kubernetes
/
kops
mirror of https://github.com/kubernetes/kops.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #10547 from justinsb/cos_var_lib_kubelet 

COS/GCE: exec on kubelet/flexvolume dirs
This commit is contained in:
Kubernetes Prow Robot 2021-01-10 08:23:17 -08:00 committed by GitHub
parent ac082bd091 e9f6623a80
commit 4ee8936d63
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 31 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
nodeup/pkg/model/directories.go
View File

@ -52,6 +52,33 @@ func (b *DirectoryBuilder) Build(c *fi.ModelBuilderContext) error {
// We try to put things into /opt/kops // We try to put things into /opt/kops
// On some OSes though, /opt/ is not writeable, and we can't even create the mountpoint // On some OSes though, /opt/ is not writeable, and we can't even create the mountpoint
if b.Distribution == distributions.DistributionContainerOS { if b.Distribution == distributions.DistributionContainerOS {
// Ensure /var/lib/kubelet has suitable permissions (it's used for emptyDirs, in particular)
c.EnsureTask(&nodetasks.File{
Path: "/var/lib/kubelet",
Type: nodetasks.FileType_Directory,
Mode: s("0755"),
})
c.AddTask(&nodetasks.BindMount{
Source: "/var/lib/kubelet",
Mountpoint: "/var/lib/kubelet",
Options: []string{"exec", "suid", "dev"},
})
// Need exec permissions on /home/kubernetes/flexvolume, used for flexvolume drivers
c.EnsureTask(&nodetasks.File{
Path: "/home/kubernetes/flexvolume",
Type: nodetasks.FileType_Directory,
Mode: s("0755"),
})
c.AddTask(&nodetasks.BindMount{
Source: "/home/kubernetes/flexvolume",
Mountpoint: "/home/kubernetes/flexvolume",
Options: []string{"exec", "nosuid", "nodev"},
})
// Create /opt
src := "/mnt/stateful_partition/opt/" src := "/mnt/stateful_partition/opt/"
c.AddTask(&nodetasks.File{ c.AddTask(&nodetasks.File{
@ -60,7 +87,7 @@ func (b *DirectoryBuilder) Build(c *fi.ModelBuilderContext) error {
Mode: s("0755"), Mode: s("0755"),
}) })
// Rebuild things we are masking // Rebuild things we are masking by mounting /opt on top
c.AddTask(&nodetasks.File{ c.AddTask(&nodetasks.File{
Path: filepath.Join(src, "google"), Path: filepath.Join(src, "google"),
Type: nodetasks.FileType_Directory, Type: nodetasks.FileType_Directory,

4
nodeup/pkg/model/kubelet.go
View File

@ -109,8 +109,8 @@ func (b *KubeletBuilder) Build(c *fi.ModelBuilderContext) error {
} }
{ {
// We always create the directory, avoids circular dependency on a bind-mount // We always create the directory, avoids circular dependency on a bind-mount
c.AddTask(&nodetasks.File{ c.EnsureTask(&nodetasks.File{
Path: filepath.Dir(b.KubeletKubeConfig()), Path: filepath.Dir(b.KubeletKubeConfig()), // e.g. "/var/lib/kubelet"
Type: nodetasks.FileType_Directory, Type: nodetasks.FileType_Directory,
Mode: s("0755"), Mode: s("0755"),
}) })

2
upup/pkg/fi/nodeup/nodetasks/bindmount.go
View File

@ -201,7 +201,7 @@ func (e *BindMount) execute(t Executor) error {
case "rshared": case "rshared":
makeOptions = append(makeOptions, "--make-rshared") makeOptions = append(makeOptions, "--make-rshared")
case "exec", "noexec", "nosuid", "nodev": case "exec", "noexec", "suid", "nosuid", "dev", "nodev":
remountOptions = append(remountOptions, option) remountOptions = append(remountOptions, option)
default: default: