daemon: Bind /run/secrets/ in so we can see SA tokens #370
Conversation
(Not tested locally yet, just tossing this up as I was thinking about a fix)
pkg/daemon/daemon.go (Outdated)

```go
// BindPodMounts ensures that the daemon can still see e.g. /run/secrets/kubernetes.io
// service account tokens after chrooting. This function must be called before chroot.
func (dn *Daemon) BindPodMounts() error {
	targetSecrets := dn.rootMount + "/run/secrets"
```
nit: filepath.Join
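As an added illustration of the point under review (this is example code written here, not the machine-config-daemon's own implementation), the sketch below builds the target path with `filepath.Join`, bind-mounts the pod's `/run/secrets` beneath the host rootfs before chroot, and checks that the service account token would actually be reachable from inside the chroot. The `rootMount` value `/rootfs`, the function names `bindMountTarget`, `bindPodMount` and `tokenVisibleAfterChroot`, and the token path are assumptions for the example; the mount itself needs root and a Linux kernel, while the path and visibility helpers run anywhere.

```go
//go:build linux

package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// bindMountTarget computes where a pod path must appear beneath the host
// rootfs so that it is still reachable after chroot. filepath.Join (the
// reviewer's nit) also normalises duplicate or trailing separators, so
// "/rootfs/" + "/run/secrets/" cannot produce "/rootfs//run/secrets/".
func bindMountTarget(rootMount, podPath string) string {
	return filepath.Join(rootMount, podPath)
}

// bindPodMount bind-mounts podPath onto the same path beneath rootMount.
// It must run before chroot, while the pod's own mount namespace is still
// the one the process sees. MS_REC is used because the service account
// token is itself a separate (projected) mount under /run/secrets; a plain
// non-recursive bind would carry the directory but not that submount.
// Example code with assumed names; requires CAP_SYS_ADMIN.
func bindPodMount(rootMount, podPath string) error {
	target := bindMountTarget(rootMount, podPath)
	if err := os.MkdirAll(target, 0o755); err != nil {
		return fmt.Errorf("creating %s: %w", target, err)
	}
	flags := uintptr(syscall.MS_BIND | syscall.MS_REC)
	if err := syscall.Mount(podPath, target, "", flags, ""); err != nil {
		return fmt.Errorf("bind mounting %s onto %s: %w", podPath, target, err)
	}
	return nil
}

// tokenVisibleAfterChroot reports whether the token would be readable
// from inside the chroot, i.e. whether a regular file exists at the
// bind-mounted location beneath rootMount. Intended as a pre-chroot
// sanity check so a missing mount fails loudly instead of surfacing later
// as API authentication errors in the daemon logs.
func tokenVisibleAfterChroot(rootMount, tokenPath string) bool {
	st, err := os.Stat(bindMountTarget(rootMount, tokenPath))
	return err == nil && st.Mode().IsRegular()
}

func main() {
	rootMount := "/rootfs"                                         // assumed host rootfs mountpoint
	token := "/run/secrets/kubernetes.io/serviceaccount/token" // assumed token path
	if err := bindPodMount(rootMount, "/run/secrets"); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	if !tokenVisibleAfterChroot(rootMount, token) {
		fmt.Fprintln(os.Stderr, "service account token not visible under", rootMount)
		os.Exit(1)
	}
	fmt.Println("service account token will be visible after chroot")
}
```

The visibility check is deliberately separate from the mount: it can be run in a test with a temporary directory standing in for `rootMount`, which is the kind of regression test the thread asks for without needing a privileged cluster.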
Just a utopic point here, cause of the complexity maybe, but is there any way we can add a test for this to make sure we won't regress in the future? (my understanding is also that this was working before). I'm seeing the errors everywhere on my clusters as well though.
This appears to not have worked, I still see the error in the mcd logs in this PR.
Yeah...I think we could scrape the MCD logs in
Not sure...but I doubt it, I suspect the rebase added an error message? Nothing in how the MCD works here changed recently.
55f179d to e88bf8d
Yeah, I think that makes sense. Actually, given that we mount the whole rootfs and chroot, we're not really making use of the other mountpoints defined in the daemonset either. We should probably document that. Related: #6
Because we `chroot()` we need to ensure that we can still see the service account tokens injected into our pod. Closes: openshift#358
e88bf8d to 2cef241
OK, figured it out I think - we needed
/lgtm
🎊
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: ashcrow, cgwalters, jlebon. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/lgtm
Confirm fixes: #358
/retest