Kubernetes Volume Mount Permissions Incorrect For Secret

I am mounting a k8s secret as a volume mount, and the files in the pod have the wrong permissions.

In my Deployment I have this entry in the volumes array:

        - name: ssh-host-keys
          secret:
            secretName: ftp-ssh-host-keys
            defaultMode: 0600

which is then mounted like this:

            - mountPath: /etc/ssh/ssh_host_rsa_key
              name: ssh-host-keys
              subPath: ssh_host_rsa_key
              readOnly: true

However, when I look at the files in the Pod the file permissions are incorrect:

-rw-r--r-- 1 root root 553122 Aug 21  2018 moduli
-rw-r--r-- 1 root root   1723 Aug 21  2018 ssh_config
-rw-r----- 1 root 1337    410 May 11 10:33 ssh_host_ed25519_key
-rw-r----- 1 root 1337   3242 May 11 10:33 ssh_host_rsa_key
-rw-r--r-- 1 root 1337    465 May 11 10:33 sshd_config

i.e. the keys have permissions 0644 instead of 0600.

I don't know why this might be happening.

the_witch_king_of_angmar asked May 11 '20 10:05


2 Answers

According to the documentation, owing to JSON limitations, you must specify the mode in decimal notation.

Look at the example provided in the documentation:

apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mypod
    image: redis
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
  volumes:
  - name: foo
    secret:
      secretName: mysecret
      defaultMode: 256

256 decimal is equivalent to 0400 in octal. In your specific case, you should use defaultMode: 384 to get 0600 to have the desired permissions.

You can convert octal permissions here.

Mark Watney answered Sep 20 '22 14:09
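The conversion the answer above describes, plus the check a practitioner would want before applying a manifest, as an added example that is not part of the original answer or of Kubernetes itself. Two things in it are my assumptions rather than statements from the page: that the API server accepts defaultMode only in the range 0..0777 octal (so a decimal 600, which is 0o1130, is rejected rather than silently misread), and that when pod.spec.securityContext.fsGroup is set the kubelet chowns each file to that group and ORs its mode with 0440 for read-only volumes (secrets are always mounted read-only) or 0660 for read-write ones. Check both against the Kubernetes version you run. With fsGroup set, the helper predicts rw-r----- for a 0600 request, which is what the listing in the question shows; whether that pod set fsGroup is not stated on the page.

```python
"""Helpers for getting a Kubernetes secret volume's defaultMode right and
for predicting what the kubelet will actually leave on disk.

Assumed (not stated on the page; verify for your cluster version):
  * defaultMode must be in 0..0777 octal, i.e. 0..511 decimal.
  * With fsGroup set, the kubelet ORs file modes with 0440 (read-only
    volumes, which secrets always are) or 0660 (read-write volumes).
"""

MAX_MODE = 0o777
RO_MASK = 0o440   # assumed kubelet mask for read-only volumes (secrets)
RW_MASK = 0o660   # assumed kubelet mask for read-write volumes


def default_mode_from_octal(text: str) -> int:
    """Turn the mode as a human writes it ('0600', '600', '0o600') into the
    decimal integer that belongs in defaultMode (JSON has no octal literal)."""
    return int(text, 8)


def default_mode_to_octal(mode: int) -> str:
    return format(mode, "04o")


def validate_default_mode(mode: int) -> None:
    """Reject values the API server would refuse. The classic mistake is
    writing defaultMode: 600 (decimal 600 == 0o1130) when 0600 was meant."""
    if not 0 <= mode <= MAX_MODE:
        raise ValueError(
            f"defaultMode {mode} ({default_mode_to_octal(mode)} octal) is outside 0..0777"
        )


def effective_mode(mode: int, fs_group_set: bool, read_only: bool = True) -> int:
    """Mode a file will have after the kubelet's (assumed) fsGroup pass."""
    validate_default_mode(mode)
    if not fs_group_set:
        return mode
    return mode | (RO_MASK if read_only else RW_MASK)


def audit_secret_volumes(pod_spec: dict) -> list:
    """Return one finding per secret volume whose files end up readable by
    anyone other than the owning user, or whose defaultMode is invalid."""
    findings = []
    fs_group_set = pod_spec.get("securityContext", {}).get("fsGroup") is not None
    for vol in pod_spec.get("volumes", []):
        sec = vol.get("secret")
        if sec is None:
            continue
        mode = sec.get("defaultMode", 0o644)   # API default when unset
        try:
            eff = effective_mode(mode, fs_group_set)
        except ValueError as exc:
            findings.append(f"{vol['name']}: {exc}")
            continue
        if eff & 0o077:
            findings.append(
                f"{vol['name']}: defaultMode {default_mode_to_octal(mode)} becomes "
                f"{default_mode_to_octal(eff)} on disk"
                + (" (fsGroup adds group bits)" if fs_group_set else "")
            )
    return findings


# Constructed pod spec modelled on the question: one secret volume asking for
# 0600 (384 decimal) in a pod that also sets fsGroup, and one with the
# decimal-600 mistake.
EXAMPLE_POD_SPEC = {
    "securityContext": {"fsGroup": 1337},
    "volumes": [
        {"name": "ssh-host-keys",
         "secret": {"secretName": "ftp-ssh-host-keys",
                    "defaultMode": default_mode_from_octal("0600")}},
        {"name": "broken",
         "secret": {"secretName": "x", "defaultMode": 600}},
    ],
}

if __name__ == "__main__":
    for line in audit_secret_volumes(EXAMPLE_POD_SPEC):
        print(line)
```

The safe habit is to write the decimal value (384 for 0600) in the manifest, since whether an unquoted `0600` is read as octal depends on which YAML parser turns the file into JSON. If the audit reports group bits you did not ask for, look at the pod's fsGroup before blaming defaultMode.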


I think a common confusion is that the files are linked, so ls will show the link permissions by default. See more details here.

Simply add -L (ls -laL /path/to/directory/) to dereference the links.

If that doesn't do the trick, maybe you are facing this bug.

omricoco answered Sep 16 '22 14:09
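The point of the answer above, shown on a constructed directory rather than a real pod, as an added example that is not part of the original answer. The layout it rebuilds (a timestamped data directory, a `..data` symlink to it, and one symlink per key at the top level) is my assumption about how the kubelet lays out a secret volume; confirm it with `ls -la` inside a real pod. The functions show the difference between what `ls -l` reports (the link's own bits, via lstat) and what `ls -lL` reports (the target's bits, via stat), and give a check that dereferences before comparing.

```python
"""Rebuild a secret-volume-like layout in a temp directory and show why a
plain ls reports the symlink's mode rather than the key file's.

The directory layout is an assumption about the kubelet's projection
(<root>/<key> -> ..data/<key>, <root>/..data -> <timestamped dir>).
The key material is a constructed placeholder, not a real key.
"""
import os
import stat
import tempfile

KEY_NAME = "ssh_host_rsa_key"
DATA_DIR = "..2020_05_11_10_33_00.000000"   # constructed timestamp directory


def make_fake_secret_volume(mode: int = 0o600) -> str:
    """Create <tmp>/<DATA_DIR>/<KEY_NAME> with the requested mode plus the
    two symlink levels, and return the volume root."""
    root = tempfile.mkdtemp(prefix="secret-vol-")
    data = os.path.join(root, DATA_DIR)
    os.mkdir(data, 0o700)
    key_path = os.path.join(data, KEY_NAME)
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    with os.fdopen(fd, "w") as fh:
        fh.write("constructed placeholder, not a real key\n")
    os.chmod(key_path, mode)   # umask may have dropped bits at open()
    os.symlink(DATA_DIR, os.path.join(root, "..data"))
    os.symlink(os.path.join("..data", KEY_NAME), os.path.join(root, KEY_NAME))
    return root


def is_symlink(path: str) -> bool:
    return stat.S_ISLNK(os.lstat(path).st_mode)


def link_mode(path: str) -> int:
    """What `ls -l` shows for a symlink: the link's own permission bits."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def target_mode(path: str) -> int:
    """What `ls -lL` shows: the bits of the file the link resolves to."""
    return stat.S_IMODE(os.stat(path).st_mode)


def check_secret_file(path: str, want: int = 0o600) -> bool:
    """The check to run inside the pod: dereference, then compare modes."""
    return target_mode(path) == want


if __name__ == "__main__":
    root = make_fake_secret_volume()
    key = os.path.join(root, KEY_NAME)
    print(f"{key}: symlink={is_symlink(key)} "
          f"link bits={link_mode(key):04o} target bits={target_mode(key):04o}")
```

Note that a mount using `subPath`, as in the question, binds the file itself rather than the symlink, so `ls -L` changes nothing there; the dereferencing check is still the right one to script, because it gives the same answer whichever way the volume was mounted.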