New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
subPath in volumeMount is not writable for non-root users #41638
Comments
Could someone from @kubernetes/sig-node-bugs please take a look? Thanks! cc: @kubernetes/sig-storage-bugs |
@pmorie @kubernetes/sig-storage-misc |
cc/ @saad-ali |
attempted fix created here #43775 |
Automatic merge from submit-queue Create subPaths and set their permissions like we do mountPaths fixes #41638 If a subPath does not exist at the time MountVolume.Setup happens, SetVolumeOwnership will not have walked to the subPath and set appropriate permissions on it, leading to the above issue So later, at makeMounts when we are parsing subPaths, let's create all subPaths and set their permissions according to how the parent mountPath looks. ```release-note NONE ```
Mount the PVC used for workspaces to the Che server to allow the server to create directory that is mounted in the workspace. This is necessary because directories created by kubernetes when mounting a subpath are created with root permissions and cannot be modified by a non-root user. See: kubernetes/kubernetes#41638 Signed-off-by: Angel Misevski <amisevsk@redhat.com>
Mount the PVC used for workspaces to the Che server to allow the server to create directory that is mounted in the workspace. This is necessary because directories created by kubernetes when mounting a subpath are created with root permissions and cannot be modified by a non-root user. See: kubernetes/kubernetes#41638 Signed-off-by: Angel Misevski <amisevsk@redhat.com>
I created a cherrypick PR for 1.6 here: #44782 since this bug is against 1.6. Could someone (who agrees this could be cherrypicked) please add the cherrypick-candidate label + milestone to the original PR #43775, thank you! edit: sorry, it's against 1.5. Should it be cherrypicked back to that as well? |
I'm still facing this issue with Kubernetes version 1.12.8 on a AKS cluster when I mount a Azure Storage as azureFile share. |
same issue on GCP @ k8s 1.14 |
k8s 1.17 via eks as well |
So what's the recommendation? Not using subPath? |
Is this a request for help? (If yes, you should use our troubleshooting guide and community support channels, see http://kubernetes.io/docs/troubleshooting/.): no
What keywords did you search in Kubernetes issues before filing this one? (If you have found any duplicates, you should instead reply there.): subpath, emptyDir, mode, permissions
Is this a BUG REPORT or FEATURE REQUEST? (choose one): BUG REPORT
Kubernetes version (use
kubectl version
):Client Version: version.Info{Major:"1", Minor:"5", GitVersion:"v1.5.2", GitCommit:"08e099554f3c31f6e6f07b448ab3ed78d0520507", GitTreeState:"clean", BuildDate:"2017-01-12T04:57:25Z", GoVersion:"go1.7.4", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"5", GitVersion:"v1.5.2", GitCommit:"08e099554f3c31f6e6f07b448ab3ed78d0520507", GitTreeState:"clean", BuildDate:"2017-01-12T04:52:34Z", GoVersion:"go1.7.4", Compiler:"gc", Platform:"linux/amd64"}
Environment:
uname -a
): 4.8.0-0.bpo.2-amd64What happened: When I mount an
emptyDir
volume using a subpath, I'm unable to write into it if my process is not running asroot
. When I leave out the subpath, I can.What you expected to happen: I can write to the directory in both cases.
How to reproduce it (as minimally and precisely as possible):
Output is:
Anything else we need to know:
This issue is related to #39474. I know this is caused by the Docker daemon creating those directories on a bind mount. Nevertheless, I expect Kubernetes to abstract this away, since this behavior is neither documented nor IMHO intuitive.
The text was updated successfully, but these errors were encountered: