Volumes created from ConfigMaps and Secrets have 777 permissions by default #30147

@Cris-GarGon

Description

Environmental Info:
Node(s) CPU architecture, OS, and Version:
Red Hat Enterprise Linux release 8.10 (Ootpa)

Cluster Configuration:
1 master, 4 workers

Describe the bug:
When a ConfigMap or a Secret is created and mounted as a volume in a Deployment, the resulting volume has 777 permissions. This can be a security issue, as it allows any system user to read and write to the volume.

Steps To Reproduce:

  1. Create a ConfigMap or a Secret in OpenShift.
  2. Mount the ConfigMap or Secret as a volume in a Deployment.
  3. Verify the permissions of the created volume.

Expected behavior:
The created volume should have more restrictive permissions, such as 644 or 600, depending on the configuration and intended use.

Actual behavior:
The created volume has 777 permissions, allowing full access to any system user.

Additional context / logs:
Example command to verify permissions:
sudo find / -perm -007 \( -type f -o -type d \) -ls

Example output:
262958 4 drwxrwxrwx 3 root root 4096 Aug 10 13:49 /var/lib/kubelet/pods/ad05694c-d570-4b8f-8a63-adb9b8e6787f/volumes/kubernetes.io~configmap/config-volume

Configuration used:

apiVersion: v1
kind: ConfigMap
metadata:
  name: app-nginx
  namespace: default
data:
  nginx.conf: |
  ...
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
  namespace: default
...
        volumeMounts:
            - name: config-volume
              subPath: ./nginx.conf
              mountPath: /etc/nginx/conf.d/default.conf
      volumes:
        - name: config-volume
          configMap:
            name: app-nginx
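As an added example (not part of the issue report or its configuration), here is the same Deployment with explicit `defaultMode` values on the ConfigMap and Secret volumes. `defaultMode` is the Kubernetes field that sets the mode of the projected files (the default is 0644); it does not change the mode of the volume directory under `/var/lib/kubelet/pods/...` that the `find` output above lists. The container image, the `app-tls` Secret and the `fsGroup` value are assumed.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels: {app: nginx}
  template:
    metadata:
      labels: {app: nginx}
    spec:
      securityContext:
        # Assumed value. Projected files are group-owned by fsGroup, so a
        # non-root container can still read them with a 0440 mode.
        fsGroup: 10001
      containers:
        - name: nginx
          image: nginx:1.27          # assumed image
          volumeMounts:
            - name: config-volume
              mountPath: /etc/nginx/conf.d/default.conf
              subPath: nginx.conf
              readOnly: true         # the mount itself refuses writes, whatever the file mode
            - name: tls
              mountPath: /etc/nginx/tls
              readOnly: true
      volumes:
        - name: config-volume
          configMap:
            name: app-nginx
            # Without this line the file is created 0644 (world-readable).
            defaultMode: 0440        # octal; JSON manifests must use decimal (288)
        - name: tls
          secret:
            secretName: app-tls      # assumed Secret with tls.crt / tls.key
            defaultMode: 0440        # key material: owner and fsGroup only
            items:
              - key: tls.crt
                path: tls.crt
                mode: 0444           # certificate is public; per-item mode overrides defaultMode
              - key: tls.key
                path: tls.key
```

The resulting file modes can be checked from inside the pod with `kubectl exec deploy/app -- stat -c '%a %U:%G %n' /etc/nginx/conf.d/default.conf /etc/nginx/tls/tls.key`, which should report 440 for both files.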

Metadata

Labels: lifecycle/rotten (Denotes an issue or PR that has aged beyond stale and will be auto-closed.)