Automatic merge from submit-queue (batch tested with PRs 63348, 63839, 63143, 64447, 64567). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Containerized subpath

**What this PR does / why we need it**:
Containerized kubelet needs a different implementation of `PrepareSafeSubpath` than kubelet running directly on the host. On the host we safely open the subpath and then bind-mount `/proc/<pidof kubelet>/fd/<descriptor of opened subpath>`. With kubelet running in a container, `/proc/xxx/fd/yy` on the host contains a path that works only inside the container, i.e. `/rootfs/path/to/subpath`, and thus any bind-mount on the host fails.

Solution:
- safely open the subpath and get its device ID and inode number
- blindly bind-mount the subpath to `/var/lib/kubelet/pods/<uid>/volume-subpaths/<name of container>/<id of mount>`. This is potentially unsafe, because a user can change the subpath source to a link to a bad place (say `/run/docker.sock`) just before the bind-mount.
- get the device ID and inode number of the destination. Typical users can't modify this file, as it lies on /var/lib/kubelet on the host.
- compare these device IDs and inode numbers.

**Which issue(s) this PR fixes**
Fixes #61456

**Special notes for your reviewer**:
The PR contains some refactoring of `doBindSubPath` to extract the common code. New `doNsEnterBindSubPath` is added for the nsenter related parts.

**Release note**:
```release-note
NONE
```