Opt out of chowning and chmoding from kubectl cp. #69573
Conversation
k8s-ci-robot
added
release-note
|
Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA. It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
k8s-ci-robot
added
cncf-cla: no
k8s-ci-robot
added
the
needs-sig
k8s-ci-robot
added
needs-ok-to-test
k8s-ci-robot
added
cncf-cla: yes
|
/sig cli |
There was a problem hiding this comment.
Can you please add a unit test in https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/cp/cp_test.go ?
pkg/kubectl/cmd/cp/cp.go
Outdated
| @@ -98,6 +99,7 @@ func NewCmdCp(f cmdutil.Factory, ioStreams genericclioptions.IOStreams) *cobra.C | |||
| }, | |||
| } | |||
| cmd.Flags().StringVarP(&o.Container, "container", "c", o.Container, "Container name. If omitted, the first container in the pod will be chosen") | |||
| cmd.Flags().BoolVarP(&o.NoPreserve, "no-preserve", "x", false, "The copied file/directory's ownership and permissions will not be preserved in the container") | |||
There was a problem hiding this comment.
Short flags are very sparse, don't use random values. Just don't specify, it's fine not to have it.
|
/kind feature |
k8s-ci-robot
added
kind/feature
I spent sometime looking at the tests especially around here: https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/cp/cp_test.go#L576-L644 And I can't seem to find a way to actually exercise the behavior introduced by this PR, I'll am open to ideas, if you have thoughts on how I can actually exercise this feature in the unit test. Thanks! |
Verify input parameters of the |
|
/ok-to-test |
k8s-ci-robot
removed
the
needs-ok-to-test
k8s-ci-robot
added
size/L
|
@soltysh please re-review and let me know if the tests matches what you had in mind. Thanks! |
|
/test pull-kubernetes-verify |
| File: "foo", | ||
| } | ||
| opts.Complete(tf, cmd) | ||
| t.Run(name, func(t *testing.T) { |
There was a problem hiding this comment.
Generally this should be the entire test case, so move this to the top of the for loop.
There was a problem hiding this comment.
I move the things above this out of the for loop since they don't need to be in the loop.
pkg/kubectl/cmd/cp/cp_test.go
Outdated
| options := &kexec.ExecOptions{} | ||
| opts.NoPreserve = test.nopreserve | ||
| err = opts.copyToPod(src, dest, options) | ||
| for i, cmd := range test.expectedCmd { |
There was a problem hiding this comment.
Use reflect.DeepEqual instead it read better.
`kubectl cp` relies on tar to extract the copied file/directory in the container, tar by default attempts to chown/chmod the extracted file after extraction if the user is the "superuser"(root) ``` --same-owner try extracting files with the same ownership as exists in the archive (default for superuser) -p, --preserve-permissions, --same-permissions extract information about file permissions (default for superuser) ``` This fails in environment where the container runs as root but is not granted the OWNER or CHOWN capability. Before this patch below was the behavior of `kubectl cp` ``` kubectl cp README.md foo-67b6fcbd4c-qjlt6:/tmp tar: README.md: Cannot change ownership to uid 1000, gid 1000: Operation not permitted tar: Exiting with failure status due to previous errors command terminated with exit code 2 kubectl exec -it foo-67b6fcbd4c-qjlt6 -- ls -l /tmp/README.md -rw------- 1 1000 1000 3179 Oct 7 22:00 /tmp/README.md ``` After this patch ``` kubectl cp -x a foo-67b6fcbd4c-qjlt6:/ kubectl exec -it foo-67b6fcbd4c-qjlt6 -- ls -l /tmp/README.md -rw-r--r-- 1 root root 3179 Oct 7 22:00 /tmp/README.md ```
| options := &kexec.ExecOptions{} | ||
| opts.NoPreserve = test.nopreserve | ||
| err = opts.copyToPod(src, dest, options) | ||
| if !(reflect.DeepEqual(test.expectedCmd, options.Command)) { |
There was a problem hiding this comment.
Nit for future: the bracket are not necessary it's ok to write:
if !reflect.DeepEqual(test.expectedCmd, options.Command)
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: bjhaid, soltysh The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
Hi, |
What this PR does / why we need it:
kubectl cprelies on tar to extract the copied file/directory in thecontainer, tar by default attempts to chown/chmod the extracted file
after extraction if the user is the "superuser"(root)
This fails in environment where the container runs as root but is not
granted the OWNER or CHOWN capability.
Before this patch below was the behavior of
kubectl cpAfter this patch
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #69572
Special notes for your reviewer:
I chose the short flag
-xrandomly, I don't know if there's an existing convention around selecting flags, also I don't have any tests for this, but if there's some e2e test that needs to be updated I'll appreciate pointersRelease note: