No way to set permissions (mode) on secret and configmap files #28317
Comments
This one. I think As for how to write a proposal - this is a good start! I think the most important part of a design proposal is "all the things we considered and rejected, and why" |
|
@thockin thanks for the quick response! Sorry the delay, I was busy at work and university and I just had a few minutes to play with this now (but very excited to do it! :)). Very nice the doc, btw, on how to run a local kubernetes cluster so I easily try things :-) I think I prefer to start small and then do more stuff later :-). Yes, I see the fsGroup thing all over the place, but I'm not sure what it means. In my local cluster is always nil, so no hin there. Will investigate more later. The permissions are 0444 on a secret (on my AWS 1.2.4 cluster and my local dev env) because (after this change, the secret file has mode 0400 in the container) Although after this is done permissions might be changed to the file if So I'll try to see (next Sunday probably I'll have some time) where this comes from and how it might be set (it's not set in my default local cluster). Also, start playing with the struct you mention to add mode bits and set them accordingly and, if I come up with something reasonable, hopefully open a proposal with details about the proposed implementation so I can have some early feedback =) Thanks a lot for your help! |
|
Oh, my repo was kind of old. Updated to latest master and now the code is quite different. But the permissions for secrets are changed now! Isn't this a backwards incompatible change? I see where it is hardcoded now, but the code seems to be shared. @pmorie (I see you are the owner, now that I updated my k8s repo, I didn't know before, sorry) isn't a backwards incompatible change that mode permission on a secret file is different now that in 1.2.4? In a 1.2.4 cluster, To be clear on what I'm testing: from the k8s root repo (i.e. that file exists) And the tes-pod.yml is just (c&p from some example and added the secret): |
|
Oh, and found the fsGroup in the spec: http://kubernetes.io/docs/api-reference/extensions/v1beta1/definitions/#_v1_podsecuritycontext That was easier to find than I thought :) |
|
Sort of a dupe of #4789, though more targeted (file mode only) |
|
mode, uid, gid, and path/filename seem like the most common options we'Il want per key, so even if this doesn't add all of those at once, we'd want a structure that would be conducive to adding those later, I think |
|
@liggitt oh, didn't find it before. Thanks a lot! I agree with mode, uid and gid. Not sure about path/filename, as the key is supposed to be that. If the key name is more restrictive than filenames (I think it is), I think it is better to change that instead of adding a mapping for it |
|
I definitely feel this should apply to ConfigMaps from the start, especially as they in their infancy at the moment and less heartache to tackle this now. ConfigMap uses KeyToPath too, so this seems like natural point to be able to specify filemode, userId, groupId and tackle both secrets and configmaps at same time. |
|
@nowprovision yes, I (we? wanna help?) can make it for both, configmaps and secrets. There is pretty much code shared, I think |
rata
changed the title
|
@pmorie #25285 says the permission change on secret's files was on purpose and I think you ack there. It seems a breaking change, though. @nowprovision can you share what is your motivation to add this for configmaps too? Make them more similar? Do you have a use case where you would use this feature? |
|
The only tricky part is to define what happens when fsGroup is set AND this On Mon, Jul 4, 2016 at 6:52 AM, rata notifications@github.com wrote:
|
|
On Mon, Jul 04, 2016 at 12:11:24PM -0700, Tim Hockin wrote:
Haven't played and looked carefully at the fsGroup documentation, but if the I don't want, though, this to be too complicated and have weird conditions. I will look into fsGroup more in detail (the doc in k8s.io was not clear enough But if anyone has any suggestions, more than welcome! |
|
@nowprovision ping? :) |
|
@liggitt playing with secrets code, I have just tested mappings with secrets and they work fine. It's just the documentation that is outdated, I created an issue for that (kubernetes/website#803). |
|
It's fine to update the docs, I just wanted to make sure any mode-setting API design we come up with works well with the existing per-key options we already had |
|
On Mon, Jul 11, 2016 at 07:00:45AM -0700, Jordan Liggitt wrote:
Ohh, I see now. Yes, it will. Thanks :-) |
This is a proposal to address kubernetes#28317.
