[Release-1.26] - /var/lib/rancher/k3s/storage should not be world-readable.

[dereknola]

Backport fix for /var/lib/rancher/k3s/storage should not be world-readable.

• /var/lib/rancher/k3s/storage should not be world-readable. #2348

[bguzman-3pillar]

Validated on v1.26.5-rc1+k3s1

$ k3s -v
k3s version v1.26.5-rc1+k3s1 (6cd54032)
go version go1.19.9

Environment Details

Infrastructure

• Cloud
• Hosted

Node(s) CPU architecture, OS, and Version:

$ cat /etc/os-release
PRETTY_NAME="Ubuntu 22.04.2 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.2 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian

Cluster Configuration:

1 server

Config.yaml:

$ cat config.yaml 
token: test
write-kubeconfig-mode: 644
selinux: true
cluster-init: true

Additional files

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: local-path-pvc
  namespace: default
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: local-path
  resources:
    requests:
      storage: 500Mi
---
apiVersion: v1
kind: Pod
metadata:
  name: volume-test
  namespace: default
spec:
  containers:
  - name: volume-test
    image: nginx:stable-alpine
    imagePullPolicy: IfNotPresent
    volumeMounts:
    - name: volv
      mountPath: /data
    ports:
    - containerPort: 80
  volumes:
  - name: volv
    persistentVolumeClaim:
      claimName: local-path-pvc

Testing Steps

1. sudo mkdir -p /etc/rancher/k3s/ && sudo cp config.yaml /etc/rancher/k3s/config.yaml
2. Install k3s: curl -sfL https://get.k3s.io | INSTALL_K3S_VERSION=<version> sh -s - server
3. Deploy persistent volumen dep.yaml
4. Create create awx instance ( please follow: https://awstip.com/deploy-ansible-awx-into-a-k3s-single-node-cluster-794c023c514b)
5. Validate the regression testing for persistent volumen

Validation Results:

$ cd /var/lib/rancher/k3s/storage/
-bash: cd: /var/lib/rancher/k3s/storage/: Permission denied

$ cd /var/lib/rancher/k3s/storage/pvc-f1751576-96e5-4368-97c0-a962701a63ca_default_local-path-pvc
-bash: cd: /var/lib/rancher/k3s/storage/pvc-f1751576-96e5-4368-97c0-a962701a63ca_default_local-path-pvc: Permission denied

• Functional persistent volume checks:

$ kubectl get pod -A
NAMESPACE     NAME                                               READY   STATUS      RESTARTS   AGE
awx           awx-operator-controller-manager-74889d49c8-rws5l   2/2     Running     0          3m23s
default       volume-test                                        1/1     Running     0          8m
kube-system   coredns-59b4f5bbd5-zs2sv                           1/1     Running     0          8m35s
kube-system   helm-install-traefik-crd-hrcgz                     0/1     Completed   0          8m35s
kube-system   helm-install-traefik-r7fdk                         0/1     Completed   1          8m35s
kube-system   local-path-provisioner-76d776f6f9-dkh9l            1/1     Running     0          8m35s
kube-system   metrics-server-7b67f64457-v88dd                    1/1     Running     0          8m35s
kube-system   svclb-traefik-5a91bd35-tgz6b                       2/2     Running     0          8m14s
kube-system   traefik-57c84cf78d-rrhs8                           1/1     Running     0          8m14s

$ kubectl get svc

NAME                                              TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
awx-operator-controller-manager-metrics-service   ClusterIP   10.43.174.136   <none>        8443/TCP   2m57s

$ kubectl get pv,pvc -A

NAME                                                        CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS   CLAIM                    STORAGECLASS   REASON   AGE
persistentvolume/pvc-00ea406a-f12d-4ee3-83b0-2905a9d8cf53   500Mi      RWO            Delete           Bound    default/local-path-pvc   local-path              7m37s

NAMESPACE   NAME                                   STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   AGE
default     persistentvolumeclaim/local-path-pvc   Bound    pvc-00ea406a-f12d-4ee3-83b0-2905a9d8cf53   500Mi      RWO            local-path     7m44s

$ kubectl get pod volume-test -n default
NAME          READY   STATUS    RESTARTS   AGE
volume-test   1/1     Running   0          8m53s

$ kubectl get pods -o=name -l app=local-path-provisioner --field-selector=status.phase=Running -n kube-system

pod/local-path-provisioner-76d776f6f9-dkh9l

$ kubectl exec volume-test -n default -- sh -c 'echo local-path-test > /data/test'
kubectl exec volume-test -n default -- cat /data/test
local-path-test

$ kubectl get node,pod -A
NAME                   STATUS   ROLES                       AGE   VERSION
node/ip-172-31-1-190   Ready    control-plane,etcd,master   22m   v1.26.5-rc1+k3s1

NAMESPACE     NAME                                                   READY   STATUS      RESTARTS   AGE
awx           pod/awx-operator-controller-manager-74889d49c8-rws5l   2/2     Running     0          16m
default       pod/volume-test                                        1/1     Running     0          21m
kube-system   pod/coredns-59b4f5bbd5-zs2sv                           1/1     Running     0          22m
kube-system   pod/helm-install-traefik-crd-hrcgz                     0/1     Completed   0          22m
kube-system   pod/helm-install-traefik-r7fdk                         0/1     Completed   1          22m
kube-system   pod/local-path-provisioner-76d776f6f9-dkh9l            1/1     Running     0          22m
kube-system   pod/metrics-server-7b67f64457-v88dd                    1/1     Running     0          22m
kube-system   pod/svclb-traefik-5a91bd35-tgz6b                       2/2     Running     0          21m
kube-system   pod/traefik-57c84cf78d-rrhs8                           1/1     Running     0          21m