New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Windows Pod with RunAsUserName and a Projected Volume does not honor file permissions in the volume #102849
Comments
/sig windows |
/assign |
/triage accepted |
/retitle Windows Pod with RunAsUserName and a Projected Volume does not honor file permissions in the volume |
/milestone v1.22 |
Please follow sig-windows slack thread for current state. |
Currently investigating what is the current state of owner ship across users in different pods and containers. Created a simple ping container image with two users: FROM mcr.microsoft.com/windows/servercore:ltsc2019
RUN net user TestUser1 /add
RUN net user TestUser2 /add
CMD ["ping", "-t", "localhost"] Created the following pod: apiVersion: v1
kind: Pod
metadata:
name: win-ping
spec:
tolerations:
- key: "os"
value: "Windows"
Effect: "NoSchedule"
containers:
- name: ping1
image: quay.io/aravindh/win-ping
imagePullPolicy: Always
securityContext:
windowsOptions:
runAsUserName: TestUser1
volumeMounts:
- name: for-ping1
mountPath: /projected-volume
- name: c-volume
mountPath: /from-host
- name: ping2
image: quay.io/aravindh/win-ping
imagePullPolicy: Always
securityContext:
windowsOptions:
runAsUserName: TestUser2
volumeMounts:
- name: for-ping2
mountPath: /projected-volume
- name: c-volume
mountPath: /from-host
nodeSelector:
kubernetes.io/os: windows
volumes:
- name: for-ping1
projected:
sources:
- secret:
name: user
- name: for-ping2
projected:
sources:
- secret:
name: pass
- name: c-volume
hostPath:
path: / I then execed into container ping1: kubectl exec win-ping -it powershell.exe -c ping1 and ran the following: PS C:\> whoami
win-ping\testuser1
PS C:\> cat C:\from-host\var\lib\kubelet\pods\d10783ef-919d-46bf-ab38-2b951f063632\volumes\kubernetes.io~projected\for-ping2\password.txt
1f2d1e2e67df So |
I repeated the experiment with two pods running on the same host: apiVersion: v1
kind: Pod
metadata:
name: win-ping1
spec:
tolerations:
- key: "os"
value: "Windows"
Effect: "NoSchedule"
containers:
- name: ping1
image: quay.io/aravindh/win-ping
imagePullPolicy: Always
securityContext:
windowsOptions:
runAsUserName: TestUser1
volumeMounts:
- name: for-ping1
mountPath: /projected-volume
- name: c-volume
mountPath: /from-host
nodeSelector:
kubernetes.io/os: windows
volumes:
- name: for-ping1
projected:
sources:
- secret:
name: user
- name: c-volume
hostPath:
path: /
---
apiVersion: v1
kind: Pod
metadata:
name: win-ping2
spec:
tolerations:
- key: "os"
value: "Windows"
Effect: "NoSchedule"
containers:
- name: ping2
image: quay.io/aravindh/win-ping
imagePullPolicy: Always
securityContext:
windowsOptions:
runAsUserName: TestUser2
volumeMounts:
- name: for-ping2
mountPath: /projected-volume
- name: c-volume
mountPath: /from-host
nodeSelector:
kubernetes.io/os: windows
volumes:
- name: for-ping2
projected:
sources:
- secret:
name: pass
- name: c-volume
hostPath:
path: / I then execed into win-ping1 pod: kubectl exec win-ping1 -it powershell.exe and ran the following: PS C:\> whoami
win-ping1\testuser1
PS C:\> cat C:\from-host\var\lib\kubelet\pods\b701defa-6138-4375-a6ec-f0c155973348\volumes\kubernetes.io~projected\for-ping2\password.txt
1f2d1e2e67df Again, |
Hey there (@immuzz, @jsturtevant, @aravindhp), Bug-Triage here 👋 , |
@voigt - We'll move it to 1.23 thanks! |
/milestone v1.23 |
/milestone v1.25 |
Hi @aravindhp . My name is Marky Jackson and I am one of the k8s 1.25 bug triage shadow assigned to track this body of work. It looks like all PR’s have been merged. Just checking in to see if this is still on track for k8s 1.25? |
We don't have a clear long-term solution to issue. There has been some discussions to fix this at the OS layer but there are no timelines. |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
/remove-lifecycle stale |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
/lifecycle frozen This is a valid issue but requires OS level changes (which have been discussed in the past) to address. |
This issue is labeled with You can:
For more details on the triage process, see https://www.kubernetes.dev/docs/guide/issue-triage/ /remove-triage accepted |
Any Updates? Is this issue fixed? Facing a similar issue where the consul agent daemon set supposed to run on every node is failing on the Windows 2022 node since the security context is having |
No updates. It requires a significant change in the way the Windows Containers handles permissions and is under consideration but isn't something that we will be address in the short term.
You can checkout the PodOS field as this was designed to help with different fields that aren't relevant to the OS. Running the same DaemonSet configuration across nodes is something that sounds good as it reduces duplication but in practice we've found that it's best to have two separate DS specific for Windows or Linux since the configuration usually ends up being significantly different. |
What happened:
When a Windows Pod is created with a Projected Volume and
RunAsUserName
set, file permissions are not handled in the projected volume. In addition if a Windows Pod is created with a Projected Volume andRunAsUser
set,the Pod will be stuck at
ContainerCreating
:What you expected to happen:
The Pod should go to
Running
with the project volume files having the correct container user ownership.How to reproduce it (as minimally and precisely as possible):
Create a Windows Pod with a Projected Volume and
runAsUserName
set (optionally with runAsUser to cause the stuck atContainerCreating
issue).Anything else we need to know?:
The KEP, proposal for file permission handling in projected service account volume and its implementation did not take Windows in to account. An os.Chown() was introduced which is not supported on Windows. In addition
RunAsUserName
being set on Windows Pods was not taken into account.Environment:
kubectl version
): 1.21.1The text was updated successfully, but these errors were encountered: