From e9f6623a80451226fd3738a0d1dc995e0a4c6d9a Mon Sep 17 00:00:00 2001
From: Justin Santa Barbara
Date: Sat, 9 Jan 2021 07:50:15 -0500
Subject: [PATCH] COS/GCE: exec on kubelet/flexvolume dirs

Upstream bind mounts /var/lib/kubelet with exec, dev and suid permissions, because emptyDirs end up inheriting these permissions. Similarly, /home/kubernetes/flexvolume needs exec permission to support flexdrivers.
---
 nodeup/pkg/model/directories.go | 29 ++++++++++++++++++++++++-
 nodeup/pkg/model/kubelet.go | 4 ++--
 upup/pkg/fi/nodeup/nodetasks/bindmount.go | 2 +-
 3 files changed, 31 insertions(+), 4 deletions(-)
diff --git a/nodeup/pkg/model/directories.go b/nodeup/pkg/model/directories.go
index 38c3afab66..a54f41f1ed 100644
--- a/nodeup/pkg/model/directories.go
+++ b/nodeup/pkg/model/directories.go
@@ -52,6 +52,33 @@ func (b *DirectoryBuilder) Build(c *fi.ModelBuilderContext) error {
 // We try to put things into /opt/kops
 // On some OSes though, /opt/ is not writeable, and we can't even create the mountpoint
 if b.Distribution == distributions.DistributionContainerOS {
+ // Ensure /var/lib/kubelet has suitable permissions (it's used for emptyDirs, in particular)
+ c.EnsureTask(&nodetasks.File{
+ Path: "/var/lib/kubelet",
+ Type: nodetasks.FileType_Directory,
+ Mode: s("0755"),
+ })
+
+ c.AddTask(&nodetasks.BindMount{
+ Source: "/var/lib/kubelet",
+ Mountpoint: "/var/lib/kubelet",
+ Options: []string{"exec", "suid", "dev"},
+ })
+
+ // Need exec permissions on /home/kubernetes/flexvolume, used for flexvolume drivers
+ c.EnsureTask(&nodetasks.File{
+ Path: "/home/kubernetes/flexvolume",
+ Type: nodetasks.FileType_Directory,
+ Mode: s("0755"),
+ })
+
+ c.AddTask(&nodetasks.BindMount{
+ Source: "/home/kubernetes/flexvolume",
+ Mountpoint: "/home/kubernetes/flexvolume",
+ Options: []string{"exec", "nosuid", "nodev"},
+ })
+
+ // Create /opt
 src := "/mnt/stateful_partition/opt/"
 c.AddTask(&nodetasks.File{
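Review bot: The comment above the /var/lib/kubelet BindMount does not say why `suid` and `dev` are switched on, and the grant is visibly wider than the flexvolume mount a few lines below (`"exec", "nosuid", "nodev"`): with `Options: []string{"exec", "suid", "dev"}` every pod-writable volume under /var/lib/kubelet, emptyDirs in particular, may hold setuid binaries and device nodes. Suggest replacing `// Ensure /var/lib/kubelet has suitable permissions (it's used for emptyDirs, in particular)` with `// Bind-mount /var/lib/kubelet with exec,suid,dev to match upstream COS; emptyDirs inherit these, so pod volumes may contain setuid binaries and device nodes`. It is also not visible from this hunk whether nodetasks.BindMount orders itself after the File task that creates the directory, nor whether a second nodeup run stacks another bind mount on the same path; if both are handled inside BindMount, a one-line comment saying so at the first `c.AddTask(&nodetasks.BindMount{` would save the next reader the lookup. Build starts before and continues past this hunk.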
@@ -60,7 +87,7 @@ func (b *DirectoryBuilder) Build(c *fi.ModelBuilderContext) error {
 Mode: s("0755"),
 })
 
- // Rebuild things we are masking
+ // Rebuild things we are masking by mounting /opt on top
 c.AddTask(&nodetasks.File{
 Path: filepath.Join(src, "google"),
 Type: nodetasks.FileType_Directory,
diff --git a/nodeup/pkg/model/kubelet.go b/nodeup/pkg/model/kubelet.go
index 71e5cc3625..d9680b5f24 100644
--- a/nodeup/pkg/model/kubelet.go
+++ b/nodeup/pkg/model/kubelet.go
@@ -109,8 +109,8 @@ func (b *KubeletBuilder) Build(c *fi.ModelBuilderContext) error {
 }
 {
 // We always create the directory, avoids circular dependency on a bind-mount
- c.AddTask(&nodetasks.File{
- Path: filepath.Dir(b.KubeletKubeConfig()),
+ c.EnsureTask(&nodetasks.File{
+ Path: filepath.Dir(b.KubeletKubeConfig()), // e.g. "/var/lib/kubelet"
 Type: nodetasks.FileType_Directory,
 Mode: s("0755"),
 })
diff --git a/upup/pkg/fi/nodeup/nodetasks/bindmount.go b/upup/pkg/fi/nodeup/nodetasks/bindmount.go
index 0eca8ce485..55889d8a55 100644
--- a/upup/pkg/fi/nodeup/nodetasks/bindmount.go
+++ b/upup/pkg/fi/nodeup/nodetasks/bindmount.go
@@ -201,7 +201,7 @@ func (e *BindMount) execute(t Executor) error {
 case "rshared":
 makeOptions = append(makeOptions, "--make-rshared")
 
- case "exec", "noexec", "nosuid", "nodev":
+ case "exec", "noexec", "suid", "nosuid", "dev", "nodev":
 remountOptions = append(remountOptions, option)
 default:
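Review bot: The switch to `c.EnsureTask(&nodetasks.File{` for the kubelet directory only works as intended while this declaration and the one DirectoryBuilder adds for /var/lib/kubelet on ContainerOS stay identical (both use `Mode: s("0755")`), and what EnsureTask does with a duplicate whose fields differ is not visible here. A comment tying the two together would make the coupling explicit, e.g. `// Also declared by DirectoryBuilder on ContainerOS (which bind-mounts it); keep Type and Mode identical so EnsureTask sees the same task`. The existing "avoids circular dependency on a bind-mount" comment now presumably refers to that BindMount, which is worth naming. Build starts before and continues past this hunk.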
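Review bot: The widened case `case "exec", "noexec", "suid", "nosuid", "dev", "nodev":` lets any BindMount caller turn setuid and device-node honouring on for the remounted path, yet nothing in this switch rejects a list that carries an option together with its negation (`suid` and `nosuid`, `dev` and `nodev`); both are appended to remountOptions and whichever mount(8) applies last wins silently. Suggest at least a comment on this case, `// passed straight to the remount; suid/dev widen what the mountpoint permits, so callers must opt in deliberately`, and, if the rest of execute does not already do it, an explicit error when a contradictory pair is present. execute starts before and continues past this hunk.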