Bug 1554871 - [3.5] subpath volume mounts do not work with secret, configmap, projected, or downwardAPI volumes
Summary: [3.5] subpath volume mounts do not work with secret, configmap, projected, or...
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Storage
Version: 3.5.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 3.5.z
Assignee: Jan Safranek
QA Contact: Chao Yang
Depends On: 1554670 1663260
Blocks: 1554864
TreeView+ depends on / blocked
Reported: 2018-03-13 13:41 UTC by Jan Safranek
Modified: 2019-01-03 15:12 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1554670
Last Closed: 2018-04-30 05:00:57 UTC

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:1235 None None None 2018-04-30 05:01:54 UTC

Description Jan Safranek 2018-03-13 13:41:10 UTC
+++ This bug was initially created as a clone of Bug #1554670 +++

Description of problem:

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Create a pod with a secret, configmap, downwardAPI and projected volume
2. Create volume mounts for each of those volumes that make use of the subPath feature

Actual results:

The pod will not start with errors like 

failed to prepare subPath for volumeMount "config" of container "mumble": subpath "/var/lib/kubelet/pods/66fa673c-266d-11e8-8ebf-00155d00a406/volumes/kubernetes.io~configmap/config/..2018_03_13_03_19_55.572152209/mumble.ini" not within volume path "/var/lib/kubelet/pods/66fa673c-266d-11e8-8ebf-00155d00a406/volumes/kubernetes.io~configmap/config"

Expected results:

Pod starts properly and volume mounts work

Regression introduced as part of the fix for https://bugzilla.redhat.com/show_bug.cgi?id=1519365

Upstream issue: https://github.com/kubernetes/kubernetes/issues/61076#issuecomment-372554309

The security fix was backported all the way to 3.3, which means this regression was as well.

--- Additional comment from Jordan Liggitt on 2018-03-13 09:10:27 EDT ---

this affects use of subPath volume mounts with any secret, configmap, projected, or downwardAPI volume

--- Additional comment from Jordan Liggitt on 2018-03-13 09:13:45 EDT ---

upstream fix in https://github.com/kubernetes/kubernetes/pull/61080

Comment 1 Jan Safranek 2018-03-14 11:15:48 UTC
OSE PR: https://github.com/openshift/ose/pull/1122

Comment 3 Chao Yang 2018-04-17 05:56:57 UTC
This is verified with 
openshift v3.
kubernetes v1.5.2+43a9be4

Subpath mounts worked with secret, configmap, projected, and downwardAPI volumes

Comment 8 errata-xmlrpc 2018-04-30 05:00:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.