aws / secrets-store-csi-driver-provider-aws

The AWS provider for the Secrets Store CSI Driver allows you to fetch secrets from AWS Secrets Manager and AWS Systems Manager Parameter Store, and mount them into Kubernetes pods.
Apache License 2.0
465 stars, 132 forks

Capability to set file-system permissions for mounted secrets #263

Open milokrisko opened 1 year ago

milokrisko commented 1 year ago

Describe the solution you'd like

Supposing my secret is an ssh key. Then I'm going to want the file to have permissions 0600, else I'll get

```
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
```

Anything else you would like to add:

Common advice seems to be to run an initContainer and adjust the permissions on files as needed from that. But the secrets-store-csi-driver insists that I mount the volume as read-only, so that doesn't work.

This request was copied from https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/722, as the resolution there was to submit it as a request under the specific cloud provider, and I didn't notice any request filed for AWS as of now.

milokrisko commented 1 year ago

My current workaround is "terrible".

I forced the secrets-store-csi-driver to sync the files as a k8s Secret (which I didn't need before), and then I set up a mount of this Secret as a volume, where those changes are enabled via k8s:

```yaml
- name: ssh_keys
  secret:
    defaultMode: 420
    items:
```

This way the mounting works, even though I do have this configuration there twice under different paths, for example /data/keys/aws, and from k8s it's synced into /data/keys/.

jbct commented 1 year ago

Thank you for the feature enhancement request. We will look into this.

colearendt commented 1 year ago

We are encountering the same problem. We have a product that requires 600 permissions on its secrets.

Just for clarity, we used the same workaround / solution discussed above:

Tedious to set up, and it clutters our Kubernetes cluster with an extra Secret resource. Worth noting that permissions are also pretty complicated in Kubernetes Secrets / volume mounts.
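The sync-to-Secret workaround described in the two comments above, written out end to end as an added example (this is not configuration posted by either commenter or shipped by the project). The SecretProviderClass name, the Secrets Manager object name, the Secret name, the image and the mount paths are hypothetical placeholders; the `secretObjects` block is what mirrors the fetched object into a Kubernetes Secret, and the second volume mounts that Secret with a restrictive `defaultMode` instead of the CSI driver's fixed permissions.

```yaml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: ssh-key-spc
spec:
  provider: aws
  parameters:
    objects: |
      - objectName: "example/ssh-private-key"   # placeholder Secrets Manager name
        objectType: "secretsmanager"
        objectAlias: "id_ed25519"
  # Mirror the fetched object into a Kubernetes Secret named ssh-key-synced.
  secretObjects:
    - secretName: ssh-key-synced
      type: Opaque
      data:
        - objectName: "id_ed25519"
          key: id_ed25519
---
apiVersion: v1
kind: Pod
metadata:
  name: ssh-client
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 1000
  containers:
    - name: app
      image: example/app:latest   # placeholder image
      volumeMounts:
        # The CSI mount must exist: it triggers the fetch and the Secret sync.
        - name: secrets-store
          mountPath: /mnt/secrets-store
          readOnly: true
        # The synced Secret is what the application reads; its mode is adjustable.
        - name: ssh-keys
          mountPath: /home/app/.ssh
  volumes:
    - name: secrets-store
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: ssh-key-spc
    - name: ssh-keys
      secret:
        secretName: ssh-key-synced
        defaultMode: 0400   # owner-read only; the thread's 420 (0644) is world-readable
```

After deployment, check the effective mode inside the container with `stat /home/app/.ssh/id_ed25519` rather than trusting `defaultMode` verbatim: when `fsGroup` is set, the kubelet chowns the Secret files to that group and adds group-read, so the result is typically 0440 rather than 0400.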

fgoura commented 8 months ago

I am not able to change the permissions of the files mounted using secretprovider-csi-driver with the AWS provider. My files are getting mounted as root with 644 permissions, while I want my mounted files to have 655 permissions. I tried setting defaultMode, but it throws an error that defaultMode is not a valid attribute. I also tried adding filePermissions in secretprovider.yaml, but that is also not working. Reference: https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/858

```yaml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: awssecrets
spec:
  provider: aws
  parameters:
    objects: |
        - objectName: "/tmp/dev/ca.pem"
          objectType: "secretsmanager"
          objectAlias: "ca.pem"
          filePermission: 0655
```

Could someone please help with updating the file ownership and file permissions here? It seems this issue is resolved for the Azure provider, but I am not able to find any solution for the AWS provider. Kindly help.

bankmonitor-gabor-viczai commented 6 months ago

+1

Same situation here. We would also like to mount secure strings from Parameter Store as a non-root user with 400 permissions. We even failed to set ownership with the standard k8s fsGroup attribute...

Worth mentioning here that a guy solved this for Microsoft Azure two years ago: https://github.com/Azure/secrets-store-csi-driver-provider-azure/issues/225