
Recursive ReadOnly Volume Mounts in Kubernetes 1.30

Kubernetes 1.30 introduces the recursiveReadOnly mount option, which turns the previously imperfect read‑only volume mounts into fully recursive read‑only mounts. This article explains the compatibility requirements, the component versions needed, and usage with YAML manifests.

Cloud Native Technology Community

Read‑only volume mounts have been a Kubernetes feature from the start, but under certain Linux conditions they were not truly read‑only. Starting with version 1.30, recursive read‑only mounts are supported as an Alpha feature, making the mounts fully read‑only.

Default read‑only mounts are not truly read‑only

Volume mounts can be confusing. You might expect the following manifest to make everything under /mnt read‑only inside the container:

---
apiVersion: v1
kind: Pod
metadata:
  name: readonly-demo   # added so the manifest is complete
spec:
  volumes:
    - name: mnt
      hostPath:
        path: /mnt
  containers:
    - name: app         # container name and image added; the original fragment omits them
      image: busybox
      volumeMounts:
        - name: mnt
          mountPath: /mnt
          readOnly: true

However, any sub‑mounts under /mnt may still be writable, because readOnly: true only sets the read‑only flag on the top‑level mount and does not propagate it to the mounts nested beneath it. For example, if /mnt/my-nfs-server is a writable mount on the host, writes to /mnt/* are denied in the container, but writes to /mnt/my-nfs-server/* remain allowed.

New mount option: recursive read‑only

Kubernetes 1.30 adds a new mount option recursiveReadOnly that makes sub‑mounts recursively read‑only.

You can enable it as follows:

---
apiVersion: v1
kind: Pod
metadata:
  name: recursive-readonly-demo   # added so the manifest is complete
spec:
  volumes:
    - name: mnt
      hostPath:
        path: /mnt
  containers:
    - name: app         # container name and image added; the original fragment omits them
      image: busybox
      volumeMounts:
        - name: mnt
          mountPath: /mnt
          readOnly: true
          # NEW
          # possible values are `Enabled`, `IfPossible` and `Disabled`.
          # must be specified together with `readOnly: true`.
          recursiveReadOnly: Enabled

This is implemented with the mount_setattr(2) system call, available since Linux kernel v5.12, called with the AT_RECURSIVE flag and the MOUNT_ATTR_RDONLY attribute so that the read‑only flag is applied to the mount and every mount beneath it.

For backward compatibility, the recursiveReadOnly field is not a replacement for readOnly; both must be set to obtain correct recursive read‑only behavior.
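To verify from inside a container which mounts under a mountPath are still writable, here is an added example (not code from the article or from Kubernetes) that parses the /proc/self/mountinfo format and reports every mount at or below a given path whose per‑mount options lack "ro". The mountinfo lines are constructed samples; the /mnt/my-nfs-server path follows the article's example.

```python
"""Audit sub-mounts under a container mountPath for the writable gap.

Added example (not from the article or Kubernetes): parse the /proc/self/mountinfo
format and list mounts at or below a mountPath whose options lack "ro".
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class MountEntry:
    mount_id: int
    parent_id: int
    mount_point: str
    options: frozenset[str]  # per-mount flags (ro/rw, nosuid, ...), not superblock flags
    fs_type: str


def parse_mountinfo(text: str) -> list[MountEntry]:
    """Parse mountinfo lines; ' - ' separates mount fields from filesystem fields."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        mount_fields, _, fs_fields = line.partition(" - ")
        f = mount_fields.split()
        mount_point = f[4].replace("\\040", " ")  # spaces are octal-escaped in mountinfo
        entries.append(MountEntry(int(f[0]), int(f[1]), mount_point,
                                  frozenset(f[5].split(",")), fs_fields.split()[0]))
    return entries


def writable_mounts_under(entries: list[MountEntry], mount_path: str) -> list[str]:
    """Mount points at or under mount_path that are not read-only at the mount level."""
    prefix = mount_path.rstrip("/") + "/"
    return sorted(e.mount_point for e in entries
                  if (e.mount_point == mount_path or e.mount_point.startswith(prefix))
                  and "ro" not in e.options)


# Constructed sample: what a container sees with readOnly: true alone.
# /mnt itself is ro, but the NFS sub-mount underneath it is still rw.
SAMPLE_READONLY_ONLY = """\
100 90 0:50 / / rw,relatime - overlay overlay rw,lowerdir=/l,upperdir=/u,workdir=/w
110 100 8:1 /mnt /mnt ro,relatime - ext4 /dev/sda1 rw
111 110 0:60 / /mnt/my-nfs-server rw,relatime - nfs4 nfs.example:/export rw
"""
# Constructed sample after recursiveReadOnly: Enabled (every sub-mount now ro).
SAMPLE_RECURSIVE_RO = SAMPLE_READONLY_ONLY.replace("my-nfs-server rw,", "my-nfs-server ro,")
```

On a live pod, run it via kubectl exec and feed it the contents of /proc/self/mountinfo (or compare with findmnt -R -o TARGET,OPTIONS /mnt): with readOnly: true alone it reports /mnt/my-nfs-server, and with recursiveReadOnly: Enabled the list should be empty.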

Feature availability

To enable recursiveReadOnly mounts you need the following components:

Kubernetes v1.30 or newer with the RecursiveReadOnlyMounts feature gate enabled (Alpha from v1.30).

CRI runtime: containerd v2.0+.

OCI runtime: runc v1.1+ or crun v1.8.6+.

Linux kernel v5.12 or newer.

What’s next

The Kubernetes SIG Node hopes the feature will graduate to Beta and eventually GA, so users will no longer need to manually enable the feature gate.

For backward compatibility, the default value of recursiveReadOnly will remain Disabled.

Written by

Cloud Native Technology Community

The Cloud Native Technology Community, part of the CNBPA Cloud Native Technology Practice Alliance, focuses on evangelizing cutting‑edge cloud‑native technologies and practical implementations. It shares in‑depth content, case studies, and event/meetup information on containers, Kubernetes, DevOps, Service Mesh, and other cloud‑native tech, along with updates from the CNBPA alliance.
