origin: Mounting file from ConfigMap using volume subPath causes file permission denied error

I’m trying to mount a single file from a ConfigMap into a container directory that already contains other files. Following https://stackoverflow.com/a/43404857, it seems like it should be possible to do this using volume subPath; however, a permission denied error is shown when I try to open the file. Maybe I’m doing it wrong?

Version

oc v3.6.0+c4dd4cf
kubernetes v1.6.1+5115d708d7
features: Basic-Auth

Server XXX
openshift v3.6.0+c4dd4cf
kubernetes v1.6.1+5115d708d7

Steps To Reproduce
  1. Create a configMap:
apiVersion: v1
data:
  hello.txt: This is a test file
kind: ConfigMap
metadata:
  name: myconfig
  2. Deploy a test pod, e.g. redis, and edit the deploymentConfig yaml to have:
volumes:
  - configMap:
      name: myconfig
    name: myconfig
....
containers:
  - volumeMounts:
    - mountPath: /var/lib/hello.txt
      name: myconfig
      subPath: hello.txt
  3. oc rsh into the pod and cd /var/lib/ and notice how hello.txt can’t be read:
ls -lah
ls: cannot access hello.txt: Permission denied

Current Result

ls: cannot access hello.txt: Permission denied

Expected Result

File contents should be available from inside the container.

About this issue

  • State: closed
  • Created 7 years ago
  • Reactions: 3
  • Comments: 22 (17 by maintainers)

Most upvoted comments

Sorry for re-opening this one, but as the answer I was looking for is not present here, I thought I should share it.

To fix the access denied on a file mounted with volumeMount and subPath, it seems to work if we provide the default_mode property on the volume and give an access mode containing read permission.

volume {
  name = "<some-name>"
  config_map {
    name         = "<some-file>"
    default_mode = "0555"
  }
}

volume_mount {
  # must match the name of the volume block above
  name       = "<some-name>"
  mount_path = "<file_path>"
  read_only  = true
  sub_path   = "<some-file>"
}
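
The same setting written as a plain Kubernetes manifest, reusing the ConfigMap, key and mount path from the reproduction steps in the issue. This is an added example, not part of the original issue or its comments; the pod name `subpath-test`, the container name and the `redis` image are assumptions.

```yaml
# ConfigMap from the issue's reproduction steps.
apiVersion: v1
kind: ConfigMap
metadata:
  name: myconfig
data:
  hello.txt: This is a test file
---
apiVersion: v1
kind: Pod
metadata:
  name: subpath-test            # assumed name, not from the issue
spec:
  containers:
    - name: redis               # assumed container name
      image: redis              # assumed image; the issue only says "e.g. redis"
      volumeMounts:
        - name: myconfig        # must match the volume name below
          mountPath: /var/lib/hello.txt
          subPath: hello.txt    # ConfigMap key mounted as a single file
          readOnly: true
  volumes:
    - name: myconfig
      configMap:
        name: myconfig
        # Octal mode taken from the comment above (default_mode = "0555").
        # YAML accepts the octal form; a JSON manifest needs decimal 365.
        defaultMode: 0555
```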

Ultimately I think this is an upstream Kube issue, so I’ll open one there and reference this one.