mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-29 22:46:12 +00:00

Production-Grade Container Scheduling and Management

Go to file

Kubernetes Submit Queue f634f7dae4 Merge pull request #65926 from Random-Liu/fix-run-as-group Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Fix RunAsGroup. For https://github.com/kubernetes/features/issues/213 See https://github.com/containerd/cri/issues/836 In https://github.com/containerd/cri/issues/836, people thought that this is a containerd issue. However, it turns out that this feature doesn't work at all. @krmayankk Without the fix: ``` • Failure [10.125 seconds] [k8s.io] [sig-node] Security Context [Feature:SecurityContext] /go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/framework/framework.go:679 should support container.SecurityContext.RunAsUser And container.SecurityContext.RunAsGroup [Feature:RunAsGroup] [It] /go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/node/security_context.go:112 Expected error: <*errors.errorString \| 0xc42185bcd0>: { s: "expected \"gid=2002\" in container output: Expected\n <string>: uid=1002 gid=1002\n \nto contain substring\n <string>: gid=2002", } expected "gid=2002" in container output: Expected <string>: uid=1002 gid=1002 to contain substring <string>: gid=2002 not to have occurred /go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/framework/util.go:2325 ``` With the fix: ``` SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS ------------------------------ [k8s.io] [sig-node] Security Context [Feature:SecurityContext] should support container.SecurityContext.RunAsUser And container.SecurityContext.RunAsGroup [Feature:RunAsGroup] /go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/node/security_context.go:112 [BeforeEach] [k8s.io] [sig-node] Security Context [Feature:SecurityContext] /go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/framework/framework.go:141 STEP: Creating a kubernetes client Jul 6 15:38:43.994: INFO: >>> kubeConfig: /var/run/kubernetes/admin.kubeconfig STEP: Building a namespace api object, basename security-context Jul 6 15:38:44.024: INFO: No PodSecurityPolicies found; assuming PodSecurityPolicy is disabled. STEP: Waiting for a default service account to be provisioned in namespace [It] should support container.SecurityContext.RunAsUser And container.SecurityContext.RunAsGroup [Feature:RunAsGroup] /go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/node/security_context.go:112 STEP: Creating a pod to test pod.Spec.SecurityContext.RunAsUser Jul 6 15:38:44.027: INFO: Waiting up to 5m0s for pod "security-context-56aac70e-816d-11e8-91cd-8cdcd43ac064" in namespace "e2e-tests-security-context-hwm7l" to be "success or failure" Jul 6 15:38:44.029: INFO: Pod "security-context-56aac70e-816d-11e8-91cd-8cdcd43ac064": Phase="Pending", Reason="", readiness=false. Elapsed: 1.17106ms Jul 6 15:38:46.031: INFO: Pod "security-context-56aac70e-816d-11e8-91cd-8cdcd43ac064": Phase="Pending", Reason="", readiness=false. Elapsed: 2.003308423s Jul 6 15:38:48.033: INFO: Pod "security-context-56aac70e-816d-11e8-91cd-8cdcd43ac064": Phase="Succeeded", Reason="", readiness=false. Elapsed: 4.005287901s STEP: Saw pod success Jul 6 15:38:48.033: INFO: Pod "security-context-56aac70e-816d-11e8-91cd-8cdcd43ac064" satisfied condition "success or failure" Jul 6 15:38:48.034: INFO: Trying to get logs from node 127.0.0.1 pod security-context-56aac70e-816d-11e8-91cd-8cdcd43ac064 container test-container: <nil> STEP: delete the pod Jul 6 15:38:48.047: INFO: Waiting for pod security-context-56aac70e-816d-11e8-91cd-8cdcd43ac064 to disappear Jul 6 15:38:48.049: INFO: Pod security-context-56aac70e-816d-11e8-91cd-8cdcd43ac064 no longer exists [AfterEach] [k8s.io] [sig-node] Security Context [Feature:SecurityContext] /go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/framework/framework.go:142 Jul 6 15:38:48.049: INFO: Waiting up to 3m0s for all (but 0) nodes to be ready STEP: Destroying namespace "e2e-tests-security-context-hwm7l" for this suite. Jul 6 15:38:54.057: INFO: Waiting up to 30s for server preferred namespaced resources to be successfully discovered Jul 6 15:38:54.084: INFO: namespace: e2e-tests-security-context-hwm7l, resource: bindings, ignored listing per whitelist Jul 6 15:38:54.107: INFO: namespace e2e-tests-security-context-hwm7l deletion completed in 6.056285097s • [SLOW TEST:10.113 seconds] [k8s.io] [sig-node] Security Context [Feature:SecurityContext] /go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/framework/framework.go:679 should support container.SecurityContext.RunAsUser And container.SecurityContext.RunAsGroup [Feature:RunAsGroup] /go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/node/security_context.go:112 ------------------------------ SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS ------------------------------ [k8s.io] [sig-node] Security Context [Feature:SecurityContext] should support pod.Spec.SecurityContext.RunAsUser And pod.Spec.SecurityContext.RunAsGroup [Feature:RunAsGroup] /go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/node/security_context.go:84 [BeforeEach] [k8s.io] [sig-node] Security Context [Feature:SecurityContext] /go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/framework/framework.go:141 STEP: Creating a kubernetes client Jul 6 15:38:54.108: INFO: >>> kubeConfig: /var/run/kubernetes/admin.kubeconfig STEP: Building a namespace api object, basename security-context STEP: Waiting for a default service account to be provisioned in namespace [It] should support pod.Spec.SecurityContext.RunAsUser And pod.Spec.SecurityContext.RunAsGroup [Feature:RunAsGroup] /go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/node/security_context.go:84 STEP: Creating a pod to test pod.Spec.SecurityContext.RunAsUser Jul 6 15:38:54.137: INFO: Waiting up to 5m0s for pod "security-context-5cb16d23-816d-11e8-91cd-8cdcd43ac064" in namespace "e2e-tests-security-context-hs2vr" to be "success or failure" Jul 6 15:38:54.138: INFO: Pod "security-context-5cb16d23-816d-11e8-91cd-8cdcd43ac064": Phase="Pending", Reason="", readiness=false. Elapsed: 1.374422ms Jul 6 15:38:56.140: INFO: Pod "security-context-5cb16d23-816d-11e8-91cd-8cdcd43ac064": Phase="Pending", Reason="", readiness=false. Elapsed: 2.003249942s Jul 6 15:38:58.142: INFO: Pod "security-context-5cb16d23-816d-11e8-91cd-8cdcd43ac064": Phase="Succeeded", Reason="", readiness=false. Elapsed: 4.005110799s STEP: Saw pod success Jul 6 15:38:58.142: INFO: Pod "security-context-5cb16d23-816d-11e8-91cd-8cdcd43ac064" satisfied condition "success or failure" Jul 6 15:38:58.143: INFO: Trying to get logs from node 127.0.0.1 pod security-context-5cb16d23-816d-11e8-91cd-8cdcd43ac064 container test-container: <nil> STEP: delete the pod Jul 6 15:38:58.149: INFO: Waiting for pod security-context-5cb16d23-816d-11e8-91cd-8cdcd43ac064 to disappear Jul 6 15:38:58.152: INFO: Pod security-context-5cb16d23-816d-11e8-91cd-8cdcd43ac064 no longer exists [AfterEach] [k8s.io] [sig-node] Security Context [Feature:SecurityContext] /go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/framework/framework.go:142 Jul 6 15:38:58.152: INFO: Waiting up to 3m0s for all (but 0) nodes to be ready STEP: Destroying namespace "e2e-tests-security-context-hs2vr" for this suite. Jul 6 15:39:04.157: INFO: Waiting up to 30s for server preferred namespaced resources to be successfully discovered Jul 6 15:39:04.175: INFO: namespace: e2e-tests-security-context-hs2vr, resource: bindings, ignored listing per whitelist Jul 6 15:39:04.193: INFO: namespace e2e-tests-security-context-hs2vr deletion completed in 6.039953722s • [SLOW TEST:10.085 seconds] [k8s.io] [sig-node] Security Context [Feature:SecurityContext] /go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/framework/framework.go:679 should support pod.Spec.SecurityContext.RunAsUser And pod.Spec.SecurityContext.RunAsGroup [Feature:RunAsGroup] /go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/node/security_context.go:84 ------------------------------ SSSSJul 6 15:39:04.193: INFO: Running AfterSuite actions on all node Jul 6 15:39:04.193: INFO: Running AfterSuite actions on node 1 Ran 2 of 1007 Specs in 50.246 seconds SUCCESS! -- 2 Passed \| 0 Failed \| 0 Pending \| 1005 Skipped PASS Ginkgo ran 1 suite in 50.482926642s Test Suite Passed 2018/07/06 15:39:04 process.go:155: Step './hack/ginkgo-e2e.sh -host=https://localhost:6443 --ginkgo.focus=RunAsGroup' finished in 50.523613088s 2018/07/06 15:39:04 e2e.go:83: Done ``` We should cherry-pick this to 1.10 and 1.11. /cc @kubernetes/sig-node-bugs ```release-note Fix `RunAsGroup` which doesn't work since 1.10. ```		2018-07-06 22:45:12 -07:00
.github
api	Fix comments about default mount propagation	2018-06-28 17:04:41 -04:00
build	Merge pull request #65726 from ixdy/golang-1.10.3	2018-07-03 16:35:14 -07:00
cluster	Merge pull request #65252 from jingax10/script_cleanup_branch	2018-07-06 21:26:02 -07:00
cmd	Merge pull request #65856 from deads2k/controller-01-ignored	2018-07-06 12:25:09 -07:00
docs	Fix comments about default mount propagation	2018-06-28 17:04:41 -04:00
Godeps	Merge pull request #64511 from quobyte/api_update	2018-07-05 12:53:05 -07:00
hack	Merge pull request #65865 from deads2k/cli-01-testcmd	2018-07-05 13:01:10 -07:00
logo
pkg	Fix RunAsGroup.	2018-07-06 15:42:26 -07:00
plugin	update priority admission for interoperability	2018-07-03 10:43:35 -04:00
staging	Merge pull request #65710 from sttts/sttts-unified-apiserver-testserver	2018-07-05 11:39:03 -07:00
test	Make proxier params configurable in kubemark	2018-07-06 16:07:15 +02:00
third_party
translations
vendor	Merge pull request #64511 from quobyte/api_update	2018-07-05 12:53:05 -07:00
.bazelrc
.generated_files
.gitattributes
.gitignore
.kazelcfg.json
BUILD.bazel
CHANGELOG-1.2.md
CHANGELOG-1.3.md
CHANGELOG-1.4.md
CHANGELOG-1.5.md
CHANGELOG-1.6.md
CHANGELOG-1.7.md
CHANGELOG-1.8.md
CHANGELOG-1.9.md	Update CHANGELOG-1.9.md for v1.9.9.	2018-06-29 05:49:31 +00:00
CHANGELOG-1.10.md
CHANGELOG-1.11.md	Fix K8s-Storage-Plugins repo	2018-06-28 10:36:05 +00:00
CHANGELOG.md	Insert human curated 1.11 release notes and set current version	2018-06-27 19:19:19 -04:00
code-of-conduct.md
CONTRIBUTING.md
labels.yaml
LICENSE
Makefile
Makefile.generated_files
OWNERS
OWNERS_ALIASES
README.md
SECURITY_CONTACTS
SUPPORT.md
WORKSPACE