Automatic merge from submit-queue Add proposal for secret and configmap files mode bits This is a proposal to address #28317. cc @pmorie (owner) @thockin @thockin: Sorry if you preferred not to be CCed, I thougth you'd be interested :-) I think this is always the case, but let me say it one more time just in case: as this is a PR, ALL the feedback is more than welcome! It's my first time in kubernetes, so sorry in advance if this is obviously wrong. What I realize now is that I forgot to add the headers to the proposal. Is there some script to add them? Or should I just c&p from some other proposal? Thanks a lot, Rodrigo
This is a proposal to address kubernetes#28317.
This implements the proposal in: docs/proposals/secret-configmap-downwarapi-file-mode.md Fixes: kubernetes#28317
This implements the proposal in: docs/proposals/secret-configmap-downwarapi-file-mode.md Fixes: kubernetes#28317. The mounttest image is updated so it returns the permissions of the linked file and not the symlink itself.
This implements the proposal in: docs/proposals/secret-configmap-downwarapi-file-mode.md Fixes: kubernetes#28317. The mounttest image is updated so it returns the permissions of the linked file and not the symlink itself.
This implements the proposal in: docs/proposals/secret-configmap-downwarapi-file-mode.md Fixes: kubernetes#28317. The mounttest image is updated so it returns the permissions of the linked file and not the symlink itself.
This is a proposal to address kubernetes/kubernetes#28317.
This is a proposal to address kubernetes/kubernetes#28317.
This is a proposal to address kubernetes/kubernetes#28317.
Automatic merge from submit-queue Add proposal for secret and configmap files mode bits This is a proposal to address kubernetes/kubernetes#28317. cc @pmorie (owner) @thockin @thockin: Sorry if you preferred not to be CCed, I thougth you'd be interested :-) I think this is always the case, but let me say it one more time just in case: as this is a PR, ALL the feedback is more than welcome! It's my first time in kubernetes, so sorry in advance if this is obviously wrong. What I realize now is that I forgot to add the headers to the proposal. Is there some script to add them? Or should I just c&p from some other proposal? Thanks a lot, Rodrigo
To access to the container without using a password, the jumphost RSA public key is copied to each container, using "volumeMounts" defined as "configMap", to /root/.ssh/authorized_keys. To work properly, the following permissions must be set: - /root/.ssh: 700 - /root/.ssh/authorized_keys: 600 Because of [1][2], the mounted folders have fixed permissions and cannot be modified. [1]https://groups.google.com/forum/#!topic/kubernetes-dev/eTnfMJSqmaM [2]kubernetes/kubernetes#28317 JIRA: YARDSTICK-1149 Change-Id: I821064da56699c5b4f509d233c33e55af119fd56 Signed-off-by: Rodolfo Alonso Hernandez <rodolfo.alonso.hernandez@intel.com>
* Update docs/submodules/yardstick from branch 'master'
- Merge changes from topics 'YARDSTICK-1154', 'YARDSTICK-1160'
* changes:
Kubernetes API "delete_service" missing parameter
Bump Kubernetes Python client to version 6.0.0
Avoid "volumeMounts" with "configMap" fixed permissions
- Kubernetes API "delete_service" missing parameter
Kubernetes method "delete_service" calls core API function
"delete_namespaced_service". The parameter "body" [1] is missing:
:param V1DeleteOptions body: (required)
[1] https://github.com/kubernetes-client/python/blob/6.0.0/kubernetes/client/apis/core_v1_api.py
JIRA: YARDSTICK-1154
Change-Id: I40bca2af0f5359eaa788d3b81d82897a770329f0
Signed-off-by: Rodolfo Alonso Hernandez <rodolfo.alonso.hernandez@intel.com>
- Bump Kubernetes Python client to version 6.0.0
Bump Kubernetes Python client to version 6.0.0. This versions supports
Kubernetes service from 1.4 to 1.10 (current version) [1].
Current version of Kubernetes service: 1.10.2
[1] https://github.com/kubernetes-client/python/tree/6.0.0#compatibility-matrix
JIRA: YARDSTICK-1153
Change-Id: I96e855a68e39b17af02cd362040f8c765a9531f0
Signed-off-by: Rodolfo Alonso Hernandez <rodolfo.alonso.hernandez@intel.com>
- Avoid "volumeMounts" with "configMap" fixed permissions
To access to the container without using a password, the jumphost
RSA public key is copied to each container, using "volumeMounts"
defined as "configMap", to /root/.ssh/authorized_keys.
