
Run pause image as non-root user and group #97963

Merged
merged 1 commit into from Mar 16, 2021

Conversation

saschagrunert
Member

@saschagrunert saschagrunert commented Jan 12, 2021

What type of PR is this?

/kind feature

What this PR does / why we need it:
We now build the pause image to use a pseudo user and group 65535:65535.
This increases the security of the container image should a
vulnerability directly affect the pause container.

Which issue(s) this PR fixes:

Fixes #95038

Special notes for your reviewer:
/hold

I'm not sure what the CI thinks about this change, nor if it has other implications.

Does this PR introduce a user-facing change?:

Update pause container to run as pseudo user and group `65535:65535`. This implies the release of version 3.5 of the container images.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

None
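The change above sets the image's `USER` at build time, which lands in the image config's `config.User` field. A defender verifying that a pause (or any other) image really runs as a non-root, numeric user can check that field before deploying, because the kubelet's `runAsNonRoot` enforcement can only verify a numeric UID, and a `USER` without a group falls back to that UID's primary group, or root when it has no passwd entry. The following is an added example, not code from this PR or the Kubernetes build; the sample image configs are constructed and the check function and its names are assumptions:

```python
"""
Check that an OCI/Docker image config declares a numeric, non-root user.

Added example (not the Kubernetes pause image build code): the `USER`
set at build time ends up in the image config's `config.User` field.
This checker accepts only a numeric `uid:gid` with neither part 0,
mirroring the 65535:65535 choice in the pause image.
"""
import json
import re
from dataclasses import dataclass
from typing import Dict, Optional

# uid[:gid]; each part is anything but a colon, validated numerically below.
_USER_RE = re.compile(r"^(?P<uid>[^:]+)(?::(?P<gid>[^:]+))?$")


@dataclass(frozen=True)
class UserCheck:
    ok: bool
    uid: Optional[int]
    gid: Optional[int]
    reason: str


def check_image_user(image_config_json: str) -> UserCheck:
    """Return a UserCheck for the `config.User` field of an image config."""
    cfg = json.loads(image_config_json)
    user = (cfg.get("config") or {}).get("User") or ""
    if not user:
        # No USER instruction at all: the runtime defaults to uid 0.
        return UserCheck(False, 0, 0, "no USER set: image runs as root by default")
    m = _USER_RE.match(user)
    if not m:
        return UserCheck(False, None, None, f"unparseable User field {user!r}")
    uid_s, gid_s = m.group("uid"), m.group("gid")
    if not uid_s.isdigit() or (gid_s is not None and not gid_s.isdigit()):
        # A named user cannot be resolved without the image's /etc/passwd,
        # which is exactly why runAsNonRoot rejects non-numeric users.
        return UserCheck(False, None, None,
                         f"non-numeric user {user!r}: runAsNonRoot cannot verify it")
    uid = int(uid_s)
    if gid_s is None:
        # Without an explicit group the runtime uses the uid's primary
        # group from /etc/passwd, or root when there is no such entry.
        return UserCheck(False, uid, None,
                         "no gid: group falls back to the passwd entry or root")
    gid = int(gid_s)
    if uid == 0:
        return UserCheck(False, uid, gid, "uid 0 is root")
    if gid == 0:
        return UserCheck(False, uid, gid, "gid 0 is the root group")
    return UserCheck(True, uid, gid, "numeric non-root user and group")


# Constructed sample image configs; only config.User matters here.
SAMPLE_CONFIGS: Dict[str, str] = {
    "pause-non-root": '{"os":"linux","config":{"User":"65535:65535","Entrypoint":["/pause"]}}',
    "no-user": '{"os":"linux","config":{"Entrypoint":["/pause"]}}',
    "named-user": '{"os":"linux","config":{"User":"nobody","Entrypoint":["/pause"]}}',
    "uid-only": '{"os":"linux","config":{"User":"65535"}}',
    "root-group": '{"os":"linux","config":{"User":"65535:0"}}',
}


def check_all(configs: Dict[str, str] = SAMPLE_CONFIGS) -> Dict[str, UserCheck]:
    """Run the check over a mapping of image name to config JSON."""
    return {name: check_image_user(cfg) for name, cfg in configs.items()}


if __name__ == "__main__":
    for name, res in check_all().items():
        status = "OK  " if res.ok else "FAIL"
        print(f"{name:16} {status} uid={res.uid} gid={res.gid}: {res.reason}")
```

The JSON fed to `check_image_user` is the image config blob as returned by a registry or by a tool that inspects the image config; the script deliberately does not pull images so it runs offline against the constructed samples.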

@k8s-ci-robot k8s-ci-robot added release-note do-not-merge/work-in-progress do-not-merge/hold kind/feature size/XS cncf-cla: yes do-not-merge/needs-sig needs-triage needs-priority labels Jan 12, 2021
@k8s-ci-robot k8s-ci-robot requested review from justaugustus and listx Jan 12, 2021
@saschagrunert
Member Author

@saschagrunert saschagrunert commented Jan 12, 2021

/sig release
/priority important-soon

@k8s-ci-robot k8s-ci-robot added sig/release priority/important-soon and removed do-not-merge/needs-sig needs-priority labels Jan 12, 2021
@saschagrunert saschagrunert changed the title WIP: Run pause image as non-root user and group Run pause image as non-root user and group Jan 12, 2021
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress label Jan 12, 2021
@kubeedge-bot

@kubeedge-bot kubeedge-bot commented Jan 14, 2021

@saschagrunert: PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the needs-rebase label Jan 14, 2021
@k8s-ci-robot k8s-ci-robot removed the needs-rebase label Jan 14, 2021
@saschagrunert
Member Author

@saschagrunert saschagrunert commented Jan 14, 2021

/test pull-kubernetes-e2e-gce-ubuntu-containerd

@saschagrunert
Member Author

@saschagrunert saschagrunert commented Feb 4, 2021

@BenTheElder @cblecker @fejta is this something we can do?

pjbgf
pjbgf approved these changes Feb 4, 2021
Member

@pjbgf pjbgf left a comment

It would be great to see this one on 1.21. 🙏

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm label Feb 4, 2021
@justaugustus justaugustus added this to In Progress (Issues & PRs) in Release Engineering via automation Feb 7, 2021
@saschagrunert
Member Author

@saschagrunert saschagrunert commented Mar 11, 2021

cc @mrunalp @ehashman for an LGTM (or not)

@saschagrunert
Member Author

@saschagrunert saschagrunert commented Mar 11, 2021

/retest

Member

@ehashman ehashman left a comment

/lgtm

with the assumption this isn't landing in 1.21

/retest
/sig security

@k8s-ci-robot k8s-ci-robot added the sig/security label Mar 12, 2021
@k8s-ci-robot k8s-ci-robot added the lgtm label Mar 12, 2021
@ehashman ehashman moved this from Triage to Done in SIG Node PR Triage Mar 12, 2021
@ehashman
Member

@ehashman ehashman commented Mar 12, 2021

/cc @pacoxu

@k8s-ci-robot k8s-ci-robot requested a review from pacoxu Mar 12, 2021
@spiffxp
Member

@spiffxp spiffxp commented Mar 13, 2021

/lgtm

with the assumption this isn't landing in 1.21

/retest

/sig security

@ehashman I think I agree, but to help us understand why this isn't worth filing an exception for, what concerns do you have with this landing in v1.21?

@ehashman
Member

@ehashman ehashman commented Mar 13, 2021

@ehashman I think I agree, but to help us understand why this isn't worth filing an exception for, what concerns do you have with this landing in v1.21?

I don't have any specific concerns, I was just quoting the discussion above with @saschagrunert :)

@pacoxu
Member

@pacoxu pacoxu commented Mar 13, 2021

There is a related issue with windows. #92963

Windows pods need to support RunAsUserName like Linux pods, not just work containers, not pause containers #92963

Will this support Windows non-root as well?

@saschagrunert
Member Author

@saschagrunert saschagrunert commented Mar 15, 2021

Will this support Windows non-root as well?

I don't think so, since the related issue seems to be feature related, whereas this is more of a default security enhancement.


@ehashman @spiffxp I think we could raise an exception for this PR.

Pinging @kubernetes/sig-release-leads @kubernetes/release-engineering to apply the milestone (or not).

@cpanato
Member

@cpanato cpanato commented Mar 15, 2021

looks ok to me to raise an exception for this change.

+1 from my side

@pacoxu
Member

@pacoxu pacoxu commented Mar 16, 2021

like #98205, we may update runtimes and k/k later.

BTW, updating the change log https://github.com/kubernetes/kubernetes/blob/master/build/pause/CHANGELOG.md would be better.

@saschagrunert
Member Author

@saschagrunert saschagrunert commented Mar 16, 2021

like #98205, we may update runtimes and k/k later.

BTW, updating the change log https://github.com/kubernetes/kubernetes/blob/master/build/pause/CHANGELOG.md would be better.

Sure, I can follow up on that. 👍

@cpanato
Member

@cpanato cpanato commented Mar 16, 2021

Everybody agrees that we need to get this in for 1.21, so adding the milestone.

/milestone v1.21

@k8s-ci-robot k8s-ci-robot added this to the v1.21 milestone Mar 16, 2021
@cpanato
Member

@cpanato cpanato commented Mar 16, 2021

/hold for any other comments, feel free to cancel that

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold label Mar 16, 2021
@saschagrunert
Member Author

@saschagrunert saschagrunert commented Mar 16, 2021

/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold label Mar 16, 2021
@saschagrunert
Member Author

@saschagrunert saschagrunert commented Mar 16, 2021

/test pull-kubernetes-integration

@k8s-ci-robot k8s-ci-robot merged commit 2a26f27 into kubernetes:master Mar 16, 2021
13 of 14 checks passed
Release Engineering automation moved this from Blocked, or Author Inactivity in +30 Days (Mostly PRs) to Done (1.21) Mar 16, 2021
@saschagrunert saschagrunert deleted the pause-non-root branch Mar 16, 2021
Labels
approved area/kubeadm area/kubectl area/kubelet area/provider/gcp area/release-eng area/test cncf-cla: yes kind/feature lgtm priority/important-soon release-note sig/cli sig/cloud-provider sig/cluster-lifecycle sig/node sig/release sig/security sig/testing size/XS triage/accepted
10 participants