Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

KEP-3619: Fine-grained SupplementalGroups control #1438

Merged
merged 5 commits into from
Jul 23, 2024
Merged

KEP-3619: Fine-grained SupplementalGroups control #1438

merged 5 commits into from
Jul 23, 2024
+887 −538

Conversation

everpeace
Copy link
Contributor

@everpeace everpeace commented May 30, 2024
edited
Loading

For:

Depends on:

What type of PR is this?

/kind feature

What this PR does / why we need it:

Implements validation tests for KEP-3619: Fine-grained SupplementalGroups control:

, which skips itself when the container runtime does not support SupplementalGroupsPolicy detected via StatusResponse.features.supplemental_groups_policy.

The current SupplementalGroupsPolicy test status:

CRI OS Version Test Stautus
containerd Linux master PASSED
containerd Linux 1.6 SKIPPED
containerd Linux 1.7 SKIPPED
containerd Windows * SKIPPED
CRI-O Linux master PASSED
CRI-O Windows * SKIPPED

Which issue(s) this PR fixes:

None

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Support Fine-grained SupplementalGroups control (KEP-3619)

@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. kind/feature Categorizes issue or PR as related to a new feature. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels May 30, 2024
@k8s-ci-robot k8s-ci-robot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label May 30, 2024
@everpeace everpeace force-pushed the kep-3619-SupplementalGroupsPolicy branch 2 times, most recently from 5aac837 to 11b8584 Compare May 30, 2024 14:59
@everpeace everpeace changed the title KEP-3619: Fine-grained SupplementalGroups control (SupplementalGroupsPolicy) KEP-3619: Fine-grained SupplementalGroups control May 30, 2024
This was referenced May 30, 2024
Open
Merged
@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 1, 2024
@everpeace everpeace force-pushed the kep-3619-SupplementalGroupsPolicy branch from 11b8584 to 5994ce7 Compare June 3, 2024 09:24
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 3, 2024
@everpeace everpeace mentioned this pull request Jun 3, 2024
Closed
This was referenced Jun 12, 2024
Merged
Merged
@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 13, 2024
@everpeace everpeace force-pushed the kep-3619-SupplementalGroupsPolicy branch from 5994ce7 to 67169ed Compare June 14, 2024 00:37
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 14, 2024
@everpeace everpeace changed the title KEP-3619: Fine-grained SupplementalGroups control [WIP] KEP-3619: Fine-grained SupplementalGroups control Jun 26, 2024
@everpeace everpeace marked this pull request as ready for review June 26, 2024 20:43
@k8s-ci-robot k8s-ci-robot requested review from feiskyer and mrunalp June 26, 2024 20:43
@everpeace everpeace marked this pull request as draft June 26, 2024 20:45
@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 27, 2024
@everpeace everpeace force-pushed the kep-3619-SupplementalGroupsPolicy branch from 67169ed to f55a3d5 Compare July 4, 2024 05:47
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 4, 2024
@everpeace everpeace mentioned this pull request Jul 4, 2024
Merged
@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 4, 2024
@everpeace everpeace changed the title [WIP] KEP-3619: Fine-grained SupplementalGroups control KEP-3619: Fine-grained SupplementalGroups control Jul 23, 2024
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 23, 2024
@everpeace everpeace force-pushed the kep-3619-SupplementalGroupsPolicy branch from 68415b7 to 64a7db2 Compare July 23, 2024 12:09
everpeace
everpeace commented Jul 23, 2024
View reviewed changes
Copy link
Contributor Author

@everpeace everpeace left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@kwilczynski @mrunalp Could you kindly review this PR?? 🙇 Thanks, in advance.

kwilczynski
kwilczynski reviewed Jul 23, 2024
View reviewed changes
pkg/validate/security_context_linux.go Outdated
"Linux": PointTo(MatchFields(IgnoreExtras, Fields{
"Uid": Equal(imagePredefinedGroupUID),
"Gid": Equal(imagePredefinedGroupUID),
// we can not assume the order of gids
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would sorting the list make it a little more deterministic?

