Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Secret defaultMode / mode not respected initially #34445

Closed
wernight opened this issue Oct 10, 2016 · 7 comments
Closed

Secret defaultMode / mode not respected initially #34445

wernight opened this issue Oct 10, 2016 · 7 comments
Labels
sig/node Categorizes an issue or PR as relevant to SIG Node.

Comments

@wernight
Copy link

wernight commented Oct 10, 2016
edited

Kubernetes version:

Client Version: version.Info{Major:"1", Minor:"3", GitVersion:"v1.3.7", GitCommit:"a2cba278cba1f6881bb0a7704d9cac6f
ca6ed435", GitTreeState:"clean", BuildDate:"2016-09-12T23:15:30Z", GoVersion:"go1.6.2", Compiler:"gc", Platform:"li
nux/amd64"}
Server Version: version.Info{Major:"1", Minor:"4", GitVersion:"v1.4.0", GitCommit:"a16c0a7f71a6f93c7e0f222d961f4675
cd97a46b", GitTreeState:"clean", BuildDate:"2016-09-26T18:10:32Z", GoVersion:"go1.6.3", Compiler:"gc", Platform:"li
nux/amd64"}

Environment:

  • Cloud provider or hardware configuration: GKE

What happened:
Changes the permission to 420 instead of 256, so -rw-r--r-- instead of -r-----.

What you expected to happen:
Should preserve 0700 (256).

How to reproduce it (as minimally and precisely as possible):
Following Secret files permissions, setting defaultMode (without setting fsGroup) in a Yaml like:

volumes:
  - name: foo
    secret:
      - secretName: mysecret
      - defaultMode: 0400

And doing a kubectl apply -f my_file.yml.

Note: It's a Deployment with normally only the container image that is changing.

Anything else do we need to know:
Editing the pod and changing the defaultMode: 0700 (again) works.

Related to #4789
@wernight
Copy link
Author

wernight commented Oct 10, 2016
edited

Upgraded kubectl:

Client Version: version.Info{Major:"1", Minor:"4", GitVersion:"v1.4.0", GitCommit:"a16c0a7f71a6f93c7e0f222d961f4675
cd97a46b", GitTreeState:"clean", BuildDate:"2016-09-26T18:16:57Z", GoVersion:"go1.6.3", Compiler:"gc", Platform:"li
nux/amd64"}
Server Version: version.Info{Major:"1", Minor:"4", GitVersion:"v1.4.0", GitCommit:"a16c0a7f71a6f93c7e0f222d961f4675
cd97a46b", GitTreeState:"clean", BuildDate:"2016-09-26T18:10:32Z", GoVersion:"go1.6.3", Compiler:"gc", Platform:"li
nux/amd64"}

Seems to fix the bug.

@rata
Copy link
Member

rata commented Oct 10, 2016

@wernight yes, you need kubectl from 1.4 release too. Glad it works that way! :-)

@rata rata mentioned this issue Oct 10, 2016
Closed
@pwittrock pwittrock added team/cluster sig/node Categorizes an issue or PR as relevant to SIG Node. and removed area/kubectl team/ux labels Oct 13, 2016
@pwittrock
Copy link
Member

@saad-ali @yujuhong This either of you?

@rata
Copy link
Member

rata commented Oct 13, 2016

@pwittrock @wernight reported that upgrading kubectl to 1.4 did the trick (and it won't work with kubectl 1.3.x as the feature is not there, so the field is probably not sent by kubectl). He reported it here: #4789

@wernight can you confirm this should be closed too?

@pwittrock
Copy link
Member

Ah, this is probably due to round tripping the objects in kubectl so it wipes out values it doesn't know about

@rata
Copy link
Member

rata commented Oct 13, 2016

@pwittrock yeap, this is not expected to work with kubectl 1.3 and the report says it was using that. So quite confident that was the issue :-)

@wernight
Copy link
Author

Should close, no? I expected a validation error but that may be for the future.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
sig/node Categorizes an issue or PR as relevant to SIG Node.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@rata @wernight @pwittrock @k8s-github-robot