Promote RunAsGroup to Beta

[krmayankk]

What this PR does / why we need it:
promote this feature to beta for 1.14 kubernetes/enhancements#213

• API is unchanged
• Leave all feature gate checks
• Enable it by default

The `RunAsGroup` feature has been promoted to beta and enabled by default. PodSpec and PodSecurityPolicy objects can be used to control the primary GID of containers on supported container runtimes.

/milestone v1.14

[krmayankk]

/assign @liggitt @tallclair

[krmayankk]

/kind feature

[krmayankk]

/sig auth

[krmayankk]

/test pull-kubernetes-bazel-test

[krmayankk]

/test pull-kubernetes-e2e-kops-aws

[liggitt]

• are there tests that should be promoted as part of this (so they run in non-alpha CI suites)?
• do we have information about which container runtimes support this (and at which versions)? that might be good to include in the release notes
• would also be good to go ahead and open a doc PR against the dev-1.14 website branch with doc updates for this and link it here

[krmayankk]

@liggitt

are there tests that should be promoted as part of this (so they run in non-alpha CI suites)?

These are the e2e tests for this https://github.com/kubernetes/kubernetes/blob/master/test/e2e/node/security_context.go#L86 . I was told they always run for all CI suites. Trying to find the answer to this on testing

do we have information about which container runtimes support this (and at which versions)? that might be good to include in the release notes

Containerd and CRI-O support this there
Containerd: containerd/cri#710 (Available in v1.0.0-rc.1)
CRI-O: cri-o/cri-o#1601 (Available in v1.13.0)

would also be good to go ahead and open a doc PR against the dev-1.14 website branch with doc updates for this and link it here

kubernetes/website#12297

[liggitt]

/assign @tallclair
cc @kubernetes/sig-node-api-reviews for lgtm

These are the e2e tests for this https://github.com/kubernetes/kubernetes/blob/master/test/e2e/node/security_context.go#L86 . I was told they always run for all CI suites. Trying to find the answer to this on testing

The [Feature:RunAsGroup] tag means they do not run in all CI tests, only when explicitly included. If this is being enabled by default, I think the feature tag should be removed from that test.

[krmayankk]

Adding @BenTheElder for any insights . I am looking for direction in this area . Should I remove the feature flag from the e2e ?

[BenTheElder]

just echoing what @liggitt said, in presubmit for example we exclude [Feature:.*] for feature gated things, if this is no longer feature gated then we should remove that tag from the test

[liggitt]

progress! that made those tests actually run, which is good. looks like the selinux one ([k8s.io] [sig-node] Security Context should support volume SELinux relabeling) does not work in the CI environment. edit: it sometimes works, but flakes regularly.

@kubernetes/sig-node-pr-reviews do we need to add a [Feature:SELinux] tag to that test specifically, since it doesn't work in all environments?

[krmayankk]

/test pull-kubernetes-e2e-gce

[krmayankk]

@liggitt that seemed like a flake, everything is passing now including the selinux one

[liggitt]

/test pull-kubernetes-e2e-gce

[BenTheElder]

note: the SELinux one only passed in the last run due to our retry attempts which allows flaky tests to run again >.> https://gubernator.k8s.io/build/kubernetes-jenkins/pr-logs/pull/73007/pull-kubernetes-e2e-gce/69984/#k8sio-sig-node-security-context-should-support-volume-selinux-relabeling-when-using-hostpid

[BenTheElder]

and there were two failures from this in: https://gubernator.k8s.io/build/kubernetes-jenkins/pr-logs/pull/73007/pull-kubernetes-e2e-gce/69727/

[liggitt]

/test pull-kubernetes-e2e-gce

[liggitt]

seems like we should tag the selinux test as [flaky] and open an issue for sig-node or sig-storage to resolve. this seems good to go otherwise

[krmayankk]

Added #74482
How do i mark it as flaky, just add the [flaky] tag in the same way we add the feature flag tag ? (my grep didnt return anything in k/k

[krmayankk]

How do i mark it as flaky, just add the [flaky] tag in the same way we add the feature flag tag ? (my grep didnt return anything in k/k

ignore this found an example , adding

[liggitt]

most of these seem specific to Linux... do we need to add [LinuxOnly] to these as some other tests do? xref #73922

cc @spiffxp

[liggitt]

per https://kubernetes.slack.com/archives/C09QZ4DQB/p1551136840248100, let's add [LinuxOnly] to the individual tests that make use of linux-only function in the security context (which I think is all of these individual tests):

https://github.com/kubernetes/enhancements/blob/master/keps/sig-windows/20190103-windows-node-support.md#what-will-never-work:

• uid (runasuser)
• gid (fsgroup, runasgroup, supplementalgroup)
• selinux
• seccomp

[krmayankk]

added [LinuxOnly]

[liggitt]

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: krmayankk, liggitt

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• pkg/features/OWNERS [liggitt]
• test/e2e/node/OWNERS [liggitt]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[fejta-bot]

This PR may require API review.

If so, when the changes are ready, complete the pre-review checklist and request an API review.

Status of requested reviews is tracked in the API Review project.

[fejta-bot]

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.