Copy link
Contributor Author

@everpeace everpeace Jul 23, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure, fixed in 695b675. Sorting removes gstruct usage, too👍.

kwilczynski
kwilczynski reviewed Jul 23, 2024
View reviewed changes
pkg/validate/security_context_linux.go Outdated
Comment on lines 619 to 620
// SupplementalGroupsPolicy_Merge is default(0)
// SupplementalGroupsPolicy: runtimeapi.SupplementalGroupsPolicy_Merge,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you want to keep this comment here?

Copy link
Contributor Author

@everpeace everpeace Jul 23, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not really. fixed in c45cf82

@everpeace everpeace force-pushed the kep-3619-SupplementalGroupsPolicy branch from c9678f4 to 695b675 Compare July 23, 2024 13:02
everpeace
everpeace commented Jul 23, 2024
View reviewed changes
Copy link
Contributor Author

@everpeace everpeace left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@kwilczynski I addressed your comments. PTAL.

saschagrunert
saschagrunert approved these changes Jul 23, 2024
View reviewed changes
Copy link
Member

@saschagrunert saschagrunert left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

/hold
for @kwilczynski final thoughts.

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 23, 2024
@k8s-ci-robot k8s-ci-robot added lgtm "Looks good to me", indicates that a PR is ready to be merged. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Jul 23, 2024
kwilczynski
kwilczynski reviewed Jul 23, 2024
View reviewed changes
pkg/validate/security_context_linux.go
verifyLogContents(podConfig, logPath, expectedOutput, stdoutType)

By("verify groups for 'exec'-ed process of container")
command := []string{"id", "-G"}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would the GroupIds() from os/user work here in lieu of fork-out to the id command? Nothing against doing this, just curious...

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As far as I know GroupIds() always parse /etc/groups. So, I think GroupIds() wouldn't work.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Got it. Thank you!

kwilczynski
kwilczynski reviewed Jul 23, 2024
View reviewed changes
pkg/validate/security_context_linux.go Outdated
containerConfig := &runtimeapi.ContainerConfig{
Metadata: framework.BuildContainerMetadata(containerName, framework.DefaultAttempt),
Image: &runtimeapi.ImageSpec{Image: testImagePreDefinedGroup},
Command: []string{"sh", "-c", "id -G; while :; do sleep 1; done"},
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would this work in place of the loop?

Suggested change
Command: []string{"sh", "-c", "id -G; while :; do sleep 1; done"},
Command: []string{"sh", "-c", "id -G; sleep infinity"},

Copy link
Member

@kwilczynski kwilczynski Jul 23, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I realise this is a code that existed prior... hence I apologise for asking about it. However, perhaps we can make things bit better. 😄

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

never mind. fixed in c9e3de6

@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 23, 2024
@kwilczynski
Copy link
Member

/approve
/lgtm

@kwilczynski
Copy link
Member

/unhold

@k8s-ci-robot k8s-ci-robot added lgtm "Looks good to me", indicates that a PR is ready to be merged. and removed do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. labels Jul 23, 2024
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: everpeace, kwilczynski, saschagrunert

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot merged commit ee58080 into kubernetes-sigs:master Jul 23, 2024
23 checks passed
@everpeace everpeace deleted the kep-3619-SupplementalGroupsPolicy branch July 24, 2024 00:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kwilczynski kwilczynski kwilczynski left review comments

@saschagrunert saschagrunert saschagrunert approved these changes

@klueska klueska Awaiting requested review from klueska

@Random-Liu Random-Liu Awaiting requested review from Random-Liu

@feiskyer feiskyer Awaiting requested review from feiskyer

@mrunalp mrunalp Awaiting requested review from mrunalp

@derekwaynecarr derekwaynecarr Awaiting requested review from derekwaynecarr

Assignees

@kwilczynski kwilczynski

@saschagrunert saschagrunert

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@everpeace @kwilczynski @k8s-ci-robot @saschagrunert