kubernetes
/
git-sync
mirror of https://github.com/kubernetes/git-sync.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #25 from ApsOps/remove-chmod 

Remove chmod command since we can specify permissions for a Secret Volume
This commit is contained in:
Tim Hockin 2016-12-21 18:46:01 -08:00 committed by GitHub
parent 5b24e1793d ea98806bc9
commit b29839f333
2 changed files with 5 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
cmd/git-sync/main.go
View File

@ -471,17 +471,13 @@ func setupGitAuth(username, password, gitURL string) error {
func setupGitSSH() error { func setupGitSSH() error {
log.V(1).Infof("setting up git SSH credentials") log.V(1).Infof("setting up git SSH credentials")
if _, err := os.Stat("/etc/git-secret/ssh"); err != nil { fileInfo, err := os.Stat("/etc/git-secret/ssh")
if err != nil {
return fmt.Errorf("error: could not find SSH key Secret: %v", err) return fmt.Errorf("error: could not find SSH key Secret: %v", err)
} }
// Kubernetes mounts Secret as 0444 by default, which is not restrictive enough to use as an SSH key. if fileInfo.Mode() != 0400 {
// TODO: Remove this command once Kubernetes allows for specifying permissions for a Secret Volume. return fmt.Errorf("Permissions %s for SSH key are too open. It is recommeded to mount secret volume with `defaultMode: 256` (decimal number for octal 0400).", fileInfo.Mode())
// See https://github.com/kubernetes/kubernetes/pull/28936.
if err := os.Chmod("/etc/git-secret/ssh", 0400); err != nil {
// If the Secret Volume is mounted as readOnly, the read-only filesystem nature prevents the necessary chmod.
return fmt.Errorf("error running chmod on Secret (make sure Secret Volume is NOT mounted with readOnly=true): %v", err)
} }
return nil return nil

4
docs/ssh.md
View File

@ -73,6 +73,4 @@ In your git-sync container configuration, mount the Secret Volume at "/etc/git-s
], ],
} }
``` ```
**Note: Do not mount the Secret Volume with "readOnly: true".** Kubernetes mounts the Secret with permissions 0444 by default (not restrictive enough to be used as an SSH key), so the container runs a chmod command on the Secret. Mounting the Secret Volume as a read-only filesystem prevents chmod and thus prevents the use of the Secret as an SSH key. **Note:** Kubernetes mounts the Secret with permissions 0444 by default (not restrictive enough to be used as an SSH key), so make sure you use secret volume with `defaultMode: 256` (decimal number for octal 0400).
***TODO***: Remove the chmod command once Kubernetes allows for specifying permissions for a Secret Volume. See https://github.com/kubernetes/kubernetes/pull/28936.