Kubernetes 1.4 secret file permission not working?


Matt Reynolds
Oct 7, 2016, 2:07:40 PM
to Kubernetes user discussion and Q&A
I put this on Stack Overflow but it hasn't had any response yet, so I'm reposting here for help...

Running K8s 1.4 with minikube on Mac. I have the following in my replication controller yaml:

volumes:
  - name: secret-volume
    secret:
      secretName: config-ssh-key-secret
      # items is a sibling of secretName, not a child of it
      items:
        - key: "id_rsa"
          path: ./id_rsa
          mode: 0400
        - key: "id_rsa.pub"
          path: ./id_rsa.pub
        - key: "known_hosts"
          path: ./known_hosts
volumeMounts:
  - name: secret-volume
    readOnly: true
    mountPath: /root/.ssh

when I exec into a pod and check, I see the following:

~/.ssh # ls -ltr
lrwxrwxrwx    1 root     root            18 Oct  6 17:01 known_hosts -> ..data/known_hosts
lrwxrwxrwx    1 root     root            17 Oct  6 17:01 id_rsa.pub -> ..data/id_rsa.pub
lrwxrwxrwx    1 root     root            13 Oct  6 17:01 id_rsa -> ..data/id_rsa

plus looking at the ~ level:

drwxrwxrwt    3 root     root           140 Oct  6 17:01 .ssh

So the directory isn't read-only and the file permissions seem to have been ignored (even the default 0644 doesn't seem to be working). Am I doing something wrong or is this a bug?


Link to Stack Overflow: http://stackoverflow.com/questions/39902430/kubernetes-1-4-secret-file-permission-not-working

Rodrigo Campos
Oct 7, 2016, 5:56:57 PM
to kubernet...@googlegroups.com
Oh, maybe this should be clearer in the docs.

But the files you see are symlinks to the real file that has the permission you specified. The permissions you see are the standard symlink permissions.

If you specify 0400, then the file the symlink points to should have that. And I'm quite sure I tested using it with ssh keys and it was fine, but maybe I tested it wrong? :-/

Doesn't it work for you?
--
You received this message because you are subscribed to the Google Groups "Kubernetes user discussion and Q&A" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-users+unsubscribe@googlegroups.com.
To post to this group, send email to kubernetes-users@googlegroups.com.
Visit this group at https://groups.google.com/group/kubernetes-users.
For more options, visit https://groups.google.com/d/optout.

Matt Reynolds
Oct 7, 2016, 6:26:56 PM
to kubernet...@googlegroups.com
Ah ok, thanks Rodrigo - that makes sense. I just saw the permissions and figured I had a problem. I'm having VPN issues today so I won't be able to test it out until Monday. I'll check it then and respond here and close out the Stack Overflow question if it's working.

--
Cheers,

Matt

Rodrigo Campos
Oct 7, 2016, 6:55:00 PM
to kubernet...@googlegroups.com
And to avoid confusion: this symlink is the behavior for configmaps and secrets, whether you specify a mode or not (since k8s 1.3).

If you specify the mode, it changes the mode of the file it points to. But I don't think that should be a problem. Is it for you?


Thanks a lot,
Rodrigo
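Added example, not from the thread: a POSIX shell helper that follows the symlink and reports the mode of the real file under ..data/, which is what the `mode` in the volume spec sets. It builds a constructed replica of the mount layout (the ..data timestamp directory name is made up) so it can be tried offline; inside the pod, `effective_mode /root/.ssh id_rsa` checks the real mount.

```shell
#!/bin/sh
# Kubernetes mounts each secret key as a symlink into ..data/, so `ls -l`
# shows lrwxrwxrwx for the link rather than the mode you configured.
# These helpers look through the link at the file that actually holds the key.
set -eu

# effective_mode DIR NAME: print the octal mode of the file NAME resolves to.
effective_mode() {
  target=$(readlink -f "$1/$2")
  # GNU stat first; fall back to BSD/macOS stat if -c is unsupported.
  stat -c '%a' "$target" 2>/dev/null || stat -f '%OLp' "$target"
}

# check_secret_mode DIR NAME EXPECTED: succeed only if the resolved file
# has exactly the expected octal mode (e.g. 400 for a private key).
check_secret_mode() {
  [ "$(effective_mode "$1" "$2")" = "$3" ]
}

# make_fake_mount DIR: constructed replica of a secret volume for offline
# testing: ..data -> timestamped dir, and per-key symlinks into ..data/.
make_fake_mount() {
  d=$1
  mkdir -p "$d/..2016_10_06_17_01"
  ln -s ..2016_10_06_17_01 "$d/..data"
  printf 'PRIVATE KEY (constructed sample)\n' > "$d/..data/id_rsa"
  chmod 0400 "$d/..data/id_rsa"          # mode: 0400 from the volume spec
  printf 'ssh-rsa AAAA (constructed sample)\n' > "$d/..data/id_rsa.pub"
  chmod 0644 "$d/..data/id_rsa.pub"      # default mode when none is given
  ln -s ..data/id_rsa "$d/id_rsa"
  ln -s ..data/id_rsa.pub "$d/id_rsa.pub"
}
```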

Rodrigo Campos
Oct 7, 2016, 6:55:38 PM
to kubernet...@googlegroups.com
Oh awesome! If you have any questions or issues with this, please don't hesitate to tell me :-)

Matt Reynolds
Oct 10, 2016, 1:15:16 PM
to Kubernetes user discussion and Q&A
I checked my ssh key setup by exec'ing into the pod and performing a git clone over ssh requiring the provided key, and it works. I'll update my Stack Exchange Q and close it out.


Rodrigo Campos
Oct 10, 2016, 1:19:40 PM
to kubernet...@googlegroups.com
Awesome, thanks a lot for the update!