-
Notifications
You must be signed in to change notification settings - Fork 39.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Kubelet silently deletes any files written to secret volume #58719
Labels
area/usability
kind/bug
Categorizes issue or PR as related to a bug.
sig/node
Categorizes an issue or PR as relevant to SIG Node.
sig/storage
Categorizes an issue or PR as relevant to SIG Storage.
Comments
k8s-ci-robot
added
needs-sig
Indicates an issue or PR lacks a `sig/foo` label and requires one.
kind/bug
Categorizes issue or PR as related to a bug.
labels
Jan 23, 2018
/assign |
/sig node |
k8s-ci-robot
added
sig/node
Categorizes an issue or PR as relevant to SIG Node.
sig/storage
Categorizes an issue or PR as relevant to SIG Storage.
and removed
needs-sig
Indicates an issue or PR lacks a `sig/foo` label and requires one.
labels
Jan 23, 2018
Config volumes and secret volumes on a subdirectory of the config mount path also have this side effect, see ref 458
Secrets will first appear in your program and then disappear |
@gertcuykens I think that should be fixed now that #57422 has merged. I don't know what you mean by ref 458. (Edit: oh, you're referring to an issue in another repo). |
k8s-github-robot
pushed a commit
that referenced
this issue
Feb 2, 2018
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Ensure that the runtime mounts RO volumes read-only **What this PR does / why we need it**: This change makes it so that containers cannot write to secret, configMap, downwardAPI and projected volumes since the runtime will now mount them read-only. This change makes things less confusing for a user since any attempt to update a secret volume will result in an error rather than a successful change followed by a revert by the kubelet when the volume next syncs. It also adds a feature gate `ReadOnlyAPIDataVolumes` to a provide a way to disable the new behavior in 1.10, but for 1.11, the new behavior will become non-optional. Also, E2E tests for downwardAPI and projected volumes are updated to mount the volumes somewhere other than /etc. **Which issue(s) this PR fixes** Fixes #58719 **Release note**: ```release-note Containers now mount secret, configMap, downwardAPI and projected volumes read-only. Previously, container modifications to files in these types of volumes were temporary and reverted by the kubelet during volume sync. Until version 1.11, setting the feature gate ReadOnlyAPIDataVolumes=false will preserve the old behavior. ```
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
area/usability
kind/bug
Categorizes issue or PR as related to a bug.
sig/node
Categorizes an issue or PR as relevant to SIG Node.
sig/storage
Categorizes an issue or PR as relevant to SIG Storage.
Is this a BUG REPORT or FEATURE REQUEST?:
/kind bug
What happened:
When a container has a secret volume and creates or updates a file on the secret volume, the changes disappear within a minute or two. This behavior is confusing and surprising to container creators. Because the volume acts read-only (by reverting any changes made), a better solution would be do disallow writes to the volume so that applications can fail early if they attempt to write to the volume.
What you expected to happen:
Containers should be prevented from writing to secret volumes (and other volumes like them like downwardApi, configMap or projected volumes).
How to reproduce it (as minimally and precisely as possible):
Create a file
pod.yaml
with this content:Then create a secret and pod via
kubectl create -f pod.yml
Watch the logs for 2 minutes via
kubectl logs -f busybox-pod
You should see the pod create
myfile
and then 2 minutes later when it checks again,myfile
will be gone.Environment:
kubectl version
):The text was updated successfully, but these errors were encountered: