From 387b59974f1c12f0a34fb08791df3fb7338f4d5d Mon Sep 17 00:00:00 2001 From: Stephen Kitt Date: Fri, 13 Oct 2023 13:54:54 +0200 Subject: [PATCH] Mount host path directories instead of sockets MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit So far we’ve tried to mount individual host files which are needed in the containers, to limit the exposure. However this doesn’t work well for sockets: because the consuming end can’t create them, they need to be mounted as files, and because Kubernetes (or CRI) doesn’t support “opportunistic” mounts, their type can’t be specified; as a result, if the container starts before the process which opens the socket, the mount ends up being created as a directory, and the process trying to open the socket then fails. There are two potential fixes for this: * if the operator could determine conclusively which socket mounts are required for a container, it could define only the necessary mounts, and have the container block waiting for them to be available; * as done in ovnkubernetes, the containers can mount the containing directories. The first approach seems preferable but creates a strong dependency on specific behaviours from the cluster environment (specific paths used by specific versions of OpenShift components in specific scenarios). The second isn’t great from a security perspective but seems like the best compromise. /var/run is a symlink to /run; this also changes the various paths to use canonical paths and merges the duplicates. Signed-off-by: Stephen Kitt --- .../submariner/route_agent_resources.go | 24 ++++++++----------- 1 file changed, 10 insertions(+), 14 deletions(-) diff --git a/controllers/submariner/route_agent_resources.go b/controllers/submariner/route_agent_resources.go index 809428fc8..0923eb6db 100644 --- a/controllers/submariner/route_agent_resources.go +++ b/controllers/submariner/route_agent_resources.go @@ -73,23 +73,21 @@ func newRouteAgentDaemonSet(cr *v1alpha1.Submariner, name string) *appsv1.Daemon Spec: corev1.PodSpec{ TerminationGracePeriodSeconds: ptr.To(int64(1)), Volumes: []corev1.Volume{ - // We need to share /run/xtables.lock with the host for iptables + // Share /run/xtables.lock with the host for iptables {Name: "host-run-xtables-lock", VolumeSource: corev1.VolumeSource{HostPath: &corev1.HostPathVolumeSource{ Path: "/run/xtables.lock", Type: ptr.To(corev1.HostPathFileOrCreate), }}}, - // We need to share /run/openvswitch/db.sock with the host for OVS - {Name: "host-run-openvswitch-db-sock", VolumeSource: corev1.VolumeSource{HostPath: &corev1.HostPathVolumeSource{ - Path: "/run/openvswitch/db.sock", + // Share /run/openvswitch/db.sock and /run/openvswitch/ovnnb_db.sock with the host for OVS/OVN + {Name: "host-run-openvswitch", VolumeSource: corev1.VolumeSource{HostPath: &corev1.HostPathVolumeSource{ + Path: "/run/openvswitch", Type: ptr.To(corev1.HostPathDirectoryOrCreate), }}}, + // Share /sys with the host for OVS/OVN {Name: "host-sys", VolumeSource: corev1.VolumeSource{HostPath: &corev1.HostPathVolumeSource{ Path: "/sys", }}}, - {Name: "host-var-run-openvswitch-nbdb-sock", VolumeSource: corev1.VolumeSource{HostPath: &corev1.HostPathVolumeSource{ - Path: "/var/run/openvswitch/ovnnb_db.sock", - }}}, - // Path used by Openshift - {Name: "host-var-run-ovn-ic-nbdb-sock", VolumeSource: corev1.VolumeSource{HostPath: &corev1.HostPathVolumeSource{ - Path: "/var/run/ovn-ic/ovnnb_db.sock", + // Share /run/ovn-ic with the host for OVN (this is a transitional path used by OpenShift for upgrades) + {Name: "host-run-ovn-ic", VolumeSource: corev1.VolumeSource{HostPath: &corev1.HostPathVolumeSource{ + Path: "/run/ovn-ic", Type: ptr.To(corev1.HostPathDirectoryOrCreate), }}}, }, // The route agent needs to wait for the node to be ready before starting, @@ -127,10 +125,8 @@ func newRouteAgentDaemonSet(cr *v1alpha1.Submariner, name string) *appsv1.Daemon VolumeMounts: []corev1.VolumeMount{ {Name: "host-sys", MountPath: "/sys", ReadOnly: true}, {Name: "host-run-xtables-lock", MountPath: "/run/xtables.lock"}, - {Name: "host-run-openvswitch-db-sock", MountPath: "/run/openvswitch/db.sock"}, - {Name: "host-var-run-openvswitch-nbdb-sock", MountPath: "/var/run/openvswitch/ovnnb_db.sock"}, - // Path used by Openshift - {Name: "host-var-run-ovn-ic-nbdb-sock", MountPath: "/var/run/ovn-ic/ovnnb_db.sock"}, + {Name: "host-run-openvswitch", MountPath: "/run/openvswitch"}, + {Name: "host-run-ovn-ic", MountPath: "/run/ovn-ic"}, }, Env: []corev1.EnvVar{ {Name: "SUBMARINER_NAMESPACE", Value: cr.Spec.Namespace},