Bug 1554866

Summary: [3.6] subpath volume mounts do not work with secret, configmap, projected, or downwardAPI volumes
Product: OpenShift Container Platform Reporter: Jan Safranek <jsafrane>
Component: StorageAssignee: Jan Safranek <jsafrane>
Status: CLOSED ERRATA QA Contact: Liang Xia <lxia>
Severity: high Docs Contact:
Priority: unspecified    
Version: 3.6.1CC: ansverma, aos-bugs, aos-storage-staff, bbilgin, bchilds, dma, jhou, jliggitt, lxia, mifiedle, mmariyan, smunilla, vwalek
Target Milestone: ---   
Target Release: 3.6.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1554670 Environment:
Last Closed: 2018-04-30 04:00:18 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1554670, 1663260    
Bug Blocks:    

Description Jan Safranek 2018-03-13 13:40:31 UTC 
+++ This bug was initially created as a clone of Bug #1554670 +++

Description of problem:

Version-Release number of selected component (if applicable):

3.9.7-1

How reproducible:

Always

Steps to Reproduce:
1. Create a pod with a secret, configmap, downwardAPI and projected volume
2. Create volume mounts for each of those volumes that make use of the subPath feature

Actual results:

The pod will not start with errors like 

failed to prepare subPath for volumeMount "config" of container "mumble": subpath "/var/lib/kubelet/pods/66fa673c-266d-11e8-8ebf-00155d00a406/volumes/kubernetes.io~configmap/config/..2018_03_13_03_19_55.572152209/mumble.ini" not within volume path "/var/lib/kubelet/pods/66fa673c-266d-11e8-8ebf-00155d00a406/volumes/kubernetes.io~configmap/config"


Expected results:

Pod starts properly and volume mounts work


Regression introduced as part of the fix for https://bugzilla.redhat.com/show_bug.cgi?id=1519365

Upstream issue: https://github.com/kubernetes/kubernetes/issues/61076#issuecomment-372554309

The security fix was backported all the way to 3.3, which means this regression was as well.

--- Additional comment from Jordan Liggitt on 2018-03-13 09:10:27 EDT ---

this affects use of subPath volume mounts with any secret, configmap, projected, or downwardAPI volume

--- Additional comment from Jordan Liggitt on 2018-03-13 09:13:45 EDT ---

upstream fix in https://github.com/kubernetes/kubernetes/pull/61080
Comment 1 Jan Safranek 2018-03-13 18:26:32 UTC 
OSE PR: https://github.com/openshift/ose/pull/1114
Comment 7 Liang Xia 2018-04-20 06:54:09 UTC 
# oc version
oc v3.6.173.0.113
kubernetes v1.6.1+5115d708d7
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://qe-lxia-36-master-nfs-1:8443
openshift v3.6.173.0.113
kubernetes v1.6.1+5115d708d7


# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.3 (Maipo)


# uname -a
Linux qe-lxia-36-master-nfs-1 3.10.0-514.26.1.el7.x86_64 #1 SMP Tue Jun 20 01:16:02 EDT 2017 x86_64 x86_64 x86_64 GNU/Linux


Pod with secret, configmap, downwardAPI and projected volume can be up and running.

Move bug to verified.
Comment 16 errata-xmlrpc 2018-04-30 04:00:18 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:1233