Merge pull request #43775 from wongma7/subpath

Automatic merge from submit-queue Create subPaths and set their permissions like we do mountPaths fixes https://github.com/kubernetes/kubernetes/issues/41638 If a subPath does not exist at the time MountVolume.Setup happens, SetVolumeOwnership will not have walked to the subPath and set appropriate permissions on it, leading to the above issue So later, at makeMounts when we are parsing subPaths, let's create all subPaths and set their permissions according to how the parent mountPath looks. ```release-note NONE ```
2025-07-22 11:21:47 +00:00 · 2017-03-30 01:15:50 -07:00 · 2017-03-30 01:15:50 -07:00 · a644c8f968
commit a644c8f968
parent 58d2d9ade1 25bdad762b
1 changed files with 21 additions and 0 deletions
--- a/pkg/kubelet/kubelet_pods.go
+++ b/pkg/kubelet/kubelet_pods.go
@ -135,7 +135,28 @@ func makeMounts(pod *v1.Pod, podDir string, container *v1.Container, hostName, h
 			return nil, err
 		}
 		if mount.SubPath != "" {
+			fileinfo, err := os.Lstat(hostPath)
+			if err != nil {
+				return nil, err
+			}
+			perm := fileinfo.Mode()
+
 			hostPath = filepath.Join(hostPath, mount.SubPath)
+
+			// Create the sub path now because if it's auto-created later when referenced, it may have an
+			// incorrect ownership and mode. For example, the sub path directory must have at least g+rwx
+			// when the pod specifies an fsGroup, and if the directory is not created here, Docker will
+			// later auto-create it with the incorrect mode 0750
+			if err := os.MkdirAll(hostPath, perm); err != nil {
+				glog.Errorf("failed to mkdir:%s", hostPath)
+				return nil, err
+			}
+
+			// chmod the sub path because umask may have prevented us from making the sub path with the same
+			// permissions as the mounter path
+			if err := os.Chmod(hostPath, perm); err != nil {
+				return nil, err
+			}
 		}

 		// Docker Volume Mounts fail on Windows if it is not of the form C:/