hubble-ui backend container file permissions issue on loading client cert for hubble-relay  #18816

@andy-v-h

Is there an existing issue for this?

  • I have searched the existing issues

What happened?

When using mTLS between hubble-relay and hubble-ui, the backend pod cannot open the client.crt with mode 0400 set (or 256 in decimal). This looks possibly related to #18732, but as that was closed with a workaround via kubectl port-forward, I'd like to open an issue to address the file permissions in the pod.

A workaround is to manually set the default mode to 0404. I think this is because the projected volume is owned by root and we're running at uid 1001 per the security context.

Cilium Version

v1.11.0

Kernel Version

5.10.96

Kubernetes Version

v1.22.5

Sysdump

n/a

Relevant log output

➤ kubectl logs po/hubble-ui-856f65c48f-f9twl backend  
level=info msg="initialized with TLS enabled\n" subsys=config
level=error msg="failed to initialize hubble-ui backend: failed to load keypair: open /var/lib/hubble-ui/certs/client.crt: permission denied\n" subsys=ui-backend


Anything else?

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct
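
Added example, not part of the original issue or of Cilium's code: a small model of the POSIX read check that reproduces the reported failure and compares the 0404 workaround with a group-readable mode. uid 1001, the root-owned files and the modes 0400 and 0404 come from the issue; gid 1001 and the group-owned variant are assumptions made for comparison.

```python
import stat

def can_read(mode, owner_uid, owner_gid, uid, gids):
    """POSIX read check for a non-root process: exactly one permission class
    applies (owner, else group, else other); the classes do not accumulate."""
    if uid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def exposure(mode):
    """Widest audience, besides the owner, that this mode grants read access to."""
    if mode & stat.S_IROTH:
        return "every uid in the container"
    if mode & stat.S_IRGRP:
        return "members of the owning group"
    return "owner only"

# Constructed scenarios. uid 1001 and the root-owned files come from the issue;
# gid 1001 and the group-owned variant are assumptions for comparison.
BACKEND_UID, BACKEND_GIDS = 1001, {1001}
SCENARIOS = [
    ("mode 0400, root:root (reported)", 0o400, 0, 0),
    ("mode 0404, root:root (workaround)", 0o404, 0, 0),
    ("mode 0440, root:1001 (assumed group ownership)", 0o440, 0, 1001),
]

def evaluate():
    """Return (label, mode, backend_can_read, audience) for each scenario."""
    rows = []
    for label, mode, o_uid, o_gid in SCENARIOS:
        ok = can_read(mode, o_uid, o_gid, BACKEND_UID, BACKEND_GIDS)
        rows.append((label, mode, ok, exposure(mode)))
    return rows

if __name__ == "__main__":
    for label, mode, ok, who in evaluate():
        # The decimal value is what a JSON manifest would carry for the mode.
        print(f"{label}: decimal {mode}, backend can read: {ok}, readable by: {who}")
```

The 0404 mode works only through the "other" class, so the same bit that lets uid 1001 read the files also lets any other uid in the container read them.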

Labels

  • kind/bug: This is a bug in the Cilium logic.
  • needs/triage: This issue requires triaging to establish severity and next steps.
