Bug 1271948

Summary: [platformmanagement_public_495] The pod's Sgid was always 0
Product: OKD
Reporter: zhou ying <yinzhou>
Component: Security
Assignee: Paul Weil <pweil>
Status: CLOSED NOTABUG
QA Contact: Xiaoli Tian <xtian>
Severity: medium
Priority: unspecified
Version: 3.x
CC: aos-bugs, jialiu, lmeyer, mmccomas, yinzhou
Type: Bug
Doc Type: Bug Fix
Last Closed: 2015-10-16 09:42:45 UTC

Description zhou ying 2015-10-15 06:57:13 UTC
Description of problem:
The pod's Sgid was always 0, not corresponding to the project's supplemental-groups range.

Version-Release number of selected component (if applicable):
oc v1.0.6-622-g47d1103
kubernetes v1.1.0-alpha.1-653-g86b4e77
AMI:qe_devenv-rhel7_2467

How reproducible:
always

Steps to Reproduce:
1. Create a new project, check the project info:
oc new-project zhouy
Now using project "zhouy" on server "https://localhost:8443".
[root@ip-172-18-4-110 amd64]# oc get project zhouy -o json
{
    "kind": "Project",
    "apiVersion": "v1",
    "metadata": {
        "name": "zhouy",
        "selfLink": "/oapi/v1/projects/zhouy",
        "uid": "2cf2573d-7302-11e5-bf1c-0e6de9bf13fb",
        "resourceVersion": "254",
        "creationTimestamp": "2015-10-15T06:01:28Z",
        "annotations": {
            "openshift.io/description": "",
            "openshift.io/display-name": "",
            "openshift.io/sa.scc.mcs": "s0:c6,c0",
            "openshift.io/sa.scc.supplemental-groups": "1000030000/10000",
            "openshift.io/sa.scc.uid-range": "1000030000/10000"
        }
    },
    "spec": {
        "finalizers": [
            "openshift.io/origin",
            "kubernetes"
        ]
    },
    "status": {
        "phase": "Active"
    }
}
2. Create a pod that does not specify the supplemental groups;
3. Create a pod that specifies the supplemental group id 1000030999;
4. Check the pod info.

Actual results:
After steps 2 and 3, the pod's Sgid was always 0:
oc exec -p hello-pod id
uid=1000030000 gid=0(root) groups=0(root)

Expected results:
If the supplemental group is not specified, the default Sgid should be the min value of "openshift.io/sa.scc.supplemental-groups";
If the supplemental group is specified and is in the range of "openshift.io/sa.scc.supplemental-groups", the Sgid should be the specified number.


Additional info:
{
  "kind": "Pod",
  "apiVersion": "v1",
  "metadata": {
    "name": "hello-pod",
    "labels": {
      "name": "hello-pod"
    }
  },
  "spec": {
    "securityContext": {
      "supplementalGroups": [
        1000030999
      ]
    },
    "containers": [
      {
        "name": "hello-pod",
        "image": "bmeng/hello-openshift",
        "ports": [
          {
            "containerPort": 80
          }
        ]
      }
    ]
  }
}
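The defaulting and range check the expected results describe, plus a check of the `id` line from the actual results, as an added worked example. This is illustration code written for this page, not the reporter's pod definition and not OpenShift's SCC admission code; the "min/size" annotation format and the sample values come from the report, while the function names (ParseIDRange, AssignSupplementalGroups, ParseIDGroups, HasGroups) are hypothetical.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// IDRange is a block of IDs in the "min/size" form used by the
// openshift.io/sa.scc.supplemental-groups project annotation
// ("1000030000/10000" in the report).
type IDRange struct {
	Min  int64
	Size int64
}

// Max is the last ID in the range, inclusive.
func (r IDRange) Max() int64 { return r.Min + r.Size - 1 }

// Contains reports whether gid lies inside the range.
func (r IDRange) Contains(gid int64) bool { return gid >= r.Min && gid <= r.Max() }

// ParseIDRange parses the "min/size" annotation value.
func ParseIDRange(s string) (IDRange, error) {
	parts := strings.SplitN(strings.TrimSpace(s), "/", 2)
	if len(parts) != 2 {
		return IDRange{}, fmt.Errorf("range %q: expected min/size", s)
	}
	start, err := strconv.ParseInt(parts[0], 10, 64)
	if err != nil || start < 0 {
		return IDRange{}, fmt.Errorf("range %q: bad min", s)
	}
	size, err := strconv.ParseInt(parts[1], 10, 64)
	if err != nil || size < 1 {
		return IDRange{}, fmt.Errorf("range %q: bad size", s)
	}
	return IDRange{Min: start, Size: size}, nil
}

// AssignSupplementalGroups applies the rule the report expects of admission
// (hypothetical helper, not OpenShift's code): no requested groups -> default
// to the first ID of the project range; requested groups -> every one must
// fall inside the range, otherwise the pod is rejected.
func AssignSupplementalGroups(projectRange IDRange, requested []int64) ([]int64, error) {
	if len(requested) == 0 {
		return []int64{projectRange.Min}, nil
	}
	out := make([]int64, 0, len(requested))
	for _, gid := range requested {
		if !projectRange.Contains(gid) {
			return nil, fmt.Errorf("supplemental group %d is outside the allowed range %d-%d",
				gid, projectRange.Min, projectRange.Max())
		}
		out = append(out, gid)
	}
	return out, nil
}

// ParseIDGroups extracts the numeric group IDs from one line of `id` output,
// e.g. "uid=1000030000 gid=0(root) groups=0(root),1000030999".
func ParseIDGroups(line string) ([]int64, error) {
	for _, field := range strings.Fields(line) {
		if !strings.HasPrefix(field, "groups=") {
			continue
		}
		var gids []int64
		for _, item := range strings.Split(strings.TrimPrefix(field, "groups="), ",") {
			num := item
			if i := strings.IndexByte(item, '('); i >= 0 {
				num = item[:i] // drop the "(name)" suffix
			}
			gid, err := strconv.ParseInt(num, 10, 64)
			if err != nil {
				return nil, fmt.Errorf("bad group entry %q", item)
			}
			gids = append(gids, gid)
		}
		return gids, nil
	}
	return nil, fmt.Errorf("no groups= field in %q", line)
}

// HasGroups reports whether every gid in want appears in the `id` output,
// i.e. whether the container runtime actually applied the assigned groups.
func HasGroups(idLine string, want []int64) (bool, error) {
	got, err := ParseIDGroups(idLine)
	if err != nil {
		return false, err
	}
	have := make(map[int64]bool, len(got))
	for _, gid := range got {
		have[gid] = true
	}
	for _, gid := range want {
		if !have[gid] {
			return false, nil
		}
	}
	return true, nil
}

func main() {
	rng, _ := ParseIDRange("1000030000/10000") // value from the report
	for _, requested := range [][]int64{nil, {1000030999}, {1000040000}} {
		assigned, err := AssignSupplementalGroups(rng, requested)
		fmt.Printf("requested %v -> assigned %v, err %v\n", requested, assigned, err)
	}
	// The `id` line from the actual results: the assigned group never arrived.
	ok, _ := HasGroups("uid=1000030000 gid=0(root) groups=0(root)", []int64{1000030999})
	fmt.Println("runtime applied supplemental group:", ok)
}
```

The split between AssignSupplementalGroups and HasGroups mirrors the two places this report could have gone wrong: admission (did the pod get the right groups) and the runtime (did docker honour them). Comparing `oc get pod` against `id` inside the container tells you which half to blame.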

Comment 1 Paul Weil 2015-10-15 13:27:18 UTC
I assume you were testing this with my branch that does the defaulting and assignment.

Can you do a couple of things:

1. docker inspect <pod> and look for the add groups field and ensure it was passed along?
2. if the pod description is from oc get pod <name> post creation it looks like the admission is working correctly.
3. can you ensure you are testing with docker 1.8+ with the supplemental group patches (Sami - email below or Paul Morie can help with that)? If you are using an earlier version your docker will either ignore the add groups OR fail trying to look up /etc/groups

Comment 3 zhou ying 2015-10-16 09:42:45 UTC
The docker version is 1.7.1, so this should not be a bug.