This repository has been archived by the owner on Mar 9, 2022. It is now read-only.
Add RunAsGroup support. #710
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
mikebrow
reviewed
Mar 30, 2018
pkg/server/container_create.go
Outdated
| @@ -225,6 +226,18 @@ func (c *criService) CreateContainer(ctx context.Context, r *runtime.CreateConta | |||
| if username := securityContext.GetRunAsUsername(); username != "" { | |||
| specOpts = append(specOpts, oci.WithUsername(username)) | |||
| } | |||
| if gid := securityContext.GetRunAsGroup(); gid != nil { | |||
| if securityContext.GetRunAsUser() == nil || securityContext.GetRunAsUsername() == "" { | |||
There was a problem hiding this comment.
Above comment block should be modified to mention groupid
There was a problem hiding this comment.
uid and username variables should be promoted in scope so they can be used here in this if nil check
pkg/server/container_create.go
Outdated
| @@ -225,6 +226,18 @@ func (c *criService) CreateContainer(ctx context.Context, r *runtime.CreateConta | |||
| if username := securityContext.GetRunAsUsername(); username != "" { | |||
| specOpts = append(specOpts, oci.WithUsername(username)) | |||
| } | |||
| if gid := securityContext.GetRunAsGroup(); gid != nil { | |||
| if securityContext.GetRunAsUser() == nil || securityContext.GetRunAsUsername() == "" { | |||
| return nil, errors.New("user group is specified without user") | |||
There was a problem hiding this comment.
maybe output uid and username here so we can see if one or both are nil...
There was a problem hiding this comment.
My mistake, it should be &&.
pkg/server/container_create.go
Outdated
| if securityContext.GetRunAsUser() == nil || securityContext.GetRunAsUsername() == "" { | ||
| return nil, errors.New("user group is specified without user") | ||
| } | ||
| // TODO(random-liu): Add WithGroupID in containerd client. |
There was a problem hiding this comment.
and add WithUserID/WithUsername?
There was a problem hiding this comment.
We already have those helpers.
pkg/server/container_create.go
Outdated
| @@ -225,6 +226,18 @@ func (c *criService) CreateContainer(ctx context.Context, r *runtime.CreateConta | |||
| if username := securityContext.GetRunAsUsername(); username != "" { | |||
| specOpts = append(specOpts, oci.WithUsername(username)) | |||
| } | |||
| if gid := securityContext.GetRunAsGroup(); gid != nil { | |||
There was a problem hiding this comment.
FYI... oci.WithUserID() and oci.WithUsername() are already looking up the gid and may already be setting it. Course a user can be in more than one group.. so I'm not sure how well the current assignment is working. Thoughts?
There was a problem hiding this comment.
We set GID after WithUserID and WithUsername which overwrites the gid.
There was a problem hiding this comment.
per discussion let's todo a helper that does uid,username, and gid at the same time..
Random-Liu
force-pushed
the
support-run-as-group
branch
from
ae0ed2f
to
8482a98
Compare
|
@mikebrow Addressed comments. |
Random-Liu
force-pushed
the
support-run-as-group
branch
from
8482a98
to
0ab24f2
Compare
|
@mikebrow Added a helper in containerd, which makes the code much cleaner. I'll send a PR to containerd soon. |
Random-Liu
force-pushed
the
support-run-as-group
branch
from
0ab24f2
to
b50b5ca
Compare
Signed-off-by: Lantao Liu <lantaol@google.com>
Random-Liu
force-pushed
the
support-run-as-group
branch
from
b50b5ca
to
ed20174
Compare
|
@mikebrow Updated the PR to use the newly added containerd helper |
|
I added the test kubernetes-sigs/cri-tools#282. This PR passed the test: $ make test-cri FOCUS=RunAsGroup
/home/lantaol/workspace/bin/critest
Running Suite: CRI validation
=============================
Random Seed: 1522455630 - Will randomize all specs
Will run 70 specs
Running in parallel across 8 nodes
SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS
------------------------------
[BeforeEach] [k8s.io] Security Context
/home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/framework/framework.go:50
[BeforeEach] [k8s.io] Security Context
/home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/validate/security_context.go:52
[It] runtime should return error if RunAsGroup is set without RunAsUser
/home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/validate/security_context.go:376
STEP: create pod
STEP: create container with invalid RunAsGroup
STEP: create invalid RunAsGroup container
STEP: create a container with RunAsGroup without RunAsUser
STEP: Get image status for image: busybox:1.26
STEP: Create container.
