mirror of
https://github.com/kubernetes/kubernetes.git
synced 2026-03-11 02:50:55 -04:00
d2495b8329
Automatic merge from submit-queue (batch tested with PRs 63348, 63839, 63143, 64447, 64567). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Containerized subpath **What this PR does / why we need it**: Containerized kubelet needs a different implementation of `PrepareSafeSubpath` than kubelet running directly on the host. On the host we safely open the subpath and then bind-mount `/proc/<pidof kubelet>/fd/<descriptor of opened subpath>`. With kubelet running in a container, `/proc/xxx/fd/yy` on the host contains path that works only inside the container, i.e. `/rootfs/path/to/subpath` and thus any bind-mount on the host fails. Solution: - safely open the subpath and gets its device ID and inode number - blindly bind-mount the subpath to `/var/lib/kubelet/pods/<uid>/volume-subpaths/<name of container>/<id of mount>`. This is potentially unsafe, because user can change the subpath source to a link to a bad place (say `/run/docker.sock`) just before the bind-mount. - get device ID and inode number of the destination. Typical users can't modify this file, as it lies on /var/lib/kubelet on the host. - compare these device IDs and inode numbers. **Which issue(s) this PR fixes** Fixes #61456 **Special notes for your reviewer**: The PR contains some refactoring of `doBindSubPath` to extract the common code. New `doNsEnterBindSubPath` is added for the nsenter related parts. **Release note**: ```release-note NONE ``` |
||
|---|---|---|
| .. | ||
| clicheck | ||
| cloud-controller-manager | ||
| controller-manager | ||
| gendocs | ||
| genkubedocs | ||
| genman | ||
| genswaggertypedocs | ||
| genutils | ||
| genyaml | ||
| hyperkube | ||
| importverifier | ||
| kube-apiserver | ||
| kube-controller-manager | ||
| kube-proxy | ||
| kube-scheduler | ||
| kubeadm | ||
| kubectl | ||
| kubelet | ||
| kubemark | ||
| linkcheck | ||
| BUILD | ||
| OWNERS | ||