Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

projected serviceAccountToken do not honour defaultMode or readOnly: true (tested in 1.30) #129475

Open
rbtcollins opened this issue Jan 3, 2025 · 5 comments
Open

projected serviceAccountToken do not honour defaultMode or readOnly: true (tested in 1.30) #129475

rbtcollins opened this issue Jan 3, 2025 · 5 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. sig/storage Categorizes an issue or PR as relevant to SIG Storage.

Comments

@rbtcollins
Copy link

What happened?

We have a container which needs to start as root today (because we install packages, mount a docker socket and the like). But then we change uid to a lower privilege user for the rest of time.

That user needs access to a projected serviceAccountToken to access another service. The user cannot read the file because its mode is rw-------.

So, we set defaultMode on the projected volume definition, but this has no effect.

We also had readOnly: true in the mount definition, and that seems to not have effect either, as the mode was still rw------- not r--------.

Sample Pod definitions 
apiVersion: v1
kind: Pod
metadata:
  name: with-mode
  namespace: robertc-scratch
spec:
      containers:
      - command:
        - sleep
        - "604800"
        image: ubuntu
        imagePullPolicy: IfNotPresent
        name: test
        securityContext:
          allowPrivilegeEscalation: false
          runAsUser: 0
        volumeMounts:
        - mountPath: /secrets/token
          name: token
      volumes:
      - name: token
        projected:
          defaultMode: 292
          sources:
          - serviceAccountToken:
              path: token
---
apiVersion: v1
kind: Pod
metadata:
  name: with-readonly
  namespace: robertc-scratch
spec:
      containers:
      - command:
        - sleep
        - "604800"
        image: ubuntu
        imagePullPolicy: IfNotPresent
        name: test
        securityContext:
          allowPrivilegeEscalation: false
          runAsUser: 0
        volumeMounts:
        - mountPath: /secrets/token
          name: token
          readOnly: true
      volumes:
      - name: token
        projected:
          sources:
          - serviceAccountToken:
              path: token

The test I did in making a SSCCE was to run this:

kubectl --namespace robertc-scratch exec -ti with-mode -- ls -l /secrets/token/..data/
total 4
-rw------- 1 root root 1414 Jan  3 17:45 token
@rbtcollins ➜ /workspaces/infrastructure (rbt/agent-permissions-3) $ kubectl --namespace robertc-scratch exec -ti with-mode -- ls -l /secrets/token/..data/
total 4
-rw------- 1 root root 1414 Jan  3 17:45 token

We checked the documentation and it describes defaultMode with no restrictions on its relevance to difference sources. The API reference is no more useful.

What did you expect to happen?

I expected the defaultMode setting to apply to the serviceAccountToken. All the same reasons one might want a different mode for a projected secret or config map also apply to a projected serviceAccountToken.

How can we reproduce it (as minimally and precisely as possible)?

See above.

Anything else we need to know?

Probably not ;) .

Kubernetes version

$ kubectl version
Client Version: v1.27.16
Kustomize Version: v5.0.1
Server Version: v1.30.5-gke.1699000

Cloud provider

Google GKE

OS version

I don't have access to the node OS itself, sorry.

Install tools

Container runtime (CRI) and version (if applicable)

Related plugins (CNI, CSI, ...) and versions (if applicable)
@rbtcollins rbtcollins added the kind/bug Categorizes issue or PR as related to a bug. label Jan 3, 2025
@k8s-ci-robot k8s-ci-robot added the needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. label Jan 3, 2025
@k8s-ci-robot
Copy link
Contributor

This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Jan 3, 2025
@carlory
Copy link
Member

carlory commented Jan 6, 2025

similar issue: #57923

@carlory
Copy link
Member

carlory commented Jan 6, 2025
edited
Loading

If you specify the runASUser, the mode will be changed to 0600 from the default mode.

kubernetes/pkg/volume/projected/projected.go

Lines 322 to 324 in 6746df7

mode := *s.source.DefaultMode
if mounterArgs.FsUser != nil || mounterArgs.FsGroup != nil {
mode = 0600

@gnufied commented: So one flip side of this implementation is - it won't easily work for other ephemeral volume types, which was discussed in sig-storage call.

@carlory
Copy link
Member

carlory commented Jan 6, 2025

Related KEP: kubernetes/enhancements#1598

@carlory
Copy link
Member

carlory commented Jan 6, 2025

/sig storage

@k8s-ci-robot k8s-ci-robot added sig/storage Categorizes an issue or PR as relevant to SIG Storage. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Jan 6, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/bug Categorizes issue or PR as related to a bug. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. sig/storage Categorizes an issue or PR as relevant to SIG Storage.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@rbtcollins @k8s-ci-robot @carlory