upgrade to latest dependencies (#2070)

bumping knative.dev/serving 880ea71...7f044f1:
  > 7f044f1 Enable Mount Propagation as a Optional Feature (# 15758)
  > 5653ad0 Update net-gateway-api nightly (# 15853)
  > ae7b265 Update net-kourier nightly (# 15855)
  > 4730c99 Update net-istio nightly (# 15854)

Signed-off-by: Knative Automation <automation@knative.team>

Author: knative-automation

go.mod

@@ -25,7 +25,7 @@ require (
 	knative.dev/hack v0.0.0-20250331013814-c577ed9f7775
 	knative.dev/pkg v0.0.0-20250415155312-ed3e2158b883
 	knative.dev/reconciler-test v0.0.0-20250415170512-23f86169156f
-	knative.dev/serving v0.44.1-0.20250418122003-880ea71a0c15
+	knative.dev/serving v0.44.1-0.20250421011706-7f044f16a11a
 	sigs.k8s.io/yaml v1.4.0
 )
 

go.sum

@@ -1726,8 +1726,8 @@ knative.dev/pkg v0.0.0-20250415155312-ed3e2158b883 h1:UeOY7009M0EHwdyW3P35Fc1U6F
 knative.dev/pkg v0.0.0-20250415155312-ed3e2158b883/go.mod h1:ptwLYr04MAyeoRvhnhhz0FFkVZTdYJV2QWnw9sZyFSM=
 knative.dev/reconciler-test v0.0.0-20250415170512-23f86169156f h1:4JZHD997Yav2K6JJU93sjxvcPXNHVY4lC1dWhzyeBXg=
 knative.dev/reconciler-test v0.0.0-20250415170512-23f86169156f/go.mod h1:jrNdg5OPDhfxYxXDLqA4iv9zvfLhNYpYKmaQvz4ZpRM=
-knative.dev/serving v0.44.1-0.20250418122003-880ea71a0c15 h1:pXqh4Q2QOiUNteaQqrHEDOKjLDywJuF1F7I8K7Amt+k=
-knative.dev/serving v0.44.1-0.20250418122003-880ea71a0c15/go.mod h1:yXmbxEHxO4O+CmRBq7HFZ0ZNMg+/WRbLio7759Qe5/I=
+knative.dev/serving v0.44.1-0.20250421011706-7f044f16a11a h1:qINmwJNLUkSb/iBaKTS0YtzKfnPyMZ/lD3/VsYZJN7s=
+knative.dev/serving v0.44.1-0.20250421011706-7f044f16a11a/go.mod h1:yXmbxEHxO4O+CmRBq7HFZ0ZNMg+/WRbLio7759Qe5/I=
 nhooyr.io/websocket v1.8.6/go.mod h1:B70DZP8IakI65RVQ51MsWP/8jndNma26DVA/nFSCgW0=
 pgregory.net/rapid v1.1.0 h1:CMa0sjHSru3puNx+J0MIAuiiEV4N0qj8/cMWGBBCsjw=
 pgregory.net/rapid v1.1.0/go.mod h1:PY5XlDGj0+V1FCq0o192FdRhpKHGTRIWBgqjDBTrq04=

vendor/knative.dev/serving/pkg/apis/config/features.go

@@ -65,8 +65,9 @@ const (
 	FeaturePodSpecHostNetwork               = "kubernetes.podspec-hostnetwork"
 	FeaturePodSpecHostPID                   = "kubernetes.podspec-hostpid"
 	FeaturePodSpecHostPath                  = "kubernetes.podspec-volumes-hostpath"
-	FeaturePodSpecCSI                       = "kubernetes.podspec-volumes-csi"
+	FeaturePodSpecVolumesCSI                = "kubernetes.podspec-volumes-csi"
 	FeaturePodSpecInitContainers            = "kubernetes.podspec-init-containers"
+	FeaturePodSpecVolumesMountPropagation   = "kubernetes.podspec-volumes-mount-propagation"
 	FeaturePodSpecNodeSelector              = "kubernetes.podspec-nodeselector"
 	FeaturePodSpecPVClaim                   = "kubernetes.podspec-persistent-volume-claim"
 	FeaturePodSpecPriorityClassName         = "kubernetes.podspec-priorityclassname"
@@ -100,6 +101,7 @@ func defaultFeaturesConfig() *Features {
 		PodSpecTolerations:               Disabled,
 		PodSpecVolumesEmptyDir:           Enabled,
 		PodSpecVolumesHostPath:           Disabled,
+		PodSpecVolumesMountPropagation:   Disabled,
 		PodSpecVolumesCSI:                Disabled,
 		PodSpecPersistentVolumeClaim:     Disabled,
 		PodSpecPersistentVolumeWrite:     Disabled,
@@ -139,8 +141,9 @@ func NewFeaturesConfigFromMap(data map[string]string) (*Features, error) {
 		asFlag(FeaturePodSpecHostNetwork, &nc.PodSpecHostNetwork),
 		asFlag(FeaturePodSpecHostPID, &nc.PodSpecHostPID),
 		asFlag(FeaturePodSpecHostPath, &nc.PodSpecVolumesHostPath),
-		asFlag(FeaturePodSpecCSI, &nc.PodSpecVolumesCSI),
+		asFlag(FeaturePodSpecVolumesCSI, &nc.PodSpecVolumesCSI),
 		asFlag(FeaturePodSpecInitContainers, &nc.PodSpecInitContainers),
+		asFlag(FeaturePodSpecVolumesMountPropagation, &nc.PodSpecVolumesMountPropagation),
 		asFlag(FeaturePodSpecNodeSelector, &nc.PodSpecNodeSelector),
 		asFlag(FeaturePodSpecPVClaim, &nc.PodSpecPersistentVolumeClaim),
 		asFlag(FeaturePodSpecPriorityClassName, &nc.PodSpecPriorityClassName),
@@ -183,6 +186,7 @@ type Features struct {
 	PodSpecTolerations               Flag
 	PodSpecVolumesEmptyDir           Flag
 	PodSpecVolumesHostPath           Flag
+	PodSpecVolumesMountPropagation   Flag
 	PodSpecVolumesCSI                Flag
 	PodSpecInitContainers            Flag
 	PodSpecPersistentVolumeClaim     Flag

