Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

FIle permissions changes during mutation #56

Open
1 task done
vistasunil opened this issue May 31, 2024 · 2 comments
Open
1 task done

FIle permissions changes during mutation #56

vistasunil opened this issue May 31, 2024 · 2 comments

Comments

@vistasunil
Copy link

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

We see this policy changing file permissions during fsgroup changes, which is undesirable and impacting workloads to run as expected. Policy should only change the fsgroup to minimum range value if not defined in the pod yaml but its goes beyond that and changes mounted file permissions as well.

Below is the example:
Actual yaml file deployed with example mount:

...
terminationGracePeriodSeconds: 30
volumes:
- name: example
  secret:
    defaultMode: 400
    secretName: example
 ...

During deployment, policy mutates the fsgroup to 1 for the pod and changes permission on the file as well:

/example/..2024_05_30_14_22_45.1613250004:
total 8
drwxr-sr-x. 2 root bin   80 May 30 13:30 .
drwxrwsrwt. 3 root bin  120 May 30 13:30 ..
-r--r-----. 1 root **bin** 1679 May 30 13:30 example

Expected Behavior

Permissions on the file must not be touched by mutating policy. Because this is impacting the work expected from pods.

So, after mount the file permission should look like below:

/example/..2024_05_30_14_22_45.1613250004:
total 8
drwxr-xr-x. 2 root root   80 May 30 14:22 .
drwxrwxrwt. 3 root root  120 May 30 14:22 ..
-r--------. 1 root **root** 1679 May 30 14:22 example

Steps To Reproduce

This can be reproduced by deploying any pod without fsgroup defined and mounting a secret file with 400 permissions.

Environment

- OS: Linux
- Architecture: x86_64

Anything else?

No response
@jvanz jvanz added this to Kubewarden May 31, 2024
@vistasunil
Copy link
Author

@jvanz any update on this issue?

@viccuad
Copy link
Member

viccuad commented Jun 4, 2024

Hi, thanks for opening this issue.

Policy should only change the fsgroup to minimum range value if not defined in the pod yaml but its goes beyond that and changes mounted file permissions as well.

This is not performed by the policy per se, the policy only sets the Pods' securityContext.fsGroups.

Changing the mounted file permissions is done by Kubernetes when securityContext.fsGroup is set. It is its default behavior. One can configure the securityContext further via securityContext.fsGroupChangePolicy, but note that it doesn't apply to Secrets, as the reproducer you provided. You can learn more about it here:

https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#configure-volume-permission-and-ownership-change-policy-for-pods

Steps To Reproduce
This can be reproduced by deploying any pod without fsgroup defined and mounting a secret file with 400 permissions.

If you want the policy to accept without performing mutations when no fsgroup has been defined, one can configure the policy settings using MayRunAs as explained on the readme. Eg:

rule: MayRunAs
ranges:
  - min: 1000
    max: 2000

If you want the policy to reject without performing mutations, one can configure the policy settings using MustRunAs, and can deploy the policy with spec.mutating to false.

I hope I'm understanding the problem correctly. Does this solve the issue?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
Kubewarden
Status: No status
Milestone
No milestone
Development

No branches or pull requests
2 participants
@viccuad @vistasunil