K
Q

ServiceAccount secrets are mounted with restrictive permissions in OpenTelekomCloud's ClusterContainerEngine

2/25/2019

I have a managed kubernetes setup, called Cluster Container Engine (CCE), in the Open Telekom Cloud. Their documentation can be found online.

My CCE has one master and three nodes. I can access the CCE through kubectl and deploy new pods onto it. When installing helm/tiller with RBAC according to the official docs I noticed that the ServiceAccount secret is mounted with very restricted permissions:

$ ls -al /var/run/secrets/kubernetes.io/serviceaccount/..data/
total 16
drwxr-xr-x    2 root     root           100 Feb 25 15:20 .
drwxrwxrwt    3 root     root           140 Feb 25 15:20 ..
-rw-------    1 root     root          8011 Feb 25 15:20 ca.crt
-rw-------    1 root     root            11 Feb 25 15:20 namespace
-rw-------    1 root     root           852 Feb 25 15:20 token

Only root can access these files which unfortunately means that the helm/tiller installation, which relies on the linux user nobody, fails.

I already have another kubernetes cluster running in azure (also managed, i.e. an AKS instance); pods created in the AKS kubernetes receive general read-access to the service account secret:

$ # the azure cluster
$ ls -al /var/run/secrets/kubernetes.io/serviceaccount/..data/
total 12
drwxr-xr-x 2 root root  100 Jan 24 08:12 .
drwxrwxrwt 3 root root  140 Jan 24 08:12 ..
-rw-r--r-- 1 root root 1720 Jan 24 08:12 ca.crt
-rw-r--r-- 1 root root    7 Jan 24 08:12 namespace
-rw-r--r-- 1 root root 1183 Jan 24 08:12 token

I'm looking for ideas on how to relax the file-access-permissions to match those in azure. This would enable non-root users to access the service account secrets and allow me to use helm. Any ideas?

Output from kubectl version:

Client Version: version.Info{Major:"1", Minor:"12", GitVersion:"v1.12.2", GitCommit:"17c77c7898218073f14c8d573582e8d2313dc740", GitTreeState:"clean", BuildDate:"2018-10-24T06:54:59Z", GoVersion:"go1.10.4", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"9+", GitVersion:"v1.9.2-CCE2.0.7-B003", GitCommit:"302f471a1e2caa114c9bb708c077fbb363aa2f13", GitTreeState:"clean", BuildDate:"2018-06-20T03:27:16Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"linux/amd64"}

All nodes use EulerOS_2.0_SP2 with kernel version 3.10.0-327.59.59.46.h38.x86_64.

-- elemakil
kubernetes

Similar Questions

Asp.NET Core HealthChecksUI - empty
How to deploy a dynamically scalable AI service that run on GPUs in GKE?
How to get pod's TCP or WebSocket connection count on Google Kubernetes Engine?
Inference time using of Tensorflow Object Detection
Jenkins on Kubernetes & Git: SSL Certificate Problem with Self Signed Certificates

1 Answer

3/5/2019

The permissions will be changed one of the March-2019-releases for CCE. You will be able to run Helm as you are used to latest end of March.

-- T.S.
Source: StackOverflow