This repository was archived by the owner on Mar 9, 2022. It is now read-only.
Merged
Conversation
mikebrow
reviewed
Mar 30, 2018
pkg/server/container_create.go
Outdated
| specOpts = append(specOpts, oci.WithUsername(username)) | ||
| } | ||
| if gid := securityContext.GetRunAsGroup(); gid != nil { | ||
| if securityContext.GetRunAsUser() == nil || securityContext.GetRunAsUsername() == "" { |
Member
There was a problem hiding this comment.
Above comment block should be modified to mention groupid
Member
There was a problem hiding this comment.
uid and username variables should be promoted in scope so they can be used here in this if nil check
pkg/server/container_create.go
Outdated
| } | ||
| if gid := securityContext.GetRunAsGroup(); gid != nil { | ||
| if securityContext.GetRunAsUser() == nil || securityContext.GetRunAsUsername() == "" { | ||
| return nil, errors.New("user group is specified without user") |
Member
There was a problem hiding this comment.
maybe output uid and username here so we can see if one or both are nil...
Member
Author
There was a problem hiding this comment.
My mistake, it should be &&.
pkg/server/container_create.go
Outdated
| if securityContext.GetRunAsUser() == nil || securityContext.GetRunAsUsername() == "" { | ||
| return nil, errors.New("user group is specified without user") | ||
| } | ||
| // TODO(random-liu): Add WithGroupID in containerd client. |
Member
There was a problem hiding this comment.
and add WithUserID/WithUsername?
Member
Author
There was a problem hiding this comment.
We already have those helpers.
pkg/server/container_create.go
Outdated
| if username := securityContext.GetRunAsUsername(); username != "" { | ||
| specOpts = append(specOpts, oci.WithUsername(username)) | ||
| } | ||
| if gid := securityContext.GetRunAsGroup(); gid != nil { |
Member
There was a problem hiding this comment.
FYI... oci.WithUserID() and oci.WithUsername() are already looking up the gid and may already be setting it. Course a user can be in more than one group.. so I'm not sure how well the current assignment is working. Thoughts?
Member
Author
There was a problem hiding this comment.
We set GID after WithUserID and WithUsername which overwrites the gid.
Member
There was a problem hiding this comment.
per discussion let's todo a helper that does uid,username, and gid at the same time..
ae0ed2f to
8482a98
Compare
Member
Author
|
@mikebrow Addressed comments. |
8482a98 to
0ab24f2
Compare
Member
Author
|
@mikebrow Added a helper in containerd, which makes the code much cleaner. I'll send a PR to containerd soon. |
0ab24f2 to
b50b5ca
Compare
Signed-off-by: Lantao Liu <lantaol@google.com>
b50b5ca to
ed20174
Compare
Member
Author
|
@mikebrow Updated the PR to use the newly added containerd helper |
Member
Author
|
I added the test kubernetes-sigs/cri-tools#282. This PR passed the test: $ make test-cri FOCUS=RunAsGroup
/home/lantaol/workspace/bin/critest
Running Suite: CRI validation
=============================
Random Seed: 1522455630 - Will randomize all specs
Will run 70 specs
Running in parallel across 8 nodes
SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS
------------------------------
[BeforeEach] [k8s.io] Security Context
/home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/framework/framework.go:50
[BeforeEach] [k8s.io] Security Context
/home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/validate/security_context.go:52
[It] runtime should return error if RunAsGroup is set without RunAsUser
/home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/validate/security_context.go:376
STEP: create pod
STEP: create container with invalid RunAsGroup
STEP: create invalid RunAsGroup container
STEP: create a container with RunAsGroup without RunAsUser
STEP: Get image status for image: busybox:1.26
STEP: Create container.
E0331 00:20:31.185110 16991 remote_runtime.go:187] CreateContainer in sandbox "a6fab5752333e398cc3710f560f0dc5bfa90eec0d61a8f68156ee9c0b4544e3d" from runtime service failed: rpc error: code = Unknown desc = failed to generate user string: user group "1002" is specified without user
[AfterEach] [k8s.io] Security Context
/home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/framework/framework.go:51
[AfterEach] [k8s.io] Security Context
/home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/validate/security_context.go:57
STEP: stop PodSandbox
STEP: delete PodSandbox
•
------------------------------
[BeforeEach] [k8s.io] Security Context
/home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/framework/framework.go:50
[BeforeEach] [k8s.io] Security Context
/home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/validate/security_context.go:52
[It] runtime should support RunAsGroup
/home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/validate/security_context.go:358
STEP: create pod
STEP: create a PodSandbox with log directory
STEP: create container for security context RunAsGroup
STEP: create RunAsGroup container
STEP: create a container with RunAsUser and RunAsGroup
STEP: Get image status for image: busybox:1.26
STEP: Create container.
Mar 31 00:20:32.237: INFO: Created container "8e303ff0a02c4243a6f0a8597f2454555e97cba1f65311567eb662c1daecc4df"
STEP: start container
STEP: Start container for containerID: 8e303ff0a02c4243a6f0a8597f2454555e97cba1f65311567eb662c1daecc4df
Mar 31 00:20:32.352: INFO: Started container "8e303ff0a02c4243a6f0a8597f2454555e97cba1f65311567eb662c1daecc4df"
STEP: Get container status for containerID: 8e303ff0a02c4243a6f0a8597f2454555e97cba1f65311567eb662c1daecc4df
STEP: Get container status for containerID: 8e303ff0a02c4243a6f0a8597f2454555e97cba1f65311567eb662c1daecc4df
STEP: verify RunAsGroup for container
STEP: check container output
STEP: verify log contents
Mar 31 00:20:36.354: INFO: Open log file /tmp/podLogTest084028383/PodSandbox-with-log-directory-522fde28-3479-11e8-856a-42010af00002/container-with-RunAsGroup-test-52f0c7d1-3479-11e8-856a-42010af00002.log
Mar 31 00:20:36.354: INFO: Parse container log succeed
[AfterEach] [k8s.io] Security Context
/home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/framework/framework.go:51
[AfterEach] [k8s.io] Security Context
/home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/validate/security_context.go:57
STEP: stop PodSandbox
STEP: delete PodSandbox
• [SLOW TEST:5.701 seconds]
[k8s.io] Security Context
/home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/framework/framework.go:72
bucket
/home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/validate/security_context.go:288
runtime should support RunAsGroup
/home/lantaol/workspace/src/github.com/kubernetes-incubator/cri-tools/pkg/validate/security_context.go:358
------------------------------
Ran 2 of 70 Specs in 5.720 seconds
SUCCESS! -- 2 Passed | 0 Failed | 0 Pending | 68 Skipped
Ginkgo ran 1 suite in 5.761128797s
Test Suite Passed
PASS
./hack/test-utils.sh: line 53: 16920 Terminated keepalive "sudo ${ROOT}/_output/containerd ${CONTAINERD_FLAGS}" ${RESTART_WAIT_PERIOD} &> ${report_dir}/containerd.log |
5 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Based on containerd/containerd#2257.
RunAsGroupis added in Kubernetes 1.10 kubernetes/kubernetes#52077. We should support it.Please hold this PR until I add CRI validation test. kubernetes-sigs/cri-tools#280
Signed-off-by: Lantao Liu lantaol@google.com