Open vbatts opened 1 year ago
cc @opencontainers/runc-maintainers too
Image spec covers how to convert values over from config.User to runtime config.json. https://github.com/opencontainers/imagespec/blob/main/conversion.md#configuser
Runtime spec only specifies the processing of final values for uid/gid/groups as set in the config.json. https://github.com/opencontainers/runtime-spec/blob/main/config.md#posix-platform-user and has a note:
Note: symbolic name for uid and gid, such as uname and gname respectively, are left to upper levels to derive (i.e. /etc/passwd parsing, NSS, etc)
What we are missing is the runtime override behavior that @thockin's comments here cover: https://github.com/kubernetes/enhancements/pull/3620#discussion_r1096186213 https://github.com/kubernetes/enhancements/pull/3620#discussion_r1096579553
There isn't a clear place for it in OCI as we don't define an API/CLI for higher level runtimes in the runtime spec.
Possible choices:
There is a thread going on in k8s KEP regarding subtle and inconsistent behaviors between runAsGroup and supplementalGroups. @thockin summarizes here: https://github.com/kubernetes/enhancements/pull/3620#discussion_r1096186213
It sounds like runtime-spec and runc may currently be inconsistent/broken, but to "fix" it would be potentially a breaking change.
cc @opencontainers/runtime-spec-maintainers
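The image-spec config.User resolution referenced in the opening post, including the supplementary-group rule behind the runAsGroup/supplementalGroups subtlety discussed above, as an added Python example that is not part of this issue or of any OCI project code. The /etc/passwd and /etc/group contents are constructed, and the gid-0 fallback for a numeric uid missing from /etc/passwd is an assumption.

```python
# Constructed /etc/passwd and /etc/group contents (not from the issue); values are illustrative.
PASSWD = """root:x:0:0:root:/root:/bin/sh
app:x:1000:1000:app:/home/app:/bin/sh
"""
GROUP = """root:x:0:
app:x:1000:
docker:x:999:app
audit:x:200:app,root
"""


def parse_passwd(text):
    # Map user name -> (uid, primary gid) from /etc/passwd text.
    users = {}
    for line in text.splitlines():
        if line.strip():
            name, _pw, uid, gid, *_rest = line.split(":")
            users[name] = (int(uid), int(gid))
    return users


def parse_group(text):
    # Map group name -> (gid, [member user names]) from /etc/group text.
    groups = {}
    for line in text.splitlines():
        if line.strip():
            name, _pw, gid, members = line.split(":")
            groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups


def resolve_user(spec, passwd_text, group_text):
    """config.User (user, uid, user:group, uid:gid, uid:group, user:gid) -> process.user."""
    users, groups = parse_passwd(passwd_text), parse_group(group_text)
    user_part, _, group_part = spec.partition(":")
    if user_part in users:
        uname, (uid, gid) = user_part, users[user_part]
    elif user_part.isdigit():
        uid = int(user_part)
        uname = next((n for n, (u, _) in users.items() if u == uid), None)
        # Assumption: a numeric uid absent from /etc/passwd falls back to gid 0.
        gid = users[uname][1] if uname else 0
    else:
        raise ValueError(f"unknown user {user_part!r}")
    if group_part:
        # Explicit group/gid: supplementary groups from /etc/group are ignored.
        gid = groups[group_part][0] if group_part in groups else int(group_part)
        additional = []
    else:
        # No group given: primary gid plus every /etc/group entry naming the user.
        additional = sorted(g for g, members in groups.values() if uname in members)
    return {"uid": uid, "gid": gid, "additionalGids": additional}
```

Note how "app" picks up gids 200 and 999 from /etc/group while "app:docker" drops them entirely, which is the behaviour a higher-level runtime must reconcile with its own supplemental-group setting.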