Bug 1554869 - [3.3] subpath volume mounts do not work with secret, configmap, projected, or downwardAPI volumes
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Storage
Version: 3.3.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: 3.3.1
Assignee: Jan Safranek
QA Contact: Liang Xia
URL:
Whiteboard:
Depends On: 1554670 1663260
Blocks:
Reported: 2018-03-13 13:40 UTC by Jan Safranek
Modified: 2019-08-07 15:01 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: OpenShift did not check correctly for parent directories when creating SubPath.
Consequence: Secrets, ConfigMap, DownwardAPI and Projected volumes could not be used with SubPaths in pods.
Fix: OpenShift correctly evaluates parent directories.
Result: Secrets, ConfigMap, DownwardAPI and Projected volumes can be used with SubPaths in pods.
Clone Of: 1554670
Environment:
Last Closed: 2019-08-07 15:01:06 UTC
Target Upstream Version:
Embargoed:



Description Jan Safranek 2018-03-13 13:40:47 UTC
+++ This bug was initially created as a clone of Bug #1554670 +++

Description of problem:

Version-Release number of selected component (if applicable):

3.9.7-1

How reproducible:

Always

Steps to Reproduce:
1. Create a pod with a secret, configmap, downwardAPI and projected volume
2. Create volume mounts for each of those volumes that make use of the subPath feature

Actual results:

The pod will not start with errors like 

failed to prepare subPath for volumeMount "config" of container "mumble": subpath "/var/lib/kubelet/pods/66fa673c-266d-11e8-8ebf-00155d00a406/volumes/kubernetes.io~configmap/config/..2018_03_13_03_19_55.572152209/mumble.ini" not within volume path "/var/lib/kubelet/pods/66fa673c-266d-11e8-8ebf-00155d00a406/volumes/kubernetes.io~configmap/config"


Expected results:

Pod starts properly and volume mounts work


Regression introduced as part of the fix for https://bugzilla.redhat.com/show_bug.cgi?id=1519365

Upstream issue: https://github.com/kubernetes/kubernetes/issues/61076#issuecomment-372554309

The security fix was backported all the way to 3.3, which means this regression was as well.

--- Additional comment from Jordan Liggitt on 2018-03-13 09:10:27 EDT ---

this affects use of subPath volume mounts with any secret, configmap, projected, or downwardAPI volume

--- Additional comment from Jordan Liggitt on 2018-03-13 09:13:45 EDT ---

upstream fix in https://github.com/kubernetes/kubernetes/pull/61080
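
Added illustration, not the OpenShift or Kubernetes source: a Go sketch of how a lexical parent-directory check can reject the path in the error message above. It assumes the faulty check tested whether the relative path merely begins with "..", which also matches the "..2018_03_13_..." directory name seen in that path; the function names are hypothetical.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// withinBaseBuggy (hypothetical) treats any relative path that starts with
// the two characters ".." as leaving the base directory.
func withinBaseBuggy(full, base string) bool {
	rel, err := filepath.Rel(base, full)
	if err != nil {
		return false
	}
	return !strings.HasPrefix(rel, "..")
}

// withinBaseFixed (hypothetical) rejects only a real parent reference:
// rel is exactly ".." or its first path component is "..".
// This is a lexical check only; it does not resolve symlinks.
func withinBaseFixed(full, base string) bool {
	rel, err := filepath.Rel(base, full)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

func main() {
	base := "/var/lib/kubelet/pods/66fa673c-266d-11e8-8ebf-00155d00a406/volumes/kubernetes.io~configmap/config"
	cases := []string{
		base + "/..2018_03_13_03_19_55.572152209/mumble.ini", // path from the error above
		base + "/mumble.ini",          // constructed: plain file in the volume
		base + "/../other/mumble.ini", // constructed: genuine escape
		base + "/..",                  // constructed: the parent itself
	}
	for _, c := range cases {
		fmt.Printf("buggy=%-5v fixed=%-5v %s\n",
			withinBaseBuggy(c, base), withinBaseFixed(c, base), c)
	}
}
```

The first case is the regression: the buggy check reports it as outside the volume although it is a subdirectory, while both checks still reject the two genuine parent references.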

Comment 1 Jan Safranek 2018-03-14 11:15:22 UTC
OSE PR: https://github.com/openshift/ose/pull/1124

Comment 3 Liang Xia 2018-12-27 11:08:00 UTC
The code has been in since 3.3.1.46.40; moving to QE to test.

Comment 4 Wenqi He 2018-12-28 07:14:40 UTC
Tested on the version below:
openshift v3.3.1.46.45
kubernetes v1.3.0+52492b4

# uname -a
Linux ip-172-18-5-133.ec2.internal 3.10.0-957.1.3.el7.x86_64 #1 SMP Thu Nov 15 17:36:42 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.6 (Maipo)


Subpath works well with configmap, secret and downwardAPI.

