Allow specifying the primary group id of the container #756
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
|
@kubernetes/sig-node-proposals |
| ## Abstract | ||
|
|
||
|
|
||
| As a Kubernetes User, i should be able to specify both user id and group id for the containers running |
| inside a pod on a per Container basis, similar to how docker allows that using docker run options -u, | ||
| --user="" Username or UID (format: <name|uid>[:<group|gid>]) format. | ||
|
|
||
| PodSecurityContext allows Kubernetes users to specify RUnAsUser which can be overriden by RunAsUser |
| --user="" Username or UID (format: <name|uid>[:<group|gid>]) format. | ||
|
|
||
| PodSecurityContext allows Kubernetes users to specify RUnAsUser which can be overriden by RunAsUser | ||
| in SecurtiyContext on a per Container basis. There is no equivalent field for specifying the primary |
| ## Motivation | ||
|
|
||
| Enterprise Kubernetes users want to run containers as non root. This means running containers with a | ||
| non zero user id and non zero group id. This gives Enterprises confidence that their customer code |
There was a problem hiding this comment.
Group zero essentially means nothing and has zero security implications. I'm not saying that this isn't a valid use case, but you don't gain anything, to my knowledge, by running as GID 0.
There was a problem hiding this comment.
I would buy that someone wants to be able to use GIDs as part of a security scheme, though, possibly derived from LDAP or another identity system.
| ## Use Cases | ||
|
|
||
| Use case 1: | ||
| As a cluster operator, i should be able to control both user id and primary group id of containers |
There was a problem hiding this comment.
I think this is 'as a Kubernetes user', and what's the "so that I can _____________" part of this use-case?
| launched using Kubernetes. | ||
|
|
||
| Use case 2: | ||
| As a cluster operator, i should be able to override user id and primary group id of a container as |
There was a problem hiding this comment.
Isn't this the same use case as the first one?
| } | ||
|
|
||
|
|
||
| type PoddSecurityContext struct { |
| // +optional | ||
| RunAsUser *int64 | ||
| // The GID to run the entrypoint of the container process. | ||
| // Defaults to user specified in image metadata if unspecified. |
| - If no RunAsGroup is provided in the PodSecurityContext and SecurityContext, and none in the image, | ||
| the container will run with primary Group as root(0). | ||
|
|
||
| ## Not In Scope |
There was a problem hiding this comment.
How is this not in scope? We need to add the policy control surface to govern features like this as we implement them.
There was a problem hiding this comment.
Any additions to PodSecurityContext will changes to PodSecurityPolicy - both are part of the API and should evolve together.
|
Can you at least compare to the alternative, which is pushing an /etc/groups file to all your nodes and using that for group membership? |
|
@pmorie @smarterclayton addressed comments. @erictune Are you suggesting controlling the gid through the file, while controlling uid through existing runtime mechanisms. It can be done, but not dynamically configurable and one /etc/groups file will affect all containers of a host. Do you still think we should discuss that option in the proposal ? |
|
@erictune Also isnt /etc/groups only for controlling secondary/supplemental group ids? Here we are talking about controlling the primary group id the container runs as |
|
@krmayankk, @erictune I think that the groups file on the host OS does not affect UID and GID allocation in the container. I have user and group 1000 in the group file on the host. |
|
I have no objections to this as stated. For symmetry I see no reason why this should be prohibited when the primary UID is allowed. |
|
Something seems to be wrong with lowercase 'i''s in the markdown being converted to capital I. |
smarterclayton
added
sig/apps
|
@kubernetes/sig-auth-feature-requests can you chime in if you see any additional implications. I don't see any reason not to add this or enable it as long as the PSP work is done at the same time. |
|
Disregard my comment about /etc/groups.
…On Tue, Aug 15, 2017 at 3:53 PM, Clayton Coleman ***@***.***> wrote:
@kubernetes/sig-auth-feature-requests
<https://github.com/orgs/kubernetes/teams/sig-auth-feature-requests> can
you chime in if you see any additional implications. I don't see any reason
not to add this or enable it as long as the PSP work is done at the same
time.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#756 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AHuudqchstCVUhYMmVuyd88UUTdIH9Rqks5sYiFYgaJpZM4OB0P7>
.
|
k8s-github-robot
added
the
size/L
|
I'd like at least another sig node reviewer to comment before I mark lgtm. |
krmayankk
force-pushed
the
runasg
branch
3 times, most recently
from
7ae009f to
a3c70ae
Compare
|
|
||
| As a Kubernetes User, we should be able to specify both user id and group id for the containers running | ||
| inside a pod on a per Container basis, similar to how docker allows that using docker run options `-u, | ||
| --user="" Username or UID (format: <name|uId>[:<group|gid>]) format`. |
| // May also be set in PodSecurityContext. If set in both SecurityContext and | ||
| // PodSecurityContext, the value specified in SecurityContext takes precedence. | ||
| // +optional | ||
| RunAsUser *Int64 |
|
|
||
| PodSecurityPolicy defines strategies or conditions that a pod must run with in order to be accepted | ||
| into the system. Two of the relevant strategies are RunAsUser and SupplementalGroups. We introduce | ||
| a new strategy called RunAsGroup which will support the following options:- |
|
|
||
| ### Model | ||
|
|
||
| Introduce a new API field in SecurityContext and PodSecurityContext called `RunAsGroup` |
There was a problem hiding this comment.
