Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Provide RunAsGroup feature for Containers in a Pod #213

Closed
5 tasks done
krmayankk opened this issue Mar 19, 2017 · 135 comments · Fixed by #2614
Closed
5 tasks done

Provide RunAsGroup feature for Containers in a Pod #213

krmayankk opened this issue Mar 19, 2017 · 135 comments · Fixed by #2614
Assignees
Labels
kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API kind/feature Categorizes issue or PR as related to a new feature. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. sig/node Categorizes an issue or PR as relevant to SIG Node. stage/stable Denotes an issue tracking an enhancement targeted for Stable/GA status tracked/no Denotes an enhancement issue is NOT actively being tracked by the Release Team
Milestone

Comments

@krmayankk
Copy link
Contributor

krmayankk commented Mar 19, 2017

Feature Description

As a Kubernetes User, i should be able to specify both user id and group id for the containers running inside a pod on a per Container basis, similar to how docker allows that using docker run options -u, --user="" Username or UID (format: <name|uid>[:<group|gid>]) format. Currently kubernetes only allows us to control the primary user id and allows us to add supplemental groups. There is no way to control the primary group id of the running container which is always 0(root).
This feature would enable enterprises to run containers as non root(non zero uid and non zero gid) and hence improve the level of security for the running containers. More discussion and agreement was gathered in this issue 22179

List of Work Items:-

  • RunAsGroup Implementation
  • Add feature flag , mark it alpha and disable by default
  • PSP Implementation for RunAsGroup
  • Verify e2e and Unit test Coverage
  • Verify Containerd and cri-o Test coverage

Containerd and Cri-o Implementation PR's

Test Results for CRI-O PR with latest Kubernetes Master
https://k8s-testgrid.appspot.com/sig-node-cri-o#crio-e2e-fedora

Test Coverage for CRI-O and containerd tests running as part of critest

@ghost
Copy link

ghost commented May 2, 2017

Is the progress listed above accurate?

@krmayankk
Copy link
Contributor Author

krmayankk commented May 2, 2017

@pineking
Copy link

pineking commented May 24, 2017

@krmayankk any progress to update?

@krmayankk
Copy link
Contributor Author

krmayankk commented Jun 7, 2017

@pineking i have the proposal , and the code almost ready. Will send out the proposal by Friday while i try to figure the unit tests and api changes.

@jduncan-rva
Copy link

jduncan-rva commented Aug 10, 2017

@krmayankk is this still on your radar?

@krmayankk
Copy link
Contributor Author

krmayankk commented Aug 11, 2017

@jduncan-rva yes the proposal is already out. I have some review comments which i will address. I should have a PR by next week.

@kincl
Copy link

kincl commented Aug 24, 2017

@krmayankk any updates?

@krmayankk
Copy link
Contributor Author

krmayankk commented Aug 28, 2017

@kincl the proposal is already out and nearing lgtm. We are waiting one more reviewer to review. I was out last week on vacation. I should have the actual PR this week

@krmayankk
Copy link
Contributor Author

krmayankk commented Aug 30, 2017

Here is the proposal under review kubernetes/community#756

@php-coder
Copy link
Contributor

php-coder commented Oct 10, 2017

Responsible SIGs: sig-node

Sounds like it falls into sig-auth area.

@php-coder
Copy link
Contributor

php-coder commented Oct 10, 2017

For the history: here is an implementation of the proposal -- kubernetes/kubernetes#52077

@fejta-bot
Copy link

fejta-bot commented Jan 8, 2018

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

Prevent issues from auto-closing with an /lifecycle frozen comment.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or @fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 8, 2018
@fejta-bot
Copy link

fejta-bot commented Jan 8, 2018

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

Prevent issues from auto-closing with an /lifecycle frozen comment.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or @fejta.
/lifecycle stale

1 similar comment
@fejta-bot
Copy link

fejta-bot commented Jan 8, 2018

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

Prevent issues from auto-closing with an /lifecycle frozen comment.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or @fejta.
/lifecycle stale

@fejta-bot
Copy link

fejta-bot commented Feb 10, 2018

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten
/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Feb 10, 2018
@php-coder
Copy link
Contributor

php-coder commented Feb 11, 2018

/remove-lifecycle rotten

@k8s-ci-robot k8s-ci-robot removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Feb 11, 2018
@krmayankk
Copy link
Contributor Author

krmayankk commented Mar 7, 2018

/sig auth

@k8s-ci-robot k8s-ci-robot added the sig/auth Categorizes an issue or PR as relevant to SIG Auth. label Mar 14, 2018
@krmayankk
Copy link
Contributor Author

krmayankk commented Mar 14, 2018

/sig node

@justaugustus
Copy link
Member

justaugustus commented Apr 17, 2018

@krmayankk
Any plans for this in 1.11?

