Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Kube Gen run as user/group issues #11944

Merged
merged 1 commit into from
Oct 13, 2021
Merged

Kube Gen run as user/group issues #11944

merged 1 commit into from
Oct 13, 2021

Conversation

cdoern
Copy link
Contributor

@cdoern cdoern commented Oct 12, 2021

Removed the inclusion of RunAsUser or RunAsGroup unless a container is run with the --user flag. When building from an image
the user will be pulled from there anyway

resolves #11914

Signed-off-by: cdoern cdoern@redhat.com

rhatdan
rhatdan reviewed Oct 12, 2021
View reviewed changes
pkg/domain/infra/abi/generate.go Outdated Show resolved Hide resolved
test/e2e/generate_kube_test.go Outdated Show resolved Hide resolved
test/e2e/generate_kube_test.go
@@ -942,7 +942,7 @@ USER test1`
pod := new(v1.Pod)
err = yaml.Unmarshal(kube.Out.Contents(), pod)
Expect(err).To(BeNil())
Expect(*pod.Spec.Containers[0].SecurityContext.RunAsUser).To(Equal(int64(10001)))
Expect(pod.Spec.Containers[0].SecurityContext.RunAsUser).To(BeNil())
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we have a check to make sure runasuser still works?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yep, there is an explicit --user test

Luap99
Luap99 requested changes Oct 12, 2021
View reviewed changes
Copy link
Member

@Luap99 Luap99 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the new option is not needed for this

libpod/options.go Outdated
Comment on lines 672 to 682
// WithDefinedUser informs us whether or not we have explicitly defined a user or if podman is using the default user
func WithDefinedUser() CtrCreateOption {
return func(ctr *Container) error {
if ctr.valid {
return define.ErrCtrFinalized
}

ctr.config.DefinedUser = true
return nil
}
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do we need a extra option for this? IMO all you need to do is:
if container.user != image.user then add user to yaml

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That would cause this change to affect podman build, right? when generating the kube we don't have access to the image file just the container we are extracting info from see libpod/kube.go L855

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have a look at https://github.com/containers/podman/pull/11704/files

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok cool, that should have the same affect I think, I will try your approach.

Containerfile Outdated Show resolved Hide resolved
@cdoern
Kube Gen run as user/group issues
4631f5b 
Removed the inclusion of RunAsUser or RunAsGroup unless a container is run with the --user flag. When building from an image
the user will be pulled from there anyway

resolves containers#11914

Signed-off-by: cdoern <cdoern@redhat.com>
@rhatdan
Copy link
Member

rhatdan commented Oct 13, 2021

LGTM

@mheon
Copy link
Member

mheon commented Oct 13, 2021

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Oct 13, 2021
Luap99
Luap99 approved these changes Oct 13, 2021
View reviewed changes
Copy link
Member

@Luap99 Luap99 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM
Nice and simple :)

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Oct 13, 2021

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cdoern, Luap99

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 13, 2021
@openshift-merge-robot openshift-merge-robot merged commit 9f1452c into containers:main Oct 13, 2021
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 22, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 22, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@rhatdan rhatdan rhatdan left review comments

@Luap99 Luap99 Luap99 approved these changes

Assignees

@mheon mheon

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

podman generate kube emits reduntant runAsGroup/runAsUser entries
5 participants
@cdoern @rhatdan @mheon @Luap99 @openshift-merge-robot