run control-plane as non-root #2473
Comments
neolit123
added
priority/important-soon
|
/assign vinayakankugoyal |
I don't think this can be assigned to me because I am not a kubernetes org member. But to anyone following this bug, I will be working on it. |
|
Can we update the |
|
@vinayakankugoyal https://kubernetes.io/blog/2019/01/15/container-storage-interface-ga/#how-to-use-a-csi-volume |
no because it is not the kube-apiserver that needs to run as privileged pod, it is the csi driver that needs to run as privileged pod. --allow-privileged=true allows privileged containers it does not make kube-apiserver's container privileged. (Same for kubelet but that is anyways out of scope of this KEP.) |
|
/assign vinayakankugoyal |
neolit123
added
the
lifecycle/active
|
Can we update e2e section above with PR: #2511 |
|
our e2e for this feature started failing yesterday. i have no explanation for the time being. but i don't think it's a kubeadm problem, so maybe something in core? |
Yes kubernetes/kubernetes#113548 may fix it. (a revert of kubernetes/kubernetes#113408 that was merged hours before that. ) |
|
it looks like the job has been green for a while, so maybe something else fixed it. the failures were in late august. i completely forgot about this.. https://k8s-testgrid.appspot.com/sig-cluster-lifecycle-kubeadm#kubeadm-kinder-rootless-latest |
|
I opened the test grid(You post months ago) and find it failed yesterday(😓).
Yesterday's failure is caused by that. Not failures in August.😄 |
|
Is this actually important-longterm? It's been a few years. |
|
/remove-priority important-soon
This feature is an alternative way for the user namespace feature. As we prefer to use the user namespace to gain the security control plane in the future, we decided to not promote this one to beta. But we should keep this FG until user namespace kubernetes/enhancements#127 is beta. |
k8s-ci-robot
removed
the
priority/important-soon
pacoxu
added
the
priority/important-longterm
|
kubernetes/enhancements#127 |
|
Is this expected to be completed? For which pods it is expected to change the user to non root? |
this feature is alpha and deprecated. please use UserNamespaces instead: once UserNamespaces becomes GA kubeadm will enable it by default. |
KEP
https://github.com/kubernetes/enhancements/tree/master/keps/sig-cluster-lifecycle/kubeadm/2568-kubeadm-non-root-control-plane
k/e issue: kubernetes/enhancements#2568
ALPHA 1.22:
runtime/default Seccomp Profile in kubeadm control-plane components. kubernetes#100234
Add a feature-gate to kubeadm to enable/disable rootless control-plane. kubernetes#102158
Add utils to add and remove users and groups to kubeadm. kubernetes#102195
kubeadm: add utilities to manage users and groups kubernetes#102463
Add user and group name constants for kubeadm rootless control-plane. kubernetes#102494
Add utils to set file/directory owners and permissions. kubernetes#102604
Update CreateInitStaticPodManifestFiles, CreateStaticPodFiles and CreateLocalEtcdStaticPodManifestFile to take into account if the command was run as dry-run. kubernetes#102722
Update kubeadm control-plane to run as non-root. kubernetes#102759
Update etcd in kubeadm to run as non-root. kubernetes#102862
kubeadm: fix wrong check for keys/certs during "download-certs" kubernetes#103313
Add e2e tests for rootless control-plane. #2511
Add e2e tests for rootless control-plane in kubeadm. test-infra#22676
kinder: use the "auto" mode for the "rootless" workflow #2520
Use pgrep -f to do a full match and use regular expression to make su… #2521
kinder: include upgrade artifacts in rootless workflow #2522
BETA x.yy:
on hold until further notice we are watching the user namespaces KEP:
kubernetes/enhancements#3065
https://github.com/kubernetes/kubeadm/blob/main/kinder/ci/tools/update-workflows/templates/workflows/rootless-tasks.yaml
we need to ensure that we have test coverage for upgrading from "FG off" -> "FG on" by default and then checking if CP is rootless.
The text was updated successfully, but these errors were encountered: