Running Copilot #24
Annotations
1 error and 1 warning
copilot
```
WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /azp/_work/_temp/kubectlTask/1234/config
```

### Relevant log output

```shell
##[error]WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /azp/_work/_temp/kubectlTask/1234/config
```

### Additional info

```shell
To repro:

- task: Kubernetes@1
  inputs:
    connectionType: 'Azure Resource Manager'
    azureSubscriptionEndpoint: your-sub
    azureResourceGroup: your-rg
    kubernetesCluster: your-cluster
    command: 'login'

# This will end up writing a kubeconfig file to a temporary path e.g. /azp/_work/_temp/kubectlTask/1234/config

Then run:

- task: HelmDeploy@0
  inputs:
    connectionType: None
    publishPipelineMetadata: false
    command: upgrade
    namespace: your-ns
    releaseName: some-release
    chartType: FilePath
    chartPath: /path/to/chart

The HelmDeploy task will chmod() the kubeconfig file to 600 but NOT if the connectionType is `None` - which is what the value needs to be in order to authenticate to an AKS cluster using a non-admin service principal (via the Kubernetes@1 task, which calls `kubelogin` to generate the proper kubeconfig file for you). That's irrelevant though, because the kubeconfig shouldn't even be allowed to exist on-disk with insecure permissions.

The bug is the Kubernetes task generating a kubeconfig with insecure mode bits. It should ensure that the file is properly secured BEFORE it writes anything to it, since when `kubelogin` is called with `-l spn` the actual service principal secret is written to the file and could be stolen.
```

Issue: https://github.com/microsoft/azure-pipelines-tasks/issues/19259 (reported by jackmtpt; labels: bug, Area: Release, triage; 8 comments; created 2023-11-10T08:50:29Z, updated 2025-11-03T12:13:13Z)
copilot
`Warning: Use tokens from the TokenRequest API or manually created secret-based tokens instead of auto-generated secret-based tokens.`

### Environment type (Please select at least one environment where you face this issue)

- [ ] Self-Hosted
- [X] Microsoft Hosted
- [X] VMSS Pool
- [ ] Container

### Azure DevOps Server type

dev.azure.com (formerly visualstudio.com)

### Azure DevOps Server Version (if applicable)

_No response_

### Operation system

Windows Server 2022

### Relevant log output

```shell
C:\ProgramData\Chocolatey\bin\kubectl.exe scale deployment/tenant000-prime-1-services-deploy --replicas=0 --namespace tenant000
Warning: Use tokens from the TokenRequest API or manually created secret-based tokens instead of auto-generated secret-based tokens.
deployment.apps/tenant000-prime-1-services-deploy scaled
##[warning]Warning: Use tokens from the TokenRequest API or manually created secret-based tokens instead of auto-generated secret-based tokens.

C:\ProgramData\Chocolatey\bin\kubectl.exe rollout status deployment/tenant000-prime-1-services-deploy --timeout 10s --namespace t200000-ns
Warning: Use tokens from the TokenRequest API or manually created secret-based tokens instead of auto-generated secret-based tokens.
deployment "tenant000-prime-1-services-deploy" successfully rolled out
##[warning]Warning: Use tokens from the TokenRequest API or manually created secret-based tokens instead of auto-generated secret-based tokens.

C:\ProgramData\Chocolatey\bin\kubectl.exe annotate deployment tenant000-prime-1-services-deploy azure-pipelines/run=tenant000 "azure-pipelines/pipeline=\"EMEA - Dev Upgrade SINGLE - EUWE-AKSLAB00001\"" "azure-pipelines/pipelineId=\"200\"" "azure-pipelines/jobName=\"Upgrade tenant000\"" azure-pipelines/runuri=https://dev.azure.com/PaletteSoftware/Operations/_build/results?buildId=203240 azure-pipelines/project=Operations azure-pipelines/org=https://dev.azure.com/PaletteSoftware/ --overwrite --namespace tenant000
Warning: Use tokens from the TokenRequest API or manually created secret-based tokens instead of auto-generated secret-based tokens.
deployment.apps/tenant000-prime-1-services-deploy annotated
##[warning]Warning: Use tokens from the TokenRequest API or manually created secret-based tokens instead of auto-generated secret-based tokens.

C:\ProgramData\Chocolatey\bin\kubectl.exe annotate pod tenant000-prime-1-services-deploy-7899bb84c6-vctnw azure-pipelines/run=tenant000 "azure-pipelines/pipeline=\"EMEA - Dev Upgrade SINGLE - EUWE-AKSLAB00001\"" "azure-pipelines/pipelineId=\"200\"" "azure-pipelines/jobName=\"Upgrade tenant000\"" azure-pipelines/runuri=https://dev.azure.com/PaletteSoftware/Operations/_build/results?buildId=203240 azure-pipelines/project=Operations azure-pipelines/org=https://dev.azure.com/PaletteSoftware/ --overwrite --namespace tenant000
Warning: Use tokens from the TokenRequest API or manually created secret-based tokens instead of auto-generated secret-based tokens.
pod/tenant000-prime-1-services-deploy-7899bb84c6-vctnw annotated
##[warning]Warning: Use tokens from the TokenRequest API or manually created secret-based tokens instead of auto-generated secret-based tokens.
```

### Full task logs with system.debug enabled

<details>
 <pre> [REPLACE THIS WITH YOUR INFORMATION] </pre>
</details>

### Repro steps

```yml
- task: KubernetesManifest@0
  displayName: 'Stop existing services pod if found'
  inputs:
    action: 'scale'
    kubernetesServiceConnection: EUWE-AKSLAB00001
    namespace: 'tenant000'
    kind: 'deployment'
    name: 'tenant000-prime-1-services-deploy'
    replicas: '0'
    rolloutStatusTimeout: '10'
  continueOnError: true
```

Reported by shurick81.
Artifacts
Produced during runtime
| Name | Size | Digest |
|---|---|---|
| results | 11.6 KB | sha256:15371612ec3d95c604b58615ba9aa17253d6591394d26160b52e97c4f6617ae2 |