fix: correct kubeconfig ownership when running under sudo#3826
saiyam1814 wants to merge 1 commit into
@codex review
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 0facfbfe1f
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
When running "sudo vcluster create" on a machine without an existing ~/.kube/config, the newly created kubeconfig is owned by root with 0600 permissions, making it unreadable by the actual user. Fix by checking SUDO_UID/SUDO_GID after writing and chowning the file and parent directory back to the real user. This is a no-op when not running under sudo or when the file already existed (POSIX preserves ownership on overwrite).
@codex review
Reviewed commit: edc4f2fc5b
| _ = os.Chown(filePath, uid, gid) | ||
| _ = os.Chown(filepath.Dir(filePath), uid, gid) |
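Review bot: both calls throw away the os.Chown result with `_ =`, so if either chown fails the user ends up with exactly the root-owned 0600 kubeconfig this PR is meant to fix, and gets no message explaining why. Return the error from the helper, or at least log it as a warning from writeKubeConfig(), so the failure is visible; surfacing it also makes the behaviour checkable under go test ./pkg/cli/ rather than only in the manual sudo test plan.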
Resolve symlinks before chowning kubeconfig paths
This helper validates filePath with a string prefix check, then calls os.Chown on both the file and its parent. Because os.Chown follows symlinks, a path like ~/.kube -> /etc passes the home-directory guard but causes the ownership change to apply to the symlink targets outside the user home (including the parent directory target). Under sudo, this can unexpectedly re-own system paths and break the host. Resolve and validate real paths (or reject symlink components) before performing ownership changes.
Summary
- `sudo vcluster create` on a machine without an existing `~/.kube/config`, the newly created kubeconfig is owned by root with `0600` permissions, making it unreadable by the actual user
- Check `SUDO_UID`/`SUDO_GID` env vars and `os.Chown` the file + parent directory back to the real user
Changes
- `pkg/cli/sudo.go` (new): `fixFileOwnershipUnderSudo()` — reads `SUDO_UID`/`SUDO_GID`, chowns file + parent dir
- `pkg/cli/connect_helm.go` (+2 lines): calls the fix after both kubeconfig write paths in `writeKubeConfig()`
Test plan
- `go build ./pkg/cli/` passes
- `go vet ./pkg/cli/` passes
- `go test ./pkg/cli/` passes
- `sudo vcluster create test --driver docker` on a machine with existing `~/.kube/config` — works as before
- `sudo vcluster create test --driver docker` after `rm ~/.kube/config` — kubeconfig should be user-owned
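As an added example (not code from this PR or from vcluster), here is a hardened form of the `fixFileOwnershipUnderSudo()` idea that addresses the symlink issue raised in the review comment above: it resolves the kubeconfig and its parent directory with `filepath.EvalSymlinks`, checks that both still sit inside the real user's home, and only then chowns, returning errors instead of discarding them. The names `sudoIDs`, `resolveUnder` and `fixOwnership`, and the `home` argument (which a caller would derive from `SUDO_USER`, since `$HOME` under sudo is usually root's), are assumptions.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strconv"
)

// sudoIDs reads SUDO_UID/SUDO_GID via env; ok is false when not under sudo
// or the values are unusable (uid 0 would simply hand the file back to root).
func sudoIDs(env func(string) string) (uid, gid int, ok bool) {
	uid, errU := strconv.Atoi(env("SUDO_UID"))
	gid, errG := strconv.Atoi(env("SUDO_GID"))
	if errU != nil || errG != nil || uid <= 0 || gid < 0 {
		return 0, 0, false
	}
	return uid, gid, true
}

// resolveUnder follows every symlink in p and in home, then returns the real
// path of p only if it still lies inside the real home directory.
func resolveUnder(home, p string) (string, error) {
	realHome, err := filepath.EvalSymlinks(home)
	if err != nil {
		return "", err
	}
	realP, err := filepath.EvalSymlinks(p)
	if err != nil {
		return "", err
	}
	rel, err := filepath.Rel(realHome, realP)
	if err != nil || !filepath.IsLocal(rel) {
		return "", fmt.Errorf("%s resolves to %s, outside %s", p, realP, realHome)
	}
	return realP, nil
}

// fixOwnership chowns the resolved kubeconfig and its resolved parent directory
// back to the sudo user, so a symlinked ~/.kube cannot redirect the chown.
func fixOwnership(path, home string, uid, gid int) error {
	file, err := resolveUnder(home, path)
	if err != nil {
		return err
	}
	dir, err := resolveUnder(home, filepath.Dir(path))
	if err != nil {
		return err
	}
	if err := os.Chown(file, uid, gid); err != nil {
		return err
	}
	return os.Chown(dir, uid, gid)
}
```

A caller would wire it as `if uid, gid, ok := sudoIDs(os.Getenv); ok { err = fixOwnership(kubeconfigPath, realHome, uid, gid) }` right after the kubeconfig write.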