-
Notifications
You must be signed in to change notification settings - Fork 2.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix AWS IAM Roles for Service Accounts permission problem. #1185
Fix AWS IAM Roles for Service Accounts permission problem. #1185
Conversation
Welcome @serialx! |
Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA. It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
Updated CLA account settings. |
Interesting. Do you know how the file permissions are for the Kubernetes service account token? Because this is mounted in a similar way and works with the |
Kubernetes tokens seems to be
|
Very interesting, this means containers must run as root to use this feature. I don't think this is intended and we should make at least AWS aware. |
Comparing the two codes doesn't show any hints on why they differ in permissions:
Strange. |
Reported to the amazon-eks-pod-identity-webhook repository. |
The problem is here: It's hardcoded to octal 0600. 🤦♂️ |
Damn. But both code uses |
No, this one is for projected service account tokens. |
I was able to read a projected service account token with nobody by using ...
securityContext:
fsGroup: 65534
volumes:
- name: token-vol
projected:
sources:
- serviceAccountToken:
path: token $ whoami
nobody
$ ls -la /var/run/secrets/kubernetes.io/serviceaccount/..data/
-rw-r----- 1 root nobody 1102 Sep 11 15:33 token |
Any chances to get a timeline when this is going to be released? |
I'd defer to @linki , but I think that if a change of configuration will allow to do that, I'd rather change the docs to mention this than change the dockerfile. |
https://stackoverflow.com/questions/34831861/can-i-assume-that-nobody-is-65534 You can't. nobody has had at least a few different IDs across distros and time: Historically, the user “nobody” was assigned UID -2 by several operating systems, although other values such as 2^(15)−1 = 32,767 are also in use, such as by OpenBSD. For compatibility between 16-bit and 32-bit UIDs, many Linux distributions now set it to be 2^(16)−2 = 65,534; the Linux kernel defaults to returning this value when a 32-bit UID does not fit into the return value of the 16-bit system calls. An alternative convention assigns the last UID of the range statically allocated for system use (0-99) to nobody: 99. |
Yeah, but the docker file already specifies 65534, so it doesn't really matter does it? https://github.com/kubernetes-incubator/external-dns/blob/master/Dockerfile#L36 |
Amazon EKS supports IAM Roles for Service Accounts. It mounts tokens files to `/var/run/secrets/eks.amazonaws.com/serviceaccount/token`. Unfortunately, external-dns runs as 'nobody' so it cannot access this file. External DNS is then unable to make any AWS API calls to work: ``` time="2019-09-11T07:31:53Z" level=error msg="WebIdentityErr: unable to read file at /var/run/secrets/eks.amazonaws.com/serviceaccount/token\ncaused by: open /var/run/secrets/eks.amazonaws.com/serviceaccount/token: permission denied" ``` See: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html Below are the file permissions mounted on External DNS pod: ``` ~ $ ls -al /var/run/secrets/eks.amazonaws.com/serviceaccount/ total 0 drwxrwxrwt 3 root root 100 Sep 11 06:40 . drwxr-xr-x 3 root root 28 Sep 11 06:40 .. drwxr-xr-x 2 root root 60 Sep 11 06:40 ..2019_09_11_06_40_49.865776187 lrwxrwxrwx 1 root root 31 Sep 11 06:40 ..data -> ..2019_09_11_06_40_49.865776187 lrwxrwxrwx 1 root root 12 Sep 11 06:40 token -> ..data/token ~ $ ls -al /var/run/secrets/eks.amazonaws.com/serviceaccount/..data/token -rw------- 1 root root 1028 Sep 11 06:40 /var/run/secrets/eks.amazonaws.com/serviceaccount/..data/token ``` This commit fixes this problem by specifying securityContext to make mounted volumes with 65534 (nobody) group ownership.
729557a
to
c97781a
Compare
Can confirm workaround by using securityContext. I've changed the PR to update AWS tutorial instead of changing the Dockerfile. Should work fine with future k8s updates too. |
/lgtm |
This is to fix the file permission of the access token file, see kubernetes-sigs/external-dns#1185
This is to fix the file permission of the access token file, see kubernetes-sigs/external-dns#1185
This is to fix the file permission of the access token file, see kubernetes-sigs/external-dns#1185
This is to fix the file permission of the access token file, see kubernetes-sigs/external-dns#1185
I tried configuring my Argo-Server to use s3 as an artifact repository, and then archive all logs automatically, and it worked fine. But then when I wanted to load those logs in the Argo-Server UI using the link `https://<arg_server_host>/artifacts/argo/<workflow_name>/<pod_name>/main-logs` I got the following error: ``` failed to create new S3 client: WebIdentityErr: failed fetching WebIdentity token: caused by: WebIdentityErr: unable to read file at /var/run/secrets/eks.amazonaws.com/serviceaccount/token caused by: open /var/run/secrets/eks.amazonaws.com/serviceaccount/token: permission denied ``` Reading through similar issues here: kubernetes-sigs/external-dns#1185 I found out that IRSA requires this setting on the Deployment: `spec.template.spec.securityContext.fsGroup: 65534` to fix the above issue. I thought it would be helpful to others to find information how to deal with it here, rather than search for the answers if they hit this problem. Signed-off-by: Dominik Deren <[email protected]>
Amazon EKS supports IAM Roles for Service Accounts. It mounts tokens files to
/var/run/secrets/eks.amazonaws.com/serviceaccount/token
. Unfortunately, external-dns runs as 'nobody' so it cannot access this file. External DNS is then unable to make any AWS API calls to work:See: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html
Below are the file permissions mounted on External DNS pod:
Pinging @taharah for review.