Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added SecretFileMode for specifying mounted secrets file permissions. #7908

Closed
wants to merge 1 commit into from
Closed

Added SecretFileMode for specifying mounted secrets file permissions. #7908

wants to merge 1 commit into from

Conversation

soltysh
Copy link
Contributor

@soltysh soltysh commented May 7, 2015

This came as a result of discussion in #4789.
@pmorie @jimmidyson PTAL.

@googlebot
Copy link

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project, in which case you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://cla.developers.google.com/ to sign.

Once you've signed, please reply here (e.g. I signed it!) and we'll verify. Thanks.

  • If you've already signed a CLA, it's possible we don't have your GitHub username or you're using a different email address. Check your existing CLA data and verify that your email is set on your git commits.
  • If you signed the CLA as a corporation, please let us know the company's name.

@pmorie
Copy link
Member

pmorie commented May 7, 2015

@soltysh This needs another case in the secrets e2e

@pmorie
Copy link
Member

pmorie commented May 7, 2015

@soltysh I think that new case case be, create different files with different modes and use the mount tester binary to check them. You can only check one file's mode with the current mount tester so it will probably 1 case per non-standard mode

@erictune
Copy link
Member

erictune commented May 7, 2015

Unless there is a good reason to rush this, I'd like to put a hold on this
till I (we?) understand #7925 better.
For one thing, I'm not sure whether the permissions belong on the Secret or
the SecretVolumeSource.

On Thu, May 7, 2015 at 3:09 PM, Paul Morie notifications@github.com wrote:

@soltysh https://github.com/soltysh I think that new case case be,
create different files with different modes and use the mount tester binary
to check them. You can only check one file's mode with the current mount
tester so it will probably 1 case per non-standard mode


Reply to this email directly or view it on GitHub
#7908 (comment)
.

@pmorie
Copy link
Member

pmorie commented May 8, 2015

@erictune

For one thing, I'm not sure whether the permissions belong on the Secret or
the SecretVolumeSource.

I'm actually thinking now that #7925 is what we ought to be talking about. Once we have security and volumes sorted there shouldn't be any need to control permissions -- secrets in volumes should always be 0400, owned by the uid in the pod's security context, and have the selinux context set correctly.

@soltysh
Copy link
Contributor Author

soltysh commented May 8, 2015

That was my first take in resolving #4789, just to set by default 0400 on mounted secrets. Still that kind of action generates risk that since we mount those as root, only root will have access to it. I then started chatting with @pmorie about that and we came up with this solution. I'll then wait for #7925 and its output.

@soltysh soltysh mentioned this pull request May 8, 2015
Closed
@bgrant0607 bgrant0607 self-assigned this May 11, 2015
@nikhiljindal nikhiljindal assigned erictune and unassigned bgrant0607 May 11, 2015
bgrant0607
bgrant0607 reviewed May 13, 2015
View reviewed changes
pkg/api/types.go
@@ -450,6 +452,16 @@ type GitRepoVolumeSource struct {
type SecretVolumeSource struct {
// Name of the secret in the pod's namespace to use
SecretName string `json:"secretName"`
// Modes describes access permissions to be applied per Secret's data key while mounting
Modes []SecretFileMode `json:"modes"`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this really need to be per-key?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You may want to mount each data's value with different permissions.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Create multiple secrets.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we provide users with option to put multiple data we should allow them to define different permissions as well. On the other hand I can think of that as a grouping factor, where you'd group kind of "similar" data into one secret. Before doing any changes I'll wait for the outcome from #7925 @erictune mentioned.

@pmorie pmorie mentioned this pull request May 18, 2015
Closed
@erictune
Copy link
Member

Not sure if this is still active? If it isn't, it can be closed.

At any rate, I don't think there will be time to complete review of this prior to the pre-v1 code freeze.

@soltysh
Copy link
Contributor Author

soltysh commented May 29, 2015

I'm closing this until this gets sorted out, but everything seems that it'll be done differently.

@soltysh soltysh closed this May 29, 2015
@soltysh soltysh mentioned this pull request Nov 27, 2015
Closed
@soltysh soltysh deleted the secret_mount_permissions branch September 12, 2016 09:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@erictune erictune

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@soltysh @googlebot @pmorie @erictune @bgrant0607