
fsGroup permissions are not applied when using the gitRepo plugin #482

Closed
andrewgdavis opened this issue Aug 12, 2016 · 4 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@andrewgdavis

Minimal test case:

bad-perm.yaml:

kind: Pod
apiVersion: v1
metadata:
  name: bad-perm
  labels:
    app: bad-perm
spec:
  securityContext:
    runAsUser: 1000
    fsGroup: 1000
  containers:
  - name: run
    image: busybox
    imagePullPolicy: "IfNotPresent"
    command: [ "sh", "-c", "cat /etc/passwd && ls -la / && whoami" ]
    volumeMounts:
    - name: repo
      mountPath: /repo
    - name: test
      mountPath: /empty
  volumes:
    - name: test
      emptyDir: {}
    - name: repo
      gitRepo:
        repository: "https://github.com/kubernetes/minikube.git"

output:

kubectl logs -f bad-perm
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
bin:x:2:2:bin:/bin:/bin/false
sys:x:3:3:sys:/dev:/bin/false
sync:x:4:100:sync:/bin:/bin/sync
mail:x:8:8:mail:/var/spool/mail:/bin/false
www-data:x:33:33:www-data:/var/www:/bin/false
operator:x:37:37:Operator:/var:/bin/false
nobody:x:99:99:nobody:/home:/bin/false
total 44
drwxr-xr-x   21 root     root          4096 Aug 12 20:43 .
drwxr-xr-x   21 root     root          4096 Aug 12 20:43 ..
-rwxr-xr-x    1 root     root             0 Aug 12 20:43 .dockerenv
drwxr-xr-x    2 root     root         12288 Jun 23 20:13 bin
drwxr-xr-x    5 root     root           380 Aug 12 20:43 dev
drwxrwsrwx    2 root     1000            40 Aug 12 20:41 empty <---- Good perms on EmptyDir
drwxr-xr-x    2 root     root          4096 Aug 12 20:43 etc
drwxr-xr-x    2 nobody   nogroup       4096 Jun 23 20:13 home
dr-xr-xr-x  168 root     root             0 Aug 12 20:43 proc
drwxrwxrwx    3 root     root            60 Aug 12 20:41 repo <---- Not applied :(
drwxr-xr-x    2 root     root          4096 Jun 23 20:13 root
dr-xr-xr-x   13 root     root             0 Aug 12 20:40 sys
drwxrwxrwt    2 root     root          4096 Jun 23 20:13 tmp
drwxr-xr-x    3 root     root          4096 Jun 23 20:13 usr
drwxr-xr-x    5 root     root          4096 Aug 12 20:43 var
whoami: unknown uid 1000

system details:
minikube version: v0.7.1
Darwin Kernel Version 15.3.0

This PR was merged, so the functionality is there:
https://github.com/kubernetes/kubernetes/pull/22995/files

@dlorenc
Contributor

dlorenc commented Aug 16, 2016

Hmm, I see the same thing in GKE (v1.3.4):

$ ls -la
total 52
drwxr-xr-x 21 root root 4096 Aug 16 23:05 .
drwxr-xr-x 21 root root 4096 Aug 16 23:05 ..
-rwxr-xr-x 1 root root 0 Aug 16 23:05 .dockerenv
-rwxr-xr-x 1 root root 0 Aug 16 23:05 .dockerinit
drwxr-xr-x 2 root root 12288 Jun 23 20:13 bin
drwxr-xr-x 5 root root 380 Aug 16 23:05 dev
drwxrwsrwx 2 root 1000 4096 Aug 16 23:05 empty
drwxr-xr-x 2 root root 4096 Aug 16 23:05 etc
drwxr-xr-x 2 nobody nogroup 4096 Jun 23 20:13 home
dr-xr-xr-x 99 root root 0 Aug 16 23:05 proc
drwxrwxrwx 3 root root 4096 Aug 16 23:05 repo
drwxr-xr-x 2 root root 4096 Jun 23 20:13 root
dr-xr-xr-x 13 root root 0 Aug 16 23:05 sys
drwxrwxrwt 2 root root 4096 Jun 23 20:13 tmp
drwxr-xr-x 3 root root 4096 Jun 23 20:13 usr
drwxr-xr-x 5 root root 4096 Aug 16 23:05 var

Do you get the correct output somewhere else?

@andrewgdavis
Author

I performed the minimal test case above with minikube using both vbox and xhyve.

I suppose it might still be an open issue. This is the document that I think folks are driving towards, but the current state of affairs is nebulous.

https://github.com/kubernetes/kubernetes/blob/master/docs/proposals/volumes.md

In the first round of work, only hostPath and emptyDir and its derivations will be tested with ownership management support:

Plugin Name              SupportsOwnershipManagement
hostPath                 false
emptyDir                 true
gitRepo                  true
secret                   true
downwardAPI              true
gcePersistentDisk        false
awsElasticBlockStore     false
nfs                      false
iscsi                    false
glusterfs                false
persistentVolumeClaim    depends on underlying volume and PV mode
rbd                      false
cinder                   false
cephfs                   false

Not sure if SupportsOwnershipManagement encompasses SecurityContext: runAsUser, or fsGroup, or both.

I was trying to dig into the code base to see how things work, and found it interesting that the implementation was pretty much the same between emptyDir and gitRepo, but the behavior was different.

@dlorenc
Contributor

dlorenc commented Aug 18, 2016

Would you mind opening this as an issue against kubernetes/kubernetes? I haven't been able to get this working in a production GKE cluster either, so it's unlikely to be an issue with Minikube specifically.

dlorenc added the kind/bug label Aug 18, 2016
@andrewgdavis
Author

kubernetes/kubernetes#2630 looks to be relevant.

For me it isn't a big issue; I just used an InitContainer to perform a git clone.
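The InitContainer workaround mentioned in the last comment, written out as an added example (not from the issue author or the minikube project): the repository is cloned into an emptyDir, which the thread shows does receive the fsGroup ownership and setgid bit, so the cloned tree ends up group-accessible to the non-root main container. The image name alpine/git and the chmod step are assumptions of this example.

```yaml
kind: Pod
apiVersion: v1
metadata:
  name: repo-via-init
spec:
  securityContext:
    runAsUser: 1000
    fsGroup: 1000          # applied to the emptyDir before any container starts
  initContainers:
  - name: clone
    image: alpine/git      # assumption: any image with git and sh works
    securityContext:
      runAsUser: 0         # clone as root; no home or passwd entry needed for git
    command:
    - sh
    - -c
    # The setgid bit on /repo makes new files inherit group 1000;
    # g+w is an explicit extra step (assumption) so uid 1000 can also write.
    - git clone --depth=1 https://github.com/kubernetes/minikube.git /repo/minikube
      && chmod -R g+w /repo/minikube
    volumeMounts:
    - name: repo
      mountPath: /repo
  containers:
  - name: run
    image: busybox
    # Runs as uid 1000 / group 1000 from the pod securityContext and should
    # see root:1000 ownership with the 's' bit on /repo, unlike gitRepo volumes.
    command: ["sh", "-c", "id && ls -la /repo && touch /repo/minikube/.writable"]
    volumeMounts:
    - name: repo
      mountPath: /repo
  volumes:
  - name: repo
    emptyDir: {}
```

The main container's `touch` succeeds only if both group ownership and write permission were propagated; a failure there reproduces the symptom the issue describes.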
