Question

I'm trying to use the id_rsa file as a secret inside a container. So I create as secret out of it using kubectl:

kubectl create secret generic hcom-secret --from-file=ssh-privatekey=./.ssh/id_rsa

Then I mount it into the container:

"volumeMounts": [
        {"name": "cfg", "readOnly": false, "mountPath": "/home/hcom/.ssh"}
      ]

"volumes": [
      {"name": "cfg", "secret": { "secretName": "hcom-ssh" }}
    ],

What should be id_rsa becomes ssh-privatekey and also the permissions on it are not 600 which ssh needs. Am I doing something wrong here. Please shine some light?

Answer 1

Check the official docs here for a similar use case. Create the secret using:

$ kubectl create secret generic my-secret --from-file=ssh-privatekey=/path/to/.ssh/id_rsa --from-file=ssh-publickey=/path/to/.ssh/id_rsa.pub

Now mount it using this pod config:

{
  "kind": "Pod",
  "apiVersion": "v1",
  "metadata": {
    "name": "secret-test-pod",
    "labels": {
      "name": "secret-test"
    }
  },
  "spec": {
    "volumes": [
      {
        "name": "secret-volume",
        "secret": {
          "secretName": "my-secret"
        }
      }
    ],
    "containers": [
      {
        "name": "ssh-test-container",
        "image": "mySshImage",
        "volumeMounts": [
          {
            "name": "secret-volume",
            "readOnly": true,
            "mountPath": "/etc/secret-volume"
          }
        ]
      }
    ]
  }
}

Kubernetes in itself does not have any way of controlling file permissions for a secret right now. You can check out this if it helps:

• https://github.com/kubernetes/kubernetes/issues/4789
• https://github.com/kubernetes/kubernetes/issues/28317