Changing default file owner and group owner of kubernetes secrets files mounted on projected volumes
As far as I know, there's no way to change owner UID for secrets.
A workaround is to copy a secret to a normal file, then change its ownership and mode, like this:
apiVersion: v1
kind: Pod
metadata:
  name: volume-test
spec:
  containers:
  - name: container-test
    image: busybox
    # busybox ships /bin/sh, not /bin/bash; the script is passed as the
    # third element of the command list rather than under a block scalar
    command:
    - "/bin/sh"
    - "-exc"
    - |
      # copy the secret out of the read-only mount so it can be chowned
      cp /etc/secrets-mount/*_pgpass /etc/
      chown my-user /etc/*_pgpass
      chmod 600 /etc/*_pgpass
      # su-exec must be present in the image
      exec su-exec my-user /entrypoint.sh
    volumeMounts:
    - name: secrets
      mountPath: /etc/secrets-mount
....
As Alexey said, it is not possible at this time, until github.com/kubernetes/kubernetes/issues/81089 is done.
His solution works perfectly, unless you have securityContext.runAsNonRoot set, in which case the container won't have rights on the secret.
In my case, I had to do the following:
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      ##########################################
      # Volumes definitions
      volumes:
      - name: key-volume
        emptyDir:
          sizeLimit: "8k"
      - name: root-owned-key-volume
        secret:
          secretName: my-secret
          items:
          - key: a_key_file
            path: a_key_file
            mode: 0600
      ##########################################
      # initContainers definitions
      initContainers:
      - name: set-key-ownership
        image: alpine:3.6
        command: ["sh", "-c", "cp /root-key/* /key && chown -R 33:33 /key"]
        volumeMounts:
        - mountPath: /key
          name: key-volume
        - mountPath: /root-key
          name: root-owned-key-volume
      ##########################################
      # Containers definitions
      containers:
      - name: my-main-container
        (...)
        securityContext:
          runAsNonRoot: true
          runAsUser: 33
        (...)
        volumeMounts:
        - mountPath: /key
          name: key-volume
Basically, knowing that it is impossible to change the ownership of the secret file, an initContainer will copy it to another temporary folder and change ownership of this new file.
Gross, but at least it's working.
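The title asks about both the owner and the group owner. The answers above are right that the owner UID of a secret file on the projected volume itself cannot be changed, but the group can: `securityContext.fsGroup` makes the kubelet chown the files of a secret volume to that GID and OR group-read into their mode, which is enough for a non-root user that is a member of the group. This matters because secret files default to mode 0644 (world-readable), so the failure in the second answer only appears once `mode: 0600` is set; fsGroup lets you keep the tighter permissions without copying. The Pod spec below is an added example written for this page, not code from either answer; the Pod name, the Secret name `my-secret`, the key `a_key_file`, the image tag and the UID/GID 33 are assumptions, reusing the values from the answer above for comparison.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: fsgroup-demo            # assumed name
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 33               # same non-root UID as in the answer above (assumed)
    runAsGroup: 33
    fsGroup: 33                 # kubelet chowns the secret files to root:33 and
                                # ORs 0440 into their mode, so GID 33 can read them
  volumes:
  - name: key-volume
    secret:
      secretName: my-secret     # assumed Secret name, as in the answer above
      defaultMode: 0440         # owner and group read only; the owner stays root,
                                # so without fsGroup this would be unreadable by UID 33
  containers:
  - name: app
    image: alpine:3.18          # assumed image
    command: ["sh", "-c", "ls -ln /key/ && cat /key/a_key_file > /dev/null && echo readable; sleep 3600"]
    volumeMounts:
    - name: key-volume
      mountPath: /key
      readOnly: true
```

`ls -ln /key/` in the container should show the file owned by UID 0 and GID 33 with mode `-r--r-----`, and the `cat` succeeds as UID 33. One caveat for the specific case in the first answer: libpq ignores a `.pgpass` file whose permissions allow group or world access and requires it to be owned by the connecting user with mode 0600 or stricter, so for a pgpass file the group-readable fsGroup layout is not enough and the copy-then-chown approach from the answers remains necessary.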