how to change ownership and file permissions for the secrets copied using secrets-store-csi-driver

38 views Asked by At

I am not able to change the ownership of the files when mounted using secrets-store-csi-driver. the files are getting mounted as root with readonly permissions and 644 mode. Whereas I want to change the ownership of those files to different user and file permissions to 655.

I tried below things :

  1. setting defaultMode 0655 :- got error that defaultmode is not a valid attribute
  2. adding lifecycle policy
        lifecycle:
          postStart:
            exec:
              command:
              - /bin/sh
              - chown
              - -R
              - cfeapp:cfeapp
              - /www/cfe/certfrontend/cfeservices/build/clientcert.pem

but got error :

  Warning  FailedPostStartHook  13s   kubelet            PostStartHook failed
  Normal   Killing              13s   kubelet            FailedPostStartHook

3.adding init_containers to change the permissions , but the volume is not mounted correctly for that.

This is how I was trying through init containers :

apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "cfe.fullname" . }}
  labels:
    {{- include "cfe.labels" . | nindent 4 }}
spec:
  {{- if not .Values.autoscaling.enabled }}
  replicas: {{ .Values.replicaCount }}
  {{- end }}
  selector:
    matchLabels:
      {{- include "cfe.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      {{- with .Values.podAnnotations }}
      annotations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      labels:
        {{- include "cfe.selectorLabels" . | nindent 8 }}
    spec:
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      serviceAccountName: {{ include "cfe.serviceAccountName" . }}
      securityContext:
          runAsUser: 1000
          runAsGroup: 1000
          fsGroup: 1000
      volumes:
        - name: ca-cert
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: "secrets"  
    
      containers:
        - name: {{ .Chart.Name }}
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          env:
            {{- toYaml .Values.env | nindent 12 }}
          volumeMounts:
             - name: ca-cert
               mountPath: "/www/cfe/ca.crt"
               subPath: ca.crt
          
          ports:
            - name: http
              containerPort: {{ .Values.service.port }}
              protocol: TCP
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
      initContainers:
        - name: volume-mount-hack
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
          env:
            {{- toYaml .Values.env | nindent 12 }}          
          command: ["/bin/sh", "-c", "chown -R cfeapp:cfeapp /www/cfe/ca.crt“]
          securityContext:
           runAsUser: 0
           privileged: true
          volumeMounts:
          - name: ca-cert
            mountPath: /www/cfe/ca.crt
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}

Can someone please help with this permission issue.

0

There are 0 answers