Details
Bug
Resolution: Not a Bug
Normal
None
4.12.z
Moderate
No
Rejected
False
4/18: telco reviewed
Description
Description of problem:
The subPath volume permission is not correctly set for a CephFS volume
Version-Release number of selected component (if applicable):
OCP 4.12 ODF 4.12
How reproducible:
50%-90%
Steps to Reproduce:
1. oc adm policy add-scc-to-user privileged -z default
2. Create the Pod and the CephFS CSI PVC

    $ cat /tmp/test-pv.yaml
    apiVersion: v1
    kind: Pod
    metadata:
      name: rhel7
      labels:
        app: rhel7
    spec:
      containers:
      - name: myapp-container
        image: registry.access.redhat.com/ubi7/ubi
        command: ['sh', '-c', 'mkdir /etc/healing-controller.d -p && echo The app is running! && sleep 3600']
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          seLinuxOptions:
            level: s0
        volumeMounts:
        - mountPath: /etc/healing-controller.d/record
          name: local-disks
          subPath: record
        - mountPath: /etc/healing-controller.d/critical-containers-logs
          name: local-disks
          subPath: critical-containers-logs
      volumes:
      - name: local-disks
        persistentVolumeClaim:
          claimName: local-pvc-name
      securityContext:
        fsGroup: 9999
        runAsGroup: 9999
        runAsUser: 9999
    ---
    apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      name: local-pvc-name
      namespace: test-pv
    spec:
      accessModes:
      - ReadWriteOnce
      resources:
        requests:
          storage: 1Gi
      storageClassName: ocs-storagecluster-cephfs
      volumeMode: Filesystem

3. Log in to the Pod and check /etc/healing-controller.d/* permissions

    sh-4.2$ ls -l /etc/healing-controller.d/
Actual results:
    sh-4.2$ ls -l /etc/healing-controller.d/
    total 0
    drwxrwsr-x. 2 root 9999 0 Mar 30 01:49 critical-containers-logs
    drwxrwsr-x. 2 root root 0 Mar 30 01:49 record
Expected results:
    sh-4.2$ ls -l /etc/healing-controller.d/
    total 0
    drwxrwsr-x. 2 root 9999 0 Mar 30 01:47 critical-containers-logs
    drwxrwsr-x. 2 root 9999 0 Mar 30 01:47 record
Additional info:
Deleting the Pod (not the PVC) and recreating the Pod makes the permission correct.