OpenShift API for Data Protection
OADP-6595: [IBM QE-Z] Verify Bug OADP-5023 - Update Velero's /credentials/cloud permissions, part deux


    • Type: Sub-task
    • Resolution: Done
    • Priority: Undefined
    • OADP 1.5.1
    • Quality / Stability / Reliability

      Update Velero's /credentials/cloud permissions from the current 0644 to something more restrictive.

      Currently, Velero's /credentials/cloud secret is mounted as world-readable. I believe this is the result of it being mounted with 420 (decimal) permissions. This translates to octal 0644:

      $ oc get deploy/velero -o jsonpath='{.spec.template.spec.volumes[?(@.name=="cloud-credentials")].secret.defaultMode}{"\n"}'
      420

      $ oc exec -ti -c velero velero-6f8b6d6797-7jlb5 -- ls -lL /credentials/cloud
      -rw-r--r--. 1 root 1000740000 243 Jul 16 16:37 /credentials/cloud

      Ideally only the owner and group would be able to read this file, as it contains the storage access key, among other sensitive information.

       

      <wes>

      requesting change to 0640 on creds

      Use cases to be addressed:

      Case 1: backup location using the default cloud-credentials secret (no explicit credential reference)

      spec:
        backupLocations:
          - velero:
              config:
                profile: default
                region: us-east-1
              default: true
              objectStorage:
                bucket: my-bucket-name
                prefix: velero
              provider: aws
        configuration:
          velero:
            defaultPlugins:
              - openshift
              - aws

      Case 2: backup location with an explicit credential reference (key: cloud, name: cloud-credentials)

      spec:
        backupLocations:
          - velero:
              config:
                profile: default
                region: us-east-1
              credential:
                key: cloud
                name: cloud-credentials
              default: true
              objectStorage:
                bucket: my-bucket-name
                prefix: velero
              provider: aws
        configuration:
          velero:
            defaultPlugins:
              - openshift
              - aws

      Case 3: as case 2, plus a snapshot location

      spec:
        backupLocations:
          - velero:
              config:
                profile: default
                region: us-east-1
              credential:
                key: cloud
                name: cloud-credentials
              default: true
              objectStorage:
                bucket: my-bucket-name
                prefix: velero
              provider: aws
        configuration:
          velero:
            defaultPlugins:
              - openshift
              - aws
        snapshotLocations:
          - velero:
              config:
                profile: default
                region: us-west-2
              provider: aws

      Please update as needed
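As an added verification helper (example code written for this page, not part of the issue or of the OADP project): the script below turns the check quoted from the bug and the 0640 change wes requests into a pass/fail test. It converts the decimal defaultMode returned by the jsonpath query into octal, checks that the "other" permission bits are clear, and checks the "other" rwx triple of the ls -lL output, so it can be run after deploying any of the three DPA configurations above wherever the secret is mounted at /credentials/cloud. The deployment name, volume name, mount path and the 420/0644 output come from the issue; the post-fix value 0640 (decimal 416) is wes's request. The namespace openshift-adp and the pod label selector in check_live_cluster are assumptions, and the two sample ls lines are constructed (the first reproduces the pre-fix output quoted in the bug, the second is what the same command should show at 0640).

```shell
#!/bin/sh
# Added example for OADP-6595 / OADP-5023; not code from the issue or the OADP project.
# Assumptions: OADP namespace "openshift-adp" and the Velero pod label selector below.

# Convert a Kubernetes secret defaultMode (decimal, as printed by the jsonpath
# query in the bug) into a four-digit octal mode string: 420 -> 0644, 416 -> 0640.
decimal_to_octal() {
    printf '%04o\n' "$1"
}

# Return 0 when the octal mode grants nothing to "other" (last digit is 0),
# 1 when anyone in the container can read, write or execute the file.
other_bits_clear() {
    case "$1" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# Check the "other" field of an ls -l mode string such as "-rw-r--r--.".
# Character 1 is the file type, 2-4 owner, 5-7 group, 8-10 other.
ls_mode_other_clear() {
    mode="$1"
    other=$(printf '%s' "$mode" | cut -c8-10)
    [ "$other" = "---" ]
}

# Verdict for one Velero deployment: takes the decimal defaultMode and the
# ls -lL line for /credentials/cloud, prints PASS or FAIL and returns 0 or 1.
check_credentials_mode() {
    default_mode_dec="$1"
    ls_line="$2"
    octal=$(decimal_to_octal "$default_mode_dec")
    ls_mode=$(printf '%s' "$ls_line" | cut -d' ' -f1)
    if other_bits_clear "$octal" && ls_mode_other_clear "$ls_mode"; then
        echo "PASS: defaultMode=$default_mode_dec (octal $octal), file mode $ls_mode"
        return 0
    fi
    echo "FAIL: defaultMode=$default_mode_dec (octal $octal), file mode $ls_mode is readable by others"
    return 1
}

# Live check against a cluster; needs oc and a logged-in session, so it is not
# called below. The namespace default and the pod label are assumptions.
check_live_cluster() {
    ns="${1:-openshift-adp}"
    dec=$(oc -n "$ns" get deploy/velero \
        -o jsonpath='{.spec.template.spec.volumes[?(@.name=="cloud-credentials")].secret.defaultMode}')
    pod=$(oc -n "$ns" get pod -l component=velero -o jsonpath='{.items[0].metadata.name}')
    line=$(oc -n "$ns" exec -c velero "$pod" -- ls -lL /credentials/cloud)
    check_credentials_mode "$dec" "$line"
}

# Constructed sample inputs: the pre-fix line quoted in the bug (defaultMode 420)
# and the expected line once the secret is mounted with defaultMode 416 (0640).
BEFORE_LS='-rw-r--r--. 1 root 1000740000 243 Jul 16 16:37 /credentials/cloud'
AFTER_LS='-rw-r-----. 1 root 1000740000 243 Jul 16 16:37 /credentials/cloud'

# Demonstrate on the constructed samples (the failing case's exit status is ignored here).
check_credentials_mode 420 "$BEFORE_LS" || true
check_credentials_mode 416 "$AFTER_LS"
```

Both checks are kept because they fail independently: defaultMode is what the operator writes into the Deployment, while the ls output is what the container actually sees after the projected volume is created, so a regression in either place is caught.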

              uprasad@redhat.com Ukthi Prasad
              akarol@redhat.com Aziza Karol