
Capability to set file-system permissions for mounted secrets #263

Open
milokrisko opened this issue Aug 23, 2023 · 5 comments
Labels
enhancement New feature or request

Comments

@milokrisko

Describe the solution you'd like

Supposing my secret is an ssh key. Then I'm going to want the file to have permissions 0600, else I'll get

```
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
```

Anything else you would like to add:

Common advice seems to be to run an initContainer and adjust the permissions on files as needed from that. But the secrets-store-csi-driver insists that I mount the volume as read-only, so that doesn't work.

This request was copied from kubernetes-sigs/secrets-store-csi-driver#722.
The resolution there was to submit this as a request under the specific cloud provider, and I didn't notice any request filed for AWS as of now.

@milokrisko milokrisko added the enhancement New feature or request label Aug 23, 2023
@milokrisko (Author)

My current workaround is "terrible".

I forced the secret-store-csi-driver to sync the files as a k8s Secret (which I didn't need before) and then I set up a mount of this Secret as a volume, where those changes are enabled via k8s:

```yaml
- name: ssh_keys
  secret:
    defaultMode: 420
    items:
      - key: users.json
        path: users.json
      - key: ssh_host_ed25519_key
        mode: 256
        path: ssh_host_ed25519_key
      - key: ssh_host_rsa_key
        mode: 256
        path: ssh_host_rsa_key
    secretName: {{ .Release.Name }}-secret-fs
```

This way the mounting works, even though I do have this configuration there twice under different paths, for example:

- `/data/keys/aws` (the CSI mount)
- `/data/keys/` (synced from k8s)

@jbct

jbct commented Aug 28, 2023

Thank you for the feature enhancement request. We will look into this.

@colearendt

We are encountering the same problem. We have a product that requires 600 permissions on its secrets.

Just for clarity, we used the same workaround / solution discussed above:

  • create a SecretObject in the SecretProviderClass
  • mount a secret as an env var (to ensure that the kubernetes secret gets created)
  • mount the secret to disk and set defaultMode

Tedious to set up and clutters our kubernetes cluster with an extra secret resource. Worth noting that permissions are also pretty complicated in Kubernetes Secrets / volume mounts.
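The workaround described in the two comments above, spelled out end to end as an added example (this is not code from the issue or from the AWS provider project): a SecretProviderClass with a `secretObjects` entry so the driver mirrors the fetched object into a regular Kubernetes Secret, and a Pod that mounts the CSI volume (which is what triggers the sync) next to a plain Secret volume whose item `mode` you control. The names `app-secrets`, `ssh-host-key`, `my-app`, the image and the Secrets Manager object name are placeholders.

```yaml
# Added example, not from the issue thread or the provider's docs.
# Placeholders: app-secrets, ssh-host-key, my-app, placeholder/app:latest,
# and the Secrets Manager object name.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: app-secrets
spec:
  provider: aws
  parameters:
    objects: |
      - objectName: "placeholder/ssh-host-ed25519-key"   # Secrets Manager name or ARN
        objectType: "secretsmanager"
        objectAlias: "ssh_host_ed25519_key"
  # Mirror the fetched object into a Kubernetes Secret. The Secret only appears
  # after a pod has mounted this SecretProviderClass as a CSI volume.
  secretObjects:
    - secretName: ssh-host-key
      type: Opaque
      data:
        - objectName: ssh_host_ed25519_key   # must match objectAlias above
          key: ssh_host_ed25519_key
---
apiVersion: v1
kind: Pod
metadata:
  name: my-app
spec:
  containers:
    - name: app
      image: placeholder/app:latest
      volumeMounts:
        # 1. CSI mount: read-only by the driver's design; keeps the sync alive.
        - name: csi-secrets
          mountPath: /data/keys/aws
          readOnly: true
        # 2. Plain Secret mount: this is the copy whose file modes you choose.
        - name: ssh-keys
          mountPath: /data/keys
          readOnly: true
  volumes:
    - name: csi-secrets
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: app-secrets
    - name: ssh-keys
      secret:
        secretName: ssh-host-key
        defaultMode: 0644        # octal is accepted in YAML; JSON needs decimal (420)
        items:
          - key: ssh_host_ed25519_key
            path: ssh_host_ed25519_key
            mode: 0400           # same as the decimal 256 used in the thread
```

Two things to verify after applying this: the file under `/data/keys` is still owned by root (a Secret volume does not change ownership on its own), and adding `fsGroup` to the pod's `securityContext` changes the group and can widen the effective mode bits, so check the result with `ls -l` from inside the container rather than trusting the manifest. The cost noted above remains: the secret now also lives in etcd as a Kubernetes Secret, so it needs the same RBAC and encryption-at-rest care as any other Secret.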

@fgoura

fgoura commented Feb 20, 2024

I am not able to change the permissions of the files mounted using secretprovider-csi-driver with the aws provider.
My files are getting mounted as root with 644 permissions, while I want my mounted files to have 655 permissions.
I tried setting defaultMode, but it throws an error that defaultMode is not a valid attribute.
I also tried adding filePermissions in secretprovider.yaml, but that is also not working.
Reference: kubernetes-sigs/secrets-store-csi-driver#858

```yaml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: awssecrets
spec:
  provider: aws
  parameters:
    objects: |
        - objectName: "/tmp/dev/ca.pem"
          objectType: "secretsmanager"
          objectAlias: "ca.pem"
          filePermission: 0655
```

Could someone please help with updating the file ownership and file permissions here?
It seems this issue is resolved for the azure provider, but I am not able to find any solution for the aws provider.
Kindly help.

@bankmonitor-gabor-viczai

+1

Same situation here. We would also like to mount secure strings from Parameter Store as a non-root user with 400 permissions.
Failed even to set ownership with the standard k8s fsGroup attribute...

Worth mentioning here that a guy solved this for Microsoft Azure two years ago:
Azure/secrets-store-csi-driver-provider-azure#225
