line":"\t\t\t\t\t\"storageclass.kubernetes.io/is-default-class\": \"false\","},{"line_number":88,"context_line":"\t\t\t\t\t\"kubernetes.io/description\":                   \"Localstorage with noexec,nodev,nosuid attributes.\","},{"line_number":89,"context_line":"\t\t\t\t},"},{"line_number":90,"context_line":"\t\t\t},"},{"line_number":91,"context_line":"\t\t\tAllowVolumeExpansion: 
True(),"}],"source_content_type":"text/x-go","patch_set":4,"id":"a35165fa_55f2da0f","line":88,"range":{"start_line":88,"start_character":53,"end_line":88,"end_character":102},"updated":"2024-09-30 13:53:56.000000000","message":"```\nlocal-strict is the same as local (see its description) but uses strict mount options (noexec, nodev, nosuid). It is best used together with readOnlyRoot to restict exploitation vectors.\n```","commit_id":"3d17eb6f20059b537af2c118b17ecf90d7ea06a8"},{"author":{"_account_id":1000019,"name":"Tim Windelschmidt","display_name":"Tim","email":"tim@monogon.tech","username":"fionera","avatars":[{"url":"https://www.gravatar.com/avatar/57e6137fdb8185cd15ac27ba188780ff.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/57e6137fdb8185cd15ac27ba188780ff.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/57e6137fdb8185cd15ac27ba188780ff.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/57e6137fdb8185cd15ac27ba188780ff.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"change_message_id":"4adfaeea1ee49b7329597fd6516a5aee44c2438b","unresolved":false,"context_lines":[{"line_number":85,"context_line":"\t\t\t\tLabels: builtinLabels(nil),"},{"line_number":86,"context_line":"\t\t\t\tAnnotations: map[string]string{"},{"line_number":87,"context_line":"\t\t\t\t\t\"storageclass.kubernetes.io/is-default-class\": \"false\","},{"line_number":88,"context_line":"\t\t\t\t\t\"kubernetes.io/description\":                   \"Localstorage with noexec,nodev,nosuid attributes.\","},{"line_number":89,"context_line":"\t\t\t\t},"},{"line_number":90,"context_line":"\t\t\t},"},{"line_number":91,"context_line":"\t\t\tAllowVolumeExpansion: 
True(),"}],"source_content_type":"text/x-go","patch_set":4,"id":"18c364ed_df6dd1db","line":88,"range":{"start_line":88,"start_character":53,"end_line":88,"end_character":102},"in_reply_to":"a35165fa_55f2da0f","updated":"2024-09-30 23:29:35.000000000","message":"Done","commit_id":"3d17eb6f20059b537af2c118b17ecf90d7ea06a8"},{"author":{"_account_id":1000001,"name":"Lorenz Brun","display_name":"Lorenz","email":"lorenz@monogon.tech","username":"lorenz","avatars":[{"url":"https://www.gravatar.com/avatar/75c04f6e9881c24ee621fba80667eed8.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/75c04f6e9881c24ee621fba80667eed8.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/75c04f6e9881c24ee621fba80667eed8.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/75c04f6e9881c24ee621fba80667eed8.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"change_message_id":"aba883a1ac1ad68b6c0d90abdf749d7ef3d64332","unresolved":true,"context_lines":[{"line_number":89,"context_line":"\t\t\t\tAnnotations: map[string]string{"},{"line_number":90,"context_line":"\t\t\t\t\t\"storageclass.kubernetes.io/is-default-class\": \"false\","},{"line_number":91,"context_line":"\t\t\t\t\t\"kubernetes.io/description\": \"local-strict is the same as local (see its description) but uses strict mount options (noexec, nodev, nosuid). 
\" +"},{"line_number":92,"context_line":"\t\t\t\t\t\t\"It is best used together with readOnlyRoot to restict exploitation vectors.\","},{"line_number":93,"context_line":"\t\t\t\t},"},{"line_number":94,"context_line":"\t\t\t},"},{"line_number":95,"context_line":"\t\t\tAllowVolumeExpansion: True(),"}],"source_content_type":"text/x-go","patch_set":5,"id":"7291da67_fbc63052","line":92,"range":{"start_line":92,"start_character":53,"end_line":92,"end_character":60},"updated":"2024-11-05 15:26:08.000000000","message":"```suggestion\n\t\t\t\t\t\t\"It is best used together with readOnlyRoot to restrict exploitation vectors.\",\n```\nSorry, that was my typo.","commit_id":"d2c188069806383a40c9211e0b2d0e4c714cd0da"},{"author":{"_account_id":1000019,"name":"Tim Windelschmidt","display_name":"Tim","email":"tim@monogon.tech","username":"fionera","avatars":[{"url":"https://www.gravatar.com/avatar/57e6137fdb8185cd15ac27ba188780ff.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/57e6137fdb8185cd15ac27ba188780ff.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/57e6137fdb8185cd15ac27ba188780ff.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/57e6137fdb8185cd15ac27ba188780ff.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"change_message_id":"5f61e212bbe17629064ff7659c9ac3579f209ecd","unresolved":false,"context_lines":[{"line_number":89,"context_line":"\t\t\t\tAnnotations: map[string]string{"},{"line_number":90,"context_line":"\t\t\t\t\t\"storageclass.kubernetes.io/is-default-class\": \"false\","},{"line_number":91,"context_line":"\t\t\t\t\t\"kubernetes.io/description\": \"local-strict is the same as local (see its description) but uses strict mount options (noexec, nodev, nosuid). 
\" +"},{"line_number":92,"context_line":"\t\t\t\t\t\t\"It is best used together with readOnlyRoot to restict exploitation vectors.\","},{"line_number":93,"context_line":"\t\t\t\t},"},{"line_number":94,"context_line":"\t\t\t},"},{"line_number":95,"context_line":"\t\t\tAllowVolumeExpansion: True(),"}],"source_content_type":"text/x-go","patch_set":5,"id":"3b9696c6_753e5198","line":92,"range":{"start_line":92,"start_character":53,"end_line":92,"end_character":60},"in_reply_to":"7291da67_fbc63052","updated":"2024-11-07 15:47:36.000000000","message":"I could have seen it, so my fault too 😊","commit_id":"d2c188069806383a40c9211e0b2d0e4c714cd0da"}]}
