KEP-3619: Fine-grained SupplementalGroups control #117842
Conversation
|
Skipping CI for Draft Pull Request. |
k8s-ci-robot
added
release-note
k8s-ci-robot
added
area/code-generation
area/kubelet
kind/api-change
everpeace
force-pushed
the
kep-3619-SupplementalGroupsPolicy
branch
4 times, most recently
from
04cc30c to
8d38468
Compare
everpeace
force-pushed
the
kep-3619-SupplementalGroupsPolicy
branch
2 times, most recently
from
74b822e to
3052133
Compare
everpeace
changed the title
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
|
/approve for API Needs sig-node review, please |
k8s-ci-robot
added
the
approved
|
I will review for sig-node. |
| "$ref": "#/components/schemas/io.k8s.api.core.v1.ContainerUser" | ||
| } | ||
| ], | ||
| "description": "User represents user identitiy information of the first process in the container" |
There was a problem hiding this comment.
addressed in 5f0d761
pkg/apis/core/types.go
Outdated
| @@ -2741,6 +2741,31 @@ type ContainerStatus struct { | |||
| // +optional | |||
| // +featureGate=RecursiveReadOnlyMounts | |||
| VolumeMounts []VolumeMountStatus | |||
| // User represents user identitiy information of the first process in the container | |||
There was a problem hiding this comment.
addressed in 5f0d761
|
The node bits look fine. Only other nit I have is making the commits additive vs. fixing up earlier commits. |
Thanks🙌👍! And, my typo was fixed.
I think squashing my commits into one would be nice. Are we ready to squash now??
For container runtimes supporting this feature, we need to merge this PR first as defined in CRI API | Feature development. Thus, e2es will be added in another PR after containerd released the newer version which supports this. Am I right? |
This comment was marked as off-topic.
This comment was marked as off-topic.
Yes, that's right.
The PR looks ready to me. |
|
/label tide/merge-method-squash |
k8s-ci-robot
added
the
tide/merge-method-squash
|
Thanks! /lgtm |
k8s-ci-robot
added
the
lgtm
|
LGTM label has been added. Git tree hash: c42214bbbcc0a9c46c00a8fc6bed4b676bd28450
|
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: everpeace, thockin The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
No, thank you for your patience and perseverance!
Message ID: ***@***.***>
… |
* Add `Linux{Sandbox,Container}SecurityContext.SupplementalGroupsPolicy` and `ContainerStatus.user` in cri-api
* Add `PodSecurityContext.SupplementalGroupsPolicy`, `ContainerStatus.User` and its featuregate
* Implement DropDisabledPodFields for PodSecurityContext.SupplementalGroupsPolicy and ContainerStatus.User fields
* Implement kubelet so to wire between SecurityContext.SupplementalGroupsPolicy/ContainerStatus.User and cri-api in kubelet
* Clarify `SupplementalGroupsPolicy` is an OS depdendent field.
* Make `ContainerStatus.User` is initially attached user identity to the first process in the ContainerStatus
It is because, the process identity can be dynamic if the initially attached identity
has enough privilege calling setuid/setgid/setgroups syscalls in Linux.
* Rewording suggestion applied
* Add TODO comment for updating SupplementalGroupsPolicy default value in v1.34
* Added validations for SupplementalGroupsPolicy and ContainerUser
* No need featuregate check in validation when adding new field with no default value
* fix typo: identitiy -> identity
* Add `Linux{Sandbox,Container}SecurityContext.SupplementalGroupsPolicy` and `ContainerStatus.user` in cri-api
* Add `PodSecurityContext.SupplementalGroupsPolicy`, `ContainerStatus.User` and its featuregate
* Implement DropDisabledPodFields for PodSecurityContext.SupplementalGroupsPolicy and ContainerStatus.User fields
* Implement kubelet so to wire between SecurityContext.SupplementalGroupsPolicy/ContainerStatus.User and cri-api in kubelet
* Clarify `SupplementalGroupsPolicy` is an OS depdendent field.
* Make `ContainerStatus.User` is initially attached user identity to the first process in the ContainerStatus
It is because, the process identity can be dynamic if the initially attached identity
has enough privilege calling setuid/setgid/setgroups syscalls in Linux.
* Rewording suggestion applied
* Add TODO comment for updating SupplementalGroupsPolicy default value in v1.34
* Added validations for SupplementalGroupsPolicy and ContainerUser
* No need featuregate check in validation when adding new field with no default value
* fix typo: identitiy -> identity
What type of PR is this?
/kind feature
What this PR does / why we need it:
Implements kubernetes/enhancements#3619
Special notes for your reviewer:
The actual policy enforcement will be implemented by container runtimes (cri-api implementations). Because most container runtimes (e.g. containerd) depend on https://github.com/kubernetes/cri-api, this PR should be merged before container runtimes implement actual policy enforcement. Please also see CRI API | Feature development.
My PR in containerd is already opened and in review: containerd/containerd#9737. It already got LGTM (containerd/containerd#9737 (review)) except for cri-api dependency, which will be updated once this PR gets merged and v1.31 alpha or beta version is released.
If you wanted to try running this feature, you can try it with kind easily: https://gist.github.com/everpeace/2ae0233cc91644ac8797cf192e40ba39
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: