Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Projected serviceAccountToken has mode of mounted file hardcoded to 0600 #82573

Closed
alfredkrohmer opened this issue Sep 11, 2019 · 14 comments
Closed

Projected serviceAccountToken has mode of mounted file hardcoded to 0600 #82573

alfredkrohmer opened this issue Sep 11, 2019 · 14 comments
Assignees
@mikedanese
Labels
kind/bug Categorizes issue or PR as related to a bug. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. sig/auth Categorizes an issue or PR as relevant to SIG Auth.

Comments

@alfredkrohmer
Copy link

What happened:

Mounting projected serviceAccountTokens into a container always sets the mode of the mounted token files to 0600. This is hardcoded in the source code:

kubernetes/pkg/volume/projected/projected.go

Line 357 in cf76868

Mode: 0600,

What you expected to happen:

The file mode should equal the defaultMode given in the projected map.

How to reproduce it (as minimally and precisely as possible):

Create a pod with a projected serviceAccountToken with any defaultMode set. Observe that the file mode of the file is always 0600.

Environment:

  • Kubernetes version (use kubectl version): latest master
@alfredkrohmer alfredkrohmer added the kind/bug Categorizes issue or PR as related to a bug. label Sep 11, 2019
@k8s-ci-robot k8s-ci-robot added the needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. label Sep 11, 2019
This was referenced Sep 11, 2019
Open
Merged
@alfredkrohmer
Copy link
Author

@kubernetes/sig-node-bugs

@k8s-ci-robot k8s-ci-robot added sig/node Categorizes an issue or PR as relevant to SIG Node. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Sep 11, 2019
@k8s-ci-robot
Copy link
Contributor

@devkid: Reiterating the mentions to trigger a notification:
@kubernetes/sig-node-bugs

In response to this:

@kubernetes/sig-node-bugs

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@liggitt
Copy link
Member

liggitt commented Sep 11, 2019

duplicate of #74565

/cc @mikedanese
/close

@k8s-ci-robot
Copy link
Contributor

@liggitt: Closing this issue.

In response to this:

duplicate of #74565

/cc @mikedanese
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@liggitt
Copy link
Member

liggitt commented Sep 11, 2019

actually, leaving this open to track resolution

/remove-sig node
/sig auth
/assign @mikedanese
/reopen

@k8s-ci-robot
Copy link
Contributor

@liggitt: Reopened this issue.

In response to this:

actually, leaving this open to track resolution

/remove-sig node
/sig auth
/assign @mikedanese
/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot reopened this Sep 11, 2019
@k8s-ci-robot k8s-ci-robot added sig/auth Categorizes an issue or PR as relevant to SIG Auth. and removed sig/node Categorizes an issue or PR as relevant to SIG Node. labels Sep 11, 2019
@mikedanese
Copy link
Member

This might be a docs issue, or the webhook could work around this by adding supplemental groups. I'm not sure if that's particularly desirable.

cc @micahhausler

@micahhausler
Copy link
Member

Yea, adding supplemental groups from the webhook is probably not the route we want to go, since it's hard to determine which GID is correct. We'll update our docs on that workaround, but having the mode be set by defaultMode is the desired behavior

@mikedanese
Copy link
Member

deafultMode defaults to world readable. The current behavior was intentional. I would really like if the world bit was never set on these tokens. This is something that I was hoping to fix with the second iteration of tokens. Coincidentally, the security audit pointed this issue out: #81116

@liggitt
Copy link
Member

liggitt commented Sep 18, 2019

Would you agree that requiring changes to pod specs in order to replace the secret-based token with the projected one by default doesn't seem tenable? If we can't require pod spec changes, and the pod spec doesn't contain enough info to confidently use gid / fsGroup / supplementalGroups, I don't see great options other than preserving the secret-based behavior.

What are the actual risks of injecting a token that is group or world-readable into a pod?

