Description of problem:
Fork this bug from upstream: https://github.com/kubernetes/kubernetes/issues/16352
When create pod with invalid Supplemental Groups and FSGroup, should tip invalid value and create pod failed.

Version-Release number of selected component (if applicable):
openshift v1.0.7-287-g60781e3-dirty
kubernetes v1.2.0-alpha.1-1107-g4c8e6f4
etcd 2.1.2

How reproducible:
Always

Steps to Reproduce:
1. Create pod with invalid Supplemental Groups and fsGroup

[root@ip-172-18-1-44 kubernetes]# cat pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: nfs-server
  labels:
    role: nfs-server
spec:
  containers:
  - name: nfs-server
    image: jsafrane/nfs-data
    ports:
    - name: nfs
      containerPort: 2049
    securityContext:
      privileged: false
  securityContext:
    supplementalGroups:
    - -123
    fsGroup: 2147483648

[root@ip-172-18-1-44 kubernetes]# oc create -f pod.yaml
pod "nfs-server" created

2. Check the pod

[root@ip-172-18-1-44 kubernetes]# oc get pod
NAME         READY     STATUS               RESTARTS   AGE
nfs-server   0/1       ContainerCannotRun   0          5s

[root@ip-172-18-1-44 kubernetes]# oc describe pod/nfs-server
Name:                     nfs-server
Namespace:                default
Image(s):                 jsafrane/nfs-data
Node:                     127.0.0.1/127.0.0.1
Start Time:               Tue, 27 Oct 2015 08:38:15 +0000
Labels:                   role=nfs-server
Status:                   Running
Reason:
Message:
IP:                       172.17.0.95
Replication Controllers:  <none>
Containers:
  nfs-server:
    Container ID:   docker://bcf6257270654a05aa6598330451919a63bb325ce95a531bb0ddadc0f9633ee2
    Image:          jsafrane/nfs-data
    Image ID:       docker://c33ae16781aa35f163327995f83790c60f78d0cca9e1d73d766ac5300ea30a32
    QoS Tier:
      memory:       BestEffort
      cpu:          BestEffort
    State:          Terminated
      Reason:       ContainerCannotRun
      Message:      [8] System error: Uids and gids must be in range 0-2147483647
      Exit Code:    -1
      Started:      Tue, 27 Oct 2015 08:38:15 +0000
      Finished:     Tue, 27 Oct 2015 08:38:15 +0000
    Ready:          False
    Restart Count:  0
    Environment Variables:
Conditions:
  Type      Status
  Ready     False
Volumes:
  default-token-df70w:
    Type:        Secret (a secret that should populate this volume)
    SecretName:  default-token-df70w
Events:
  FirstSeen  LastSeen  Count  From                 SubobjectPath                      Reason     Message
  ─────────  ────────  ─────  ────                 ─────────────                      ──────     ───────
  23s        23s       1      {scheduler }                                            Scheduled  Successfully assigned nfs-server to 127.0.0.1
  23s        23s       1      {kubelet 127.0.0.1}  implicitly required container POD  Pulled     Container image "beta.gcr.io/google_containers/pause:2.0" already present on machine
  23s        23s       1      {kubelet 127.0.0.1}  implicitly required container POD  Created    Created with docker id 93e8ffb337c9
  23s        23s       1      {kubelet 127.0.0.1}  implicitly required container POD  Started    Started with docker id 93e8ffb337c9
  23s        23s       1      {kubelet 127.0.0.1}  spec.containers{nfs-server}        Created    Created with docker id bcf625727065
  23s        23s       1      {kubelet 127.0.0.1}  spec.containers{nfs-server}        Failed     Failed to start with docker id bcf625727065 with error: API error (500): Cannot start container bcf6257270654a05aa6598330451919a63bb325ce95a531bb0ddadc0f9633ee2: [8] System error: Uids and gids must be in range 0-2147483647
  23s        13s       2      {kubelet 127.0.0.1}  spec.containers{nfs-server}        Pulled     Container image "jsafrane/nfs-data" already present on machine

Actual results:
1. Create pod no tip invalid value.
2. The pod has some error "Uids and gids must be in range 0-2147483647"

Expected results:
1. When create pod should tip invalid value.

Additional info:
This is an upstream issue being addressed in https://github.com/kubernetes/kubernetes/pull/16354.
This does need to be fixed; I reached out to the author of the upstream PR. Will make my own PR for this if I don't get a response soon.
Not a 3.1.1 blocker
This bug should be fixed. Andy, could you set this bug on_qa?
Verify on openshift v3.1.1.906

[root@dhcp-128-7 origin]# oc create -f pod.yaml
The Pod "nfs-server" is invalid.

* spec.securityContext.fsGroup: Invalid value: 2147483648: must be between 0 and 2147483647, inclusive
* spec.securityContext.supplementalGroups[0]: Invalid value: -123: must be between 0 and 2147483647, inclusive