Bug 1554866 - [3.6] subpath volume mounts do not work with secret, configmap, projected, or downwardAPI volumes
Summary: [3.6] subpath volume mounts do not work with secret, configmap, projected, or...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Storage
Version: 3.6.1
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
: 3.6.z
Assignee: Jan Safranek
QA Contact: Liang Xia
URL:
Whiteboard:
Depends On: 1554670 1663260
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-03-13 13:40 UTC by Jan Safranek
Modified: 2019-01-03 15:12 UTC (History)
13 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1554670
Environment:
Last Closed: 2018-04-30 04:00:18 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:1233 0 None None None 2018-04-30 04:01:03 UTC

Description Jan Safranek 2018-03-13 13:40:31 UTC 
+++ This bug was initially created as a clone of Bug #1554670 +++

Description of problem:

Version-Release number of selected component (if applicable):

3.9.7-1

How reproducible:

Always

Steps to Reproduce:
1. Create a pod with a secret, configmap, downwardAPI and projected volume
2. Create volume mounts for each of those volumes that make use of the subPath feature

Actual results:

The pod will not start with errors like 

failed to prepare subPath for volumeMount "config" of container "mumble": subpath "/var/lib/kubelet/pods/66fa673c-266d-11e8-8ebf-00155d00a406/volumes/kubernetes.io~configmap/config/..2018_03_13_03_19_55.572152209/mumble.ini" not within volume path "/var/lib/kubelet/pods/66fa673c-266d-11e8-8ebf-00155d00a406/volumes/kubernetes.io~configmap/config"


Expected results:

Pod starts properly and volume mounts work


Regression introduced as part of the fix for https://bugzilla.redhat.com/show_bug.cgi?id=1519365

Upstream issue: https://github.com/kubernetes/kubernetes/issues/61076#issuecomment-372554309

The security fix was backported all the way to 3.3, which means this regression was as well.

--- Additional comment from Jordan Liggitt on 2018-03-13 09:10:27 EDT ---

this affects use of subPath volume mounts with any secret, configmap, projected, or downwardAPI volume

--- Additional comment from Jordan Liggitt on 2018-03-13 09:13:45 EDT ---

upstream fix in https://github.com/kubernetes/kubernetes/pull/61080
Comment 1 Jan Safranek 2018-03-13 18:26:32 UTC 
OSE PR: https://github.com/openshift/ose/pull/1114
Comment 7 Liang Xia 2018-04-20 06:54:09 UTC 
# oc version
oc v3.6.173.0.113
kubernetes v1.6.1+5115d708d7
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://qe-lxia-36-master-nfs-1:8443
openshift v3.6.173.0.113
kubernetes v1.6.1+5115d708d7


# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.3 (Maipo)


# uname -a
Linux qe-lxia-36-master-nfs-1 3.10.0-514.26.1.el7.x86_64 #1 SMP Tue Jun 20 01:16:02 EDT 2017 x86_64 x86_64 x86_64 GNU/Linux


Pod with secret, configmap, downwardAPI and projected volume can be up and running.

Move bug to verified.
Comment 16 errata-xmlrpc 2018-04-30 04:00:18 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:1233
Note You need to log in before you can comment on or make changes to this bug.