Commit f3b3263 by Christoph Petrausch, committed Apr 16, 2020 (1 parent: 6ae68f4).
Showing 1 changed file with 4 additions and 8 deletions.
Comment on f3b3263:
Please revert this; it doesn't make it more secure just because it reads from a file, and it makes running this on Kubernetes much hackier.
Comment on f3b3263:
Hello,

I think injecting the password via the command line is more hacky in Kubernetes. The server query password should be stored in a Kubernetes secret. To consume this secret via the command line you have to inject that password as an environment variable into the container, then use that environment variable in the `pod.spec.container.args` list. However, mounting a Kubernetes secret as a file is a native secrets feature: https://kubernetes.io/docs/concepts/configuration/secret/#use-case-dotfiles-in-a-secret-volume

I agree with you that this requires more lines of YAML, but I think that is less hacky. However, I will add a method to consume the password via an environment variable.

Implemented: b5acfc6
Comment on f3b3263:
The thing is, I use my own ts3exporter image that, among other improvements over yours, doesn't run the binary as root in the container. So when mounting the secret as a file with `0600` permissions I cannot set the file's owner UID, so the process can't read it. Link to my image, let me know if you want a PR. I've seen you've added reading the password from an env. variable, thanks!
Comment on f3b3263:
Go ahead and create a PR for the statically linked build and the scratch image. However, I'm not a fan of Alpine as the builder image. Their BusyBox and musl created too much hassle in the past. Those hassles are not worth the size reduction while building.

Regarding the fsGroup of the mounted secret: have a look at the security context of a Pod. The property `fsGroup` allows you to change the ownership of mounted volumes: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#configure-volume-permission-and-ownership-change-policy-for-pods
Comment on f3b3263:
I'll make the PR for the glibc-based image then soon.

About `fsGroup`: that sets the group ownership, but ts3exporter demands `0400` permissions, that's user ownership exclusively. If `fsUser` existed or `0440` were enough, then that would work.