Problem:
When deploying the Vault Radar agent using the Deploy Vault Radar agent documentation on an OpenShift cluster, users may encounter the following error while using the Kubernetes deployment:
Error storing config: open /.vault-radar.json: permission denied
This happens because the agent writes its state config to $HOME/.vault-radar.json (the path in the error, /.vault-radar.json, shows HOME resolving to /). Under OpenShift's default restricted security context constraints (SCC), the container runs as an arbitrary non-root UID rather than the user the image was built for, so HOME falls back to the container's root directory (/), which that UID cannot write to. As a result, the agent fails to store its configuration file and terminates with the permission error above.
Solution:
To resolve this, update your Kubernetes deployment manifest to include:

- A writable volume (emptyDir) mounted inside the container at a directory where the agent has write permissions, e.g., /app/config. The volumeMounts entry goes in the container spec and the volumes entry in the pod spec:

  volumeMounts:
    - name: radar-config
      mountPath: /app/config
  volumes:
    - name: radar-config
      emptyDir: {}

- Either or both of the environment variables below, to redirect Vault Radar's config file storage away from the root directory (HOME moves the default location; VAULT_RADAR_STATE_CONFIG_PATH sets the file path explicitly):

  env:
    - name: HOME
      value: /app/config
    - name: VAULT_RADAR_STATE_CONFIG_PATH
      value: /app/config/.vault-radar.json
Below is an example deployment manifest with these changes applied:
---
apiVersion: v1
kind: Namespace
metadata:
  name: vault-radar
  labels:
    app: vault-radar-agent
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: vault-radar-agent
  namespace: vault-radar
  labels:
    app: vault-radar-agent
---
apiVersion: v1
kind: Secret
metadata:
  name: vault-radar-secrets
  namespace: vault-radar
  labels:
    app: vault-radar-agent
type: Opaque
data:
  HCP_CLIENT_SECRET: <Base64 Encoded HCP_CLIENT_SECRET>
  VAULT_RADAR_GIT_TOKEN: <Base64 Encoded VAULT_RADAR_GIT_TOKEN>
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: vault-radar-agent
  namespace: vault-radar
  labels:
    app: vault-radar-agent
spec:
  replicas: 2
  selector:
    matchLabels:
      app: vault-radar-agent
  template:
    metadata:
      labels:
        app: vault-radar-agent
    spec:
      serviceAccountName: vault-radar-agent
      automountServiceAccountToken: true
      containers:
        - name: vault-radar-agent
          image: docker.io/hashicorp/vault-radar:latest
          command: ["vault-radar"]
          args: ["agent", "exec"]
          imagePullPolicy: Always
          tty: true
          resources:
            limits:
              cpu: 1000m
              memory: 1024Mi
            requests:
              cpu: 100m
              memory: 512Mi
          volumeMounts:
            - name: radar-config
              mountPath: /app/config
          env:
            - name: HOME
              value: /app/config
            - name: VAULT_RADAR_STATE_CONFIG_PATH
              value: /app/config/.vault-radar.json
            - name: HCP_PROJECT_ID
              value: <HCP_PROJECT_ID>
            - name: HCP_RADAR_AGENT_POOL_ID
              value: <HCP_RADAR_AGENT_POOL_ID>
            - name: HCP_CLIENT_ID
              value: <HCP_CLIENT_ID>
            - name: HCP_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: vault-radar-secrets
                  key: HCP_CLIENT_SECRET
            - name: VAULT_RADAR_GIT_TOKEN
              valueFrom:
                secretKeyRef:
                  name: vault-radar-secrets
                  key: VAULT_RADAR_GIT_TOKEN
      volumes:
        - name: radar-config
          emptyDir: {}

Mounting a writable volume and setting either or both of the environment variables HOME and VAULT_RADAR_STATE_CONFIG_PATH redirects the agent's configuration file to /app/config/.vault-radar.json, a writable path inside the container. Once the updated manifest is applied, the Vault Radar agent starts without the permission error; you can confirm this with oc -n vault-radar logs deploy/vault-radar-agent. Note that emptyDir is ephemeral: its contents are discarded when the pod is deleted or rescheduled, which is acceptable for a file the agent writes at startup. The example also pulls the :latest tag with imagePullPolicy: Always; for production deployments, pin a specific version tag so that upgrades are deliberate.
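As a pre-deployment check for the two changes above, the following script inspects a Deployment and reports any container whose config path would not land on a writable, declared volume. It is an added example written for this article, not HashiCorp's code. The path resolution it models (an explicit VAULT_RADAR_STATE_CONFIG_PATH wins, otherwise $HOME/.vault-radar.json, with an unset HOME treated as /) is an assumption derived from the error message and the fix, not taken from the agent's source. The check reads JSON, so it works directly on the output of oc get ... -o json; for a YAML file you would first convert it (for example with PyYAML), which is not shown here.

```python
#!/usr/bin/env python3
"""Check that a Vault Radar agent Deployment gives the agent a writable
config path before it is applied to OpenShift.

Added example for this article; not HashiCorp's code.  The resolution
order below (explicit VAULT_RADAR_STATE_CONFIG_PATH, else $HOME/.vault-radar.json,
with an unset HOME resolving to "/") is an assumption derived from the
error and the fix in the article, not from the agent's source.

Usage against a live cluster:
    oc -n vault-radar get deploy vault-radar-agent -o json | python3 check_radar_config.py
"""
import json
import posixpath
import sys

DEFAULT_FILE = ".vault-radar.json"


def effective_config_path(env):
    """Return the path the agent is assumed to write its state config to."""
    explicit = env.get("VAULT_RADAR_STATE_CONFIG_PATH")
    if explicit:
        return posixpath.normpath(explicit)
    home = env.get("HOME") or "/"
    return posixpath.normpath(posixpath.join(home, DEFAULT_FILE))


def _is_under(path, mount):
    """True if path equals mount or lies inside it (pure path comparison)."""
    mount = posixpath.normpath(mount)
    return path == mount or path.startswith(mount.rstrip("/") + "/")


def check_deployment(deployment):
    """Return one finding per container whose config path is not backed by a
    writable, declared volume.  An empty list means the manifest is fine."""
    findings = []
    pod = deployment["spec"]["template"]["spec"]
    volumes = {v["name"] for v in pod.get("volumes", [])}
    for c in pod.get("containers", []):
        # Only literal values are known at review time; valueFrom entries are skipped.
        env = {e["name"]: e["value"] for e in c.get("env", []) if "value" in e}
        path = effective_config_path(env)
        parent = posixpath.dirname(path)
        mount = next((m for m in c.get("volumeMounts", [])
                      if _is_under(parent, m["mountPath"]) and not m.get("readOnly", False)),
                     None)
        if mount is None:
            findings.append(f"{c['name']}: config path {path} is not under any writable volumeMount")
        elif mount["name"] not in volumes:
            findings.append(f"{c['name']}: volumeMount {mount['name']} has no matching pod volume")
    return findings


# Constructed sample manifests, reduced to the fields the check reads.
# BROKEN mirrors the failing deployment (no HOME, no volume); FIXED mirrors the article's fix.
BROKEN = {"spec": {"template": {"spec": {"containers": [
    {"name": "vault-radar-agent", "env": [{"name": "HCP_PROJECT_ID", "value": "x"}]}]}}}}

FIXED = {"spec": {"template": {"spec": {
    "containers": [{
        "name": "vault-radar-agent",
        "volumeMounts": [{"name": "radar-config", "mountPath": "/app/config"}],
        "env": [{"name": "HOME", "value": "/app/config"},
                {"name": "VAULT_RADAR_STATE_CONFIG_PATH",
                 "value": "/app/config/.vault-radar.json"}]}],
    "volumes": [{"name": "radar-config", "emptyDir": {}}]}}}}

if __name__ == "__main__":
    # Read a Deployment from stdin; fall back to the FIXED sample when run interactively.
    doc = json.load(sys.stdin) if not sys.stdin.isatty() else FIXED
    problems = check_deployment(doc)
    for p in problems:
        print("FAIL:", p)
    if not problems:
        print("OK: config path is backed by a writable volume")
    sys.exit(1 if problems else 0)
```

The check deliberately ignores env entries that use valueFrom, because their values are not known until the pod runs; if you inject HOME from a ConfigMap, resolve it yourself before running the check. It also flags a readOnly mount and a volumeMount with no matching pod volume, both of which reproduce the same permission error at startup.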
References:
HashiCorp Official Documentation – Deploy Vault Radar Agent
OpenShift Documentation – Understanding Security Context Constraints
Need Help?
If you still face any challenges or have further questions, please contact HashiCorp Support.