subPath in volumeMount is not writable for non-root users #41638

Open
thriqon opened this Issue Feb 17, 2017 · 1 comment

@thriqon
thriqon commented Feb 17, 2017

Is this a request for help? (If yes, you should use our troubleshooting guide and community support channels, see http://kubernetes.io/docs/troubleshooting/.): no

What keywords did you search in Kubernetes issues before filing this one? (If you have found any duplicates, you should instead reply there.): subpath, emptyDir, mode, permissions


Is this a BUG REPORT or FEATURE REQUEST? (choose one): BUG REPORT

Kubernetes version (use kubectl version):
Client Version: version.Info{Major:"1", Minor:"5", GitVersion:"v1.5.2", GitCommit:"08e099554f3c31f6e6f07b448ab3ed78d0520507", GitTreeState:"clean", BuildDate:"2017-01-12T04:57:25Z", GoVersion:"go1.7.4", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"5", GitVersion:"v1.5.2", GitCommit:"08e099554f3c31f6e6f07b448ab3ed78d0520507", GitTreeState:"clean", BuildDate:"2017-01-12T04:52:34Z", GoVersion:"go1.7.4", Compiler:"gc", Platform:"linux/amd64"}

Environment:

  • Cloud provider or hardware configuration: Bare metal, SSD, but also VMs
  • OS (e.g. from /etc/os-release): Debian GNU/Linux 8 (jessie)
  • Kernel (e.g. uname -a): 4.8.0-0.bpo.2-amd64
  • Install tools:
  • Others: Docker v1.12.6

What happened: When I mount an emptyDir volume using a subpath, I'm unable to write into it if my process is not running as root. When I leave out the subpath, I can.

What you expected to happen: I can write to the directory in both cases.

How to reproduce it (as minimally and precisely as possible):

kind: Pod
apiVersion: v1
metadata: { name: "test-modes" }
spec:
  volumes:
    - { name: "direct",  emptyDir: {}}
    - { name: "subpath", emptyDir: {}}
  securityContext:
    fsGroup: 100
    # games(35) is a member of group users(100)
    runAsUser: 35
  containers:
    - image: alpine:latest
      name: show
      command: ["/bin/sh", "-c", "id && ls -dl /mnts/*"]
      volumeMounts:
        - name: "direct"
          mountPath: "/mnts/direct"
        - name: "subpath"
          mountPath: "/mnts/subpath"
          subPath: a/b/c

Output is:

uid=35(games) gid=35(games) groups=100(users)
drwxrwsrwx    2 root     users         4096 Feb 17 12:38 /mnts/direct
drwxr-sr-x    2 root     users         4096 Feb 17 12:38 /mnts/subpath

Anything else we need to know:

This issue is related to #39474. I know this is caused by the Docker daemon creating those directories on a bind mount. Nevertheless, I expect Kubernetes to abstract this away, since this behavior is neither documented nor IMHO intuitive.
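A practical workaround for the behaviour reported above, added here as an example (it is not part of the original issue and not code from the Kubernetes project): because the runtime only creates the missing `subPath` directory when it sets up the bind mount, pre-creating that directory with the right mode from an init container that mounts the whole volume means there is nothing left for the runtime to create as root with 0755. The manifest assumes `spec.initContainers` is available, which was added to the v1 API after the v1.5.2 release shown in this report (v1.5 exposed init containers through a pod annotation instead); the volume name, mount paths and the `touch` probe are likewise assumptions for illustration.

```yaml
kind: Pod
apiVersion: v1
metadata: { name: "test-modes-init" }
spec:
  volumes:
    - { name: "subpath", emptyDir: {}}
  securityContext:
    fsGroup: 100
    # games(35) is a member of group users(100)
    runAsUser: 35
  # Assumed: spec.initContainers is supported by the cluster (added to the
  # v1 API after the v1.5.2 release used in this report).
  initContainers:
    - image: alpine:latest
      name: prepare-subpath
      # Only this container runs as root, so it can create and chmod the
      # directory; the pod-level runAsUser: 35 still applies to "show".
      securityContext:
        runAsUser: 0
      # Mount the whole volume (no subPath) and create a/b/c ourselves, so the
      # runtime finds it already present and does not create it as root:0755.
      # fsGroup has already made the volume root setgid with group users, so
      # the new directory inherits the group; chmod 2775 adds group write and
      # keeps the setgid bit so files created inside stay group-owned by users.
      command: ["/bin/sh", "-c", "mkdir -p /vol/a/b/c && chmod 2775 /vol/a/b/c"]
      volumeMounts:
        - name: "subpath"
          mountPath: "/vol"
  containers:
    - image: alpine:latest
      name: show
      # The touch is the check: it fails with "Permission denied" under the
      # original manifest and succeeds once the init container has run.
      command: ["/bin/sh", "-c", "id && ls -dl /mnts/subpath && touch /mnts/subpath/probe && echo writable"]
      volumeMounts:
        - name: "subpath"
          mountPath: "/mnts/subpath"
          subPath: a/b/c
```

Two caveats for anyone adopting this: the init container needs to run as root, so a cluster policy that forbids root containers will reject the pod, and the chmod is deliberately non-recursive on a directory the init container just created, so it never loosens permissions on anything it did not create itself.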

@calebamiles
Member

Could someone from @kubernetes/sig-node-bugs please take a look? Thanks!

cc: @kubernetes/sig-storage-bugs