@mikedanese
Copy link
Member

I'd like to pursue the avenue of setting better file ownership of TokenVolumeProjections which would be preferable as it offers better security to users that are running as non-root transparently.

@micahhausler micahhausler mentioned this issue Sep 25, 2019
Closed
@caseydavenport caseydavenport mentioned this issue Oct 10, 2019
Merged
@gauravsinhatigera gauravsinhatigera mentioned this issue Oct 11, 2019
Merged
@willthames
Copy link

willthames commented Oct 24, 2019
edited
Loading

One point to note here is that setting the fsGroup to the gid of the pod is a commonly documented workaround for this issue. However, this gid is typically 0 by default, which doesn't seem ideal - but if you then set the gid of the pod with RunAsGroup, this solution no longer works (fsGroup seems to be dropped if RunAsGroup is set to the same value (presumably as it's no longer a supplemental group) and the token is then only owner-readable again)

Edit: fsGroup is only available in the pod security context, and I was trying to set it in the container security context.

This was referenced Oct 25, 2019
Closed
Merged
@tallclair tallclair added the priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. label Oct 30, 2019
@liggitt liggitt added the lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. label Nov 28, 2019
@mikedanese
Copy link
Member

Proposal to fix in kubernetes/enhancements#1598

@max-rocket-internet max-rocket-internet mentioned this issue Apr 15, 2020
Closed
@munnerz munnerz mentioned this issue Apr 24, 2020
Closed
@hasheddan hasheddan mentioned this issue May 5, 2020
Closed
@geota geota mentioned this issue Jul 30, 2020
Closed
@bbenzikry bbenzikry mentioned this issue Aug 24, 2020
Closed
@mikedanese
Copy link
Member

Fixed by @zshihang in #89193

@zubron zubron mentioned this issue Sep 29, 2020
Closed
modax added a commit to inventi/helm that referenced this issue Feb 2, 2021
@modax
Support specifying fsGroup in springboot chart
ecb2190 
Might especially be useful with service account sometimes, e.g. see:

aws/amazon-eks-pod-identity-webhook#8 (comment)
kubernetes/kubernetes#82573
@brentwolfram brentwolfram mentioned this issue Mar 25, 2021
Merged
@TheKangaroo TheKangaroo mentioned this issue Jun 16, 2021
Closed
@aramase aramase mentioned this issue Aug 26, 2021
Closed
rfranzke added a commit to rfranzke/gardener that referenced this issue Nov 30, 2021
@rfranzke
Add workaround for projected service account tokens
bcdf7c2 
Workaround kubernetes/kubernetes#82573 - this got fixed with kubernetes/kubernetes#89193 starting with Kubernetes 1.19
@rfranzke rfranzke mentioned this issue Nov 30, 2021
Merged
@Throckmortra Throckmortra mentioned this issue Dec 22, 2021
Closed
@bothra90 bothra90 mentioned this issue Jan 28, 2022
Closed
@dylan-bitovi dylan-bitovi mentioned this issue Feb 23, 2022
Merged
9 tasks
krgostev pushed a commit to krgostev/gardener that referenced this issue Apr 21, 2022
@rfranzke
Add workaround for projected service account tokens
2eb4e07 
Workaround kubernetes/kubernetes#82573 - this got fixed with kubernetes/kubernetes#89193 starting with Kubernetes 1.19
krgostev pushed a commit to krgostev/gardener that referenced this issue Jul 5, 2022
@rfranzke
Add workaround for projected service account tokens
f17056a 
Workaround kubernetes/kubernetes#82573 - this got fixed with kubernetes/kubernetes#89193 starting with Kubernetes 1.19
@astraw99 astraw99 mentioned this issue Oct 23, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mikedanese mikedanese

Labels
kind/bug Categorizes issue or PR as related to a bug. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. sig/auth Categorizes an issue or PR as relevant to SIG Auth.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@willthames @micahhausler @liggitt @alfredkrohmer @mikedanese @k8s-ci-robot @tallclair