If so, can you please ensure the feature is up-to-date with the appropriate:

  • Description
  • Milestone
  • Assignee(s)
  • Labels:
    • stage/{alpha,beta,stable}
    • sig/*
    • kind/feature

cc @idvoretskyi

@annajung annajung added the tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team label Feb 10, 2021
@annajung annajung added this to the v1.21 milestone Feb 10, 2021
@arunmk
Copy link

arunmk commented Feb 20, 2021

Hi @krmayankk,

Since your Enhancement is scheduled to be in 1.21, please keep in mind the important upcoming dates:

  • Tuesday, March 9th: Week 9 - Code Freeze
  • Tuesday, March 16th: Week 10 - Docs Placeholder PR deadline
    • If this enhancement requires new docs or modification to existing docs, please follow the steps in the Open a placeholder PR doc to open a PR against k/website repo.

As a reminder, please link all of your k/k PR(s) and k/website PR(s) to this issue so we can track them.

Thanks!

@arunmk
Copy link

arunmk commented Mar 2, 2021

Hi @krmayankk ,

Enhancements team is currently tracking the following PRs

With the PRs merged, can we mark this enhancement complete for code freeze or do you have other PR(s) that are being worked on as part of the release?

Thanks

@arunmk
Copy link

arunmk commented Mar 6, 2021

Hi @krmayankk , I see that the PRs linked to this ticket are merged. Could you mention if this KEP is done? If so, I can mark it done for the code freeze coming up on 3/9.

Thanks

@arunmk
Copy link

arunmk commented Mar 6, 2021

(Adding this as a note sent to all)

Hi @krmayankk ,

A friendly reminder that Code freeze is 3 days away, March 9th EOD PST

Any enhancements that are NOT code complete by the freeze will be removed from the milestone and will require an exception to be added back.

Please also keep in mind that if this enhancement requires new docs or modification to existing docs, you'll need to follow the steps in the Open a placeholder PR doc to open a PR against k/website repo by March 16th EOD PST

Thanks!

@krmayankk
Copy link
Contributor Author

krmayankk commented Mar 8, 2021

@arunmk yes i think this enhancement can be marked as done afaict. @tallclair @liggitt please confirm .

@krmayankk
Copy link
Contributor Author

krmayankk commented Mar 8, 2021

I believe this documentation needs some update, @arunmk do documentations fixes also need to be completed by coed freeze date ?

@arunmk
Copy link

arunmk commented Mar 8, 2021

@krmayankk i believe 3/16 is the deadline to have a placeholder doc and it should also include such documentation. Let me check with the team and confirm.

@arunmk
Copy link

arunmk commented Mar 8, 2021

Hi @krmayankk it is confirmed that we do NOT need docs to be updated by the code freeze on 3/9.

@annajung
Copy link
Member

annajung commented Apr 8, 2021

Hi @krmayankk 1.21 Enhancement Lead here.

Can you update the kep.yaml to reflect a status of implemented:

Once that merges, we can close out this issue.

@JamesLaverack JamesLaverack added tracked/no Denotes an enhancement issue is NOT actively being tracked by the Release Team and removed tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team labels Apr 25, 2021
@krmayankk
Copy link
Contributor Author

krmayankk commented May 13, 2021

@JamesLaverack can we now close this issue since its stable ?

@JamesLaverack
Copy link
Member

JamesLaverack commented May 13, 2021

Hey @krmayankk. The last thing is what Anna mentions above — setting the status to be implemented in your kep.yaml. It looks like there's already a PR for this in #2614, which has /closes on this issue too, so as soon as that is merged, this should be closed.

@k8s-triage-robot
Copy link

k8s-triage-robot commented Aug 11, 2021

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Aug 11, 2021
@krmayankk
Copy link
Contributor Author

krmayankk commented Aug 11, 2021

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Aug 11, 2021
@k8s-triage-robot
Copy link

k8s-triage-robot commented Nov 9, 2021

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 9, 2021
@k8s-triage-robot
Copy link

k8s-triage-robot commented Dec 9, 2021

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Dec 9, 2021
@k8s-triage-robot
Copy link

k8s-triage-robot commented Jan 8, 2022

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue or PR with /reopen
  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Jan 8, 2022

@k8s-triage-robot: Closing this issue.

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue or PR with /reopen
  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API kind/feature Categorizes issue or PR as related to a new feature. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. sig/node Categorizes an issue or PR as relevant to SIG Node. stage/stable Denotes an issue tracking an enhancement targeted for Stable/GA status tracked/no Denotes an enhancement issue is NOT actively being tracked by the Release Team
Projects
None yet
Development

Successfully merging a pull request may close this issue.