I am not able to change the ownership of the files when they are mounted using secrets-store-csi-driver. The files are getting mounted as root, read-only, with mode 644, whereas I want to change the ownership of those files to a different user and the file permissions to 655.
I tried the things below:
- setting defaultMode 0655: got an error that defaultMode is not a valid attribute
- adding a lifecycle hook:

```yaml
lifecycle:
  postStart:
    exec:
      command:
        - /bin/sh
        # -c is needed so sh runs the string as a command line;
        # without it sh tries to execute "chown" as a script file
        - -c
        - chown -R cfeapp:cfeapp /www/cfe/certfrontend/cfeservices/build/clientcert.pem
```
but got this error:

```text
Warning  FailedPostStartHook  13s  kubelet  PostStartHook failed
Normal   Killing              13s  kubelet  FailedPostStartHook
```
- adding initContainers to change the permissions, but the volume is not mounted correctly for that.

This is how I was trying it through init containers:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "cfe.fullname" . }}
  labels:
    {{- include "cfe.labels" . | nindent 4 }}
spec:
  {{- if not .Values.autoscaling.enabled }}
  replicas: {{ .Values.replicaCount }}
  {{- end }}
  selector:
    matchLabels:
      {{- include "cfe.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      {{- with .Values.podAnnotations }}
      annotations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      labels:
        {{- include "cfe.selectorLabels" . | nindent 8 }}
    spec:
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      serviceAccountName: {{ include "cfe.serviceAccountName" . }}
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
      volumes:
        - name: ca-cert
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: "secrets"
      containers:
        - name: {{ .Chart.Name }}
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          env:
            {{- toYaml .Values.env | nindent 12 }}
          volumeMounts:
            - name: ca-cert
              mountPath: "/www/cfe/ca.crt"
              subPath: ca.crt
          ports:
            - name: http
              containerPort: {{ .Values.service.port }}
              protocol: TCP
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
      initContainers:
        - name: volume-mount-hack
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
          env:
            {{- toYaml .Values.env | nindent 12 }}
          command: ["/bin/sh", "-c", "chown -R cfeapp:cfeapp /www/cfe/ca.crt"]
          securityContext:
            runAsUser: 0
            privileged: true
          volumeMounts:
            # the whole CSI volume directory is mounted at this path here
            # (no subPath, unlike the main container above)
            - name: ca-cert
              mountPath: /www/cfe/ca.crt
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
```
Can someone please help with this permissions issue?
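As an added example, not part of the question above and not code from the Secrets Store CSI driver project: the init-container approach works once the chown/chmod targets a writable volume instead of the CSI mount itself. The driver only ever mounts its volume read-only, so the pattern below keeps that mount at a staging path, has an init container copy the files into an emptyDir with the requested owner and mode, and mounts the emptyDir into the application container. The deployment name cfe, the cfeapp uid/gid of 1000, the /www/cfe/ca.crt path, the busybox image and the application image are assumptions taken from the question or chosen for the example.

```yaml
# Added example (not from the original question). Assumed names: cfe, uid/gid
# 1000 for cfeapp, /www/cfe/ca.crt, SecretProviderClass "secrets".
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cfe
spec:
  replicas: 1
  selector:
    matchLabels:
      app: cfe
  template:
    metadata:
      labels:
        app: cfe
    spec:
      serviceAccountName: cfe
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
      volumes:
        # The Secrets Store CSI volume. The driver requires readOnly: true and
        # mounts it read-only, so chown/chmod on this path always fails.
        - name: ca-cert-csi
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: "secrets"
        # Writable scratch volume that will hold the re-owned copies.
        # medium: Memory backs it with tmpfs so the files never hit node disk.
        - name: ca-cert
          emptyDir:
            medium: Memory
      initContainers:
        - name: stage-certs
          image: busybox:1.36   # assumed; any image with sh and install(1) works
          command:
            - /bin/sh
            - -c
            - |
              set -eu
              # install(1) copies, chowns and chmods in one step. Numeric
              # uid/gid are used because this image has no "cfeapp" user.
              # If /csi is empty the literal glob makes install fail, so a
              # misconfigured SecretProviderClass stops the pod here, loudly.
              for f in /csi/*; do
                install -m 0655 -o 1000 -g 1000 "$f" "/staged/$(basename "$f")"
              done
              ls -ln /staged
          securityContext:
            # chown needs CAP_CHOWN, which root keeps by default; privileged
            # is not required, so everything else is dropped.
            runAsUser: 0
            runAsGroup: 0
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
              add: ["CHOWN"]
          volumeMounts:
            - name: ca-cert-csi
              mountPath: /csi
              readOnly: true
            - name: ca-cert
              mountPath: /staged
      containers:
        - name: cfe
          image: registry.example.com/cfe:1.0.0   # assumed application image
          securityContext:
            allowPrivilegeEscalation: false
          volumeMounts:
            # Same file path the question used, now served from the emptyDir
            # copy, which is owned by 1000:1000 with mode 0655.
            - name: ca-cert
              mountPath: /www/cfe/ca.crt
              subPath: ca.crt
              readOnly: true
```

Two caveats worth knowing before using this. The staged files are a snapshot: if the CSI driver later updates the content under /csi, the emptyDir copy does not change until the pod is recreated. And 0655 is the value the question asks for; it leaves the file world-readable, which is fine for a CA certificate but not for a private key, where 0600 or 0640 would be the usual choice.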