Capability to set file-system permissions for mounted secrets

[dimbleby]

Describe the solution you'd like

Supposing my secret is an ssh key. Then I'm going to want the file to have permissions 0600, else I'll get

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

etc

Looks like everything that this driver mounts gets permissions 0644 - here and here if my grep is good.

I'd like a mechanism to set the permissions to 0600.

Anything else you would like to add:

Common advice seems to be to run an initContainer and adjust the permissions on files as needed from that. But the secrets-store-csi-driver insists that I mount the volume as read-only, so that doesn't work.

Environment:

• Secrets Store CSI Driver version: (use the image tag):
• Kubernetes version: (use kubectl version):

[tam7t]

Some notes to myself:

The driver sets 0644 as the default permission in the request to the providers as described above.

The provider process maps external secrets to individual files (the SecretProviderClass CRD definition is not aware of what files will actually be created within the mount).

Providers return a MountResponse with a view of the filesystem and each file has a mode property.

The returned modes for each file are passed through to and honored by the atomic_writer

I believe that providers could currently extend their configuration to accept per-file/mount permission overrides.

Propose that providers try out provider-specific filesystem permissions (likely copy the k8s pattern of a parameter mode: <octal>) and if successful the SecretProviderClass could introduce a new defaultMode parameter that would override (or replace) the MountRequest.permission field to providers.

[jochristian]

Hi,

Got the same issue.
Need to access an private ssh key mounted into the kubernetes pod.
But does not work because of 0644 permission. Any suggestions how I can use the mounted file?

[tam7t]

Closing this in favor of #858.

Currently providers can be extended to support per-file permissions (as done in Azure/secrets-store-csi-driver-provider-azure#712 for the azure provider). If you need this in one of the other providers please file a bug agains their repo.