Skip to content
This repository has been archived by the owner on Mar 9, 2022. It is now read-only.

Add RunAsGroup support. #710

Merged
merged 1 commit into from
Mar 31, 2018

Conversation

Random-Liu
Copy link
Member

@Random-Liu Random-Liu commented Mar 30, 2018

Based on containerd/containerd#2257.

RunAsGroup is added in Kubernetes 1.10 kubernetes/kubernetes#52077. We should support it.

Please hold this PR until I add CRI validation test. kubernetes-sigs/cri-tools#280

Signed-off-by: Lantao Liu [email protected]

Copy link
Member

@mikebrow mikebrow left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See comments and questions.

@@ -225,6 +226,18 @@ func (c *criService) CreateContainer(ctx context.Context, r *runtime.CreateConta
if username := securityContext.GetRunAsUsername(); username != "" {
specOpts = append(specOpts, oci.WithUsername(username))
}
if gid := securityContext.GetRunAsGroup(); gid != nil {
if securityContext.GetRunAsUser() == nil || securityContext.GetRunAsUsername() == "" {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Above comment block should be modified to mention groupid

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

uid and username variables should be promoted in scope so they can be used here in this if nil check

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will do.

@@ -225,6 +226,18 @@ func (c *criService) CreateContainer(ctx context.Context, r *runtime.CreateConta
if username := securityContext.GetRunAsUsername(); username != "" {
specOpts = append(specOpts, oci.WithUsername(username))
}
if gid := securityContext.GetRunAsGroup(); gid != nil {
if securityContext.GetRunAsUser() == nil || securityContext.GetRunAsUsername() == "" {
return nil, errors.New("user group is specified without user")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe output uid and username here so we can see if one or both are nil...

Copy link
Member Author

@Random-Liu Random-Liu Mar 30, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My mistake, it should be &&.

if securityContext.GetRunAsUser() == nil || securityContext.GetRunAsUsername() == "" {
return nil, errors.New("user group is specified without user")
}
// TODO(random-liu): Add WithGroupID in containerd client.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

and add WithUserID/WithUsername?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We already have those helpers.

@@ -225,6 +226,18 @@ func (c *criService) CreateContainer(ctx context.Context, r *runtime.CreateConta
if username := securityContext.GetRunAsUsername(); username != "" {
specOpts = append(specOpts, oci.WithUsername(username))
}
if gid := securityContext.GetRunAsGroup(); gid != nil {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FYI... oci.WithUserID() and oci.WithUsername() are already looking up the gid and may already be setting it. Course a user can be in more than one group.. so I'm not sure how well the current assignment is working. Thoughts?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We set GID after WithUserID and WithUsername which overwrites the gid.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

per discussion let's todo a helper that does uid,username, and gid at the same time..

@Random-Liu
Copy link
Member Author

@mikebrow Addressed comments.

Copy link
Member

@mikebrow mikebrow left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/LGTM

@Random-Liu
Copy link
Member Author

@mikebrow Added a helper in containerd, which makes the code much cleaner.

I'll send a PR to containerd soon.

Signed-off-by: Lantao Liu <[email protected]>
@Random-Liu
Copy link
Member Author

@mikebrow Updated the PR to use the newly added containerd helper oci.WithUser.

Copy link
Member

@mikebrow mikebrow left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/LGTM

@Random-Liu
Copy link
Member Author

I added the test kubernetes-sigs/cri-tools#282. This PR passed the test:

$ make test-cri FOCUS=RunAsGroup
/home/lantaol/workspace/bin/critest
Running Suite: CRI validation
=============================
Random Seed: 1522455630 - Will randomize all specs
Will run 70 specs

Running in parallel across 8 nodes

SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS
------------------------------
[BeforeEach] [k8s.io] Security Context
  /home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/framework/framework.go:50
[BeforeEach] [k8s.io] Security Context
  /home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/validate/security_context.go:52
[It] runtime should return error if RunAsGroup is set without RunAsUser
  /home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/validate/security_context.go:376
STEP: create pod
STEP: create container with invalid RunAsGroup
STEP: create invalid RunAsGroup container
STEP: create a container with RunAsGroup without RunAsUser
STEP: Get image status for image: busybox:1.26
STEP: Create container.
E0331 00:20:31.185110   16991 remote_runtime.go:187] CreateContainer in sandbox "a6fab5752333e398cc3710f560f0dc5bfa90eec0d61a8f68156ee9c0b4544e3d" from runtime service failed: rpc error: code = Unknown desc = failed to generate user string: user group "1002" is specified without user
[AfterEach] [k8s.io] Security Context
  /home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/framework/framework.go:51
[AfterEach] [k8s.io] Security Context
  /home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/validate/security_context.go:57
STEP: stop PodSandbox
STEP: delete PodSandbox


------------------------------
[BeforeEach] [k8s.io] Security Context
  /home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/framework/framework.go:50
[BeforeEach] [k8s.io] Security Context
  /home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/validate/security_context.go:52
[It] runtime should support RunAsGroup
  /home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/validate/security_context.go:358
STEP: create pod
STEP: create a PodSandbox with log directory
STEP: create container for security context RunAsGroup
STEP: create RunAsGroup container
STEP: create a container with RunAsUser and RunAsGroup
STEP: Get image status for image: busybox:1.26
STEP: Create container.
Mar 31 00:20:32.237: INFO: Created container "8e303ff0a02c4243a6f0a8597f2454555e97cba1f65311567eb662c1daecc4df"

STEP: start container
STEP: Start container for containerID: 8e303ff0a02c4243a6f0a8597f2454555e97cba1f65311567eb662c1daecc4df
Mar 31 00:20:32.352: INFO: Started container "8e303ff0a02c4243a6f0a8597f2454555e97cba1f65311567eb662c1daecc4df"

STEP: Get container status for containerID: 8e303ff0a02c4243a6f0a8597f2454555e97cba1f65311567eb662c1daecc4df
STEP: Get container status for containerID: 8e303ff0a02c4243a6f0a8597f2454555e97cba1f65311567eb662c1daecc4df
STEP: verify RunAsGroup for container
STEP: check container output
STEP: verify log contents
Mar 31 00:20:36.354: INFO: Open log file /tmp/podLogTest084028383/PodSandbox-with-log-directory-522fde28-3479-11e8-856a-42010af00002/container-with-RunAsGroup-test-52f0c7d1-3479-11e8-856a-42010af00002.log
Mar 31 00:20:36.354: INFO: Parse container log succeed
[AfterEach] [k8s.io] Security Context
  /home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/framework/framework.go:51
[AfterEach] [k8s.io] Security Context
  /home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/validate/security_context.go:57
STEP: stop PodSandbox
STEP: delete PodSandbox


• [SLOW TEST:5.701 seconds]
[k8s.io] Security Context
/home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/framework/framework.go:72
  bucket
  /home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/validate/security_context.go:288
    runtime should support RunAsGroup
    /home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/validate/security_context.go:358
------------------------------

Ran 2 of 70 Specs in 5.720 seconds
SUCCESS! -- 2 Passed | 0 Failed | 0 Pending | 68 Skipped 

Ginkgo ran 1 suite in 5.761128797s
Test Suite Passed
PASS
./hack/test-utils.sh: line 53: 16920 Terminated              keepalive "sudo ${ROOT}/_output/containerd ${CONTAINERD_FLAGS}" ${RESTART_WAIT_PERIOD} &> ${report_dir}/containerd.log

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants