
Allow setting ownership on mounted secrets #81089

Open
@maxneaga

Description


What would you like to be added:
Currently, you can set secret file permissions, but not ownership: (see the "Secret files permissions" section)
https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets

It would be good to add a defaultOwner, and possibly a defaultGroup field, that would allow setting the default ownership of the secret files.

Why is this needed:
It is possible that there is more than one process running in a container, each running as a different user. (think processA running as userA and processB running as userB). processA might need to use secretA and processB to use secretB.

To make the secrets usable today, secretA and secretB would need to be world-readable, because there is no way to set ownership on them. This is undesirable from the security standpoint, as processA could read secretB and vice versa.

Activity

Labels added on Aug 7, 2019: kind/feature (categorizes issue or PR as related to a new feature), needs-sig (indicates an issue or PR lacks a `sig/foo` label and requires one).
maxneaga (Author) commented on Aug 7, 2019

/sig auth

Labels added on Aug 7, 2019: sig/auth (categorizes an issue or PR as relevant to SIG Auth); removed: needs-sig.
Labels added on Aug 7, 2019: sig/storage (categorizes an issue or PR as relevant to SIG Storage), priority/important-longterm (important over the long term, but may not be staffed and/or may need multiple releases to complete).
tallclair (Member) commented on Aug 7, 2019

liggitt (Member) commented on Aug 7, 2019

see also #57923 (specifically #57923 (comment))

liggitt (Member) commented on Aug 7, 2019

I think this is what the fsGroup setting was intended to accommodate

edit: misread the description as multiple containers running as different users wanting access to the same secret.

this is asking for a way to have multiple processes in a single container running as different users not have access to portions of the same secret?

maxneaga (Author) commented on Aug 7, 2019

this is asking for a way to have multiple processes in a single container running as different users not have access to portions of the same secret?

Correct: multiple processes in a single container running as different users should not have access to another secret, or to portions of the same secret.

tallclair (Member) commented on Aug 7, 2019

This does not sound like a very common use case. Different processes running under different users are typically separated to different containers.

There are a handful of ways you could implement a custom solution within a container, but this doesn't sound like a use case we're likely to support in Kubernetes.
/priority awaiting-more-evidence

maxneaga (Author) commented on Aug 12, 2019

Different processes running under different users are typically separated to different containers.

Let's say there is only one process running in the container, and the container's security context has

          runAsNonRoot: true
          runAsUser: <user-id>

Currently, the secret file would still be created with root as the owner. Unless the file is world-readable, the main container process will not be able to read it. So in this scenario (which is not uncommon I would guess), there is little to no use for the defaultMode. Either the secret file needs to be created with the owner of runAsUser or you should be able to explicitly set the owner of the secret file.
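The following manifests are an added example, not part of this issue or of the Kubernetes project, illustrating the two scenarios discussed above. They assume the kubelet's fsGroup handling for secret volumes: when `fsGroup` is set, the files are created as root:fsGroup and, because the volume is mounted read-only, the group-read bit is OR-ed into `defaultMode` (so 0400 becomes 0440). Pod, image, secret names and the uids/gids (1001, 1002, 2001) are made up. The first manifest is the world-readable workaround the issue complains about, the second uses fsGroup for the single-process case, and the third handles the two-user case by splitting the processes into two containers that each mount only their own secret, which is the approach suggested in the thread.

```yaml
# Added example (not from the issue or the Kubernetes project). Assumes the
# kubelet's fsGroup behaviour for read-only secret volumes described above.
# All names, uids and gids are hypothetical.
---
# 1. Weak: no fsGroup, so the file is root:root and a non-root process can
#    only read it if it is world-readable.
apiVersion: v1
kind: Pod
metadata:
  name: secret-world-readable
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1001
  containers:
  - name: app
    image: example.com/app:1.0      # hypothetical image
    volumeMounts:
    - name: secret-a
      mountPath: /etc/secret-a
      readOnly: true
  volumes:
  - name: secret-a
    secret:
      secretName: secret-a
      defaultMode: 0444             # any uid in the container can read it
---
# 2. Better: fsGroup makes the kubelet set group ownership to 2001 and add
#    group read, so 0400 becomes 0440: only root and gid 2001 can read it.
apiVersion: v1
kind: Pod
metadata:
  name: secret-group-readable
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1001
    fsGroup: 2001                   # supplementary group of the container process
  containers:
  - name: app
    image: example.com/app:1.0
    volumeMounts:
    - name: secret-a
      mountPath: /etc/secret-a
      readOnly: true
  volumes:
  - name: secret-a
    secret:
      secretName: secret-a
      defaultMode: 0400
---
# 3. Two users needing two different secrets: fsGroup is pod-wide, so it
#    cannot give secret-a and secret-b different groups. Run each process in
#    its own container and mount only the secret that container needs; the
#    other secret is simply not present in that container's filesystem.
apiVersion: v1
kind: Pod
metadata:
  name: secrets-split-by-container
spec:
  securityContext:
    fsGroup: 2001
  containers:
  - name: process-a
    image: example.com/process-a:1.0
    securityContext:
      runAsNonRoot: true
      runAsUser: 1001
    volumeMounts:
    - name: secret-a
      mountPath: /etc/secret-a
      readOnly: true
  - name: process-b
    image: example.com/process-b:1.0
    securityContext:
      runAsNonRoot: true
      runAsUser: 1002
    volumeMounts:
    - name: secret-b
      mountPath: /etc/secret-b
      readOnly: true
  volumes:
  - name: secret-a
    secret:
      secretName: secret-a
      defaultMode: 0400
  - name: secret-b
    secret:
      secretName: secret-b
      defaultMode: 0400
```

To check the resulting ownership and mode on a running pod, `kubectl exec secret-group-readable -- ls -lnL /etc/secret-a` prints numeric uid/gid and the mode of the underlying files (the entries in the mount are symlinks into `..data`, hence `-L`). If the group column is not the fsGroup value or the mode is not 0440, the assumption about the kubelet's fsGroup handling does not hold on that cluster and the manifest should be revisited.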

138 remaining items


Metadata

Labels: help wanted (denotes an issue that needs help from a contributor; must meet "help wanted" guidelines), kind/feature, priority/important-longterm, sig/storage

Assignees: none. Milestone: none. Projects: none. Linked branches or pull requests: none.

Participants: @rottenbytes @chrislovecnm @petr-motejlek @The-Loeki @jtgans