Run control-plane as non-root in kubeadm.

[vinayakankugoyal]

Enhancement Description

• One-line enhancement description (can be used as a release note): Run control-plane as non-root in kubeadm.
• Kubernetes Enhancement Proposal: https://github.com/kubernetes/enhancements/blob/master/keps/sig-cluster-lifecycle/kubeadm/2568-kubeadm-non-root-control-plane/
• Discussion Link:
• Primary contact (assignee): @vinayakankugoyal
• Responsible SIGs: sig-cluster-lifecycle, sig-security
• Enhancement target (which target equals to which milestone):
  • Alpha release target (x.y): 1.22
  • Beta release target (x.y): 1.24
  • Stable release target (x.y): 1.25
• Alpha
  • KEP (k/enhancements) update PR(s):
    • KEP-2568: Run control-plane as non-root in kubeadm. #2569
    • [KEP-2568] Production Readiness Review. #2620
    • Mark KEP-2568 as implementable. #2654
    • Update the KEP to call out why we don't plan to create groups for sha… #2739
  • Code (k/k) update PR(s):
    • runtime/default Seccomp Profile in kubeadm control-plane components. kubernetes#100234
    • Add a feature-gate to kubeadm to enable/disable rootless control-plane. kubernetes#102158
    • Add user and group name constants for kubeadm rootless control-plane. kubernetes#102494
    • kubeadm: add utilities to manage users and groups kubernetes#102463
    • Add utils to set file/directory owners and permissions. kubernetes#102604
    • Update CreateInitStaticPodManifestFiles, CreateStaticPodFiles and CreateLocalEtcdStaticPodManifestFile to take into account if the command was run as dry-run. kubernetes#102722
    • Update kubeadm control-plane to run as non-root. kubernetes#102759
    • Update etcd in kubeadm to run as non-root. kubernetes#102862
    • kubeadm: fix wrong check for keys/certs during "download-certs" kubernetes#103313
    • Fix incorrect user and group for kube-scheduler when it is running as non-root. kubernetes#103380
  • Docs (k/website) update PR(s): documentation updates are not required for kubeadm alpha features.

Please keep this description up to date. This will help the Enhancement Team to track the evolution of the enhancement efficiently.

k/kubeadm tracking issue:
kubernetes/kubeadm#1367
kubernetes/kubeadm#2473

[pacoxu]

/sig cluster-lifecycle

[vinayakankugoyal]

/milestone 1.22

[k8s-ci-robot]

@vinayakankugoyal: You must be a member of the kubernetes/milestone-maintainers GitHub team to set the milestone. If you believe you should be able to issue the /milestone command, please contact your and have them propose you as an additional delegate for this responsibility.

In response to this:

/milestone 1.22

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[pacoxu]

Feel free to ping me if any help is needed on this feature.
(develop/reviewing/testing)

[BenTheElder]

/milestone v1.22

[jrsapi]

Greetings @vinayakankugoyal!
1.22 Enhancement shadow checking in. After reviewing the KEP and PRR this has been marked as "Tracked" for 1.22. A reminder that the enhancement freeze starts Thursday, 5/13 at 23:59:59 PST.

Thanks!

[vinayakankugoyal]

Thanks @jrsapi. Is there any other action we need to take before 05/13?

[jrsapi]

No other action is needed. The KEP will be reviewed after the freeze by the release lead.

Thanks!

[ritpanjw]

Hello @vinayakankugoyal 👋 , 1.22 Docs Shadow here.

This enhancement is marked as Needs Docs for 1.22 release.
Please follow the steps detailed in the documentation to open a PR against dev-1.22 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Fri July 9, 11:59 PM PDT.
Also, take a look at Documenting for a release to familiarize yourself with the docs requirement for the release.

Thank you!

[vinayakankugoyal]

/assign @vinayakankugoyal

[neolit123]

note for the release team, this feature has just graduated to Alpha from our perspective:

• code changes were made
• e2e tests were added
• docs are not needed for the alpha

thanks to @vinayakankugoyal

punch card of the PRs is here:
kubernetes/kubeadm#2473

[neolit123]

Do we list kubeadm feature gates in https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/ ?

no, that page is only for core k8s FGs.

If not, where do we document those?

alpha kubeadm features behind a FGs are commonly not ducumented at k8s.io.
users can see it in a release note and can try it.
once a feature moves to beta. we document it as part of existing pages like "kubeadm init", "kubeadm join", etc.

[BenTheElder]

no, that page is only for core k8s FGs.

aside: I actually feel like this might need calling out there, most binaries in the Kubernetes release have a unified set of featuregates and kubeadm's being distinct is perhaps not the most obvious.

[dims]

@neolit123 @BenTheElder just one more reason kubeadm should be out-of-tree ...

[jrsapi]

Greetings @vinayakankugoyal,
This is a reminder that code freeze is coming up this Thursday, July 8th. All PR's need to be code complete and merged by the freeze. Can you update this issue if all PR's have been merged?
Also, this Friday, July 9th is the Docs placeholder PR deadline. Please follow the steps detailed in the documentation to open a PR against dev-1.22 branch in the k/website repo.

[neolit123]

@jrsapi
we consider this feature graduated to alpha.

documentation updates are not needed, e2e tests are running here:
https://k8s-testgrid.appspot.com/sig-cluster-lifecycle-kubeadm#kubeadm-kinder-rootless-latest

kubernetes/website#28788
is out of band for 1.22.

[PI-Victor]

@jrsapi
we consider this feature graduated to alpha.

documentation updates are not needed, e2e tests are running here:
https://k8s-testgrid.appspot.com/sig-cluster-lifecycle-kubeadm#kubeadm-kinder-rootless-latest

kubernetes/website#28788
is out of band for 1.22.

based on this comment, i will remove the 'Needs Docs' from this enhancements, thanks!

[neolit123]

we discussed in the kubeadm office hours for Sep 1st 2021 that we might want to delay the graduation to Beta to 1.24 to give the users one more release to find potential problems. none thus far.

i have updated the OP with BETA targeting 1.24.

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[BenTheElder]

/remove-lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[BenTheElder]

we discussed in the kubeadm office hours for Sep 1st 2021 that we might want to delay the graduation to Beta to 1.24 to give the users one more release to find potential problems. none thus far.

with 1.24 pending tomorrow, is this still the current state?

[neolit123]

a good summary is here:
kubernetes/kubeadm#2473 (comment)

we are considering user namespaces vs managed non-root users (this)

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[LyKos4]

Is this expected to be completed? For which pods it is expected to change the user to non root?

[neolit123]

Is this expected to be completed? For which pods it is expected to change the user to non root?

kubernetes/kubeadm#2473 (comment)