KEP-3619: Fine-grained SupplementalGroups control (#117842)

* Add `Linux{Sandbox,Container}SecurityContext.SupplementalGroupsPolicy` and `ContainerStatus.user` in cri-api

* Add `PodSecurityContext.SupplementalGroupsPolicy`, `ContainerStatus.User` and its featuregate

* Implement DropDisabledPodFields for PodSecurityContext.SupplementalGroupsPolicy and ContainerStatus.User fields

* Implement kubelet so to wire between SecurityContext.SupplementalGroupsPolicy/ContainerStatus.User and cri-api in kubelet

* Clarify `SupplementalGroupsPolicy` is an OS dependent field.

* Make `ContainerStatus.User` the initially attached user identity of the first process in the ContainerStatus

This is because the process identity can be dynamic if the initially attached identity
has enough privilege to call the setuid/setgid/setgroups syscalls in Linux.

* Rewording suggestion applied

* Add TODO comment for updating SupplementalGroupsPolicy default value in v1.34

* Added validations for SupplementalGroupsPolicy and ContainerUser

* No featuregate check is needed in validation when adding a new field with no default value

* fix typo: identitiy -> identity
Shingo Omura
2024-05-30 07:40:29 +09:00
committed by GitHub
parent ee2c1ffa80
commit 552fd7e850
98 changed files with 4782 additions and 1801 deletions


@@ -369,6 +369,29 @@ type Status struct {
Message string
// CPU and memory resources for this container
Resources *ContainerResources
// User identity information of the first process of this container
User *ContainerUser
}
// ContainerUser represents user identity information
type ContainerUser struct {
// Linux holds user identity information of the first process of the containers in Linux.
// Note that this field cannot be set when spec.os.name is windows.
Linux *LinuxContainerUser
// Windows holds user identity information of the first process of the containers in Windows
// This is just reserved for future use.
// Windows *WindowsContainerUser
}
// LinuxContainerUser represents user identity information in Linux containers
type LinuxContainerUser struct {
// UID is the primary uid of the first process in the container
UID int64
// GID is the primary gid of the first process in the container
GID int64
// SupplementalGroups are the supplemental groups attached to the first process in the container
SupplementalGroups []int64
}
// FindContainerStatusByName returns container status in the pod status with the given name.
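Review bot: The doc comment on `User *ContainerUser` ("User identity information of the first process of this container") should state that this is the identity initially attached to the first process, as the commit message itself explains: the identity can change later if that process is privileged enough to call setuid/setgid/setgroups, so consumers must not read this field as the container's current effective identity. Suggest "User holds the user identity information initially attached to the first process of this container" on the field, and the same wording on `LinuxContainerUser`'s UID/GID/SupplementalGroups comments. Separately, the reserved `// Windows *WindowsContainerUser` line is commented-out code in a public API type; a plain prose comment ("Windows user identity is reserved for future use") reads cleaner than a disabled field declaration.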