Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Ensure that the runtime mounts RO volumes read-only #58720

Merged
merged 1 commit into from
Feb 2, 2018

Conversation

joelsmith
Copy link
Contributor

@joelsmith joelsmith commented Jan 23, 2018

What this PR does / why we need it:

This change is part of the fix to address CVE-2017-1002102 (#60814).

This change makes it so that containers cannot write to secret, configMap, downwardAPI and projected volumes since the runtime will now mount them read-only. This change makes things less confusing for a user since any attempt to update a secret volume will result in an error rather than a successful change followed by a revert by the kubelet when the volume next syncs.

It also adds a feature gate ReadOnlyAPIDataVolumes to a provide a way to disable the new behavior in 1.10, but for 1.11, the new behavior will become non-optional.

Also, E2E tests for downwardAPI and projected volumes are updated to mount the volumes somewhere other than /etc.

Which issue(s) this PR fixes
Fixes #58719

Fixes #60814 for master / 1.10

Release note:

Changes secret, configMap, downwardAPI and projected volumes to mount read-only, instead of allowing applications to write data and then reverting it automatically. Until version 1.11, setting the feature gate ReadOnlyAPIDataVolumes=false will preserve the old behavior.

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Jan 23, 2018
@k8s-ci-robot k8s-ci-robot requested review from dims and yujuhong January 23, 2018 23:24
@joelsmith
Copy link
Contributor Author

/unassign @dims
/unassign @yujuhong
/assign @jsafrane
/assign @derekwaynecarr
/kind bug
/sig storage
/sig node

@k8s-ci-robot k8s-ci-robot added kind/bug Categorizes issue or PR as related to a bug. sig/storage Categorizes an issue or PR as relevant to SIG Storage. sig/node Categorizes an issue or PR as relevant to SIG Node. labels Jan 23, 2018
@derekwaynecarr
Copy link
Member

/approve

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 24, 2018
@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Jan 24, 2018
@joelsmith
Copy link
Contributor Author

/retest

@jsafrane
Copy link
Member

I am afraid this is behavior change. Volumes that were not read-only are read-only now. As you can see in e2e test updates, it can break existing applications.

IMO it is the right way to go, however I am not sure a small release note is enough.

@saad-ali, what do you think?

@joelsmith
Copy link
Contributor Author

/retest

@joelsmith
Copy link
Contributor Author

Due to the issues raised by @jsafrane we should probably hold this PR until we get a 👍 from @smarterclayton and/or @saad-ali .

/hold

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 25, 2018
@liggitt
Copy link
Member

liggitt commented Jan 25, 2018

I am afraid this is behavior change. Volumes that were not read-only are read-only now. As you can see in e2e test updates, it can break existing applications.

IMO it is the right way to go, however I am not sure a small release note is enough.

Applications that relied on persisting data in these locations were already broken, since the volume sync would remove that data at a later point in time. A release note seems sufficient to me (updated the release note with additional context)

@liggitt
Copy link
Member

liggitt commented Jan 25, 2018

/retest

@joelsmith
Copy link
Contributor Author

The pull-kubernetes-e2e-gke is not marked "Required" and seems to be failing for everyone right now.

ichtar pushed a commit to Bestmile/charts that referenced this pull request May 15, 2018
* Update statefulset.yaml

ConfigMaps are read-only since Kubernetes 1.9.4 (kubernetes/kubernetes#58720). The rabbitmq-ha Chart uses a ConfigMap to provision /etc/rabbitmq. The official RabbitMQ docker image modifies these files in its docker-entrypoint.sh. This PR adds an initContainer to the StatefulSet to copy the configs from the ConfigMap to a new emptyDir volume.

* Update Chart.yaml

Bump version

* Update statefulset.yaml
ichtar pushed a commit to Bestmile/charts that referenced this pull request May 15, 2018
…refactor (helm#4281)

* Rename manifests to align with best practices

* Refactor minio chart

- add ingress resource
- consolidate svc resource to support all deployment modes
- update labels and selectors to align with helm best practices
- general cleanup to align with helm best practices/patterns observed in `helm create`
- update values, README and _helpers accordingly
- bump image tag
- bump chart version

* Fix issue caused by ConfigMaps now being mounted ReadOnly

Tested on:
k8s 1.8.10 and 1.9.6

Related:
kubernetes/kubernetes#58720

Fixes:
helm#4272

* Bump chart version to 1.0.0
ichtar pushed a commit to Bestmile/charts that referenced this pull request May 15, 2018
…figMap to an EmptyDir (helm#4271)

* Update deployment.yaml

ConfigMaps are mounted read-only since Kubernetes 1.9.4 (kubernetes/kubernetes#58720). The Grafana Chart uses a ConfigMap to provision the config- and dashboard directories. Grafana tries to create/modify files in these directories, which is not allowed anymore. This PR adds an busybox initContainer to the Deployment that copies the files from the ConfigMap to a new emptyDir, similar to helm#4169. Fixes helm#4267.

* bump Chart version
theinrichs pushed a commit to theinrichs/gitlab that referenced this pull request May 25, 2018
See kubernetes/kubernetes#58720
The chown breaks the gitlab startup in k8s 1.9 and is not necessary.
theinrichs pushed a commit to inovex/gitlab that referenced this pull request May 25, 2018
See kubernetes/kubernetes#58720
The chown breaks the gitlab startup in k8s 1.9 and is not necessary.
@jstriebel jstriebel mentioned this pull request Jul 19, 2018
@ludwikbukowski
Copy link

How can I create executable files with configMap now?

voron pushed a commit to dysnix/helm-charts that referenced this pull request Sep 5, 2018
* Update statefulset.yaml

ConfigMaps are read-only since Kubernetes 1.9.4 (kubernetes/kubernetes#58720). The rabbitmq-ha Chart uses a ConfigMap to provision /etc/rabbitmq. The official RabbitMQ docker image modifies these files in its docker-entrypoint.sh. This PR adds an initContainer to the StatefulSet to copy the configs from the ConfigMap to a new emptyDir volume.

