[JENKINS-71956] Can't use Octal mode number when using pod template's Raw YAML to config volumes

    • Type: Bug
    • Resolution: Fixed
    • Priority: Critical
    • kubernetes-plugin
    • None
    • jenkins: Version 2.421
      k8s: 1.25.0
      plugin version: 4029.v5712230ccb_f8
    • kubernetes-plugin:4208.v4017b_a_27a_d67

      I'm using a pod template, and use Raw YAML to configure my volumes.

      I have used this for a long time (at least 3 months), and it always worked.

      However, when I upgraded the Kubernetes plugin to the latest version (4029.v5712230ccb_f8) today, my pod could not be created successfully. It shows:

       

      ...
       message-pod "xxx'
      is invalid: [spec.volumes5).configMap.defaultMode: Invalid value: 755: must be a number between 0 and 0777 (octal), both
      inclusive,
      ...
      

       

       

      My pod template's raw YAML is:


      apiVersion: "v1"
      kind: "Pod"
      metadata:
          namespace: build
      spec:
        shareProcessNamespace: true
        automountServiceAccountToken: false
        tolerations:
          - key: "build_node"
            operator: "Exists"
            effect: "NoSchedule"
        nodeSelector:
          build-node: node
        containers:
        - name: "k8s"
          volumeMounts:
          - mountPath: "/usr/local/bin/help_deploy.sh"
            name: "helm-volume"
            readOnly: false
            subPath: "script.sh"
        volumes:
        - configMap:
            name: "helm"
            defaultMode: 0755
            optional: false
          name: "helm-volume"

      This seems to be a bug in the new version.



          Filippos added a comment - - edited

          We are having a similar issue after updating to kubernetes: 4029.v5712230ccb_f8.
          We have a similar pod spec (see below), which was working before the update.
          After the update, we notice in the console logs that the defaultMode gets rendered as 272 when set as 420. Before the update, the value was passed through.
          The permission we want to set is 0644.

          We set 420 in decimal notation, which results in 0644 in octal notation.
          272 in decimal notation is 0420 in octal notation.

          The docs mention that octal notation is not supported on podTemplate.volumes.secretVolume.defaultMode:

          defaultMode : String
          The file permissions for the secret volume. Does not support Octal notation.

          The issue seems to be related to a recent change

          Pod spec:

          kubernetes {
              inheritFrom 'parent'
              label some-label
              yaml """\
                  metadata:
                    ..
                  spec:
                    containers:
                    - name: builder
                      image: some-image
                      imagePullPolicy: Always
                      env:
                      - name: AWS_ROLE_ARN
                        value: some-arn
                      - name: AWS_WEB_IDENTITY_TOKEN_FILE
                        value: /var/run/secrets/eks.amazonaws.com/serviceaccount/token
                        ..
                      resources:
                        ..
                      volumeMounts:
                      - mountPath: /var/run/secrets/eks.amazonaws.com/serviceaccount
                        name: aws-iam-token
                        readOnly: true
                    volumes:
                    - name: aws-iam-token
                      projected:
                        defaultMode: 420
                        sources:
                        - serviceAccountToken:
                            path: token
                            audience: sts.amazonaws.com
                            expirationSeconds: 1800
              """.stripIndent()
              defaultContainer 'builder'
          }
          

          Rendered manifest before the update, as seen in the logs (emphasis on defaultMode):

          apiVersion: "v1"
          kind: "Pod"
          metadata:
            ..
          spec:
            containers:
            - env:
              - name: "AWS_ROLE_ARN"
                value: "some-arn"
              - name: "AWS_WEB_IDENTITY_TOKEN_FILE"
                value: "/var/run/secrets/eks.amazonaws.com/serviceaccount/token"
              image: "some-image"
              imagePullPolicy: "Always"
              name: "builder"
              resources:
                ..
              volumeMounts:
              - mountPath: "/var/run/secrets/eks.amazonaws.com/serviceaccount"
                name: "aws-iam-token"
                readOnly: true
              ..
            ..
            volumes:
            ..
            - name: "aws-iam-token"
              projected:
                defaultMode: 420
                sources:
                - serviceAccountToken:
                    audience: "sts.amazonaws.com"
                    expirationSeconds: 1800
                    path: "token"
          

          Rendered manifest after the update, as seen in the logs:

          apiVersion: "v1"
          kind: "Pod"
          metadata:
            ..
          spec:
            containers:
            - env:
              - name: "AWS_ROLE_ARN"
                value: "some-arn"
              - name: "AWS_WEB_IDENTITY_TOKEN_FILE"
                value: "/var/run/secrets/eks.amazonaws.com/serviceaccount/token"
              image: "some-image"
              imagePullPolicy: "Always"
              name: "builder"
              resources:
                ..
              volumeMounts:
              - mountPath: "/var/run/secrets/eks.amazonaws.com/serviceaccount"
                name: "aws-iam-token"
                readOnly: true
              ..
            ..
            volumes:
            ..
            - name: "aws-iam-token"
              projected:
                defaultMode: 272
                sources:
                - serviceAccountToken:
                    audience: "sts.amazonaws.com"
                    expirationSeconds: 1800
                    path: "token"
          


          Viktor added a comment -

          We're also hit by this, would appreciate any tips on how to move forward here.


          Philippe added a comment -

          Same issue here. I actually rolled back the plugin to fix this issue.

          yordan added a comment -

          Still affected.
          Version: 4186.v1d804571d5d4
           

           


          Jonathan Rogers added a comment -

          I had been avoiding this issue by using "defaultMode: 256" to grant read and write permission to only the user. Yesterday, I upgraded the kubernetes plugin to 4186.v1d804571d5d4, which broke permissions by changing "defaultMode: 256" to "defaultMode: 174" in the YAML sent to Kubernetes. It seems that defaultMode values are now always interpreted as octal whether they start with "0" or not, though YAML in the log still displays decimal. This is very surprising behavior.

          The good news is that I fixed my problem by replacing "defaultMode: 256" with "defaultMode: 0400". However, it should be possible to enable use of octal literals without breaking decimals.

          Allan BURDAJEWICZ added a comment -

          Proposed to use Jackson in the meantime: https://github.com/jenkinsci/kubernetes-plugin/pull/1537
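
The literals reported in this thread (0755, 420, 256, 0400) mean different permission bits depending on which reading the YAML layer applies. The following is an added example, not part of any comment and not the plugin's code: it computes each reading and flags `defaultMode`/`mode` literals in a manifest whose value depends on the parser or falls outside 0..0777. The `always_octal` reading models the behaviour commenters observed after upgrading; all function names and the sample manifest are constructed for illustration.

```python
import re

# Matches "defaultMode: <literal>" or "mode: <literal>" on a single YAML line.
MODE_LINE = re.compile(r"^\s*(?:-\s*)?(?:defaultMode|mode):\s*(\w+)\s*$")

def readings(literal):
    """Integer each reading assigns to the literal (None = not parsed as an int)."""
    out = {"yaml1.1": None, "yaml1.2": None, "always_octal": None}
    if re.fullmatch(r"0[0-7]+", literal):          # YAML 1.1: a leading 0 means octal
        out["yaml1.1"] = int(literal, 8)
    elif re.fullmatch(r"0|[1-9][0-9]*", literal):
        out["yaml1.1"] = int(literal)
    if re.fullmatch(r"[0-9]+", literal):           # YAML 1.2 core: plain digits are decimal
        out["yaml1.2"] = int(literal)
    elif re.fullmatch(r"0o[0-7]+", literal):       # YAML 1.2 spells octal as 0o...
        out["yaml1.2"] = int(literal[2:], 8)
    if re.fullmatch(r"[0-7]+", literal):           # behaviour reported in this thread
        out["always_octal"] = int(literal, 8)
    return out

def rwx(mode):
    return "".join(c if mode & (1 << (8 - i)) else "-" for i, c in enumerate("rwxrwxrwx"))

def audit(manifest):
    """Return (line_no, literal, readings) for literals that are parser-dependent or invalid."""
    findings = []
    for no, line in enumerate(manifest.splitlines(), 1):
        m = MODE_LINE.match(line)
        r = readings(m.group(1)) if m else None
        if r and (len(set(r.values())) > 1 or any(v is None or v > 0o777 for v in r.values())):
            findings.append((no, m.group(1), r))
    return findings

# Constructed sample manifest fragment using values quoted in the thread.
SAMPLE = """\
volumes:
- configMap:
    defaultMode: 0755
- projected:
    defaultMode: 420
- secret:
    defaultMode: 7
"""

if __name__ == "__main__":
    for no, literal, r in audit(SAMPLE):
        shown = {k: None if v is None else f"{v} ({rwx(v)})" for k, v in r.items()}
        print(f"line {no}: {literal} -> {shown}")
```

Comparing the rendered manifest in the build log against the mode actually applied to the mounted files is the reliable check, since the thread notes the logged YAML can still display the decimal value.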

            allan_burdajewicz Allan BURDAJEWICZ
            xia_mu_jin_su Jiang