-
Notifications
You must be signed in to change notification settings - Fork 348
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See comments and questions.
pkg/server/container_create.go
Outdated
@@ -225,6 +226,18 @@ func (c *criService) CreateContainer(ctx context.Context, r *runtime.CreateConta | |||
if username := securityContext.GetRunAsUsername(); username != "" { | |||
specOpts = append(specOpts, oci.WithUsername(username)) | |||
} | |||
if gid := securityContext.GetRunAsGroup(); gid != nil { | |||
if securityContext.GetRunAsUser() == nil || securityContext.GetRunAsUsername() == "" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Above comment block should be modified to mention groupid
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
uid and username variables should be promoted in scope so they can be used here in this if nil check
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will do.
pkg/server/container_create.go
Outdated
@@ -225,6 +226,18 @@ func (c *criService) CreateContainer(ctx context.Context, r *runtime.CreateConta | |||
if username := securityContext.GetRunAsUsername(); username != "" { | |||
specOpts = append(specOpts, oci.WithUsername(username)) | |||
} | |||
if gid := securityContext.GetRunAsGroup(); gid != nil { | |||
if securityContext.GetRunAsUser() == nil || securityContext.GetRunAsUsername() == "" { | |||
return nil, errors.New("user group is specified without user") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
maybe output uid and username here so we can see if one or both are nil...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My mistake, it should be &&
.
pkg/server/container_create.go
Outdated
if securityContext.GetRunAsUser() == nil || securityContext.GetRunAsUsername() == "" { | ||
return nil, errors.New("user group is specified without user") | ||
} | ||
// TODO(random-liu): Add WithGroupID in containerd client. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
and add WithUserID/WithUsername?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We already have those helpers.
pkg/server/container_create.go
Outdated
@@ -225,6 +226,18 @@ func (c *criService) CreateContainer(ctx context.Context, r *runtime.CreateConta | |||
if username := securityContext.GetRunAsUsername(); username != "" { | |||
specOpts = append(specOpts, oci.WithUsername(username)) | |||
} | |||
if gid := securityContext.GetRunAsGroup(); gid != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
FYI... oci.WithUserID() and oci.WithUsername() are already looking up the gid and may already be setting it. Course a user can be in more than one group.. so I'm not sure how well the current assignment is working. Thoughts?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We set GID after WithUserID
and WithUsername
which overwrites the gid.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
per discussion let's todo a helper that does uid,username, and gid at the same time..
ae0ed2f
to
8482a98
Compare
@mikebrow Addressed comments. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/LGTM
8482a98
to
0ab24f2
Compare
@mikebrow Added a helper in containerd, which makes the code much cleaner. I'll send a PR to containerd soon. |
0ab24f2
to
b50b5ca
Compare
Signed-off-by: Lantao Liu <[email protected]>
b50b5ca
to
ed20174
Compare
@mikebrow Updated the PR to use the newly added containerd helper |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/LGTM
I added the test kubernetes-sigs/cri-tools#282. This PR passed the test: $ make test-cri FOCUS=RunAsGroup
/home/lantaol/workspace/bin/critest
Running Suite: CRI validation
=============================
Random Seed: 1522455630 - Will randomize all specs
Will run 70 specs
Running in parallel across 8 nodes
SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS
------------------------------
[BeforeEach] [k8s.io] Security Context
/home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/framework/framework.go:50
[BeforeEach] [k8s.io] Security Context
/home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/validate/security_context.go:52
[It] runtime should return error if RunAsGroup is set without RunAsUser
/home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/validate/security_context.go:376
STEP: create pod
STEP: create container with invalid RunAsGroup
STEP: create invalid RunAsGroup container
STEP: create a container with RunAsGroup without RunAsUser
STEP: Get image status for image: busybox:1.26
STEP: Create container.
E0331 00:20:31.185110 16991 remote_runtime.go:187] CreateContainer in sandbox "a6fab5752333e398cc3710f560f0dc5bfa90eec0d61a8f68156ee9c0b4544e3d" from runtime service failed: rpc error: code = Unknown desc = failed to generate user string: user group "1002" is specified without user
[AfterEach] [k8s.io] Security Context
/home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/framework/framework.go:51
[AfterEach] [k8s.io] Security Context
/home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/validate/security_context.go:57
STEP: stop PodSandbox
STEP: delete PodSandbox
•
------------------------------
[BeforeEach] [k8s.io] Security Context
/home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/framework/framework.go:50
[BeforeEach] [k8s.io] Security Context
/home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/validate/security_context.go:52
[It] runtime should support RunAsGroup
/home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/validate/security_context.go:358
STEP: create pod
STEP: create a PodSandbox with log directory
STEP: create container for security context RunAsGroup
STEP: create RunAsGroup container
STEP: create a container with RunAsUser and RunAsGroup
STEP: Get image status for image: busybox:1.26
STEP: Create container.
Mar 31 00:20:32.237: INFO: Created container "8e303ff0a02c4243a6f0a8597f2454555e97cba1f65311567eb662c1daecc4df"
STEP: start container
STEP: Start container for containerID: 8e303ff0a02c4243a6f0a8597f2454555e97cba1f65311567eb662c1daecc4df
Mar 31 00:20:32.352: INFO: Started container "8e303ff0a02c4243a6f0a8597f2454555e97cba1f65311567eb662c1daecc4df"
STEP: Get container status for containerID: 8e303ff0a02c4243a6f0a8597f2454555e97cba1f65311567eb662c1daecc4df
STEP: Get container status for containerID: 8e303ff0a02c4243a6f0a8597f2454555e97cba1f65311567eb662c1daecc4df
STEP: verify RunAsGroup for container
STEP: check container output
STEP: verify log contents
Mar 31 00:20:36.354: INFO: Open log file /tmp/podLogTest084028383/PodSandbox-with-log-directory-522fde28-3479-11e8-856a-42010af00002/container-with-RunAsGroup-test-52f0c7d1-3479-11e8-856a-42010af00002.log
Mar 31 00:20:36.354: INFO: Parse container log succeed
[AfterEach] [k8s.io] Security Context
/home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/framework/framework.go:51
[AfterEach] [k8s.io] Security Context
/home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/validate/security_context.go:57
STEP: stop PodSandbox
STEP: delete PodSandbox
• [SLOW TEST:5.701 seconds]
[k8s.io] Security Context
/home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/framework/framework.go:72
bucket
/home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/validate/security_context.go:288
runtime should support RunAsGroup
/home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/validate/security_context.go:358
------------------------------
Ran 2 of 70 Specs in 5.720 seconds
SUCCESS! -- 2 Passed | 0 Failed | 0 Pending | 68 Skipped
Ginkgo ran 1 suite in 5.761128797s
Test Suite Passed
PASS
./hack/test-utils.sh: line 53: 16920 Terminated keepalive "sudo ${ROOT}/_output/containerd ${CONTAINERD_FLAGS}" ${RESTART_WAIT_PERIOD} &> ${report_dir}/containerd.log |
Based on containerd/containerd#2257.
RunAsGroup
is added in Kubernetes 1.10 kubernetes/kubernetes#52077. We should support it.Please hold this PR until I add CRI validation test. kubernetes-sigs/cri-tools#280
Signed-off-by: Lantao Liu [email protected]