New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
pod crashes if /run/secrets is used as a mount target #65835
Comments
/var/run/secrets/kubernetes.io/serviceaccount
without setting readOnly: true
/sig node |
/sig storage |
confirm with:
|
Same thing happens on 1.11 using minikube. In the dashboard I get the following error.
|
Same error on 1.11.1
|
This is my configuration apiVersion: v1
kind: Secret
metadata:
name: test-secret
data:
test: TS1oeUtKYkNrQWdZYlBZSGlnWF9kcWRNZUFiME9IdWlxN0xQTjFHWG9oUQo=
type: Opaque
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: test
spec:
selector:
matchLabels:
app: test-nginx
replicas: 1
template:
metadata:
labels:
app: test-nginx
spec:
containers:
- name: nginx
image: nginx
imagePullPolicy: Always
volumeMounts:
- name: secret-volume
mountPath: "/run/secrets"
readOnly: true
volumes:
- name: secret-volume
secret:
secretName: test-secret
items:
- key: test
path: test |
I think I found the reason for the crash. Since 1.9.4 secrets and configMaps will be mounted as read-only volumes. Since kubernetes needs to place its own secrets in I have been unable to find a workaround since |
Ok I have found a workaround using "subPath" apiVersion: v1
kind: Secret
metadata:
name: test-secret
data:
test: TS1oeUtKYkNrQWdZYlBZSGlnWF9kcWRNZUFiME9IdWlxN0xQTjFHWG9oUQo=
type: Opaque
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: test
spec:
selector:
matchLabels:
app: test-nginx
replicas: 1
template:
metadata:
labels:
app: test-nginx
spec:
containers:
- name: nginx
image: nginx
imagePullPolicy: Always
volumeMounts:
- name: secret-volume
mountPath: "/run/secrets/test"
subPath: test
volumes:
- name: secret-volume
secret:
secretName: test-secret
items:
- key: test
path: "test" |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
This feels like a fairly critical bug to me, but we obviously made a workaround in our setup using a similar technique to what @AntonFriberg describes above. Still feels like this should at least be documented somewhere, since it breaks with the "docker standard" of placing things in |
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
Is there any timeline for fixing this? |
/remove-lifecycle rotten |
@AntonFriberg would this "solution" work, if the secret had multiple keys? Update: Nevermind, works this way:
|
@gunzl1ng3r using subpath as you did worked for me. cheers (Y) |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
/remove-lifecycle rotten |
Any progress on this? |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
/remove-lifecycle stale Still seeing this issue. |
Still happens.
|
So that means that docker secrets path is not compatible with kubernetes secrets path, doesnt it? Is it there a way to change at least docker secrets path so they can be the same? |
As noted in #65835 (comment), secrets are mounted as readonly. A mount location must be selected that will not cause problems if it is readonly, or subPath mounts can be used to inject particular files from a secret into an otherwise writeable directory /close |
@liggitt: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Kubernetes does not automatically mount a secret to the /var/run/secrets directory, the issue occurs when a deployment attempts to mount a single secret directly to |
/kind bug
What happened:
After upgrading from 1.9.0 to 1.10.2 / 1.10.5 (tried both), we started to get multiple containers in crash loop. This turned out to be caused by the fact that we usually map Kubernetes secrets to the container path
/run/secrets
and use company-internal libraries to populate application config from these secrets. I don't know what the change is from 1.9.0 to 1.10.x (the order of which the mounts are happening maybe?)What you expected to happen:
The pod should start
How to reproduce it (as minimally and precisely as possible):
create a Secret, mount it into
/run/secrets
on a podEnvironment:
kubectl version
): v1.10.2uname -a
): 4.4.0-1057-awslog output from
kubectl logs
:The text was updated successfully, but these errors were encountered: