-
Notifications
You must be signed in to change notification settings - Fork 39.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
If Kubelet Tries To Chown Files Any Time It Sees fsGroup Then That Can Catastrophically Impact Shared File Systems #93802
Comments
/sig architecture |
I think this is covered by https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/695-skip-permission-change which is a feature in progress to allow controlling whether a permission change is attempted /remove-sig architecture |
@liggitt: The label(s) In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
It seems like most people are focusing on the performance issues and occasionally similar to the issue you link to under Motivation they mention that one pod that mounts a shared file system volume with fsGroup could impact another pod that uses that volume; but, it doesn't seem like people are thinking about the very bad consequences for companies that rely on shared file systems throughout their organization. In those cases, if a developer mounts an existing shared filesystem used by his/her entire organization into his/her container via a PersistentVolume and includes fsGroup, seemingly the consequence will be that all of the processes throughout the organization will be impacted. There are many github issues and docs that advise using fsGroup for various scenarios and they don't mention how dangerous setting this is for shared filesystem volumes. The AWS Docs themselves even advise setting fsGroup to be the nobody user so that non-root containers can read their projected service account token for pod IAM roles. In cases like that, a developer would correctly follow the doc and if he/she is also mounting an important nfs share, the result will be he/she will unwittingly changes the permissions to that share for the entire organization. I am not sure why this sort of thing is not considered to be more dangerous if that's really how this works--one developer can include fsGroup and impact an entire shared filesystem for an organization. |
To make one last comment, if the below two items are true then why isn't this considered to be a more critical problem (mistake?):
So, one developer could come across a tutorial that says to use fsGroup and include it (ie- to read a projected service account token) and the consequence will be that the entire organization's filesystem may become unreadable by many of their processes and people. It seems like I must be misunderstanding something if the community doesn't consider this to be a critical problem. So, if I am, please let me know before I try to design a way to prevent developers from including fsGroup when they are also mounting nfs volumes. |
Right now fsgroup support is implemented and decided on per plugin. So exactly for the reasons you specify, fsgroup is ignored for shared filesystems like nfs but enabled for rwo volume types like cloud block disks. Questions about your scenario:
@kubernetes/sig-storage-misc |
Thanks for your response! That is such a relief that fsgroup ignores nfs. Based on the behavior I see, I think it may not ignore the smb flex volume plugin we use to mount CIFS shares. Whenever a developer includes fsGroup in conjunction with a CIFS volume mounted via this plugin, the volume fails to mount due to a timeout. I think that the timeout is because Kubelet is trying to chown the volume's files. I am less nervous about this because I can't picture what it would mean to chown files on a Windows file share. However, it is still an issue because they can't use Pod IAM roles if they are also mounting CIFS shares (ie- they must include fsGroup to use pod IAM roles). To answer your questions:
|
@Mr-Howard-Roark for flexvolume plugins - a plugin can opt-out of fsgroup based permission change by returning |
Ok thanks for sharing @gnufied. I was not aware of that and will try to make the adjustment to the flexvolume plugin we're using. |
I am marking this as closed, hoping that k8s has enough hooks in place to ensure shared filesystems don't accidently get chwoned. /close |
@gnufied: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
i confirm we have the same issue on our side on 1.21 series. on a very very huge fileshare (millions of files) it chown for minutes, strace on kubelet process showed it.
patching our CIFS driver with FSGroup: false solved the issue |
What happened:
Based on the below references, I am concerned about the implications of including fsGroup in a pod that mounts shared file system volumes. Many companies have multiple workflows that utilize the same shared file system whether onprem, in the cloud, or in containers and if someone mounts a pod that utilizes a Volume for that shared file system and unwittingly includes fsGroup because he/she sees that you must do that to access IAM projected web identity tokens for example, if Kubelet chowns all of the files, that would potentially break processes across the company that utilize that share.
The purpose of this Issue is to confirm that the below references are correct that if fsGroup is included Kubelet will try to chown all of the files on the volume. I am unsure of whether that is true because when I use hostPath to mount CIFS and NFS shares, I don't see that happen. When I mount NFS Persistent Volumes I also don't see that happen (ie- the Pods run quickly and I don't see the file permissions change). When I mount CIFS Persistent Volumes, I do think I see that happen where Volumes timeout and cannot be mounted.
Overall, I have tried to understand this via the Kubernetes Discussion forum, StackOverflow, and calls with AWS Container representatives, and no one seems to know how this works. If that really is the case that it is trying to chown all of the files, I think that is very dangerous and it would impact my platform for my company where I would I guess need to use Gatekeeper to prevent people from including fsGroup when shared volumes are mounted.
Kubernetes Chowning Files References
https://docs.microsoft.com/en-us/azure/aks/troubleshooting
Kubernetes Chowning Files References
https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#configure-volume-permission-and-ownership-change-policy-for-pods
Environment:
kubectl version
): 1.15.11cat /etc/os-release
): Amazon Linux 2The text was updated successfully, but these errors were encountered: