Kubernetes Volume Mount Permissions Incorrect For Secret

I am mounting a k8s secret as a volume mount, and the files in the pod have the wrong permissions.

In my Deployment I have this entry in the volumes array:

        - name: ssh-host-keys
          secret:
            secretName: ftp-ssh-host-keys
            defaultMode: 0600

which is then mounted like this:

            - mountPath: /etc/ssh/ssh_host_rsa_key
              name: ssh-host-keys
              subPath: ssh_host_rsa_key
              readOnly: true

However, when I look at the files in the Pod the file permissions are incorrect:

-rw-r--r-- 1 root root 553122 Aug 21  2018 moduli
-rw-r--r-- 1 root root   1723 Aug 21  2018 ssh_config
-rw-r----- 1 root 1337    410 May 11 10:33 ssh_host_ed25519_key
-rw-r----- 1 root 1337   3242 May 11 10:33 ssh_host_rsa_key
-rw-r--r-- 1 root 1337    465 May 11 10:33 sshd_config

i.e. the keys have permissions 0644 instead of 0600.

I don't know why this might be happening.

Upvotes: 25

Views: 35358

Answers (2)

Mark Watney

Reputation: 5980

According to the documentation, owing to JSON limitations, you must specify the mode in decimal notation.

Look to the example provided in the documentation:

    apiVersion: v1
    kind: Pod
    metadata:
      name: mypod
    spec:
      containers:
      - name: mypod
        image: redis
        volumeMounts:
        - name: foo
          mountPath: "/etc/foo"
      volumes:
      - name: foo
        secret:
          secretName: mysecret
          defaultMode: 256

256 decimal is equivalent to 0400 in octal. In your specific case, you should use defaultMode: 384 to get 0600 to have the desired permissions.

You can convert octal permissions here.

Upvotes: 25
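To make the decimal-versus-octal point above checkable, here is an added helper (not from the question or the answer) that converts an intended octal mode to the decimal integer the manifest needs and audits the secret volumes of a Pod or workload manifest, flagging modes the API server would reject (outside 0..0777) and modes that leave key material readable by group or others. The manifest is assumed to be loaded from JSON, and the sample Deployment is constructed for the example.

```python
import json
import stat

# Bits that let the group or others read/write/execute (0o077).
GROUP_OTHER_BITS = stat.S_IRWXG | stat.S_IRWXO

def decimal_mode(octal_str: str) -> int:
    """Convert a mode written in octal ("0600") to the decimal integer
    Kubernetes expects in defaultMode / items[].mode: "0600" -> 384."""
    value = int(octal_str, 8)
    if not 0 <= value <= 0o777:
        raise ValueError(f"mode {octal_str} is outside 0..0777")
    return value

def audit_secret_volumes(manifest: dict) -> list:
    """Report every secret volume in a Pod or workload manifest with its
    effective mode rendered in octal, whether the value is in the range
    the API accepts, and whether group/others could read the files."""
    spec = manifest.get("spec", {})
    # Workloads (Deployment, StatefulSet, ...) carry the pod spec in a template.
    pod_spec = spec.get("template", {}).get("spec", spec)
    report = []
    for vol in pod_spec.get("volumes", []):
        secret = vol.get("secret")
        if secret is None:
            continue
        mode = secret.get("defaultMode", 0o644)  # Kubernetes default is 0644
        report.append({
            "volume": vol["name"],
            "secretName": secret.get("secretName"),
            "octal": f"{mode:04o}",
            "valid": 0 <= mode <= 0o777,
            "exposed": bool(mode & GROUP_OTHER_BITS),
        })
    return report

# Constructed sample: a Deployment with one correct secret volume (384 == 0600),
# one written as "600" by mistake, one relying on the default, and a non-secret volume.
SAMPLE_MANIFEST = json.loads("""{
 "kind": "Deployment",
 "spec": {"template": {"spec": {"volumes": [
   {"name": "ssh-host-keys", "secret": {"secretName": "ftp-ssh-host-keys", "defaultMode": 384}},
   {"name": "tls", "secret": {"secretName": "tls-cert", "defaultMode": 600}},
   {"name": "config", "secret": {"secretName": "app-config"}},
   {"name": "scratch", "emptyDir": {}}
 ]}}}
}""")

if __name__ == "__main__":
    print("0600 ->", decimal_mode("0600"))
    for entry in audit_secret_volumes(SAMPLE_MANIFEST):
        print(entry)
```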

omricoco

Reputation: 931

I think a common confusion is that the files are linked, so ls will show the link permissions by default. See more details here.

Simply add -L: ls -laL /path/to/directory/ to dereference the link.

If that doesn't do the trick, maybe you are facing this bug.

Upvotes: 7
