Bug 1403244

Summary: [ocp3.4] Secrets getting mounted in container without rootcontext getting added to mount.
Product: OpenShift Container Platform
Reporter: Scott Dodson <sdodson>
Component: Node
Assignee: Paul Morie <pmorie>
Status: CLOSED ERRATA
QA Contact: DeShuai Ma <dma>
Severity: high
Priority: unspecified
Version: 3.4.0
CC: agoldste, aos-bugs, decarr, dma, ekuric, eparis, jeder, jokerman, mmccomas, pmorie, rhowe, tdawson
Hardware: Unspecified
OS: Unspecified
Clone Of: 1401131
Last Closed: 2017-01-18 12:57:14 UTC
Type: Bug
Bug Depends On: 1401131

Comment 2 Derek Carr 2016-12-12 22:34:16 UTC
origin/release-1.4 pr merged, moving to modified.

Comment 3 Troy Dawson 2016-12-12 22:45:10 UTC
This has been merged into ocp and is in OCP v3.4.0.35 or newer.

Comment 5 DeShuai Ma 2016-12-13 09:12:03 UTC
Verify on v3.4.0.35+86b11df

Steps:
1. Create a rc
oc create -f https://raw.githubusercontent.com/mdshuai/testfile-openshift/master/k8s/rc-with-emptdir.yaml

2. Scale the rc to replicas=5 and wait until all pods are running
[root@ip-172-18-5-253 ~]# oc scale rc/hello-pod --replicas=5
replicationcontroller "hello-pod" scaled
[root@ip-172-18-5-253 ~]# oc get po
NAME              READY     STATUS    RESTARTS   AGE
hello-pod-e9guz   1/1       Running   0          3m
hello-pod-efabj   1/1       Running   0          3m
hello-pod-h1zv9   1/1       Running   0          3m
hello-pod-ky1ac   1/1       Running   0          3m
hello-pod-pq55f   1/1       Running   0          3m

3. On the node, check that all mounted secrets have the correct context
[root@ip-172-18-4-204 ~]# mount|grep pods
tmpfs on /var/lib/origin/openshift.local.volumes/pods/5e00942a-c0dc-11e6-9432-0e5dea3886e8/volumes/kubernetes.io~secret/default-token-rtl9j type tmpfs (rw,relatime,rootcontext="system_u:object_r:svirt_sandbox_file_t:s0:c2,c8",seclabel)
tmpfs on /var/lib/origin/openshift.local.volumes/pods/150fa5eb-c0dd-11e6-9432-0e5dea3886e8/volumes/kubernetes.io~secret/default-token-rtl9j type tmpfs (rw,relatime,rootcontext="system_u:object_r:svirt_sandbox_file_t:s0:c2,c8",seclabel)
tmpfs on /var/lib/origin/openshift.local.volumes/pods/95cff1c9-c10c-11e6-9f1f-0e5dea3886e8/volumes/kubernetes.io~secret/registry-token-n6pyt type tmpfs (rw,relatime,rootcontext="system_u:object_r:svirt_sandbox_file_t:s0:c0,c6",seclabel)
/dev/xvdba on /var/lib/origin/openshift.local.volumes/pods/95cff1c9-c10c-11e6-9f1f-0e5dea3886e8/volumes/kubernetes.io~aws-ebs/pvc-fe83a40b-c0db-11e6-9432-0e5dea3886e8 type ext4 (rw,relatime,seclabel,data=ordered)
tmpfs on /var/lib/origin/openshift.local.volumes/pods/1fce9af5-c10d-11e6-823a-0e5dea3886e8/volumes/kubernetes.io~secret/router-token-ry6h7 type tmpfs (rw,relatime,rootcontext="system_u:object_r:svirt_sandbox_file_t:s0:c0,c6",seclabel)
tmpfs on /var/lib/origin/openshift.local.volumes/pods/1fce9af5-c10d-11e6-823a-0e5dea3886e8/volumes/kubernetes.io~secret/server-certificate type tmpfs (rw,relatime,rootcontext="system_u:object_r:svirt_sandbox_file_t:s0:c0,c6",seclabel)
tmpfs on /var/lib/origin/openshift.local.volumes/pods/25baca2e-c112-11e6-823a-0e5dea3886e8/volumes/kubernetes.io~secret/default-token-fdloo type tmpfs (rw,relatime,rootcontext="system_u:object_r:svirt_sandbox_file_t:s0:c12,c13",seclabel)
tmpfs on /var/lib/origin/openshift.local.volumes/pods/25bad685-c112-11e6-823a-0e5dea3886e8/volumes/kubernetes.io~secret/default-token-fdloo type tmpfs (rw,relatime,rootcontext="system_u:object_r:svirt_sandbox_file_t:s0:c12,c13",seclabel)
tmpfs on /var/lib/origin/openshift.local.volumes/pods/25baad1b-c112-11e6-823a-0e5dea3886e8/volumes/kubernetes.io~secret/default-token-fdloo type tmpfs (rw,relatime,rootcontext="system_u:object_r:svirt_sandbox_file_t:s0:c12,c13",seclabel)
tmpfs on /var/lib/origin/openshift.local.volumes/pods/25bc87d8-c112-11e6-823a-0e5dea3886e8/volumes/kubernetes.io~secret/default-token-fdloo type tmpfs (rw,relatime,rootcontext="system_u:object_r:svirt_sandbox_file_t:s0:c12,c13",seclabel)
tmpfs on /var/lib/origin/openshift.local.volumes/pods/25babd8e-c112-11e6-823a-0e5dea3886e8/volumes/kubernetes.io~secret/default-token-fdloo type tmpfs (rw,relatime,rootcontext="system_u:object_r:svirt_sandbox_file_t:s0:c12,c13",seclabel)
tmpfs on /var/lib/origin/openshift.local.volumes/pods/dfb735ff-c112-11e6-823a-0e5dea3886e8/volumes/kubernetes.io~secret/default-token-6hynu type tmpfs (rw,relatime,rootcontext=system_u:object_r:svirt_sandbox_file_t:s0,seclabel)
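
The check in step 3, automated as an added shell example (not part of the original comment or of OpenShift): it reads `mount` output and flags any kubernetes.io~secret tmpfs mount that has no rootcontext= option. The function names, pod UIDs and token names in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `mount` output for secret tmpfs volumes lacking rootcontext.

# Constructed sample input (placeholder pod UIDs and token names).
sample_mounts() {
cat <<'EOF'
tmpfs on /var/lib/origin/openshift.local.volumes/pods/POD-UID-A/volumes/kubernetes.io~secret/default-token-aaaaa type tmpfs (rw,relatime,rootcontext="system_u:object_r:svirt_sandbox_file_t:s0:c2,c8",seclabel)
tmpfs on /var/lib/origin/openshift.local.volumes/pods/POD-UID-B/volumes/kubernetes.io~secret/default-token-bbbbb type tmpfs (rw,relatime,rootcontext=system_u:object_r:svirt_sandbox_file_t:s0,seclabel)
tmpfs on /var/lib/origin/openshift.local.volumes/pods/POD-UID-C/volumes/kubernetes.io~secret/default-token-ccccc type tmpfs (rw,relatime,seclabel)
/dev/xvdba on /var/lib/origin/openshift.local.volumes/pods/POD-UID-C/volumes/kubernetes.io~aws-ebs/pvc-example type ext4 (rw,relatime,seclabel,data=ordered)
EOF
}

# Reads `mount`-format lines on stdin. For every kubernetes.io~secret tmpfs
# mount prints "<OK|MISSING> <context or -> <mountpoint>".
# Exit status is 1 if any secret mount has no rootcontext= option.
audit_secret_mounts() {
    awk '
    $5 == "tmpfs" && $3 ~ /\/volumes\/kubernetes\.io~secret\// {
        # The rootcontext value may be quoted and contain a comma (an MCS
        # pair such as c2,c8), so match it directly rather than splitting
        # the option list on commas.
        opts = $NF
        ctx = "-"
        if (match(opts, /rootcontext="[^"]*"/)) {
            ctx = substr(opts, RSTART + 13, RLENGTH - 14)
        } else if (match(opts, /rootcontext=[^,)]*/)) {
            ctx = substr(opts, RSTART + 12, RLENGTH - 12)
        }
        if (ctx == "-") { bad = 1; print "MISSING", ctx, $3 }
        else            { print "OK", ctx, $3 }
    }
    END { exit bad }
    '
}

# Demo on the constructed sample; on a node use: mount | audit_secret_mounts
sample_mounts | audit_secret_mounts || echo "secret mount(s) without rootcontext found"
```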

Comment 7 errata-xmlrpc 2017-01-18 12:57:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0066