New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
test: RunAsUser causes pods to not start on Windows #110235
test: RunAsUser causes pods to not start on Windows #110235
Conversation
test/e2e/framework/pod/utils.go
Outdated
|
||
# setting RunAsUser in Windows results invalid permissions being set on projected volumes | ||
# https://github.com/kubernetes/kubernetes/issues/102849 | ||
if framework.NodeOSDistroIs("windows") { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
huh... I didn't expect this bit... do we not have any e2es that test non-homogenous clusters?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I more expected to just drop RunAsUser
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We have a test in Windows that explicitly tests that network connectivity work across Windows and Linux. But otherwise, the assumption is the cluster we run tests against would either be Linux nodes or Windows nodes not both (other than the control plane node for Linux)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh, ok so we should just drop the RunAsUser? (#109946 (comment))
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we drop it, the callers still need to set RunAsUser for a bunch of the tests to pass on linux, which is still going to run into the same issues of either breaking windows or needing to determine the node OS...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the callers still need to set RunAsUser for a bunch of the tests to pass on linux
is that true? I didn't think most tests were explicitly setting RunAsUser, and instead were running images that weren't built to use root by default
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Most of them use the pause image, which should be ok, but there's also a handful using busybox which doesn't set a user.
ba86be9
to
2648881
Compare
/test pull-kubernetes-e2e-capz-windows-containerd |
/test pull-kubernetes-node-kubelet-serial-containerd |
looking into the failure which seems to be that the apiserver pod didn't start. Don't believe it was related to this /test pull-kubernetes-e2e-capz-windows-containerd |
2648881
to
061b8e8
Compare
/test pull-kubernetes-e2e-capz-windows-containerd |
SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeRuntimeDefault}, | ||
} | ||
|
||
if NodeOSDistroIs("windows") { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since --node-os-distro is set as a e2e.test argument and we do schedule some linux containers during some Windows specific e2e tests this would add windows options with RunAsUserName set for those linux containers.
I don't think this will be an issue but did want to call that out.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
option: make 2 versions of GetRestrictedPodSecurityContext
, one that guesses the OS and one that lets it be explicitly specified.
Then, the Mixin function should use the PodOS if present.
func GetRestrictedPodSecurityContext() *v1.PodSecurityContext {
if NodeOSDistroIs("windows") {
return GetRestrictedPodSecurityContextForOS(v1.WindowsPodOS) // could just be a string until PodOS merges?
}
return GetRestrictedPodSecurityContextForOS(v1.LinuxPodOS) // default
}
func GetRestrictedPodSecurityContextForOS(os PodOS) *v1.PodSecurityContext {
// Bulk of the work
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I looked at doing this but seems like it should really be done when // TODO(#105919): Handle PodOS for windows pods.
is completed. It made things a bit messier than it is now because there are a couple different cases too cover (framework.NodeOSDistroIs
and handling PodOS
since this needs to be addressed in MixinRestrictedPodSecurity
as well.
That failure was similiar to earlier, I haven't been able to figure out what it is yet. The control plane didn't start:
/test pull-kubernetes-e2e-capz-windows-containerd |
Windows job passed, created kubernetes-sigs/cluster-api-provider-azure#2338 to track issue with capz cluster. /assign @marosset @liggitt @tallclair |
LGTM for me from Windows. |
/triage accepted |
@marosset: The label(s) In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
if NodeOSDistroIs("windows") && pod.Spec.SecurityContext.WindowsOptions == nil { | ||
pod.Spec.SecurityContext.WindowsOptions = &v1.WindowsSecurityContextOptions{} | ||
pod.Spec.SecurityContext.WindowsOptions.RunAsUserName = pointer.StringPtr(DefaultNonRootUserName) | ||
} | ||
} | ||
for i := range pod.Spec.Containers { | ||
mixinRestrictedContainerSecurityContext(&pod.Spec.Containers[i]) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you want to add similar securityContext checks for containers? It may not be a problem unless pod's explicitly have containers that have Windows options set.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This doesn't look to set the users for the containers currently, so left it out for now.
/lgtm |
@liggitt @tallclair any further thoughts on these changes? |
/priority critical-urgent |
/approve /hold for previous reviewers to chime in again. |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dims, jsturtevant The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
We might be able to clean this up further, but if this fixes currently failing tests we should probably merge it and iterate. |
// If the Node OS is windows, we return nill due to issue with invalid permissions set on projected volumes | ||
// https://github.com/kubernetes/kubernetes/issues/102849 | ||
func GetDefaultNonRootUser() *int64 { | ||
if NodeOSDistroIs("windows") { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: Is there a constant defined for this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There doesn't seem to be, If you search for it you will find it mostly used like this https://github.com/kubernetes/kubernetes/search?q=NodeOSDistroIs&type=code.
SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeRuntimeDefault}, | ||
} | ||
|
||
if NodeOSDistroIs("windows") { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: consider just clearing the RunAsUser here, to cut down on the number of places we need to check the OS
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I tried this but it is also needed in MixRestrictedPodSecurty and without using podOS (which has a TODO) I think it gets a bit unwieldy
SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeRuntimeDefault}, | ||
} | ||
|
||
if NodeOSDistroIs("windows") { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
option: make 2 versions of GetRestrictedPodSecurityContext
, one that guesses the OS and one that lets it be explicitly specified.
Then, the Mixin function should use the PodOS if present.
func GetRestrictedPodSecurityContext() *v1.PodSecurityContext {
if NodeOSDistroIs("windows") {
return GetRestrictedPodSecurityContextForOS(v1.WindowsPodOS) // could just be a string until PodOS merges?
}
return GetRestrictedPodSecurityContextForOS(v1.LinuxPodOS) // default
}
func GetRestrictedPodSecurityContextForOS(os PodOS) *v1.PodSecurityContext {
// Bulk of the work
}
@tallclair the feedback is valid but after trying it out it really feels like those changes should come in with the |
Our sig-windows jobs targeting master are currently failing some tests because of this issue. |
/hold cancel Yes, let's follow up. |
What type of PR is this?
/kind failing-test
What this PR does / why we need it:
#109946 Introduced Restricted policy for some of the pod tests. This broke due to #102849. See https://prow.k8s.io/view/gs/kubernetes-jenkins/logs/ci-kubernetes-e2e-capz-master-containerd-windows/1529769915945324544
If the e2e suite is running with
nodeOSDistro = windows
then we set it to nil.Which issue(s) this PR fixes:
Fixes #
Related to https://github.com/kubernetes/kubernetes/pull/109946/files#r881112011
Special notes for your reviewer:
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:
/sig windows
/cc @marosset @liggitt @tallclair