Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

podman generate kube emits reduntant runAsGroup/runAsUser entries #11914

Closed
dilyanpalauzov opened this issue Oct 11, 2021 · 3 comments · Fixed by #11944
Closed

podman generate kube emits reduntant runAsGroup/runAsUser entries #11914

dilyanpalauzov opened this issue Oct 11, 2021 · 3 comments · Fixed by #11944
Assignees
@cdoern
Labels
In Progress This issue is actively being worked by the assignee, please do not work on this at this time. kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

@dilyanpalauzov
Copy link
Contributor

I build my image with USER 2000:2000 and this information is contained in the oci-image. podman generate kube CONTAINERNAME prints:

apiVersion: v1
kind: Pod
spec:
  containers:
    securityContext:
      …
      runAsGroup: 2000
      runAsUser: 2000

SInce the group and user UID are inherited from the container description, podman generate kube shall not print them, as long as the caller of podman has not passed --ueser parameter. Kubernetes will anyway apply 2000:2000 when executing the container.

$ podman version
Version:      3.4.0
API Version:  3.4.0
Go Version:   go1.16.8
Built:        Thu Sep 30 21:40:21 2021
OS/Arch:      linux/amd64
@cdoern cdoern self-assigned this Oct 11, 2021
@cdoern cdoern added the In Progress This issue is actively being worked by the assignee, please do not work on this at this time. label Oct 11, 2021
@cdoern
Copy link
Contributor

cdoern commented Oct 11, 2021

@baude this seems pretty easy to change. I found the point in the code where the switch would be made and have figured out a way to see whether or not the container has --user enabled. Does this look like something we should switch?

@umohnani8
Copy link
Member

@cdoern yes, let's switch it. If the information is in the image, then we don't need to explicitly add it to the kube yaml.

@umohnani8 umohnani8 added the kind/bug Categorizes issue or PR as related to a bug. label Oct 11, 2021
@cdoern cdoern mentioned this issue Oct 12, 2021
Merged
cdoern added a commit to cdoern/podman that referenced this issue Oct 12, 2021
@cdoern
Kube Gen run as user/group issues
4631f5b 
Removed the inclusion of RunAsUser or RunAsGroup unless a container is run with the --user flag. When building from an image
the user will be pulled from there anyway

resolves containers#11914

Signed-off-by: cdoern <[email protected]>
@rhatdan
Copy link
Member

rhatdan commented Oct 12, 2021

Also if the image changes, we would need to change yaml file.

mheon pushed a commit to mheon/libpod that referenced this issue Oct 19, 2021
@cdoern @mheon
Kube Gen run as user/group issues
16fb416 
Removed the inclusion of RunAsUser or RunAsGroup unless a container is run with the --user flag. When building from an image
the user will be pulled from there anyway

resolves containers#11914

Signed-off-by: cdoern <[email protected]>
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 21, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 21, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@cdoern cdoern

Labels
In Progress This issue is actively being worked by the assignee, please do not work on this at this time. kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Kube Gen run as user/group issues cdoern/podman
4 participants
@rhatdan @dilyanpalauzov @cdoern @umohnani8