

KEP-3619: Fine-grained SupplementalGroups control (#117842)
* Add `Linux{Sandbox,Container}SecurityContext.SupplementalGroupsPolicy` and `ContainerStatus.user` in cri-api

* Add `PodSecurityContext.SupplementalGroupsPolicy`, `ContainerStatus.User` and its featuregate

* Implement DropDisabledPodFields for PodSecurityContext.SupplementalGroupsPolicy and ContainerStatus.User fields

* Implement kubelet so to wire between SecurityContext.SupplementalGroupsPolicy/ContainerStatus.User and cri-api in kubelet

* Clarify `SupplementalGroupsPolicy` is an OS depdendent field.

* Make `ContainerStatus.User` the user identity initially attached to the first process in the container

It is because, the process identity can be dynamic if the initially attached identity
has enough privilege calling setuid/setgid/setgroups syscalls in Linux.

* Rewording suggestion applied

* Add TODO comment for updating SupplementalGroupsPolicy default value in v1.34

* Added validations for SupplementalGroupsPolicy and ContainerUser

* No need featuregate check in validation when adding new field with no default value

* fix typo: identitiy -> identity
everpeace authored May 29, 2024
1 parent ee2c1ff commit 552fd7e
Showing 98 changed files with 4,782 additions and 1,801 deletions.
51 changes: 49 additions & 2 deletions api/openapi-spec/swagger.json


62 changes: 60 additions & 2 deletions api/openapi-spec/v3/api__v1_openapi.json
Expand Up @@ -1595,6 +1595,14 @@
"default": {},
"description": "State holds details about the container's current condition."
},
"user": {
"allOf": [
{
"$ref": "#/components/schemas/io.k8s.api.core.v1.ContainerUser"
}
],
"description": "User represents user identity information initially attached to the first process of the container"
},
"volumeMounts": {
"description": "Status of volume mounts.",
"items": {
Expand Down Expand Up @@ -1623,6 +1631,20 @@
],
"type": "object"
},
"io.k8s.api.core.v1.ContainerUser": {
"description": "ContainerUser represents user identity information",
"properties": {
"linux": {
"allOf": [
{
"$ref": "#/components/schemas/io.k8s.api.core.v1.LinuxContainerUser"
}
],
"description": "Linux holds user identity information initially attached to the first process of the containers in Linux. Note that the actual running identity can be changed if the process has enough privilege to do so."
}
},
"type": "object"
},
"io.k8s.api.core.v1.DaemonEndpoint": {
"description": "DaemonEndpoint contains information about a single Daemon endpoint.",
"properties": {
Expand Down Expand Up @@ -3202,6 +3224,38 @@
],
"type": "object"
},
"io.k8s.api.core.v1.LinuxContainerUser": {
"description": "LinuxContainerUser represents user identity information in Linux containers",
"properties": {
"gid": {
"default": 0,
"description": "GID is the primary gid initially attached to the first process in the container",
"format": "int64",
"type": "integer"
},
"supplementalGroups": {
"description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container",
"items": {
"default": 0,
"format": "int64",
"type": "integer"
},
"type": "array",
"x-kubernetes-list-type": "atomic"
},
"uid": {
"default": 0,
"description": "UID is the primary uid initially attached to the first process in the container",
"format": "int64",
"type": "integer"
}
},
"required": [
"uid",
"gid"
],
"type": "object"
},
"io.k8s.api.core.v1.LoadBalancerIngress": {
"description": "LoadBalancerIngress represents the status of a load-balancer ingress point: traffic intended for the service should be sent to an ingress point.",
"properties": {
Expand Down Expand Up @@ -5304,7 +5358,7 @@
"description": "The seccomp options to use by the containers in this pod. Note that this field cannot be set when spec.os.name is windows."
},
"supplementalGroups": {
"description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.",
"description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.",
"items": {
"default": 0,
"format": "int64",
Expand All @@ -5313,6 +5367,10 @@
"type": "array",
"x-kubernetes-list-type": "atomic"
},
"supplementalGroupsPolicy": {
"description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.",
"type": "string"
},
"sysctls": {
"description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.",
"items": {
Expand Down Expand Up @@ -5502,7 +5560,7 @@
"$ref": "#/components/schemas/io.k8s.api.core.v1.PodOS"
}
],
"description": "Specifies the OS of the containers in the pod. Some pod and container fields are restricted if this is set.\n\nIf the OS field is set to linux, the following fields must be unset: -securityContext.windowsOptions\n\nIf the OS field is set to windows, following fields must be unset: - spec.hostPID - spec.hostIPC - spec.hostUsers - spec.securityContext.appArmorProfile - spec.securityContext.seLinuxOptions - spec.securityContext.seccompProfile - spec.securityContext.fsGroup - spec.securityContext.fsGroupChangePolicy - spec.securityContext.sysctls - spec.shareProcessNamespace - spec.securityContext.runAsUser - spec.securityContext.runAsGroup - spec.securityContext.supplementalGroups - spec.containers[*].securityContext.appArmorProfile - spec.containers[*].securityContext.seLinuxOptions - spec.containers[*].securityContext.seccompProfile - spec.containers[*].securityContext.capabilities - spec.containers[*].securityContext.readOnlyRootFilesystem - spec.containers[*].securityContext.privileged - spec.containers[*].securityContext.allowPrivilegeEscalation - spec.containers[*].securityContext.procMount - spec.containers[*].securityContext.runAsUser - spec.containers[*].securityContext.runAsGroup"
"description": "Specifies the OS of the containers in the pod. Some pod and container fields are restricted if this is set.\n\nIf the OS field is set to linux, the following fields must be unset: -securityContext.windowsOptions\n\nIf the OS field is set to windows, following fields must be unset: - spec.hostPID - spec.hostIPC - spec.hostUsers - spec.securityContext.appArmorProfile - spec.securityContext.seLinuxOptions - spec.securityContext.seccompProfile - spec.securityContext.fsGroup - spec.securityContext.fsGroupChangePolicy - spec.securityContext.sysctls - spec.shareProcessNamespace - spec.securityContext.runAsUser - spec.securityContext.runAsGroup - spec.securityContext.supplementalGroups - spec.securityContext.supplementalGroupsPolicy - spec.containers[*].securityContext.appArmorProfile - spec.containers[*].securityContext.seLinuxOptions - spec.containers[*].securityContext.seccompProfile - spec.containers[*].securityContext.capabilities - spec.containers[*].securityContext.readOnlyRootFilesystem - spec.containers[*].securityContext.privileged - spec.containers[*].securityContext.allowPrivilegeEscalation - spec.containers[*].securityContext.procMount - spec.containers[*].securityContext.runAsUser - spec.containers[*].securityContext.runAsGroup"
},
"overhead": {
"additionalProperties": {
