πŸ“šBook Signing at KubeCon EU 2026Meet us at Booking.com HQ (Mon 18:30-21:00) & vCluster booth #521 (Tue 24 Mar, 12:30-1:30pm) β€” free book giveaway!RSVP Booking.com Event
KubernetesRecipes
Configuration beginner ⏱ 15 minutes K8s 1.28+

Migrate from gitRepo Volume in Kubernetes 1.36

The gitRepo volume plugin is permanently removed in Kubernetes 1.36. Migrate to init containers or OCI volumes to avoid broken deployments.

By Luca Berton β€’ β€’ πŸ“– 5 min read

πŸ’‘ Quick Answer: The gitRepo volume plugin is permanently disabled in Kubernetes 1.36. Pods using gitRepo volumes will fail to start. Migrate to init containers or the new OCI VolumeSource immediately.

The Problem

The gitRepo volume type allowed cloning a Git repository directly into a Pod volume. It was deprecated because:

  • Security vulnerability: It ran git clone as root on the host node, allowing malicious repos to execute arbitrary code with root privileges
  • No authentication support: Couldn’t use SSH keys or tokens for private repos
  • Shallow implementation: No branch selection, sparse checkout, or LFS support
  • No updates: Volume was cloned once at Pod start and never refreshed

In Kubernetes 1.36, the plugin is permanently disabled. This YAML will break:

# ❌ THIS NO LONGER WORKS IN 1.36
volumes:
  - name: config
    gitRepo:
      repository: "https://github.com/example/config.git"
      revision: "abc123"

The Solution

Option 1: Init Container (Drop-in Replacement)

apiVersion: v1
kind: Pod
metadata:
  name: app-with-git
spec:
  initContainers:
    - name: git-clone
      image: bitnami/git:2.45
      command:
        - git
        - clone
        - --depth=1
        - --branch=main
        - https://github.com/example/config.git
        - /repo
      volumeMounts:
        - name: git-repo
          mountPath: /repo
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
  containers:
    - name: app
      image: registry.example.com/app:v2.0
      volumeMounts:
        - name: git-repo
          mountPath: /config
          readOnly: true
  volumes:
    - name: git-repo
      emptyDir: {}

Option 2: Init Container with Private Repo

apiVersion: v1
kind: Pod
metadata:
  name: app-private-repo
spec:
  initContainers:
    - name: git-clone
      image: bitnami/git:2.45
      command:
        - /bin/sh
        - -c
        - |
          git clone --depth=1 \
            https://${GIT_TOKEN}@github.com/example/private-config.git \
            /repo
      env:
        - name: GIT_TOKEN
          valueFrom:
            secretKeyRef:
              name: git-credentials
              key: token
      volumeMounts:
        - name: git-repo
          mountPath: /repo
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
  containers:
    - name: app
      image: registry.example.com/app:v2.0
      volumeMounts:
        - name: git-repo
          mountPath: /config
          readOnly: true
  volumes:
    - name: git-repo
      emptyDir: {}

Option 3: OCI VolumeSource (Kubernetes 1.36+)

Package your config as an OCI artifact and mount it directly:

# Push config to registry
oras push registry.example.com/configs/app:v1.0 \
  ./config-dir/:application/octet-stream
apiVersion: v1
kind: Pod
metadata:
  name: app-oci-config
spec:
  containers:
    - name: app
      image: registry.example.com/app:v2.0
      volumeMounts:
        - name: config
          mountPath: /config
          readOnly: true
  volumes:
    - name: config
      image:
        reference: registry.example.com/configs/app:v1.0
        pullPolicy: IfNotPresent

Find Affected Workloads

# Search for gitRepo usage in your cluster
kubectl get pods -A -o json | jq -r '
  .items[] |
  select(.spec.volumes[]?.gitRepo != null) |
  "\(.metadata.namespace)/\(.metadata.name)"'

# Search in manifests
grep -rn "gitRepo:" manifests/ charts/ k8s/

Common Issues

Pod fails with β€œgitRepo volume type is disabled”

  • Cause: Running Kubernetes 1.36 with gitRepo volumes
  • Fix: Migrate to init container or OCI volume (see above)

Init container can’t clone (permission denied)

  • Cause: runAsNonRoot with wrong UID for the emptyDir
  • Fix: Ensure runAsUser has write permissions, or use securityContext.fsGroup

Best Practices

  1. Audit all manifests now β€” grep -rn "gitRepo:" . in your repos
  2. Use OCI volumes for static config bundles β€” simpler than init containers
  3. Use init containers when you need branch selection or authentication
  4. Run git as non-root β€” unlike gitRepo, init containers respect security contexts
  5. Pin git image tags β€” use specific versions, not latest

Key Takeaways

  • gitRepo volumes are permanently disabled in Kubernetes 1.36
  • Pods using gitRepo will fail to start β€” no grace period
  • Replace with init containers (flexible) or OCI volumes (simple)
  • Init containers are more secure β€” run as non-root, support private repos
  • Search your manifests and Helm charts for gitRepo: before upgrading
#kubernetes-1.36 #migration #volumes #deprecation #security
Luca Berton
Written by Luca Berton

Principal Solutions Architect specializing in Kubernetes, AI/GPU infrastructure, and cloud-native platforms. Author of Kubernetes Recipes and creator of CopyPasteLearn courses.

🌐 πŸ’Ό πŸ’»

πŸŽ“ Deepen Your Skills β€” Hands-on Courses

⚑
Ansible Quickstart

Automate Kubernetes node configuration and cluster bootstrapping with Ansible.

Start Learning β†’

Courses by CopyPasteLearn.com β€” Learn IT by Doing

Kubernetes Recipes book cover

Want More Kubernetes Recipes?

This recipe is from Kubernetes Recipes, our 750-page practical guide with hundreds of production-ready patterns.

Get the Book β†’ ← More Configuration Recipes
← Back to All Recipes
Luca Berton Ansible Pilot Ansible by Example Open Empower K8s Recipes Terraform Pilot CopyPasteLearn ProteinLens