
`copyFromHost` should not request write access

Open xavpaice opened this issue 3 years ago • 1 comments

Description

The copyFromHost collector appears to be requesting to open the hostPath with write permissions.

On GKE Autopilot, when I try to collect a support bundle for my KOTS-deployed app using the CLI, I'm seeing:

 * failed to run collector: kurl-host-preflights: create daemonset: create daemonset: admission webhook "gkepolicy.common-webhooks.networking.gke.io" denied the request: GKE Policy Controller rejected the request because it violates one or more policies: {"[denied by autogke-no-write-mode-hostpath]":["hostPath volume host in container collector is accessed in write mode; disallowed in Autopilot. Requested by user: '[email protected]', groups: 'system:authenticated'."]}
 * failed to run collector: collectd: create daemonset: create daemonset: admission webhook "gkepolicy.common-webhooks.networking.gke.io" denied the request: GKE Policy Controller rejected the request because it violates one or more policies: {"[denied by autogke-no-write-mode-hostpath]":["hostPath volume host in container collector is accessed in write mode; disallowed in Autopilot. Requested by user: '[email protected]', groups: 'system:authenticated'."]}

Which states that it's denying write mode access to hostPath. Since the collector is supposed to be copying content from the hostPath, there's no reason it needs write access.

Reproduction Steps

  1. Install an app using KOTS
  2. Run kubectl support-bundle secret/app-slug/kotsadm-app-slug-supportbundle --redactors=configmap/app-slug/kotsadm-redact-spec/redact-spec,configmap/app-slug/kotsadm-app-slug-redact-spec/redact-spec

Expected Behavior

The collector should not error.

Impact

  • Replicated impact:
  • Vendor impact:
  • End-user impact: Confusion, lack of confidence, potentially reduced ability to troubleshoot.

Possible Solution

Open the hostPath as read-only.

Workaround

Environment

  • kots 1.87.2
  • Replicated Troubleshoot 0.44.0

Additional Information

xavpaice avatar Oct 19 '22 03:10 xavpaice

From issue https://app.shortcut.com/replicated/story/60508/copyfromhost-should-not-request-write-access

xavpaice avatar Oct 19 '22 03:10 xavpaice

https://github.com/replicatedhq/troubleshoot/blob/55608c12ede9597fa4106a0bd3228946067cd5ea/pkg/collect/host_copy.go#L106-L107 opens the file in readonly by default.

xavpaice avatar Aug 19 '24 01:08 xavpaice
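
The condition named in the error message above, as an added example that is not part of the original thread or the troubleshoot code base: Kubernetes treats a `volumeMounts` entry as writable unless it sets `readOnly: true`, independently of how the process later opens files on that mount. This Go check approximates that condition over a constructed pod spec; it is not GKE's policy implementation. The volume and container names mirror the error message, while the paths and the `collector-ro` container are assumptions.

```go
package main
import ("encoding/json"; "fmt")

// Only the pod-spec fields this check needs.
type container struct {
	Name         string `json:"name"`
	VolumeMounts []struct {
		Name     string `json:"name"`
		ReadOnly bool   `json:"readOnly"` // Kubernetes default is false
	} `json:"volumeMounts"`
}
type podSpec struct {
	Volumes []struct {
		Name     string           `json:"name"`
		HostPath *json.RawMessage `json:"hostPath"`
	} `json:"volumes"`
	InitContainers []container `json:"initContainers"`
	Containers     []container `json:"containers"`
}

// WritableHostPathMounts returns "container/volume" for each mount of a
// hostPath volume that does not set readOnly: true.
func WritableHostPathMounts(specJSON []byte) ([]string, error) {
	var spec podSpec
	if err := json.Unmarshal(specJSON, &spec); err != nil {
		return nil, err
	}
	isHostPath := map[string]bool{}
	for _, v := range spec.Volumes {
		isHostPath[v.Name] = v.HostPath != nil
	}
	var findings []string
	for _, c := range append(spec.InitContainers, spec.Containers...) {
		for _, m := range c.VolumeMounts {
			if isHostPath[m.Name] && !m.ReadOnly {
				findings = append(findings, c.Name+"/"+m.Name)
			}
		}
	}
	return findings, nil
}
// Constructed sample, not the DaemonSet that troubleshoot generates.
const sampleSpec = `{"volumes":[{"name":"host","hostPath":{"path":"/var/log"}},{"name":"tmp","emptyDir":{}}],
 "containers":[{"name":"collector","volumeMounts":[{"name":"host","mountPath":"/host"},{"name":"tmp","mountPath":"/tmp"}]},
  {"name":"collector-ro","volumeMounts":[{"name":"host","mountPath":"/host","readOnly":true}]}]}`

func main() {
	findings, err := WritableHostPathMounts([]byte(sampleSpec))
	fmt.Println(findings, err) // [collector/host] <nil>
}
```

Only `collector/host` is reported: the writable `emptyDir` mount is not a hostPath volume, and the `collector-ro` mount sets `readOnly: true`.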