* Update Chart.yaml

Bump version

* Update statefulset.yaml

Signed-off-by: voron <[email protected]>
voron pushed a commit to dysnix/helm-charts that referenced this pull request Sep 5, 2018
…refactor (helm#4281)

* Rename manifests to align with best practices

* Refactor minio chart

- add ingress resource
- consolidate svc resource to support all deployment modes
- update labels and selectors to align with helm best practices
- general cleanup to align with helm best practices/patterns observed in `helm create`
- update values, README and _helpers accordingly
- bump image tag
- bump chart version

* Fix issue caused by ConfigMaps now being mounted ReadOnly

Tested on:
k8s 1.8.10 and 1.9.6

Related:
kubernetes/kubernetes#58720

Fixes:
helm#4272

* Bump chart version to 1.0.0

Signed-off-by: voron <[email protected]>
voron pushed a commit to dysnix/helm-charts that referenced this pull request Sep 5, 2018
…figMap to an EmptyDir (helm#4271)

* Update deployment.yaml

ConfigMaps are mounted read-only since Kubernetes 1.9.4 (kubernetes/kubernetes#58720). The Grafana Chart uses a ConfigMap to provision the config- and dashboard directories. Grafana tries to create/modify files in these directories, which is not allowed anymore. This PR adds an busybox initContainer to the Deployment that copies the files from the ConfigMap to a new emptyDir, similar to helm#4169. Fixes helm#4267.

* bump Chart version

Signed-off-by: voron <[email protected]>
manics pushed a commit to ome/minio-helm-chart that referenced this pull request Oct 8, 2018
…refactor (#4281)

* Rename manifests to align with best practices

* Refactor minio chart

- add ingress resource
- consolidate svc resource to support all deployment modes
- update labels and selectors to align with helm best practices
- general cleanup to align with helm best practices/patterns observed in `helm create`
- update values, README and _helpers accordingly
- bump image tag
- bump chart version

* Fix issue caused by ConfigMaps now being mounted ReadOnly

Tested on:
k8s 1.8.10 and 1.9.6

Related:
kubernetes/kubernetes#58720

Fixes:
helm/charts#4272

* Bump chart version to 1.0.0
gochist pushed a commit to gochist/charts that referenced this pull request Mar 27, 2019
* Update statefulset.yaml

ConfigMaps are read-only since Kubernetes 1.9.4 (kubernetes/kubernetes#58720). The rabbitmq-ha Chart uses a ConfigMap to provision /etc/rabbitmq. The official RabbitMQ docker image modifies these files in its docker-entrypoint.sh. This PR adds an initContainer to the StatefulSet to copy the configs from the ConfigMap to a new emptyDir volume.

* Update Chart.yaml

Bump version

* Update statefulset.yaml
endrec pushed a commit to Rungway/charts-we-use that referenced this pull request Aug 14, 2020
…figMap to an EmptyDir (#4271)

* Update deployment.yaml

ConfigMaps are mounted read-only since Kubernetes 1.9.4 (kubernetes/kubernetes#58720). The Grafana Chart uses a ConfigMap to provision the config- and dashboard directories. Grafana tries to create/modify files in these directories, which is not allowed anymore. This PR adds an busybox initContainer to the Deployment that copies the files from the ConfigMap to a new emptyDir, similar to #4169. Fixes #4267.

* bump Chart version
endrec pushed a commit to Rungway/charts-we-use that referenced this pull request Aug 14, 2020
* Update statefulset.yaml

ConfigMaps are read-only since Kubernetes 1.9.4 (kubernetes/kubernetes#58720). The rabbitmq-ha Chart uses a ConfigMap to provision /etc/rabbitmq. The official RabbitMQ docker image modifies these files in its docker-entrypoint.sh. This PR adds an initContainer to the StatefulSet to copy the configs from the ConfigMap to a new emptyDir volume.

* Update Chart.yaml

Bump version

* Update statefulset.yaml
torstenwalter pushed a commit to grafana/helm-charts that referenced this pull request Sep 4, 2020
…figMap to an EmptyDir (#4271)

* Update deployment.yaml

ConfigMaps are mounted read-only since Kubernetes 1.9.4 (kubernetes/kubernetes#58720). The Grafana Chart uses a ConfigMap to provision the config- and dashboard directories. Grafana tries to create/modify files in these directories, which is not allowed anymore. This PR adds an busybox initContainer to the Deployment that copies the files from the ConfigMap to a new emptyDir, similar to #4169. Fixes #4267.

* bump Chart version
torstenwalter pushed a commit to grafana/helm-charts that referenced this pull request Sep 4, 2020
…figMap to an EmptyDir (#4271)

* Update deployment.yaml

ConfigMaps are mounted read-only since Kubernetes 1.9.4 (kubernetes/kubernetes#58720). The Grafana Chart uses a ConfigMap to provision the config- and dashboard directories. Grafana tries to create/modify files in these directories, which is not allowed anymore. This PR adds an busybox initContainer to the Deployment that copies the files from the ConfigMap to a new emptyDir, similar to #4169. Fixes #4267.

* bump Chart version
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/security cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/node Categorizes an issue or PR as relevant to SIG Node. sig/storage Categorizes an issue or PR as relevant to SIG Storage. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet