Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support User Namespaces in pods #127

Open
26 tasks done
derekwaynecarr opened this issue Oct 10, 2016 · 231 comments
Open
26 tasks done

Support User Namespaces in pods #127

derekwaynecarr opened this issue Oct 10, 2016 · 231 comments
Assignees
Labels
kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API kind/feature Categorizes issue or PR as related to a new feature. sig/node Categorizes an issue or PR as relevant to SIG Node. stage/beta Denotes an issue tracking an enhancement targeted for Beta status
Milestone

Comments

@derekwaynecarr
Copy link
Member

derekwaynecarr commented Oct 10, 2016

Enhancement Description

Please keep this description up to date. This will help the Enhancement Team to track the evolution of the enhancement efficiently.

@derekwaynecarr
Copy link
Member Author

This work is being done by @pweil- and is reviewed by @derekwaynecarr, it is sponsored by @kubernetes/sig-node

@idvoretskyi idvoretskyi modified the milestone: v1.5 Oct 11, 2016
@idvoretskyi idvoretskyi added the sig/node Categorizes an issue or PR as relevant to SIG Node. label Oct 12, 2016
@mdshuai
Copy link
Contributor

mdshuai commented Oct 26, 2016

@derekwaynecarr Could you help create a user story card for this feature?

@idvoretskyi
Copy link
Member

@derekwaynecarr can you confirm that this feature targets alpha for 1.5?

@pweil-
Copy link

pweil- commented Nov 16, 2016

@derekwaynecarr can you confirm that this feature targets alpha for 1.5?

Yes, this feature is experimental only so it would be considered alpha.

@idvoretskyi
Copy link
Member

@derekwaynecarr @pweil- can you confirm that this item targets beta in 1.6?

@adelton
Copy link

adelton commented Nov 14, 2017

@derekwaynecarr, the proposal kubernetes/kubernetes#34569 was closed by bot due to inactivity.

@pweil-, in kubernetes/kubernetes#34569 (comment) you've proposed the approach pweil-/kubernetes@16f29eb which changes the group of /var/lib/kubelet/pods to the remapped root group. Do I understand it correctly that this is currently not tracked in any pull request?

@adelton
Copy link

adelton commented Nov 14, 2017

@pweil-, I also wonder if similar to docker's /var/lib/docker/<uid>.<gid> approach when --userns-remap is used, it might make sense to use /var/lib/kubelet/pods-<uid>.<gid> and just chown/chgroup everything in those subdirectories to the remapped <uid>.<gid>. Why did you opt for just the chgrp and not the full chown?

@pweil-
Copy link

pweil- commented Nov 14, 2017

@adelton in the end, I think having this be transparent to Kubernetes is the right approach. Whether that be something like shiftfs or implementation in the CRI (moby/moby#28593). You are correct that my existing proposal is not currently tracked in an open PR anymore.

The reasoning behind using the chgrp was to follow our fsgroup strategy where we just ensure group access instead of uid access.

@adelton
Copy link

adelton commented Nov 14, 2017

Thanks @pweil-.

When you say transparent, you mean that nothing should be needed to be added to code or to configuration on Kubernetes' side to allow running under docker with userns-remap?

As for the fsgroup strategy, do you mean https://kubernetes.io/docs/concepts/policy/pod-security-policy/#fsgroup or some generic methodology within Kubernetes?

I have now filed kubernetes/kubernetes#55707 as an alternative approach where I make the remapped uid/gid an explicit option, and use those values to chown/chgrp the necessary directories.

@pweil-
Copy link

pweil- commented Nov 14, 2017

When you say transparent, you mean that nothing should be needed to be added to code or to configuration on Kubernetes' side to allow running under docker with userns-remap?

that would be ideal. Whether that is feasible (or more likely, feasible in an acceptable time frame) is another question 😄

As for the fsgroup strategy, do you mean https://kubernetes.io/docs/concepts/policy/pod-security-policy/#fsgroup or some generic methodology within Kubernetes?

Yes

I have now filed kubernetes/kubernetes#55707 as an alternative approach where I make the remapped uid/gid an explicit option, and use those values to chown/chgrp the necessary directories.

👍 subscribed

@adelton
Copy link

adelton commented Nov 14, 2017

When you say transparent, you mean that nothing should be needed to be added to code or to configuration on Kubernetes' side to allow running under docker with userns-remap?

that would be ideal. Whether that is feasible (or more likely, feasible in an acceptable time frame) is another question

Ideally, the pod would specify how many distinct uids/gids it would require / list of uids it wants to see inside of the containers, and docker or different container runtime would setup the user namespace accordingly. But unless docker also changes ownership of the volumes mounted to the containers, Kubernetes will have to do that as part of the setup.

@adelton
Copy link

adelton commented Dec 7, 2017

@pwel-, what is the best way to get some review and comments on kubernetes/kubernetes#55707, to get it closer to mergeable state?

@0xmichalis
Copy link

@pweil- ^

@pweil-
Copy link

pweil- commented Dec 7, 2017

@adelton I would try to engage the sig-node folks either at their Tuesday meeting or on slack: https://github.com/kubernetes/community/tree/master/sig-node

@adelton
Copy link

adelton commented Dec 18, 2017

@derekwaynecarr, could you please bring kubernetes/kubernetes#55707 to sig-node's radar?

@idvoretskyi
Copy link
Member

@pweil- @derekwaynecarr any progress on this feature is expected?

