From 2dd818802041f2c0043892aa026ed3ef2c9e01c5 Mon Sep 17 00:00:00 2001
From: Hannah DeFazio <h2defazio@gmail.com>
Date: Fri, 19 Jul 2024 19:39:17 -0400
Subject: [PATCH] Set the volume mount's readonly annotation based on the ISVC
 annotation

---
 pkg/constants/constants.go                     |  1 +
 .../inferenceservice/components/predictor.go   |  6 ++++++
 .../pod/storage_initializer_injector.go        | 18 +++++++++++++++++-
 3 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/pkg/constants/constants.go b/pkg/constants/constants.go
index 390ac4088bb..58b59f7feb9 100644
--- a/pkg/constants/constants.go
+++ b/pkg/constants/constants.go
@@ -91,6 +91,7 @@ var (
 	KServeContainerPrometheusPathKey            = "prometheus.kserve.io/path"
 	PrometheusPortAnnotationKey                 = "prometheus.io/port"
 	PrometheusPathAnnotationKey                 = "prometheus.io/path"
+	StorageReadonly                             = "storage.kserve.io/readyonly"
 	DefaultPrometheusPath                       = "/metrics"
 	QueueProxyAggregatePrometheusMetricsPort    = 9088
 	DefaultPodPrometheusPort                    = "9091"
diff --git a/pkg/controller/v1beta1/inferenceservice/components/predictor.go b/pkg/controller/v1beta1/inferenceservice/components/predictor.go
index 0b6aa623f6f..a5d8e5a0725 100644
--- a/pkg/controller/v1beta1/inferenceservice/components/predictor.go
+++ b/pkg/controller/v1beta1/inferenceservice/components/predictor.go
@@ -352,6 +352,12 @@ func (p *Predictor) Reconcile(isvc *v1beta1.InferenceService) (ctrl.Result, erro
 	if err != nil {
 		return ctrl.Result{}, errors.Wrapf(err, "fails to list inferenceservice pods by label")
 	}
+
+	// Update pod's readonly status based on the ISVC annotation
+	for _, pod := range predictorPods.Items {
+		pod.Annotations[constants.StorageReadonly] = isvc.Annotations[constants.StorageReadonly]
+	}
+
 	isvc.Status.PropagateModelStatus(statusSpec, predictorPods, rawDeployment)
 	return ctrl.Result{}, nil
 }
diff --git a/pkg/webhook/admission/pod/storage_initializer_injector.go b/pkg/webhook/admission/pod/storage_initializer_injector.go
index 176ff03b045..ce4e9f78e0a 100644
--- a/pkg/webhook/admission/pod/storage_initializer_injector.go
+++ b/pkg/webhook/admission/pod/storage_initializer_injector.go
@@ -243,6 +243,22 @@ func (mi *StorageInitializerInjector) InjectStorageInitializer(pod *v1.Pod) erro
 		// check if using direct volume mount to mount the pvc
 		// if yes, mount the pvc to model local mount path and return
 		if mi.config.EnableDirectPvcVolumeMount {
+			// Grab the StorageReadonly annotation value and convert it to a boolean if it is set
+			isvc_readonly := pod.Annotations[constants.StorageReadonly]
+			if isvc_readonly != nil {
+				isvc_readonly, err := strconv.ParseBool(pod.Annotations[constants.StorageReadonly])
+
+				if err != nil {
+					return err
+				}
+			}
+
+			// If StorageReadonly is set to false, the readOnly field in the volume mount's annotation is also set to false
+			// Otherwise, if it is true or unset, use the default behavior
+			readonly := true
+			if isvc_readonly != nil && isvc_readonly == false {
+				readonly = isvc_readonly
+				
 			// add a corresponding pvc volume mount to the userContainer
 			// pvc will be mount to /mnt/models rather than /mnt/pvc
 			// pvcPath will be injected via SubPath, pvcPath must be a root or Dir
@@ -252,7 +268,7 @@ func (mi *StorageInitializerInjector) InjectStorageInitializer(pod *v1.Pod) erro
 				MountPath: constants.DefaultModelLocalMountPath,
 				// only path to volume's root ("") or folder is supported
 				SubPath:  pvcPath,
-				ReadOnly: true,
+				ReadOnly: readonly,
 			}
 
 			// Check if PVC source URIs is already mounted