README.md

Kubernetes

Kubernetes is an open source system for managing containerized applications across multiple hosts; providing basic mechanisms for deployment, maintenance, and scaling of applications.

Kubernetes builds upon a decade and a half of experience at Google running production workloads at scale using a system called Borg, combined with best-of-breed ideas and practices from the community.

Kubernetes is hosted by the Cloud Native Computing Foundation (CNCF). If you are a company that wants to help shape the evolution of technologies that are container-packaged, dynamically-scheduled and microservices-oriented, consider joining the CNCF. For details about who's involved and how Kubernetes plays a role, read the CNCF announcement.

To start using Kubernetes

See our documentation on kubernetes.io.

Try our interactive tutorial.

Take a free course on Scalable Microservices with Kubernetes.

To start developing Kubernetes

The community repository hosts all information about building Kubernetes from source, how to contribute code and documentation, who to contact about what, etc.

If you want to build Kubernetes right away there are two options:

You have a working Go environment.

$ go get -d k8s.io/kubernetes
$ cd $GOPATH/src/k8s.io/kubernetes
$ make

You have a working Docker environment.

$ git clone https://github.com/kubernetes/kubernetes
$ cd kubernetes
$ make quick-release

For the full story, head over to the developer's documentation.

Support

If you need support, start with the troubleshooting guide, and work your way through the process that we've outlined.

That said, if you have questions, reach out to us one way or another.