fcos: Mount /:/rootfs:ro to Kubelet

Kubelet fails to handle SELinux labelling of Cinder PV without
presenting the rootfs to Kubelet, and as a result an unprivileged
container lacks the ability to access the path.

With this patch, Kubelet handles the correct labelling automatically
when a Cinder PV is attached to a pod.

The default behaviour using system containers in Fedora Atomic is to
mount rootfs [1] but we did not implement the same behaviour in Fedora
CoreOS which was a mistake as this was a missing piece of code.

[1] https://github.com/openstack/magnum/blob/master/dockerfiles/kubernetes-kubelet/config.json.template#L335

Story: 2007413
Task: 39129

Change-Id: Id59c604928244bf49773b7519fa756d5b2814b69
(cherry picked from commit 1994e9448a)
Bharat Kunwar 2020-03-28 09:13:57 +00:00
parent e9d56fd85d
commit 0feb2b1851
2 changed files with 2 additions and 0 deletions


@ -187,6 +187,7 @@ ExecStart=/bin/bash -c '/usr/bin/podman run --name kubelet \\
--pid host \\
--network host \\
--entrypoint /hyperkube \\
--volume /:/rootfs:ro \\
--volume /etc/cni/net.d:/etc/cni/net.d:ro,z \\
--volume /etc/kubernetes:/etc/kubernetes:ro,z \\
--volume /usr/lib/os-release:/usr/lib/os-release:ro \\
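Review bot: the new `--volume /:/rootfs:ro \\` line carries no mount-propagation option, so host mounts created after the kubelet container has started (for example a Cinder volume attached to the node and mounted under the kubelet's own directory) may not become visible under /rootfs inside the container; check whether the Fedora Atomic template referenced as [1] passes a propagation flag for this volume and, if it does, mirror it here as `--volume /:/rootfs:ro,rslave \\`. Leaving off `z`/`Z` is correct for this mount: relabelling the host root filesystem would be destructive, and `ro` already keeps the container from writing through it.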


@ -81,6 +81,7 @@ ExecStart=/bin/bash -c '/usr/bin/podman run --name kubelet \\
--pid host \\
--network host \\
--entrypoint /hyperkube \\
--volume /:/rootfs:ro \\
--volume /etc/cni/net.d:/etc/cni/net.d:ro,z \\
--volume /etc/kubernetes:/etc/kubernetes:ro,z \\
--volume /usr/lib/os-release:/usr/lib/os-release:ro \\
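Review bot: this is the same `--volume /:/rootfs:ro \\` addition as in the first file, so the two podman invocations now have to stay in lockstep, and a later change to the mount options in one template is easy to miss in the other; a comment next to the line in each file pointing at its twin would help. One caveat worth recording in the template as well: a bind mount of `/` marked `ro` makes only the top-level mount read-only on kernels without recursive read-only bind-mount support, so separately mounted host filesystems (a dedicated /var, /boot or /home) can remain writable through /rootfs. Given that the container already runs with `--pid host` and `--network host` this does not lower its trust level, but the assumption that `ro` here is not recursive should be stated rather than implied.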