Comments (13)

cbandy commented on August 22, 2024 (4)

Please remind me why git-sync checks the permissions of the SSH key? Things seem to work just fine with a read-only secret mount and this patch:

~ $ ls -l /etc/git-secret/..data/ssh
-rw-r--r-- 1 root root 3247 Jan 24 19:59 /etc/git-secret/..data/ssh
~ $ whoami
nobody
~ $ /git-sync
I0124 20:00:13.780489      11 main.go:164] starting up: ["/git-sync"]
I0124 20:00:14.617866      11 main.go:326] cloned git@...
I0124 20:00:14.620342      11 main.go:270] syncing to HEAD (c894417410d94e2c17023f3ae21759df4dedb5e3)
I0124 20:00:15.375681      11 main.go:283] added worktree /git/rev-c894417410d94e2c17023f3ae21759df4dedb5e3 for origin/master
I0124 20:00:15.377998      11 main.go:303] reset worktree /git/rev-c894417410d94e2c17023f3ae21759df4dedb5e3 to c894417410d94e2c17023f3ae21759df4dedb5e3
diff --git a/cmd/git-sync/main.go b/cmd/git-sync/main.go
index 4817762..38ab36a 100644
--- a/cmd/git-sync/main.go
+++ b/cmd/git-sync/main.go
@@ -476,15 +476,11 @@ func setupGitSSH(setupKnownHosts bool) error {
 	var pathToSSHSecret = "/etc/git-secret/ssh"
 	var pathToSSHKnownHosts = "/etc/git-secret/known_hosts"
 
-	fileInfo, err := os.Stat(pathToSSHSecret)
+	_, err := os.Stat(pathToSSHSecret)
 	if err != nil {
 		return fmt.Errorf("error: could not find SSH key Secret: %v", err)
 	}
 
-	if fileInfo.Mode() != 0400 {
-		return fmt.Errorf("Permissions %s for SSH key are too open. It is recommended to mount secret volume with `defaultMode: 256` (decimal number for octal 0400).", fileInfo.Mode())
-	}
-
 	if setupKnownHosts {
 		_, err := os.Stat(pathToSSHKnownHosts)
 		if err != nil {
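Review bot: the mode check is deleted outright instead of being corrected; the comparison it removes, `fileInfo.Mode() != 0400`, tests the whole mode word against one exact value, so a 0600 key (what ssh-keygen writes) or a group-readable key fails just like a world-readable one, and that strictness, not the check itself, is what forces the workaround. Keep `fileInfo` and compare only the permission bits, refusing group and other access, e.g. `if fileInfo.Mode().Perm()&0o077 != 0 {`, so a 0400 or 0600 key owned by the non-root container user passes and a world-readable one is still rejected; the error text pointing at `defaultMode: 256` belongs with that check rather than being dropped.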

from git-sync.

doublecompile commented on August 22, 2024 (3)

Let me throw in a "please!" to this ticket.

My team is using Rancher. Rancher's environment template for Kubernetes includes SecurityContextDeny in the admission-control flag provided to the API container. Naturally, this prevents using the runAsUser setting in the pod configuration.

We also need to provide an SSH key to access our private Git repo. So, we add a k8s secret containing the private key, but it's owned by root, and the container runs as nobody. You can see the dilemma here.

from git-sync.

thockin commented on August 22, 2024

Do we have a good enumeration of why it needs root?

from git-sync.

stp-ip commented on August 22, 2024

Creating the .netrc file does need more permissions than are available without running as root. Files are owned by root (if I remember right), but the container is only running as nobody.

Additionally, the SSH key mounted via secrets is owned by root and needs root to be used, as the defaultMode locks it down to be used only by root. It probably needs an FS mount as user nobody, which I'm looking into.

The specifics are still under investigation.

from git-sync.

thockin commented on August 22, 2024

from git-sync.

stp-ip commented on August 22, 2024

from git-sync.

stp-ip commented on August 22, 2024

Will be working on the git-sync issues at the end of this week. It's high on my priority list.

from git-sync.

stp-ip commented on August 22, 2024

Had a first look at the issue, but nothing satisfying yet. I had less time on my hands for a deep dive on it. The next time frame will be just after KubeCon EU.

from git-sync.

sergiomss commented on August 22, 2024

Is this still going to be fixed?

from git-sync.

stp-ip commented on August 22, 2024

It's still on the roadmap. We are also happy to take PRs on this. Sorry for the slow progress. Didn't have the highest priority yet.

from git-sync.

fejta-bot commented on August 22, 2024

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

Prevent issues from auto-closing with an /lifecycle frozen comment.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or @fejta.
/lifecycle stale

from git-sync.

thockin commented on August 22, 2024

/lifecycle frozen
/remove-lifecycle stale

from git-sync.

thockin commented on August 22, 2024

Unless you're using the SSH functionality you do not need to run as root at all, and I am not sure even SSH needs it, as you point out. We still want the SSH keys to be protected, so I don't think we want to remove the checking of perms, but I don't think it needs root anywhere.

I'm just going to remove that from docs.

from git-sync.
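The thread has two concerns pulling against each other: cbandy's patch drops the permission check because the exact `Mode() != 0400` comparison fails on a root-owned Secret mount, while thockin wants the key to stay protected without git-sync needing root. The example below is added here to show a check that satisfies both; it is not git-sync's code, and the names `originalCheckPasses`, `checkSSHKeyPerms` and `writeFakeSecret` are hypothetical. It assumes kubelet's Secret volume layout (a `..data` directory plus a symlink per key) and assumes that setting `fsGroup` on the pod makes kubelet chown the key to that group and add group read (0440), which is why an `allowGroupRead` switch is provided. The key contents are a constructed placeholder.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// Constructed placeholder; not a real private key.
const fakeKey = "-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed placeholder\n-----END OPENSSH PRIVATE KEY-----\n"

// originalCheckPasses reproduces the comparison the patch in this thread
// removes: the whole mode word must equal 0400 exactly, so a 0600 key (what
// ssh-keygen writes) or a 0440 key (assumed result of a Secret mount with
// fsGroup set) is rejected along with a world-readable one.
func originalCheckPasses(path string) (bool, error) {
	info, err := os.Stat(path)
	if err != nil {
		return false, err
	}
	return info.Mode() == 0400, nil
}

// checkSSHKeyPerms is the relaxed check this example proposes (hypothetical
// name). It follows the ..data symlink, looks only at the permission bits and
// rejects any "other" access and any group access beyond read; group read is
// tolerated only when allowGroupRead is set, for the fsGroup case. Nothing
// here needs root: a 0400 or 0600 key owned by the container user passes.
func checkSSHKeyPerms(path string, allowGroupRead bool) error {
	info, err := os.Stat(path) // Stat follows the symlink into ..data
	if err != nil {
		return fmt.Errorf("could not find SSH key Secret: %w", err)
	}
	if !info.Mode().IsRegular() {
		return fmt.Errorf("SSH key %s is not a regular file (mode %v)", path, info.Mode())
	}
	perm := info.Mode().Perm()
	forbidden := fs.FileMode(0o077) // any group or other bit
	if allowGroupRead {
		forbidden = 0o037 // group write/execute and all of other
	}
	if perm&forbidden != 0 {
		return fmt.Errorf("permissions %v for SSH key %s are too open; mount the Secret with defaultMode: 256 (octal 0400) so group/other bits are clear", perm, path)
	}
	return nil
}

// writeFakeSecret lays out dir the way kubelet lays out a Secret volume:
// the file lives under ..data/ and a symlink with the key's name points at it.
// It returns the symlink path, which is what a consumer would open.
func writeFakeSecret(dir string, mode fs.FileMode) (string, error) {
	data := filepath.Join(dir, "..data")
	if err := os.MkdirAll(data, 0o755); err != nil {
		return "", err
	}
	target := filepath.Join(data, "ssh")
	if err := os.WriteFile(target, []byte(fakeKey), 0o600); err != nil {
		return "", err
	}
	// os.WriteFile applies the umask; Chmod sets the exact bits we want.
	if err := os.Chmod(target, mode); err != nil {
		return "", err
	}
	link := filepath.Join(dir, "ssh")
	if err := os.Symlink(filepath.Join("..data", "ssh"), link); err != nil {
		return "", err
	}
	return link, nil
}

func main() {
	for _, mode := range []fs.FileMode{0o400, 0o600, 0o440, 0o644} {
		dir, err := os.MkdirTemp("", "git-secret-")
		if err != nil {
			panic(err)
		}
		key, err := writeFakeSecret(dir, mode)
		if err != nil {
			panic(err)
		}
		strict, _ := originalCheckPasses(key)
		fmt.Printf("mode %04o: original=%v relaxed=%v relaxed+fsGroup=%v\n",
			mode, strict, checkSSHKeyPerms(key, false) == nil, checkSSHKeyPerms(key, true) == nil)
		os.RemoveAll(dir)
	}
}
```

Run it as an unprivileged user: only the 0644 case is refused by both relaxed variants, 0440 is accepted only with `allowGroupRead`, and the original comparison accepts nothing but an exact 0400. Whether to enable `allowGroupRead` in a real deployment depends on confirming how your kubelet applies `fsGroup` to Secret files; the point of keeping the check at all is that a key readable by every user in the image is still caught.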
