On Fri, Jun 03, 2016 at 12:09:43PM -0700, 'Tim Hockin' via Containers at Google wrote:
> I would either:
>
> a) start with a proposal doc (problem statement, proposed solution,
>    alternatives)
> b) hack something together that demonstrates that your idea is sound, then (a)
>
> Specifically, we have a struct that maps keys to paths (`type
> KeyToPath`) which could easily carry a 'mode' field or something.
> Naively it sounds like it would work.

I just had a look at the code, and I understand where changes can be made. Thanks a lot for the pointer!

But when thinking about this, I realized (and tested, just in case) that a secret mounted as a volume has its files world readable (r--r--r--) too! It is not clear to me, from the code, that this is on purpose (the roMask is 0440 but the end result is 444, maybe because it's ORed with the file mode; I haven't tested to confirm).

This isn't a nice default for a secret, and changing the default may break things (and this is part of the stable API; we generally shouldn't do this).

So, one option is to say this was a bug and consider it worth changing the permissions by default on secrets; another is to add a way to change the permissions.

Any suggestions? Or maybe I should open a proposal and have the chat there :)

Thanks a lot,
Rodrigo
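
The observation in the message above, that files in a mounted secret volume end up r--r--r--, can be checked mechanically from inside a container. The Go program below is an added example, not part of the original message and not Kubernetes code; the names `AuditSecretDir` and `Finding` and the default path `/etc/secret-volume` are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// Finding records a file whose permission bits grant access to "other".
type Finding struct {
	Path string
	Mode fs.FileMode
}

// AuditSecretDir walks root and returns every regular file with any of the
// "other" permission bits (0007) set. os.Stat follows symlinks, so the mode
// reported is that of the file actually read, not of the link.
func AuditSecretDir(root string) ([]Finding, error) {
	var findings []Finding
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err // nil for a directory that was listed without error
		}
		info, err := os.Stat(path)
		if err != nil {
			return err
		}
		if info.Mode().IsRegular() && info.Mode().Perm()&0007 != 0 {
			findings = append(findings, Finding{path, info.Mode().Perm()})
		}
		return nil
	})
	return findings, err
}

func main() {
	root := "/etc/secret-volume" // hypothetical mount path; pass the real one as argv[1]
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	findings, err := AuditSecretDir(root)
	if err != nil {
		fmt.Fprintln(os.Stderr, "audit failed:", err)
		os.Exit(2)
	}
	for _, f := range findings {
		fmt.Printf("%s is accessible to other users: %04o\n", f.Path, uint32(f.Mode))
	}
}
```
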
