Comments (13)
Please remind me why git-sync checks the permissions of the ssh key? Things seem to work just fine with a read-only secret mount and this patch:
~ $ ls -l /etc/git-secret/..data/ssh
-rw-r--r-- 1 root root 3247 Jan 24 19:59 /etc/git-secret/..data/ssh
~ $ whoami
nobody
~ $ /git-sync
I0124 20:00:13.780489 11 main.go:164] starting up: ["/git-sync"]
I0124 20:00:14.617866 11 main.go:326] cloned git@...
I0124 20:00:14.620342 11 main.go:270] syncing to HEAD (c894417410d94e2c17023f3ae21759df4dedb5e3)
I0124 20:00:15.375681 11 main.go:283] added worktree /git/rev-c894417410d94e2c17023f3ae21759df4dedb5e3 for origin/master
I0124 20:00:15.377998 11 main.go:303] reset worktree /git/rev-c894417410d94e2c17023f3ae21759df4dedb5e3 to c894417410d94e2c17023f3ae21759df4dedb5e3
diff --git a/cmd/git-sync/main.go b/cmd/git-sync/main.go
index 4817762..38ab36a 100644
--- a/cmd/git-sync/main.go
+++ b/cmd/git-sync/main.go
@@ -476,15 +476,11 @@ func setupGitSSH(setupKnownHosts bool) error {
var pathToSSHSecret = "/etc/git-secret/ssh"
var pathToSSHKnownHosts = "/etc/git-secret/known_hosts"
- fileInfo, err := os.Stat(pathToSSHSecret)
+ _, err := os.Stat(pathToSSHSecret)
if err != nil {
return fmt.Errorf("error: could not find SSH key Secret: %v", err)
}
- if fileInfo.Mode() != 0400 {
- return fmt.Errorf("Permissions %s for SSH key are too open. It is recommended to mount secret volume with `defaultMode: 256` (decimal number for octal 0400).", fileInfo.Mode())
- }
-
if setupKnownHosts {
_, err := os.Stat(pathToSSHKnownHosts)
if err != nil {
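Review bot: deleting the whole mode comparison at `- if fileInfo.Mode() != 0400 {` removes the only protection the key file had, when the actual problem with the original check is that strict equality rejects every other locked-down mode (a 0600 key, for example) while saying nothing about whether the running uid can read the file at all. Rather than dropping the block, relax it to reject only group/other bits, e.g. `if fileInfo.Mode().Perm()&0077 != 0 {`, keep `fileInfo, err := os.Stat(pathToSSHSecret)` instead of discarding the result with `_`, and reword the error so it no longer demands exactly 0400.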
from git-sync.
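The reason the root-owned -rw-r--r-- key in the session above works as nobody is that OpenSSH's own permission check (sshkey_perm_ok in authfile.c) only rejects group/other bits on a private key when the file is owned by the calling uid. The following is an added example, not git-sync's code, that puts the strict check the patch removes next to a hypothetical alternative applying that same rule and then verifying the key can actually be opened; the function names and the dummy key fixture are constructed for illustration.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"syscall"
)

// strictKeyCheck mirrors the check the patch above deletes: the mode must be
// exactly 0400. A root-owned 0400 Secret passes this test yet is unreadable by
// "nobody", while a 0600 key the user can read fails it.
func strictKeyCheck(path string) error {
	fi, err := os.Stat(path)
	if err != nil {
		return fmt.Errorf("error: could not find SSH key Secret: %v", err)
	}
	if fi.Mode() != 0400 {
		return fmt.Errorf("permissions %s for SSH key are too open", fi.Mode())
	}
	return nil
}

// opensshStyleKeyCheck is a hypothetical replacement. It applies OpenSSH's rule
// (group/other bits are only a problem when the key is owned by the calling uid)
// and then confirms the current process can open the file, which is what actually
// breaks when a root-owned 0400 Secret is mounted into a pod running as nobody.
func opensshStyleKeyCheck(path string) error {
	fi, err := os.Stat(path) // follows the ..data symlink a Secret mount creates
	if err != nil {
		return fmt.Errorf("error: could not find SSH key Secret: %v", err)
	}
	if !fi.Mode().IsRegular() {
		return fmt.Errorf("SSH key %s is not a regular file (mode %s)", path, fi.Mode())
	}
	uid, known := ownerUID(fi)
	if known && uid == os.Getuid() && fi.Mode().Perm()&0o077 != 0 {
		return fmt.Errorf("permissions %s for SSH key %s are too open; mount the Secret with defaultMode: 256 (0400) or 384 (0600)",
			fi.Mode().Perm(), path)
	}
	f, err := os.Open(path)
	if err != nil {
		return fmt.Errorf("SSH key %s is not readable by uid %d (owner uid %d, mode %s): %v",
			path, os.Getuid(), uid, fi.Mode().Perm(), err)
	}
	return f.Close()
}

// ownerUID extracts the owning uid from the stat result (Unix only).
func ownerUID(fi fs.FileInfo) (int, bool) {
	st, ok := fi.Sys().(*syscall.Stat_t)
	if !ok {
		return -1, false
	}
	return int(st.Uid), true
}

// writeKeyFixture writes a constructed dummy key and chmods it afterwards so the
// umask cannot change the mode under test.
func writeKeyFixture(dir, name string, mode fs.FileMode) (string, error) {
	p := filepath.Join(dir, name)
	dummy := "-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed dummy, not a real key)\n-----END OPENSSH PRIVATE KEY-----\n"
	if err := os.WriteFile(p, []byte(dummy), 0o600); err != nil {
		return "", err
	}
	if err := os.Chmod(p, mode); err != nil {
		return "", err
	}
	return p, nil
}

func main() {
	dir, err := os.MkdirTemp("", "git-secret")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	for _, mode := range []fs.FileMode{0o400, 0o600, 0o644} {
		p, err := writeKeyFixture(dir, fmt.Sprintf("ssh-%o", mode), mode)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%o: strict=%v openssh-style=%v\n", mode, strictKeyCheck(p), opensshStyleKeyCheck(p))
	}
}
```

Run as the owner of the fixtures, 0400 passes both checks, 0600 fails only the strict one, and 0644 fails both. The case the thread is really about (root-owned 0400, process running as nobody) passes the strict check and is caught only by the final os.Open in the alternative.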
Let me throw in a "please!" to this ticket.
My team is using Rancher. Rancher's environment template for Kubernetes includes SecurityContextDeny in the admission-control flag provided to the API container. Naturally, this prevents using the runAsUser setting in the pod configuration.
We also need to provide an SSH key to access our private Git repo. So, we add a k8s secret containing the private key, but it's owned by root, and the container runs as nobody. You can see the dilemma here.
from git-sync.
Do we have a good enumeration of why it needs root?
from git-sync.
Creating the .netrc file does need more permissions than are available without running as root. Files are owned by root (if I remember right), but the container is only running as nobody.
Additionally, the SSH key mounted via Secrets is owned by root and needs root to be used, as the defaultMode locks it down to be used only by root. It probably needs an FS mount as user nobody, which I'm looking into.
The specifics are still under investigation.
from git-sync.
I will be working on the git-sync issues at the end of this week. It's high on my priority list.
from git-sync.
Had a first look at the issue, but nothing satisfying yet. I had less time on my hands than expected to do a deep dive on it. The next time frame will be just after KubeCon EU.
from git-sync.
Is this still going to be fixed?
from git-sync.
It's still on the roadmap. We are also happy to take PRs on this. Sorry for the slow progress. Didn't have the highest priority yet.
from git-sync.
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Prevent issues from auto-closing with an /lifecycle frozen comment.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or @fejta.
/lifecycle stale
from git-sync.
/lifecycle frozen
/remove-lifecycle stale
from git-sync.
Unless you're using the SSH functionality you do not need to run as root at all, and I am not sure even SSH needs it, as you point out. We still want the SSH keys to be protected, so I don't think we want to remove the checking of perms, but I don't think it needs root anywhere.
I'm just going to remove that from docs.
from git-sync.