Question:

I set up an EKS cluster which entirely uses pods on Fargate. I want to run something as a non-root user in a container which needs access to S3. For this, I created a `ServiceAccount` and added an IAM role with the appropriate S3 policies.

I started a bare-bones pod which just waits indefinitely and used `kubectl exec` to drop to a bash in the container as root. There I installed the AWS CLI and tried some S3 operations on the command line, which works fine, so the pod can talk to S3 and get data.

Now, my real workload runs as non-root and has to access stuff on S3, but when it tries to access it, it fails because the token's permissions are set to 600 and it belongs to root. The non-root user in the container also can't `sudo`, and this is intended. This means I get "permission denied".

Is it possible to give a non-root user access to the ServiceAccount token in a Fargate pod, or do I have to allow my user to `sudo` and `chmod` the token to 644 in the startup script?
Answer:

The fact that the token is mounted with permissions 600 is actually a known issue. A workaround is to specify an `fsGroup`.

Something like this works for me:

```yaml
---
apiVersion: v1
kind: Pod
metadata:
  name: foo
  labels:
    name: foo
spec:
  containers:
  - name: foo
    image: foo:bar
    resources:
      limits:
        memory: "128Mi"
        cpu: "500m"
    command:
    - "/do-something.sh"
  securityContext:
    fsGroup: 65534
  serviceAccountName: serviceAccountWithAccessToS3
```
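The manifest above fixes the token's group ownership but leaves the container's own user unspecified. As an added example (not part of the answer above), the following manifest makes the non-root requirement explicit with `runAsNonRoot`/`runAsUser`, keeps `fsGroup` so the projected token is readable through the supplementary group, and drops privilege escalation since `sudo` is no longer needed. The pod name, image reference, uid/gid 1000 and the startup check are constructed for illustration; the ServiceAccount name is the one from the answer, and the check assumes the EKS pod identity webhook injects `AWS_WEB_IDENTITY_TOKEN_FILE` (as it did for the root shell in the question).

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: s3-reader                      # constructed name
spec:
  serviceAccountName: serviceAccountWithAccessToS3   # SA bound to the IAM role
  securityContext:
    runAsNonRoot: true                 # refuse to start if the image would run as uid 0
    runAsUser: 1000                    # constructed non-root uid
    runAsGroup: 1000                   # constructed primary gid
    fsGroup: 65534                     # projected token becomes group-owned by 65534,
                                       # and 65534 is added as a supplementary group
  containers:
  - name: app
    image: example.invalid/app:1.0     # placeholder image reference
    securityContext:
      allowPrivilegeEscalation: false  # no sudo/setuid path needed once fsGroup is set
    command: ["/bin/sh", "-c"]
    args:
      - |
        # constructed startup check: show the token's mode/owner as seen by uid 1000,
        # then confirm the assumed role works before handing over to the workload
        id
        ls -l "$AWS_WEB_IDENTITY_TOKEN_FILE"
        aws sts get-caller-identity
        exec /do-something.sh
```

If `aws sts get-caller-identity` reports the expected role ARN while running as uid 1000, the token is readable without any `chmod` in the startup script; if it fails with "permission denied", check that `fsGroup` is set at the pod level (not only in the container's `securityContext`), since only the pod-level field changes the projected volume's group ownership.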