vendor/knative.dev/serving/pkg/apis/serving/fieldmask.go

@@ -337,22 +337,28 @@ func ContainerMask(in *corev1.Container) *corev1.Container {
 // VolumeMountMask performs a _shallow_ copy of the Kubernetes VolumeMount object to a new
 // Kubernetes VolumeMount object bringing over only the fields allowed in the Knative API. This
 // does not validate the contents or the bounds of the provided fields.
-func VolumeMountMask(in *corev1.VolumeMount) *corev1.VolumeMount {
+func VolumeMountMask(ctx context.Context, in *corev1.VolumeMount) *corev1.VolumeMount {
 	if in == nil {
 		return nil
 	}
 
+	cfg := config.FromContextOrDefaults(ctx)
 	out := new(corev1.VolumeMount)
 
 	// Allowed fields
 	out.Name = in.Name
 	out.ReadOnly = in.ReadOnly
 	out.MountPath = in.MountPath
 	out.SubPath = in.SubPath
+	if cfg.Features.PodSpecVolumesMountPropagation != config.Disabled {
+		out.MountPropagation = in.MountPropagation
+	} else {
+		out.MountPropagation = nil
+	}
 
 	// Disallowed fields
 	// This list is unnecessary, but added here for clarity
-	out.MountPropagation = nil
+	out.RecursiveReadOnly = nil
 
 	return out
 }

vendor/knative.dev/serving/pkg/apis/serving/k8s_validation.go

@@ -627,7 +627,7 @@ func validate(ctx context.Context, container corev1.Container, volumes map[strin
 		errs = errs.Also(apis.ErrInvalidValue(container.TerminationMessagePolicy, "terminationMessagePolicy"))
 	}
 	// VolumeMounts
-	errs = errs.Also(validateVolumeMounts(container.VolumeMounts, volumes).ViaField("volumeMounts"))
+	errs = errs.Also(validateVolumeMounts(ctx, container.VolumeMounts, volumes).ViaField("volumeMounts"))
 
 	return errs
 }
@@ -670,15 +670,16 @@ func validateSecurityContext(ctx context.Context, sc *corev1.SecurityContext) *a
 	return errs
 }
 
-func validateVolumeMounts(mounts []corev1.VolumeMount, volumes map[string]corev1.Volume) *apis.FieldError {
+func validateVolumeMounts(ctx context.Context, mounts []corev1.VolumeMount, volumes map[string]corev1.Volume) *apis.FieldError {
 	var errs *apis.FieldError
 	// Check that volume mounts match names in "volumes", that "volumes" has 100%
 	// coverage, and the field restrictions.
+	features := config.FromContextOrDefaults(ctx).Features
 	seenName := make(sets.Set[string], len(mounts))
 	seenMountPath := make(sets.Set[string], len(mounts))
 	for i := range mounts {
 		vm := mounts[i]
-		errs = errs.Also(apis.CheckDisallowedFields(vm, *VolumeMountMask(&vm)).ViaIndex(i))
+		errs = errs.Also(apis.CheckDisallowedFields(vm, *VolumeMountMask(ctx, &vm)).ViaIndex(i))
 		// This effectively checks that Name is non-empty because Volume name must be non-empty.
 		if _, ok := volumes[vm.Name]; !ok {
 			errs = errs.Also((&apis.FieldError{
@@ -710,6 +711,19 @@ func validateVolumeMounts(mounts []corev1.VolumeMount, volumes map[string]corev1
 				Paths:   []string{"readOnly"},
 			}).ViaIndex(i))
 		}
+		if vm.MountPropagation != nil {
+			if features.PodSpecVolumesMountPropagation != config.Enabled {
+				errs = errs.Also((&apis.FieldError{
+					Message: fmt.Sprintf("Volume Mount Propagation support is disabled, but found volume mount %s with mount propagation", vm.Name),
+				}).ViaIndex(i))
+			}
+			if *vm.MountPropagation != corev1.MountPropagationNone && *vm.MountPropagation != corev1.MountPropagationHostToContainer {
+				errs = errs.Also((&apis.FieldError{
+					Message: "mount propagation should be set to None or HostToContainer",
+					Paths:   []string{"mountPropagation"},
+				}).ViaIndex(i))
+			}
+		}
 
 		if volumes[vm.Name].PersistentVolumeClaim != nil {
 			if volumes[vm.Name].PersistentVolumeClaim.ReadOnly && !vm.ReadOnly {

vendor/modules.txt

@@ -1659,7 +1659,7 @@ knative.dev/reconciler-test/pkg/resources/service
 knative.dev/reconciler-test/pkg/resources/serviceaccount
 knative.dev/reconciler-test/pkg/state
 knative.dev/reconciler-test/resources/certificate
-# knative.dev/serving v0.44.1-0.20250418122003-880ea71a0c15
+# knative.dev/serving v0.44.1-0.20250421011706-7f044f16a11a
 ## explicit; go 1.23.0
 knative.dev/serving/pkg/apis/autoscaling
 knative.dev/serving/pkg/apis/autoscaling/v1alpha1