-
Notifications
You must be signed in to change notification settings - Fork 39k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Projected serviceAccountToken has mode of mounted file hardcoded to 0600 #82573
Comments
@kubernetes/sig-node-bugs |
@devkid: Reiterating the mentions to trigger a notification: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
duplicate of #74565 /cc @mikedanese |
@liggitt: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
actually, leaving this open to track resolution /remove-sig node |
@liggitt: Reopened this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
This might be a docs issue, or the webhook could work around this by adding supplemental groups. I'm not sure if that's particularly desirable. |
Yea, adding supplemental groups from the webhook is probably not the route we want to go, since it's hard to determine which GID is correct. We'll update our docs on that workaround, but having the mode be set by |
|
Would you agree that requiring changes to pod specs in order to replace the secret-based token with the projected one by default doesn't seem tenable? If we can't require pod spec changes, and the pod spec doesn't contain enough info to confidently use gid / fsGroup / supplementalGroups, I don't see great options other than preserving the secret-based behavior. What are the actual risks of injecting a token that is group or world-readable into a pod? |
I'd like to pursue the avenue of setting better file ownership of TokenVolumeProjections which would be preferable as it offers better security to users that are running as non-root transparently. |
One point to note here is that setting the Edit: |
Proposal to fix in kubernetes/enhancements#1598 |
Might especially be useful with service account sometimes, e.g. see: aws/amazon-eks-pod-identity-webhook#8 (comment) kubernetes/kubernetes#82573
Workaround kubernetes/kubernetes#82573 - this got fixed with kubernetes/kubernetes#89193 starting with Kubernetes 1.19
Workaround kubernetes/kubernetes#82573 - this got fixed with kubernetes/kubernetes#89193 starting with Kubernetes 1.19
Workaround kubernetes/kubernetes#82573 - this got fixed with kubernetes/kubernetes#89193 starting with Kubernetes 1.19
What happened:
Mounting
projected
serviceAccountTokens
into a container always sets the mode of the mounted token files to0600
. This is hardcoded in the source code:kubernetes/pkg/volume/projected/projected.go
Line 357 in cf76868
What you expected to happen:
The file mode should equal the
defaultMode
given in theprojected
map.How to reproduce it (as minimally and precisely as possible):
Create a pod with a
projected
serviceAccountToken
with anydefaultMode
set. Observe that the file mode of the file is always0600
.Environment:
kubectl version
): latest masterThe text was updated successfully, but these errors were encountered: