It's good practice to set strict security contexts for containers and pods in Kubernetes, but connect won't start if the directory is not owned by the current user - even if it can write to it. I feel this is counter-productive and should be removed. I don't see how this condition improves security, and only serves to weaken it in environments with proper security contexts.
❯ k logs onepassword-connect-85bf47bb57-4c9tc
Defaulted container "connect-api" out of: connect-api, connect-sync
Error: Server: (failed to OpenDefault), Wrapped: (failed to defaultPath), failed to ConfigDir: Can't continue. We can't safely access "/.op" because it's not owned by the current user. Change the owner or logged in user and try again.
FloSchick
commented
8 months ago
It's good practice to set strict security contexts for containers and pods in Kubernetes, but connect won't start if the directory is not owned by the current user - even if it can write to it. I feel this is counter-productive and should be removed. I don't see how this condition improves security, and only serves to weaken it in environments with proper security contexts.
security context
pod security context