From 2599b3fbd7338e61953a62a4985e771306d18f85 Mon Sep 17 00:00:00 2001
From: Louis Blin
Date: Thu, 3 Feb 2022 12:57:08 +0000
Subject: [PATCH] fix: read/write mount mode for init / wait containers. Fixes #7755 As discussed in #7755, the `init` / `wait` containers surrounding a workflow container mount the same volumes as the `main` container, but without respecting their read/write mode. For environments using PSPs with read-only allowed host paths, it becomes impossible to run workflows that use volume mounts (as sidecar containers will violate the PSP). The original code author (@jessesuen) claims that mounts need to be read/write to allow overlapping mount paths. However, the `main` container will already need to mount paths in read/write mode if they overlap, so there does not seem to be a good reason for keeping this. Fixes #7755
Signed-off-by: louisblin
---
 workflow/controller/workflowpod.go | 2 --
 1 file changed, 2 deletions(-)
diff --git a/workflow/controller/workflowpod.go b/workflow/controller/workflowpod.go
index 7816cb1ce1ae..db6fdb400c42 100644
--- a/workflow/controller/workflowpod.go
+++ b/workflow/controller/workflowpod.go
@@ -1018,8 +1018,6 @@ func addOutputArtifactsVolumes(pod *apiv1.Pod, tmpl *wfv1.Template) {
 continue
 }
 mnt.MountPath = filepath.Join(common.ExecutorMainFilesystemDir, mnt.MountPath)
- // ReadOnly is needed to be false for overlapping volume mounts
- mnt.ReadOnly = false
 waitCtr.VolumeMounts = append(waitCtr.VolumeMounts, mnt)
 }
 }