-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add exec as user KEP #1224
Add exec as user KEP #1224
Conversation
Signed-off-by: Lei Gong <lgong@alauda.io>
Welcome @max88991! |
Hi @max88991. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: max88991 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/assign @dchen1107 |
/sig nodes |
@mattjmcnaughton @smarterclayton please take a look at this |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for your kep here!
Left some initial thoughts here - interested to know what other members of sig-node and sig-auth think.
- sig-cli | ||
- sig-auth | ||
reviewers: | ||
- "@smarterclayton" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could we please add a reviewer from @kubernetes/sig-auth-api-reviews ?
|
||
> In the Kubernetes 1.5 release, we are proud to introduce the Container Runtime Interface (CRI) – a plugin interface which enables kubelet to use a wide variety of container runtimes, without the need to recompile. CRI consists of a protocol buffers and gRPC API, and libraries, with additional specifications and tools under active development. CRI is being released as Alpha in Kubernetes 1.5. | ||
|
||
But There are many container runtime implementation, e.g Docker, Kata, gVisior, most of which provide a way to enter the container as a special `user`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To be sure I'm understanding, are you saying that this exec as user
feature will only work for certain container runtime implementations (i.e. Docker, Kata...)?
That's interesting to me - my sense is that k8s is trying to move towards less special casing of certain container runtime implementations.
I'd be interested to hear from others in the community about the risk of increasing featuring between different container runtime implementations.
|
||
> User specifies specific user (and group) information for the container process | ||
|
||
It brings convenience to debugging, and users are used to it. Adding a `user` option with `exec` in Kubernetes seems reasonable. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you share a little bit more about the debugging experience?
What are the specific types of problems this would allow you to debug that you couldn't debug before?
I'm also curious about if some of the ideas proposed in the Ephemeral Containers KEP could be helpful w.r.t. these types of debugging (cc @verb ).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Currently we don't allow changing user in an ephemeral container, so what you get is what is in the dockerfile of the ephemeral container image. Likely some of the use cases here could be solved with an ephemeral debugging container (for example troubleshooting as root when a container image specifies a non-root user), but I see value in both approaches. They would be complementary.
I, too, would like to hear more about the debugging experience and agree that adding examples of things one cannot currently accomplish would help quite a bit.
Since the container does not have a uniform `exec` format, the format of `user` should be just a string. | ||
|
||
#### Story 2 | ||
By providing the `user` option for `exec`, user can do the auit inside the container. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Apologies for not knowing this :) but what is auit
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's a typo :)
This PR may require API review. If so, when the changes are ready, complete the pre-review checklist and request an API review. Status of requested reviews is tracked in the API Review project. |
#### Story 2 | ||
By providing the `user` option for `exec`, user can do the auit inside the container. | ||
|
||
## Design Details |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There’s a lot of additional security protection which is required to make arbitrary exec safe, especially by username (which is only mappable inside a container).
Anyone using PSP or similar systems would need a way to control which users are allowed to exec.
The use of username is contrary to how kubernetes pods run so it needs substantially more justification.
The design would also have to take into account how windows exec would support exec, and how runtimes that don’t support exec changes would communicate that to users.
Co-Authored-By: Slava Semushin <slava.semushin@gmail.com>
Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA. It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
Co-Authored-By: Slava Semushin <slava.semushin@gmail.com>
|
||
### User Stories [optional] | ||
|
||
As a Kubernetes User, I should be able to control how people can enter the container, by default kubernetes use the default user in docker image. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This doesn't control how people access the containers. They'll have to specify user name when exec'ing, or are you suggesting using PSP to further restrict users?
-u, --user="" Username or UID (format: <string>]) format | ||
``` | ||
|
||
Since the container does not have a uniform `exec` format, the format of `user` should be just a string. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Windows does not support uid. For Linux, kubelet uses uid when starting the containers.
The current design may be confusing for cross-platform support.
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
Rotten issues close after 30d of inactivity. Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
@fejta-bot: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@max88991 are you still working this KEP? |
Signed-off-by: Lei Gong lgong@alauda.io