proposal for projected service account volume file permission handling

kubernetes · Mar 6, 2020 · 1512e54 · 1512e54
1 parent a61531f
commit 1512e54
Showing 1 changed file with 14 additions and 2 deletions.
diff --git a/keps/sig-storage/20180515-svcacct-token-volumes.md b/keps/sig-storage/20180515-svcacct-token-volumes.md
@@ -4,16 +4,18 @@ authors:
   - "@smarterclayton"
   - "@liggitt"
   - "@mikedanese"
+  - "@zshihang"
 owning-sig: sig-storage
 participating-sigs:
   - sig-auth
 reviewers:
-  - TBD
+  - "@mikedanese"
+  - "@liggitt"
 approvers:
   - TBD
 editor: "@zshihang"
 creation-date: 2018-05-15
-last-updated: 2020-03-04
+last-updated: 2020-03-05
 status: implemented
 see-also:
   - "https://github.com/kubernetes/community/blob/master/contributors/design-proposals/storage/svcacct-token-volume-source.md"
@@ -160,6 +162,16 @@ sources:
     audience: ca.istio.io
 ```
 
+### File Permission
+
+1. if there is only one user id (non-root) shared by all the containers in a
+pod,  set the owner of projected service account volume to that user id and mode
+to 0600.
+2. otherwise, set the owners to be the user ID of first container in the pod and
+the group specified by `fsGroup` in the `PodSecurityContext`, and set the mode
+to 0640.
+
+
 ### Alternatives
 
 1.  Instead of implementing a service account token volume projection, we could