
[Bug] providersDir should not default to /etc/kubernetes as it primarily contains .sock files better held in /var/run or /tmp/ #823

Closed
paulczar opened this issue Dec 16, 2021 · 1 comment · Fixed by #851
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@paulczar (Contributor)

When deployed, the Secrets Store CSI Driver creates a socket in /etc/kubernetes/secrets-store-csi-providers; the /etc/ path is really meant for configuration files, not unix sockets. The more standard place to put socket files is /var/run/ or somewhere in /tmp. If you explore a Debian, Red Hat, or Ubuntu box you'll find most sockets are in one of the two.

This can be a problem for Operating System and Security Controls that are protective of a system's /etc contents.

While this can be overridden in the helm chart by setting linux.providersDir, the default is re-used in various providers, and not all have a method to override it without manually editing the resources.

I would recommend modifying the default and cutting a major release to signify a breaking change to downstream projects.

paulczar added the kind/bug label Dec 16, 2021

@aramase (Member)

aramase commented Dec 16, 2021

Thanks for the feedback! I'll add this to our community call for discussion.

tam7t added a commit to tam7t/secrets-store-csi-driver that referenced this issue Feb 2, 2022
This allows the driver to check multiple paths when looking for a provider,
addressing kubernetes-sigs#823 as the semantically correct path is /var not /etc.

-additional-provider-volume-paths is added so that providers that have not
migrated to the /var location will continue to operate.

In a future release when all supported providers are migrated to the /var path
the -additional-provider-volume-paths flag can be removed or changed to an
empty string.
tam7t added a commit to tam7t/secrets-store-csi-driver that referenced this issue Feb 4, 2022
tam7t added a commit to tam7t/secrets-store-csi-driver that referenced this issue Feb 4, 2022
tam7t added a commit to tam7t/secrets-store-csi-driver that referenced this issue Feb 14, 2022
tam7t added a commit to tam7t/secrets-store-csi-driver that referenced this issue Feb 14, 2022
tam7t added a commit to tam7t/secrets-store-csi-driver that referenced this issue Feb 14, 2022
tam7t added a commit to tam7t/secrets-store-csi-driver that referenced this issue Feb 14, 2022
tam7t added a commit to tam7t/secrets-store-csi-driver that referenced this issue Feb 14, 2022
tam7t added a commit to tam7t/secrets-store-csi-driver that referenced this issue Feb 14, 2022
tam7t added a commit to tam7t/secrets-store-csi-driver that referenced this issue Feb 14, 2022
tam7t added a commit to tam7t/secrets-store-csi-driver that referenced this issue Feb 17, 2022
tam7t added a commit to tam7t/secrets-store-csi-driver that referenced this issue Feb 17, 2022
tam7t added a commit to tam7t/secrets-store-csi-driver that referenced this issue Feb 17, 2022
conjur-jenkins pushed a commit to cyberark/conjur-k8s-csi-provider that referenced this issue Mar 12, 2024