• Bug
    • Resolution: Fixed
    • Minor
    • kubernetes-plugin
    • None

      use case:

      pipeline
      podTemplate(label: 'jenkpod', containers: [
          containerTemplate(name: 'golang', image: 'golang:1.8', ttyEnabled: true, command: 'cat')
      ], volumes: [
          secretVolume(secretName: 'jenkins-key-secret', mountPath: '/root/.ssh')
      ]) {
          node ('jenkpod') { container('golang') {
              stage('Pre-Build') {
                  sh 'ls -al /root/.ssh'
                  sh 'ssh -vT -i /root/.ssh/ssh-publickey -o "StrictHostKeyChecking=no" git@github.com'
              }
          } }
      }
      
      snippet of generated yaml
      - apiVersion: v1
        kind: Pod
        metadata:
        spec:
          containers:
          - command:
            - cat
            env:
            - name: JENKINS_LOCATION_URL
              value: http://
            - name: HOME
              value: /home/jenkins
            image: golang:1.8
            name: golang
            tty: true
            volumeMounts:
            - mountPath: /root/.ssh
              name: volume-0
            - mountPath: /home/jenkins
              name: workspace-volume
            - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
              name: default-token
              readOnly: true
            workingDir: /home/jenkins
          volumes:
          - name: volume-0
            secret:
              defaultMode: 420
              secretName: jenkins-key-secret
          - emptyDir: {}
            name: workspace-volume
          - name: default-token
            secret:
              defaultMode: 420
              secretName: default-token
      

      NOTE: at the moment, I think because of this bug, the keys are also too open, and so I need to run this before using the key:
      sh 'find /root/.ssh -type f -exec chmod 400 {} \;'

          [JENKINS-42851] secretVolume not created read only

          J Knurek created issue -
          J Knurek made changes -
          Link New: This issue is related to JENKINS-42582 [ JENKINS-42582 ]

          Vladislav Trayanov added a comment - I had the same issue. I mount private key as a secret volume and actually, the permissions are 777 on pod side

          Carlos Sanchez added a comment -

          This works as expected, no permissions are passed to kubernetes

          see https://kubernetes.io/docs/concepts/configuration/secret

          You can also specify the permission mode bits files part of a secret will have. If you don’t specify any, 0644 is used by default. You can specify a default mode for the whole secret volume and override per key if needed.

          You can override the default by using the yaml syntax in the plugin
          Carlos Sanchez made changes -
          Resolution New: Not A Defect [ 7 ]
          Status Original: Open [ 1 ] New: Resolved [ 5 ]

          Vladislav Trayanov added a comment - Sorry, for the dumb question, but how to use the yaml syntax of the plugin? Not sure where I can find it in the docs

          Carlos Sanchez added a comment - https://github.com/jenkinsci/kubernetes-plugin/#using-yaml-to-define-pod-templates

          Bill Warner added a comment -

          csanchez is there an example on how to get the defaultmode injected into the correct array index of the secret volume?


          Carlos Sanchez added a comment -

          something like the example k8s provides

          apiVersion: v1
          kind: Pod
          metadata:
            name: mypod
          spec:
            containers:
            - name: maven
              image: maven:alpine
              volumeMounts:
              - name: foo
                mountPath: "/etc/foo"
            volumes:
            - name: foo
              secret:
                secretName: mysecret
                defaultMode: 256
          Carlos Sanchez made changes -
          Link New: This issue is duplicated by JENKINS-49641 [ JENKINS-49641 ]
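
Added example (not part of the thread or the plugin's documentation): the reporter's pipeline with the pod supplied through the plugin's `yaml` pod template parameter, so that `defaultMode` lands on the secret volume as in the Kubernetes sample above. The volume name `ssh-key`, the `readOnly: true` mount and the `stat` check are assumptions added for illustration.

```groovy
// Added example: the secretVolume() helper from the original pipeline is replaced
// by an explicit volume definition so a mode can be set on the secret's files.
podTemplate(label: 'jenkpod', yaml: '''
apiVersion: v1
kind: Pod
spec:
  containers:
  - name: golang
    image: golang:1.8
    command:
    - cat
    tty: true
    volumeMounts:
    - name: ssh-key
      mountPath: /root/.ssh
      readOnly: true          # assumption: the build never writes to the key mount
  volumes:
  - name: ssh-key             # hypothetical volume name
    secret:
      secretName: jenkins-key-secret
      defaultMode: 256        # decimal for octal 0400; the generated 420 is octal 0644
''') {
    node('jenkpod') {
        container('golang') {
            stage('Pre-Build') {
                // Kubernetes projects each secret key as a symlink; -L makes stat
                // report the mode of the key file rather than of the link.
                sh 'stat -L -c "%a %n" /root/.ssh/*'
            }
        }
    }
}
```

With the mode set in the pod spec, the `chmod 400` workaround step from the issue description is no longer needed before the key is used.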

            csanchez Carlos Sanchez
            jknurek J Knurek
            Votes: 0
            Watchers: 6