Supplemental groups on PVs mutate pod spec in kubelet #27197
Comments
@vishh - this is similar to some of the discussions we had where we should not mutate internal caches in kubelet.
@pweil- touch point with security policy here.
@derekwaynecarr My main concern with the copy approach is that the kubelet code might become too complicated to understand/reason. That concern can be solved through code cleanup and clear abstractions I hope.
Discussed a fix for the pod mutation with @saad-ali here: https://github.com/kubernetes/kubernetes/pull/26801/files#r66683068
This could also cause performance issues if objects such as pods are copied on every call, even though most components in kubelet don't need to mutate the objects.
This is a P0 with no assignee. Anyone know who it should go to?
@goltermann I'm trying to figure that out now. Might be @saad-ali -- we have a 1:1 today and we'll know more after that.
@matchstick at this point I was lowering it because I don't think it should block the beta.
I'd like to know what @dchen1107 thinks of what they are doing in the kubelet to a (supposedly) ro object. If she doesn't scream and rip out her hair, I think we could wait until 1.4 with little/reasonable negative effect for end users.
Although @liggitt this is going to bite us for openshift.
Here are the reasons we decided to push the priority to p2 after talking to related parties:
@pmorie please correct me if anything is missing? cc/ @matchstick @saad-ali
@mfojtik let's create a bug/issue/card to make sure this isn't missed as a post-rebase item. At a minimum we'll need to do a policy check to ensure the groups are allowed (build already does something similar for UID access). Edit: created openshift/origin#9361
So we are removing most of the P2s from the v1.3 milestone as they can be pushed to v1.4. Due to this special nature I think that a) everyone in the @kubernetes/sig-storage will be keeping it in our minds and try our best to not let it fall through the cracks (I know saad and I feel that way). After we release v1.3 we should revisit this issue. I am going to mark it with milestone "next-candidate" and raising to P0 which is where we are bucketing many issues we wish we could have gotten into the latest release. There are a few others of these. Hopefully this makes sense.
Automatic merge from submit-queue Remove pod mutation for volumes annotated with supplemental groups Removes the pod mutation added in #20490 -- partially resolves #27197 from the standpoint of making the feature inactive in 1.3. Our plan is to make this work correctly in 1.4. @kubernetes/sig-storage
#20490 added a beta feature which allows PVs to be annotated with a GID that owns them. This is to facilitate volumes like NFS that cannot be safely chowned/chmoded from the client and thus do not work with FSGroup. There are a couple issues with this PR that need to be sorted out:
- The `api.Pod` they are passed is a read-only view and should not be mutated. We should probably do a copy of the pod when creating Mounters. @kubernetes/sig-storage
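The core of the bug described above is that a volume plugin appends the PV's GID to the supplemental groups of the very `api.Pod` object that the kubelet holds in its cache, so every later reader of that cache sees a pod spec the API server never produced. The Go program below is an added example, not code from the Kubernetes tree or from this issue: it uses cut-down stand-in types for `api.Pod` and `api.PersistentVolume`, an assumed annotation key `pv.beta.kubernetes.io/gid` (the issue only says the PV is "annotated with a GID"), and a constructed cached pod and PV. It contrasts three ways of preparing the pod for a Mounter: mutating the cached object in place (the bug), copying the struct by value (which still shares the `SecurityContext` pointer and so still corrupts the cache), and a deep copy (the fix discussed in the thread).

```go
package main

import (
	"fmt"
	"strconv"
)

// Stand-ins for the Kubernetes api.Pod / api.PersistentVolume shapes this
// issue talks about. They are assumptions for this example, not the real types.
type PodSecurityContext struct{ SupplementalGroups []int64 }
type PodSpec struct{ SecurityContext *PodSecurityContext }
type Pod struct {
	Name string
	Spec PodSpec
}
type PersistentVolume struct{ Annotations map[string]string }

// Assumed annotation key; the issue only says the PV is "annotated with a GID".
const volumeGIDAnnotation = "pv.beta.kubernetes.io/gid"

// volumeGID parses the GID annotation on a PV, rejecting missing, non-numeric
// or negative values.
func volumeGID(pv *PersistentVolume) (int64, bool) {
	raw, ok := pv.Annotations[volumeGIDAnnotation]
	if !ok {
		return 0, false
	}
	gid, err := strconv.ParseInt(raw, 10, 64)
	if err != nil || gid < 0 {
		return 0, false
	}
	return gid, true
}

// addSupplementalGroup appends gid to pod's supplemental groups in place,
// skipping duplicates. This is the mutation the beta feature performs.
func addSupplementalGroup(pod *Pod, gid int64) {
	if pod.Spec.SecurityContext == nil {
		pod.Spec.SecurityContext = &PodSecurityContext{}
	}
	sc := pod.Spec.SecurityContext
	for _, g := range sc.SupplementalGroups {
		if g == gid {
			return
		}
	}
	sc.SupplementalGroups = append(sc.SupplementalGroups, gid)
}

// deepCopyPod copies the pointer and slice fields too, so the result shares
// no memory with the cached object.
func deepCopyPod(p *Pod) *Pod {
	out := &Pod{Name: p.Name}
	if p.Spec.SecurityContext != nil {
		groups := append([]int64(nil), p.Spec.SecurityContext.SupplementalGroups...)
		out.Spec.SecurityContext = &PodSecurityContext{SupplementalGroups: groups}
	}
	return out
}

// mutateInPlace is the bug: the cached pod itself is changed.
func mutateInPlace(cached *Pod, pv *PersistentVolume) *Pod {
	if gid, ok := volumeGID(pv); ok {
		addSupplementalGroup(cached, gid)
	}
	return cached
}

// shallowCopy looks like a fix but is not: `*cached` copies the struct, while
// Spec.SecurityContext still points at the cached PodSecurityContext.
func shallowCopy(cached *Pod, pv *PersistentVolume) *Pod {
	p := *cached
	if gid, ok := volumeGID(pv); ok {
		addSupplementalGroup(&p, gid)
	}
	return &p
}

// deepCopy is the fix discussed in the thread: mutate only a private copy.
func deepCopy(cached *Pod, pv *PersistentVolume) *Pod {
	p := deepCopyPod(cached)
	if gid, ok := volumeGID(pv); ok {
		addSupplementalGroup(p, gid)
	}
	return p
}

// cacheIntact runs one strategy against a constructed cached pod (groups
// [1000]) and a PV annotated with GID 5000. It reports whether the cached pod
// still holds exactly [1000], plus the groups the Mounter would see.
func cacheIntact(strategy func(*Pod, *PersistentVolume) *Pod) (bool, []int64) {
	cached := &Pod{Name: "web", Spec: PodSpec{
		SecurityContext: &PodSecurityContext{SupplementalGroups: []int64{1000}}}}
	pv := &PersistentVolume{Annotations: map[string]string{volumeGIDAnnotation: "5000"}}
	forMounter := strategy(cached, pv)
	got := cached.Spec.SecurityContext.SupplementalGroups
	return len(got) == 1 && got[0] == 1000, forMounter.Spec.SecurityContext.SupplementalGroups
}

func main() {
	for _, s := range []struct {
		name string
		fn   func(*Pod, *PersistentVolume) *Pod
	}{{"mutateInPlace", mutateInPlace}, {"shallowCopy", shallowCopy}, {"deepCopy", deepCopy}} {
		intact, groups := cacheIntact(s.fn)
		fmt.Printf("%-14s cache intact=%-5v mounter sees %v\n", s.name, intact, groups)
	}
}
```

Only the deep-copy path leaves the cached pod untouched while still handing the Mounter a spec that includes the volume's GID; the shallow copy fails for the same reason the original code did, because the slice lives behind a shared pointer. The duplicate check in `addSupplementalGroup` also keeps two PVs with the same GID from growing the group list on every mount.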