Merge pull request #10547 from justinsb/cos_var_lib_kubelet

COS/GCE: exec on kubelet/flexvolume dirs
2021-01-10 08:23:17 -08:00 · 2021-01-10 08:23:17 -08:00 · 4ee8936d63
parent ac082bd091 e9f6623a80
commit 4ee8936d63
3 changed files with 31 additions and 4 deletions
--- a/nodeup/pkg/model/directories.go
+++ b/nodeup/pkg/model/directories.go
@ -52,6 +52,33 @@ func (b *DirectoryBuilder) Build(c *fi.ModelBuilderContext) error {
 	// We try to put things into /opt/kops
 	// On some OSes though, /opt/ is not writeable, and we can't even create the mountpoint
 	if b.Distribution == distributions.DistributionContainerOS {
+		// Ensure /var/lib/kubelet has suitable permissions (it's used for emptyDirs, in particular)
+		c.EnsureTask(&nodetasks.File{
+			Path: "/var/lib/kubelet",
+			Type: nodetasks.FileType_Directory,
+			Mode: s("0755"),
+		})
+
+		c.AddTask(&nodetasks.BindMount{
+			Source:     "/var/lib/kubelet",
+			Mountpoint: "/var/lib/kubelet",
+			Options:    []string{"exec", "suid", "dev"},
+		})
+
+		// Need exec permissions on /home/kubernetes/flexvolume, used for flexvolume drivers
+		c.EnsureTask(&nodetasks.File{
+			Path: "/home/kubernetes/flexvolume",
+			Type: nodetasks.FileType_Directory,
+			Mode: s("0755"),
+		})
+
+		c.AddTask(&nodetasks.BindMount{
+			Source:     "/home/kubernetes/flexvolume",
+			Mountpoint: "/home/kubernetes/flexvolume",
+			Options:    []string{"exec", "nosuid", "nodev"},
+		})
+
+		// Create /opt
 		src := "/mnt/stateful_partition/opt/"

 		c.AddTask(&nodetasks.File{
@ -60,7 +87,7 @@ func (b *DirectoryBuilder) Build(c *fi.ModelBuilderContext) error {
 			Mode: s("0755"),
 		})

-		// Rebuild things we are masking
+		// Rebuild things we are masking by mounting /opt on top
 		c.AddTask(&nodetasks.File{
 			Path: filepath.Join(src, "google"),
 			Type: nodetasks.FileType_Directory,
--- a/nodeup/pkg/model/kubelet.go
+++ b/nodeup/pkg/model/kubelet.go
@ -109,8 +109,8 @@ func (b *KubeletBuilder) Build(c *fi.ModelBuilderContext) error {
 	}
 	{
 		// We always create the directory, avoids circular dependency on a bind-mount
-		c.AddTask(&nodetasks.File{
-			Path: filepath.Dir(b.KubeletKubeConfig()),
+		c.EnsureTask(&nodetasks.File{
+			Path: filepath.Dir(b.KubeletKubeConfig()), // e.g. "/var/lib/kubelet"
 			Type: nodetasks.FileType_Directory,
 			Mode: s("0755"),
 		})
--- a/upup/pkg/fi/nodeup/nodetasks/bindmount.go
+++ b/upup/pkg/fi/nodeup/nodetasks/bindmount.go
@ -201,7 +201,7 @@ func (e *BindMount) execute(t Executor) error {
 		case "rshared":
 			makeOptions = append(makeOptions, "--make-rshared")

-		case "exec", "noexec", "nosuid", "nodev":
+		case "exec", "noexec", "suid", "nosuid", "dev", "nodev":
 			remountOptions = append(remountOptions, option)

 		default: