Workload cannot access the service account token on Juju 3.5.0
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Canonical Juju | Fix Released | Critical | Harry Pidcock |
Bug Description
The workload from a K8s charm cannot access the service account token on Juju 3.5.0. It works fine up to Juju 3.4.2.
Error message from pebble logs (when deploying `juju deploy postgresql-k8s --channel 14/edge --trust`, which runs the workload with another user - postgres - and then checking the error through `pebble logs`):
2024-05-
3.4.2 permissions:
root@postgresql
lrwxrwxrwx 1 root root 12 May 22 14:38 /var/run/
root@postgresql
-rw-r--r-- 1 root root 977 May 22 14:38 /var/run/
3.5.0 permissions:
root@postgresql
lrwxrwxrwx 1 root 170 12 May 22 14:04 /var/run/
root@postgresql
-rw-r----- 1 root 170 1142 May 22 14:04 /var/run/
Others cannot access the token anymore.
description: updated
Changed in juju:
assignee: nobody → Harry Pidcock (hpidcock)
importance: Undecided → Critical
milestone: none → 3.5.1
status: New → In Progress
Changed in juju:
status: In Progress → Fix Committed
Changed in juju:
status: Fix Committed → Fix Released
One way to deploy the charm was to add a name to group 170 and use that group in the pebble layer for the service, which needed access to the service account token. However, it doesn't seem to be the proper way to fix this.
Do you have any recommendations on how to handle this situation? Thanks in advance.
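The permission change shown in the listings above and the group 170 workaround, evaluated with POSIX mode-bit rules. This is an added example, not part of the original bug thread and not Juju's code. The mode strings, owner and group come from the report; the workload uid and gid (1000) are constructed, since the page names the user (postgres) but not its ids, and the function names are hypothetical.

```python
import stat

ROOT_UID = 0

def ls_mode_to_bits(mode_str):
    """Convert an `ls -l` mode string such as '-rw-r-----' to permission bits."""
    perms = mode_str[1:10]
    if len(perms) != 9 or any(c not in "rwx-" for c in perms):
        raise ValueError("unsupported mode string: %r" % mode_str)
    return sum(1 << (8 - i) for i, c in enumerate(perms) if c != "-")

def read_decision(mode, owner_uid, group_gid, uid, gids):
    """Return (permission class used, read allowed) under POSIX mode-bit rules.

    Exactly one class applies: owner, else group, else other. There is no
    fall-through, so a process outside the file's group only gets 'other'.
    ACLs, LSMs and user namespaces are not modelled.
    """
    if uid == ROOT_UID:
        return ("root", True)  # assumes CAP_DAC_OVERRIDE has not been dropped
    if uid == owner_uid:
        return ("owner", bool(mode & stat.S_IRUSR))
    if group_gid in gids:
        return ("group", bool(mode & stat.S_IRGRP))
    return ("other", bool(mode & stat.S_IROTH))

# Mode, owner and group as shown in the report's listings (root = uid/gid 0).
TOKEN_3_4_2 = (ls_mode_to_bits("-rw-r--r--"), 0, 0)
TOKEN_3_5_0 = (ls_mode_to_bits("-rw-r-----"), 0, 170)

# Constructed workload identity: the page does not give the postgres uid/gid.
WORKLOAD_UID = 1000
WORKLOAD_GIDS = {1000}

def report():
    """Evaluate the workload against both token states and the workaround."""
    rows = []
    for label, (mode, owner, group) in (("3.4.2", TOKEN_3_4_2), ("3.5.0", TOKEN_3_5_0)):
        rows.append((label, "workload",
                     read_decision(mode, owner, group, WORKLOAD_UID, WORKLOAD_GIDS)))
    mode, owner, group = TOKEN_3_5_0
    rows.append(("3.5.0", "workload + group 170",
                 read_decision(mode, owner, group, WORKLOAD_UID, WORKLOAD_GIDS | {170})))
    return rows

if __name__ == "__main__":
    for version, who, (cls, ok) in report():
        print(f"{version:6} {who:22} class={cls:6} read={'yes' if ok else 'no'}")
```

The symlink lines in the listings (`lrwxrwxrwx`) are left out because symlink mode bits do not take part in the access decision; only the target file's mode, owner and group do.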