I am new to K8S. I have a YAML file which generates Kubernetes secrets mounted on projected volumes. Upon execution, I found that the secret files (packaged with secrets) are showing "root" as file owner and group owner. I want to change the file owner and group owner to the same specific user (say 450).
I have tried using "chown" from an init container (tried it but failed), but I got an error saying "read-only file system" and could not modify the file and group owner. I do not want to use "fsGroup" under securityContext. I observed that the "mode:" option under "items" behaves in an unpredictable manner when fsGroup is used.
Is there any way to modify the default file and group owner of the Kubernetes secret files that are mounted via projected volumes?
I am providing the sample code below. Suppose I want to change the file and group owner of the "password" file (under 'mysecret2') in the sample below. How can I achieve it?
apiVersion: v1
kind: Pod
metadata:
  name: volume-test
spec:
  containers:
  - name: container-test
    image: busybox
    volumeMounts:
    - name: all-in-one
      mountPath: "/projected-volume"
      readOnly: true
  volumes:
  - name: all-in-one
    projected:
      sources:
      - secret:
          name: mysecret
          items:
          - key: username
            path: username
      - secret:
          name: mysecret2
          items:
          - key: password
            path: password
            mode: 511
As far as I know, there's no way to change owner UID for secrets.
A workaround is to copy a secret to a normal file, then change its ownership and mode, like this:
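apiVersion: v1
kind: Pod
metadata:
  name: volume-test
spec:
  containers:
  - name: container-test
    image: busybox
    # The image must provide su-exec, the my-user account and /entrypoint.sh.
    command:
    - "/bin/sh"
    - "-exc"
    - |
      # Copy the secret out of the read-only mount, then fix owner and mode on the copy.
      mkdir -p /etc/secrets
      cp /etc/secrets-mount/*_pgpass /etc/secrets/
      chown my-user /etc/secrets/*_pgpass
      chmod 600 /etc/secrets/*_pgpass
      exec su-exec my-user /entrypoint.sh
    volumeMounts:
    - name: secrets
      mountPath: /etc/secrets-mount/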
....
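The copy-then-chown workaround from the answer above, written as a reusable shell function for a container entrypoint; this is an added example, not code from the original answer. The function name `install_secrets`, the `/run/app-secrets` destination and mode `400` are assumptions, and `450` is the UID from the question. Changing the owner to another user requires the script to start as root.

```shell
#!/bin/sh
# Added example: copy secret files out of a read-only secret/projected
# mount into a writable directory, then set owner and mode on the copies.
#
# Usage: install_secrets SRC_DIR DST_DIR OWNER[:GROUP] MODE
# DST_DIR must be a directory dedicated to these copies: it is set to 0700.
install_secrets() {
    src=$1 dst=$2 owner=$3 mode=$4
    [ -d "$src" ] || { echo "no such secret mount: $src" >&2; return 1; }
    (
        # Subshell so the umask change does not leak to the caller.
        # With umask 077 the copies are never group/world readable,
        # even in the window before chown/chmod run.
        umask 077
        mkdir -p "$dst" || exit 1
        for f in "$src"/*; do
            # Secret volumes expose each key as a symlink into ..data/;
            # the glob skips the dot entries and -f follows the symlink.
            [ -f "$f" ] || continue
            name=$(basename "$f")
            # -L copies the file content rather than the symlink itself.
            cp -L "$f" "$dst/$name" || exit 1
            chown "$owner" "$dst/$name" || exit 1
            chmod "$mode" "$dst/$name" || exit 1
        done
        chown "$owner" "$dst" && chmod 700 "$dst"
    )
}

# In the pod this would run as root before dropping privileges, e.g.:
#   install_secrets /projected-volume /run/app-secrets 450:450 400
```

If the destination is an in-memory `emptyDir` volume, the copied secret stays off the node's disk, as the original secret mount does.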