Ability to mount the CSI as ReadWrite

[ryphon]

Describe the solution you'd like Mount in a secret via provider, and be allowed to edit the secret depending on the providers allowance.

So, mount a secret as a CSI, app itself changes secret in some way, edits the mounted "file", file changes get pushed up to the remote source.

Anything else you would like to add: Both AWS and Vault would technically have resource side policies to handle authZ for these secrets. Vault handles the idea through policies to allow read vs update vs create etc, and AWS Secret Manager similarly has access rules via AWS IAM. I'd be surprised if other providers didn't have a similar concept.

• Secrets Store CSI Driver version: (use the image tag): v1.1.1
• Kubernetes version: (use kubectl version): 1.20.7 (I know it's old)

[ryphon]

Looks like #6 and the corresponding PR #117 just hard enforces it, just not sure that's actually something that needs to be enforced?

[tam7t]

I think ReadWrite would be needed for https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/36 though

[phillipgibson]

@ryphon can you provide more details to clarify the use case for this.

[ryphon]

The context is for something like the Vault provider. Vault has a method to allow read/write on the Vault secret objects. So through the Kubernetes Service Accounts, it has the ability to authenticate/authorize the Kubernetes service account to do different operations for the secret depending on the policy.

In most cases, read only is fine. However, if my service account has 'UPDATE' permissions, I would want to be able to update the secret mounted in via CSI, and have that propagated back up through to the provider.

Secret A is mounted into Pod X. Pod X's service account has ['READ','UPDATE'] in Vault's authentication schema. Process in Pod X can modify/update the secret (just like it's a file) and said changes propagate back upwards. Secret A's data is now what Pod X has written to it. If Pod X is destroyed and recreated, now Pod X has the updated contents of Secret A.

[MarsianMan]

This would be useful for a scenario where some action is needed to modify the secret data before app startup. For example, Hashicorp Vault requires base64 encoded secrets. This does not work well with binary secrets which need to be decoded before/on application startup. We would like to mount our secrets to /var/secrets and then decode them into the same (sub-)directory for the application to read.

Note, there would NOT be any "syncing" in this scenario.

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[ryphon]

Related, and solves our issue specifically, as we've moved to ESO over CSI mounts: https://github.com/external-secrets/external-secrets/pull/1338

Similar ideology though.

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Reopen this issue with /reopen
• Mark this issue as fresh with /remove-lifecycle rotten
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

[k8s-ci-robot]

@k8s-triage-robot: Closing this issue, marking it as "Not Planned".

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Reopen this issue with /reopen
• Mark this issue as fresh with /remove-lifecycle rotten
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.