+++ This bug was initially created as a clone of Bug #1554670 +++
Description of problem:
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Create a pod with a secret, configmap, downwardAPI and projected volume
2. Create volume mounts for each of those volumes that make use of the subPath feature
The pod will not start with errors like
failed to prepare subPath for volumeMount "config" of container "mumble": subpath "/var/lib/kubelet/pods/66fa673c-266d-11e8-8ebf-00155d00a406/volumes/kubernetes.io~configmap/config/..2018_03_13_03_19_55.572152209/mumble.ini" not within volume path "/var/lib/kubelet/pods/66fa673c-266d-11e8-8ebf-00155d00a406/volumes/kubernetes.io~configmap/config"
Pod starts properly and volume mounts work
Regression introduced as part of the fix for https://bugzilla.redhat.com/show_bug.cgi?id=1519365
Upstream issue: https://github.com/kubernetes/kubernetes/issues/61076#issuecomment-372554309
The security fix was backported all the way to 3.3, which means this regression was as well.
--- Additional comment from Jordan Liggitt on 2018-03-13 09:10:27 EDT ---
this affects use of subPath volume mounts with any secret, configmap, projected, or downwardAPI volume
--- Additional comment from Jordan Liggitt on 2018-03-13 09:13:45 EDT ---
upstream fix in https://github.com/kubernetes/kubernetes/pull/61080
OSE PR: https://github.com/openshift/ose/pull/1114
# oc version
features: Basic-Auth GSSAPI Kerberos SPNEGO
# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.3 (Maipo)
# uname -a
Linux qe-lxia-36-master-nfs-1 3.10.0-514.26.1.el7.x86_64 #1 SMP Tue Jun 20 01:16:02 EDT 2017 x86_64 x86_64 x86_64 GNU/Linux
Pod with secret, configmap, downwardAPI and projected volume can be up and running.
Move bug to verified.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.