- Bug
- Resolution: Unresolved
- Normal
- None
- 4.13.z, 4.12.z, 4.14.z, 4.15.z
- No
- False
Description of problem:
The default serviceaccount automounted token "/var/run/secrets/kubernetes.io/serviceaccount/token" does not get the correct permissions. The defaultMode is 420 and the token gets 640 permissions instead of 644. Reproduced and found that this is happening for a custom namespace. For example:

1. Created a pod in the default namespace, and the file gets 644 and root owner and root user:

~~~
sh-4.4$ ls -lahL /var/run/secrets/kubernetes.io/serviceaccount/..data/
total 20K
drwxr-xr-x. 2 root root 120 May 21 21:55 .
drwxrwxrwt. 3 root root 160 May 21 21:55 ..
-rw-r--r--. 1 root root 7.2K May 21 21:55 ca.crt
-rw-r--r--. 1 root root    7 May 21 21:55 namespace
-rw-r--r--. 1 root root 1.2K May 21 21:55 service-ca.crt
-rw-r--r--. 1 root root 1.3K May 21 21:55 token
sh-4.4$
~~~

2. When creating the same pod in a new namespace called test, it gets the 640 permissions and a random UID/GID:

~~~
sh-4.4$ ls -lahL /var/run/secrets/kubernetes.io/serviceaccount/..data/
total 20K
drwxr-sr-x. 2 root       1000780000  120 May 21 21:57 .
drwxrwsrwt. 3 root       1000780000  160 May 21 21:57 ..
-rw-r--r--. 1 root       1000780000 7.2K May 21 21:57 ca.crt
-rw-r--r--. 1 root       1000780000    7 May 21 21:57 namespace
-rw-r--r--. 1 root       1000780000 1.2K May 21 21:57 service-ca.crt
-rw-r-----. 1 1000780000 1000780000 1.3K May 21 21:57 token
sh-4.4$
~~~
Version-Release number of selected component (if applicable):
Reproduced in OCP 4.12.55, 4.15.9
How reproducible:
Always
Steps to Reproduce:
1. Create a new namespace.
2. Deploy a pod/deployment and rsh to the pod.
3. Check the file permissions: $ ls -lahL /var/run/secrets/kubernetes.io/serviceaccount/..data/
Actual results:
The token file ignores the defaultMode value and gets 640 permissions.
Expected results:
The token file should get the correct permissions by respecting the defaultMode value.
Additional info:
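An added check script (not part of the bug report) that parses the ls -lahL listing quoted in the description and flags regular files whose permission bits differ from what the pod spec's decimal defaultMode encodes; the listing is copied from the report's second reproduction, and the 420 value is the default the report cites.

```python
import re
import stat

# Decimal defaultMode from the pod spec; 420 == 0o644 (the value the report cites).
DEFAULT_MODE = 420

# Listing lines copied from the report's second reproduction (namespace "test").
LISTING = """\
total 20K
drwxr-sr-x. 2 root 1000780000 120 May 21 21:57 .
drwxrwsrwt. 3 root 1000780000 160 May 21 21:57 ..
-rw-r--r--. 1 root 1000780000 7.2K May 21 21:57 ca.crt
-rw-r--r--. 1 root 1000780000 7 May 21 21:57 namespace
-rw-r--r--. 1 root 1000780000 1.2K May 21 21:57 service-ca.crt
-rw-r-----. 1 1000780000 1000780000 1.3K May 21 21:57 token
"""

# One "ls -l" entry: type+perms (optional SELinux dot), links, owner, group, size, date (3 fields), name.
LINE_RE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})\.?\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\S+\s+\S+\s+\d+\s+\S+\s+(?P<name>.+)$"
)

def symbolic_to_bits(perms):
    """Turn the 9-character rwx string into st_mode permission bits (setuid/setgid/sticky included)."""
    bits = 0
    for i, ch in enumerate(perms):
        if ch in "rwxst":            # lowercase s/t also carry the execute bit
            bits |= 1 << (8 - i)
        if ch in "sS":
            bits |= stat.S_ISUID if i == 2 else stat.S_ISGID
        elif ch in "tT":
            bits |= stat.S_ISVTX
    return bits

def check_listing(text, default_mode=DEFAULT_MODE):
    """Return (name, actual, expected, owner, group) for regular files whose mode differs from defaultMode."""
    expected = default_mode & 0o777
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("mode").startswith("-"):
            continue                 # skip "total", directories and symlinks
        actual = symbolic_to_bits(m.group("mode")[1:]) & 0o777
        if actual != expected:
            findings.append((m.group("name"), f"{actual:04o}", f"{expected:04o}",
                             m.group("owner"), m.group("group")))
    return findings

if __name__ == "__main__":
    for name, actual, expected, owner, group in check_listing(LISTING):
        print(f"{name}: mode {actual} (expected {expected}), owner {owner}:{group}")
```

Run inside the pod against the live output of the ls command from the reproduction steps to confirm whether the token file still deviates from defaultMode after a fix.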