Merge pull request kubernetes#25 from ApsOps/remove-chmod

thockin · web-flow · commit b29839f3338d · 2016-12-21T18:46:01.000-08:00
Remove chmod command since we can specify permissions for a Secret Volume
diff --git a/cmd/git-sync/main.go b/cmd/git-sync/main.go
@@ -471,17 +471,13 @@ func setupGitAuth(username, password, gitURL string) error {
 func setupGitSSH() error {
 	log.V(1).Infof("setting up git SSH credentials")
 
-	if _, err := os.Stat("/etc/git-secret/ssh"); err != nil {
+	fileInfo, err := os.Stat("/etc/git-secret/ssh")
+	if err != nil {
 		return fmt.Errorf("error: could not find SSH key Secret: %v", err)
 	}
 
-	// Kubernetes mounts Secret as 0444 by default, which is not restrictive enough to use as an SSH key.
-	// TODO: Remove this command once Kubernetes allows for specifying permissions for a Secret Volume.
-	// See https://github.com/kubernetes/kubernetes/pull/28936.
-	if err := os.Chmod("/etc/git-secret/ssh", 0400); err != nil {
-
-		// If the Secret Volume is mounted as readOnly, the read-only filesystem nature prevents the necessary chmod.
-		return fmt.Errorf("error running chmod on Secret (make sure Secret Volume is NOT mounted with readOnly=true): %v", err)
+	if fileInfo.Mode() != 0400 {
+		return fmt.Errorf("Permissions %s for SSH key are too open. It is recommeded to mount secret volume with `defaultMode: 256` (decimal number for octal 0400).", fileInfo.Mode())
 	}
 
 	return nil
diff --git a/docs/ssh.md b/docs/ssh.md
@@ -73,6 +73,4 @@ In your git-sync container configuration, mount the Secret Volume at "/etc/git-s
     ],
 }
 ```
-**Note: Do not mount the Secret Volume with "readOnly: true".** Kubernetes mounts the Secret with permissions 0444 by default (not restrictive enough to be used as an SSH key), so the container runs a chmod command on the Secret. Mounting the Secret Volume as a read-only filesystem prevents chmod and thus prevents the use of the Secret as an SSH key.
-
-***TODO***: Remove the chmod command once Kubernetes allows for specifying permissions for a Secret Volume. See https://github.com/kubernetes/kubernetes/pull/28936.
+**Note:** Kubernetes mounts the Secret with permissions 0444 by default (not restrictive enough to be used as an SSH key), so make sure you use secret volume with `defaultMode: 256` (decimal number for octal 0400).

Original file line number	Diff line number	Diff line change
`@@ -73,6 +73,4 @@ In your git-sync container configuration, mount the Secret Volume at "/etc/git-s`
`73`	`73`	`],`
`74`	`74`	`}`
`75`	`75`	```
`76`		`-Note: Do not mount the Secret Volume with "readOnly: true". Kubernetes mounts the Secret with permissions 0444 by default (not restrictive enough to be used as an SSH key), so the container runs a chmod command on the Secret. Mounting the Secret Volume as a read-only filesystem prevents chmod and thus prevents the use of the Secret as an SSH key.`
`77`		`-`
`78`		`-*TODO*: Remove the chmod command once Kubernetes allows for specifying permissions for a Secret Volume. See https://github.com/kubernetes/kubernetes/pull/28936.`
	`76`	+Note: Kubernetes mounts the Secret with permissions 0444 by default (not restrictive enough to be used as an SSH key), so make sure you use secret volume with `defaultMode: 256` (decimal number for octal 0400).