Missing period at the end of this sentence. Can we mention explicitly what the behavior is if these fields are not defined?
krmayankk
force-pushed
the
runasg
branch
2 times, most recently
from
93d65b4 to
8a69db9
Compare
|
@pmorie there is a |
|
I think given that people may have NFS or other shared storage that might
be impacted by root group 0, that RunAsNonRootGroup makes sense for its
clear parallel to user in the API as well us not having a good reason for
it to be inconsistent.
…On Fri, Sep 15, 2017 at 5:42 PM, krmayankk ***@***.***> wrote:
This was in the outdated section so hidden. Repasting this here, so that
people can continue the discussion here.
@pmorie <https://github.com/pmorie> can you raise your concerns about not
adding RunAsNonRootGroup here. @pweil- <https://github.com/pweil->
@smarterclayton <https://github.com/smarterclayton> i have updated the
doc to also say we need RunAsNonRootGroup in addition to RunAsNonRoot
similar to PSP supporting two different strategies for Group and User.
RunAsNonRoot in SecurityContext and PodSecurityContext is specific to uid
and hence we need to add one one more bool RunAsNonRootGroup for gid. PTAL
and comment here
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#756 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ABG_p2mU4G8cg5M4wJpom2M9LBMVsAb-ks5siu9UgaJpZM4OB0P7>
.
|
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
Automatic merge from submit-queue |
|
thanks to @pmorie for initial pointers, review and encouragement. And thanks to @pweil- @smarterclayton @vpal for reviewing and it and getting this in |
|
@krmayankk All of the design proposals moved into SIG-specific subdirectories last week. The security context proposal was moved to auth, so I'd appreciate it if this were moved into that subdirectory, also. |
|
Sounds good will move it today
On Mon, Sep 18, 2017 at 9:26 PM Brian Grant ***@***.***> wrote:
@krmayankk <https://github.com/krmayankk> All of the design proposals
moved into SIG-specific subdirectories last week. The security context
proposal was moved to auth, so I'd appreciate it if this were moved into
that subdirectory, also.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#756 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AP4-NCv-VmOfWuYuMrhRk6VW1zt8YH-Fks5sj0J3gaJpZM4OB0P7>
.
--
-Mayank
|
Automatic merge from submit-queue. add author to my proposal for reachability See here #756
Automatic merge from submit-queue (batch tested with PRs 56589, 56503). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. MustRunAsNonRoot should reject a pod if it has non-numeric USER **What this PR does / why we need it**: This PR modifies kubelet behavior to reject pods with non-numeric USER instead of showing a warning. **Special notes for your reviewer**: Related discussion: kubernetes/community#756 (comment) **Release note**: ```release-note kubelet: fix bug where `runAsUser: MustRunAsNonRoot` strategy didn't reject a pod with a non-numeric `USER`. ``` PTAL @pweil- @tallclair @liggitt @Random-Liu CC @simo5 @adelton
Automatic merge from submit-queue (batch tested with PRs 52077, 60456, 60591). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. API Changes for RunAsGroup First set of api changes for feature kubernetes/community#756 ```release-note Add ability to control primary GID of containers through pod Spec and PodSecurityPolicy ```
Automatic merge from submit-queue (batch tested with PRs 52077, 60456, 60591). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. API Changes for RunAsGroup First set of api changes for feature kubernetes/community#756 ```release-note Add ability to control primary GID of containers through pod Spec and PodSecurityPolicy ``` Kubernetes-commit: 16980f21d167b0166de7fb029e80f5da37ff2ebe
Automatic merge from submit-queue (batch tested with PRs 52077, 60456, 60591). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. API Changes for RunAsGroup First set of api changes for feature kubernetes/community#756 ```release-note Add ability to control primary GID of containers through pod Spec and PodSecurityPolicy ``` Kubernetes-commit: 16980f21d167b0166de7fb029e80f5da37ff2ebe
Automatic merge from submit-queue. add author to my proposal for reachability See here kubernetes/community#756
Automatic merge from submit-queue Allow specifying the primary group id of the container Allows specifying the Primary Group ID of the container, in addition to Primary User Id when running in Docker similar to how docker supports this.
Automatic merge from submit-queue. add author to my proposal for reachability See here kubernetes/community#756
Automatic merge from submit-queue. add author to my proposal for reachability See here kubernetes/community#756
Automatic merge from submit-queue. add author to my proposal for reachability See here kubernetes/community#756
Automatic merge from submit-queue. add author to my proposal for reachability See here kubernetes/community#756
Automatic merge from submit-queue. add author to my proposal for reachability See here kubernetes/community#756
Automatic merge from submit-queue. add author to my proposal for reachability See here kubernetes/community#756
Allows specifying the Primary Group ID of the container, in addition to Primary User Id when running in Docker similar to how docker supports this.