Provide RunAsGroup feature for Containers in a Pod #213
Comments
|
Is the progress listed above accurate? |
|
I started working on this earlier but got distracted by other higher
priority issues . We need this feature hence I will prioritize this again .
Expect a PRoposal and a first PR in the next couple weeks
On Tue, May 2, 2017 at 8:46 AM Dennis Schridde ***@***.***> wrote:
Is the progress listed above accurate?
—
You are receiving this because you were assigned.
Reply to this email directly, view it on GitHub
<#213 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AP4-NM7iZmBnKFNe_ywx_6BSd_Aecz_Vks5r10_BgaJpZM4MhoLz>
.
--
-Mayank
|
|
@krmayankk any progress to update? |
|
@pineking i have the proposal , and the code almost ready. Will send out the proposal by Friday while i try to figure the unit tests and api changes. |
|
@krmayankk is this still on your radar? |
|
@jduncan-rva yes the proposal is already out. I have some review comments which i will address. I should have a PR by next week. |
|
@krmayankk any updates? |
|
@kincl the proposal is already out and nearing lgtm. We are waiting one more reviewer to review. I was out last week on vacation. I should have the actual PR this week |
|
Here is the proposal under review kubernetes/community#756 |
Sounds like it falls into sig-auth area. |
|
For the history: here is an implementation of the proposal -- kubernetes/kubernetes#52077 |
|
Issues go stale after 90d of inactivity. Prevent issues from auto-closing with an If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or |
k8s-ci-robot
added
the
lifecycle/stale
|
Issues go stale after 90d of inactivity. Prevent issues from auto-closing with an If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or |
1 similar comment
|
Issues go stale after 90d of inactivity. Prevent issues from auto-closing with an If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or |
|
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
lifecycle/rotten
|
/remove-lifecycle rotten |
k8s-ci-robot
removed
the
lifecycle/rotten
|
/sig auth |
k8s-ci-robot
added
the
sig/auth
|
/sig node |
k8s-ci-robot
added
the
sig/node
|
@krmayankk If so, can you please ensure the feature is up-to-date with the appropriate:
cc @idvoretskyi |
annajung
added
the
tracked/yes
|
Hi @krmayankk, Since your Enhancement is scheduled to be in 1.21, please keep in mind the important upcoming dates:
As a reminder, please link all of your k/k PR(s) and k/website PR(s) to this issue so we can track them. Thanks! |
|
Hi @krmayankk , Enhancements team is currently tracking the following PRs
With the PRs merged, can we mark this enhancement complete for code freeze or do you have other PR(s) that are being worked on as part of the release? Thanks |
|
Hi @krmayankk , I see that the PRs linked to this ticket are merged. Could you mention if this KEP is done? If so, I can mark it done for the code freeze coming up on 3/9. Thanks |
|
(Adding this as a note sent to all) Hi @krmayankk , A friendly reminder that Code freeze is 3 days away, March 9th EOD PST Any enhancements that are NOT code complete by the freeze will be removed from the milestone and will require an exception to be added back. Please also keep in mind that if this enhancement requires new docs or modification to existing docs, you'll need to follow the steps in the Open a placeholder PR doc to open a PR against k/website repo by March 16th EOD PST Thanks! |
|
@arunmk yes i think this enhancement can be marked as done afaict. @tallclair @liggitt please confirm . |
|
I believe this documentation needs some update, @arunmk do documentations fixes also need to be completed by coed freeze date ? |
|
@krmayankk i believe 3/16 is the deadline to have a placeholder doc and it should also include such documentation. Let me check with the team and confirm. |
|
Hi @krmayankk it is confirmed that we do NOT need docs to be updated by the code freeze on 3/9. |
|
Hi @krmayankk 1.21 Enhancement Lead here. Can you update the Once that merges, we can close out this issue. |
JamesLaverack
added
tracked/no
|
@JamesLaverack can we now close this issue since its stable ? |
|
Hey @krmayankk. The last thing is what Anna mentions above — setting the |
|
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
k8s-ci-robot
added
the
lifecycle/stale
|
/remove-lifecycle stale |
k8s-ci-robot
removed
the
lifecycle/stale
|
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
k8s-ci-robot
added
the
lifecycle/stale
|
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
k8s-ci-robot
added
lifecycle/rotten
|
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /close |
|
@k8s-triage-robot: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
and others
Feature Description
As a Kubernetes User, i should be able to specify both user id and group id for the containers running inside a pod on a per Container basis, similar to how docker allows that using docker run options
-u, --user="" Username or UID (format: <name|uid>[:<group|gid>])format. Currently kubernetes only allows us to control the primary user id and allows us to add supplemental groups. There is no way to control the primary group id of the running container which is always 0(root).This feature would enable enterprises to run containers as non root(non zero uid and non zero gid) and hence improve the level of security for the running containers. More discussion and agreement was gathered in this issue 22179
Alpha release: v1.10
Beta release: v1.14
Stable release target v1.15
List of Work Items:-
Containerd and Cri-o Implementation PR's
Test Results for CRI-O PR with latest Kubernetes Master
https://k8s-testgrid.appspot.com/sig-node-cri-o#crio-e2e-fedora
Test Coverage for CRI-O and containerd tests running as part of critest
The text was updated successfully, but these errors were encountered: