Remove chmod command since we can specify permissions for a Secret Vo…

…lume - Fixed because of kubernetes/kubernetes#28936
ApsOps · Dec 19, 2016 · c01a9a4 · c01a9a4
1 parent 5b24e17
commit c01a9a4
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 11 deletions.
diff --git a/cmd/git-sync/main.go b/cmd/git-sync/main.go
@@ -471,17 +471,13 @@ func setupGitAuth(username, password, gitURL string) error {
 func setupGitSSH() error {
 	log.V(1).Infof("setting up git SSH credentials")
 
-	if _, err := os.Stat("/etc/git-secret/ssh"); err != nil {
+	fileInfo, err := os.Stat("/etc/git-secret/ssh")
+	if err != nil {
 		return fmt.Errorf("error: could not find SSH key Secret: %v", err)
 	}
 
-	// Kubernetes mounts Secret as 0444 by default, which is not restrictive enough to use as an SSH key.
-	// TODO: Remove this command once Kubernetes allows for specifying permissions for a Secret Volume.
-	// See https://github.com/kubernetes/kubernetes/pull/28936.
-	if err := os.Chmod("/etc/git-secret/ssh", 0400); err != nil {
-
-		// If the Secret Volume is mounted as readOnly, the read-only filesystem nature prevents the necessary chmod.
-		return fmt.Errorf("error running chmod on Secret (make sure Secret Volume is NOT mounted with readOnly=true): %v", err)
+	if fileInfo.Mode() != 0400 {
+		return fmt.Errorf("Permissions %s for SSH key are too open. It is recommeded to mount secret volume with `defaultMode: 256` (decimal number for octal 0400).", fileInfo.Mode())
 	}
 
 	return nil

diff --git a/docs/ssh.md b/docs/ssh.md
@@ -73,6 +73,4 @@ In your git-sync container configuration, mount the Secret Volume at "/etc/git-s
     ],
 }
 ```
-**Note: Do not mount the Secret Volume with "readOnly: true".** Kubernetes mounts the Secret with permissions 0444 by default (not restrictive enough to be used as an SSH key), so the container runs a chmod command on the Secret. Mounting the Secret Volume as a read-only filesystem prevents chmod and thus prevents the use of the Secret as an SSH key.
-
-***TODO***: Remove the chmod command once Kubernetes allows for specifying permissions for a Secret Volume. See https://github.com/kubernetes/kubernetes/pull/28936.
+**Note:** Kubernetes mounts the Secret with permissions 0444 by default (not restrictive enough to be used as an SSH key), so make sure you use secret volume with `defaultMode: 256` (decimal number for octal 0400).