Skip to content

[WIP] OCPBUGS-64663 runAsUser/runAsGroup not behaving to the expected range values in user namespaces #2511

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

[WIP] OCPBUGS-64663 runAsUser/runAsGroup not behaving to the expected range values in user namespaces #2511

wants to merge 4 commits into from

Conversation

@ropatil010
Copy link

@ropatil010 ropatil010 commented Nov 10, 2025
edited
Loading

Hi Team,

Can you PTAL for this PR.

Without this PR: There is no proper message to user why the deployment is not in ready state.
https://issues.redhat.com/browse/OCPBUGS-64663

Try to create deployment with value runAsGroup: 65536

oc get deploy -n testropatil
NAME READY UP-TO-DATE AVAILABLE AGE
deployment-invalid-group-test-65536 0/1 1 0 57m

Check output message:
oc get deploy/deployment-invalid-group-test-65536 -n testropatil -o yaml
hostUsers: false
restartPolicy: Always
schedulerName: default-scheduler
securityContext:
fsGroup: 1000
runAsGroup: 65536
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
terminationGracePeriodSeconds: 30
status:
conditions:

  • lastTransitionTime: "2025-11-05T05:50:19Z"
    lastUpdateTime: "2025-11-05T05:50:19Z"
    message: Deployment does not have minimum availability.
    reason: MinimumReplicasUnavailable
    status: "False"
    type: Available
  • lastTransitionTime: "2025-11-05T05:50:19Z"
    lastUpdateTime: "2025-11-05T05:50:19Z"
    message: ReplicaSet "deployment-invalid-group-test-65536-75474b4bdf" is progressing.
    reason: ReplicaSetUpdated
    status: "True"
    type: Progressing
    observedGeneration: 1
    replicas: 1
    unavailableReplicas: 1
    updatedReplicas: 1

With PR:
When try to create deployment with invalid max value: 65536 it wont creates the deployment and gives below info/message
oc create -f deployment-invalid-group-test-65536.yaml
Will get message info as:
The Deployment "deployment-invalid-group-test-65536" is invalid: spec.template.spec.securityContext.runAsGroup: Invalid value: 65536: must be between 0 and 65535 when user namespaces are enabled (hostUsers=false)

/hold

@openshift-ci-robot openshift-ci-robot added the backports/unvalidated-commits Indicates that not all commits come to merged upstream PRs. label Nov 10, 2025
@openshift-ci openshift-ci bot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. labels Nov 10, 2025
@openshift-ci-robot
Copy link

openshift-ci-robot commented Nov 10, 2025

@ropatil010: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

@openshift-ci openshift-ci bot requested review from p0lyn0mial and tkashem November 10, 2025 07:31
@openshift-ci
Copy link

openshift-ci bot commented Nov 10, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ropatil010
Once this PR has been reviewed and has the lgtm label, please assign bertinatto for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot openshift-ci-robot added backports/validated-commits Indicates that all commits come to merged upstream PRs. and removed backports/unvalidated-commits Indicates that not all commits come to merged upstream PRs. labels Nov 10, 2025
@openshift-ci-robot
Copy link

openshift-ci-robot commented Nov 10, 2025

@ropatil010: the contents of this pull request could be automatically validated.

The following commits are valid:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

@ropatil010 ropatil010 changed the title [WIP] testing scc checks runAsGroup validation check Nov 10, 2025
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 10, 2025
@ropatil010
Copy link
Author

ropatil010 commented Nov 10, 2025

/unhold

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Nov 10, 2025
@ropatil010
Copy link
Author

ropatil010 commented Nov 10, 2025

This is just a partial fix for max range, we can add RFE for runAsGroup when we enter the value: 999(min value).

@openshift-ci-robot openshift-ci-robot added backports/unvalidated-commits Indicates that not all commits come to merged upstream PRs. and removed backports/validated-commits Indicates that all commits come to merged upstream PRs. labels Nov 10, 2025
@openshift-ci-robot
Copy link

openshift-ci-robot commented Nov 10, 2025

@ropatil010: the contents of this pull request could not be automatically validated.

The following commits are valid:

The following commits could not be validated and must be approved by a top-level approver:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

@openshift-ci-robot openshift-ci-robot added backports/validated-commits Indicates that all commits come to merged upstream PRs. and removed backports/unvalidated-commits Indicates that not all commits come to merged upstream PRs. labels Nov 10, 2025
@openshift-ci-robot
Copy link

openshift-ci-robot commented Nov 10, 2025

@ropatil010: the contents of this pull request could be automatically validated.

The following commits are valid:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

@ropatil010
Copy link
Author

ropatil010 commented Nov 10, 2025

/test-with openshift/apiserver-library-go#154

@openshift-ci-robot
Copy link

openshift-ci-robot commented Nov 11, 2025

@ropatil010: the contents of this pull request could be automatically validated.

The following commits are valid:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

@openshift-ci-robot
Copy link

openshift-ci-robot commented Nov 11, 2025

@ropatil010: the contents of this pull request could be automatically validated.

