
Promote RunAsGroup to Beta #73007

Merged
merged 1 commit into from Mar 1, 2019

Conversation

krmayankk (Contributor) commented Jan 17, 2019

What this PR does / why we need it:
promote this feature to beta for 1.14 kubernetes/enhancements#213

  • API is unchanged
  • Leave all feature gate checks
  • Enable it by default
The `RunAsGroup` feature has been promoted to beta and enabled by default. PodSpec and PodSecurityPolicy objects can be used to control the primary GID of containers on supported container runtimes.

/milestone v1.14
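The release note above says a PodSecurityPolicy can control a container's primary GID. As an added example (not the PR's code, nor anything from the Kubernetes project), the following standalone Go program models that admission check: `GroupRule`, `Pod` and `Container` are simplified stand-ins for the real API objects, the rule names `MustRunAs`, `MayRunAs` and `RunAsAny` follow the PSP strategy names, and the policy and pods are constructed inline. It shows the one detail that is easy to get wrong when reasoning about `runAsGroup`: a container-level value overrides the pod-level one, so the pod-level GID alone says nothing about what a container actually runs as.

```go
package main

import (
	"errors"
	"fmt"
)

// IDRange is one {min, max} entry of a runAsGroup rule, inclusive at
// both ends, as PodSecurityPolicy ranges are.
type IDRange struct {
	Min, Max int64
}

// GroupRule is a simplified stand-in for a PodSecurityPolicy runAsGroup
// strategy: the rule name and, for MustRunAs/MayRunAs, the permitted ranges.
type GroupRule struct {
	Rule   string // "MustRunAs", "MayRunAs" or "RunAsAny"
	Ranges []IDRange
}

// Container keeps only the field this check needs.
type Container struct {
	Name       string
	RunAsGroup *int64 // container securityContext.runAsGroup (nil = unset)
}

// Pod carries the pod-level default and its containers.
type Pod struct {
	RunAsGroup *int64 // pod securityContext.runAsGroup (nil = unset)
	Containers []Container
}

// effectiveGID resolves the primary GID a container would start with:
// the container-level value wins over the pod-level one.
func effectiveGID(pod Pod, c Container) *int64 {
	if c.RunAsGroup != nil {
		return c.RunAsGroup
	}
	return pod.RunAsGroup
}

// inRanges reports whether gid falls inside any permitted range.
func inRanges(gid int64, ranges []IDRange) bool {
	for _, r := range ranges {
		if gid >= r.Min && gid <= r.Max {
			return true
		}
	}
	return false
}

// ValidatePod applies the rule to every container and returns the first
// violation, or nil when the pod is admissible. It validates only; a real
// admission plugin may additionally default an unset GID.
func ValidatePod(pod Pod, rule GroupRule) error {
	for _, c := range pod.Containers {
		gid := effectiveGID(pod, c)
		switch rule.Rule {
		case "RunAsAny":
			// Any GID, or none at all, is accepted.
		case "MustRunAs":
			if gid == nil {
				return fmt.Errorf("container %q: runAsGroup must be set under MustRunAs", c.Name)
			}
			if !inRanges(*gid, rule.Ranges) {
				return fmt.Errorf("container %q: gid %d is outside the permitted ranges", c.Name, *gid)
			}
		case "MayRunAs":
			// Unset is accepted (the runtime keeps the image's default GID);
			// a value that is set must still fall inside the ranges.
			if gid != nil && !inRanges(*gid, rule.Ranges) {
				return fmt.Errorf("container %q: gid %d is outside the permitted ranges", c.Name, *gid)
			}
		default:
			return errors.New("unknown runAsGroup rule " + rule.Rule)
		}
	}
	return nil
}

// int64p builds optional fields inline.
func int64p(v int64) *int64 { return &v }

func main() {
	// Constructed policy: only non-root GIDs between 1000 and 65535.
	rule := GroupRule{Rule: "MustRunAs", Ranges: []IDRange{{Min: 1000, Max: 65535}}}

	pods := map[string]Pod{
		"pod-level gid 1000":           {RunAsGroup: int64p(1000), Containers: []Container{{Name: "app"}}},
		"container overrides to gid 0": {RunAsGroup: int64p(1000), Containers: []Container{{Name: "app", RunAsGroup: int64p(0)}}},
		"no gid set anywhere":          {Containers: []Container{{Name: "app"}}},
	}
	for name, p := range pods {
		fmt.Printf("%-30s -> %v\n", name, ValidatePod(p, rule))
	}
}
```

The second constructed pod is the case worth remembering: its pod-level `runAsGroup` is compliant, but the container-level override to GID 0 is what the runtime would honour, so the check must look at the effective value per container.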

krmayankk (Contributor, Author) commented Jan 17, 2019

krmayankk (Contributor, Author) commented Jan 17, 2019

/kind feature

krmayankk (Contributor, Author) commented Jan 17, 2019

/sig auth

@k8s-ci-robot k8s-ci-robot added sig/auth and removed needs-sig labels Jan 17, 2019

krmayankk (Contributor, Author) commented Jan 17, 2019

/test pull-kubernetes-bazel-test

krmayankk (Contributor, Author) commented Jan 17, 2019

/test pull-kubernetes-e2e-kops-aws

liggitt (Member) commented Jan 17, 2019

  • are there tests that should be promoted as part of this (so they run in non-alpha CI suites)?
  • do we have information about which container runtimes support this (and at which versions)? that might be good to include in the release notes
  • would also be good to go ahead and open a doc PR against the dev-1.14 website branch with doc updates for this and link it here

krmayankk referenced this pull request Jan 17, 2019: Provide RunAsGroup feature for Containers in a Pod #213 (Open, 3 of 6 tasks complete)

@krmayankk krmayankk force-pushed the krmayankk:runasgroup branch from d4eddce to 1185630 Jan 18, 2019

krmayankk (Contributor, Author) commented Jan 18, 2019

@liggitt

are there tests that should be promoted as part of this (so they run in non-alpha CI suites)?

These are the e2e tests for this: https://github.com/kubernetes/kubernetes/blob/master/test/e2e/node/security_context.go#L86. I was told they always run for all CI suites. Trying to find the answer to this on testing.

do we have information about which container runtimes support this (and at which versions)? that might be good to include in the release notes

Containerd and CRI-O support this there
Containerd: containerd/cri#710 (Available in v1.0.0-rc.1)
CRI-O: kubernetes-sigs/cri-o#1601 (Available in v1.13.0)

would also be good to go ahead and open a doc PR against the dev-1.14 website branch with doc updates for this and link it here

kubernetes/website#12297

liggitt (Member) commented Jan 22, 2019

/assign @tallclair
cc @kubernetes/sig-node-api-reviews for lgtm

These are the e2e tests for this: https://github.com/kubernetes/kubernetes/blob/master/test/e2e/node/security_context.go#L86. I was told they always run for all CI suites. Trying to find the answer to this on testing.

The [Feature:RunAsGroup] tag means they do not run in all CI tests, only when explicitly included. If this is being enabled by default, I think the feature tag should be removed from that test.

krmayankk (Contributor, Author) commented Jan 24, 2019

Adding @BenTheElder for any insights. I am looking for direction in this area. Should I remove the feature flag from the e2e?

BenTheElder (Member) commented Jan 24, 2019

just echoing what @liggitt said, in presubmit for example we exclude [Feature:.*] for feature gated things, if this is no longer feature gated then we should remove that tag from the test

@krmayankk krmayankk force-pushed the krmayankk:runasgroup branch from 465a358 to 9c300ff Feb 22, 2019

liggitt (Member) commented Feb 22, 2019

progress! that made those tests actually run, which is good. looks like the selinux one ([k8s.io] [sig-node] Security Context should support volume SELinux relabeling) does not work in the CI environment. edit: it sometimes works, but flakes regularly.

@kubernetes/sig-node-pr-reviews do we need to add a [Feature:SELinux] tag to that test specifically, since it doesn't work in all environments?

krmayankk (Contributor, Author) commented Feb 23, 2019

/test pull-kubernetes-e2e-gce

krmayankk (Contributor, Author) commented Feb 23, 2019

@liggitt that seemed like a flake, everything is passing now including the selinux one

liggitt (Member) commented Feb 24, 2019

/test pull-kubernetes-e2e-gce

BenTheElder (Member) commented Feb 24, 2019

BenTheElder (Member) commented Feb 24, 2019

liggitt (Member) commented Feb 24, 2019

/test pull-kubernetes-e2e-gce

liggitt (Member) commented Feb 24, 2019

seems like we should tag the selinux test as [flaky] and open an issue for sig-node or sig-storage to resolve. this seems good to go otherwise

krmayankk (Contributor, Author) commented Feb 25, 2019

Added #74482
How do I mark it as flaky, just add the [flaky] tag in the same way we add the feature flag tag? (my grep didn't return anything in k/k)

krmayankk (Contributor, Author) commented Feb 25, 2019

How do I mark it as flaky, just add the [flaky] tag in the same way we add the feature flag tag? (my grep didn't return anything in k/k)

ignore this, found an example, adding

@@ -60,7 +60,7 @@ func scTestPod(hostIPC bool, hostPID bool) *v1.Pod {
return pod
}

var _ = SIGDescribe("Security Context [Feature:SecurityContext]", func() {
var _ = SIGDescribe("Security Context", func() {
f := framework.NewDefaultFramework("security-context")

It("should support pod.Spec.SecurityContext.SupplementalGroups", func() {
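Review bot: dropping `[Feature:SecurityContext]` from the shared `SIGDescribe` string at the top of this hunk makes every `It` beneath it run in suites that skip feature-tagged tests, and the discussion above already shows one of them (the volume SELinux relabeling test) flaking in that environment, so the flaky case should carry its own tag rather than inherit the now-untagged Describe, and the tests that depend on Linux uid/gid/SELinux behaviour should be tagged `[LinuxOnly]` on their individual `It` descriptions, as suggested in the inline review, since nothing at the block level excludes them any more.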

liggitt (Member) commented Feb 25, 2019

most of these seem specific to Linux... do we need to add [LinuxOnly] to these as some other tests do? xref #73922

cc @spiffxp

liggitt (Member) commented Feb 26, 2019

per https://kubernetes.slack.com/archives/C09QZ4DQB/p1551136840248100, let's add [LinuxOnly] to the individual tests that make use of linux-only function in the security context (which I think is all of these individual tests):

https://github.com/kubernetes/enhancements/blob/master/keps/sig-windows/20190103-windows-node-support.md#what-will-never-work:

  • uid (runasuser)
  • gid (fsgroup, runasgroup, supplementalgroup)
  • selinux
  • seccomp

krmayankk (Author, Contributor) commented Mar 1, 2019

added [LinuxOnly]
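The whole tagging discussion in this thread (the `[Feature:.*]` exclusion in presubmit that hid these tests, the flaky SELinux case, and `[LinuxOnly]` for the uid/gid/SELinux tests) comes down to Ginkgo skipping tests by matching a regex against the full test name. The following Go program is an added example, not code from kubernetes/kubernetes: it models that selection over constructed test names, one set as the Describe read before this hunk and one as it reads afterwards. The exact presubmit skip regex, the `[Flaky]` spelling and the treatment of `[LinuxOnly]` as a plain name match for Windows suites are assumptions made for the example.

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed full Ginkgo test names (Describe text joined with It text),
// mirroring how the e2e framework builds them. "before" still carries the
// block-level [Feature:SecurityContext] tag; "after" has it removed and the
// per-test tags discussed in this thread added instead.
var beforeNames = []string{
	"[sig-node] Security Context [Feature:SecurityContext] should support pod.Spec.SecurityContext.SupplementalGroups",
	"[sig-node] Security Context [Feature:SecurityContext] should support volume SELinux relabeling",
}

var afterNames = []string{
	"[sig-node] Security Context should support pod.Spec.SecurityContext.SupplementalGroups [LinuxOnly]",
	"[sig-node] Security Context should support volume SELinux relabeling [Flaky] [LinuxOnly]",
	"[sig-node] Security Context should support container.SecurityContext.RunAsGroup [LinuxOnly]",
}

// Suite is one CI configuration: the ginkgo.skip regex it runs with and
// whether its nodes are Windows.
type Suite struct {
	Name    string
	Skip    *regexp.Regexp // nil means nothing is skipped by name
	Windows bool
}

// Assumption: presubmit skips feature-gated and flaky tests by name.
var presubmitSkip = regexp.MustCompile(`\[Feature:.*\]|\[Flaky\]`)

// Assumption: Windows suites additionally skip [LinuxOnly] by name.
var linuxOnly = regexp.MustCompile(`\[LinuxOnly\]`)

// Select returns the test names that would actually run in the suite.
func Select(names []string, s Suite) []string {
	var run []string
	for _, n := range names {
		if s.Skip != nil && s.Skip.MatchString(n) {
			continue
		}
		if s.Windows && linuxOnly.MatchString(n) {
			continue
		}
		run = append(run, n)
	}
	return run
}

func main() {
	suites := []Suite{
		{Name: "presubmit (linux)", Skip: presubmitSkip},
		{Name: "presubmit (windows)", Skip: presubmitSkip, Windows: true},
		{Name: "feature suite (no skip)"},
	}
	for _, s := range suites {
		fmt.Printf("%-24s before=%d after=%d\n", s.Name,
			len(Select(beforeNames, s)), len(Select(afterNames, s)))
	}
}
```

With the block-level tag in place nothing under the Describe runs in presubmit, which is why the tests appeared to pass for so long; after the change the non-flaky tests run on Linux, the `[Flaky]` SELinux case is held back, and a Windows suite skips all of them via `[LinuxOnly]`.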

@krmayankk krmayankk force-pushed the krmayankk:runasgroup branch from 75e312e to 1b12512 Mar 1, 2019

@k8s-ci-robot k8s-ci-robot added size/M and removed size/S labels Mar 1, 2019

liggitt (Member) commented Mar 1, 2019

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm label Mar 1, 2019

@liggitt liggitt removed the api-review label Mar 1, 2019

@liggitt liggitt removed this from Changes requested in API Reviews Mar 1, 2019

k8s-ci-robot (Contributor) commented Mar 1, 2019

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: krmayankk, liggitt

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

fejta-bot commented Mar 1, 2019

This PR may require API review.

If so, when the changes are ready, complete the pre-review checklist and request an API review.

Status of requested reviews is tracked in the API Review project.

fejta-bot commented Mar 1, 2019

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

@k8s-ci-robot k8s-ci-robot merged commit 8c95a07 into kubernetes:master Mar 1, 2019

15 of 16 checks passed

  • pull-kubernetes-kubemark-e2e-gce-big: Job triggered.
  • cla/linuxfoundation: krmayankk authorized
  • pull-kubernetes-bazel-build: Job succeeded.
  • pull-kubernetes-bazel-test: Job succeeded.
  • pull-kubernetes-cross: Skipped.
  • pull-kubernetes-e2e-gce: Job succeeded.
  • pull-kubernetes-e2e-gce-100-performance: Job succeeded.
  • pull-kubernetes-e2e-gce-device-plugin-gpu: Job succeeded.
  • pull-kubernetes-godeps: Skipped.
  • pull-kubernetes-integration: Job succeeded.
  • pull-kubernetes-local-e2e: Skipped.
  • pull-kubernetes-node-e2e: Job succeeded.
  • pull-kubernetes-typecheck: Job succeeded.
  • pull-kubernetes-verify: Job succeeded.
  • pull-publishing-bot-validate: Skipped.
  • tide: In merge pool.