fix(k8s): fix SSH host key permissions for non-root user #2
Merged
- Add fsGroup: 1001 to pod security context
- Change defaultMode from 0600 to 0640 for ssh-host-key secret
- Create /app/data/ssh-keys as writable directory in Dockerfile
- Allow nodejs user (UID 1001) to read mounted SSH host key
Pull request overview
Fixes an SSH server crash on Kubernetes caused by the non-root nodejs (uid/gid 1001) user being unable to read the SSH host key mounted from a Secret with defaultMode: 0600. With a Secret volume, files are owned by root:fsGroup, so the fix sets fsGroup: 1001 on the pod and relaxes the file mode to 0640 so the group-mounted user can read it. The Dockerfile is also updated to provision a writable fallback directory for a self-generated host key.
Changes:
- Add `fsGroup: 1001` to the pod's `securityContext` so Kubernetes chgrps the mounted secret volume to the nodejs group.
- Change the `ssh-host-key` secret volume `defaultMode` from `0600` to `0640` so the group can read it.
- Create `/app/data/ssh-keys` in the image (in addition to `/app/ssh-keys`) and chown both to `nodejs:nodejs` for the generated-key fallback path used in `src/ssh-server.ts`.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| k8s/app/base/deployment.yaml | Adds fsGroup: 1001 and changes secret volume defaultMode to 0640 so the non-root container can read the mounted SSH host key. |
| Dockerfile | Creates an additional writable /app/data/ssh-keys directory and recursively chowns it (and /app/ssh-keys) to the nodejs user for the generated-key fallback. |
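As an added illustration of the securityContext and Secret volume settings described above (not the PR's own diff; the Deployment and container names are assumed), the relevant parts of a manifest with the weak setting noted beside the corrected one:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ssh-server                 # assumed name
spec:
  template:
    spec:
      securityContext:
        fsGroup: 1001              # Secret files are created root:<fsGroup>; nodejs runs as gid 1001
      containers:
        - name: app                # assumed name
          securityContext:
            runAsUser: 1001        # nodejs user from the image
            runAsGroup: 1001
            runAsNonRoot: true     # assumed; fails the pod if the image ever ran as root
          volumeMounts:
            - name: ssh-host-key
              mountPath: /app/ssh-keys
              readOnly: true
      volumes:
        - name: ssh-host-key
          secret:
            secretName: memory-ssh-host-key
            # defaultMode: 0600 left the key readable only by root, so a gid-1001 process got EACCES
            defaultMode: 0640      # owner root rw, group 1001 r, no world access
```

A quick check after rollout is `kubectl exec <pod> -- stat -c '%u:%g %a' /app/ssh-keys/ssh_host_ed25519_key`, which should report `0:1001 640`.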
Comment on lines +28 to +30
| # Create writable directories | ||
| RUN mkdir -p /app/ssh-keys /app/data/ssh-keys && \ | ||
| chown -R nodejs:nodejs /app/ssh-keys /app/data |
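Review bot: `chown -R nodejs:nodejs /app/ssh-keys /app/data` on line +30 hands the whole /app/data tree to the nodejs user, not just the /app/data/ssh-keys directory created on the line before; narrowing it to `chown -R nodejs:nodejs /app/ssh-keys /app/data/ssh-keys` keeps the grant to what the fallback path needs. Note also that the chown of /app/ssh-keys has no runtime effect once the Secret volume is mounted at that path (the mounted files are root:fsGroup, as the overview describes), so only the self-generated-key fallback actually depends on this image-level ownership.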
- Remove fallback key generation logic
- Fail fast with clear error if memory-ssh-host-key secret is missing
- Mount point: /app/ssh-keys/ssh_host_ed25519_key
- Remove unused data directory creation in Dockerfile
Problem
The SSH server crashed with permission denied when it tried to read the mounted SSH host key as a non-root user.
Changes
Test