Issue
If I create a secret from an id_rsa file using kubectl as:
kubectl create secret generic hcom-secret --from-file=ssh-privatekey=./.ssh/id_rsa
And then mount the secret into the container
"volumeMounts": [
  {"name": "cfg", "readOnly": false, "mountPath": "/home/hcom/.ssh"}
]
"volumes": [
  {"name": "cfg", "secret": { "secretName": "hcom-secret" }}
],
The resulting file is not id_rsa but ssh-privatekey, and the permissions on it are not 600, which ssh expects.
Is this a correct approach, or can anyone please detail how this should be done?
Solution
The official Kubernetes docs for secrets cover this exact use-case.
To create the secret, use:
$ kubectl create secret generic my-secret --from-file=ssh-privatekey=/path/to/.ssh/id_rsa --from-file=ssh-publickey=/path/to/.ssh/id_rsa.pub
To mount the secret in your containers, use the following Pod config:
{
  "kind": "Pod",
  "apiVersion": "v1",
  "metadata": {
    "name": "secret-test-pod",
    "labels": {
      "name": "secret-test"
    }
  },
  "spec": {
    "volumes": [
      {
        "name": "secret-volume",
        "secret": {
          "secretName": "my-secret"
        }
      }
    ],
    "containers": [
      {
        "name": "ssh-test-container",
        "image": "mySshImage",
        "volumeMounts": [
          {
            "name": "secret-volume",
            "readOnly": true,
            "mountPath": "/etc/secret-volume"
          }
        ]
      }
    ]
  }
}
Kubernetes doesn't actually have a way to control file permissions for a secret as of now, but a recent Pull Request did add support for changing the path of secrets. This support was added with 1.3, as per this comment.
Here are the permissions-related GitHub issues:
- https://github.com/kubernetes/kubernetes/issues/4789
- https://github.com/kubernetes/kubernetes/issues/28317
Answered By - ffledgling Answer Checked By - Willingham (WPSolving Volunteer)
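The answer above predates the `defaultMode` and per-item `mode` fields that secret volumes gained in Kubernetes 1.6, which are what actually solve the "file is called ssh-privatekey and is not mode 600" problem. The manifest below is an added example, not code from the question, the answer, or the Kubernetes docs; the secret name `hcom-ssh`, the user/group id 1000, the image and the target host are assumptions. It renames the key to `id_rsa` via `items[].path`, sets an owner-and-group-read-only mode, and keeps the key out of `~/.ssh` so the secret volume does not shadow `config` and `known_hosts`.

```yaml
# Added example (assumed names): mount an SSH private key from a Secret as
# id_rsa with restrictive permissions, for Kubernetes 1.6 or later.
#
# Create the secret first. The name left of "=" becomes the key inside the
# Secret, so it is renamed to id_rsa below rather than at creation time:
#   kubectl create secret generic hcom-ssh \
#     --from-file=ssh-privatekey=./.ssh/id_rsa \
#     --from-file=known_hosts=./.ssh/known_hosts
apiVersion: v1
kind: Pod
metadata:
  name: ssh-client
spec:
  securityContext:
    runAsUser: 1000          # assumption: the container's ssh process runs as uid 1000
    runAsNonRoot: true
    # The kubelet writes secret files as root. fsGroup makes it chown them
    # to this group and add group-read, which is what lets uid 1000 open a
    # root-owned key. Without fsGroup a 0400 key is unreadable to non-root.
    fsGroup: 1000
  containers:
  - name: ssh
    image: example/ssh-client:latest   # assumption: any image with an OpenSSH client
    command: ["ssh"]
    args:
    # Point ssh at the mounted key and the pinned host keys explicitly.
    # OpenSSH only applies its "permissions are too open" check to key files
    # owned by the invoking user; this file is owned by root, so 0440 is accepted.
    - "-i"
    - "/etc/ssh-key/id_rsa"
    - "-o"
    - "IdentitiesOnly=yes"
    - "-o"
    - "UserKnownHostsFile=/etc/ssh-key/known_hosts"
    - "-o"
    - "StrictHostKeyChecking=yes"
    - "git@example.invalid"              # assumption: target host
    volumeMounts:
    - name: ssh-key
      mountPath: /etc/ssh-key
      readOnly: true                     # the pod has no reason to write here
  volumes:
  - name: ssh-key
    secret:
      secretName: hcom-ssh
      # YAML parses a leading-zero literal as octal, so 0440 is mode r--r-----.
      # In a JSON manifest write the decimal value 288 instead.
      defaultMode: 0440
      items:
      - key: ssh-privatekey   # the key chosen at "kubectl create secret"
        path: id_rsa          # the file name ssh expects inside the mount
        mode: 0440
      - key: known_hosts
        path: known_hosts
```

If a tool insists on a key owned by the current user with mode 0600, the usual workaround is an init container or entrypoint that copies the mounted file into an `emptyDir` and runs `chmod 600` on the copy, since files written by the kubelet into a secret volume are always owned by root. Avoid `subPath` mounts for this: they work for a single file, but a `subPath`-mounted secret is never updated when the Secret changes.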