It seems like whenever I use a secret/config, it is always group writable, even when I explicitly set the mode to be non-group-writable. Example compose file:

    version: "3.4"
    services:
      alpine:
        image: alpine
        entrypoint: ["stat", "/foo"]
        secrets:
          - source: foo
            target: /foo
            mode: 400
    secrets:
      foo:
        file: foo

Permissions from stat:
Access: (0620/-rw--w----) Uid: ( 0/ root) Gid: ( 0/ root)
This seems a bit odd and is problematic for me, as I want to use this for ssh authorized_keys, which will error by default if group writable. A short-term fix could be just to disable that check, but it still seems weird that Docker would change the mode like that.
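
An added example, not part of the original post: a small audit of `mode:` values in a compose file, showing the permission bits each literal produces. It assumes the compose parser follows YAML 1.1 integer rules (a leading `0` means octal, anything else is decimal); the sample text, the second `bar` entry and the function names are constructed for illustration.

```python
import re
import stat

# Constructed sample: the secret entry from the post plus a leading-zero variant.
SAMPLE = """\
services:
  alpine:
    secrets:
      - source: foo
        target: /foo
        mode: 400
      - source: bar
        target: /bar
        mode: 0400
"""

MODE_RE = re.compile(r"^\s*mode:\s*(\d+)\s*$")


def parsed_mode(literal):
    """Integer produced under the assumed YAML 1.1 rules: leading 0 is octal."""
    if re.fullmatch(r"0[0-7]+", literal):
        return int(literal, 8)
    return int(literal, 10)


def audit(compose_text):
    """Return (line_no, literal, octal, symbolic, group_or_other_writable) per mode line."""
    findings = []
    for line_no, line in enumerate(compose_text.splitlines(), start=1):
        match = MODE_RE.match(line)
        if not match:
            continue
        bits = parsed_mode(match.group(1)) & 0o7777
        symbolic = stat.filemode(stat.S_IFREG | bits)
        writable = bool(bits & (stat.S_IWGRP | stat.S_IWOTH))
        findings.append((line_no, match.group(1), format(bits, "04o"), symbolic, writable))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Decimal 400 is 0620 in octal, which matches the `stat` output in the post; the `0400` literal yields the owner-read-only mode that the ssh authorized_keys check accepts.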