missing /var/run/secrets/kubernetes.io in builder pod .. #249
Comments
From a code browse it looked like
@champak yeah, this has been a space of much churn wrt openshift/builder in 2021, with CVEs and regressions of various variety. One thing that is NOT going to happen is mounting of Now, @coreydaley is close to getting a change merged, #245, that would allow you to specify the mounting of specific secrets, assuming one of the SA's secrets is ultimately what you want to pull from. But generally speaking, for security reasons, a build has to opt into mounting things under If there is something other than secrets off of
@gabemontero thanks very much for the info! It certainly makes sense to protect the secrets under kubernetes.io/serviceaccount/, particularly the token. I was thinking of less confidential info like the namespace. It would be convenient if we could have (by default..) /var/run/secrets/kubernetes.io/serviceaccount/namespace copied into the container where the assemble script runs. This info does not seem to be subject to a privilege escalation vector, and some apps may expect it to be around. Thanks!
namespace does seem less innocuous. If not copied into the container's filesystem, I could also see us setting an env var with the value, but again, we are talking feature request. I'm trying to track down the preferred means for you to do so.
Issues go stale after 90d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle stale
Stale issues rot after 30d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle rotten
Rotten issues close after 30d of inactivity. Reopen the issue by commenting /close
@openshift-bot: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Hi Folks,
In trying out OpenShift BuildConfigs we have run into an oddball issue. When we specify a user (USER ####) in the inline Dockerfile strategy for running the assemble script, we find that the pod produced by the BuildConfig does not have anything (the dir is MIA) at /var/run/secrets/kubernetes.io, and the permissions on /var/run/secrets/rhsm are "drwx--------- root root". The pod spec does have a volumeMount with the mountPath /var/run/secrets/kubernetes.io/serviceaccount.
automountServiceAccountToken is not configured. Any ideas on why we may be in this state? I was expecting the pod to have /var/run/secrets/kubernetes.io/<> available to USER ####. Thanks for any pointers.