Kubernetes Blog

Kubernetes 1.30: Preventing unauthorized volume mode conversion moves to GA

In Kubernetes 1.30, the feature preventing the modification of PersistentVolumeClaim (PVC) volume mode is now stable. When creating a PVC from a VolumeSnapshot, the volume mode of the original volume must match that of the new one to prevent security vulnerabilities.

Unauthorized users cannot modify the volume mode, while authorized users with access to VolumeSnapshotContents can do so by adding an annotation to the VolumeSnapshotContent. For pre-provisioned VolumeSnapshotContents, the spec.sourceVolumeMode field must be set to either Filesystem or Block, depending on the original volume's mode. Kubernetes will not prevent volume mode conversion if the annotation is present on the VolumeSnapshotContent.

The prevent-volume-mode-conversion feature flag is enabled by default in external-provisioner v4.0.0 and external-snapshotter v7.0.0. Volume mode changes will be rejected when creating a PVC from a VolumeSnapshot if the steps to allow conversion have not been taken. CSI external sidecar versions supporting this feature can be found in the CSI docs.

For questions or issues, join Kubernetes on Slack (#csi or #sig-storage) or create an issue in the CSI external-snapshotter repository.
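An audit of VolumeSnapshotContents for the two conditions described above, added here as an example and not taken from the Kubernetes post or the CSI sidecars. It assumes input shaped like `kubectl get volumesnapshotcontents -o json`; the annotation key comes from the upstream snapshot API rather than from this page, and the sample objects and function names are constructed for illustration.

```python
import json

# Annotation key from the upstream snapshot API (assumption: not spelled out on this page).
ALLOW_ANNOTATION = "snapshot.storage.kubernetes.io/allow-volume-mode-change"

# Constructed sample, shaped like `kubectl get volumesnapshotcontents -o json`.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "snapcontent-a"},
  "spec": {"sourceVolumeMode": "Filesystem", "source": {"volumeHandle": "vol-1"}}},
 {"metadata": {"name": "snapcontent-b", "annotations":
    {"snapshot.storage.kubernetes.io/allow-volume-mode-change": "true"}},
  "spec": {"sourceVolumeMode": "Block", "source": {"volumeHandle": "vol-2"}}},
 {"metadata": {"name": "snapcontent-c"},
  "spec": {"source": {"snapshotHandle": "snap-3"}}}
]}
""")

def conversion_permitted(content):
    """True when the object carries the allow annotation set to "true"."""
    annotations = content["metadata"].get("annotations") or {}
    return annotations.get(ALLOW_ANNOTATION) == "true"

def restore_decision(content, pvc_volume_mode):
    """Model of the rule in the text: 'allow', 'reject', or 'unknown'."""
    source_mode = content["spec"].get("sourceVolumeMode")
    if source_mode is None:
        return "unknown"  # the source mode is not recorded, so nothing to compare
    if source_mode == pvc_volume_mode or conversion_permitted(content):
        return "allow"
    return "reject"

def audit(contents):
    """Return (name, finding) pairs that deserve a reviewer's attention."""
    findings = []
    for c in contents["items"]:
        name = c["metadata"]["name"]
        if conversion_permitted(c):
            findings.append((name, "conversion-allowed"))
        # Pre-provisioned contents reference an existing snapshotHandle.
        pre_provisioned = "snapshotHandle" in c["spec"].get("source", {})
        if pre_provisioned and c["spec"].get("sourceVolumeMode") is None:
            findings.append((name, "pre-provisioned-missing-sourceVolumeMode"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```

Every object reported as conversion-allowed should map to a deliberate change by someone with write access to VolumeSnapshotContents; an unexplained one is worth tracing in the API audit log.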
kubernetes.io