Support User Namespaces in pods #127
Comments
This work is being done by @pweil- and is reviewed by @derekwaynecarr; it is sponsored by @kubernetes/sig-node.
@derekwaynecarr Could you help create a user story card for this feature?
@derekwaynecarr can you confirm that this feature targets alpha for 1.5?
Yes, this feature is experimental only, so it would be considered alpha.
@derekwaynecarr @pweil- can you confirm that this item targets beta in 1.6?
@derekwaynecarr, the proposal kubernetes/kubernetes#34569 was closed by the bot due to inactivity. @pweil-, in kubernetes/kubernetes#34569 (comment) you proposed the approach pweil-/kubernetes@16f29eb which changes the group of
@pweil-, I also wonder if, similar to docker's
@adelton in the end, I think having this be transparent to Kubernetes is the right approach, whether that be something like shiftfs or an implementation in the CRI (moby/moby#28593). You are correct that my existing proposal is not currently tracked in an open PR anymore. The reasoning behind using the chgrp was to follow our
Thanks @pweil-. When you say transparent, you mean that nothing should need to be added to code or to configuration on Kubernetes' side to allow running under docker with As for the I have now filed kubernetes/kubernetes#55707 as an alternative approach where I make the remapped uid/gid an explicit option, and use those values to chown/chgrp the necessary directories.
That would be ideal. Whether that is feasible (or more likely, feasible in an acceptable time frame) is another question 😄
Yes
👍 subscribed
Ideally, the pod would specify how many distinct uids/gids it would require, or a list of uids it wants to see inside of the containers, and docker or a different container runtime would set up the user namespace accordingly. But unless docker also changes ownership of the volumes mounted to the containers, Kubernetes will have to do that as part of the setup.
@pwel-, what is the best way to get some review and comments on kubernetes/kubernetes#55707, to get it closer to a mergeable state?
@pweil- ^
@adelton I would try to engage the sig-node folks either at their Tuesday meeting or on slack: https://github.com/kubernetes/community/tree/master/sig-node
@derekwaynecarr, could you please bring kubernetes/kubernetes#55707 to sig-node's radar?
@pweil- @derekwaynecarr is any progress on this feature expected?
Thanks for your response @rata
Hey again @derekwaynecarr 👋 Enhancements team here, just checking in as we approach code freeze at 02:00 UTC Wednesday 6th March 2024. Here's where this enhancement currently stands:
For this enhancement, it looks like the following PR is open and needs to be merged before code freeze: Also, please let me know if there are other PRs in k/k we should be tracking for this KEP.
@rata Thank you for your interest in the 1.30 Feature Blog. Please can you open a placeholder PR by February 26th?
@Checksumz Here it is (against dev-1.30): kubernetes/website#45354 Thanks!
Hello @derekwaynecarr 👋, Enhancements team here. With all the implementation (code related) PRs merged as per the issue description: This enhancement is now marked as
Hello 👋, 1.31 Enhancements Lead here. If you wish to progress this enhancement in v1.31, please have the SIG lead opt-in your enhancement by adding the lead-opted-in label and set the milestone to v1.31 before the Production Readiness Review Freeze. /remove-label lead-opted-in
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale
/remove-lifecycle stale
What are the plans for 1.32?
No plans for 1.32 so far, just trying to get final releases of runc and so to use this. We will be back afterwards :)
@rata runc and containerd released the versions having support for UN and id-mapped mounts. And, I realized that NFS doesn't support
@utam0k We should link to the mount_setattr manpage, which lists the supported filesystems and the kernel that added support for each. I sent a patch to update it a few months ago; I think it is still up to date. The manpages site was not being updated often, but now it is. Wanna do a doc patch to link to this page https://man7.org/linux/man-pages/man2/mount_setattr.2.html ?
@rata I've updated my comment because I made a mistake.
hmm... It's one of the good ideas, but out-of-tree filesystems, e.g. zfs, aren't listed on the man page.
@rata Are you aiming for
I don't have a good solution, but I'll write down one concern. I think there will be a security problem if a filesystem that doesn't support id-mapped mounts ignores the option and mounts anyway. NFS doesn't support id-mapped mounts, but it returns an error properly, so the Pod will fail to start. It is not known whether it is worth warning about in the user documentation. However, I am a beginner with filesystems, so please let me know if there are any mistakes.
Can we allow customizing the hard-coded 65536 limit?
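The two comments above about the pod's ID needs and the hard-coded 65536 range, together with the earlier point that Kubernetes has to chown volumes to the remapped owner, share one piece of arithmetic: the `/proc/<pid>/uid_map` mapping. The following is an added illustration, not code from this thread, Kubernetes, runc or containerd; the pool bounds `HOST_POOL_START`/`HOST_POOL_END` and the pod names are constructed assumptions. It parses the uid_map format, translates IDs in both directions (including the unmapped case, which the kernel shows as the overflow ID), allocates non-overlapping per-pod ranges, and derives the host owner a volume must be chown'ed to.

```python
"""
Constructed model of per-pod user-namespace ID mapping (added example, not
Kubernetes, runc or containerd code).

Each pod is given one contiguous block of POD_ID_RANGE host IDs, and the
container's ID c is mapped to host ID base + c, which is what a
/proc/<pid>/uid_map line "0 <base> 65536" expresses.  The same arithmetic
answers the question raised in the thread: which host owner a volume has to
be chown'ed to so that the container process sees it as its own.
"""

from typing import Dict, List, Optional, Tuple

POD_ID_RANGE = 65536                  # IDs handed to each pod (the thread's hard-coded size)
HOST_POOL_START = 2 * POD_ID_RANGE    # assumed: host IDs below this are reserved for the node itself
HOST_POOL_END = HOST_POOL_START + 16 * POD_ID_RANGE  # assumed: room for 16 pods on this node
OVERFLOW_ID = 65534                   # kernel default overflowuid/overflowgid for unmapped IDs

IdMap = List[Tuple[int, int, int]]    # (inside_start, outside_start, count), as in uid_map


def parse_id_map(text: str) -> IdMap:
    """Parse the uid_map / gid_map format: one 'inside outside count' triple per line."""
    mapping: IdMap = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed id_map line: {line!r}")
        inside, outside, count = (int(f) for f in fields)
        if count <= 0 or inside + count > 1 << 32 or outside + count > 1 << 32:
            raise ValueError(f"range out of bounds: {line!r}")
        mapping.append((inside, outside, count))
    return mapping


def to_host(mapping: IdMap, inside_id: int) -> Optional[int]:
    """Host ID for an ID seen inside the namespace; None if the ID is unmapped."""
    for inside, outside, count in mapping:
        if inside <= inside_id < inside + count:
            return outside + (inside_id - inside)
    return None


def to_container(mapping: IdMap, host_id: int) -> int:
    """ID the container sees for a host ID; unmapped host IDs show up as the overflow ID."""
    for inside, outside, count in mapping:
        if outside <= host_id < outside + count:
            return inside + (host_id - outside)
    return OVERFLOW_ID


def allocate_pod_ranges(pod_names: List[str]) -> Dict[str, int]:
    """Hand each pod its own non-overlapping block of POD_ID_RANGE host IDs."""
    ranges: Dict[str, int] = {}
    base = HOST_POOL_START
    for pod in pod_names:
        if base + POD_ID_RANGE > HOST_POOL_END:
            raise RuntimeError(f"host ID pool exhausted before pod {pod}")
        ranges[pod] = base
        base += POD_ID_RANGE
    return ranges


def id_map_line(base: int) -> str:
    """The single uid_map/gid_map line describing a pod's block, given its host base."""
    return f"0 {base} {POD_ID_RANGE}"


def volume_owner(mapping: IdMap, container_uid: int) -> int:
    """Host UID a volume must be chown'ed to so the container user owns it (raises if unmapped)."""
    host = to_host(mapping, container_uid)
    if host is None:
        raise ValueError(f"container uid {container_uid} is not mapped; chown target is undefined")
    return host


if __name__ == "__main__":
    # Constructed pod names; prints each pod's mapping line and the host uid for its root.
    ranges = allocate_pod_ranges(["pod-a", "pod-b"])
    for pod, base in ranges.items():
        mapping = parse_id_map(id_map_line(base))
        print(pod, "uid_map:", id_map_line(base), "-> container root is host uid", volume_owner(mapping, 0))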
Enhancement Description
- (k/enhancements) update PR(s):
- (k/k) update PR(s):
- (k/website) update PR(s):
- (k/enhancements) update PR(s): KEP-127: graduate to Beta for 1.30 #4439
- (k/k) update PR(s):
- (k/website) update(s):
Please keep this description up to date. This will help the Enhancement Team to track the evolution of the enhancement efficiently.