From 5b079b308aad03d356f6b2dff566f8620bc54610 Mon Sep 17 00:00:00 2001 From: rabi Date: Wed, 21 Jan 2026 08:56:13 +0530 Subject: [PATCH] Set SSH private key file permissions to 0600 OpenSSH requires private keys to have mode 0600 when the file owner matches the process UID. With restricted-v2 SCC (default), the process runs as a random UID different from the file owner, so OpenSSH skips the check. But when using NFS mounts for development (hostmount-anyuid SCC), ansible-ee containers run as root which matches the key file owner, triggering the strict permission check. Set defaultMode to 384 (0600) for SSH key volumes to ensure OpenSSH accepts the key. Signed-off-by: rabi --- internal/dataplane/util/ansible_execution.go | 11 +++++--- .../01-assert.yaml | 28 +++++++++---------- .../02-assert.yaml | 4 +-- .../02-assert.yaml | 4 +-- .../01-assert.yaml | 26 ++++++++--------- .../02-assert.yaml | 2 +- .../04-assert.yaml | 2 +- .../06-assert.yaml | 4 +-- .../07-assert.yaml | 2 +- .../dataplane-deploy-tls-test/02-assert.yaml | 4 +-- .../dataplane-deploy-tls-test/03-assert.yaml | 4 +-- .../dataplane-extramounts/00-assert.yaml | 2 +- .../dataplane-service-config/00-assert.yaml | 2 +- .../00-assert.yaml | 2 +- .../dataplane-service-failure/00-assert.yaml | 2 +- 15 files changed, 51 insertions(+), 48 deletions(-) diff --git a/internal/dataplane/util/ansible_execution.go b/internal/dataplane/util/ansible_execution.go index a5addc974..0a50ed875 100644 --- a/internal/dataplane/util/ansible_execution.go +++ b/internal/dataplane/util/ansible_execution.go @@ -30,6 +30,7 @@ import ( corev1 "k8s.io/api/core/v1" k8serrors "k8s.io/apimachinery/pkg/api/errors" apimachineryvalidation "k8s.io/apimachinery/pkg/util/validation" + "k8s.io/utils/ptr" "sigs.k8s.io/controller-runtime/pkg/client" networkv1 "github.com/k8snetworkplumbingwg/network-attachment-definition-client/pkg/apis/k8s.cni.cncf.io/v1" 
@@ -324,7 +325,7 @@ func SetAeeSSHMounts( sshKeyMountSubPath = fmt.Sprintf("ssh_key_%s", sshKeyNodeName) sshKeyMountPath = fmt.Sprintf("/runner/env/ssh_key/%s", sshKeyMountSubPath) - CreateVolume(ansibleEEMounts, sshKeyName, sshKeyMountSubPath, sshKeySecret, "ssh-privatekey") + CreateVolume(ansibleEEMounts, sshKeyName, sshKeyMountSubPath, sshKeySecret, "ssh-privatekey", ptr.To(int32(0600))) CreateVolumeMount(ansibleEEMounts, sshKeyName, sshKeyMountPath, sshKeyMountSubPath) } } @@ -361,18 +362,20 @@ func SetAeeInvMounts( inventoryMountPath = "/runner/inventory/hosts" } - CreateVolume(ansibleEEMounts, inventoryName, inventoryName, inventorySecrets[nodeName], "inventory") + CreateVolume(ansibleEEMounts, inventoryName, inventoryName, inventorySecrets[nodeName], "inventory", nil) CreateVolumeMount(ansibleEEMounts, inventoryName, inventoryMountPath, inventoryName) } } // CreateVolume creates a volume configuration for Ansible Execution Environment mounts -func CreateVolume(ansibleEEMounts *storage.VolMounts, volumeName string, volumeMountPath string, secretName string, keyToPathKey string) { +// If defaultMode is nil, Kubernetes default (0644) is used +func CreateVolume(ansibleEEMounts *storage.VolMounts, volumeName string, volumeMountPath string, secretName string, keyToPathKey string, defaultMode *int32) { volume := storage.Volume{ Name: volumeName, VolumeSource: storage.VolumeSource{ Secret: &corev1.SecretVolumeSource{ - SecretName: secretName, + SecretName: secretName, + DefaultMode: defaultMode, Items: []corev1.KeyToPath{ { Key: keyToPathKey, diff --git a/test/kuttl/tests/dataplane-deploy-global-service-test/01-assert.yaml b/test/kuttl/tests/dataplane-deploy-global-service-test/01-assert.yaml index b92baff25..a4f302632 100644 --- a/test/kuttl/tests/dataplane-deploy-global-service-test/01-assert.yaml +++ b/test/kuttl/tests/dataplane-deploy-global-service-test/01-assert.yaml 
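Review bot: The new call `CreateVolume(ansibleEEMounts, sshKeyName, sshKeyMountSubPath, sshKeySecret, "ssh-privatekey", ptr.To(int32(0600)))` hard-codes the key mode as a bare octal literal with no comment, so the reason for it (OpenSSH's strict private-key permission check, explained only in the commit message) is invisible at the call site. Consider a package-level `const sshPrivateKeyMode int32 = 0600 // OpenSSH rejects a private key readable by group/other when the file owner equals the running UID` and pass `ptr.To(sshPrivateKeyMode)` here. The same mode could alternatively be set per item through `corev1.KeyToPath.Mode`, which would have left the `CreateVolume` signature untouched; `DefaultMode` is equivalent here only because the volume projects a single item, so that assumption deserves a comment too. The body of SetAeeSSHMounts starts before this hunk.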
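Review bot: The new doc comment on `CreateVolume` (`If defaultMode is nil, Kubernetes default (0644) is used`) documents only the nil case and leaves the non-nil semantics, the unit of the value and its scope to the reader. Suggest `// defaultMode is the Unix permission mode applied to every file projected from the secret (e.g. 0600 for SSH private keys); nil keeps the Kubernetes default of 0644. If the pod sets an fsGroup the kubelet may widen this with group bits, so the value is a floor rather than the exact resulting mode.` — the fsGroup interaction is inferred from kubelet behaviour, not visible here, so phrase it as a caveat; also end the first sentence of the comment with a period for godoc consistency. Because `CreateVolume` is exported, any caller outside this file (none appear in the diff) would no longer compile until it passes the new argument, which is worth confirming with a full build. The function body continues past the end of the hunk.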
@@ -162,7 +162,7 @@ spec: secretName: combined-ca-bundle - name: ssh-key-edpm-compute-global secret: - defaultMode: 420 + defaultMode: 384 items: - key: ssh-privatekey path: ssh_key_edpm-compute-global @@ -258,7 +258,7 @@ spec: volumes: - name: ssh-key-edpm-compute-global secret: - defaultMode: 420 + defaultMode: 384 items: - key: ssh-privatekey path: ssh_key_edpm-compute-global @@ -362,7 +362,7 @@ spec: secretName: combined-ca-bundle - name: ssh-key-edpm-compute-global secret: - defaultMode: 420 + defaultMode: 384 items: - key: ssh-privatekey path: ssh_key_edpm-compute-global @@ -460,7 +460,7 @@ spec: volumes: - name: ssh-key-edpm-compute-global secret: - defaultMode: 420 + defaultMode: 384 items: - key: ssh-privatekey path: ssh_key_edpm-compute-global @@ -558,7 +558,7 @@ spec: volumes: - name: ssh-key-edpm-compute-global secret: - defaultMode: 420 + defaultMode: 384 items: - key: ssh-privatekey path: ssh_key_edpm-compute-global @@ -656,7 +656,7 @@ spec: volumes: - name: ssh-key-edpm-compute-global secret: - defaultMode: 420 + defaultMode: 384 items: - key: ssh-privatekey path: ssh_key_edpm-compute-global @@ -808,7 +808,7 @@ spec: secretName: combined-ca-bundle - name: ssh-key-edpm-compute-global secret: - defaultMode: 420 + defaultMode: 384 items: - key: ssh-privatekey path: ssh_key_edpm-compute-global @@ -917,7 +917,7 @@ spec: secretName: combined-ca-bundle - name: ssh-key-edpm-compute-global secret: - defaultMode: 420 + defaultMode: 384 items: - key: ssh-privatekey path: ssh_key_edpm-compute-global @@ -1056,7 +1056,7 @@ spec: secretName: combined-ca-bundle - name: ssh-key-edpm-compute-global secret: - defaultMode: 420 + defaultMode: 384 items: - key: ssh-privatekey path: ssh_key_edpm-compute-global @@ -1165,7 +1165,7 @@ spec: secretName: combined-ca-bundle - name: ssh-key-edpm-compute-global secret: - defaultMode: 420 + defaultMode: 384 items: - key: ssh-privatekey path: ssh_key_edpm-compute-global 
@@ -1274,7 +1274,7 @@ spec: secretName: combined-ca-bundle - name: ssh-key-edpm-compute-global secret: - defaultMode: 420 + defaultMode: 384 items: - key: ssh-privatekey path: ssh_key_edpm-compute-global @@ -1383,7 +1383,7 @@ spec: secretName: combined-ca-bundle - name: ssh-key-edpm-compute-global secret: - defaultMode: 420 + defaultMode: 384 items: - key: ssh-privatekey path: ssh_key_edpm-compute-global @@ -1492,7 +1492,7 @@ spec: secretName: combined-ca-bundle - name: ssh-key-edpm-compute-global secret: - defaultMode: 420 + defaultMode: 384 items: - key: ssh-privatekey path: ssh_key_edpm-compute-global @@ -1631,7 +1631,7 @@ spec: secretName: combined-ca-bundle - name: ssh-key-edpm-compute-global secret: - defaultMode: 420 + defaultMode: 384 items: - key: ssh-privatekey path: ssh_key_edpm-compute-global diff --git a/test/kuttl/tests/dataplane-deploy-global-service-test/02-assert.yaml b/test/kuttl/tests/dataplane-deploy-global-service-test/02-assert.yaml index b1f78f83a..bc67e74f6 100644 --- a/test/kuttl/tests/dataplane-deploy-global-service-test/02-assert.yaml +++ b/test/kuttl/tests/dataplane-deploy-global-service-test/02-assert.yaml @@ -151,7 +151,7 @@ spec: volumes: - name: ssh-key-edpm-compute-beta-nodeset secret: - defaultMode: 420 + defaultMode: 384 items: - key: ssh-privatekey path: ssh_key_edpm-compute-beta-nodeset @@ -254,7 +254,7 @@ spec: secretName: combined-ca-bundle - name: ssh-key-edpm-compute-beta-nodeset secret: - defaultMode: 420 + defaultMode: 384 items: - key: ssh-privatekey path: ssh_key_edpm-compute-beta-nodeset diff --git a/test/kuttl/tests/dataplane-deploy-multiple-secrets/02-assert.yaml b/test/kuttl/tests/dataplane-deploy-multiple-secrets/02-assert.yaml index 554345c71..3e8b9e8c4 100644 --- a/test/kuttl/tests/dataplane-deploy-multiple-secrets/02-assert.yaml +++ b/test/kuttl/tests/dataplane-deploy-multiple-secrets/02-assert.yaml 
@@ -212,7 +212,7 @@ spec: secretName: combined-ca-bundle - name: ssh-key-openstack-edpm-tls secret: - defaultMode: 420 + defaultMode: 384 items: - key: ssh-privatekey path: ssh_key_openstack-edpm-tls @@ -319,7 +319,7 @@ spec: secretName: combined-ca-bundle - name: ssh-key-openstack-edpm-tls secret: - defaultMode: 420 + defaultMode: 384 items: - key: ssh-privatekey path: ssh_key_openstack-edpm-tls diff --git a/test/kuttl/tests/dataplane-deploy-no-nodes-test/01-assert.yaml b/test/kuttl/tests/dataplane-deploy-no-nodes-test/01-assert.yaml index 2bda8af19..3b7fafb8b 100644 --- a/test/kuttl/tests/dataplane-deploy-no-nodes-test/01-assert.yaml +++ b/test/kuttl/tests/dataplane-deploy-no-nodes-test/01-assert.yaml @@ -147,7 +147,7 @@ spec: volumes: - name: ssh-key-edpm-compute-no-nodes secret: - defaultMode: 420 + defaultMode: 384 items: - key: ssh-privatekey path: ssh_key_edpm-compute-no-nodes @@ -252,7 +252,7 @@ spec: secretName: combined-ca-bundle - name: ssh-key-edpm-compute-no-nodes secret: - defaultMode: 420 + defaultMode: 384 items: - key: ssh-privatekey path: ssh_key_edpm-compute-no-nodes @@ -352,7 +352,7 @@ spec: volumes: - name: ssh-key-edpm-compute-no-nodes secret: - defaultMode: 420 + defaultMode: 384 items: - key: ssh-privatekey path: ssh_key_edpm-compute-no-nodes @@ -452,7 +452,7 @@ spec: volumes: - name: ssh-key-edpm-compute-no-nodes secret: - defaultMode: 420 + defaultMode: 384 items: - key: ssh-privatekey path: ssh_key_edpm-compute-no-nodes @@ -552,7 +552,7 @@ spec: volumes: - name: ssh-key-edpm-compute-no-nodes secret: - defaultMode: 420 + defaultMode: 384 items: - key: ssh-privatekey path: ssh_key_edpm-compute-no-nodes @@ -700,7 +700,7 @@ spec: secretName: combined-ca-bundle - name: ssh-key-edpm-compute-no-nodes secret: - defaultMode: 420 + defaultMode: 384 items: - key: ssh-privatekey path: ssh_key_edpm-compute-no-nodes 
@@ -810,7 +810,7 @@ spec: secretName: combined-ca-bundle - name: ssh-key-edpm-compute-no-nodes secret: - defaultMode: 420 + defaultMode: 384 items: - key: ssh-privatekey path: ssh_key_edpm-compute-no-nodes @@ -950,7 +950,7 @@ spec: secretName: combined-ca-bundle - name: ssh-key-edpm-compute-no-nodes secret: - defaultMode: 420 + defaultMode: 384 items: - key: ssh-privatekey path: ssh_key_edpm-compute-no-nodes @@ -1060,7 +1060,7 @@ spec: secretName: combined-ca-bundle - name: ssh-key-edpm-compute-no-nodes secret: - defaultMode: 420 + defaultMode: 384 items: - key: ssh-privatekey path: ssh_key_edpm-compute-no-nodes @@ -1170,7 +1170,7 @@ spec: secretName: combined-ca-bundle - name: ssh-key-edpm-compute-no-nodes secret: - defaultMode: 420 + defaultMode: 384 items: - key: ssh-privatekey path: ssh_key_edpm-compute-no-nodes @@ -1280,7 +1280,7 @@ spec: secretName: combined-ca-bundle - name: ssh-key-edpm-compute-no-nodes secret: - defaultMode: 420 + defaultMode: 384 items: - key: ssh-privatekey path: ssh_key_edpm-compute-no-nodes @@ -1390,7 +1390,7 @@ spec: secretName: combined-ca-bundle - name: ssh-key-edpm-compute-no-nodes secret: - defaultMode: 420 + defaultMode: 384 items: - key: ssh-privatekey path: ssh_key_edpm-compute-no-nodes @@ -1530,7 +1530,7 @@ spec: secretName: combined-ca-bundle - name: ssh-key-edpm-compute-no-nodes secret: - defaultMode: 420 + defaultMode: 384 items: - key: ssh-privatekey path: ssh_key_edpm-compute-no-nodes diff --git a/test/kuttl/tests/dataplane-deploy-no-nodes-test/02-assert.yaml b/test/kuttl/tests/dataplane-deploy-no-nodes-test/02-assert.yaml index 88cb2d32f..16b3c18b0 100644 --- a/test/kuttl/tests/dataplane-deploy-no-nodes-test/02-assert.yaml +++ b/test/kuttl/tests/dataplane-deploy-no-nodes-test/02-assert.yaml @@ -90,7 +90,7 @@ spec: volumes: - name: ssh-key-edpm-compute-no-nodes secret: - defaultMode: 420 + defaultMode: 384 items: - key: ssh-privatekey path: ssh_key_edpm-compute-no-nodes 
diff --git a/test/kuttl/tests/dataplane-deploy-no-nodes-test/04-assert.yaml b/test/kuttl/tests/dataplane-deploy-no-nodes-test/04-assert.yaml index 049a87c8e..d11666214 100644 --- a/test/kuttl/tests/dataplane-deploy-no-nodes-test/04-assert.yaml +++ b/test/kuttl/tests/dataplane-deploy-no-nodes-test/04-assert.yaml @@ -165,7 +165,7 @@ spec: secretName: combined-ca-bundle - name: ssh-key-edpm-compute-no-nodes secret: - defaultMode: 420 + defaultMode: 384 items: - key: ssh-privatekey path: ssh_key_edpm-compute-no-nodes diff --git a/test/kuttl/tests/dataplane-deploy-no-nodes-test/06-assert.yaml b/test/kuttl/tests/dataplane-deploy-no-nodes-test/06-assert.yaml index 7cfeb3cef..07566a5fa 100644 --- a/test/kuttl/tests/dataplane-deploy-no-nodes-test/06-assert.yaml +++ b/test/kuttl/tests/dataplane-deploy-no-nodes-test/06-assert.yaml @@ -157,7 +157,7 @@ spec: secretName: combined-ca-bundle - name: ssh-key-edpm-compute-beta-nodeset secret: - defaultMode: 420 + defaultMode: 384 items: - key: ssh-privatekey path: ssh_key_edpm-compute-beta-nodeset @@ -258,7 +258,7 @@ spec: volumes: - name: ssh-key-edpm-compute-beta-nodeset secret: - defaultMode: 420 + defaultMode: 384 items: - key: ssh-privatekey path: ssh_key_edpm-compute-beta-nodeset diff --git a/test/kuttl/tests/dataplane-deploy-no-nodes-test/07-assert.yaml b/test/kuttl/tests/dataplane-deploy-no-nodes-test/07-assert.yaml index ce057fd14..32c1b4ca8 100644 --- a/test/kuttl/tests/dataplane-deploy-no-nodes-test/07-assert.yaml +++ b/test/kuttl/tests/dataplane-deploy-no-nodes-test/07-assert.yaml @@ -85,7 +85,7 @@ spec: volumes: - name: ssh-key-edpm-compute-no-nodes secret: - defaultMode: 420 + defaultMode: 384 items: - key: ssh-privatekey path: ssh_key_edpm-compute-no-nodes diff --git a/test/kuttl/tests/dataplane-deploy-tls-test/02-assert.yaml b/test/kuttl/tests/dataplane-deploy-tls-test/02-assert.yaml index d91df3c37..822f53935 100644 --- a/test/kuttl/tests/dataplane-deploy-tls-test/02-assert.yaml 
+++ b/test/kuttl/tests/dataplane-deploy-tls-test/02-assert.yaml @@ -249,7 +249,7 @@ spec: secretName: combined-ca-bundle - name: ssh-key-openstack-edpm-tls secret: - defaultMode: 420 + defaultMode: 384 items: - key: ssh-privatekey path: ssh_key_openstack-edpm-tls @@ -361,7 +361,7 @@ spec: secretName: combined-ca-bundle - name: ssh-key-openstack-edpm-tls secret: - defaultMode: 420 + defaultMode: 384 items: - key: ssh-privatekey path: ssh_key_openstack-edpm-tls diff --git a/test/kuttl/tests/dataplane-deploy-tls-test/03-assert.yaml b/test/kuttl/tests/dataplane-deploy-tls-test/03-assert.yaml index f9769a336..e4d6f62b2 100644 --- a/test/kuttl/tests/dataplane-deploy-tls-test/03-assert.yaml +++ b/test/kuttl/tests/dataplane-deploy-tls-test/03-assert.yaml @@ -234,7 +234,7 @@ spec: secretName: combined-ca-bundle - name: ssh-key-openstack-edpm-tls secret: - defaultMode: 420 + defaultMode: 384 items: - key: ssh-privatekey path: ssh_key_openstack-edpm-tls @@ -345,7 +345,7 @@ spec: secretName: combined-ca-bundle - name: ssh-key-openstack-edpm-tls secret: - defaultMode: 420 + defaultMode: 384 items: - key: ssh-privatekey path: ssh_key_openstack-edpm-tls diff --git a/test/kuttl/tests/dataplane-extramounts/00-assert.yaml b/test/kuttl/tests/dataplane-extramounts/00-assert.yaml index 9378776b4..f9a49ca68 100644 --- a/test/kuttl/tests/dataplane-extramounts/00-assert.yaml +++ b/test/kuttl/tests/dataplane-extramounts/00-assert.yaml @@ -119,7 +119,7 @@ spec: secretName: combined-ca-bundle - name: ssh-key-edpm-extramounts secret: - defaultMode: 420 + defaultMode: 384 items: - key: ssh-privatekey path: ssh_key_edpm-extramounts diff --git a/test/kuttl/tests/dataplane-service-config/00-assert.yaml b/test/kuttl/tests/dataplane-service-config/00-assert.yaml index 02692c4ee..2fdbdc962 100644 --- a/test/kuttl/tests/dataplane-service-config/00-assert.yaml +++ b/test/kuttl/tests/dataplane-service-config/00-assert.yaml 
@@ -172,7 +172,7 @@ spec: secretName: combined-ca-bundle - name: ssh-key-edpm-compute-no-nodes secret: - defaultMode: 420 + defaultMode: 384 items: - key: ssh-privatekey path: ssh_key_edpm-compute-no-nodes diff --git a/test/kuttl/tests/dataplane-service-custom-image/00-assert.yaml b/test/kuttl/tests/dataplane-service-custom-image/00-assert.yaml index ea8adfa90..09c48ba92 100644 --- a/test/kuttl/tests/dataplane-service-custom-image/00-assert.yaml +++ b/test/kuttl/tests/dataplane-service-custom-image/00-assert.yaml @@ -141,7 +141,7 @@ spec: secretName: combined-ca-bundle - name: ssh-key-edpm-no-nodes-custom-svc secret: - defaultMode: 420 + defaultMode: 384 items: - key: ssh-privatekey path: ssh_key_edpm-no-nodes-custom-svc diff --git a/test/kuttl/tests/dataplane-service-failure/00-assert.yaml b/test/kuttl/tests/dataplane-service-failure/00-assert.yaml index c7c3e05df..874414526 100644 --- a/test/kuttl/tests/dataplane-service-failure/00-assert.yaml +++ b/test/kuttl/tests/dataplane-service-failure/00-assert.yaml @@ -102,7 +102,7 @@ spec: secretName: combined-ca-bundle - name: ssh-key-edpm-compute-no-nodes secret: - defaultMode: 420 + defaultMode: 384 items: - key: ssh-privatekey path: ssh_key_edpm-compute-no-nodes