• Bug
    • Resolution: Fixed
    • Minor
    • kubernetes-plugin
    • None

      use case:

      pipeline
      podTemplate(label: 'jenkpod', containers: [
          containerTemplate(name: 'golang', image: 'golang:1.8', ttyEnabled: true, command: 'cat')
      ], volumes: [
          secretVolume(secretName: 'jenkins-key-secret', mountPath: '/root/.ssh')
      ]) {
          node ('jenkpod') { container('golang') {
              stage('Pre-Build') {
                  sh 'ls -al /root/.ssh'
                  sh 'ssh -vT -i /root/.ssh/ssh-publickey -o "StrictHostKeyChecking=no" git@github.com'
              }
          } }
      }
      
      snippet of generated yaml
      - apiVersion: v1
        kind: Pod
        metadata:
        spec:
          containers:
          - command:
            - cat
            env:
            - name: JENKINS_LOCATION_URL
              value: http://
            - name: HOME
              value: /home/jenkins
            image: golang:1.8
            name: golang
            tty: true
            volumeMounts:
            - mountPath: /root/.ssh
              name: volume-0
            - mountPath: /home/jenkins
              name: workspace-volume
            - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
              name: default-token
              readOnly: true
            workingDir: /home/jenkins
          volumes:
          - name: volume-0
            secret:
              defaultMode: 420
              secretName: jenkins-key-secret
          - emptyDir: {}
            name: workspace-volume
          - name: default-token
            secret:
              defaultMode: 420
              secretName: default-token
      

      NOTE: at the moment, I think because of this bug, the keys are also too open, and so I need to run this before using the key:
      sh 'find /root/.ssh -type f -exec chmod 400 {} \;'

          [JENKINS-42851] secretVolume not created read only

          Vladislav Trayanov added a comment - I had the same issue. I mount private key as a secret volume and actually, the permissions are 777 on pod side 

          Carlos Sanchez added a comment -

          This works as expected, no permissions are passed to kubernetes

          see https://kubernetes.io/docs/concepts/configuration/secret

          You can also specify the permission mode bits files part of a secret will have. If you don’t specify any, 0644 is used by default. You can specify a default mode for the whole secret volume and override per key if needed.

          You can override the default by using the yaml syntax in the plugin

          Vladislav Trayanov added a comment - Sorry, for the dumb question, but how to use the yaml syntax of the plugin? Not sure where I can find it in the docs 

          Carlos Sanchez added a comment - https://github.com/jenkinsci/kubernetes-plugin/#using-yaml-to-define-pod-templates

          Bill Warner added a comment -

          csanchez is there an example on how to get the defaultmode injected into the correct array index of the secret volume?


          Carlos Sanchez added a comment -

          something like the example k8s provides

          apiVersion: v1
          kind: Pod
          metadata:
            name: mypod
          spec:
            containers:
            - name: maven
              image: maven:alpine
              volumeMounts:
              - name: foo
                mountPath: "/etc/foo"
            volumes:
            - name: foo
              secret:
                secretName: mysecret
                defaultMode: 256
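
The manifests in this thread carry the mode as a decimal integer, so 420 is octal 0644 and 256 is octal 0400. As an added example (not code from the plugin or from any commenter), this check reads a pod in JSON form and reports secret-volume files whose mode grants more than owner read; the function names, the `max_mode` parameter and the sample pod are assumptions made for illustration.

```python
import json

K8S_DEFAULT_MODE = 0o644  # Kubernetes applies this when defaultMode is omitted

# Constructed sample in `kubectl get pod -o json` form, modelled on the two
# manifests in this thread; the "items" override on volume "foo" is made up.
SAMPLE_POD = json.loads("""
{"spec": {"volumes": [
  {"name": "volume-0",
   "secret": {"secretName": "jenkins-key-secret", "defaultMode": 420}},
  {"name": "workspace-volume", "emptyDir": {}},
  {"name": "foo",
   "secret": {"secretName": "mysecret", "defaultMode": 256,
              "items": [{"key": "id_rsa", "path": "id_rsa"},
                        {"key": "known_hosts", "path": "known_hosts", "mode": 292}]}}
]}}
""")


def effective_modes(secret):
    """Return {key: mode} for one secret volume source ('*' means every key)."""
    default = secret.get("defaultMode", K8S_DEFAULT_MODE)
    items = secret.get("items")
    if not items:
        return {"*": default}
    # A per-item "mode" overrides the volume-wide defaultMode.
    return {i["key"]: i.get("mode", default) for i in items}


def audit_secret_modes(pod, max_mode=0o400):
    """List secret-volume files whose mode grants bits outside max_mode."""
    findings = []
    for vol in pod["spec"].get("volumes", []):
        if "secret" not in vol:
            continue  # emptyDir, configMap, etc. are out of scope here
        for key, mode in effective_modes(vol["secret"]).items():
            if mode & ~max_mode:
                # Manifests carry the mode in decimal; report the octal form too.
                findings.append((vol["name"], key, mode, format(mode, "04o")))
    return findings


if __name__ == "__main__":
    for name, key, dec, octal in audit_secret_modes(SAMPLE_POD):
        print(f"{name}/{key}: mode {dec} is octal {octal}, wider than 0400")
```
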

          yan-hong wang added a comment -

          Hello Carlos,

          In the original podTemplate definition, is it possible to indicate defaultMode for secretVolume?
          secretVolume(secretName: 'jenkins-key-secret', mountPath: '/root/.ssh', defaultMode: '256')

          And since I tried to use the yaml format to define podTemplate, I found the pod name of the Jenkins agent became

          'jenkins-slave-qk297-4f5q7'

          Even though I indicated the name of the pod in the yaml format of podTemplate, that pod name still can't be customized...

          Is that normal behavior?

          Thanks very much.

          BR

          Hong


          Wes Couch added a comment -

          This has been resolved in this PR https://github.com/jenkinsci/kubernetes-plugin/pull/452 . You can now set defaultMode in the pod template since version 1.15.0


            csanchez Carlos Sanchez
            jknurek J Knurek