Capability to set file-system permissions for mounted secrets #263
Comments
My current workaround is "terrible". I forced the secrets-store-csi-driver to sync the files as a k8s Secret (which I didn't need before) and then I set it up to mount this Secret as a volume, where those changes are enabled via k8s:
This way the mounting works, even though I do have this configuration there twice under different paths, for example:
Thank you for the feature enhancement request. We will look into this.
We are encountering the same problem. We have a product that requires 600 permissions on its secrets. Just for clarity, we used the same workaround / solution discussed above:
Tedious to set up, and it clutters our Kubernetes cluster with an extra Secret resource. Worth noting that permissions are also pretty complicated in Kubernetes Secrets / volume mounts.
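The sync-then-remount workaround that the two comments above describe, written out as an added example (not the commenters' own manifests): the driver mirrors the fetched object into a Kubernetes Secret via `secretObjects`, and the pod mounts that Secret a second time with `defaultMode`. The secret name, aliases, image and service account are placeholders, and the service account is assumed to already have IAM access to the secret.

```yaml
# SecretProviderClass: fetch the key from AWS Secrets Manager and mirror
# it into a Kubernetes Secret (the secretObjects stanza enables the sync).
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: ssh-key-spc                  # placeholder name
spec:
  provider: aws
  parameters:
    objects: |
      - objectName: "my-app/ssh-key"   # placeholder Secrets Manager secret
        objectType: "secretsmanager"
        objectAlias: "id_rsa"          # file name on the CSI mount
  secretObjects:
    - secretName: ssh-key-synced      # the mirrored Kubernetes Secret
      type: Opaque
      data:
        - objectName: id_rsa          # refers to the objectAlias above
          key: id_rsa
---
apiVersion: v1
kind: Pod
metadata:
  name: ssh-client                    # placeholder
spec:
  serviceAccountName: ssh-client      # placeholder; needs IAM access to the secret
  containers:
    - name: app
      image: example.com/app:1.0      # placeholder
      volumeMounts:
        # The CSI mount is mandatory: the sync into ssh-key-synced only happens
        # while a pod mounts it. Files here are read-only with a fixed mode.
        - name: secrets-store
          mountPath: /mnt/secrets-store
          readOnly: true
        # The synced Secret, mounted with the mode the application needs.
        - name: ssh-key
          mountPath: /root/.ssh
          readOnly: true
  volumes:
    - name: secrets-store
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: ssh-key-spc
    - name: ssh-key
      secret:
        secretName: ssh-key-synced
        defaultMode: 0600             # octal in YAML; use 384 when writing JSON
```

The files in the Secret volume are owned by root, so a non-root container can only read them if the pod sets `securityContext.fsGroup`, and the kubelet then chowns them to that group and adds group permission bits beyond 0600. This is why the Secret-volume route solves the root (or matching UID) case cleanly but not the non-root, strict-mode case.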
I am not able to change the permissions of the files mounted using the secrets-store-csi-driver with the AWS provider.
Could someone please help here with updating the file ownership and file permissions?
+1, same situation here. We would also like to mount SecureString values from Parameter Store as a non-root user with 400 permissions. Worth mentioning here that a guy solved this for Microsoft Azure two years ago:
Describe the solution you'd like
Supposing my secret is an SSH key. Then I'm going to want the file to have permissions 0600, else I'll get
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Anything else you would like to add:
Common advice seems to be to run an initContainer and adjust the permissions on files as needed from that. But the secrets-store-csi-driver insists that I mount the volume as read-only, so that doesn't work.
This request was copied from kubernetes-sigs/secrets-store-csi-driver#722,
as the resolution there was to submit this as a request under the specific cloud provider, and I didn't notice any request having been filed for AWS as of now.