Description of problem:

We want to allow containers access to existing shared filesystems already present in our environment, such as NFS. In order to do that we need to control the UID and all GIDs that the container process runs as, so that a container process only has access to files on the shared filesystem that a user would have access to outside of the container. Kubernetes has support for running the container as a specific UID with RunAsUser, and it can specify GIDs with supplementalGroups. However, the primary GID of the container is always root (0), which is not desirable for a shared filesystem.

Upstream has done some work in this area and a proposal for RunAsGroup has been accepted; progress is moving, but slowly [1]. In Kubernetes 1.10 the API spec changes have been completed and the container runtime shims support RunAsGroup, but it is gated as an alpha feature [2]. However, all of the work upstream is going toward PSP, which as I understand it is not yet feature-compatible with OpenShift's SCC work.

Can we decide on a strategy here for supporting RunAsGroup in OpenShift? We have a number of moving parts and there is still open discussion of whether this feature can be marked beta in 1.12, so we may still be a ways out, but it would be nice to get an idea of when this could be implemented in OpenShift as well.

[1] https://github.com/kubernetes/community/pull/756
[2] https://github.com/kubernetes/kubernetes/pull/52077
Mrunal, are you working on this or do you want to designate Urvashi?
This is available in CRI-O 1.13. However, the second part would be enabling the feature gate in kubelet for this.
Need to wait for RHCOS with the cri-o 1.13 package to verify. Currently the latest cri-o version is 1.12.6-1.
Checked with 4.1.0-0.nightly-2019-05-05-070156 with 1.13.9-1.rhaos4.1.gitd70609a.el8 and RunAsGroup works well.

# echo 'apiVersion: v1
kind: Pod
metadata:
  generateName: sc-
spec:
  containers:
  - name: csc
    image: openshift/hello-openshift
    securityContext: {runAsGroup: 4321}
  - name: psc
    image: nginx
    securityContext: {runAsGroup: 1234}
'| oc create -f -

sh-4.4# runc list |grep -E "4d5eb61a1a28a|d8283a874eb51"
4d5eb61a1a28a55ecd4c3c941d2aad6504da2b1cb3740db6d4e54ed59908e40a   53428   running   /run/containers/storage/overlay-containers/4d5eb61a1a28a55ecd4c3c941d2aad6504da2b1cb3740db6d4e54ed59908e40a/userdata   2019-05-07T09:28:32.43542341Z    root
d8283a874eb516438ea9b5cd919ccb5f5c4b5d7d30d49f1e1bd97af66d70b95c   53344   running   /run/containers/storage/overlay-containers/d8283a874eb516438ea9b5cd919ccb5f5c4b5d7d30d49f1e1bd97af66d70b95c/userdata   2019-05-07T09:28:29.136396508Z   root

sh-4.4# cat /run/containers/storage/overlay-containers/4d5eb61a1a28a55ecd4c3c941d2aad6504da2b1cb3740db6d4e54ed59908e40a/userdata/config.json |head
{
  "ociVersion": "1.0.0",
  "process": {
    "user": {
      "uid": 0,
      "gid": 1234
    },
    "args": [
      "nginx",
      "-g",

sh-4.4# cat /run/containers/storage/overlay-containers/d8283a874eb516438ea9b5cd919ccb5f5c4b5d7d30d49f1e1bd97af66d70b95c/userdata/config.json | json_
json_reformat  json_verify

sh-4.4# cat /run/containers/storage/overlay-containers/d8283a874eb516438ea9b5cd919ccb5f5c4b5d7d30d49f1e1bd97af66d70b95c/userdata/config.json | head
{
  "ociVersion": "1.0.0",
  "process": {
    "user": {
      "uid": 1001,
      "gid": 4321
    },
    "args": [
      "/hello-openshift"
    ],
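The verification above compares the Pod's securityContext by eye with the `process.user` block that runc materialises in each container's OCI config.json. The following is an added example, not code from the bug report, from OpenShift or from CRI-O: it automates that comparison for the Pod in the comment above and also flags the situation the description complains about (no runAsGroup, so the primary GID stays 0). The Pod dict mirrors the manifest used in the comment, the OCI fragments are constructed to match the output shown, and the `additionalGids` check relies on the OCI runtime-spec field of that name.

```python
"""Check that a container runtime honoured a Pod's runAsUser/runAsGroup/supplementalGroups.

Added example: compares the Pod securityContext with the `process.user`
block of the OCI runtime config.json that runc/CRI-O write for each container.
"""
import json

# Constructed sample, mirroring the Pod used in the verification comment.
POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "spec": {
        "containers": [
            {"name": "csc", "image": "openshift/hello-openshift",
             "securityContext": {"runAsGroup": 4321}},
            {"name": "psc", "image": "nginx",
             "securityContext": {"runAsGroup": 1234}},
        ],
    },
}

# Constructed OCI config.json fragments modelled on the `cat config.json | head` output.
OCI_CONFIGS = {
    "csc": json.dumps({"ociVersion": "1.0.0",
                       "process": {"user": {"uid": 1001, "gid": 4321}}}),
    "psc": json.dumps({"ociVersion": "1.0.0",
                       "process": {"user": {"uid": 0, "gid": 1234}}}),
}


def find_container(pod, name):
    """Return the container spec with the given name (KeyError if absent)."""
    for container in pod["spec"]["containers"]:
        if container["name"] == name:
            return container
    raise KeyError(name)


def effective_security_context(pod, container):
    """Merge pod-level and container-level securityContext.

    For runAsUser/runAsGroup/supplementalGroups the container-level value
    overrides the pod-level one when both are set.
    """
    pod_sc = pod.get("spec", {}).get("securityContext", {})
    return {**pod_sc, **container.get("securityContext", {})}


def check_container(pod, name, oci_config_json):
    """Return a list of findings; an empty list means the runtime honoured the spec."""
    sc = effective_security_context(pod, find_container(pod, name))
    user = json.loads(oci_config_json)["process"]["user"]
    findings = []

    run_as_group = sc.get("runAsGroup")
    if run_as_group is None:
        # The situation described in the bug report: with no runAsGroup the
        # process's primary GID is root (0), which is unwanted on a shared NFS export.
        if user.get("gid", 0) == 0:
            findings.append(f"{name}: runAsGroup unset, primary gid is 0 (root)")
    elif user.get("gid") != run_as_group:
        findings.append(f"{name}: runAsGroup={run_as_group} but runtime gid={user.get('gid')}")

    run_as_user = sc.get("runAsUser")
    if run_as_user is not None and user.get("uid") != run_as_user:
        findings.append(f"{name}: runAsUser={run_as_user} but runtime uid={user.get('uid')}")

    # supplementalGroups must show up as OCI additionalGids (runtime-spec field name).
    missing = set(sc.get("supplementalGroups", [])) - set(user.get("additionalGids", []))
    if missing:
        findings.append(f"{name}: supplementalGroups {sorted(missing)} missing from additionalGids")
    return findings


def check_pod(pod, oci_configs):
    """Run check_container for every container whose config.json is provided."""
    findings = []
    for container in pod["spec"]["containers"]:
        findings.extend(check_container(pod, container["name"], oci_configs[container["name"]]))
    return findings


if __name__ == "__main__":
    for line in check_pod(POD, OCI_CONFIGS) or ["all containers match their securityContext"]:
        print(line)
```

On a real node the `oci_config_json` argument would be the contents of `/run/containers/storage/overlay-containers/<id>/userdata/config.json`, as read in the comment above; the function only needs the `process.user` object, so the truncated `head` output is enough.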
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0758