From 25bdad762b4605dee11889f41e9e23997ab0edf9 Mon Sep 17 00:00:00 2001
From: Matthew Wong <mawong@redhat.com>
Date: Thu, 30 Mar 2017 01:49:32 -0400
Subject: [PATCH] Create subPaths and set their permissions like we do
 mountPaths

---
 pkg/kubelet/kubelet_pods.go | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/pkg/kubelet/kubelet_pods.go b/pkg/kubelet/kubelet_pods.go
index 3aa8509f039..0fb29ccda27 100644
--- a/pkg/kubelet/kubelet_pods.go
+++ b/pkg/kubelet/kubelet_pods.go
@@ -135,7 +135,28 @@ func makeMounts(pod *v1.Pod, podDir string, container *v1.Container, hostName, h
 			return nil, err
 		}
 		if mount.SubPath != "" {
+			fileinfo, err := os.Lstat(hostPath)
+			if err != nil {
+				return nil, err
+			}
+			perm := fileinfo.Mode()
+
 			hostPath = filepath.Join(hostPath, mount.SubPath)
+
+			// Create the sub path now because if it's auto-created later when referenced, it may have an
+			// incorrect ownership and mode. For example, the sub path directory must have at least g+rwx
+			// when the pod specifies an fsGroup, and if the directory is not created here, Docker will
+			// later auto-create it with the incorrect mode 0750
+			if err := os.MkdirAll(hostPath, perm); err != nil {
+				glog.Errorf("failed to mkdir:%s", hostPath)
+				return nil, err
+			}
+
+			// chmod the sub path because umask may have prevented us from making the sub path with the same
+			// permissions as the mounter path
+			if err := os.Chmod(hostPath, perm); err != nil {
+				return nil, err
+			}
 		}
 
 		// Docker Volume Mounts fail on Windows if it is not of the form C:/