Setting defaultMode is not Fully Respected When Pod.spec.securityContext.runAsUser is Set #57923

@pnovotnak

Description

Is this a BUG REPORT or FEATURE REQUEST?:

/kind bug

What happened:

Setting Pod.spec.securityContext.runAsUser causes the group read permission bit to be set on secrets exposed via volumes, even if Pod.spec.volumes[x].defaultMode is set to 256.

See also: openshift/origin#16424

What you expected to happen:

Given a defaultMode of 256 the file mode should be 0400 but it is 0440 instead.

How to reproduce it (as minimally and precisely as possible):

Create the following objects and observe the logs of the created pod:

---
apiVersion: v1
data:
  test: dGVzdA==
kind: Secret
metadata:
  name: test-secret
type: Opaque

---
apiVersion: v1
kind: Pod
metadata:
  generateName: issue-repro-
spec:
  securityContext:
    runAsUser: 1000
    fsGroup: 1000
  containers:
  - image: busybox
    name: busybox
    imagePullPolicy: IfNotPresent
    args:
    - "ls"
    - "-alR"
    - "/tmp/dummy-secret"
    volumeMounts:
    - mountPath: /tmp/dummy-secret
      name: test-secret

  volumes:
  - name: test-secret
    secret:
      defaultMode: 256
      secretName: test-secret

Anything else we need to know?:

Environment:

  • Kubernetes version (use kubectl version):
$ kubectl version
Client Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.0", GitCommit:"925c127ec6b946659ad0fd596fa959be43f0cc05", GitTreeState:"clean", BuildDate:"2017-12-16T03:15:38Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"8", GitVersion:"v1.8.0", GitCommit:"0b9efaeb34a2fc51ff8e4d34ad9bc6375459c4a4", GitTreeState:"clean", BuildDate:"2017-11-29T22:43:34Z", GoVersion:"go1.9.1", Compiler:"gc", Platform:"linux/amd64"}
  • Cloud provider or hardware configuration:
$ minikube version
minikube version: v0.24.1
  • OS (e.g. from /etc/os-release):
$ cat /etc/os-release
NAME=Buildroot
VERSION=2017.02
ID=buildroot
VERSION_ID=2017.02
PRETTY_NAME="Buildroot 2017.02"
  • Kernel (e.g. uname -a):
$ uname -a
Linux minikube 4.9.13 #1 SMP Thu Oct 19 17:14:00 UTC 2017 x86_64 GNU/Linux
  • Install tools:
  • Others:
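The mismatch this report describes (a `defaultMode` of 256, i.e. octal 0400, ending up as 0440 once `fsGroup` is applied) is easy to miss by eye in `ls -alR` output. The following added example, which is not part of the issue or of Kubernetes itself, parses `ls -l` style lines and reports every regular file whose permission bits exceed the requested `defaultMode`. The sample listing is constructed to look like busybox output for the pod above; it is not captured from a real cluster.

```python
import re
import stat

# Constructed sample resembling `ls -alR /tmp/dummy-secret` inside the pod;
# not real output from the reporter's environment.
SAMPLE_LS = """\
/tmp/dummy-secret/..data:
total 4
drwxr-sr-x    2 root     1000          60 Jan  8 12:00 .
drwxrwsrwt    3 root     1000         100 Jan  8 12:00 ..
-r--r-----    1 root     1000           4 Jan  8 12:00 test
"""

# Matches one `ls -l` line: type+mode, link count, user, group, size, date (3 fields), name.
LS_LINE = re.compile(
    r"^(?P<mode>[-dlbcps][rwxsStT-]{9})\s+\d+\s+(?P<user>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<name>.+)$"
)

# Permission bit for each of the nine symbolic positions.
RWX_BITS = [
    stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
    stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
    stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH,
]
# Positions where setuid / setgid / sticky show up as s/S/t/T.
SPECIAL_BITS = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}


def parse_symbolic_mode(sym: str) -> int:
    """Convert a nine-character symbolic mode such as 'r--r-----' to an integer (0o440)."""
    if len(sym) != 9:
        raise ValueError(f"expected 9 mode characters, got {sym!r}")
    perms = 0
    for i, ch in enumerate(sym):
        if ch == "-":
            continue
        if ch in "rwx":
            perms |= RWX_BITS[i]
        elif ch in "sStT" and i in SPECIAL_BITS:
            perms |= SPECIAL_BITS[i]
            if ch in "st":           # lowercase means the execute bit is also set
                perms |= RWX_BITS[i]
        else:
            raise ValueError(f"unexpected mode character {ch!r} at position {i}")
    return perms


def default_mode_to_octal(default_mode: int) -> str:
    """Render the decimal defaultMode from a Pod spec as the octal string an admin expects."""
    return f"{default_mode:04o}"


def audit_secret_modes(ls_output: str, default_mode: int) -> list:
    """Return (name, observed, excess) for regular files with bits beyond default_mode.

    Directories, symlinks, 'total' lines and path headers are skipped, because
    the check is about the projected secret files themselves.
    """
    findings = []
    for line in ls_output.splitlines():
        m = LS_LINE.match(line)
        if not m or not m.group("mode").startswith("-"):
            continue
        observed = parse_symbolic_mode(m.group("mode")[1:])
        excess = observed & ~default_mode & 0o7777
        if excess:
            findings.append((m.group("name"), f"{observed:04o}", f"{excess:04o}"))
    return findings


if __name__ == "__main__":
    print("requested:", default_mode_to_octal(256))
    for name, observed, excess in audit_secret_modes(SAMPLE_LS, 256):
        print(f"{name}: observed {observed}, extra bits {excess}")
```

Run against a real pod, the listing would come from `kubectl logs` of a pod like the one in the report; feeding that text to `audit_secret_modes` with the spec's `defaultMode` makes the extra group-read bit explicit rather than something to spot in a column of dashes.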

Metadata

Assignees

No one assigned

Labels

  • kind/bug: Categorizes issue or PR as related to a bug.
  • lifecycle/frozen: Indicates that an issue or PR should not be auto-closed due to staleness.
  • priority/important-longterm: Important over the long term, but may not be staffed and/or may need multiple releases to complete.
  • sig/storage: Categorizes an issue or PR as relevant to SIG Storage.
  • triage/accepted: Indicates an issue or PR is ready to be actively worked on.

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests