changing permission for kubeconfig file inside the shell pod

rancher · Mar 7, 2024 · 663d58d · 663d58d
1 parent 7913f27
commit 663d58d
Showing 1 changed file with 38 additions and 5 deletions.
diff --git a/pkg/podimpersonation/podimpersonation.go b/pkg/podimpersonation/podimpersonation.go
@@ -512,10 +512,12 @@ func (s *PodImpersonation) adminKubeConfig(user user.Info, role *rbacv1.ClusterR
 
 func (s *PodImpersonation) augmentPod(pod *v1.Pod, sa *v1.ServiceAccount, secret *v1.Secret, imageOverride string) *v1.Pod {
 	var (
-		zero = int64(0)
-		t    = true
-		f    = false
-		m    = int32(420)
+		zero      = int64(0)
+		t         = true
+		f         = false
+		m         = int32(0o644)
+		m2        = int32(0o600)
+		shellUser = 1000
 	)
 
 	pod = pod.DeepCopy()
@@ -535,11 +537,18 @@ func (s *PodImpersonation) augmentPod(pod *v1.Pod, sa *v1.ServiceAccount, secret
 		},
 		v1.Volume{
 			Name: "user-kubeconfig",
+			VolumeSource: v1.VolumeSource{
+				EmptyDir: &v1.EmptyDirVolumeSource{},
+			},
+		},
+		v1.Volume{
+			Name: "user-kube-configmap",
 			VolumeSource: v1.VolumeSource{
 				ConfigMap: &v1.ConfigMapVolumeSource{
 					LocalObjectReference: v1.LocalObjectReference{
 						Name: s.userConfigName(),
 					},
+					DefaultMode: &m2,
 				},
 			},
 		},
@@ -559,9 +568,33 @@ func (s *PodImpersonation) augmentPod(pod *v1.Pod, sa *v1.ServiceAccount, secret
 				continue
 			}
 
+			vmount := v1.VolumeMount{
+				Name:      "user-kubeconfig",
+				MountPath: "/tmp/.kube",
+			}
+			cfgVMount := v1.VolumeMount{
+				Name:      "user-kube-configmap",
+				MountPath: "/home/.kube/config",
+				SubPath:   "config",
+			}
+
+			pod.Spec.InitContainers = []v1.Container{
+				{
+					Name:         "init-container",
+					Image:        "registry.suse.com/bci/bci-busybox",
+					Command:      []string{"sh", "-c", fmt.Sprintf("cp %s %s && chown %d %s/config", cfgVMount.MountPath, vmount.MountPath, shellUser, vmount.MountPath)},
+					Resources:    v1.ResourceRequirements{},
+					ResizePolicy: nil,
+					SecurityContext: &v1.SecurityContext{
+						RunAsUser:  &zero,
+						RunAsGroup: &zero,
+					},
+					VolumeMounts: []v1.VolumeMount{cfgVMount, vmount},
+				},
+			}
+
 			pod.Spec.Containers[i].VolumeMounts = append(container.VolumeMounts, v1.VolumeMount{
 				Name:      "user-kubeconfig",
-				ReadOnly:  true,
 				MountPath: envvar.Value,
 				SubPath:   "config",
 			})