Description of problem: When a Windows Pod is created with a Projected Volume, the pod is stuck in ContainerCreating How reproducible: Always Steps to Reproduce: 1. Create a Windows Pod with a Projected Volume Actual results: Pod is stuck in ContainerCreating Expected results: Pod should go to Running Additional info: The KEP [0] and implementation [1] for setting proper file permission for projected volumes did not take Windows into account. The introduction of os.Chown(), which is not supported in Windows, caused this issue to happen. [0] https://github.com/kubernetes/enhancements/pull/1598/commits/73188e85c48dce815ddae6cb109ecf17fa72a687# [1] https://github.com/kubernetes/kubernetes/commit/3db7275b549559696c42c0b5f51c9a2397e9571d#diff-f4218ebfe0ced84087844da9d87b126752414e347e727c0455687d69e8e3d912
This is a blocker bug for WMCO 3.0.0 release
Upstream issue: https://github.com/kubernetes/kubernetes/issues/102849 Upstream WIP PR: https://github.com/kubernetes/kubernetes/pull/102868
In Windows there does not seem to be a clear equivalent of chown. From my reading, the SetNamedSecurityInfoA call for a file needs a list of entries where you specify a user and permission like GENERIC_READ, GENERIC_WRITE. This almost seems like a chown+chomod. I am not able to figure out if there is a way to call SetNamedSecurityInfoA with a GRANT_ACCESS entry without specifying permissions. Docs I have read so far: SetEntriesInAclW [0], SetNamedSecurityInfoW [1], ACCESS_MODE enumeration[2], Generic Access Rights[3]. I have reached out to MSFT folks on sig-windows on direction and waiting to hear back. The upstream PR has been updated to account for RunAsUsername being specified in a Windows Pod and I have added a comment to the spot where we have to do the Windows equivalent of chown(). [0] https://docs.microsoft.com/en-us/windows/win32/api/aclapi/nf-aclapi-setentriesinaclw [1] https://docs.microsoft.com/en-us/windows/win32/api/aclapi/nf-aclapi-setnamedsecurityinfow [2] https://docs.microsoft.com/en-us/windows/win32/api/accctrl/ne-accctrl-access_mode [3] https://docs.microsoft.com/en-us/windows/win32/secauthz/generic-access-rights
This bug has been verified on OCP 4.9.0-0.nightly-2021-06-21-191858 and passed, thanks. Version-Release number of selected component (if applicable): WMCO commit: 2043f8e518dd2f73498bde9f044ecda97f2f853e OCP build: 4.9.0-0.nightly-2021-06-21-191858 Steps: 1, Build WMCO from master branch and install the operator on OCP 4.9 2, Bootstrap Windows node 3, Create the Secrets for Projected Volume oc new-project winc-test echo -n "admin" > ./username.txt echo -n "1f2d1e2e67df" > ./password.txt oc create secret generic user --from-file=./username.txt oc create secret generic pass --from-file=./password.txt 4, Create Windows Pod with Projected Volume e.g. oc create -f https://raw.githubusercontent.com/sgaoshang/winc-test/master/data/WinWebServer_Projected_Volume.yaml 5, Check creating Windows pod with a Projected Volume succeed and the projected-volume directory contains your projected sources # oc get pod -owide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES win-webserver-796c99c67-kgzs6 1/1 Running 0 21m 10.132.0.2 ip-10-0-147-116.us-east-2.compute.internal <none> <none> # oc exec -it win-webserver-796c99c67-kgzs6 powershell kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead. Windows PowerShell Copyright (C) Microsoft Corporation. All rights reserved. PS C:\> ls .\projected-volume\ Directory: C:\projected-volume Mode LastWriteTime Length Name ---- ------------- ------ ---- d----- 6/22/2021 9:25 AM ..2021_06_22_09_25_06.072795943 d----l 6/22/2021 9:25 AM ..data -a---l 6/22/2021 9:25 AM 0 password.txt -a---l 6/22/2021 9:25 AM 0 username.txt PS C:\> cat .\projected-volume\username.txt admin PS C:\> cat .\projected-volume\password.txt 1f2d1e2e67df
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: Red Hat OpenShift Container Platform for Windows Containers 3.0.0 security and bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:3001