
Volumes created from ConfigMaps and Secrets have 777 permissions by default

Open Cris-GarGon opened this issue 4 months ago • 1 comment

Environmental Info: Node(s) CPU architecture, OS, and Version: Red Hat Enterprise Linux release 8.10 (Ootpa)

Cluster Configuration: 1 master, 4 workers

Describe the bug: When a ConfigMap or a Secret is created and mounted as a volume in a Deployment, the resulting volume has 777 permissions. This can be a security issue, as it allows any system user to read and write to the volume.

Steps To Reproduce:

  1. Create a ConfigMap or a Secret in Openshift.
  2. Mount the ConfigMap or Secret as a volume in a Deployment.
  3. Verify the permissions of the created volume.

Expected behavior: The created volume should have more restrictive permissions, such as 644 or 600, depending on the configuration and intended use.

Actual behavior: The created volume has 777 permissions, allowing full access to any system user.

Additional context / logs: Example command to verify permissions: sudo find / -perm -007 \( -type f -o -type d \) -ls

Example output: 262958 4 drwxrwxrwx 3 root root 4096 Aug 10 13:49 /var/lib/kubelet/pods/ad05694c-d570-4b8f-8a63-adb9b8e6787f/volumes/kubernetes.io~configmap/config-volume

Configuration used:

apiVersion: v1
kind: ConfigMap
metadata:
  name: app-nginx
  namespace: default
data:
  nginx.conf: |
  ...
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
  namespace: default
...
        volumeMounts:
            - name: config-volume
              subPath: ./nginx.conf
              mountPath: /etc/nginx/conf.d/default.conf
      volumes:
        - name: config-volume
          configMap:
            name: app-nginx

Cris-GarGon avatar Aug 21 '25 13:08 Cris-GarGon
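The `find / -perm -007 ... -ls` command above produces one line per world-writable entry, and on a busy node that is a lot to read by hand. The script below is an added example, not part of the issue or of the OpenShift/Kubernetes code: it parses `find -ls` output offline, keeps the entries that sit under a kubelet pod volume directory (`/var/lib/kubelet/pods/<uid>/volumes/kubernetes.io~<plugin>/`), and reports which volume plugins produced them, so a reviewer can separate ConfigMap and Secret volumes from unrelated world-writable files. The sample lines are constructed for this example; the first reuses the path quoted in the report, the others are made up. Two checks worth doing alongside it: the `defaultMode` field on `configMap` and `secret` volume sources sets the mode of the projected files (the 777 seen here is on the volume directory, which the kubelet creates, not on the files), and the mode of the ancestor directories matters, since a world-writable leaf that can only be reached through root-only parents is exposed to processes in the pod rather than to every host user.

```shell
#!/bin/sh
# Added example, not from the issue report: triage `find / -perm -007 ... -ls`
# output offline. It lists world-writable entries, narrows them to
# kubelet-managed volumes, and names the volume plugin behind each one.
# The sample lines below are constructed for this example (the first reuses
# the path quoted in the issue; the rest are made up).

SAMPLE_FIND_LS='262958 4 drwxrwxrwx 3 root root 4096 Aug 10 13:49 /var/lib/kubelet/pods/ad05694c-d570-4b8f-8a63-adb9b8e6787f/volumes/kubernetes.io~configmap/config-volume
262959 4 -rw-r--r-- 1 root root 1234 Aug 10 13:49 /var/lib/kubelet/pods/ad05694c-d570-4b8f-8a63-adb9b8e6787f/volumes/kubernetes.io~configmap/config-volume/..data/nginx.conf
262960 4 drwxrwxrwx 3 root root 4096 Aug 10 13:49 /var/lib/kubelet/pods/ad05694c-d570-4b8f-8a63-adb9b8e6787f/volumes/kubernetes.io~secret/tls-certs
262961 4 drwxr-x--- 2 root root 4096 Aug 10 13:49 /var/lib/kubelet/pods
262962 4 -rwxrwxrwx 1 root root 0 Aug 10 13:49 /tmp/scratch.txt'

# Print the path of every entry whose mode string has the others-write bit set.
# `find -ls` prints: inode blocks mode nlink user group size month day time path,
# so the mode is field 3 and its 9th character is the o+w flag.
world_writable_entries() {
    awk 'substr($3, 9, 1) == "w" { print $NF }'
}

# Keep only entries that live under a kubelet pod volume directory.
kubelet_volume_entries() {
    grep '/volumes/kubernetes\.io~'
}

# Map a kubelet volume path to the plugin that created it (configmap, secret, ...).
volume_plugin() {
    sed -n 's#.*/volumes/kubernetes\.io~\([^/]*\)/.*#\1#p'
}

# Number of world-writable entries under kubelet volumes in the given find -ls text.
count_world_writable_volumes() {
    printf '%s\n' "$1" | world_writable_entries | kubelet_volume_entries | awk 'END { print NR }'
}

# Plugin names responsible for world-writable entries, one per line, deduplicated.
world_writable_plugins() {
    printf '%s\n' "$1" | world_writable_entries | kubelet_volume_entries | volume_plugin | sort -u
}

# Usage on a real node: pipe the output of
#   sudo find /var/lib/kubelet/pods -perm -002 \( -type f -o -type d \) -ls
# into world_writable_entries | kubelet_volume_entries | volume_plugin | sort -u
# On the constructed sample:
#   count_world_writable_volumes "$SAMPLE_FIND_LS"   -> 2
#   world_writable_plugins "$SAMPLE_FIND_LS"         -> configmap, secret
```

Scoping the scan to `/var/lib/kubelet/pods` with `-perm -002` (others-write only) is usually more useful than the full-filesystem `-perm -007` search, because the question here is specifically whether volume contents are writable by other users, not whether they are readable.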

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

openshift-bot avatar Nov 20 '25 01:11 openshift-bot

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten /remove-lifecycle stale

openshift-bot avatar Dec 20 '25 08:12 openshift-bot