
secretNamespace volume attribute ignored when used in a container volume definition #2098


Closed
david-garcia-garcia opened this issue Sep 9, 2024 · 0 comments · Fixed by #2102

Comments

@david-garcia-garcia

What happened:

When using secretNamespace in a container volume definition, the driver seems only to be looking for the secret in the same namespace where the container is deployed to. If it is different it will not work.

i.e.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    deployment.kubernetes.io/revision: "2"
  generation: 4
  labels:
    app: modsecurity
  name: modsecurity
  namespace: traefik
spec:
  selector:
    matchLabels:
      app: modsecurity
  template:
    metadata:
      labels:
        app: modsecurity
    spec:
      automountServiceAccountToken: true
      containers:
      - image: owasp/modsecurity-crs:4.6-nginx-alpine-202409030409
        imagePullPolicy: IfNotPresent
        name: modsecurity
        volumeMounts:
        - mountPath: /etc/nginx/templates/modsecurity.d/modsecurity.conf.template
          mountPropagation: None
          name: modsecurity-config
          readOnly: true
          subPath: modsecurity.conf
        - mountPath: /var/log
          mountPropagation: None
          name: log
          subPath: aks-development/traefik/modsecurity/var/log
      initContainers:
      - args:
        - -c
        - mkdir -p /var/log/nginx
        command:
        - /bin/sh
        image: alpine
        name: bootstrap
        volumeMounts:
        - mountPath: /var/log
          mountPropagation: None
          name: log
          subPath: aks-development/traefik/modsecurity/var/log
      volumes:
      - configMap:
          defaultMode: 511
          name: modsecurity-config
        name: modsecurity-config
      - csi:
          driver: file.csi.azure.com
          fsType: ""
          readOnly: false
          volumeAttributes:
            resourceGroup: rg-dev-shared
            secretName: az-storage-rg-dev-shared-xx-log
            secretNamespace: kube-system
            shareName: applog
            subscriptionId: xxxxxx
            volumeHandle: rg-dev-shared#xx#applog#none#7ab84548-c847-7012-3943-980393d8d7de#kube-system
        name: log
```

This might be a design decision to align with K8S scoping of secrets. If that is the case, I believe the docs should be updated. And maybe even the error message improved.
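The report describes the driver resolving `secretName` in the pod's own namespace for an inline CSI volume, so a different `secretNamespace` is silently ineffective. The following is an added preflight check, not code from the issue or from the azurefile-csi-driver project, that walks a workload manifest and flags inline `file.csi.azure.com` volumes whose `secretNamespace` differs from the workload's namespace, so the mismatch is caught before deployment rather than as a mount failure. The manifest dict is constructed to mirror the one above with placeholder values; the assumption that an absent `secretNamespace` means the pod namespace, and the fallback to `default` when no namespace is set, are assumptions of the example.

```python
# Added example (not from the issue or the azurefile-csi-driver project):
# a preflight lint that flags inline file.csi.azure.com volumes whose
# secretNamespace is not the pod's own namespace. It assumes the behaviour the
# report describes: for inline volumes the driver resolves secretName in the
# pod namespace, so a differing secretNamespace is silently ineffective.

import copy

AZURE_FILE_DRIVER = "file.csi.azure.com"
TEMPLATE_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job", "ReplicaSet"}


def pod_spec_of(manifest):
    """Return (namespace, pod spec) for a Pod, a template-bearing workload, or a CronJob."""
    kind = manifest.get("kind")
    spec = manifest.get("spec", {})
    # Assumption: a manifest without metadata.namespace lands in "default".
    namespace = manifest.get("metadata", {}).get("namespace") or "default"
    if kind == "Pod":
        return namespace, spec
    if kind in TEMPLATE_KINDS:
        return namespace, spec.get("template", {}).get("spec", {})
    if kind == "CronJob":
        job = spec.get("jobTemplate", {}).get("spec", {})
        return namespace, job.get("template", {}).get("spec", {})
    return namespace, {}


def find_cross_namespace_secrets(manifest):
    """List inline Azure File CSI volumes whose secretNamespace differs from the pod namespace."""
    namespace, pod_spec = pod_spec_of(manifest)
    findings = []
    for volume in pod_spec.get("volumes", []) or []:
        csi = volume.get("csi")
        if not csi or csi.get("driver") != AZURE_FILE_DRIVER:
            continue
        attrs = csi.get("volumeAttributes", {}) or {}
        secret_ns = attrs.get("secretNamespace")
        # Assumption: no secretNamespace means the pod namespace, which is
        # where the driver looks anyway, so that case is not a finding.
        if secret_ns and secret_ns != namespace:
            findings.append({
                "volume": volume.get("name"),
                "secretName": attrs.get("secretName"),
                "secretNamespace": secret_ns,
                "podNamespace": namespace,
            })
    return findings


# Constructed manifest mirroring the report's Deployment (placeholder values).
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "modsecurity", "namespace": "traefik"},
    "spec": {
        "template": {
            "spec": {
                "containers": [{"name": "modsecurity", "image": "owasp/modsecurity-crs"}],
                "volumes": [
                    {"name": "modsecurity-config",
                     "configMap": {"name": "modsecurity-config"}},
                    {"name": "log",
                     "csi": {
                         "driver": AZURE_FILE_DRIVER,
                         "volumeAttributes": {
                             "resourceGroup": "rg-dev-shared",
                             "secretName": "az-storage-rg-dev-shared-xx-log",
                             "secretNamespace": "kube-system",
                             "shareName": "applog",
                         },
                     }},
                ],
            }
        }
    },
}


def fixed_copy(manifest):
    """Return a copy in which every Azure File inline volume points its secretNamespace
    at the pod namespace, i.e. the secret is expected to be provisioned next to the workload."""
    fixed = copy.deepcopy(manifest)
    namespace, pod_spec = pod_spec_of(fixed)
    for volume in pod_spec.get("volumes", []) or []:
        csi = volume.get("csi")
        if csi and csi.get("driver") == AZURE_FILE_DRIVER:
            csi.setdefault("volumeAttributes", {})["secretNamespace"] = namespace
    return fixed


if __name__ == "__main__":
    for finding in find_cross_namespace_secrets(SAMPLE_DEPLOYMENT):
        print("volume %(volume)s: secret %(secretName)s in %(secretNamespace)s "
              "will be looked up in %(podNamespace)s instead" % finding)
    assert find_cross_namespace_secrets(fixed_copy(SAMPLE_DEPLOYMENT)) == []
```

The lint takes an already-parsed manifest, so the output of `yaml.safe_load` on a real file can be passed straight to `find_cross_namespace_secrets`; PyYAML is deliberately not imported so the block runs without it. `fixed_copy` only shows what a manifest that matches the observed driver behaviour looks like; the secret itself still has to exist in the workload namespace for the mount to succeed.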
