Feature: support uidmap with `podman play kube`

[akvadrako]

/kind feature

I would like to use pod.yaml as a rootless alternative to docker-compose. In a pod I'm working on, some containers expect to run as root and some expect to run as a non-root user. I would like all of them to map to my current user in the host's namespace.

For this I need some way to pass the uidmap option using a pod.yaml file. Something like:

spec:
  containers:
  - name: as1000
    securityContext:
      UIDMap: 300:0:1
      GIDMap: 300:0:1

Related: moby/moby#28593 kubernetes/enhancements#127 #6123

[rhatdan]

Is this syntax valid for Kubernetes?

[rhatdan]

@haircommander @giuseppe WDYT?

[haircommander]

hey @Akasurde upstream still seems to be figuring out how the support for usernamespaces will land. right now, it's added as an annotation, and only processed by the cri implementation. I would rather not handle this until there is clarity with the upstream on what the approach will be

[Akasurde]

@haircommander I think you meant @akvadrako

[haircommander]

oops, sorry for the noise, yes I did mean @akvadrako

[haircommander]

@akvadrako does the https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#securitycontext-v1-core runAsUser field fit your needs? I'm not sure we support it right now, but if you need a container to run as a certain user on the host, I do not think you need usernamespaces for that

[akvadrako]

runAsUser is supported, but it's not enough. For example, given this pod:

apiVersion: v1
kind: Pod
metadata: { name: demo }
spec:
  containers:
  - name: as1000
    image: docker.io/alpine
    command: [ "sh", "-c", "touch /tmp/abc-1000" ]
    securityContext:
      runAsUser: 1000
    volumeMounts:
    - { mountPath: /tmp, name: tmp }
  - name: asroot
    image: docker.io/alpine
    command: [ "sh", "-c", "touch /tmp/abc-root" ]
    securityContext:
      runAsUser: 0
    volumeMounts:
    - { mountPath: /tmp, name: tmp }
  volumes:
  - name: tmp
    hostPath: { path: /tmp }

one finds that:

• /tmp/abc-root is owned by my current user
• /tmp/abc-1000 is owned by 100999 (due to my /etc/subuid file)

but I want that both files are owned by my current user.

[dtitov]

If I understand this request correctly, it's about the possibility to achieve Podman's --userns=keep-id with podman play kube, which is currently not supported by this command (AFAIK). If it's the case, then +1 to the issue, it would be a very useful feature, IMHO.

[akvadrako]

According to the keep-id docs, that's not quite enough. It says it's only maps the current UID to the same UID in the container. But my containers are running with (A) uid=0 and (B) uid=123 (for example), while my UID is 1000. What I want is for A, 0 is mapped to 1000, while for B, 123 is mapped to 1000.

[dtitov]

Ah, I see, so you need a more comprehensive kind of mapping...

Well, for my personal use-case it's good enough to just get --userns=keep-id implemented in podman play kube context. Not use if I need to create a separate request for this, so I'm looking forward to the feedback from devs.

[github-actions]

A friendly reminder that this issue had no activity for 30 days.

[rhatdan]

I like the idea of podman play kube --userns=keep-id