Run pause image as non-root user and group #97963
Conversation
/sig release
@saschagrunert: PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/test pull-kubernetes-e2e-gce-ubuntu-containerd
@BenTheElder @cblecker @fejta is this something we can do?
It would be great to see this one on 1.21. 🙏
/lgtm
Would kind of like someone from node to LGTM / check in on this, as the primary users of pause.
/retest
/lgtm
with the assumption this isn't landing in 1.21
/retest
/sig security
/cc @pacoxu
@ehashman I think I agree, but to help us understand why this isn't worth filing an exception for, what concerns do you have with this landing in v1.21?
I don't have any specific concerns, I was just quoting the discussion above with @saschagrunert :)
I don't think so, since the related issue seems to be feature-related, whereas this is more of a default-security enhancement. @ehashman @spiffxp I think we could raise an exception for this PR. Pinging @kubernetes/sig-release-leads @kubernetes/release-engineering to apply the milestone (or not).
Looks ok to me to raise an exception for this change. +1 from my side.
Like #98205, we may update runtimes and k/k later. BTW, updating the changelog https://github.com/kubernetes/kubernetes/blob/master/build/pause/CHANGELOG.md would be better.
Sure, I can follow up on that. 👍
Everybody agrees that we need to get this for 1.21, so adding the milestone. /milestone v1.21
/hold for any other comments, feel free to cancel that
/hold cancel
/test pull-kubernetes-integration
What type of PR is this?
/kind feature
What this PR does / why we need it:
We now build the pause image to run as the pseudo user and group 65535:65535.
This improves the security of the container image in case a
vulnerability directly affects the pause container.
Which issue(s) this PR fixes:
Fixes #95038
Special notes for your reviewer:
/hold
I'm not sure what the CI thinks about this change, nor if it has other implications.
Does this PR introduce a user-facing change?:
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:
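The PR above changes only the `USER` the pause image is built with. As an added example (not code from this PR or from kubernetes/kubernetes), the script below shows how a cluster operator can verify that property from the image config itself, applying the same rule the kubelet uses for `runAsNonRoot`: the UID must be numeric and non-zero, an empty `User` means root, and a named user such as `nobody` cannot be verified from the config alone. The JSON configs are constructed samples in the OCI image-config shape (as printed by `crane config IMAGE`), not pulled from a registry.

```python
"""Classify an OCI image config's `config.User` as root / non-root / unverifiable.

Added example for the pause-image discussion, not kubernetes/kubernetes code.
The rule mirrors the kubelet's runAsNonRoot verification: a numeric, non-zero
UID passes; UID 0 or an empty User is root; a non-numeric user name cannot be
checked without the image's /etc/passwd, so it is reported as unverifiable.
"""
import json

# Constructed sample configs (not real registry output): the old root pause
# image, the 65535:65535 one from this PR, and two edge cases.
SAMPLE_CONFIGS = {
    "pause-root": json.dumps({"config": {"User": ""}}),
    "pause-nonroot": json.dumps({"config": {"User": "65535:65535"}}),
    "named-user": json.dumps({"config": {"User": "nobody"}}),
    "uid-zero": json.dumps({"config": {"User": "0:0"}}),
}


def parse_user(user_field):
    """Split a User field ("uid", "uid:gid", "name", "name:group") into (uid, gid).

    Each component is an int when numeric, otherwise the raw string. An empty
    field means the runtime default, i.e. root: (0, None).
    """
    if not user_field:
        return (0, None)
    uid_part, _, gid_part = user_field.partition(":")

    def conv(part):
        return int(part) if part.isdigit() else part

    uid = conv(uid_part)
    gid = conv(gid_part) if gid_part else None
    return (uid, gid)


def classify_user(config_json):
    """Return 'root', 'non-root' or 'unverifiable' for an OCI image config JSON."""
    cfg = json.loads(config_json)
    user = cfg.get("config", {}).get("User", "")
    uid, _ = parse_user(user)
    if isinstance(uid, str):
        # Named user: the UID lives in the image's /etc/passwd, which the
        # config does not carry, so a numeric non-root guarantee is impossible.
        return "unverifiable"
    return "root" if uid == 0 else "non-root"


if __name__ == "__main__":
    for name, cfg in SAMPLE_CONFIGS.items():
        print(f"{name}: {classify_user(cfg)}")
```

Feeding the script a real config is a matter of piping `crane config <image>` into `classify_user`. The `unverifiable` result is the practical reason the PR uses a numeric `65535:65535` rather than a named user: with a numeric UID in the image, a pod that sets `runAsNonRoot: true` without an explicit `runAsUser` can still be admitted by the kubelet.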