
[FR]: implement fsUser option for securityContext #119507

Closed
xhejtman opened this issue Jul 21, 2023 · 6 comments
Labels
needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. sig/auth Categorizes an issue or PR as relevant to SIG Auth.

Comments

@xhejtman

Hello,

Currently, it seems not to be possible to project secrets or configmaps into containers as files with strict permissions.

Some applications such as sshd require strict permissions on some files like ~/.ssh/authorized_keys; mainly, it requires that this file is owned by the user. For sshd there is an option to bypass this restriction, StrictModes. However, there are others, like psql, that are able to use ~/.pgpass only with the correct permissions. Operators like cloudnative-pg create a secret that could be projected to ~/.pgpass, but the owner cannot be set, thus psql refuses to use it.

I think it would be great if an fsUser option could be implemented, or some other option that could be used to specify the owner of projected secrets/configmaps.

@k8s-ci-robot k8s-ci-robot added needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Jul 21, 2023
@k8s-ci-robot
Contributor

This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@neolit123
Member

/sig auth

@k8s-ci-robot k8s-ci-robot added sig/auth Categorizes an issue or PR as relevant to SIG Auth. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Jul 21, 2023
@colearendt

colearendt commented Aug 30, 2023

Totally agree. This is super important in order to handle such permission-sensitive services, especially in a "minimum access" context where the container is not running as root or (worse?) the filesystem is read-only. That is where this issue shows up the most.

Workarounds with init containers are awkward and delay container startup time too.
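The init-container workaround mentioned above, written out as an added example that is not part of the issue or of the Kubernetes project. It shows the limitation the issue describes (a secret volume's `defaultMode` controls the mode, and `fsGroup` controls the group, but the files stay owned by uid 0) and the copy-and-chown workaround: a root init container with only `CAP_CHOWN` copies the key into a memory-backed emptyDir, sets mode 0600, and hands ownership to the application uid. The Secret name `db-creds`, its key `pgpass`, the uid/gid 1000 and the image tags are assumptions.

```yaml
# Added example (not from the issue or from Kubernetes). Assumes a Secret
# "db-creds" with key "pgpass" and an application uid/gid of 1000.
apiVersion: v1
kind: Pod
metadata:
  name: pgpass-owner-workaround
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000            # sets the GROUP of projected files; the owner stays uid 0
  volumes:
  - name: pgpass-secret
    secret:
      secretName: db-creds   # assumed Secret
      defaultMode: 0400      # the mode can be restricted, the owner cannot
  - name: pgpass-rw
    emptyDir:
      medium: Memory         # copy lives in tmpfs, never on the node disk
  initContainers:
  - name: fix-pgpass-owner
    image: busybox:1.36
    # Runs as root only to change ownership; everything else is dropped.
    securityContext:
      runAsUser: 0
      runAsNonRoot: false
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
        add: ["CHOWN"]
    command: ["sh", "-c"]
    args:
    - |
      set -eu
      cp /in/pgpass /out/.pgpass
      chmod 0600 /out/.pgpass      # chmod first, while root still owns the file
      chown 1000:1000 /out/.pgpass # needs CAP_CHOWN, the one capability kept
    volumeMounts:
    - name: pgpass-secret
      mountPath: /in
      readOnly: true
    - name: pgpass-rw
      mountPath: /out
  containers:
  - name: psql
    image: postgres:16
    command: ["sleep", "infinity"]
    env:
    - name: PGPASSFILE       # libpq reads this path instead of ~/.pgpass
      value: /pgpass/.pgpass
    securityContext:
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
    volumeMounts:
    - name: pgpass-rw
      mountPath: /pgpass
      readOnly: true
```

The application container ends up with `/pgpass/.pgpass` owned by 1000:1000 with mode 0600, which is what an ownership-checking consumer such as sshd with StrictModes, or libpq's permission check on the password file, expects. The cost is exactly what the comment above describes: an extra container, an extra privileged step in the pod, and added startup latency, all to do what a single `fsUser` field could express.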

@colearendt

colearendt commented Aug 30, 2023

Related to #82263 and #81089

@stlaz
Member

stlaz commented Sep 18, 2023

/close
in favour of #81089

@k8s-ci-robot
Contributor

@stlaz: Closing this issue.

In response to this:

/close
in favour of #81089

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
