Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Change perms from 0400 to 0600 for acl-token #248

Merged
merged 2 commits into from
Apr 23, 2020
Merged

Change perms from 0400 to 0600 for acl-token #248

merged 2 commits into from
Apr 23, 2020

Conversation

lkysow
Copy link
Member

@lkysow lkysow commented Apr 20, 2020
edited
Loading

If the acl-init command is re-run, it needs to be able to overwrite the
previously written acl-token file.

In some testing, the service-init init container has later commands fail. Then Kubernetes restarts the init container and it continuously fails with the error:

Error writing token to file "/consul/service/acl-token": open /consul/service/acl-token: permission denied

because that file has already been written but it has 0400 permissions so can't be overwritten.

To reproduce, edit mesh-gateway-deployment:

                ls -la /consul/service
                {{- if (or .Values.global.acls.manageSystemACLs .Values.global.bootstrapACLs) }}
                consul-k8s acl-init \
                  -secret-name="{{ template "consul.fullname" . }}-mesh-gateway-acl-token" \
                  -k8s-namespace={{ .Release.Namespace }} \
                  -token-sink-file=/consul/service/acl-token
                {{ end }}
                exit 1

The first run-through will write the token. Subsequent run throughs will always fail.

@lkysow lkysow added area/acls Related to ACLs type/bug Something isn't working labels Apr 20, 2020
@lkysow lkysow requested a review from a team April 20, 2020 18:50
@ishustava
Copy link
Contributor

@lkysow This change looks good. It'd be good to add a test or an assertion to check file permissions since this was a bug. I think your comment pretty much covers the intention behind it, but just to make sure it won't be overlooked in the future.

@lkysow
Change perms from 0400 to 0600 for acl-token
e0bad41 
If the acl-init command is re-run, it needs to be able to overwrite the
previously written acl-token file.
@lkysow
Copy link
Member Author

lkysow commented Apr 22, 2020

Absolutely, i've added a test for this!

ishustava
ishustava approved these changes Apr 23, 2020
View reviewed changes
Copy link
Contributor

@ishustava ishustava left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great! Thanks for adding a test!

subcommand/acl-init/command_test.go Outdated Show resolved Hide resolved
@lkysow @ishustava
Update subcommand/acl-init/command_test.go
7f6a895 
Co-Authored-By: Iryna Shustava <ishustava@users.noreply.github.com>
@lkysow lkysow merged commit aa08b5d into master Apr 23, 2020
@lkysow lkysow deleted the perms branch April 23, 2020 17:59
ndhanushkodi pushed a commit to ndhanushkodi/consul-k8s that referenced this pull request Jul 9, 2021
@lkysow
Merge pull request hashicorp#248 from hashicorp/less-perms
6aaf0a9 
Less privileges when syncCatalog.toK8S = false
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ishustava ishustava ishustava approved these changes

Assignees
No one assigned
Labels
area/acls Related to ACLs type/bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@lkysow @ishustava