
Support node-level user namespace remapping #127

Open
derekwaynecarr opened this Issue Oct 10, 2016 · 65 comments

Comments

derekwaynecarr (Member) commented Oct 10, 2016

Support node-level user namespace remapping

PRs

derekwaynecarr (Member, Author) commented Oct 10, 2016

This work is being done by @pweil- and is reviewed by @derekwaynecarr, it is sponsored by @kubernetes/sig-node

@idvoretskyi idvoretskyi modified the milestone: v1.5 Oct 11, 2016

mdshuai (Contributor) commented Oct 26, 2016

@derekwaynecarr Could you help create a user story card for this feature?

idvoretskyi (Member) commented Nov 15, 2016

@derekwaynecarr can you confirm that this feature targets alpha for 1.5?

pweil- (Member) commented Nov 16, 2016

> @derekwaynecarr can you confirm that this feature targets alpha for 1.5?

Yes, this feature is experimental only so it would be considered alpha.

idvoretskyi (Member) commented Dec 13, 2016

@derekwaynecarr @pweil- can you confirm that this item targets beta in 1.6?

adelton commented Nov 14, 2017

@derekwaynecarr, the proposal kubernetes/kubernetes#34569 was closed by bot due to inactivity.

@pweil-, in kubernetes/kubernetes#34569 (comment) you've proposed the approach pweil-/kubernetes@16f29eb which changes the group of /var/lib/kubelet/pods to the remapped root group. Do I understand it correctly that this is currently not tracked in any pull request?

adelton commented Nov 14, 2017

@pweil-, I also wonder if similar to docker's /var/lib/docker/<uid>.<gid> approach when --userns-remap is used, it might make sense to use /var/lib/kubelet/pods-<uid>.<gid> and just chown/chgroup everything in those subdirectories to the remapped <uid>.<gid>. Why did you opt for just the chgrp and not the full chown?

pweil- (Member) commented Nov 14, 2017

@adelton in the end, I think having this be transparent to Kubernetes is the right approach. Whether that be something like shiftfs or implementation in the CRI (moby/moby#28593). You are correct that my existing proposal is not currently tracked in an open PR anymore.

The reasoning behind using the chgrp was to follow our fsgroup strategy where we just ensure group access instead of uid access.

adelton commented Nov 14, 2017

Thanks @pweil-.

When you say transparent, you mean that nothing should be needed to be added to code or to configuration on Kubernetes' side to allow running under docker with userns-remap?

As for the fsgroup strategy, do you mean https://kubernetes.io/docs/concepts/policy/pod-security-policy/#fsgroup or some generic methodology within Kubernetes?

I have now filed kubernetes/kubernetes#55707 as an alternative approach where I make the remapped uid/gid an explicit option, and use those values to chown/chgrp the necessary directories.
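A worked illustration of the two approaches discussed in this thread: the fsGroup-style chgrp that pweil- describes (only group ownership is changed) and the full chown to the remapped uid/gid proposed in kubernetes/kubernetes#55707. This is an added example for this page, not code from kubelet, docker or either PR. It parses sample /etc/subuid and /etc/subgid contents (constructed here; "dockremap" is the user docker creates for --userns-remap=default) to find which host ids container root maps to, derives docker's /var/lib/docker/<uid>.<gid> directory name, and produces a dry-run ownership plan for a pod directory. All function names and the sample tree are assumptions made for the example.

```python
"""Find the host uid/gid that container root maps to under a user namespace
remap and plan the chgrp or chown of a pod directory accordingly.

Added example for this discussion; not code from kubelet, docker or any PR.
"""
import os
import tempfile
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample contents of /etc/subuid and /etc/subgid (assumption:
# sample data only, nothing is read from the real host). "dockremap" is the
# user docker creates for --userns-remap=default; "bob" shows a user with
# two non-contiguous ranges, which a uid_map lays out back to back.
SAMPLE_SUBUID = """\
alice:100000:65536
dockremap:165536:65536
bob:200000:1000
bob:300000:1000
"""
SAMPLE_SUBGID = SAMPLE_SUBUID  # same layout for gids in this sample


@dataclass(frozen=True)
class IdRange:
    start: int  # first host id of the range
    count: int  # number of ids in the range


def parse_subid(text: str, user: str) -> List[IdRange]:
    """Return the subordinate id ranges assigned to `user`, in file order."""
    ranges = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            ranges.append(IdRange(int(start), int(count)))
    return ranges


def map_id(ranges: List[IdRange], ns_id: int) -> int:
    """Translate an id seen inside the user namespace to the host id.

    Namespace ids 0..count-1 come from the first range, the next ids from
    the second range, and so on; anything past the last range is unmapped.
    """
    if ns_id < 0:
        raise ValueError("ids are non-negative")
    offset = ns_id
    for r in ranges:
        if offset < r.count:
            return r.start + offset
        offset -= r.count
    raise ValueError(f"namespace id {ns_id} is outside the mapped ranges")


def remapped_root(subuid: str, subgid: str, user: str) -> Tuple[int, int]:
    """(host uid, host gid) that uid 0 / gid 0 inside the container map to."""
    return (map_id(parse_subid(subuid, user), 0),
            map_id(parse_subid(subgid, user), 0))


def docker_root_dir(base: str, uid: int, gid: int) -> str:
    """Docker's per-remap data directory name: <base>/<uid>.<gid>."""
    return os.path.join(base, f"{uid}.{gid}")


def plan_ownership(root: str, uid: int, gid: int, group_only: bool):
    """Return (path, new_uid, new_gid) for every entry under `root`.

    group_only=True mirrors the fsGroup-style strategy: only the group is
    changed and -1 tells os.lchown to leave the uid alone. group_only=False
    is the full chown to the remapped ids. Symlinks are listed but never
    followed, so a link planted inside a volume cannot redirect the chown
    to an arbitrary host path.
    """
    plan = []
    new_uid = -1 if group_only else uid
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        plan.append((dirpath, new_uid, gid))
        for name in filenames:
            plan.append((os.path.join(dirpath, name), new_uid, gid))
        for name in dirnames:
            p = os.path.join(dirpath, name)
            if os.path.islink(p):  # real subdirs show up later as dirpath
                plan.append((p, new_uid, gid))
    return plan


def apply_plan(plan) -> None:
    """Apply a plan with lchown (needs CAP_CHOWN on the host)."""
    for path, new_uid, new_gid in plan:
        os.lchown(path, new_uid, new_gid)


def sample_pod_dir() -> str:
    """Build a throwaway pod-like tree (constructed fixture for the example)."""
    root = tempfile.mkdtemp(prefix="pod-")
    os.makedirs(os.path.join(root, "volumes", "emptydir"))
    with open(os.path.join(root, "volumes", "emptydir", "data"), "w") as f:
        f.write("hello\n")
    os.symlink("/etc/passwd", os.path.join(root, "volumes", "escape"))
    return root


if __name__ == "__main__":
    uid, gid = remapped_root(SAMPLE_SUBUID, SAMPLE_SUBGID, "dockremap")
    print("container root maps to host", uid, gid)
    print("docker data dir:", docker_root_dir("/var/lib/docker", uid, gid))
    for entry in plan_ownership(sample_pod_dir(), uid, gid, group_only=True):
        print("chgrp", entry)
```

The plan is kept separate from `apply_plan` so the mapping can be inspected as an unprivileged user; applying it requires CAP_CHOWN on the host. The chgrp variant leaves file owners untouched, which is why the thread's fsGroup-style approach only guarantees group access, while the chown variant makes the remapped root the owner of everything under the pod directory.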

pweil- (Member) commented Nov 14, 2017

> When you say transparent, you mean that nothing should be needed to be added to code or to configuration on Kubernetes' side to allow running under docker with userns-remap?

that would be ideal. Whether that is feasible (or more likely, feasible in an acceptable time frame) is another question 😄

> As for the fsgroup strategy, do you mean https://kubernetes.io/docs/concepts/policy/pod-security-policy/#fsgroup or some generic methodology within Kubernetes?

Yes

> I have now filed kubernetes/kubernetes#55707 as an alternative approach where I make the remapped uid/gid an explicit option, and use those values to chown/chgrp the necessary directories.

👍 subscribed

adelton commented Nov 14, 2017

> When you say transparent, you mean that nothing should be needed to be added to code or to configuration on Kubernetes' side to allow running under docker with userns-remap?
>
> that would be ideal. Whether that is feasible (or more likely, feasible in an acceptable time frame) is another question

Ideally, the pod would specify how many distinct uids/gids it would require / list of uids it wants to see inside of the containers, and docker or different container runtime would setup the user namespace accordingly. But unless docker also changes ownership of the volumes mounted to the containers, Kubernetes will have to do that as part of the setup.

adelton commented Dec 7, 2017

@pweil-, what is the best way to get some review and comments on kubernetes/kubernetes#55707, to get it closer to a mergeable state?

kargakis (Member) commented Dec 7, 2017

pweil- (Member) commented Dec 7, 2017

@adelton I would try to engage the sig-node folks either at their Tuesday meeting or on slack: https://github.com/kubernetes/community/tree/master/sig-node

adelton commented Dec 18, 2017

@derekwaynecarr, could you please bring kubernetes/kubernetes#55707 to sig-node's radar?

idvoretskyi (Member) commented Jan 22, 2018

@pweil- @derekwaynecarr any progress on this feature is expected?

kacole2 (Member) commented Oct 22, 2018

@derekwaynecarr there has been no communication on the status but I see @spiffxp has attached a current k/k PR. Are we confident this is going to make the v1.13 milestone? Enhancement freeze is tomorrow COB. If there is no communication on this issue or activity on the PR, this is going to be pulled from the milestone as it doesn't fit with our "stability" theme. If there is no communication after COB tomorrow, an exception will be required to add it back to the milestone. Please let me know where we stand. Thanks!

kacole2 (Member) commented Oct 24, 2018

Lack of communication, so this is being removed from 1.13 tracking.

/milestone clear

@kacole2 kacole2 removed the tracked/yes label Oct 24, 2018

@kacole2 kacole2 removed this from the v1.13 milestone Oct 24, 2018

AishSundar commented Oct 24, 2018

@derekwaynecarr this enhancement has been moved out of 1.13 due to lack of clarity on what's pending for this to land. We are officially in Enhancement freeze now. If this is a critical enhancement you need added back, it will require filing an exception with details as outlined there.

justaugustus (Member) commented Nov 20, 2018

(Some automation I'm testing accidentally sent out a comment, which I've deleted to not make things confusing. Sorry!)

derekwaynecarr (Member, Author) commented Nov 30, 2018

svenefftinge commented Nov 30, 2018

Is there anything we could help with? We really need this feature in gitpod.io to give our users root privileges.

vikaschoudhary16 (Member) commented Dec 18, 2018

@svenefftinge Please review implementation PR, kubernetes/kubernetes#64005
Hoping to get it merged in 1.14

claurence commented Jan 16, 2019

@derekwaynecarr Hello - I'm the enhancements lead for 1.14 and I'm checking in on this issue to see what work (if any) is being planned for the 1.14 release. Enhancements freeze is Jan 29th and I want to remind you that all enhancements must have a KEP.

vikaschoudhary16 (Member) commented Jan 18, 2019

Hi @claurence -- the KEP (proposal) for this was already merged, kubernetes/community#2067. Hoping to get the following implementation PR merged in 1.14:
kubernetes/kubernetes#64005

Along with updates to the original design proposal:
kubernetes/community#2595

claurence commented Jan 18, 2019

Thanks @vikaschoudhary16 - will this be implemented as alpha in 1.14 then? Based on the tagging it still has the alpha label but let me know if that is incorrect.

@claurence claurence added this to the v1.14 milestone Jan 22, 2019

claurence commented Feb 11, 2019

@vikaschoudhary16 Hello - is there a link to the KEP for this enhancement? I see links to the PR merges but I'm having trouble finding the KEP

Additionally, for 1.14 are there any open PRs that should be merged for that release? If so, let me know so we can add them to our sheet.

jimangel (Member) commented Feb 13, 2019

Hey @vikaschoudhary16 @derekwaynecarr 👋 I'm the v1.14 docs release lead. Just a friendly reminder we're looking for a PR against k/website (branch dev-1.14) due by Friday, March 1. It would be great if it's the start of the full documentation, but even a placeholder PR is acceptable. Let me know if you have any questions!

vikaschoudhary16 (Member) commented Feb 14, 2019

@claurence @jimangel We are going back and forth between implementation and design. As I mentioned in the comment above, kubernetes/community#2595 is the design proposal PR that I am trying to get merged, and based on that I will update the implementation PR, kubernetes/kubernetes#64005.

claurence commented Feb 18, 2019

@vikaschoudhary16 do you have a link to the KEP? There isn't one in the KEP folder that I can find - https://github.com/kubernetes/enhancements/tree/master/keps

spiffxp (Member) commented Feb 19, 2019

@vikaschoudhary16 The linked proposal is not a KEP. It lacks a test plan, it lacks graduation criteria in the form of a checklist the release team can consume, and lacks discussion of upgrade/downgrade considerations. We need a KEP. It can link or reference the original design proposal to fill out some of the wordy bits around motivation, design, etc, but it needs what I just listed spelled out explicitly.

There seems to be continued unresolved discussion on the update to the proposal (ref: kubernetes/community#2595)

I’m inclined to suggest that the release team block anything related to this landing in v1.14 until a KEP exists and is submitted through the exception process

claurence commented Feb 27, 2019

@vikaschoudhary16 any update on a KEP for this issue? Currently this issue is at risk for the 1.14 release because we can't locate a KEP with test plans. Can you please share test plans and graduation criteria for this issue?

braderhart commented Feb 28, 2019

Really hoping this makes 1.14. Any plans to support this with Minikube as well?

@liggitt liggitt removed this from 1.14, Unassigned in API Reviews Feb 28, 2019

claurence commented Mar 6, 2019

As there haven't been responses to the above questions in over two weeks, and no responses in Slack when asked about it in the sig-node Slack channel, this item is being removed from the 1.14 milestone.

@claurence claurence added tracked/no and removed tracked/yes labels Mar 6, 2019

@claurence claurence removed this from the v1.14 milestone Mar 6, 2019
