add ContainerStatus.User proposal for users/admins to know actual ide…

…ntities attached to the container processes
kubernetes · Feb 8, 2023 · 8b3e39b · 8b3e39b
1 parent db3bcd3
commit 8b3e39b
Showing 1 changed file with 100 additions and 0 deletions.
diff --git a/keps/sig-node/3619-supplemental-groups-policy/README.md b/keps/sig-node/3619-supplemental-groups-policy/README.md
@@ -23,17 +23,21 @@ Stuff that is being argued.
 - [Proposal](#proposal)
   - [Kubernetes API](#kubernetes-api)
     - [SupplementalGroupsPolicy in PodSecurityContext](#supplementalgroupspolicy-in-podsecuritycontext)
+    - [User in ContainerStatus](#user-in-containerstatus)
   - [CRI](#cri)
     - [SupplementalGroupsPolicy in SecurityContext](#supplementalgroupspolicy-in-securitycontext)
+    - [user in ContainerStatus](#user-in-containerstatus-1)
   - [User Stories](#user-stories)
     - [Story 1: Deploy a Security Policy to enforce <code>SupplementalGroupsPolicy</code> field](#story-1-deploy-a-security-policy-to-enforce--field)
   - [Notes/Constraints/Caveats (Optional)](#notesconstraintscaveats-optional)
   - [Risks and Mitigations](#risks-and-mitigations)
 - [Design Details](#design-details)
   - [Kubernetes API](#kubernetes-api-1)
     - [SupplementalGroupsPolicy in PodSecurityContext](#supplementalgroupspolicy-in-podsecuritycontext-1)
+    - [User in ContainerStatus](#user-in-containerstatus-2)
   - [CRI](#cri-1)
     - [SupplementalGroupsPolicy in SecurityContext](#supplementalgroupspolicy-in-securitycontext-1)
+    - [user in ContainerStatus](#user-in-containerstatus-3)
   - [Test Plan](#test-plan)
       - [Prerequisite testing updates](#prerequisite-testing-updates)
       - [Unit tests](#unit-tests)
@@ -215,12 +219,40 @@ Allowed values are:
 
 Note that both policies diverge from the semantics of [`config.User` OCI image configuration](https://github.com/opencontainers/image-spec/blob/3a7f492d3f1bcada656a7d8c08f3f9bbd05e7406/config.md#:~:text=User%20string%2C%20OPTIONAL). The purpose is to follow "principle of least surprise" as described in the previous section.
 
+#### User in ContainerStatus
+
+To provide users/administrators to know which identities are actually attached to the container process, it proposes to introduce new `User` field in `ContainerStatus`. `User` is an object which consists of `Uid`, `Gid`, `SupplementalGroups` fields for linux containers. This will help users to identify unexpected identities. This field is derived by CRI response (See [user in ContainerStatus](#user-in-containerstatus-1) section).
+
 ### CRI
 
 #### SupplementalGroupsPolicy in SecurityContext
 
 Symmetrical changes are needed. See [Design Details](#design-details) section.
 
+#### user in ContainerStatus
+
+To propagate identities of the container process to `ContainerStatus` in Kubernetes API, CRI changes would be needed. This proposes to define `ContainerUser` data type and add `user` field to `ContainerStatus` that is used in the response of `ContainerStatus` method. `ContainerUser` consists of `Uid`, `Gid` and `SupplementalGroups` fields.
+
+```protobuf
+// service RuntimeService {
+//   rpc ContainerStatus(ContainerStatusRequest) returns (ContainerStatusResponse) {}
+//  ...
+// }
+// message ContainerStatusResponse {
+//  ContainerStatus status = 1;
+//  ...
+// }
+
+message ContainerStatus {
+  ...
+  // user information of the container process
+  ContainerUser user = ?;
+}
+
+message ContainerUser {
+  // details in "Design Details" section
+}
+```
 
 ### User Stories
 
@@ -334,6 +366,41 @@ const (
 )
 ```
 
+#### User in ContainerStatus
+
+```golang
+type ContainerStatus struct {
+...
+	// User indicates identities of the container process
+	User ContainerUser
+}
+```
+
+```golang
+type ContainerUser struct {
+	// Linux holds identity information of the process of the containers in Linux.
+	// Note that this field cannot be set when spec.os.name is windows.
+	Linux *LinuxContainerUser
+
+	// Windows holds identity information of the process of the containers in Windows
+	// This is just reserved for future use.
+	// Windows *WindowsContainerUser
+}
+
+type LinuxContainerUser struct {
+	// Uid is the primary uid of the container process
+	Uid int64
+	// Gid is the primary gid of the container process
+	Gid int64
+	// SupplementalGroups are the supplemental groups attached to the container process
+	SupplementalGroups []int64
+}
+
+// This is just reserved for future use.
+// type WindowsContainerUser struct {
+// 	T.B.D.
+// }
+```
 
 ### CRI
 
@@ -360,6 +427,39 @@ message LinuxSandboxSecurityContext {
 }
 ```
 
+#### user in ContainerStatus
+
+```protobuf
+
+message ContainerStatus {
+    ...
+    // User holds user information of the container process
+    ContainerUser user = ??;
+}
+
+message ContainerUser {
+    // User information of Linux containers.
+    LinuxContainerUser linux = 1;
+    // User information of Windows containers.
+    // This is just reserved for future use.
+    // WindowsContainerUser windows = 2;
+}
+
+
+message LinuxContainerUser {
+    // uid is the primary uid of the container process
+    Int64Value uid = 1;
+    // gid is the primary gid of the container process
+    Int64Value gid = 2;
+    // supplemental_groups are the supplemental groups attached to the container process
+    repeated int64 supplemental_groups = 3;
+}
+
+// message WindowsContainerUser {
+//     T.B.D.
+// }
+```
+
 ### Test Plan
 
 <!--