storage: document Windows projected volume limitations #30366
Conversation
k8s-ci-robot
added
sig/storage
|
/cc @brasmith-ms |
|
@marosset: GitHub didn't allow me to request PR reviews from the following users: brasmith-ms. Note that only kubernetes members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
✔️ Deploy Preview for kubernetes-io-main-staging ready! 🔨 Explore the source changes: 4c296c6 🔍 Inspect the deploy log: https://app.netlify.com/sites/kubernetes-io-main-staging/deploys/61943c0b7b69390007d33a2e 😎 Browse the preview: https://deploy-preview-30366--kubernetes-io-main-staging.netlify.app |
| items: | ||
| - key: config | ||
| path: my-group/my-config | ||
| ``` |
There was a problem hiding this comment.
I'd suggest we move this and the following YAML files out of the page, into the 'examples' directory.
There was a problem hiding this comment.
OK, I will move the text into configure-projected-volume-storage.md with yaml in the storage examples folder.
There was a problem hiding this comment.
Looks like tasks are more like for trying out rather than just for explanations. I will just move the yaml to the examples folders and link to it.
There was a problem hiding this comment.
You can use a codenew shortcode rather than a link, if that's relevant / useful.
| * [`secret`](/docs/concepts/storage/volumes/#secret) | ||
| * [`downwardAPI`](/docs/concepts/storage/volumes/#downwardapi) | ||
| * [`configMap`](/docs/concepts/storage/volumes/#configmap) | ||
| * `serviceAccountToken` |
There was a problem hiding this comment.
is there a link for this one?
There was a problem hiding this comment.
I could not find a link for this in volumes so I just moved it over as is.
| In Windows pods that have a projected volume and `RunAsUsername` is set in the | ||
| Pod `SecurityContext`, the ownership is not enforced due to the way user | ||
| accounts are managed in Windows. Windows stores and manages local user and group | ||
| accounts in a database file called Security Account Manager (SAM). This database |
There was a problem hiding this comment.
@brasmith-ms should we use SID or account in this documentation?
There was a problem hiding this comment.
SAM tracks both, so either term is fine. In this case I would opt for account since the SIDs in the container are not necessarily unique between containers.
| read, write and execute access while, non-administrator users will have read and | ||
| execute access. | ||
|
|
||
| {{< note >}} |
There was a problem hiding this comment.
kubernetes/kubernetes#104693 (part ofhttps://github.com/kubernetes/enhancements/issues/2802) will deny pods with RunAsUser specified if os=windows is also set and the feature is enabled.
There was a problem hiding this comment.
kubernetes/kubernetes#104693 will not be backported. So my plan was to get this merged and backported and then open a PR removing or updating the note. WDYT?
Move inline examples into the examples folder
aravindhp
force-pushed
the
windows-projected-volume
branch
from
df866b4
to
e7ede28
Compare
|
@tengqm @marosset @jsturtevant @brasmith-ms I have addressed your comments. PTAL. |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
LGTM label has been added. Git tree hash: 71500498d9d844db0450113e63d10bfdad884263
|
|
LGTM! Thank you @aravindhp!! |
|
/lgtm |
aravindhp
force-pushed
the
windows-projected-volume
branch
from
e7ede28
to
4c296c6
Compare
k8s-ci-robot
removed
the
lgtm
|
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
LGTM label has been added. Git tree hash: 46bd88d0cd209dde9a5001600d6c31ccc381b014
|
|
/lgtm |
| The [proposal for file permission handling in projected service account volume](https://github.com/kubernetes/enhancements/pull/1598) | ||
| enhancement introduced the projected files having the the correct owner | ||
| permissions set. |
There was a problem hiding this comment.
|
|
||
| By default, the projected files will have the following ownership as shown for | ||
| an example projected volume file: | ||
| ```powershell |
There was a problem hiding this comment.
This is not a valid PowerShell script.
| receive updates for those volume sources. | ||
| {{< /note >}} | ||
| A projected volume maps several existing volume sources into the same | ||
| directory. For more details, see [projected volumes](/docs/concepts/storage/projected-volumes/) |
There was a problem hiding this comment.
nit:
| directory. For more details, see [projected volumes](/docs/concepts/storage/projected-volumes/) | |
| directory. For more details, see [projected volumes](/docs/concepts/storage/projected-volumes/). |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: sftim The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
Document the limitation wrt file ownership with Windows Pods that have a projected volume and
RunAsUsernameset in it'sSecurityContextxref: kubernetes/kubernetes#102849
/sig storage
/sig windows
/cc @sftim @marosset @jsturtevant @zshihang