kubernetes
/
git-sync
mirror of https://github.com/kubernetes/git-sync.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Remove chmod command since we can specify permissions for Secret Volumes 

- Fixed because of https://github.com/kubernetes/kubernetes/pull/28936
This commit is contained in:
Aman 2016-12-19 21:50:15 +05:30
parent 5b24e1793d
commit ea98806bc9
No known key found for this signature in database
GPG Key ID: EB978C0392F7CBCC
2 changed files with 5 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
cmd/git-sync/main.go
View File

@ -471,17 +471,13 @@ func setupGitAuth(username, password, gitURL string) error {
func setupGitSSH() error {
log.V(1).Infof("setting up git SSH credentials")
if _, err := os.Stat("/etc/git-secret/ssh"); err != nil {
fileInfo, err := os.Stat("/etc/git-secret/ssh")
if err != nil {
return fmt.Errorf("error: could not find SSH key Secret: %v", err)
}
// Kubernetes mounts Secret as 0444 by default, which is not restrictive enough to use as an SSH key.
// TODO: Remove this command once Kubernetes allows for specifying permissions for a Secret Volume.
// See https://github.com/kubernetes/kubernetes/pull/28936.
if err := os.Chmod("/etc/git-secret/ssh", 0400); err != nil {
// If the Secret Volume is mounted as readOnly, the read-only filesystem nature prevents the necessary chmod.
return fmt.Errorf("error running chmod on Secret (make sure Secret Volume is NOT mounted with readOnly=true): %v", err)
if fileInfo.Mode() != 0400 {
return fmt.Errorf("Permissions %s for SSH key are too open. It is recommeded to mount secret volume with `defaultMode: 256` (decimal number for octal 0400).", fileInfo.Mode())
}
return nil

4
docs/ssh.md
View File

@ -73,6 +73,4 @@ In your git-sync container configuration, mount the Secret Volume at "/etc/git-s
],
}
```
**Note: Do not mount the Secret Volume with "readOnly: true".** Kubernetes mounts the Secret with permissions 0444 by default (not restrictive enough to be used as an SSH key), so the container runs a chmod command on the Secret. Mounting the Secret Volume as a read-only filesystem prevents chmod and thus prevents the use of the Secret as an SSH key.
***TODO***: Remove the chmod command once Kubernetes allows for specifying permissions for a Secret Volume. See https://github.com/kubernetes/kubernetes/pull/28936.
**Note:** Kubernetes mounts the Secret with permissions 0444 by default (not restrictive enough to be used as an SSH key), so make sure you use secret volume with `defaultMode: 256` (decimal number for octal 0400).