Changing default file owner and group owner of kubernetes secrets files mounted on projected volumes

I am new to K8S. I have a YAML file which generates Kubernetes secrets mounted on projected volumes. Upon execution, I found that the secret files (packaged with secrets) are showing "root" as file owner and group owner. I want to change the file owner and group owner to the same specific user (say 450).

I have tried using "chown" from an init container (tried it but failed), but I got an error saying "read-only file system" and could not modify the file and group owner. I do not want to use "fsGroup" under securityContext. I observed that the "mode:" option under "items" behaves in an unpredictable manner when fsGroup is used.

Is there any way to modify the default file and group owner of the Kubernetes secret files that are mounted via projected volumes?

I am providing the sample code below. Suppose I want to change the file and group owner of the "password" file (under 'mysecret2') in the sample below. How do I achieve it?

apiVersion: v1
kind: Pod
metadata:
  name: volume-test
spec:
  containers:
  - name: container-test
    image: busybox
    volumeMounts:
    - name: all-in-one
      mountPath: "/projected-volume"
      readOnly: true
  volumes:
  - name: all-in-one
    projected:
      sources:
      - secret:
          name: mysecret
          items:
            - key: username
              path: username
      - secret:
          name: mysecret2
          items:
            - key: password
              path: password
              mode: 511   # mode is given in decimal: 511 = octal 0777
user_2011 asked Apr 20 '18 15:04


1 Answer

As far as I know, there's no way to change owner UID for secrets.

A workaround is to copy a secret to a normal file, then change its ownership and mode, like this:

apiVersion: v1
kind: Pod
metadata:
  name: volume-test
spec:
  containers:
  - name: container-test
    image: busybox
    # command must be a YAML list; the script itself is the third element
    command:
      - "/bin/sh"        # busybox ships /bin/sh, not /bin/bash
      - "-exc"
      - |
        # copy the read-only projected files to a writable location
        mkdir -p /etc/secrets
        cp /etc/secrets-mount/*_pgpass /etc/secrets/
        # the copies can be chowned/chmodded (the container runs as root here)
        chown my-user /etc/secrets/*_pgpass
        chmod 600 /etc/secrets/*_pgpass
        # drop privileges before starting the application
        # (su-exec is not part of busybox; the image must provide it, e.g. Alpine's su-exec package)
        exec su-exec my-user /entrypoint.sh
    volumeMounts:
    - name: secrets
      mountPath: /etc/secrets-mount/

....
Alexey Novgorodov answered Sep 20 '22 12:09
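The copy-then-chown workaround from the answer, as an added POSIX sh helper that is not part of the question or the answer: it stages every file from a read-only projected mount into a writable directory, makes each copy mode 600 inside a mode 700 directory, and hands the copies to one UID/GID. The source and destination paths and the UID/GID 450 are illustrative; chown only succeeds when the container starts as root (or has CAP_CHOWN), so the application should afterwards be exec'd as the target user, as the answer does with su-exec.

```shell
#!/bin/sh
# Added example: stage secrets from a read-only projected-volume mount into a
# writable directory owned by a specific UID/GID (paths and ids are assumptions).
set -eu

# stage_secrets SRC DST UID GID
stage_secrets() {
  src="$1"; dst="$2"; uid="$3"; gid="$4"
  mkdir -p "$dst"
  chmod 700 "$dst"             # nobody else can list or traverse the copies
  for f in "$src"/*; do
    [ -f "$f" ] || continue    # skip subdirectories and an empty glob
    # -L dereferences the symlinks Kubernetes uses for atomic secret updates,
    # so the copy is a plain file rather than a dangling link
    cp -L "$f" "$dst/$(basename "$f")"
    chmod 600 "$dst/$(basename "$f")"
  done
  if [ "$(id -u)" -eq 0 ]; then
    chown -R "$uid:$gid" "$dst"
  else
    echo "not root: skipping chown to $uid:$gid, files stay owned by uid $(id -u)" >&2
  fi
}

# perms_of PATH -> the 10-character mode string, e.g. -rw-------
perms_of() {
  ls -ld "$1" | cut -c1-10
}
```

In the pod this runs from the container command as root, e.g. `stage_secrets /projected-volume /etc/secrets 450 450 && exec su-exec 450:450 /entrypoint.sh`. Note that the copies are static: when the Secret is updated, the kubelet refreshes the projected mount but not the copied files.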