Bug 1971745
Summary: Windows pod with a Projected Volume is stuck at ContainerCreating

| Field | Value | Field | Value |
|---|---|---|---|
| Product | OpenShift Container Platform | Reporter | Aravindh Puthiyaparambil <aravindh> |
| Component | Windows Containers | Assignee | Aravindh Puthiyaparambil <aravindh> |
| Status | CLOSED ERRATA | QA Contact | gaoshang <sgao> |
| Severity | urgent | Docs Contact | |
| Priority | urgent | | |
| Version | 4.7 | CC | aos-bugs, gmarkley, nstielau, rphillips, sdodson |
| Target Milestone | --- | | |
| Target Release | 4.9.0 | | |
| Hardware | x86_64 | | |
| OS | Windows | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2021-08-03 20:29:16 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 1973580 | | |

Doc Text:

Cause: Windows Pods with a Projected Volume and with a RunAsUser present in the Pod's SecurityContext result in os.Chown() being executed for the entities being projected.

Consequence: os.Chown() is not implemented for Windows, so an error is returned and the Pod is stuck in ContainerCreating.

Fix: Don't execute os.Chown() if the kubelet is running on Windows.

Result: Pods go to Running.
Description

Aravindh Puthiyaparambil
2021-06-14 17:17:39 UTC

This is a blocker bug for WMCO 3.0.0 release.

Upstream issue: https://github.com/kubernetes/kubernetes/issues/102849
Upstream WIP PR: https://github.com/kubernetes/kubernetes/pull/102868

In Windows there does not seem to be a clear equivalent of chown. From my reading, the SetNamedSecurityInfoA call for a file needs a list of entries where you specify a user and permission like GENERIC_READ, GENERIC_WRITE. This almost seems like a chown+chmod. I am not able to figure out if there is a way to call SetNamedSecurityInfoA with a GRANT_ACCESS entry without specifying permissions.

Docs I have read so far: SetEntriesInAclW [0], SetNamedSecurityInfoW [1], ACCESS_MODE enumeration [2], Generic Access Rights [3].

I have reached out to MSFT folks on sig-windows on direction and am waiting to hear back.

The upstream PR has been updated to account for RunAsUsername being specified in a Windows Pod and I have added a comment to the spot where we have to do the Windows equivalent of chown().

[0] https://docs.microsoft.com/en-us/windows/win32/api/aclapi/nf-aclapi-setentriesinaclw
[1] https://docs.microsoft.com/en-us/windows/win32/api/aclapi/nf-aclapi-setnamedsecurityinfow
[2] https://docs.microsoft.com/en-us/windows/win32/api/accctrl/ne-accctrl-access_mode
[3] https://docs.microsoft.com/en-us/windows/win32/secauthz/generic-access-rights


This bug has been verified on OCP 4.9.0-0.nightly-2021-06-21-191858 and passed, thanks.

Version-Release number of selected component (if applicable):
WMCO commit: 2043f8e518dd2f73498bde9f044ecda97f2f853e
OCP build: 4.9.0-0.nightly-2021-06-21-191858

Steps:

1. Build WMCO from master branch and install the operator on OCP 4.9
2. Bootstrap Windows node
3. Create the Secrets for Projected Volume

```
oc new-project winc-test
echo -n "admin" > ./username.txt
echo -n "1f2d1e2e67df" > ./password.txt
oc create secret generic user --from-file=./username.txt
oc create secret generic pass --from-file=./password.txt
```

4. Create Windows Pod with Projected Volume, e.g.

```
oc create -f https://raw.githubusercontent.com/sgaoshang/winc-test/master/data/WinWebServer_Projected_Volume.yaml
```

5. Check that creating a Windows pod with a Projected Volume succeeds and the projected-volume directory contains your projected sources

```
# oc get pod -owide
NAME                            READY   STATUS    RESTARTS   AGE   IP           NODE                                         NOMINATED NODE   READINESS GATES
win-webserver-796c99c67-kgzs6   1/1     Running   0          21m   10.132.0.2   ip-10-0-147-116.us-east-2.compute.internal   <none>           <none>

# oc exec -it win-webserver-796c99c67-kgzs6 powershell
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\> ls .\projected-volume\

    Directory: C:\projected-volume

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         6/22/2021   9:25 AM                ..2021_06_22_09_25_06.072795943
d----l         6/22/2021   9:25 AM                ..data
-a---l         6/22/2021   9:25 AM              0 password.txt
-a---l         6/22/2021   9:25 AM              0 username.txt

PS C:\> cat .\projected-volume\username.txt
admin
PS C:\> cat .\projected-volume\password.txt
1f2d1e2e67df
```


Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: Red Hat OpenShift Container Platform for Windows Containers 3.0.0 security and bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3001
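The failure mode in the Doc Text (a Windows kubelet calling os.Chown() for each projected entry when RunAsUser is set, and the unimplemented call failing the whole mount) and the fix it describes (skip the ownership change on Windows) are shown below as an added Go example. This is not the kubelet's or WMCO's code; the `payload` type, the `setOwnership`/`writeProjected` functions and the explicit `goos` parameter are assumptions made so the Windows branch can be exercised on any host, and the sample files are constructed to match the secrets from the verification steps.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"runtime"
)

// payload is a constructed stand-in for one projected-volume entry:
// the relative path inside the volume and the bytes to write there.
type payload struct {
	path string
	data []byte
}

// setOwnership applies the pod's RunAsUser/fsGroup to a written file.
// fsUser and fsGroup are nil when the SecurityContext leaves them unset.
// goos is a hypothetical parameter so the Windows path can be exercised on
// any host; production code would consult runtime.GOOS directly.
func setOwnership(path string, fsUser, fsGroup *int64, goos string) error {
	if fsUser == nil && fsGroup == nil {
		return nil // nothing requested, nothing to change
	}
	if goos == "windows" {
		// os.Chown/os.Lchown are not implemented on Windows and always return
		// an error; propagating it is what left the pod in ContainerCreating.
		// The fix is to skip the ownership change on Windows.
		return nil
	}
	uid, gid := -1, -1 // -1 tells chown(2) to leave that id unchanged
	if fsUser != nil {
		uid = int(*fsUser)
	}
	if fsGroup != nil {
		gid = int(*fsGroup)
	}
	return os.Lchown(path, uid, gid)
}

// writeProjected writes each payload below dir and then applies ownership,
// in the same order the projected-volume plugin follows: an ownership error
// aborts the whole mount, which is why the Windows skip matters.
func writeProjected(dir string, payloads []payload, fsUser, fsGroup *int64, goos string) error {
	for _, p := range payloads {
		full := filepath.Join(dir, filepath.FromSlash(p.path))
		if err := os.MkdirAll(filepath.Dir(full), 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(full, p.data, 0o644); err != nil {
			return err
		}
		if err := setOwnership(full, fsUser, fsGroup, goos); err != nil {
			return fmt.Errorf("setting ownership on %s: %w", full, err)
		}
	}
	return nil
}

func main() {
	dir, err := os.MkdirTemp("", "projected-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)

	// Constructed sample matching the two secrets from the verification steps.
	payloads := []payload{
		{path: "username.txt", data: []byte("admin")},
		{path: "password.txt", data: []byte("1f2d1e2e67df")},
	}
	runAsUser := int64(os.Getuid()) // RunAsUser as set in the pod's SecurityContext

	// First pass simulates a Windows kubelet (ownership skipped), second pass
	// runs the real chown on the host we are on, using our own uid.
	for _, goos := range []string{"windows", runtime.GOOS} {
		err := writeProjected(dir, payloads, &runAsUser, nil, goos)
		fmt.Printf("goos=%s fsUser=%d -> err=%v\n", goos, runAsUser, err)
	}
}
```

The chown to the caller's own uid in the second pass is permitted for an unprivileged process, so the example runs without root; with any other uid it would fail on Linux exactly as a real fsUser mismatch would, which is the behaviour the Windows branch deliberately sidesteps.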