
Provide RunAsGroup feature for Containers in a Pod #213

Open
krmayankk opened this Issue Mar 19, 2017 · 49 comments

krmayankk commented Mar 19, 2017

Feature Description

As a Kubernetes user, I should be able to specify both the user id and the group id for the containers running inside a pod on a per-container basis, similar to how Docker allows it with the docker run option -u, --user="" (Username or UID, format: <name|uid>[:<group|gid>]). Currently Kubernetes only allows us to control the primary user id and to add supplemental groups. There is no way to control the primary group id of the running container, which is always 0 (root).
This feature would enable enterprises to run containers as non-root (non-zero uid and non-zero gid) and hence improve the level of security for the running containers. More discussion and agreement was gathered in this issue 22179

  • One-line feature description (can be used as a release note): Provide RunAsGroup feature for Containers in a Pod
  • Primary contact (assignee): @krmayankk
  • Responsible SIGs: sig-node, sig-auth
  • Design proposal link (community repo): kubernetes/community#756
  • Reviewer(s) - (for LGTM) recommend having 2+ reviewers (at least one from code-area OWNERS file) agreed to review. Reviewers from multiple companies preferred: @pmorie @liggitt @tallclair
  • Approver (likely from SIG/area to which feature belongs): TBD
  • Feature target (which target equals to which milestone):
    Alpha release target: v1.10
    Beta release target: v1.13
    Stable release target: TBD

List of Work Items:

  • RunAsGroup Implementation
  • Add feature flag, mark it alpha and disable it by default
  • PSP Implementation for RunAsGroup
  • RunAsNonRootGroup implementation ([In Progress PR #62216](https://github.com/kubernetes/kubernetes/pull/62216/files)), on hold currently
  • Verify e2e and Unit test Coverage: in progress
  • Verify Containerd and cri-o coverage

Containerd and cri-o Implementation PRs
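As an added illustration of what the issue asks for (not part of the issue or of the linked proposal), the manifests below use the `runAsGroup` field names the feature later shipped with in Kubernetes: a pod that sets the primary UID and GID for all containers and overrides the GID for one of them, and the PSP counterpart that forbids a root UID and constrains the primary GID to a range. All numeric IDs and ranges are constructed sample values.

```yaml
# Added example, not from the issue: the requested RunAsGroup feature as it later
# shipped in Kubernetes (behind the RunAsGroup feature gate while alpha).
# A pod-level securityContext sets the primary UID and GID for every container;
# a container-level securityContext overrides them. IDs are constructed values.
apiVersion: v1
kind: Pod
metadata:
  name: runasgroup-demo
spec:
  securityContext:
    runAsUser: 1000              # primary UID for all containers
    runAsGroup: 3000             # primary GID; without this it stays 0 (root)
    supplementalGroups: [4000]   # extra groups, supported before this feature
  containers:
  - name: app
    image: busybox
    command: ["sh", "-c", "id && sleep 3600"]   # id reports uid=1000 gid=3000
  - name: sidecar
    image: busybox
    command: ["sh", "-c", "id && sleep 3600"]   # id reports uid=1000 gid=3001
    securityContext:
      runAsGroup: 3001           # container-level override of the pod-level GID
---
# PodSecurityPolicy counterpart: reject pods whose primary UID is root; an unset
# primary GID is defaulted to 1000, a set one must fall inside the (constructed) range.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted-gid
spec:
  runAsUser:
    rule: MustRunAsNonRoot
  runAsGroup:
    rule: MustRunAs            # the strategy added by the PSP work item above
    ranges:
    - min: 1000
      max: 65535
  supplementalGroups:
    rule: MustRunAs
    ranges:
    - min: 1000
      max: 65535
  fsGroup:
    rule: MustRunAs
    ranges:
    - min: 1000
      max: 65535
  seLinux:
    rule: RunAsAny
  volumes: ["emptyDir"]
```

PodSecurityPolicy was later deprecated (v1.21) and removed (v1.25), so the second document only applies to clusters of that era; the pod-level and container-level `runAsGroup` fields remain.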

urzds commented May 2, 2017

Is the progress listed above accurate?

krmayankk commented May 2, 2017

pineking commented May 24, 2017

@krmayankk any progress to update?

krmayankk commented Jun 7, 2017

@pineking I have the proposal and the code almost ready. Will send out the proposal by Friday while I try to figure out the unit tests and API changes.

jduncan-rva commented Aug 10, 2017

@krmayankk is this still on your radar?

krmayankk commented Aug 11, 2017

@jduncan-rva yes, the proposal is already out. I have some review comments which I will address. I should have a PR by next week.

kincl commented Aug 24, 2017

@krmayankk any updates?

krmayankk commented Aug 28, 2017

@kincl the proposal is already out and nearing lgtm. We are waiting for one more reviewer to review. I was out last week on vacation. I should have the actual PR this week.

krmayankk commented Aug 30, 2017

Here is the proposal under review kubernetes/community#756

php-coder commented Oct 10, 2017

> Responsible SIGs: sig-node

Sounds like it falls into sig-auth area.

php-coder commented Oct 10, 2017

For the history: here is an implementation of the proposal -- kubernetes/kubernetes#52077

fejta-bot commented Jan 8, 2018

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

Prevent issues from auto-closing with an /lifecycle frozen comment.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or @fejta.
/lifecycle stale

fejta-bot commented Feb 10, 2018

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten
/remove-lifecycle stale

php-coder commented Feb 11, 2018

/remove-lifecycle rotten

krmayankk commented Mar 7, 2018

/sig auth

krmayankk commented Mar 14, 2018

/sig node

justaugustus commented Apr 17, 2018

@krmayankk
Any plans for this in 1.11?

If so, can you please ensure the feature is up-to-date with the appropriate:

  • Description
  • Milestone
  • Assignee(s)
  • Labels:
    • stage/{alpha,beta,stable}
    • sig/*
    • kind/feature

cc @idvoretskyi

krmayankk commented Aug 24, 2018

@tallclair why has this moved to 1.13? The code freeze date is Sept 4.

krmayankk commented Aug 24, 2018

@zparnold sorry, I was on vacation. Can you point me to instructions on how to do this?

krmayankk commented Aug 24, 2018

@zparnold I created this PR kubernetes/website#10076, let me know if this is in the right direction.

tallclair commented Aug 24, 2018

It's still in alpha, and I don't see us promoting it to beta next week. We can still discuss getting your open PRs in, but I think we should keep it alpha for 1.12.

Kymb3rl33 commented Aug 24, 2018

zparnold commented Aug 25, 2018

@krmayankk Really close! Could you set the base as kubernetes:release-1.12 as opposed to kubernetes:master?

justaugustus commented Aug 27, 2018

Removing this from the sheet, per @tallclair's comment:

> It's still in alpha, and I don't see us promoting it to beta next week. We can still discuss getting your open PRs in, but I think we should keep it alpha for 1.12.

krmayankk commented Aug 28, 2018

Maybe I misunderstand, @tallclair @justaugustus: does marking a feature issue for a specific milestone mean promoting it to at least beta in that milestone?

kacole2 commented Oct 8, 2018

@krmayankk is this targeting to make it in 1.13?

This release is targeted to be more ‘stable’ and will have an aggressive timeline. Please only include this enhancement if there is a high level of confidence it will meet the following deadlines:

  • Docs (open placeholder PRs): 11/8
  • Code Slush: 11/9
  • Code Freeze Begins: 11/15
  • Docs Complete and Reviewed: 11/27

Thanks!

tfogo commented Oct 14, 2018

Hi @krmayankk, this docs PR was merged in 1.12: kubernetes/website#10076

Was this documentation intended to go in during 1.12? If RunAsGroup is feature gated then we should make sure the documentation mentions this.

krmayankk commented Oct 15, 2018

This specific documentation was earlier meant for 1.12, but the code didn't merge in time, so ideally it should go now in 1.13. Currently there are two pieces of documentation needed:

  • RunAsGroup at pod/container level documentation
  • RunAsGroup in PodSecurityPolicy

I will try to find the right places for this documentation and make a PR.

tfogo commented Oct 15, 2018

Ah, thanks for the info. Could you please create a PR against k/website master to remove that documentation if it's documenting something which isn't actually in 1.12?

Then please could you open a placeholder PR against the dev-1.13 for the 1.13 docs?

AishSundar commented Oct 17, 2018

@krmayankk other than docs, is there any more pending code or test work for this feature in 1.13? If so, can you please point us to it and indicate when you expect to get all of them merged? Thanks.

krmayankk commented Oct 26, 2018

@AishSundar I need to see if there is unit and e2e coverage that needs to be improved. No more new features are needed as far as I see. PRs are not yet ready.

claurence commented Nov 6, 2018

@krmayankk I'm an enhancements shadow checking in on how this issue is tracking. Code slush is on 11/9 and code freeze is coming up on 11/15. Do you have a status update on the likelihood that this will make the code freeze date?

kacole2 commented Nov 8, 2018

@krmayankk can you please drop in a link to the unit and e2e coverage tests that are being improved as a part of this release?

krmayankk commented Nov 9, 2018

@claurence @kacole2 there are no additional PRs that I already initiated. So 11/9 won't be possible. Will update with PR links in a week.

tfogo commented Nov 9, 2018

Hi @krmayankk I just wanted to follow up about this docs PR: kubernetes/website#10076

You mentioned the documentation was meant for 1.12, but the code didn't merge in time. Does that mean that kubernetes/website#10076 should be reverted?

AishSundar commented Nov 10, 2018

> there are no additional PRs that I already initiated. So 11/9 won't be possible. Will update with PR links in a week.

@krmayankk are you saying there are no PRs in-progress for this enhancement yet? or are all code PRs merged already?

We already entered Code slush today for 1.13 and Code freeze is coming up in a week (11/16). Having PRs opened next week (or) in a week will be too late for this cycle, pushing us into cherrypicking the PRs during freeze. At this point in the cycle, we expect all 1.13 features to have merged code and tests or have PRs close to merging. Especially since this feature is slated to go to Beta in 1.13, which means we need good e2e test coverage and at least a few days of CI runs to see that it's stable.

As I currently see the status of this enhancement, the release team is not comfortable taking this in 1.13. If my understanding of pending work is incorrect please clarify asap. In absence of this info, we plan to untrack this for 1.13 on Monday. Thanks.

@kacole2 as FYI

kacole2 commented Nov 13, 2018

This is being pulled from the 1.13 milestone. Will revisit whether it will be in 1.14 or not during the next cycle.

/milestone clear

k8s-ci-robot removed this from the v1.13 milestone Nov 13, 2018

kacole2 added tracked/no and removed tracked/yes labels Nov 13, 2018
