I'm trying to mount a Kubernetes secret as a volume into a Pod running a Windows container. I want the mounted secret to contain subdirectories. To do so, I'm using the items feature (see also this StackOverflow question):

```yaml
...
  containers:
    ...
    volumeMounts:
    - mountPath: C:\Secrets
      name: secrets-volume
      readOnly: true
...
  volumes:
  - name: secrets-volume
    secret:
      items:
      - key: secret.txt
        path: Files/secret.txt
      secretName: fs-testsecret
```

When the container is created, the C:\Secrets directory looks like this:

```
C:\secrets>dir
 Volume in drive C has no label.
 Volume Serial Number is DAA6-0343

 Directory of C:\secrets

09/29/2021  12:26 PM    <DIR>          .
09/29/2021  12:26 PM    <DIR>          ..
09/29/2021  12:26 PM    <DIR>          ..2021_09_29_10_26_51.246293635
09/29/2021  12:26 PM    <SYMLINKD>     ..data [..2021_09_29_10_26_51.246293635]
09/29/2021  12:26 PM    <SYMLINK>      Files [..data\Files]
               1 File(s)              0 bytes
               4 Dir(s)  44,635,086,848 bytes free
```

This is not right: the `Files` entry was created as a file symbolic link, not as a directory symbolic link. Navigating to that directory does not work. (Navigating to the `..data\Files` directory does work.)

```
C:\secrets>cd Files
The directory name is invalid.

C:\secrets>cd ..data\Files

C:\secrets\..data\Files>dir
 Volume in drive C has no label.
 Volume Serial Number is DAA6-0343

 Directory of C:\secrets\..data\Files

09/29/2021  12:26 PM    <DIR>          .
09/29/2021  12:26 PM    <DIR>          ..
09/29/2021  12:26 PM               582 secret.txt
               1 File(s)            582 bytes
               2 Dir(s)  44,633,931,776 bytes free
```

Am I doing something wrong or is this a bug in Kubernetes with Windows containers?

Here's a full repro sample:

  1. Create the secret (assuming a directory `secrets` with a file `secret.txt`):

```
kubectl -n ... create secret generic fs-testsecret --from-file secrets
```

  2. The Pod resource definition:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: fs-testpod
spec:
  containers:
  - command:
    - powershell
    image: mcr.microsoft.com/windows/servercore:ltsc2019
    imagePullPolicy: IfNotPresent
    name: fs-testpod-container
    stdin: true
    tty: true
    volumeMounts:
    - mountPath: C:\Secrets
      name: secrets-volume
      readOnly: true
  nodeSelector:
    kubernetes.io/os: windows
    node.kubernetes.io/windows-build: 10.0.17763
  tolerations:
  - effect: NoSchedule
    key: kubernetes.io/os
    operator: Equal
    value: windows
  volumes:
  - name: secrets-volume
    secret:
      items:
      - key: secret.txt
        path: Files/secret.txt
      secretName: fs-testsecret
```

Fabian Schmied

  • Which version of Kubernetes did you use and how did you set up the cluster? Did you use bare metal installation or some cloud provider? – Mikołaj Głodziak Sep 30 '21 at 07:30
  • @MikołajGłodziak This is Kubernetes v1.19.4-rancher1-1 in a local Rancher installation (v2.5.2). This is not the most recent 1.19 version (the version is not under my control), but I've scanned the changelog up to the current 1.19.15 version and didn't see a related Bugfix entry. – Fabian Schmied Sep 30 '21 at 13:50
  • Did you try to set `mountPath: C:\Secrets` in `"` like `mountPath: "C:\Secrets"`? – Mikołaj Głodziak Oct 01 '21 at 14:20
  • @MikołajGłodziak Thank you for the input. I changed the `mountPath` to (quoted) `"C:\\Secrets"` and `"C:/Secrets"`, these did not make any difference. – Fabian Schmied Oct 06 '21 at 11:40
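
A diagnostic for the symptom described in the question, added here as an example and not part of the original post: it lists the symbolic links at the top of the mounted secret volume and flags any link that lacks the Directory attribute although its target resolves to a directory. The function name `Find-MistypedSymlink` and its default path (taken from the question's `mountPath`) are assumptions for illustration.

```powershell
# Added diagnostic, not from the original post.
# Lists reparse points in a mounted secret volume and flags links that were
# created as file symlinks even though their target is a directory.
function Find-MistypedSymlink {
    param(
        # Assumption: the mount path used in the question's Pod spec.
        [string]$MountPath = 'C:\Secrets'
    )

    Get-ChildItem -LiteralPath $MountPath -Force |
        Where-Object { $_.Attributes.HasFlag([IO.FileAttributes]::ReparsePoint) } |
        ForEach-Object {
            # Target is a collection in Windows PowerShell 5.1 and a string in
            # PowerShell 7; taking the first element works for both.
            $target = @($_.Target)[0]
            if (-not $target) { return }   # not a link we can resolve; skip it

            # A relative target (such as ..data\Files) is relative to the
            # directory that contains the link itself.
            if (-not [IO.Path]::IsPathRooted($target)) {
                $parent = Split-Path -Parent $_.FullName
                $target = Join-Path -Path $parent -ChildPath $target
            }

            $linkIsDir   = $_.Attributes.HasFlag([IO.FileAttributes]::Directory)
            $targetIsDir = [IO.Directory]::Exists($target)

            [pscustomobject]@{
                Link        = $_.FullName
                Target      = $target
                LinkIsDir   = $linkIsDir
                TargetIsDir = $targetIsDir
                # True for the case shown in the question: <SYMLINK> to a directory.
                Mistyped    = ($targetIsDir -and -not $linkIsDir)
            }
        }
}

Find-MistypedSymlink | Format-Table -AutoSize
```

For the listing shown in the question, `Files` would be reported with `Mistyped` set to `True` and `..data` with `False`.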

0 Answers