Subpath volumes don't receive set-GID flag #61283

Closed
jsafrane opened this Issue Mar 16, 2018 · 9 comments

8 participants
@jsafrane
Member

jsafrane commented Mar 16, 2018

Fix status:

  • fixed in master in #61284, will be in 1.10.0
  • fixed in release-1.9 branch in #61308, will be in 1.9.7
  • fixed in release-1.8 branch in #61309, will be in 1.8.11
  • fixed in release-1.7 branch in #61310, will be in 1.7.16

Subpaths of volumes with fsGroup may be mounted into a container without SGID bit on themselves:

```
$ kubectl create -f - <<EOF
kind: Pod
apiVersion: v1
metadata: { name: "subpath" }
spec:
  volumes:
    - { name: "direct",  emptyDir: {}}
    - { name: "subpath", emptyDir: {}}
  securityContext:
    fsGroup: 100
    runAsUser: 35
  containers:
    - image: aosqe/hello-openshift
      name: show
      volumeMounts:
        - name: "direct"
          mountPath: "/mnt/direct"
        - name: "subpath"
          mountPath: "/mnt/subpath"
          subPath: "a"
EOF

$ kubectl exec -ti subpath -- ls /mnt -la
drwxrwsrwx    2 root     users            6 Mar 16 15:13 direct
drwxrwxrwx    2 root     users            6 Mar 16 15:13 subpath
```

The mode of subpath should be drwxrwsrwx instead of drwxrwxrwx.

Reason for this is fchmod at:

```go
	if err = syscall.Fchmod(parentFD, uint32(perm)&uint32(os.ModePerm)); err != nil {
		return fmt.Errorf("chmod %q failed: %s", currentPath, err)
	}
```

  1. it should not filter out sgid/suid/sticky flags with &os.ModePerm
  2. Fchmod() int32 argument expects suid/sgid/sticky flags on different bits than os.FileMode.

/kind bug
/sig storage
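
The two points in the report above, as an added Go example (not the Kubernetes code and not the fix merged in #61284): it compares the masked value, the value with the mask simply removed, and an explicit translation of the special bits. The function names `buggyMode`, `naiveMode` and `fchmodMode` and the three constants are hypothetical names introduced here.

```go
package main

import (
	"fmt"
	"os"
)

// POSIX chmod(2) values of the special bits, written out here (instead of
// using package syscall) so the example builds on any platform.
const (
	sISUID = 04000
	sISGID = 02000
	sISVTX = 01000
)

// buggyMode mirrors the expression quoted in the issue: os.ModePerm is 0777,
// so the mask drops setuid/setgid/sticky before the value reaches fchmod.
func buggyMode(perm os.FileMode) uint32 {
	return uint32(perm) & uint32(os.ModePerm)
}

// naiveMode removes only the mask. os.FileMode stores setuid, setgid and
// sticky at bits 23, 22 and 20, so the chmod bits 04000/02000/01000 stay zero.
func naiveMode(perm os.FileMode) uint32 {
	return uint32(perm)
}

// fchmodMode translates an os.FileMode into the bit layout fchmod expects.
func fchmodMode(perm os.FileMode) uint32 {
	mode := uint32(perm.Perm())
	if perm&os.ModeSetuid != 0 {
		mode |= sISUID
	}
	if perm&os.ModeSetgid != 0 {
		mode |= sISGID
	}
	if perm&os.ModeSticky != 0 {
		mode |= sISVTX
	}
	return mode
}

func main() {
	// Mode of the "direct" mount in the issue output: drwxrwsrwx.
	perm := os.ModeDir | os.ModeSetgid | 0777
	fmt.Printf("buggy:  %04o\n", buggyMode(perm))
	fmt.Printf("naive:  special bits %04o\n", naiveMode(perm)&07000)
	fmt.Printf("mapped: %04o\n", fchmodMode(perm))
}
```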

jberkus commented Mar 16, 2018

Moved into 1.10 for tracking purposes

/priority critical-urgent
/status in-progress


Contributor

k8s-ci-robot commented Mar 16, 2018

You must be a member of the kubernetes/kubernetes-milestone-maintainers github team to add status labels.


Member

childsb commented Mar 16, 2018

/status approved-for-milestone


Contributor

k8s-merge-robot commented Mar 16, 2018

[MILESTONENOTIFIER] Milestone Issue: Up-to-date for process

@childsb @jsafrane @saad-ali

Note: This issue is marked as priority/critical-urgent, and must be updated every 1 day during code freeze.

Example update:

ACK.  In progress
ETA: DD/MM/YYYY
Risks: Complicated fix required
Issue Labels
  • sig/storage: Issue will be escalated to these SIGs if needed.
  • priority/critical-urgent: Never automatically move issue out of a release milestone; continually escalate to contributor and SIG through all available channels.
  • kind/bug: Fixes a bug discovered during the current release.
Help

Member

liggitt commented Mar 16, 2018

reopening to track fixes in the 1.7, 1.8, 1.9 branches


Member

liggitt commented Mar 16, 2018

/milestone clear


Member

dims commented Mar 17, 2018

/milestone v1.10

@k8s-ci-robot k8s-ci-robot added this to the v1.10 milestone Mar 17, 2018


Member

liggitt commented Mar 17, 2018

/milestone clear

No longer blocking 1.10. See #61283 (comment)

@k8s-ci-robot k8s-ci-robot removed this from the v1.10 milestone Mar 17, 2018

@liggitt liggitt referenced this issue Mar 22, 2018

Closed

subPath volume mount umbrella issue #61563

6 of 8 tasks complete

k8s-merge-robot added a commit that referenced this issue Mar 22, 2018

Merge pull request #61310 from rootfs/automated-cherry-pick-of-#61284-upstream-release-1.7

Automatic merge from submit-queue.

Automated cherry pick of #61284 upstream release 1.7

**What this PR does / why we need it**:
cherrypick #61284 into 1.7
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #61283

**Special notes for your reviewer**:
@jsafrane @liggitt 
**Release note**:
```release-note
Fix a regression preventing subpath mounts in pods using fsGroup from having set-GID bits set properly
```

k8s-merge-robot added a commit that referenced this issue Mar 26, 2018

Merge pull request #61308 from rootfs/automated-cherry-pick-of-#61284-upstream-release-1.9

Automatic merge from submit-queue.

Automated cherry pick of #61284 upstream release 1.9

**What this PR does / why we need it**:
cherrypick #61824 into 1.9
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #61283

**Special notes for your reviewer**:
@jsafrane @liggitt 
**Release note**:

```release-note
Fix a regression preventing subpath mounts in pods using fsGroup from having set-GID bits set properly
```

Member

jsafrane commented Apr 6, 2018

Should this issue be closed? Fixes have been merged into all maintained branches.

@liggitt liggitt closed this Apr 6, 2018
