'Read-only file system' error when using kubernetes secret for ssh auth
I am trying to establish SSH authentication between Jenkins and GitHub. For the same, I am using the kubernetes secret to store the private and public key and I am mounting the secrets when the pod is created. Command I have used to create the secret:
kubectl create secret generic test-ssh --from-file=id_rsa=id_rsa --from-file=id_rsa.pub=id_rsa.pub --namespace jenkins
and mapped it in pod configuration as:
volumes:
- secretVolume:
mountPath: "/root/.ssh"
secretName: "test-ssh"
When the pod is created, I can see that the secret is mapped correctly in the ~/.ssh folder as shown below.
but the problem is the ~/.ssh folder itself has the sticky bit permission enabled
and this is preventing the builds adding the known_hosts file when ssh-keyscan command is executed
ssh-keyscan github.com >> ~/.ssh/known_hosts
bash: ~/.ssh/known_hosts: Read-only file system
I was hoping to achieve one of the two solutions I can think of
- Remove the sticky permissions from
~/.sshfolder after it is created - While mounting the kubernetes secret, mount it without sticky permissions
Could anyone help me to understand if there is a possibility to achieve this?
I have already tried chmod -t .ssh and it gives me the same error chmod: changing permissions of '.ssh': Read-only file system
The owner of the ~/.ssh folder is root and I have logged in as root user. I have confirmed this by running the whoami command.
Secrets aren't mounts that allow for permissions to be alter, so you have to do some trickery to get it to work. Recently I ran into a similar issue, and had to make it work. We use a custom image to perform the ssh calls, so we added the .ssh dir and the known_hosts files to the image; setting the permissions in the Dockerfile. I then used the subPath to target the id_rsa and id_rsa.pub files in the deployment. I don't have my mappings handy but can tomorrow if necessary to show what I mean. I think the 'official' answer was to mount the files in a different location and cp them where they needed to be in an initContainer using a shared mount or in the entrypoint file/binary.
- How can I close over variables in kdb/Q?
- When is the EACH operator extension necessary in K besides mod/rotate?
- Handling single-character strings - in a function or in its caller? ssr()
- Kdb+ data fomat when writing to a file
- How to convert a symbol to a string in kdb+?
- Sum of each two elements using vector functions
- A dictionary with a single value and multiple keys
- Table transformation, table as list of dicts
- Accumulator gives different result then direct function applying
- Reshape [cols;table]
- FK field over IPC
- Protected execution, 2 cases
- Enums for tables
- Converge (fixed point) syntax difference in q and k
- .Q.trp and bt handling
- NULLs in q and in k.h
- Strange view declaration behaviour
- How to build a parse-tree of projections?
- Could not evaluate manually created equial ~ parse tree
- Select distinct for all columns from keyed table
- Parallel execution: blocking receive, deferred synchronous
- Multiple variable assignment in q
- Select a table from the inside of external select
- Select when one of filter-column may not exists
- What is the meaning of `s attribute on a table?
- On parallel execution - which side reports about an error?
- Validate if a keyed table have unique keys
- Applying dictionary to dictionary
- About xkey implementation
- Parse tree built on values from vars