
Kubelet silently deletes any files written to secret volume #58719

Closed
joelsmith opened this issue Jan 23, 2018 · 4 comments · Fixed by #58720
Labels: area/usability, kind/bug, sig/node, sig/storage

@joelsmith (Contributor)

Is this a BUG REPORT or FEATURE REQUEST?:

/kind bug

What happened:
When a container has a secret volume and creates or updates a file on the secret volume, the changes disappear within a minute or two. This behavior is confusing and surprising to container creators. Because the volume acts read-only (by reverting any changes made), a better solution would be to disallow writes to the volume so that applications can fail early if they attempt to write to the volume.

What you expected to happen:
Containers should be prevented from writing to secret volumes (and other volumes like them, such as downwardApi, configMap or projected volumes).

How to reproduce it (as minimally and precisely as possible):

Create a file pod.yaml with this content:

```yaml
apiVersion: v1
kind: List
items:
- apiVersion: v1
  kind: Secret
  data:
    secret: bXkgc2VjcmV0Cg==
  metadata:
    name: secrets
  type: Opaque
- apiVersion: v1
  kind: Pod
  metadata:
    name: busybox-pod
  spec:
    containers:
    - image: gcr.io/google_containers/busybox:latest
      name: busybox
      command: ["/bin/sh"]
      args: ["-c", "sleep 10; echo before; ls -l /secrets; touch /secrets/myfile; echo checking; ls -l /secrets; sleep 120; echo checking again; ls -l /secrets; while sleep 3600; do true; done"]
      volumeMounts:
      - mountPath: /secrets
        name: secrets
    restartPolicy: OnFailure
    volumes:
    - name: secrets
      secret:
        secretName: secrets
```

Then create the secret and pod via `kubectl create -f pod.yaml`.

Watch the logs for 2 minutes via `kubectl logs -f busybox-pod`.
You should see the pod create myfile and then, 2 minutes later when it checks again, myfile will be gone.

Environment:

- Kubernetes version (use `kubectl version`):

```
Client Version: version.Info{Major:"1", Minor:"10+", GitVersion:"v1.10.0-alpha.1.110+3d652cae0391cf-dirty", GitCommit:"3d652cae0391cfeff81f3e96f1ed7d558f171626", GitTreeState:"dirty", BuildDate:"2018-01-23T16:21:15Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"10+", GitVersion:"v1.10.0-alpha.1.110+3d652cae0391cf-dirty", GitCommit:"3d652cae0391cfeff81f3e96f1ed7d558f171626", GitTreeState:"dirty", BuildDate:"2018-01-23T16:21:15Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"linux/amd64"}
```
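The reproduction above detects the problem indirectly: write a file, wait for the kubelet sync, and see whether it survives. A container entrypoint or an e2e check can instead read the mount options directly. The following is an added example, not code from the issue or from Kubernetes: it parses `/proc/mounts` as seen inside a container and reports whether the mount that covers a given path carries the `ro` option. The `/proc/mounts` content is constructed for the example (secret volumes are typically tmpfs mounts); a kubelet with the fix mounts the secret volume `ro`, an older one `rw`. The nested `/etc/nats` and `/etc/nats/tls` lines mirror the layout in the later comment, so the deepest matching mount wins.

```python
"""Decide whether a path inside a container sits on a read-only mount, from /proc/mounts."""
from typing import Dict, List, Optional

# Constructed sample of /proc/mounts as seen inside a container (not captured
# from a real cluster). Fields: source mountpoint fstype options dump pass.
# A secret volume typically shows up as a tmpfs mount; "ro" in its options is
# the behaviour the runtime should enforce once these volumes are mounted read-only.
SAMPLE_PROC_MOUNTS = """\
overlay / overlay rw,relatime,lowerdir=/var/lib/docker/overlay2/l/EXAMPLE 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /secrets tmpfs ro,relatime 0 0
tmpfs /etc/nats tmpfs rw,relatime 0 0
tmpfs /etc/nats/tls tmpfs ro,relatime 0 0
tmpfs /my\\040dir tmpfs ro,relatime 0 0
"""


def unescape_mount_field(field: str) -> str:
    """/proc/mounts escapes space, tab, newline and backslash as octal (\\040, \\011, \\012, \\134)."""
    out = []
    i = 0
    while i < len(field):
        if field[i] == "\\" and i + 4 <= len(field) and field[i + 1:i + 4].isdigit():
            out.append(chr(int(field[i + 1:i + 4], 8)))
            i += 4
        else:
            out.append(field[i])
            i += 1
    return "".join(out)


def parse_proc_mounts(text: str) -> List[Dict[str, object]]:
    """Parse /proc/mounts text into a list of entries; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        entries.append({
            "source": unescape_mount_field(parts[0]),
            "mountpoint": unescape_mount_field(parts[1]),
            "fstype": parts[2],
            "options": set(parts[3].split(",")),
        })
    return entries


def mount_is_readonly(proc_mounts_text: str, path: str) -> Optional[bool]:
    """Return True if the mount covering `path` has the ro option, False if rw, None if nothing covers it.

    The deepest (longest) matching mountpoint is used, because a path can live
    under nested mounts (e.g. a read-only secret mounted below a writable configMap).
    """
    best = None
    for entry in parse_proc_mounts(proc_mounts_text):
        mp = str(entry["mountpoint"])
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(str(best["mountpoint"])):
                best = entry
    if best is None:
        return None
    return "ro" in best["options"]  # type: ignore[operator]


if __name__ == "__main__":
    # Stand-alone run against the constructed sample; in a container you would
    # pass open("/proc/mounts").read() instead.
    for p in ("/secrets/myfile", "/etc/nats/nats.conf", "/etc/nats/tls/cert.pem"):
        print(p, "read-only" if mount_is_readonly(SAMPLE_PROC_MOUNTS, p) else "writable")
```

A `None` result means no mount line covers the path, which in a real container only happens if `/proc/mounts` itself is truncated or unreadable; treat it as a failed check rather than as "writable".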
@k8s-ci-robot k8s-ci-robot added needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. kind/bug Categorizes issue or PR as related to a bug. labels Jan 23, 2018
@joelsmith (Contributor, Author)

/assign

@joelsmith (Contributor, Author)

/sig node
/sig storage

@k8s-ci-robot k8s-ci-robot added sig/node Categorizes an issue or PR as relevant to SIG Node. sig/storage Categorizes an issue or PR as relevant to SIG Storage. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Jan 23, 2018
@gertcuykens commented Jan 27, 2018

Config volumes and secret volumes on a subdirectory of the config mount path also have this side effect, see ref 458

```yaml
        volumeMounts:
        - name: tls-volume
          mountPath: /etc/nats/tls
        - name: config-volume
          mountPath: /etc/nats
      volumes:
      - name: tls-volume
        secret:
          secretName: tls-nats-server
      - name: config-volume
        configMap:
          name: nats-config
```

Secrets will first appear in your program and then disappear

@joelsmith (Contributor, Author) commented Feb 1, 2018

@gertcuykens I think that should be fixed now that #57422 has merged. I don't know what you mean by ref 458. (Edit: oh, you're referring to an issue in another repo).

k8s-github-robot pushed a commit that referenced this issue Feb 2, 2018
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md

Ensure that the runtime mounts RO volumes read-only

**What this PR does / why we need it**:

This change makes it so that containers cannot write to secret, configMap, downwardAPI and projected volumes since the runtime will now mount them read-only. This change makes things less confusing for a user since any attempt to update a secret volume will result in an error rather than a successful change followed by a revert by the kubelet when the volume next syncs.

It also adds a feature gate `ReadOnlyAPIDataVolumes` to provide a way to disable the new behavior in 1.10, but for 1.11, the new behavior will become non-optional.

Also, E2E tests for downwardAPI and projected volumes are updated to mount the volumes somewhere other than /etc.

**Which issue(s) this PR fixes**
Fixes #58719 

**Release note**:
```release-note
Containers now mount secret, configMap, downwardAPI and projected volumes read-only. Previously,
container modifications to files in these types of volumes were temporary and reverted by the kubelet
during volume sync. Until version 1.11, setting the feature gate ReadOnlyAPIDataVolumes=false will
preserve the old behavior.
```
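The fix makes the runtime mount these volumes read-only regardless of the manifest. On a kubelet that predates it, or one running with `ReadOnlyAPIDataVolumes=false`, the same protection can be requested per mount through the existing `volumeMounts[].readOnly` field. The following is an added example, not code from the issue or from Kubernetes: it audits a `kind: List` manifest (the JSON shape `kubectl get -o json` produces, mirroring the reproduction pod above) for mounts of secret, configMap, downwardAPI and projected volumes that lack `readOnly: true`, and produces the corrected manifest. The `app-config` configMap and `scratch` emptyDir volumes are constructed additions to show that only API data volumes are flagged.

```python
"""Audit pod manifests for writable mounts of kubelet-synced (API data) volumes and harden them."""
import json
from typing import Dict, List

# Volume source keys whose contents the kubelet writes and periodically re-syncs.
API_DATA_VOLUME_KEYS = ("secret", "configMap", "downwardAPI", "projected")

# Constructed manifest mirroring the reproduction pod, plus a configMap mount that is
# already read-only and an emptyDir mount (neither should be reported). The
# "app-config" and "scratch" names are invented for this example.
SAMPLE_MANIFEST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": "secrets"},
         "type": "Opaque", "data": {"secret": "bXkgc2VjcmV0Cg=="}},
        {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "busybox-pod"},
         "spec": {
             "containers": [{
                 "name": "busybox",
                 "image": "gcr.io/google_containers/busybox:latest",
                 "volumeMounts": [
                     {"name": "secrets", "mountPath": "/secrets"},
                     {"name": "app-config", "mountPath": "/config", "readOnly": True},
                     {"name": "scratch", "mountPath": "/scratch"},
                 ],
             }],
             "volumes": [
                 {"name": "secrets", "secret": {"secretName": "secrets"}},
                 {"name": "app-config", "configMap": {"name": "app-config"}},
                 {"name": "scratch", "emptyDir": {}},
             ],
         }},
    ],
})


def pods_in(doc: dict) -> List[dict]:
    """Return the Pod objects in a manifest, whether it is a single Pod or a List."""
    if doc.get("kind") == "List":
        return [item for item in doc.get("items", []) if item.get("kind") == "Pod"]
    return [doc] if doc.get("kind") == "Pod" else []


def api_data_volumes(spec: dict) -> Dict[str, str]:
    """Map volume name -> source kind for volumes backed by API data."""
    result = {}
    for vol in spec.get("volumes", []):
        for key in API_DATA_VOLUME_KEYS:
            if key in vol:
                result[vol["name"]] = key
    return result


def writable_api_data_mounts(manifest_text: str) -> List[Dict[str, str]]:
    """List mounts of API data volumes that are not marked readOnly, across all containers."""
    findings = []
    for pod in pods_in(json.loads(manifest_text)):
        spec = pod.get("spec", {})
        sources = api_data_volumes(spec)
        for container in spec.get("containers", []) + spec.get("initContainers", []):
            for mount in container.get("volumeMounts", []):
                source = sources.get(mount.get("name", ""))
                if source and not mount.get("readOnly", False):
                    findings.append({
                        "pod": pod["metadata"]["name"],
                        "container": container["name"],
                        "volume": mount["name"],
                        "mountPath": mount["mountPath"],
                        "source": source,
                    })
    return findings


def with_readonly_api_data_mounts(manifest_text: str) -> str:
    """Return the manifest with readOnly: true set on every API data volume mount."""
    doc = json.loads(manifest_text)
    for pod in pods_in(doc):
        spec = pod.get("spec", {})
        sources = api_data_volumes(spec)
        for container in spec.get("containers", []) + spec.get("initContainers", []):
            for mount in container.get("volumeMounts", []):
                if mount.get("name") in sources:
                    mount["readOnly"] = True
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    for f in writable_api_data_mounts(SAMPLE_MANIFEST):
        print("writable {source} volume {volume!r} at {mountPath} in {pod}/{container}".format(**f))
```

Run it over `kubectl get pods -A -o json` to inventory affected mounts before upgrading; an admission webhook can apply `with_readonly_api_data_mounts` on the way in. Once the runtime enforces read-only mounts, the audit simply stops producing findings that matter, which is the point of the fix.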