Mounting OpenShift secrets into volumes / files with restricted access rights

11/26/2018

I am mounting an OpenShift 3.11 secret into a container by virtue of this new section inside the container's element in `dc.spec.template.spec.containers`:

volumeMounts:
- name: my-secret
  mountPath: /mnt/my-secret
  readOnly: true

and that new section into dc.spec.template.spec.containers:

volumes:
- name: my-secret
  secret:
    secretName: my-secret

My `my-secret` has been created from a private key like so:

oc create secret generic my-secret \
  --type=kubernetes.io/ssh-auth \
  --from-file=ssh-privatekey=my-private-key

At container runtime, I find the armored private key in a file /mnt/my-secret/ssh-privatekey. How can I ensure that only the UID which runs the container (a random UID under OpenShift rules) can read from that file, i.e. enforce a file mode akin to 0400?

-- rookie099
kubernetes
mount
openshift
secret-key

1 Answer

11/27/2018

Setting `dc.spec.template.spec.volumes.secret.defaultMode` (as suggested in the comment) to 0644 seems to have the desired effect on the private key in a file symlinked from `/mnt/my-secret/ssh-privatekey`.

-- rookie099
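As an added example (not code from the question or the answer above), the POSIX shell helpers below cover the two places this setting usually goes wrong in practice. First, the API stores `secret.defaultMode` (and the per-key `items[].mode`) as a decimal integer: `0400` in YAML is read as octal and becomes 256, but `defaultMode: 400` without the leading zero is decimal 400, i.e. octal 0620, and a JSON patch has to carry the decimal value. Second, the entry under the mount path is a symlink into `..data/`, so `stat` without `-L` reports the link's 0777 rather than the key file's real mode. The helpers also print the resolved owner and group, because on a Kubernetes secret volume the files are owned by root; when the pod has an `fsGroup` (OpenShift's restricted SCC assigns one) the kubelet sets the group to it and adds the group-read bit, so a `defaultMode` of 0400 shows up as 0440 and the random container UID reads the key through that group, never as the owner. The DeploymentConfig name `my-app` and the volume index `0` are assumptions for the `oc patch` usage; the on-disk fixture is a constructed stand-in for the kubelet's layout so the checks run offline.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers for setting secret.defaultMode
# on a DeploymentConfig and for checking the mode the kubelet actually applied.
# Assumptions (hypothetical): a dc named "my-app" whose secret volume is index 0
# in spec.template.spec.volumes.
set -eu

# Octal mode string ("0400" or "400") -> decimal integer as stored by the API.
# "defaultMode: 400" (no leading zero) in YAML is decimal 400 = octal 0620.
octal_to_decimal() {
  rest=$1 dec=0
  while [ -n "$rest" ]; do
    digit=${rest%"${rest#?}"}      # first character of $rest
    rest=${rest#?}
    dec=$(( dec * 8 + digit ))
  done
  printf '%d\n' "$dec"
}

# Decimal integer (API representation) -> zero-padded octal string.
decimal_to_octal() {
  printf '%04o\n' "$1"
}

# JSON Patch body that sets defaultMode on the secret volume at index $1 to octal $2.
# Usage: oc patch dc/my-app --type=json -p "$(defaultmode_patch 0 0400)"
defaultmode_patch() {
  printf '[{"op":"add","path":"/spec/template/spec/volumes/%s/secret/defaultMode","value":%d}]\n' \
    "$1" "$(octal_to_decimal "$2")"
}

# Mode of the file a secret-volume entry resolves to. The entry is a symlink into
# ..data/, so -L is required. GNU stat first, BSD stat as fallback.
effective_mode() {
  raw=$(stat -L -c '%a' "$1" 2>/dev/null || stat -L -f '%OLp' "$1")
  decimal_to_octal "$(octal_to_decimal "$raw")"
}

# Owner and group of the resolved file as "uid:gid". Expect root as owner and,
# with an fsGroup on the pod, that fsGroup as the group (with the group-read bit set).
effective_owner() {
  stat -L -c '%u:%g' "$1" 2>/dev/null || stat -L -f '%u:%g' "$1"
}

# Succeeds only if the resolved file has no "other" permission bits at all.
not_world_accessible() {
  mode=$(effective_mode "$1")
  [ "${mode#???}" = 0 ]
}

# Constructed offline stand-in for the kubelet's secret volume layout (simplified:
# ..data is a real directory here instead of a symlink to a timestamped one).
# Creates <dir>/..data/ssh-privatekey with mode $1 and <dir>/ssh-privatekey -> it.
make_fixture() {
  dir=$(mktemp -d)
  mkdir "$dir/..data"
  printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
                '(constructed placeholder, not a real key)' \
                '-----END OPENSSH PRIVATE KEY-----' > "$dir/..data/ssh-privatekey"
  chmod "$1" "$dir/..data/ssh-privatekey"
  ln -s ..data/ssh-privatekey "$dir/ssh-privatekey"
  printf '%s\n' "$dir"
}

demo() {
  echo "patch for 0400: $(defaultmode_patch 0 0400)"
  echo "YAML 'defaultMode: 400' actually means octal $(decimal_to_octal 400)"
  d=$(make_fixture 0400)
  echo "$d/ssh-privatekey -> mode $(effective_mode "$d/ssh-privatekey")," \
       "owner $(effective_owner "$d/ssh-privatekey")"
  rm -rf "$d"
}

# Run the offline demo only when invoked as: sh this_script.sh demo
if [ "${1:-}" = demo ]; then demo; fi
```

Inside a running pod the same checks apply directly to the real mount: `effective_mode /mnt/my-secret/ssh-privatekey` and `effective_owner /mnt/my-secret/ssh-privatekey` show what the kubelet actually produced, which is the number to compare against the `defaultMode` you set rather than the mode of the symlink itself.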
Source: StackOverflow