@Checksumz
Copy link

@Checksumz thanks! I'm interested in writing a blog post for the 1.30 release. Let me confirm during next week if I'll do it. I want to check some stuff with other project releases.

@drewhagen yes, there are doc changes on this release. I've just opened a placeholder PR: kubernetes/website#45178. Thanks for the remainder!

thanks for your response @rata

@tjons
Copy link
Contributor

tjons commented Feb 25, 2024

Hey again @derekwaynecarr 👋 Enhancements team here,

Just checking in as we approach code freeze at 02:00 UTC Wednesday 6th March 2024 .

Here's where this enhancement currently stands:

  • All PRs to the Kubernetes repo that are related to your enhancement are linked in the above issue description (for tracking purposes).
  • All PR/s are ready to be merged (they have approved and lgtm labels applied) by the code freeze deadline. This includes tests.

For this enhancement, it looks like the following PR is open and needs to be merged before code freeze:

Also, please let me know if there are other PRs in k/k we should be tracking for this KEP.
As always, we are here to help if any questions come up. Thanks!

@tjons tjons moved this from Tracked for Enhancements Freeze to At Risk for Code Freeze in 1.30 Enhancements Tracking Feb 25, 2024
@Checksumz
Copy link

@Checksumz thanks! I'm interested in writing a blog post for the 1.30 release. Let me confirm during next week if I'll do it. I want to check some stuff with other project releases.

@drewhagen yes, there are doc changes on this release. I've just opened a placeholder PR: kubernetes/website#45178. Thanks for the remainder!

@rata Thank you for your interest in the 1.30 Feature Blog please can you open a placeholder PR by February 26th ?

@rata
Copy link
Member

rata commented Feb 26, 2024

@Checksumz Here it is (against dev-1.30): kubernetes/website#45354

Thanks!

@tjons
Copy link
Contributor

tjons commented Mar 6, 2024

Hello @derekwaynecarr 👋, Enhancements team here.

With all the implementation(code related) PRs merged as per the issue description:

This enhancement is now marked as tracked for code freeze for the 1.30 Code Freeze!

@tjons tjons moved this from At Risk for Code Freeze to Tracked for Code Freeze in 1.30 Enhancements Tracking Mar 6, 2024
@drewhagen drewhagen moved this from Tracked for Code Freeze to Tracked for Doc Freeze in 1.30 Enhancements Tracking Apr 1, 2024
@sreeram-venkitesh
Copy link
Member

Hello 👋, 1.31 Enhancements Lead here.

If you wish to progress this enhancement in v1.31, please have the SIG lead opt-in your enhancement by adding the lead-opted-in label and set the milestone to v1.31 before the Production Readiness Review Freeze.

/remove-label lead-opted-in

@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Aug 12, 2024
@remram44
Copy link

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Aug 12, 2024
@kannon92
Copy link
Contributor

What are the plans for 1.32?

@rata
Copy link
Member

rata commented Aug 26, 2024

No plans for 1.32 so far, just trying to get final releases of runc and so to use this. We will be back afterwards :)

@utam0k
Copy link
Member

utam0k commented Nov 23, 2024

No plans for 1.32 so far, just trying to get final releases of runc and so to use this. We will be back afterwards :)

@rata runc and containerd released the version having support for UN and id mapped mount. And, I realized that NFS haven't support NFS id-mapped mount yet. Should we take care of it in the documentation?

@rata
Copy link
Member

rata commented Nov 26, 2024

@utam0k We should link to the mount_setattr manpage, that list the supported fs and the kernel that added support for it. I send a patch to update it a few months ago, I think it is still up to date. The manpages was not updating the website often, but now it is. Wanna do a doc patch to link to this page https://man7.org/linux/man-pages/man2/mount_setattr.2.html ?

@utam0k
Copy link
Member

utam0k commented Nov 28, 2024

@rata I've updated my commend because I made a mistake.
#127 (comment)

Wanna do a doc patch to link to this page man7.org/linux/man-pages/man2/mount_setattr.2.html ?

hmm... It's one of the good ideas, but out-of-tree fs, e.g., zfs doesn't list on the man page.
How about adding a note about this concern and encouraging users to refer to the man page?

@utam0k
Copy link
Member

utam0k commented Nov 28, 2024

No plans for 1.32 so far, just trying to get final releases of runc and so to use this. We will be back afterwards :)

@rata Are you aiming for stable at 1.33? Please let me know if there is anything I can do to help.

@utam0k
Copy link
Member

utam0k commented Nov 28, 2024

I don't have a good solution, but I'll write down one concern. I think there will be a security problem if a filesystem that doesn't support id-mapped mounts ignores the option and mounts it. NFS doesn't support id-mapped mounts, but it returns an error properly, so the Pod will fail to start. It is not known whether it is worth warning about in the user documentation.
https://elixir.bootlin.com/linux/v6.12/source/fs/nfsd/export.c#L398-L450

However, I am a beginner in the filesystem, so please let me know if there are any mistakes.

@AkihiroSuda
Copy link
Member

Can we allow customizing the hard-coded 65536 limit?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API kind/feature Categorizes issue or PR as related to a new feature. sig/node Categorizes an issue or PR as relevant to SIG Node. stage/beta Denotes an issue tracking an enhancement targeted for Beta status
Projects
Status: Tracked
Status: Tracked
Status: Tracked for Code Freeze
Status: Tracked for Doc Freeze
Status: Not for release
Development

No branches or pull requests