Mounted cloud credentials should not be world-readable (#8919)

Signed-off-by: Scott Seago <sseago@redhat.com>
2026-01-05 21:14:56 +00:00 · 2025-07-17 22:45:38 -04:00
parent e88fbb6fa5
commit 29a8bc4492
4 changed files with 11 additions and 3 deletions
--- a/pkg/install/daemonset.go
+++ b/pkg/install/daemonset.go
@@ -23,6 +23,7 @@ import (
 	appsv1api "k8s.io/api/apps/v1"
 	corev1api "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/ptr"

 	"github.com/vmware-tanzu/velero/internal/velero"
 	"github.com/vmware-tanzu/velero/pkg/nodeagent"
@@ -188,7 +189,9 @@ func DaemonSet(namespace string, opts ...podTemplateOption) *appsv1api.DaemonSet
 				Name: "cloud-credentials",
 				VolumeSource: corev1api.VolumeSource{
 					Secret: &corev1api.SecretVolumeSource{
-						SecretName: "cloud-credentials",
+						// read-only for Owner, Group, Public
+						DefaultMode: ptr.To(int32(0444)),
+						SecretName:  "cloud-credentials",
 					},
 				},
 			},
--- a/pkg/install/deployment.go
+++ b/pkg/install/deployment.go
@@ -24,6 +24,7 @@ import (
 	appsv1api "k8s.io/api/apps/v1"
 	corev1api "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/ptr"

 	"github.com/vmware-tanzu/velero/internal/velero"
 	"github.com/vmware-tanzu/velero/pkg/builder"
@@ -411,7 +412,9 @@ func Deployment(namespace string, opts ...podTemplateOption) *appsv1api.Deployme
 				Name: "cloud-credentials",
 				VolumeSource: corev1api.VolumeSource{
 					Secret: &corev1api.SecretVolumeSource{
-						SecretName: "cloud-credentials",
+						// read-only for Owner, Group, Public
+						DefaultMode: ptr.To(int32(0444)),
+						SecretName:  "cloud-credentials",
 					},
 				},
 			},