I am mounting a k8s secret as a volume mount, and the files in the pod have the wrong permissions.

In my Deployment I have this entry in the volumes array:

- name: ssh-host-keys
  secret:
    secretName: ftp-ssh-host-keys
    defaultMode: 0600

which is then mounted like this:

- mountPath: /etc/ssh/ssh_host_rsa_key
  name: ssh-host-keys
  subPath: ssh_host_rsa_key
  readOnly: true
However, when I look at the files in the Pod, the file permissions are incorrect:

-rw-r--r-- 1 root root 553122 Aug 21 2018 moduli
-rw-r--r-- 1 root root 1723 Aug 21 2018 ssh_config
-rw-r----- 1 root 1337 410 May 11 10:33 ssh_host_ed25519_key
-rw-r----- 1 root 1337 3242 May 11 10:33 ssh_host_rsa_key
-rw-r--r-- 1 root 1337 465 May 11 10:33 sshd_config
i.e. the keys have permissions 0644 instead of 0600.
I don't know why this might be happening.
I think a common confusion is that the files are linked, so ls will show the link permissions by default. See more details here.

Simply add -L to dereference the link: ls -laL /path/to/directory/

If that doesn't do the trick, maybe you are facing this bug.
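The symlink point above, as an added example (my own code, not part of the answer): Kubernetes projects secret files as symlinks into a timestamped data directory, so ls -l reports the link's own bits while ls -lL reports the target's. The script below builds that situation in a temporary directory (the file name is a constructed stand-in, no real key material) and reads both views the same way ls does, with os.lstat and os.stat.

```python
import os
import stat
import tempfile


def link_vs_target_modes(mode=0o600):
    """Create a regular file with the given mode plus a symlink to it and
    return (is_symlink, link_bits, target_bits).

    link_bits   comes from os.lstat, which does not follow the link; this is
                what `ls -l` prints (typically 0777 on Linux, so the file
                looks far too permissive).
    target_bits comes from os.stat, which follows the link; this is what
                `ls -lL` prints and is the mode that actually applies to
                the secret data.
    """
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample names; nothing here is a real host key.
        target = os.path.join(tmp, "ssh_host_rsa_key")
        link = os.path.join(tmp, "link_to_key")
        with open(target, "w") as fh:
            fh.write("constructed placeholder, not a real key\n")
        os.chmod(target, mode)
        os.symlink(target, link)

        link_mode = os.lstat(link).st_mode      # the link itself
        target_mode = os.stat(link).st_mode     # dereferenced, like ls -L
        return (stat.S_ISLNK(link_mode),
                stat.S_IMODE(link_mode),
                stat.S_IMODE(target_mode))


if __name__ == "__main__":
    is_link, link_bits, target_bits = link_vs_target_modes()
    print(f"is symlink: {is_link}; ls -l shows {link_bits:04o}; "
          f"ls -lL shows {target_bits:04o}")
```

The permission check that matters for the key files is the dereferenced one; if that shows 0600 the secret is protected as intended, whatever the link bits say.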
According to the documentation, owing to JSON limitations, you must specify the mode in decimal notation. Look at the example provided in the documentation:

apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mypod
    image: redis
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
  volumes:
  - name: foo
    secret:
      secretName: mysecret
      defaultMode: 256

256 decimal is equivalent to 0400 in octal. In your specific case, you should use defaultMode: 384 to get 0600 and have the desired permissions.
You can convert octal permissions here.
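The octal/decimal conversion this answer describes is easy to get wrong in the other direction too: writing 600 where 384 was meant yields 0o1130, which is not a mode at all. As an added example (my own code, not from the answer or the Kubernetes project), here is a small pre-deployment check that converts an octal mode string to the decimal defaultMode value and lints the secret and configMap volumes of a pod spec for values that exceed 0777, values whose digits are ambiguous between octal and decimal, and modes that expose secret data to group or other. The volumes list is constructed for the example and modelled on the question's ssh-host-keys entry; in practice it would come from the parsed manifest (for instance the output of kubectl get -o json).

```python
# Constructed sample: a pod spec's volumes list, with one deliberately wrong
# entry (600 written as decimal) and one with an ambiguous value (400).
SAMPLE_VOLUMES = [
    {"name": "ssh-host-keys",
     "secret": {"secretName": "ftp-ssh-host-keys", "defaultMode": 600}},
    {"name": "app-config",
     "configMap": {"name": "app-config", "defaultMode": 400}},
    {"name": "tls",
     "secret": {"secretName": "tls", "defaultMode": 384}},
    {"name": "scratch", "emptyDir": {}},
]


def octal_to_default_mode(octal_text):
    """'0600' -> 384, '0400' -> 256: the decimal value for a JSON manifest."""
    return int(octal_text, 8)


def check_default_mode(value):
    """Classify one defaultMode value; returns (level, message)."""
    if isinstance(value, bool) or not isinstance(value, int) or value < 0:
        return ("error", f"defaultMode {value!r} is not a non-negative integer")
    digits = str(value)
    looks_octal = value > 0 and all(d in "01234567" for d in digits)
    if value > 0o777:
        # 600 decimal is 0o1130: not a mode, almost certainly 0600 typed
        # without converting to decimal.
        hint = f"; if you meant 0{digits}, write {int(digits, 8)}" if looks_octal else ""
        return ("error",
                f"defaultMode {value} exceeds 0777 (decimal {value} is 0o{value:o}){hint}")
    notes = []
    if looks_octal:
        # 400 decimal is the valid but odd 0o620; 0400 octal would be 256.
        notes.append(f"ambiguous: decimal {value} is 0o{value:03o}, "
                     f"octal 0{digits} would be {int(digits, 8)}")
    if value & 0o077:
        # Any group/other bit set means the secret is readable or writable
        # beyond the owning user.
        notes.append(f"0o{value:03o} grants group/other access to the secret data")
    if notes:
        return ("warn", f"defaultMode {value}: " + "; ".join(notes))
    return ("ok", f"defaultMode {value} (0o{value:03o})")


def lint_volumes(volumes):
    """Walk a pod spec's volumes list and return (volume name, level, message)
    for every secret and configMap volume."""
    findings = []
    for vol in volumes:
        for kind in ("secret", "configMap"):
            src = vol.get(kind)
            if src is None:
                continue
            if "defaultMode" not in src:
                findings.append((vol["name"], "info",
                                 f"{kind}: defaultMode unset, Kubernetes applies 0644 (420)"))
                continue
            level, msg = check_default_mode(src["defaultMode"])
            findings.append((vol["name"], level, f"{kind}: {msg}"))
    return findings


if __name__ == "__main__":
    print("0600 ->", octal_to_default_mode("0600"))
    for name, level, msg in lint_volumes(SAMPLE_VOLUMES):
        print(f"[{level}] {name}: {msg}")
```

The ambiguity warning fires for any value made only of digits 0 to 7, so it also flags legitimate decimals such as 420; it asks the reviewer to confirm rather than deciding, while the "exceeds 0777" case is a hard error because no such mode exists.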