Mount host path directories instead of sockets

So far we’ve tried to mount individual host files which are needed in the containers, to limit the exposure. However this doesn’t work well for sockets: because the consuming end can’t create them, they need to be mounted as files, and because Kubernetes (or CRI) doesn’t support “opportunistic” mounts, their type can’t be specified; as a result, if the container starts before the process which opens the socket, the mount ends up being created as a directory, and the process trying to open the socket then fails. There are two potential fixes for this: * if the operator could determine conclusively which socket mounts are required for a container, it could define only the necessary mounts, and have the container block waiting for them to be available; * as done in ovnkubernetes, the containers can mount the containing directories. The first approach seems preferable but creates a strong dependency on specific behaviours from the cluster environment (specific paths used by specific versions of OpenShift components in specific scenarios). The second isn’t great from a security perspective but seems like the best compromise. /var/run is a symlink to /run; this also changes the various paths to use canonical paths and merges the duplicates. Signed-off-by: Stephen Kitt <skitt@redhat.com>
submariner-io · Oct 17, 2023 · 74aaef5 · 74aaef5
1 parent 94c0e44
commit 74aaef5
Showing 1 changed file with 10 additions and 14 deletions.
diff --git a/controllers/submariner/route_agent_resources.go b/controllers/submariner/route_agent_resources.go
@@ -73,23 +73,21 @@ func newRouteAgentDaemonSet(cr *v1alpha1.Submariner, name string) *appsv1.Daemon
 				Spec: corev1.PodSpec{
 					TerminationGracePeriodSeconds: ptr.To(int64(1)),
 					Volumes: []corev1.Volume{
-						// We need to share /run/xtables.lock with the host for iptables
+						// Share /run/xtables.lock with the host for iptables
 						{Name: "host-run-xtables-lock", VolumeSource: corev1.VolumeSource{HostPath: &corev1.HostPathVolumeSource{
 							Path: "/run/xtables.lock", Type: ptr.To(corev1.HostPathFileOrCreate),
 						}}},
-						// We need to share /run/openvswitch/db.sock with the host for OVS
-						{Name: "host-run-openvswitch-db-sock", VolumeSource: corev1.VolumeSource{HostPath: &corev1.HostPathVolumeSource{
-							Path: "/run/openvswitch/db.sock",
+						// Share /run/openvswitch/db.sock and /run/openvswitch/ovnnb_db.sock with the host for OVS/OVN
+						{Name: "host-run-openvswitch", VolumeSource: corev1.VolumeSource{HostPath: &corev1.HostPathVolumeSource{
+							Path: "/run/openvswitch", Type: ptr.To(corev1.HostPathDirectoryOrCreate),
 						}}},
+						// Share /sys with the host for OVS/OVN
 						{Name: "host-sys", VolumeSource: corev1.VolumeSource{HostPath: &corev1.HostPathVolumeSource{
 							Path: "/sys",
 						}}},
-						{Name: "host-var-run-openvswitch-nbdb-sock", VolumeSource: corev1.VolumeSource{HostPath: &corev1.HostPathVolumeSource{
-							Path: "/var/run/openvswitch/ovnnb_db.sock",
-						}}},
-						// Path used by Openshift
-						{Name: "host-var-run-ovn-ic-nbdb-sock", VolumeSource: corev1.VolumeSource{HostPath: &corev1.HostPathVolumeSource{
-							Path: "/var/run/ovn-ic/ovnnb_db.sock",
+						// Share /run/ovn-ic with the host for OVN (this is a transitional path used by OpenShift for upgrades)
+						{Name: "host-run-ovn-ic", VolumeSource: corev1.VolumeSource{HostPath: &corev1.HostPathVolumeSource{
+							Path: "/run/ovn-ic", Type: ptr.To(corev1.HostPathDirectoryOrCreate),
 						}}},
 					},
 					// The route agent needs to wait for the node to be ready before starting,
@@ -127,10 +125,8 @@ func newRouteAgentDaemonSet(cr *v1alpha1.Submariner, name string) *appsv1.Daemon
 							VolumeMounts: []corev1.VolumeMount{
 								{Name: "host-sys", MountPath: "/sys", ReadOnly: true},
 								{Name: "host-run-xtables-lock", MountPath: "/run/xtables.lock"},
-								{Name: "host-run-openvswitch-db-sock", MountPath: "/run/openvswitch/db.sock"},
-								{Name: "host-var-run-openvswitch-nbdb-sock", MountPath: "/var/run/openvswitch/ovnnb_db.sock"},
-								// Path used by Openshift
-								{Name: "host-var-run-ovn-ic-nbdb-sock", MountPath: "/var/run/ovn-ic/ovnnb_db.sock"},
+								{Name: "host-run-openvswitch", MountPath: "/run/openvswitch"},
+								{Name: "host-run-ovn-ic", MountPath: "/run/ovn-ic"},
 							},
 							Env: []corev1.EnvVar{
 								{Name: "SUBMARINER_NAMESPACE", Value: cr.Spec.Namespace},