Closed dgerd closed 5 years ago
/assign @dgerd
We do not seem to set a platform-specific default as called out in the runtime contract. We instead seem to implement the Kubernetes behavior which to "Default to user specified in image metadata if unspecified."
https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.10/#container-v1-core
We also currently accept negative runAs user values as well as values greater than an int32 which are invalid. Need to add validation to the webhook and a test.
Need to answer:
/milestone Serving 0.6 We'll have the basic test in 0.5, but the open questions above will likely overshoot.
How should platform providers and operators ban certain UIDs?
I don't think this is necessary to implement now. We should wait until we get requests from providers/operators.
How should we validate UID until we can perform kubernetes dryruns?
The Kubernetes validation logic for user was added in the webhook along with the fieldmask. We are unblocked here to add a conformance test for invalid user ids preventing container startup.
Should we allow a platform default or update language?
In what area(s)?
/area API /area test-and-release
Describe the feature
This issue is to add a conformance test that validates the MUST, SHOULD, and SHALL statements of the user section ( https://github.com/knative/serving/blob/master/docs/runtime-contract.md#user ) in the runtime contract.
The test should validate that: