I'm projecting a token into a pod in order to use this token to authenticate to an external system. I do not fully trust the code that can potentially run in this pod, so I would like to use the token projection to perform the authentication and then remove the projected token, so that the code that will run at a later time cannot use it.
When deleting the projected token I get an error saying that the filesystem is read-only:

```
rm: can't remove '/var/run/secrets/tokens/..data': Read-only file system
rm: can't remove '/var/run/secrets/tokens/vault-token': Read-only file system
rm: can't remove '/var/run/secrets/tokens/..2019_12_06_09_50_26.580875372/vault-token': Read-only file system
```
When mounting the filesystem I specified that I want to mount it read-write (I use a PodPreset to inject the projected folder into pods):

```yaml
apiVersion: settings.k8s.io/v1alpha1
kind: PodPreset
metadata:
  name: pod-preset
  namespace: my-namespace
spec:
  selector:
    matchLabels:
      my-pod: job
  env:
  volumeMounts:
    - name: token-mounter
      mountPath: /var/run/secrets/tokens
      readOnly: false
  volumes:
    - name: token-mounter
      projected:
        sources:
          - serviceAccountToken:
              path: vault-token
              expirationSeconds: 7200
              audience: vault
```
Is there any way to make the projected file system writable or, in general, to remove the projected token?
No, as the error says, it uses a read-only ramdisk, so you can’t change things. I’m not 100% sure this is possible, but you could try using an initContainer to copy the token to a r/w ramdisk volume and then skip mounting the token volume in the main container entirely.
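The manifest below works through the init-container suggestion from the answer. It is an added example, not code from the question or the answer. The projected token volume is mounted only in the init container, which copies the token into a memory-backed `emptyDir` (a writable tmpfs); the main container mounts only that `emptyDir`, logs in, and then deletes the copy before handing control to the untrusted code. The service account name, the image tags, the `vault-login` helper and the `run-untrusted-job` command are placeholders assumed for the example.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: vault-job
  namespace: my-namespace
  labels:
    my-pod: job
spec:
  serviceAccountName: vault-job-sa          # assumed service account name
  # Keep the default token out of the pod as well; otherwise the untrusted code
  # could simply read /var/run/secrets/kubernetes.io/serviceaccount/token.
  automountServiceAccountToken: false
  restartPolicy: Never
  volumes:
    # The projected token: kubelet serves it from a read-only tmpfs, so it can
    # never be deleted from inside a container. Mount it ONLY in the init container.
    - name: token-mounter
      projected:
        sources:
          - serviceAccountToken:
              path: vault-token
              audience: vault
              # Keep this short: the copy made below is a snapshot that kubelet
              # will not refresh, so a long lifetime only widens the exposure window.
              expirationSeconds: 600
    # Writable, memory-backed scratch volume shared by both containers.
    # medium: Memory keeps the copy off disk; sizeLimit caps the tmpfs.
    - name: scratch
      emptyDir:
        medium: Memory
        sizeLimit: 1Mi
  initContainers:
    - name: copy-token
      image: busybox:1.36                   # assumed image
      command: ["sh", "-c"]
      args:
        - |
          set -eu
          umask 077
          cp /var/run/secrets/tokens/vault-token /scratch/vault-token
      volumeMounts:
        - name: token-mounter
          mountPath: /var/run/secrets/tokens
          readOnly: true
        - name: scratch
          mountPath: /scratch
  containers:
    - name: job
      image: example.com/untrusted-job:latest   # assumed image
      command: ["sh", "-c"]
      args:
        - |
          set -eu
          # vault-login is a hypothetical helper standing in for whatever
          # performs the authentication against the external system.
          ./vault-login --token-file /scratch/vault-token
          # /scratch is an emptyDir, so unlike the projected volume the copy
          # can be removed. Do it before any untrusted code starts.
          rm -f /scratch/vault-token
          exec ./run-untrusted-job
      volumeMounts:
        - name: scratch
          mountPath: /scratch
```

Two caveats worth checking before relying on this: the token is only gone once `rm` has run, so nothing else in the pod that shares the `scratch` volume (a sidecar, for example) should be started before that point; and whatever the login produces (a session, a Vault client token) is still present in the main container afterwards, so the untrusted code is denied the Kubernetes service account token, not every credential.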