Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Accessing the IRSA service account token as a non-root user #27

Closed
jicowan opened this issue Aug 7, 2020 · 1 comment
Closed

Accessing the IRSA service account token as a non-root user #27

jicowan opened this issue Aug 7, 2020 · 1 comment
Assignees
@jicowan
Labels
enhancement Enhancement to an existing best practice

Comments

@jicowan
Copy link
Contributor

jicowan commented Aug 7, 2020

If you run your application as a non-root user [a best practice] you cannot access the IRSA service account token because it is assigned 0600 [root] permissions by default. If you update the securityContext for your container to include fsgroup=65534 [Nobody] the container will be able to read the token.

spec:
  securityContext:
    fsGroup: 65534

This is supposed to be fixed in an upcoming release of k8s, kubernetes/enhancements#1598.
@jicowan jicowan added documentation enhancement Enhancement to an existing best practice labels Aug 7, 2020
@jicowan jicowan self-assigned this Aug 7, 2020
@jicowan
Copy link
Contributor Author

jicowan commented Sep 13, 2020

Added to docs

@jicowan jicowan closed this as completed Sep 13, 2020
@sherifabdlnaby sherifabdlnaby mentioned this issue Feb 27, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jicowan jicowan

Labels
enhancement Enhancement to an existing best practice
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@jicowan