Remove filesystem permissions check
uhthomas opened this issue · 1 comments
uhthomas commented
It's good practice to set strict security contexts for containers and pods in Kubernetes, but connect won't start if the directory is not owned by the current user - even if it can write to it. I feel this is counter-productive and should be removed. I don't see how this condition improves security, and only serves to weaken it in environments with proper security contexts.
```
❯ k logs onepassword-connect-85bf47bb57-4c9tc
Defaulted container "connect-api" out of: connect-api, connect-sync
Error: Server: (failed to OpenDefault), Wrapped: (failed to defaultPath), failed to ConfigDir: Can't continue. We can't safely access "/.op" because it's not owned by the current user. Change the owner or logged in user and try again.
```
security context
```cue
securityContext: {
	capabilities: drop: ["ALL"]
	readOnlyRootFilesystem: true
	allowPrivilegeEscalation: false
}
```
pod security context
```cue
securityContext: {
	runAsUser: 1000
	runAsGroup: 3000
	runAsNonRoot: true
	fsGroup: 2000
	seccompProfile: type: v1.#SeccompProfileTypeRuntimeDefault
}
```
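The mismatch reported above, as an added example (not code from 1Password Connect): an owner-UID test and a POSIX write-access test evaluated for the pod identity in the issue. The `Cred` and `Dir` types are hypothetical, and the directory ownership (root-owned, group 2000, mode 0770) is an assumption about how the volume looks once `fsGroup` is applied.

```go
package main

import (
	"fmt"
	"os"
)

// Cred is the identity a container process runs with.
type Cred struct {
	UID, GID uint32
	Groups   []uint32 // supplementary groups; Kubernetes adds fsGroup here
}

// Dir holds what stat(2) reports for the config directory.
type Dir struct {
	UID, GID uint32
	Perm     os.FileMode // permission bits only
}

// OwnedBy is the strict test the error message describes.
func OwnedBy(d Dir, c Cred) bool { return d.UID == c.UID }

// CanWrite picks exactly one POSIX class (owner, else group, else other)
// and requires write+search on it. Capability overrides are ignored,
// which matches a container that drops ALL capabilities.
func CanWrite(d Dir, c Cred) bool {
	shift := uint(0) // "other" class
	if d.UID == c.UID {
		shift = 6
	} else {
		for _, g := range append([]uint32{c.GID}, c.Groups...) {
			if g == d.GID {
				shift = 3
				break
			}
		}
	}
	return (d.Perm>>shift)&0o3 == 0o3
}

func main() {
	// Constructed values: the pod identity from the issue, and a volume
	// assumed to be root-owned with group 2000 after fsGroup is applied.
	pod := Cred{UID: 1000, GID: 3000, Groups: []uint32{2000}}
	dir := Dir{UID: 0, GID: 2000, Perm: 0o770}
	fmt.Println("owned:", OwnedBy(dir, pod), "writable:", CanWrite(dir, pod))
}
```
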
FloSchick commented
+1