mirrors/velero
1
0
Fork 0
mirror of https://github.com/vmware-tanzu/velero.git synced 2025-12-23 06:15:21 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Mounted cloud credentials should not be world-readable (#8919)

Browse Source 
Signed-off-by: Scott Seago <sseago@redhat.com>
This commit is contained in:
Scott Seago
2025-07-17 22:45:38 -04:00
committed by GitHub
parent e88fbb6fa5
commit 29a8bc4492
4 changed files with 11 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
changelogs/unreleased/8919-sseago Normal file
View File

@@ -0,0 +1 @@
Mounted cloud credentials should not be world-readable

3
internal/credentials/file_store.go
View File

@@ -71,7 +71,8 @@ func (n *namespacedFileStore) Path(selector *corev1api.SecretKeySelector) (strin
keyFilePath := filepath.Join(n.fsRoot, fmt.Sprintf("%s-%s", selector.Name, selector.Key))
file, err := n.fs.OpenFile(keyFilePath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0644)
// owner RW perms, group R perms, no public perms
file, err := n.fs.OpenFile(keyFilePath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0640)
if err != nil {
return "", errors.Wrap(err, "unable to open credentials file for writing")
}

5
pkg/install/daemonset.go
View File

@@ -23,6 +23,7 @@ import (
appsv1api "k8s.io/api/apps/v1"
corev1api "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/utils/ptr"
"github.com/vmware-tanzu/velero/internal/velero"
"github.com/vmware-tanzu/velero/pkg/nodeagent"
@@ -188,7 +189,9 @@ func DaemonSet(namespace string, opts ...podTemplateOption) *appsv1api.DaemonSet
Name: "cloud-credentials",
VolumeSource: corev1api.VolumeSource{
Secret: &corev1api.SecretVolumeSource{
SecretName: "cloud-credentials",
// read-only for Owner, Group, Public
DefaultMode: ptr.To(int32(0444)),
SecretName: "cloud-credentials",
},
},
},

5
pkg/install/deployment.go
View File

@@ -24,6 +24,7 @@ import (
appsv1api "k8s.io/api/apps/v1"
corev1api "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/utils/ptr"
"github.com/vmware-tanzu/velero/internal/velero"
"github.com/vmware-tanzu/velero/pkg/builder"
@@ -411,7 +412,9 @@ func Deployment(namespace string, opts ...podTemplateOption) *appsv1api.Deployme
Name: "cloud-credentials",
VolumeSource: corev1api.VolumeSource{
Secret: &corev1api.SecretVolumeSource{
SecretName: "cloud-credentials",
// read-only for Owner, Group, Public
DefaultMode: ptr.To(int32(0444)),
SecretName: "cloud-credentials",
},
},
},