podman kube play support posix permissions for configmap volumes #19313

Closed
n35k3nd1r opened this issue Jul 22, 2023 · 9 comments · Fixed by #20194
Labels
Good First Issue, kind/feature, kube, locked - please file new issue/PR

Comments


n35k3nd1r commented Jul 22, 2023

Feature request description

Kubernetes allows setting specific file permissions via the attribute "defaultMode":
https://kubernetes.io/docs/reference/kubernetes-api/config-and-storage-resources/volume/

configMap.defaultMode (int32)
defaultMode is optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.

Example Use case:
If one of the containers is started as "non-root" the access to the ConfigMap volume is limited.

Suggest potential solution

Include the feature according to the Kubernetes documentation.

Have you considered any alternatives?

As a workaround, you can change the rights via a script in advance.

Additional context

Example POD:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: dummy            # placeholder
spec:
  containers:
  - name: dummy          # placeholder
    image: dummy         # placeholder
    volumeMounts:
    - name: volume-config
      mountPath: "/etc/config"
      readOnly: false
  volumes:
  - configMap:
      defaultMode: 438   # decimal; equals octal 0666
      name: volume-config-file
      optional: false
    name: volume-config
```
n35k3nd1r added the kind/feature label Jul 22, 2023
@n35k3nd1r
Author

Just tested with 4.6.0 as well. Not implemented.

Member

rhatdan commented Jul 22, 2023

Interested in opening a PR?

rhatdan added the kube label Jul 22, 2023
@github-actions

A friendly reminder that this issue had no activity for 30 days.

Member

rhatdan commented Aug 25, 2023

So this means when it creates the volume it will have 438 mode?

rhatdan added the Good First Issue label Aug 25, 2023
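What `defaultMode: 438` resolves to on disk, as an added example that is not Podman's or Kubernetes' own code: the field is a decimal integer here, so 438 becomes octal 0666, while a decimal 444 silently becomes 0674 rather than 0444. `ResolveDefaultMode`, `WorldWritable` and `WriteConfigMapFiles` are hypothetical names; the 0..511 range and the 0644 default are taken from the Kubernetes text quoted in the issue.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// ResolveDefaultMode maps the optional, already-decoded defaultMode integer to
// permission bits: nil means the documented default 0644, and anything outside
// 0..511 (octal 0000..0777) is rejected.
func ResolveDefaultMode(defaultMode *int32) (fs.FileMode, error) {
	if defaultMode == nil {
		return 0644, nil
	}
	if *defaultMode < 0 || *defaultMode > 0777 {
		return 0, fmt.Errorf("defaultMode %d outside 0..511", *defaultMode)
	}
	return fs.FileMode(*defaultMode), nil
}

// WorldWritable reports whether users outside the owner and group may write.
func WorldWritable(m fs.FileMode) bool { return m&0002 != 0 }

// WriteConfigMapFiles (hypothetical helper) writes each key under dir, then
// chmods it, because the umask filters the mode given to WriteFile. Only the
// files are changed; the directory keeps its own mode.
func WriteConfigMapFiles(dir string, data map[string]string, m fs.FileMode) error {
	for key, val := range data {
		p := filepath.Join(dir, filepath.Base(key)) // keys are plain file names
		if err := os.WriteFile(p, []byte(val), m); err != nil {
			return err
		}
		if err := os.Chmod(p, m); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	for _, v := range []int32{438, 444, 666} { // constructed sample values
		m, err := ResolveDefaultMode(&v)
		if err != nil {
			fmt.Printf("defaultMode %d: rejected (%v)\n", v, err)
			continue
		}
		fmt.Printf("defaultMode %d = %04o %s worldWritable=%t\n", v, uint32(m), m, WorldWritable(m))
	}
}
```

Mode 0666 lets every user in the container write the mounted files; where a non-root user only needs to read them, 0644 or 0444 already grants that.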
Member

rhatdan commented Aug 25, 2023

@ygalblum @umohnani8 Thoughts?

@ygalblum
Collaborator

I'm surprised to learn that it is not supported already


fsdrw08 commented Sep 1, 2023

Any update on this request?

Member

rhatdan commented Sep 8, 2023

Nope, still waiting for someone to step forward on this. Seems similar to another issue with fsgroup?

Member

rhatdan commented Sep 8, 2023

@umohnani8 Interested?

vincentywdeng added a commit to vincentywdeng/podman that referenced this issue Sep 25, 2023
Kubernetes allows setting default permission for volume, this is to
provide similar capability in podman kube play

Close containers#19313
Signed-off-by: Vincent Deng <ywdeng@tw.ibm.com>
github-actions bot added the locked - please file new issue/PR label Jan 1, 2024
github-actions bot locked as resolved and limited conversation to collaborators Jan 1, 2024