From 1994e9448a4d131e6305b68e49f1fdcdb5420cef Mon Sep 17 00:00:00 2001 From: Bharat Kunwar Date: Sat, 28 Mar 2020 09:13:57 +0000 Subject: [PATCH] fcos: Mount /:/rootfs:ro to Kubelet Kubelet fails to handle SELinux labelling of Cinder PV without presenting the rootfs to Kubelet and as a result, an unprivileged container lacks the ability to access the path. With this patch, Kubelet handles the correct labelling automatically when a Cinder PV is attached to a pod. The default behaviour using system containers in Fedora Atomic is to mount rootfs [1] but we did not implement the same behaviour in Fedora CoreOS which was a mistake as this was a missing piece of code. [1] https://github.com/openstack/magnum/blob/master/dockerfiles/kubernetes-kubelet/config.json.template#L335 Story: 2007413 Task: 39129 Change-Id: Id59c604928244bf49773b7519fa756d5b2814b69
---
 .../kubernetes/fragments/configure-kubernetes-master.sh | 1 +
 .../kubernetes/fragments/configure-kubernetes-minion.sh | 1 +
 2 files changed, 2 insertions(+)
diff --git a/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh b/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh
index 4ea282f389..c8f0f66405 100644
--- a/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh
@@ -189,6 +189,7 @@ ExecStart=/bin/bash -c '/usr/bin/podman run --name kubelet \\
 --pid host \\
 --network host \\
 --entrypoint /hyperkube \\
+ --volume /:/rootfs:ro \\
 --volume /etc/cni/net.d:/etc/cni/net.d:ro,z \\
 --volume /etc/kubernetes:/etc/kubernetes:ro,z \\
 --volume /usr/lib/os-release:/usr/lib/os-release:ro \\
diff --git a/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-minion.sh b/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-minion.sh
index 6d4f18c0f5..92b821cee1 100644
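Review bot: The added `--volume /:/rootfs:ro` line binds the entire host filesystem into the kubelet container without any comment on why, and `ro` on a bind of `/` is not necessarily recursive — depending on the podman/runc version, submounts beneath it (separate partitions, /proc, /sys, /dev) can remain writable through /rootfs, so the mount is weaker than it reads. Every other volume in this ExecStart carries `,z`; this one deliberately must not, because relabeling `/` would rewrite SELinux contexts host-wide, and that asymmetry deserves a note so a later cleanup does not "fix" it. Suggest a comment above the unit's heredoc (whose start is outside this hunk): `# /rootfs lets kubelet relabel Cinder PV mounts (Story 2007413); never add ,z here (would relabel the whole host), and :ro is not recursive for submounts`. The same applies to the identical hunk in configure-kubernetes-minion.sh.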
--- a/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-minion.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-minion.sh
@@ -83,6 +83,7 @@ ExecStart=/bin/bash -c '/usr/bin/podman run --name kubelet \\
 --pid host \\
 --network host \\
 --entrypoint /hyperkube \\
+ --volume /:/rootfs:ro \\
 --volume /etc/cni/net.d:/etc/cni/net.d:ro,z \\
 --volume /etc/kubernetes:/etc/kubernetes:ro,z \\
 --volume /usr/lib/os-release:/usr/lib/os-release:ro \\