The following commits are valid:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

@ropatil010
Copy link
Author

ropatil010 commented Nov 11, 2025

/retitle OCPBUGS-64663 runAsUser/runAsGroup not behaving to the expected range values in user namespaces

@openshift-ci openshift-ci bot changed the title runAsGroup validation check OCPBUGS-64663 runAsUser/runAsGroup not behaving to the expected range values in user namespaces Nov 11, 2025
@ropatil010
Copy link
Author

ropatil010 commented Nov 11, 2025

Execution result:

When try to create deployment with invalid user/group(after 64534+) id, it gives error that it must be in the ranges: [1000, 65534]
Deployment.apps "deployment-invalid-group-test-65535" is invalid: spec.template.spec.securityContext.runAsGroup: Invalid value: 65535: must be between 0 and 65535 when user namespaces are enabled (hostUsers=false)
Deployment.apps "deployment-invalid-user-test-65535" is invalid: spec.template.spec.securityContext.runAsUser: Invalid value: 65535: must be between 0 and 65535 when user namespaces are enabled (hostUsers=false)

@ropatil010
Copy link
Author

ropatil010 commented Nov 11, 2025

Just for reference: https://issues.redhat.com/browse/CNTRLPLANE-1909

@openshift-ci-robot openshift-ci-robot added backports/unvalidated-commits Indicates that not all commits come to merged upstream PRs. and removed backports/validated-commits Indicates that all commits come to merged upstream PRs. labels Nov 12, 2025
@openshift-ci-robot
Copy link

openshift-ci-robot commented Nov 12, 2025

@ropatil010: the contents of this pull request could not be automatically validated.

The following commits are valid:

The following commits could not be validated and must be approved by a top-level approver:

  • b3245b3|testing: does not specify an upstream backport in the commit message

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

@ropatil010
Copy link
Author

ropatil010 commented Nov 12, 2025

/hold

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Nov 12, 2025
@ropatil010 ropatil010 changed the title OCPBUGS-64663 runAsUser/runAsGroup not behaving to the expected range values in user namespaces [WIP] OCPBUGS-64663 runAsUser/runAsGroup not behaving to the expected range values in user namespaces Nov 12, 2025
@openshift-ci openshift-ci bot added vendor-update Touching vendor dir or related files do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. labels Nov 12, 2025
@openshift-ci-robot openshift-ci-robot added backports/validated-commits Indicates that all commits come to merged upstream PRs. and removed backports/unvalidated-commits Indicates that not all commits come to merged upstream PRs. labels Nov 13, 2025
@openshift-ci-robot
Copy link

openshift-ci-robot commented Nov 13, 2025

@ropatil010: the contents of this pull request could be automatically validated.

The following commits are valid:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

@openshift-ci-robot openshift-ci-robot added backports/unvalidated-commits Indicates that not all commits come to merged upstream PRs. and removed backports/validated-commits Indicates that all commits come to merged upstream PRs. labels Nov 13, 2025
@openshift-ci-robot
Copy link

openshift-ci-robot commented Nov 13, 2025

@ropatil010: the contents of this pull request could not be automatically validated.

The following commits are valid:

The following commits could not be validated and must be approved by a top-level approver:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

@openshift-ci-robot
Copy link

openshift-ci-robot commented Nov 13, 2025

@ropatil010: the contents of this pull request could not be automatically validated.

The following commits are valid:

The following commits could not be validated and must be approved by a top-level approver:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

@openshift-ci
Copy link

openshift-ci bot commented Nov 13, 2025

@ropatil010: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aws-ovn-techpreview-serial-1of2 8b27caf link false /test e2e-aws-ovn-techpreview-serial-1of2
ci/prow/e2e-aws-crun-wasm 8b27caf link true /test e2e-aws-crun-wasm
ci/prow/verify-commits 8b27caf link true /test verify-commits
ci/prow/e2e-metal-ipi-ovn-ipv6 8b27caf link true /test e2e-metal-ipi-ovn-ipv6
ci/prow/e2e-gcp 8b27caf link true /test e2e-gcp
ci/prow/e2e-aws-ovn-runc 8b27caf link true /test e2e-aws-ovn-runc
ci/prow/e2e-aws-ovn-fips 8b27caf link true /test e2e-aws-ovn-fips
ci/prow/e2e-aws-ovn-techpreview-serial-2of2 8b27caf link false /test e2e-aws-ovn-techpreview-serial-2of2
ci/prow/e2e-aws-ovn-serial-1of2 8b27caf link true /test e2e-aws-ovn-serial-1of2
ci/prow/k8s-e2e-gcp-serial 8b27caf link true /test k8s-e2e-gcp-serial
ci/prow/verify 8b27caf link true /test verify
ci/prow/k8s-e2e-gcp-ovn 8b27caf link true /test k8s-e2e-gcp-ovn
ci/prow/e2e-aws-ovn-techpreview 8b27caf link false /test e2e-aws-ovn-techpreview
ci/prow/e2e-aws-ovn-cgroupsv2 8b27caf link true /test e2e-aws-ovn-cgroupsv2
ci/prow/e2e-aws-ovn-serial-2of2 8b27caf link true /test e2e-aws-ovn-serial-2of2
ci/prow/k8s-e2e-conformance-aws 8b27caf link true /test k8s-e2e-conformance-aws
ci/prow/e2e-aws-ovn-hypershift 8b27caf link true /test e2e-aws-ovn-hypershift
ci/prow/unit 8b27caf link true /test unit
ci/prow/e2e-aws-ovn-crun 8b27caf link true /test e2e-aws-ovn-crun

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@p0lyn0mial p0lyn0mial Awaiting requested review from p0lyn0mial

@tkashem tkashem Awaiting requested review from tkashem

Assignees

No one assigned

Labels

backports/unvalidated-commits Indicates that not all commits come to merged upstream PRs. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. vendor-update Touching vendor dir or related files

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ropatil010 @openshift-ci-robot