E0331 00:20:31.185110 16991 remote_runtime.go:187] CreateContainer in sandbox "a6fab5752333e398cc3710f560f0dc5bfa90eec0d61a8f68156ee9c0b4544e3d" from runtime service failed: rpc error: code = Unknown desc = failed to generate user string: user group "1002" is specified without user
[AfterEach] [k8s.io] Security Context
/home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/framework/framework.go:51
[AfterEach] [k8s.io] Security Context
/home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/validate/security_context.go:57
STEP: stop PodSandbox
STEP: delete PodSandbox
•
------------------------------
[BeforeEach] [k8s.io] Security Context
/home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/framework/framework.go:50
[BeforeEach] [k8s.io] Security Context
/home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/validate/security_context.go:52
[It] runtime should support RunAsGroup
/home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/validate/security_context.go:358
STEP: create pod
STEP: create a PodSandbox with log directory
STEP: create container for security context RunAsGroup
STEP: create RunAsGroup container
STEP: create a container with RunAsUser and RunAsGroup
STEP: Get image status for image: busybox:1.26
STEP: Create container.
Mar 31 00:20:32.237: INFO: Created container "8e303ff0a02c4243a6f0a8597f2454555e97cba1f65311567eb662c1daecc4df"
STEP: start container
STEP: Start container for containerID: 8e303ff0a02c4243a6f0a8597f2454555e97cba1f65311567eb662c1daecc4df
Mar 31 00:20:32.352: INFO: Started container "8e303ff0a02c4243a6f0a8597f2454555e97cba1f65311567eb662c1daecc4df"
STEP: Get container status for containerID: 8e303ff0a02c4243a6f0a8597f2454555e97cba1f65311567eb662c1daecc4df
STEP: Get container status for containerID: 8e303ff0a02c4243a6f0a8597f2454555e97cba1f65311567eb662c1daecc4df
STEP: verify RunAsGroup for container
STEP: check container output
STEP: verify log contents
Mar 31 00:20:36.354: INFO: Open log file /tmp/podLogTest084028383/PodSandbox-with-log-directory-522fde28-3479-11e8-856a-42010af00002/container-with-RunAsGroup-test-52f0c7d1-3479-11e8-856a-42010af00002.log
Mar 31 00:20:36.354: INFO: Parse container log succeed
[AfterEach] [k8s.io] Security Context
/home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/framework/framework.go:51
[AfterEach] [k8s.io] Security Context
/home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/validate/security_context.go:57
STEP: stop PodSandbox
STEP: delete PodSandbox
• [SLOW TEST:5.701 seconds]
[k8s.io] Security Context
/home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/framework/framework.go:72
bucket
/home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/validate/security_context.go:288
runtime should support RunAsGroup
/home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/validate/security_context.go:358
------------------------------
Ran 2 of 70 Specs in 5.720 seconds
SUCCESS! -- 2 Passed | 0 Failed | 0 Pending | 68 Skipped
Ginkgo ran 1 suite in 5.761128797s
Test Suite Passed
PASS
./hack/test-utils.sh: line 53: 16920 Terminated keepalive "sudo ${ROOT}/_output/containerd ${CONTAINERD_FLAGS}" ${RESTART_WAIT_PERIOD} &> ${report_dir}/containerd.log |
5 tasks
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Based on containerd/containerd#2257.
RunAsGroupis added in Kubernetes 1.10 kubernetes/kubernetes#52077. We should support it.Please hold this PR until I add CRI validation test. kubernetes-sigs/cri-tools#280
Signed-off-by: Lantao Liu lantaol@google.com