Description of problem:
When a Windows Pod is created with a Projected Volume, the pod is stuck in ContainerCreating
How reproducible: Always
Steps to Reproduce:
1. Create a Windows Pod with a Projected Volume
Actual results: Pod is stuck in ContainerCreating
Expected results: Pod should go to Running
The KEP  and implementation  for setting proper file permission for projected volumes did not take Windows into account. The introduction of os.Chown(), which is not supported in Windows, caused this issue to happen.
This is a blocker bug for WMCO 3.0.0 release
Upstream issue: https://github.com/kubernetes/kubernetes/issues/102849
Upstream WIP PR: https://github.com/kubernetes/kubernetes/pull/102868
In Windows there does not seem to be a clear equivalent of chown. From my reading, the SetNamedSecurityInfoA call for a file needs a list of entries where you specify a user and permission like GENERIC_READ, GENERIC_WRITE. This almost seems like a chown+chomod. I am not able to figure out if there is a way to call SetNamedSecurityInfoA with a GRANT_ACCESS entry without specifying permissions.
Docs I have read so far: SetEntriesInAclW , SetNamedSecurityInfoW , ACCESS_MODE enumeration, Generic Access Rights.
I have reached out to MSFT folks on sig-windows on direction and waiting to hear back. The upstream PR has been updated to account for RunAsUsername being specified in a Windows Pod and I have added a comment to the spot where we have to do the Windows equivalent of chown().
This bug has been verified on OCP 4.9.0-0.nightly-2021-06-21-191858 and passed, thanks.
Version-Release number of selected component (if applicable):
WMCO commit: 2043f8e518dd2f73498bde9f044ecda97f2f853e
OCP build: 4.9.0-0.nightly-2021-06-21-191858
1, Build WMCO from master branch and install the operator on OCP 4.9
2, Bootstrap Windows node
3, Create the Secrets for Projected Volume
oc new-project winc-test
echo -n "admin" > ./username.txt
echo -n "1f2d1e2e67df" > ./password.txt
oc create secret generic user --from-file=./username.txt
oc create secret generic pass --from-file=./password.txt
4, Create Windows Pod with Projected Volume
oc create -f https://raw.githubusercontent.com/sgaoshang/winc-test/master/data/WinWebServer_Projected_Volume.yaml
5, Check creating Windows pod with a Projected Volume succeed and the projected-volume directory contains your projected sources
# oc get pod -owide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
win-webserver-796c99c67-kgzs6 1/1 Running 0 21m 10.132.0.2 ip-10-0-147-116.us-east-2.compute.internal <none> <none>
# oc exec -it win-webserver-796c99c67-kgzs6 powershell
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\> ls .\projected-volume\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 6/22/2021 9:25 AM ..2021_06_22_09_25_06.072795943
d----l 6/22/2021 9:25 AM ..data
-a---l 6/22/2021 9:25 AM 0 password.txt
-a---l 6/22/2021 9:25 AM 0 username.txt
PS C:\> cat .\projected-volume\username.txt
PS C:\> cat .\projected-volume\password.txt
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (Moderate: Red Hat OpenShift Container Platform for Windows Containers 3.0.0 security and bug fix update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.