Bug 1403244 - [ocp3.4] Secrets getting mounted in container with out rootcontext getting added to mount.
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Node
Version: 3.4.0
Hardware: Unspecified
OS: Unspecified
unspecified
high
Assignee: Paul Morie
QA Contact: DeShuai Ma
Depends On: 1401131
Reported: 2016-12-09 13:58 UTC by Scott Dodson
Modified: 2017-03-08 18:43 UTC (History)
Clone Of: 1401131
Last Closed: 2017-01-18 12:57:14 UTC
Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:0066 0 normal SHIPPED_LIVE Red Hat OpenShift Container Platform 3.4 RPM Release Advisory 2017-01-18 17:23:26 UTC

Comment 2 Derek Carr 2016-12-12 22:34:16 UTC
origin/release-1.4 pr merged, moving to modified.

Comment 3 Troy Dawson 2016-12-12 22:45:10 UTC
This has been merged into ocp and is in OCP v3.4.0.35 or newer.

Comment 5 DeShuai Ma 2016-12-13 09:12:03 UTC
Verify on v3.4.0.35+86b11df

Steps:
1. Create an rc
oc create -f https://raw.githubusercontent.com/mdshuai/testfile-openshift/master/k8s/rc-with-emptdir.yaml

2. Scale the rc to replicas=5 and wait until all pods are running
[root@ip-172-18-5-253 ~]# oc scale rc/hello-pod --replicas=5
replicationcontroller "hello-pod" scaled
[root@ip-172-18-5-253 ~]# oc get po
NAME              READY     STATUS    RESTARTS   AGE
hello-pod-e9guz   1/1       Running   0          3m
hello-pod-efabj   1/1       Running   0          3m
hello-pod-h1zv9   1/1       Running   0          3m
hello-pod-ky1ac   1/1       Running   0          3m
hello-pod-pq55f   1/1       Running   0          3m

3. On the node, check that all mounted secrets have the correct context
[root@ip-172-18-4-204 ~]# mount|grep pods
tmpfs on /var/lib/origin/openshift.local.volumes/pods/5e00942a-c0dc-11e6-9432-0e5dea3886e8/volumes/kubernetes.io~secret/default-token-rtl9j type tmpfs (rw,relatime,rootcontext="system_u:object_r:svirt_sandbox_file_t:s0:c2,c8",seclabel)
tmpfs on /var/lib/origin/openshift.local.volumes/pods/150fa5eb-c0dd-11e6-9432-0e5dea3886e8/volumes/kubernetes.io~secret/default-token-rtl9j type tmpfs (rw,relatime,rootcontext="system_u:object_r:svirt_sandbox_file_t:s0:c2,c8",seclabel)
tmpfs on /var/lib/origin/openshift.local.volumes/pods/95cff1c9-c10c-11e6-9f1f-0e5dea3886e8/volumes/kubernetes.io~secret/registry-token-n6pyt type tmpfs (rw,relatime,rootcontext="system_u:object_r:svirt_sandbox_file_t:s0:c0,c6",seclabel)
/dev/xvdba on /var/lib/origin/openshift.local.volumes/pods/95cff1c9-c10c-11e6-9f1f-0e5dea3886e8/volumes/kubernetes.io~aws-ebs/pvc-fe83a40b-c0db-11e6-9432-0e5dea3886e8 type ext4 (rw,relatime,seclabel,data=ordered)
tmpfs on /var/lib/origin/openshift.local.volumes/pods/1fce9af5-c10d-11e6-823a-0e5dea3886e8/volumes/kubernetes.io~secret/router-token-ry6h7 type tmpfs (rw,relatime,rootcontext="system_u:object_r:svirt_sandbox_file_t:s0:c0,c6",seclabel)
tmpfs on /var/lib/origin/openshift.local.volumes/pods/1fce9af5-c10d-11e6-823a-0e5dea3886e8/volumes/kubernetes.io~secret/server-certificate type tmpfs (rw,relatime,rootcontext="system_u:object_r:svirt_sandbox_file_t:s0:c0,c6",seclabel)
tmpfs on /var/lib/origin/openshift.local.volumes/pods/25baca2e-c112-11e6-823a-0e5dea3886e8/volumes/kubernetes.io~secret/default-token-fdloo type tmpfs (rw,relatime,rootcontext="system_u:object_r:svirt_sandbox_file_t:s0:c12,c13",seclabel)
tmpfs on /var/lib/origin/openshift.local.volumes/pods/25bad685-c112-11e6-823a-0e5dea3886e8/volumes/kubernetes.io~secret/default-token-fdloo type tmpfs (rw,relatime,rootcontext="system_u:object_r:svirt_sandbox_file_t:s0:c12,c13",seclabel)
tmpfs on /var/lib/origin/openshift.local.volumes/pods/25baad1b-c112-11e6-823a-0e5dea3886e8/volumes/kubernetes.io~secret/default-token-fdloo type tmpfs (rw,relatime,rootcontext="system_u:object_r:svirt_sandbox_file_t:s0:c12,c13",seclabel)
tmpfs on /var/lib/origin/openshift.local.volumes/pods/25bc87d8-c112-11e6-823a-0e5dea3886e8/volumes/kubernetes.io~secret/default-token-fdloo type tmpfs (rw,relatime,rootcontext="system_u:object_r:svirt_sandbox_file_t:s0:c12,c13",seclabel)
tmpfs on /var/lib/origin/openshift.local.volumes/pods/25babd8e-c112-11e6-823a-0e5dea3886e8/volumes/kubernetes.io~secret/default-token-fdloo type tmpfs (rw,relatime,rootcontext="system_u:object_r:svirt_sandbox_file_t:s0:c12,c13",seclabel)
tmpfs on /var/lib/origin/openshift.local.volumes/pods/dfb735ff-c112-11e6-823a-0e5dea3886e8/volumes/kubernetes.io~secret/default-token-6hynu type tmpfs (rw,relatime,rootcontext=system_u:object_r:svirt_sandbox_file_t:s0,seclabel)
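
The check from step 3, as an added shell example that is not part of the original bug report: it reads `mount`-format lines and reports every `kubernetes.io~secret` tmpfs mount with its `rootcontext`, failing if any such mount has none. The function names and the sample lines (placeholder pod UIDs and token names) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report). Audits `mount`-format lines on stdin.

# Print "<status> <mount point> <context>" for every secret tmpfs mount.
# status is OK when a rootcontext= option is present, MISSING otherwise.
# Exit status is 1 if at least one secret mount is MISSING its rootcontext.
audit_secret_mounts() {
    awk '
        $1 == "tmpfs" && $3 ~ /\/volumes\/kubernetes\.io~secret\// {
            opts = $NF      # "(rw,relatime,...)" contains no spaces
            ctx = ""
            # Quoted form: MCS categories such as c2,c8 contain a comma.
            if (match(opts, /rootcontext="[^"]*"/))
                ctx = substr(opts, RSTART + 13, RLENGTH - 14)
            # Unquoted form: level without categories, e.g. ...:s0
            else if (match(opts, /rootcontext=[^,)]*/))
                ctx = substr(opts, RSTART + 12, RLENGTH - 12)
            if (ctx == "") { bad++; print "MISSING", $3, "-" }
            else           { print "OK", $3, ctx }
        }
        END { exit (bad > 0) }
    '
}

# Constructed sample input: one labelled secret mount, one secret mount
# without rootcontext (the condition in the bug title), one non-secret volume.
sample_mounts() {
    cat <<'EOF'
tmpfs on /var/lib/origin/openshift.local.volumes/pods/POD-UID-A/volumes/kubernetes.io~secret/default-token-aaaaa type tmpfs (rw,relatime,rootcontext="system_u:object_r:svirt_sandbox_file_t:s0:c2,c8",seclabel)
tmpfs on /var/lib/origin/openshift.local.volumes/pods/POD-UID-B/volumes/kubernetes.io~secret/default-token-bbbbb type tmpfs (rw,relatime,seclabel)
/dev/xvdba on /var/lib/origin/openshift.local.volumes/pods/POD-UID-B/volumes/kubernetes.io~aws-ebs/pvc-example type ext4 (rw,relatime,seclabel,data=ordered)
EOF
}
```

On a node, `mount | audit_secret_mounts` runs the same check against the live mount table; `sample_mounts | audit_secret_mounts` shows the output format offline.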

Comment 7 errata-xmlrpc 2017-01-18 12:57:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0066

