Merge pull request #21034 from jqmichael/patch-4

Clarified Secrets file mode

Author: k8s-ci-robot

content/en/docs/concepts/configuration/secret.md

@@ -580,7 +580,7 @@ spec:
   - name: foo
     secret:
       secretName: mysecret
-      defaultMode: 256
+      defaultMode: 0400
 ```
 
 Then, the secret will be mounted on `/etc/foo` and all the files created by the
@@ -590,6 +590,38 @@ Note that the JSON spec doesn't support octal notation, so use the value 256 for
 0400 permissions. If you use YAML instead of JSON for the Pod, you can use octal
 notation to specify permissions in a more natural way.
 
+Note if you `kubectl exec` into the Pod, you need to follow the symlink to find
+the expected file mode. For example,
+
+Check the secrets file mode on the pod.
+```
+kubectl exec mypod -it sh
+
+cd /etc/foo
+ls -l
+```
+
+The output is similar to this:
+```
+total 0
+lrwxrwxrwx 1 root root 15 May 18 00:18 password -> ..data/password
+lrwxrwxrwx 1 root root 15 May 18 00:18 username -> ..data/username
+```
+
+Follow the symlink to find the correct file mode.
+
+```
+cd /etc/foo/..data
+ls -l
+```
+
+The output is similar to this:
+```
+total 8
+-r-------- 1 root root 12 May 18 00:18 password
+-r-------- 1 root root  5 May 18 00:18 username
+```
+
 You can also use mapping, as in the previous example, and specify different
 permissions for different files like this:
 
@@ -612,12 +644,12 @@ spec:
       items:
       - key: username
         path: my-group/my-username
-        mode: 511
+        mode: 0777
 ```
 
 In this case, the file resulting in `/etc/foo/my-group/my-username` will have
-permission value of `0777`. Owing to JSON limitations, you must specify the mode
-in decimal notation.
+permission value of `0777`. If you use JSON, owing to JSON limitations, you
+must specify the mode in decimal notation, `511`.
 
 Note that this permission value might be displayed in decimal notation if you
 read it later.