Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Specify the user and group to be executed for kwokctl exec #677

Merged
merged 1 commit into from
Jul 7, 2023

Conversation

lianghao208
Copy link
Member

@lianghao208 lianghao208 commented Jun 25, 2023

What type of PR is this?

/kind feature
/kind api-change

What this PR does / why we need it:

ref: #660

Which issue(s) this PR fixes:

Fixes #660

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Add securityContext for Exec API

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:


@k8s-ci-robot k8s-ci-robot added kind/feature Categorizes issue or PR as related to a new feature. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API labels Jun 25, 2023
@netlify
Copy link

netlify bot commented Jun 25, 2023

Deploy Preview for k8s-kwok canceled.

Name Link
🔨 Latest commit cf87f10
🔍 Latest deploy log https://app.netlify.com/sites/k8s-kwok/deploys/64a7e05c95004c000888c900

@k8s-ci-robot k8s-ci-robot requested a review from wzshiming June 25, 2023 11:38
@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Jun 25, 2023
@k8s-ci-robot k8s-ci-robot requested a review from yibozhuang June 25, 2023 11:38
@k8s-ci-robot k8s-ci-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Jun 25, 2023
@lianghao208 lianghao208 force-pushed the exec-isolating branch 4 times, most recently from d784d5c to e97540f Compare June 25, 2023 11:55
@k8s-ci-robot k8s-ci-robot added the kind/documentation Categorizes issue or PR as related to documentation. label Jun 25, 2023
Copy link
Member

@wzshiming wzshiming left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://github.com/kubernetes/kubernetes/blob/6cb0308dbf9790e47657a08bda7960600f7c43a3/pkg/apis/core/types.go#L3316-L3331

Let's not create users, but use existing ones

securityContext:
  runAsUser: <*int64>
  runAsGroup: <*int64>

pkg/utils/exec/cmd_other.go Outdated Show resolved Hide resolved
pkg/apis/v1alpha1/exec_types.go Outdated Show resolved Hide resolved
@lianghao208
Copy link
Member Author

lianghao208 commented Jun 26, 2023

Let's not create users, but use existing ones

@wzshiming If we specify user by securityContext.runAsUser(uid and gid only), we may not be able to specify username and group name, should we use uid and gid in User struct instead?

// User specifies the existing uid and gid to run exec command in container process.
type User struct {
	// RunAsUser is the existing uid to run exec command in container process.
	RunAsUser *int64
	// RunAsGroup is the existing gid to run exec command in container process.
	RunAsGroup *int64
}

@wzshiming
Copy link
Member

Let's not create users, but use existing ones

@wzshiming If we specify user by securityContext.runAsUser(uid and gid only), we may not be able to specify username and group name, should we use uid and gid in User struct instead?

// User specifies the existing uid and gid to run exec command in container process.
type User struct {
	// RunAsUser is the existing uid to run exec command in container process.
	RunAsUser *int64
	// RunAsGroup is the existing gid to run exec command in container process.
	RunAsGroup *int64
}

Yes, Creating users and groups can cause some damage and is very risky, so don't let kwok get involved.

@lianghao208 lianghao208 force-pushed the exec-isolating branch 3 times, most recently from 820f446 to 1b47b8b Compare June 26, 2023 12:08
@lianghao208
Copy link
Member Author

Yes, Creating users and groups can cause some damage and is very risky, so don't let kwok get involved.

@wzshiming in this case, do we need to implement pod securityContext.runAsUser functionality as well(pod is also virtual in kwok, securityContext.runAsUser in pod spec doesn't work as expected in kwok)?

@wzshiming
Copy link
Member

We define our own, which has only two fields.

type SecurityContext struct {
  RunAsUser *int64 `json:"runAsUser,omitempty"`
  RunAsGroup *int64 `json:"runAsGroup,omitempty"`
}

pkg/utils/exec/exec.go Outdated Show resolved Hide resolved
pkg/apis/v1alpha1/exec_types.go Outdated Show resolved Hide resolved
pkg/apis/v1alpha1/exec_types.go Outdated Show resolved Hide resolved
pkg/utils/exec/cmd_other.go Outdated Show resolved Hide resolved
pkg/utils/exec/cmd_windows.go Outdated Show resolved Hide resolved
@lianghao208 lianghao208 force-pushed the exec-isolating branch 7 times, most recently from 97c0afd to 7a178cf Compare June 27, 2023 07:24
@k8s-ci-robot k8s-ci-robot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Jul 6, 2023
@k8s-ci-robot k8s-ci-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Jul 6, 2023
@lianghao208 lianghao208 force-pushed the exec-isolating branch 4 times, most recently from 9f57d24 to c9b0e4e Compare July 7, 2023 02:00
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Jul 7, 2023
pkg/utils/exec/cmd_other.go Outdated Show resolved Hide resolved
test/kwokctl/suite.sh Outdated Show resolved Hide resolved
test/kwokctl/kwokctl_exec_test.sh Outdated Show resolved Hide resolved
pkg/utils/exec/cmd_other.go Show resolved Hide resolved
test/kwokctl/suite.sh Outdated Show resolved Hide resolved
@lianghao208 lianghao208 force-pushed the exec-isolating branch 6 times, most recently from 45ea261 to d39747e Compare July 7, 2023 08:35
Copy link
Member

@wzshiming wzshiming left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve
/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 7, 2023
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: lianghao208, wzshiming

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 7, 2023
@k8s-ci-robot k8s-ci-robot merged commit e1a183f into kubernetes-sigs:main Jul 7, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API kind/documentation Categorizes issue or PR as related to documentation. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[kwok] Isolating the exec of kwokctl
3 participants