I have a managed kubernetes setup, called Cluster Container Engine (CCE), in the Open Telekom Cloud. Their documentation can be found online.
My CCE has one master and three nodes. I can access the CCE through kubectl and deploy new pods onto it. When installing helm/tiller with RBAC according to the official docs I noticed that the ServiceAccount secret is mounted with very restricted permissions:
$ ls -al /var/run/secrets/kubernetes.io/serviceaccount/..data/
total 16
drwxr-xr-x 2 root root 100 Feb 25 15:20 .
drwxrwxrwt 3 root root 140 Feb 25 15:20 ..
-rw------- 1 root root 8011 Feb 25 15:20 ca.crt
-rw------- 1 root root 11 Feb 25 15:20 namespace
-rw------- 1 root root 852 Feb 25 15:20 token
Only root can access these files, which unfortunately means that the helm/tiller installation, which relies on the Linux user nobody, fails.
I already have another kubernetes cluster running in azure (also managed, i.e. an AKS instance); pods created in the AKS kubernetes receive general read-access to the service account secret:
$ # the azure cluster
$ ls -al /var/run/secrets/kubernetes.io/serviceaccount/..data/
total 12
drwxr-xr-x 2 root root 100 Jan 24 08:12 .
drwxrwxrwt 3 root root 140 Jan 24 08:12 ..
-rw-r--r-- 1 root root 1720 Jan 24 08:12 ca.crt
-rw-r--r-- 1 root root 7 Jan 24 08:12 namespace
-rw-r--r-- 1 root root 1183 Jan 24 08:12 token
I'm looking for ideas on how to relax the file-access permissions to match those in Azure. This would enable non-root users to access the service account secrets and allow me to use helm. Any ideas?
Output from kubectl version:
Client Version: version.Info{Major:"1", Minor:"12", GitVersion:"v1.12.2", GitCommit:"17c77c7898218073f14c8d573582e8d2313dc740", GitTreeState:"clean", BuildDate:"2018-10-24T06:54:59Z", GoVersion:"go1.10.4", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"9+", GitVersion:"v1.9.2-CCE2.0.7-B003", GitCommit:"302f471a1e2caa114c9bb708c077fbb363aa2f13", GitTreeState:"clean", BuildDate:"2018-06-20T03:27:16Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"linux/amd64"}
All nodes use EulerOS_2.0_SP2 with kernel version 3.10.0-327.59.59.46.h38.x86_64.
The permissions will be changed in one of the March 2019 releases for CCE. You will be able to run Helm as you are used to by the end of March at the latest.