Kubernetes 1.4 secret file permission not working

10/6/2016

Running K8s 1.4 with minikube on Mac. I have the following in my replication controller YAML:

volumes:
  - name: secret-volume
    secret:
      secretName: config-ssh-key-secret
      # items must sit at the same level as secretName, not nested under it
      items:
        - key: "id_rsa"
          path: ./id_rsa
          mode: 0400
        - key: "id_rsa.pub"
          path: ./id_rsa.pub
        - key: "known_hosts"
          path: ./known_hosts
volumeMounts:
  - name: secret-volume
    readOnly: true
    mountPath: /root/.ssh

When I exec into a pod and check, I see the following:

~/.ssh # ls -ltr
lrwxrwxrwx    1 root     root            18 Oct  6 17:01 known_hosts -> ..data/known_hosts
lrwxrwxrwx    1 root     root            17 Oct  6 17:01 id_rsa.pub -> ..data/id_rsa.pub
lrwxrwxrwx    1 root     root            13 Oct  6 17:01 id_rsa -> ..data/id_rsa

Plus, looking at the ~ level:

drwxrwxrwt    3 root     root           140 Oct  6 17:01 .ssh

So the directory isn't read-only and the file permissions seem to have been ignored (even the default 0644 doesn't seem to be working). Am I doing something wrong, or is this a bug?

-- Matt Reynolds
kubernetes

1 Answer

10/10/2016

The .ssh directory has links to the actual files. Following the link shows the actual files have the correct permissions (read-only for id_rsa).

I validated the SSH setup would actually work by exec'ing into a container generated from that replication controller and doing a git clone via SSH to a repo holding that key.

-- Matt Reynolds
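The point of the answer is that plain `ls -l` on a secret volume reports the mode of the symlink (always `lrwxrwxrwx`), not of the file it points to in `..data/`. The script below is an added example, not part of the original question or answer and not from the Kubernetes project: it rebuilds the same layout (real files under `..data/`, symlinks at the top level) in a temporary directory with constructed key contents, then shows how to read the effective mode through the link and how to check that a private key has the mode `ssh` will accept. The function names and the `check_ssh_key_mode` rule (accept 0400 or 0600 only) are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Mimics the layout a kubelet secret
# volume has: real files under ..data/, symlinks at the top level of the mount.
set -e

# Build a constructed secret volume with the same modes the question asks for.
make_fake_secret_volume() {
  dir="$1"
  mkdir -p "$dir/..data"
  printf 'constructed-private-key\n' > "$dir/..data/id_rsa"      # constructed content
  printf 'constructed-public-key\n'  > "$dir/..data/id_rsa.pub"  # constructed content
  chmod 0400 "$dir/..data/id_rsa"       # items[].mode: 0400
  chmod 0644 "$dir/..data/id_rsa.pub"   # default 0644
  ln -sf "..data/id_rsa"     "$dir/id_rsa"
  ln -sf "..data/id_rsa.pub" "$dir/id_rsa.pub"
}

# Octal mode of the symlink itself: what `ls -l` in the pod shows (777 on Linux).
# GNU/busybox stat takes -c; BSD/macOS stat takes -f, hence the fallback.
link_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Octal mode of the file the link points to: what actually governs access.
# -L makes stat follow the symlink (equivalently: `ls -lL`).
target_mode() {
  stat -L -c '%a' "$1" 2>/dev/null || stat -L -f '%OLp' "$1"
}

# ssh refuses a private key that is readable by group/other; accept 400 or 600.
# Returns 0 when the effective mode is acceptable, 1 otherwise.
check_ssh_key_mode() {
  mode="$(target_mode "$1")"
  case "$mode" in
    400|600) return 0 ;;
    *) echo "$1: effective mode $mode is too permissive for ssh" >&2; return 1 ;;
  esac
}

# Demo: compare what the link reports with what the target reports.
demo_dir="$(mktemp -d)"
make_fake_secret_volume "$demo_dir"
for f in id_rsa id_rsa.pub; do
  echo "$f: link mode $(link_mode "$demo_dir/$f"), target mode $(target_mode "$demo_dir/$f")"
done
check_ssh_key_mode "$demo_dir/id_rsa" && echo "id_rsa mode is acceptable for ssh"
rm -rf "$demo_dir"
```

Inside a pod the same check is `stat -L -c '%a' ~/.ssh/id_rsa` (or `ls -lL ~/.ssh`). The `drwxrwxrwt` on the `.ssh` directory is the mode of the tmpfs that backs the secret volume; `readOnly: true` is enforced by mounting it read-only (it shows up as `ro` in `/proc/mounts`), not by the directory's mode bits.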
Source: StackOverflow