Some CSI drivers write to /etc/kubernetes/secrets-store-csi-providers #1524

Closed
joebaro opened this issue Apr 26, 2021 · 3 comments · Fixed by #1544
Labels: area/kubernetes (K8s including EKS, EKS-A, and including VMW), type/enhancement (New feature or request)

Comments


joebaro commented Apr 26, 2021

Image I'm using:
EKS 1.17 with Bottlerocket OS 1.0.8 (ami-04f83bfb1bb568e28)

What I expected to happen:
Install and run the Secret Store CSI driver and the AWS provider plugin by following the setup instructions in the secrets-store-csi-driver-provider-aws README.

What actually happened:
The driver plugin fails with "permission denied" when binding to a unix domain socket in /etc/kubernetes/secrets-store-csi-providers/aws.sock (see also secrets-store-csi-driver-provider-aws issue). The Secret Store CSI driver is using /etc/kubernetes/secrets-store-csi-providers as a rendezvous point for unix domain sockets with its various provider plugins.

As directed by Ben Cressey, we are opening this issue to ask for a compatibility symlink from /etc/kubernetes/secrets-store-csi-providers to somewhere under /var.

How to reproduce the problem:
Install the Secret Store CSI driver, install the AWS plugin, run kubectl logs on one of the secrets-store-csi-driver-provider-aws instances.

@jhaynes jhaynes added area/kubernetes K8s including EKS, EKS-A, and including VMW status/needs-triage Pending triage or re-evaluation type/enhancement New feature or request labels Apr 26, 2021
zmrow (Contributor) commented Apr 27, 2021

Thanks for opening this - we'll look into it!

@bcressey bcressey self-assigned this Apr 30, 2021
@bcressey bcressey added priority/p1 status/in-progress This issue is currently being worked on and removed status/needs-triage Pending triage or re-evaluation labels Apr 30, 2021
@bcressey bcressey added this to the v1.1.0 milestone Apr 30, 2021
@rverma-dev

Can we cherry-pick this fix in 1.0.8? It's a blocker for us.

jhaynes (Contributor) commented May 5, 2021

@rverma-nsl You're welcome to do the cherry-pick for a custom build if you'd like. However, we're slated to release 1.1.0 shortly which will have this fix in it. Hopefully you can upgrade to this 1.1.0 release and pick it up that way.

@bcressey bcressey removed the status/in-progress This issue is currently being worked on label Nov 11, 2021