To work properly, the following permissions must be set:
- /root/.ssh: 700
- /root/.ssh/authorized_keys: 600
Because of [1][2], the mounted folders have fixed permissions and
cannot be modified.
[1]https://groups.google.com/forum/#!topic/kubernetes-dev/eTnfMJSqmaM
[2]kubernetes/kubernetes#28317
JIRA: YARDSTICK-1149
Change-Id: I821064da56699c5b4f509d233c33e55af119fd56
Signed-off-by: Rodolfo Alonso Hernandez <rodolfo.alonso.hernandez@intel.com>
Hi,
There is currently no way to set permissions on secret files mounted as volumes.
This is an issue with some tools that enforce them, like ssh for ssh keys, or
just if we want/need the permission to be other than 0444.
I've asked in the mailing list and I was suggested to open a proposal to enhance
(at least) secrets to support this. The ML thread is here:
https://groups.google.com/forum/#!topic/google-containers/EcaOPq4M758
I'm doing this as an issue, instead of a proposal, for several reasons: a) I don't know if there are any
"rules" to take into account when creating a proposal (although I've read some docs in
the repo, and seen other proposals as examples), b) it seems the proposal goes
way in detail and I still have several options and would like some feedback on
which ones to choose before I write the proposal, c) I feel more comfortable starting like this :-D
Before we start, let me say that with "permission" I only refer to the file mode
here and I may use them interchangeably. Sorry if this is a problem, let me know
and I can edit. This is not about the file owners, although let me know if you
prefer to discuss that here too.
So, let's start discussing the problem with secrets permissions. As I already
said, there is no way to set any mode on the secret's files mounted as volumes.
And the permissions on my AWS 1.2.4 cluster for a secret file is 0444.
This can be a problem for applications that enforce files to have permissions
only for the owner (like fetchmail, ssh, pgpass file in postgres1, etc.) and
it's just not possible to run them without changing the file mode. Also, in-house applications may have this restriction too.
Also, it doesn't seem totally wrong if someone wants to make a secret, that is
sensitive information, not world-readable (or group, too). Although it's already in a container
that is (hopefully) running only one process and it might not be so bad.
For example, my use case is that we are migrating to kubernetes, the migration
is in progress (and will take a while) and we have migrated our deployment web
interface to kubernetes. But this interface connects to the servers via ssh, so
it needs the ssh keys, and ssh will only work if the ssh key file mode is the
one it expects.
There are some alternatives I can think of (some less likely than others to be
accepted, I think, but wanted to be sure what you think or if you see other
before doing a proposal):
compatible as described in (docs/devel/api_changes.md) IIUC and seems like the
way to go. Also @thockin said in the ML that he would consider such an
approach. But it might be worth to consider if we want to do the same for
configmaps or owners, but there is no need to do it now either.
is stated in the api_changes doc. And besides it doesn't feel correct IMHO, it
is technically one option. The argument for this might be that world and group
readable for a secret is not a nice default, we already take care of not
writing it to disk, etc. but the file is created world-readable. This sound
awful to change specially if there is no way to revert to the old permissions
and some use case is broken by this. And if we are adding a way to change it,
like in the option above, there is no need to rush changing the default. So I
would discard this.
ones who do, suggest that do it as a "postStart" command. This is acceptable
if we don't want to change kubernetes core for some reason, although there
seem to be valid use cases. But if the user want's to use the "postStart" for
something else, then it is more disturbing to do both things (have a script
in the docker image that deals with this, but is not probably concern of the
project so it's not nice, or specify several commands by using "sh").
So, do you consider it's an option to add a way to specify file mode for files
in secrets?
If so, I can try to come up with a proposal for this (Tim give me some hints in
the thread I linked here, and I've looked at the code and seems doable, although
hasn't tested anything yet). Also, if there is something in particular (or some
doc I missed) on how to create a proposal or things to take into account, please
let me know!
Thanks a lot,
Rodrigo
The text was updated successfully, but these errors were encountered: