mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-21 19:01:49 +00:00
Merge pull request #47236 from dixudx/not_allow_backsteps_in_local_volume
Automatic merge from submit-queue (batch tested with PRs 34515, 47236, 46694, 47819, 47792) not allow backsteps in local volume plugin **Which issue this PR fixes** : fixes #47207 **Special notes for your reviewer**: cc @msau42 @ddysher Just follow @liggitt [commented](https://github.com/kubernetes/kubernetes/issues/47107#issuecomment-306831175). **Release note**: ```release-note NONE ```
This commit is contained in:
Kubernetes Submit Queue
GitHub
commit
1184ce869a
@ -1133,7 +1133,10 @@ func validateLocalVolumeSource(ls *api.LocalVolumeSource, fldPath *field.Path) f
|
||||
allErrs := field.ErrorList{}
|
||||
if ls.Path == "" {
|
||||
allErrs = append(allErrs, field.Required(fldPath.Child("path"), ""))
|
||||
return allErrs
|
||||
}
|
||||
|
||||
allErrs = append(allErrs, validatePathNoBacksteps(ls.Path, fldPath.Child("path"))...)
|
||||
return allErrs
|
||||
}
|
||||
|
||||
|
||||
@ -281,6 +281,21 @@ func TestValidatePersistentVolumes(t *testing.T) {
|
||||
StorageClassName: "backstep-hostpath",
|
||||
}),
|
||||
},
|
||||
"bad-local-volume-backsteps": {
|
||||
isExpectedFailure: true,
|
||||
volume: testVolume("foo", "", api.PersistentVolumeSpec{
|
||||
Capacity: api.ResourceList{
|
||||
api.ResourceName(api.ResourceStorage): resource.MustParse("10G"),
|
||||
},
|
||||
AccessModes: []api.PersistentVolumeAccessMode{api.ReadWriteOnce},
|
||||
PersistentVolumeSource: api.PersistentVolumeSource{
|
||||
Local: &api.LocalVolumeSource{
|
||||
Path: "/foo/..",
|
||||
},
|
||||
},
|
||||
StorageClassName: "backstep-local",
|
||||
}),
|
||||
},
|
||||
}
|
||||
|
||||
for name, scenario := range scenarios {
|
||||
|
||||
@ -21,6 +21,7 @@ go_library(
|
||||
"//pkg/util/strings:go_default_library",
|
||||
"//pkg/volume:go_default_library",
|
||||
"//pkg/volume/util:go_default_library",
|
||||
"//pkg/volume/validation:go_default_library",
|
||||
"//vendor/github.com/golang/glog:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
|
||||
|
||||
@ -29,6 +29,7 @@ import (
|
||||
"k8s.io/kubernetes/pkg/util/strings"
|
||||
"k8s.io/kubernetes/pkg/volume"
|
||||
"k8s.io/kubernetes/pkg/volume/util"
|
||||
"k8s.io/kubernetes/pkg/volume/validation"
|
||||
)
|
||||
|
||||
// This is the primary entrypoint for volume plugins.
|
||||
@ -192,6 +193,11 @@ func (m *localVolumeMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) err
|
||||
return err
|
||||
}
|
||||
|
||||
err := validation.ValidatePathNoBacksteps(m.globalPath)
|
||||
if err != nil {
|
||||
return fmt.Errorf("invalid path: %s %v", m.globalPath, err)
|
||||
}
|
||||
|
||||
notMnt, err := m.mounter.IsLikelyNotMountPoint(dir)
|
||||
glog.V(4).Infof("LocalVolume mount setup: PodDir(%s) VolDir(%s) Mounted(%t) Error(%v), ReadOnly(%t)", dir, m.globalPath, !notMnt, err, m.readOnly)
|
||||
if err != nil && !os.IsNotExist(err) {
|
||||
|
||||
@ -75,7 +75,7 @@ func getPersistentPlugin(t *testing.T) (string, volume.PersistentVolumePlugin) {
|
||||
return tmpDir, plug
|
||||
}
|
||||
|
||||
func getTestVolume(readOnly bool) *volume.Spec {
|
||||
func getTestVolume(readOnly bool, path string) *volume.Spec {
|
||||
pv := &v1.PersistentVolume{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: testPVName,
|
||||
@ -83,7 +83,7 @@ func getTestVolume(readOnly bool) *volume.Spec {
|
||||
Spec: v1.PersistentVolumeSpec{
|
||||
PersistentVolumeSource: v1.PersistentVolumeSource{
|
||||
Local: &v1.LocalVolumeSource{
|
||||
Path: "/test-vol",
|
||||
Path: path,
|
||||
},
|
||||
},
|
||||
},
|
||||
@ -104,7 +104,7 @@ func TestCanSupport(t *testing.T) {
|
||||
tmpDir, plug := getPlugin(t)
|
||||
defer os.RemoveAll(tmpDir)
|
||||
|
||||
if !plug.CanSupport(getTestVolume(false)) {
|
||||
if !plug.CanSupport(getTestVolume(false, "/test-vol")) {
|
||||
t.Errorf("Expected true")
|
||||
}
|
||||
}
|
||||
@ -130,7 +130,7 @@ func TestGetVolumeName(t *testing.T) {
|
||||
tmpDir, plug := getPersistentPlugin(t)
|
||||
defer os.RemoveAll(tmpDir)
|
||||
|
||||
volName, err := plug.GetVolumeName(getTestVolume(false))
|
||||
volName, err := plug.GetVolumeName(getTestVolume(false, "/test-vol"))
|
||||
if err != nil {
|
||||
t.Errorf("Failed to get volume name: %v", err)
|
||||
}
|
||||
@ -139,12 +139,29 @@ func TestGetVolumeName(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
func TestInvalidLocalPath(t *testing.T) {
|
||||
tmpDir, plug := getPlugin(t)
|
||||
defer os.RemoveAll(tmpDir)
|
||||
|
||||
pod := &v1.Pod{ObjectMeta: metav1.ObjectMeta{UID: types.UID("poduid")}}
|
||||
mounter, err := plug.NewMounter(getTestVolume(false, "/no/backsteps/allowed/.."), pod, volume.VolumeOptions{})
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
err = mounter.SetUp(nil)
|
||||
expectedMsg := "invalid path: /no/backsteps/allowed/.. must not contain '..'"
|
||||
if err.Error() != expectedMsg {
|
||||
t.Fatalf("expected error `%s` but got `%s`", expectedMsg, err)
|
||||
}
|
||||
}
|
||||
|
||||
func TestMountUnmount(t *testing.T) {
|
||||
tmpDir, plug := getPlugin(t)
|
||||
defer os.RemoveAll(tmpDir)
|
||||
|
||||
pod := &v1.Pod{ObjectMeta: metav1.ObjectMeta{UID: types.UID("poduid")}}
|
||||
mounter, err := plug.NewMounter(getTestVolume(false), pod, volume.VolumeOptions{})
|
||||
mounter, err := plug.NewMounter(getTestVolume(false, "/test-vol"), pod, volume.VolumeOptions{})
|
||||
if err != nil {
|
||||
t.Errorf("Failed to make a new Mounter: %v", err)
|
||||
}
|
||||
@ -226,7 +243,7 @@ func TestPersistentClaimReadOnlyFlag(t *testing.T) {
|
||||
|
||||
// Read only == true
|
||||
pod := &v1.Pod{ObjectMeta: metav1.ObjectMeta{UID: types.UID("poduid")}}
|
||||
mounter, err := plug.NewMounter(getTestVolume(true), pod, volume.VolumeOptions{})
|
||||
mounter, err := plug.NewMounter(getTestVolume(true, "/test-vol"), pod, volume.VolumeOptions{})
|
||||
if err != nil {
|
||||
t.Errorf("Failed to make a new Mounter: %v", err)
|
||||
}
|
||||
@ -238,7 +255,7 @@ func TestPersistentClaimReadOnlyFlag(t *testing.T) {
|
||||
}
|
||||
|
||||
// Read only == false
|
||||
mounter, err = plug.NewMounter(getTestVolume(false), pod, volume.VolumeOptions{})
|
||||
mounter, err = plug.NewMounter(getTestVolume(false, "/test-vol"), pod, volume.VolumeOptions{})
|
||||
if err != nil {
|
||||
t.Errorf("Failed to make a new Mounter: %v", err)
|
||||
}
|
||||
@ -259,7 +276,7 @@ func TestUnsupportedPlugins(t *testing.T) {
|
||||
|
||||
plugMgr := volume.VolumePluginMgr{}
|
||||
plugMgr.InitPlugins(ProbeVolumePlugins(), volumetest.NewFakeVolumeHost(tmpDir, nil, nil))
|
||||
spec := getTestVolume(false)
|
||||
spec := getTestVolume(false, "/test-vol")
|
||||
|
||||
recyclePlug, err := plugMgr.FindRecyclablePluginBySpec(spec)
|
||||
if err == nil && recyclePlug != nil {
|
||||
|
||||
Loading…
Reference in New Issue
Block a user