-
Notifications
You must be signed in to change notification settings - Fork 38.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Opt out of chowning and chmoding from kubectl cp. #69573
Conversation
Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA. It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
/sig cli |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you please add a unit test in https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/cp/cp_test.go ?
pkg/kubectl/cmd/cp/cp.go
Outdated
@@ -98,6 +99,7 @@ func NewCmdCp(f cmdutil.Factory, ioStreams genericclioptions.IOStreams) *cobra.C | |||
}, | |||
} | |||
cmd.Flags().StringVarP(&o.Container, "container", "c", o.Container, "Container name. If omitted, the first container in the pod will be chosen") | |||
cmd.Flags().BoolVarP(&o.NoPreserve, "no-preserve", "x", false, "The copied file/directory's ownership and permissions will not be preserved in the container") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Short flags are very sparse, don't use random values. Just don't specify, it's fine not to have it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Addressed thanks!
/kind feature |
I spent sometime looking at the tests especially around here: https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/cp/cp_test.go#L576-L644 And I can't seem to find a way to actually exercise the behavior introduced by this PR, I'll am open to ideas, if you have thoughts on how I can actually exercise this feature in the unit test. Thanks! |
Verify input parameters of the |
/ok-to-test |
@soltysh please re-review and let me know if the tests matches what you had in mind. Thanks! |
/test pull-kubernetes-verify |
File: "foo", | ||
} | ||
opts.Complete(tf, cmd) | ||
t.Run(name, func(t *testing.T) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Generally this should be the entire test case, so move this to the top of the for loop.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I move the things above this out of the for loop since they don't need to be in the loop.
pkg/kubectl/cmd/cp/cp_test.go
Outdated
options := &kexec.ExecOptions{} | ||
opts.NoPreserve = test.nopreserve | ||
err = opts.copyToPod(src, dest, options) | ||
for i, cmd := range test.expectedCmd { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Use reflect.DeepEqual
instead it read better.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
addressed thanks!
`kubectl cp` relies on tar to extract the copied file/directory in the container, tar by default attempts to chown/chmod the extracted file after extraction if the user is the "superuser"(root) ``` --same-owner try extracting files with the same ownership as exists in the archive (default for superuser) -p, --preserve-permissions, --same-permissions extract information about file permissions (default for superuser) ``` This fails in environment where the container runs as root but is not granted the OWNER or CHOWN capability. Before this patch below was the behavior of `kubectl cp` ``` kubectl cp README.md foo-67b6fcbd4c-qjlt6:/tmp tar: README.md: Cannot change ownership to uid 1000, gid 1000: Operation not permitted tar: Exiting with failure status due to previous errors command terminated with exit code 2 kubectl exec -it foo-67b6fcbd4c-qjlt6 -- ls -l /tmp/README.md -rw------- 1 1000 1000 3179 Oct 7 22:00 /tmp/README.md ``` After this patch ``` kubectl cp -x a foo-67b6fcbd4c-qjlt6:/ kubectl exec -it foo-67b6fcbd4c-qjlt6 -- ls -l /tmp/README.md -rw-r--r-- 1 root root 3179 Oct 7 22:00 /tmp/README.md ```
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
/approve
options := &kexec.ExecOptions{} | ||
opts.NoPreserve = test.nopreserve | ||
err = opts.copyToPod(src, dest, options) | ||
if !(reflect.DeepEqual(test.expectedCmd, options.Command)) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit for future: the bracket are not necessary it's ok to write:
if !reflect.DeepEqual(test.expectedCmd, options.Command)
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: bjhaid, soltysh The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Hi, |
What this PR does / why we need it:
kubectl cp
relies on tar to extract the copied file/directory in thecontainer, tar by default attempts to chown/chmod the extracted file
after extraction if the user is the "superuser"(root)
This fails in environment where the container runs as root but is not
granted the OWNER or CHOWN capability.
Before this patch below was the behavior of
kubectl cp
After this patch
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)
format, will close the issue(s) when PR gets merged):Fixes #69572
Special notes for your reviewer:
I chose the short flag
-x
randomly, I don't know if there's an existing convention around selecting flags, also I don't have any tests for this, but if there's some e2e test that needs to be updated I'll appreciate pointersRelease note: