+++ This bug was initially created as a clone of Bug #1554670 +++ Description of problem: Version-Release number of selected component (if applicable): 3.9.7-1 How reproducible: Always Steps to Reproduce: 1. Create a pod with a secret, configmap, downwardAPI and projected volume 2. Create volume mounts for each of those volumes that make use of the subPath feature Actual results: The pod will not start with errors like failed to prepare subPath for volumeMount "config" of container "mumble": subpath "/var/lib/kubelet/pods/66fa673c-266d-11e8-8ebf-00155d00a406/volumes/kubernetes.io~configmap/config/..2018_03_13_03_19_55.572152209/mumble.ini" not within volume path "/var/lib/kubelet/pods/66fa673c-266d-11e8-8ebf-00155d00a406/volumes/kubernetes.io~configmap/config" Expected results: Pod starts properly and volume mounts work Regression introduced as part of the fix for https://bugzilla.redhat.com/show_bug.cgi?id=1519365 Upstream issue: https://github.com/kubernetes/kubernetes/issues/61076#issuecomment-372554309 The security fix was backported all the way to 3.3, which means this regression was as well. --- Additional comment from Jordan Liggitt on 2018-03-13 09:10:27 EDT --- this affects use of subPath volume mounts with any secret, configmap, projected, or downwardAPI volume --- Additional comment from Jordan Liggitt on 2018-03-13 09:13:45 EDT --- upstream fix in https://github.com/kubernetes/kubernetes/pull/61080
OSE PR: https://github.com/openshift/ose/pull/1114
# oc version oc v3.6.173.0.113 kubernetes v1.6.1+5115d708d7 features: Basic-Auth GSSAPI Kerberos SPNEGO Server https://qe-lxia-36-master-nfs-1:8443 openshift v3.6.173.0.113 kubernetes v1.6.1+5115d708d7 # cat /etc/redhat-release Red Hat Enterprise Linux Server release 7.3 (Maipo) # uname -a Linux qe-lxia-36-master-nfs-1 3.10.0-514.26.1.el7.x86_64 #1 SMP Tue Jun 20 01:16:02 EDT 2017 x86_64 x86_64 x86_64 GNU/Linux Pod with secret, configmap, downwardAPI and projected volume can be up and running. Move bug to verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:1233