opencontainers / runtime-spec

OCI Runtime Specification
http://www.opencontainers.org
Apache License 2.0

`runAsGroup` vs `supplementalGroups` #1180

Open vbatts opened 1 year ago

vbatts commented 1 year ago

There is a thread going on in k8s KEP regarding subtle and inconsistent behaviors between runAsGroup and supplementalGroups.

@thockin summarizes here: https://github.com/kubernetes/enhancements/pull/3620#discussion_r1096186213

It sounds like runtime-spec and runc may currently be inconsistent/broken, but to "fix" it would be potentially a breaking change.

cc @opencontainers/runtime-spec-maintainers

vbatts commented 1 year ago

cc @opencontainers/runc-maintainers too

thockin commented 1 year ago

Also https://github.com/kubernetes/enhancements/pull/3620

mrunalp commented 1 year ago

Image spec covers how to convert values over from config.User to runtime config.json. https://github.com/opencontainers/imagespec/blob/main/conversion.md#configuser

Runtime spec only specifies the processing of final values for uid/gid/groups as set in the config.json. https://github.com/opencontainers/runtime-spec/blob/main/config.md#posix-platform-user and has a note:

Note: symbolic name for uid and gid, such as uname and gname respectively, are left to upper levels to derive (i.e. /etc/passwd parsing, NSS, etc)

What we're missing is the runtime override behavior that @thockin's comments here cover: https://github.com/kubernetes/enhancements/pull/3620#discussion_r1096186213 https://github.com/kubernetes/enhancements/pull/3620#discussion_r1096579553

There isn't a clear place for it in OCI as we don't define an API/CLI for higher level runtimes in the runtime spec.

Possible choices:

  1. Expand the image spec conversion with runtime overrides.
  2. Add a new section to runtime spec that covers how overrides are dealt with, in loose enough language that higher level CLI/API flags are covered.
  3. Not have an opinion and let K8s/CRI define it.
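An added illustration (not code from runtime-spec, runc or the KEP) of the two layers mrunalp separates above: the image-spec conversion of config.User into uid/gid/additionalGids, followed by the runtime override step that neither spec currently pins down. The passwd/group contents, the `ResolveUser` and `entry` names, the gid-0 default for an unknown numeric uid, and the override policy it applies (runAsGroup replaces only the primary gid, supplementalGroups are appended to the image-derived gids) are assumptions made for this example, not behaviour either spec mandates.

```go
package main
import (
	"strconv"
	"strings"
)
// User mirrors the runtime-spec process.user fields (uid, gid, additionalGids).
type User struct {
	UID, GID       uint32
	AdditionalGids []uint32
}
// Constructed sample passwd/group contents, standing in for the image rootfs.
const passwd = "root:x:0:0:root:/root:/bin/sh\napp:x:1000:1000::/home/app:/bin/sh\n"
const group = "root:x:0:\napp:x:1000:\naudio:x:29:app\nvideo:x:44:app,root\n"
func num(s string) uint32 { n, _ := strconv.ParseUint(s, 10, 32); return uint32(n) }
// entry finds a passwd/group line by name or numeric id; a bare id with no entry is
// accepted as-is (its gid defaulting to 0 is an assumption), an unknown name is not.
func entry(table, key string) (fields []string, ok bool) {
	for _, line := range strings.Split(table, "\n") {
		if f := strings.Split(line, ":"); len(f) >= 4 && (f[0] == key || f[2] == key) {
			return f, true
		}
	}
	_, err := strconv.ParseUint(key, 10, 32)
	return []string{"", "x", key, "0"}, err == nil
}
// ResolveUser converts image-spec config.User ("user[:group]", names or ids) into
// uid/gid/additionalGids (membership-derived, as initgroups(3) would) and then
// applies the runtime overrides under the assumed policy described above.
func ResolveUser(cfgUser string, runAsGroup *uint32, supplemental []uint32) (User, bool) {
	parts := strings.SplitN(cfgUser, ":", 2)
	pw, ok := entry(passwd, parts[0])
	u := User{UID: num(pw[2]), GID: num(pw[3])}
	if len(parts) == 2 { // an explicit group replaces the passwd primary gid
		gr, gok := entry(group, parts[1])
		u.GID, ok = num(gr[2]), ok && gok
	}
	if !ok {
		return User{}, false
	}
	for _, line := range strings.Split(group, "\n") {
		if f := strings.Split(line, ":"); len(f) == 4 && pw[0] != "" &&
			strings.Contains(","+f[3]+",", ","+pw[0]+",") {
			u.AdditionalGids = append(u.AdditionalGids, num(f[2]))
		}
	}
	// Assumed override policy: runAsGroup replaces only the primary gid; supplemental
	// groups are appended to, not substituted for, the image-derived gids.
	if runAsGroup != nil {
		u.GID = *runAsGroup
	}
	return User{u.UID, u.GID, append(u.AdditionalGids, supplemental...)}, true
}
```

Under a different override policy (for example, runAsGroup also dropping the image-derived additionalGids) the same input yields a different process identity, which is the inconsistency the thread is about.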