Description
Describe the solution you'd like
Providers return a `MountResponse` with a view of the filesystem and each file has a `mode` property. This allows providers to control the file permissions of individual secret files in the mounted filesystem, but there is no control over the file ownership.
The file permissions may be useful but because the owner will always be `root`, it may have little practical value.
The `atomic_writer.go` also supports a file owner, but the `service.proto` does provide a way for file ownership to be specified.
Anything else you would like to add:
A pod with a non-root user should be able to read a secret, and that secret should not be world-readable.
Support for user-names may be difficult and user namespaces will likely need to be considered.
Relevant previous issues:
- Capability to set file-system permissions for mounted secrets #722
- Is it possible to add file attributes when mounting? #346
Environment:
- Secrets Store CSI Driver version: (use the image tag): all
- Kubernetes version: (use `kubectl version`): all
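
The trade-off described in this issue, as an added example that is not part of the original issue or the driver's code: it applies the POSIX owner/group/other read check to a secret file and lists which modes let a non-root pod user read it without it being world-readable. The `secretFile` type, the function names, and UID/GID 1000 are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"os"
)

// secretFile is a hypothetical stand-in for one mounted secret: the mode a
// provider can set today, plus the ownership it cannot.
type secretFile struct {
	Mode     os.FileMode
	UID, GID int
}

// canRead applies the POSIX owner/group/other read check for a process with
// the given UID and groups. UID 0 bypasses the check (capabilities ignored).
func canRead(f secretFile, uid int, gids []int) bool {
	if uid == 0 {
		return true
	}
	perm := f.Mode.Perm()
	if uid == f.UID {
		return perm&0o400 != 0
	}
	for _, g := range gids {
		if g == f.GID {
			return perm&0o040 != 0
		}
	}
	return perm&0o004 != 0
}

// modesMeetingGoal returns the candidate modes that let the pod user read the
// file while the "other" read bit stays clear, for a given file owner.
func modesMeetingGoal(ownerUID, ownerGID, podUID int, podGIDs []int) []os.FileMode {
	var ok []os.FileMode
	for _, m := range []os.FileMode{0o400, 0o440, 0o444, 0o600, 0o640, 0o644} {
		f := secretFile{Mode: m, UID: ownerUID, GID: ownerGID}
		if canRead(f, podUID, podGIDs) && f.Mode.Perm()&0o004 == 0 {
			ok = append(ok, m)
		}
	}
	return ok
}

func main() {
	fmt.Println("owner root:", modesMeetingGoal(0, 0, 1000, []int{1000}))
	fmt.Println("owner 1000:", modesMeetingGoal(1000, 1000, 1000, []int{1000}))
}
```

With the file owned by root, no candidate mode qualifies: the pod user can only gain read access through the "other" bit, which makes the secret world-readable.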