Created
October 2, 2020 12:53
-
-
Save mauriciovasquezbernal/2e7f7cd0ac4690f973d54e2be22577d1 to your computer and use it in GitHub Desktop.
User namespaces in Kubernetes
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Pod without userNamespaceMode, defaults to Host | |
| apiVersion: v1 | |
| kind: Pod | |
| metadata: | |
| name: defaut-mode | |
| spec: | |
| containers: | |
| - name: container1 | |
| image: busybox | |
| command: ["sh"] | |
| args: ["-c", "sleep infinity"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Pod sharing the host user namespace | |
| apiVersion: v1 | |
| kind: Pod | |
| metadata: | |
| name: host-mode | |
| spec: | |
| userNamespaceMode: Host | |
| containers: | |
| - name: container1 | |
| image: busybox | |
| command: ["sh"] | |
| args: ["-c", "sleep infinity"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Pod using Cluster mode | |
| apiVersion: v1 | |
| kind: Pod | |
| metadata: | |
| name: cluster-mode | |
| spec: | |
| userNamespaceMode: Cluster | |
| containers: | |
| - name: container1 | |
| image: busybox | |
| command: ["sh"] | |
| args: ["-c", "sleep infinity"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: v1 | |
| kind: ConfigMap | |
| metadata: | |
| name: myconfigmap | |
| namespace: default | |
| data: | |
| content: '"This is a ConfigMap"' | |
| --- | |
| apiVersion: v1 | |
| kind: Pod | |
| metadata: | |
| name: cluster-configmap | |
| spec: | |
| userNamespaceMode: Cluster | |
| containers: | |
| - name: container1 | |
| image: busybox | |
| command: ["sh"] | |
| args: ["-c", "sleep infinity"] | |
| volumeMounts: | |
| - name: config-volume | |
| mountPath: /etc/configmap/content | |
| volumes: | |
| - name: config-volume | |
| configMap: | |
| name: myconfigmap | |
| defaultMode: 0400 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: v1 | |
| kind: Pod | |
| metadata: | |
| name: volumes1 | |
| namespace: default | |
| spec: | |
| userNamespaceMode: Cluster | |
| containers: | |
| - name: container1 | |
| image: busybox | |
| command: ["sh"] | |
| args: ["-c", "sleep infinity"] | |
| volumeMounts: | |
| - mountPath: /etc/hostpath | |
| name: hostpath-volume | |
| volumes: | |
| - name: hostpath-volume | |
| hostPath: | |
| path: /tmp/demo | |
| type: Directory | |
| --- | |
| apiVersion: v1 | |
| kind: Pod | |
| metadata: | |
| name: volumes2 | |
| namespace: default | |
| spec: | |
| userNamespaceMode: Cluster | |
| containers: | |
| - name: container1 | |
| image: busybox | |
| command: ["sh"] | |
| args: ["-c", "sleep infinity"] | |
| volumeMounts: | |
| - mountPath: /etc/hostpath | |
| name: hostpath-volume | |
| volumes: | |
| - name: hostpath-volume | |
| hostPath: | |
| path: /tmp/demo | |
| type: Directory |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: v1 | |
| kind: Pod | |
| metadata: | |
| name: fsgroup | |
| namespace: default | |
| spec: | |
| userNamespaceMode: Cluster | |
| securityContext: | |
| fsGroup: 5000 | |
| containers: | |
| - name: container1 | |
| image: busybox | |
| command: ["sh"] | |
| args: ["-c", "sleep infinity"] | |
| volumeMounts: | |
| - mountPath: /etc/hostpath | |
| name: hostpath-volume | |
| volumes: | |
| - name: hostpath-volume | |
| hostPath: | |
| path: /tmp/demo2 | |
| type: Directory |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This demo shows a poc of the proposal for supporting user namespaces in k8s. | |
| # This proposal adds a new userNamespaceMode field to the Pod Spec that supports | |
| # two modes: Host and Cluster. | |
| # Host is for sharing the host user namespace | |
| # Cluster uses the same mapping for all the pods in this mode. | |
| # These mappings are configured in the kubelet configuration file | |
| cat /home/mvb/kubeletconfig.yaml | |
| # let's get started | |
| # deploy a pod without set the userNamespaceMode field | |
| cat 001-default.yaml | |
| kubectl apply -f 001-default.yaml | |
| kubectl exec -it defaut-mode -- /bin/sh -c 'cat /proc/self/uid_map' | |
| kubectl exec -it defaut-mode -- /bin/sh -c 'cat /proc/self/gid_map' | |
| # let's deploy a pod setting the field to Host | |
| cat 002-host.yaml | |
| kubectl apply -f 002-host.yaml | |
| kubectl exec -it host-mode -- /bin/sh -c 'cat /proc/self/uid_map' | |
| kubectl exec -it host-mode -- /bin/sh -c 'cat /proc/self/gid_map' | |
| # let's deploy a pod setting the field to Cluster | |
| cat 003-cluster.yaml | |
| kubectl apply -f 003-cluster.yaml | |
| kubectl exec -it cluster-mode -- /bin/sh -c 'cat /proc/self/uid_map' | |
| kubectl exec -it cluster-mode -- /bin/sh -c 'cat /proc/self/gid_map' | |
| # let's deploy a pod with Cluster mode and with configMap volume | |
| cat 004-cluster-configmap.yaml | |
| kubectl apply -f 004-cluster-configmap.yaml | |
| configmap/myconfigmap created | |
| pod/cluster-configmap created | |
| kubectl exec -it cluster-configmap -- /bin/sh -c 'ls -lna /etc/configmap/content/..data/content' | |
| kubectl exec -it cluster-configmap -- /bin/sh -c 'cat /etc/configmap/content/..data/content' | |
| # let's deploy a couple of pods sharing a hostPath volume and let's see how them can share files without any access issue | |
| mkdir /tmp/demo | |
| sudo chown 100000:100000 /tmp/demo/ | |
| cat 005-volumes.yaml | |
| kubectl exec -it volumes1 -- /bin/sh -c 'echo "hi" > /etc/hostpath/mauricio.txt' | |
| kubectl exec -it volumes2 -- /bin/sh -c 'cat /etc/hostpath/mauricio.txt' | |
| ls -lna /tmp/demo | |
| # finally, let's deploy a pod with an fsgroup set and see how it's respected | |
| # there is a prepopulated volume with a file inside /tmp/demo2 | |
| mkdir /tmp/demo2 | |
| sudo chown 100000:100000 /tmp/demo2 | |
| sudo echo "hi from host" > /tmp/demo2/mauricio.txt | |
| sudo chown 0:5000 /tmp/demo2/mauricio.txt | |
| ls -lna /tmp/demo2/ | |
| cat /tmp/demo2/mauricio.txt | |
| sudo cat /tmp/demo2/mauricio.txt | |
| cat 006-fsgroup.yaml | |
| kubectl exec -it fsgroup -- /bin/sh -c 'cat /proc/self/gid_map' | |
| kubectl exec -it fsgroup -- /bin/sh -c 'cat /etc/hostpath/mauricio.txt' | |
| # that's all. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment