-
Notifications
You must be signed in to change notification settings - Fork 39k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add "MayRunAs" value among other GroupStrategies #65135
Conversation
/sig auth PTAL @kubernetes/sig-auth-api-reviews CC @simo5 |
|
||
var _ GroupStrategy = &mayRunAs{} | ||
|
||
// NewRunAsAny provides a new RunAsAny strategy. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please, update the comment.
// NewRunAsAny provides a new RunAsAny strategy. | ||
func NewMayRunAs(ranges []policy.IDRange, field string) (GroupStrategy, error) { | ||
if len(ranges) == 0 { | ||
return nil, fmt.Errorf("ranges must be supplied for MustRunAs") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/MustRunAs/MayRunAs/
pkg/apis/policy/types.go
Outdated
@@ -389,6 +392,9 @@ type SupplementalGroupsStrategyOptions struct { | |||
type SupplementalGroupsStrategyType string | |||
|
|||
const ( | |||
// SupplementalGroupsStrategyMayRunAs means that container does not need to run as a particular gid. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/to run as a particular gid/to run with particular gids/ ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It was but a mere copy-paste but "with" sounds definitely better
pkg/apis/policy/types.go
Outdated
@@ -389,6 +392,9 @@ type SupplementalGroupsStrategyOptions struct { | |||
type SupplementalGroupsStrategyType string | |||
|
|||
const ( | |||
// SupplementalGroupsStrategyMayRunAs means that container does not need to run as a particular gid. | |||
// However, when it is applied, it has to fall in the defined range. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/when it is applied, it has to/when they are specified, they have to/ ?
@stlaz One more place to update: kubernetes/pkg/apis/policy/fuzzer/fuzzer.go Lines 49 to 58 in 3abba25
|
@kubernetes/sig-auth-api-reviews Do we need to update PSP in |
/assign @tallclair |
3d44643
to
5e430d8
Compare
Updated the patch to fix |
This change introduces backward incompatibility since the "MayRunAs" value to the groups is unknown to previous API versions. If we convert this to "MustRunAs" internally, we wouldn't be able to later get the information that it's actually "MayRunAs". |
@tallclair @php-coder i believe the MayRunAs would also be needed by RunAsGroup field. I will include that in the PSP changes for RunAsGroup in my next PR. |
PTAL @tallclair |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This change introduces backward incompatibility since the "MayRunAs" value to the groups is unknown to previous API versions.
Backwards incompatibility means that a resource that was valid in a previous version is no longer valid (or behaves differently), which isn't the case here. What you're refering to is forwards compatibility, and that's not something Kubernetes provides, so this is a non-issue.
func (s *mayRunAs) Validate(_ *api.Pod, groups []int64) field.ErrorList { | ||
allErrs := field.ErrorList{} | ||
|
||
for _, group := range groups { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
dedupe this code with mustRunAs.Validate
(extract a shared helper)
} | ||
} | ||
|
||
func TestMayRunAsGenerate(t *testing.T) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This method is constant, don't bother testing it here. Instead, add a couple cases under https://github.com/kubernetes/kubernetes/blob/master/pkg/security/podsecuritypolicy/provider_test.go to ensure that the nil return works as expected.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ping.
5e430d8
to
698d161
Compare
fb98885
to
5cb67ba
Compare
/retest |
The "fall in all groups" issue should now be resolved, a positive multi-ranges test was added on top of the mayrunas tests. |
5cb67ba
to
c946886
Compare
thanks. both tallclair and I are out of the office at the moment, but will pick this up when master reopens for 1.13. |
Thank you. I'm not sure exactly why the verify test does not pass since |
c946886
to
b738d40
Compare
/retest |
b738d40
to
4ae930c
Compare
@tallclair Test cases for multiple groups added. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A couple nits, but LGTM. Please squash.
) | ||
|
||
func ValidateGroupsInRanges(fldPath *field.Path, ranges []policy.IDRange, groups []int64) field.ErrorList { | ||
const errFmt = "group %d must be in the ranges: %v" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: inline
@@ -0,0 +1,47 @@ | |||
/* | |||
Copyright 2016 The Kubernetes Authors. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: 2018
Adds "MayRunAs" value among other group strategies. This strategy allows to define a certain range of GIDs for FSGroupStrategy and SupplementalGroupStrategy in a PSP. This new strategy works similarly to the "MustRunAs" one, except that when no GID is specified in a pod/container security context then no GID is generated for the respective containers. Resolves kubernetes#56173
4ae930c
to
a577b50
Compare
Comments addressed + squashed. |
/lgtm |
/approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: liggitt, stlaz, tallclair The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
hi folks, why not syncing these new internal definitions to the external repo? i'm afraid currently we can't specify the new strategy w/ client-go. also the "MayRunAs" will be an undefined value when deserialized into external types. ref: #69704 |
What this PR does / why we need it:
Adds "MayRunAs" value among other group strategies. This strategy
allows to define a certain range of GIDs for FSGroupStrategy and
SupplementalGroupStrategy in a PSP.
This new strategy works similarly to the "MustRunAs" one, except that
when no GID is specified in a pod/container security context then no
GID is generated for the respective containers.
Which issue(s) this PR fixes
Resolves #56173
Release note: