`runAsGroup` vs `supplementalGroups` #1180

vbatts · 2023-02-06T20:06:00Z

There is a thread going on in k8s KEP regarding subtle and inconsistent behaviors between runAsGroup and supplementalGroups.

It sounds like runtime-spec and runc may currently be inconsistent/broken, but to "fix" it would be potentially a breaking change.

cc @opencontainers/runtime-spec-maintainers

The text was updated successfully, but these errors were encountered:

vbatts · 2023-02-06T20:07:13Z

cc @opencontainers/runc-maintainers too

thockin · 2023-02-06T20:44:31Z

mrunalp · 2023-02-06T21:57:18Z

Image spec covers how to convert values over from config.User to runtime config.json.
https://github.com/opencontainers/imagespec/blob/main/conversion.md#configuser

Runtime spec only specifies the processing of final values for uid/gid/groups as set in the config.json.
https://github.com/opencontainers/runtime-spec/blob/main/config.md#posix-platform-user
and has a note:

Note: symbolic name for uid and gid, such as uname and gname respectively, are left to upper levels to derive (i.e. /etc/passwd parsing, NSS, etc)

There isn't a clear place for it in OCI as we don't define an API/CLI for higher level runtimes in the runtime spec.

Possible choices:

Expand the image spec conversion with runtime overrides.
Add a new section to runtime spec that covers how overrides are dealt with loose enough language so higher level CLI/API flags are covered.
Not have an opinion and let K8s/CRI define it.

vbatts changed the title ~~runAsGroup vs supplementalGroups~~ runAsGroup vs supplementalGroups Feb 6, 2023

vbatts mentioned this issue Feb 6, 2023

KEP-3169: Fine-grained SupplementalGroups control kubernetes/enhancements#3620

Merged

Provide feedback