Bug 1625353

Summary: Support for RunAsGroup as a pod security context
Product: OpenShift Container Platform
Reporter: Jason Kincl <kincljc>
Component: Containers
Assignee: Urvashi Mohnani <umohnani>
Status: CLOSED ERRATA
QA Contact: weiwei jiang <wjiang>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 4.1.0
CC: aos-bugs, dwalsh, jokerman, mmccomas, mpatel, sponnaga
Target Milestone: ---
Flags: wjiang: needinfo? (mpatel)
Target Release: 4.1.0
Hardware: Unspecified
OS: Unspecified
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-04 10:40:34 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Jason Kincl 2018-09-04 17:15:03 UTC
Description of problem:

We want to allow containers access to existing shared filesystems already present in our environment such as NFS. In order to do that we need to control the UID and all GIDs that the container process runs as so that a container process only has access to files on the shared filesystem that a user would have access to outside of the container.

Kubernetes has support for running the container as a specific UID with RunAsUser, and it can specify GIDs with supplementalGroups. However, the primary GID of the container is always root (0), which is not desirable for a shared filesystem.

Upstream has done some work in this area and a proposal for RunAsGroup has been accepted and progress is moving but slowly.[1]

In Kubernetes 1.10 the API spec changes have been completed and the container runtime shims support RunAsGroup, but it is gated as an alpha feature[2]. However, all of the work upstream is going toward the work for PSP, which as I understand it is not yet feature-compatible with OpenShift's SCC work.

Can we decide on a strategy here for supporting RunAsGroup in OpenShift? We have a number of moving parts, and there is still open discussion of whether this feature can be marked beta in 1.12, so we may still be a ways out, but it would be nice to get an idea of when this could be implemented in OpenShift as well.

[1] https://github.com/kubernetes/community/pull/756
[2] https://github.com/kubernetes/kubernetes/pull/52077

Comment 2 Daniel Walsh 2019-03-08 20:28:47 UTC
Mrunal are you working on this or do you want to designate Urvashi?

Comment 3 Mrunal Patel 2019-03-08 23:22:38 UTC
This is available in CRI-O 1.13. However the second part would be enabling the feature gate in kubelet for this.

Comment 5 weiwei jiang 2019-03-14 09:03:05 UTC
Need to wait for rhcos with the cri-o 1.13 package to verify. Currently the latest cri-o version is 1.12.6-1.

Comment 9 weiwei jiang 2019-05-07 09:38:28 UTC
Checked with 4.1.0-0.nightly-2019-05-05-070156 with 1.13.9-1.rhaos4.1.gitd70609a.el8, and RunAsGroup works well.

# echo 'apiVersion: v1
kind: Pod
metadata:
    generateName: sc-
spec:
    containers:
        -   name: csc
            image: openshift/hello-openshift
            securityContext: {runAsGroup: 4321}
        -   name: psc
            image: nginx
    securityContext: {runAsGroup: 1234} '| oc create -f -

sh-4.4# runc list |grep -E "4d5eb61a1a28a|d8283a874eb51"
4d5eb61a1a28a55ecd4c3c941d2aad6504da2b1cb3740db6d4e54ed59908e40a   53428       running     /run/containers/storage/overlay-containers/4d5eb61a1a28a55ecd4c3c941d2aad6504da2b1cb3740db6d4e54ed59908e40a/userdata   2019-05-07T09:28:32.43542341Z    root
d8283a874eb516438ea9b5cd919ccb5f5c4b5d7d30d49f1e1bd97af66d70b95c   53344       running     /run/containers/storage/overlay-containers/d8283a874eb516438ea9b5cd919ccb5f5c4b5d7d30d49f1e1bd97af66d70b95c/userdata   2019-05-07T09:28:29.136396508Z   root
sh-4.4# cat /run/containers/storage/overlay-containers/4d5eb61a1a28a55ecd4c3c941d2aad6504da2b1cb3740db6d4e54ed59908e40a/userdata/config.json |head
        "ociVersion": "1.0.0",
        "process": {
                "user": {
                        "uid": 0,
                        "gid": 1234
                "args": [
sh-4.4# cat /run/containers/storage/overlay-containers/d8283a874eb516438ea9b5cd919ccb5f5c4b5d7d30d49f1e1bd97af66d70b95c/userdata/config.json | json_
json_reformat  json_verify    
sh-4.4# cat /run/containers/storage/overlay-containers/d8283a874eb516438ea9b5cd919ccb5f5c4b5d7d30d49f1e1bd97af66d70b95c/userdata/config.json | head 
        "ociVersion": "1.0.0",
        "process": {
                "user": {
                        "uid": 1001,
                        "gid": 4321
                "args": [

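The precedence rule that the verification above exercises (container securityContext overrides pod securityContext, and a missing runAsGroup leaves the primary GID at 0 regardless of runAsUser), written out as an added example. This is not code from the reporter, OpenShift or CRI-O; the pod dict, the IMAGE_DEFAULT_UID table (1001 for hello-openshift is taken from the uid seen in the config.json above) and the CAPTURED config.json fragments are all constructed to mirror Comment 9.

```python
"""Effective UID/GID resolution for a Kubernetes pod, checked against the
process.user block of an OCI runtime config.json as CRI-O writes it.

Added example for this bug thread; not code from the reporter, OpenShift
or CRI-O.  Pod manifest, image-default UID table and captured config.json
fragments are constructed to mirror Comment 9.
"""
import json

# Constructed: the two-container pod from Comment 9 as a dict.
POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"generateName": "sc-"},
    "spec": {
        "containers": [
            {"name": "csc", "image": "openshift/hello-openshift",
             "securityContext": {"runAsGroup": 4321}},
            {"name": "psc", "image": "nginx"},
        ],
        "securityContext": {"runAsGroup": 1234},
    },
}

# Assumption: UID each image runs as when no runAsUser is set.  1001 for
# hello-openshift is the uid observed in Comment 9's config.json.
IMAGE_DEFAULT_UID = {"openshift/hello-openshift": 1001, "nginx": 0}

# Constructed: minimal config.json fragments carrying the process.user
# values Comment 9 observed for each container.
CAPTURED = {
    "csc": '{"ociVersion": "1.0.0", "process": {"user": {"uid": 1001, "gid": 4321}}}',
    "psc": '{"ociVersion": "1.0.0", "process": {"user": {"uid": 0, "gid": 1234}}}',
}


def effective_user(pod_spec, container, image_default_uid=0):
    """Resolve the identity a container process should receive.

    Precedence: container.securityContext > pod.securityContext > image
    default.  runAsGroup is the field this bug is about: without it at
    either level the primary GID stays 0 whatever runAsUser says, which is
    why supplementalGroups alone did not cover the shared-NFS case.
    """
    pod_sc = pod_spec.get("securityContext") or {}
    ctr_sc = container.get("securityContext") or {}
    uid = ctr_sc.get("runAsUser", pod_sc.get("runAsUser", image_default_uid))
    gid = ctr_sc.get("runAsGroup", pod_sc.get("runAsGroup", 0))
    # supplementalGroups is pod-level only and maps to additionalGids.
    extra = sorted(set(pod_sc.get("supplementalGroups", [])))
    return {"uid": uid, "gid": gid, "additionalGids": extra}


def check_oci_config(config_json, expected):
    """Compare process.user in an OCI config.json with the expected
    identity.  Returns a list of mismatch descriptions; empty means OK."""
    user = json.loads(config_json)["process"]["user"]
    problems = []
    for key in ("uid", "gid"):
        if user.get(key) != expected[key]:
            problems.append(f"{key}: got {user.get(key)}, want {expected[key]}")
    # The runtime may add groups of its own (e.g. from the image's
    # /etc/group), so only require each requested supplemental group.
    present = set(user.get("additionalGids", []))
    for gid in expected["additionalGids"]:
        if gid not in present:
            problems.append(f"additionalGids: missing {gid}")
    return problems


def verify_pod(pod=POD, captured=CAPTURED):
    """Run the check for every container; maps container name -> problems."""
    results = {}
    for ctr in pod["spec"]["containers"]:
        expected = effective_user(pod["spec"], ctr,
                                  IMAGE_DEFAULT_UID.get(ctr["image"], 0))
        results[ctr["name"]] = check_oci_config(captured[ctr["name"]], expected)
    return results


if __name__ == "__main__":
    for name, problems in verify_pod().items():
        print(name, "OK" if not problems else problems)
```

On a live node the CAPTURED strings would be replaced by the contents of each container's userdata/config.json under /run/containers/storage/overlay-containers, as read in the session above; the comparison logic stays the same.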
Comment 11 errata-xmlrpc 2019-06-04 10:40:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.