Switch to use runAsUser and runAsGroup (#26)

CHANGELOG.md

@@ -7,6 +7,27 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.2.0] - 2022-10-12
+
+### BREAKING CHANGES
+
+- Will no longer set `fsGroup` to the current host GID by default.
+- Will now set `runAsUser` to the current host UID and `runAsGroup` to the current host GID instead.
+- Added new `--run-as-current-user` and `--run-as-current-group` options to disable this new behavior.
+
+Should be fine for most cases, but note that depending on what is in the image - it might break stuff sometimes.
+Some images might rely on the user home directory. This new behavior is changing the user `id`, so the home directory bundled with the image no longer accessible.
+In other cases, some software might not like that the current `id` set to the user that doesn't exists in the system. I.e.:
+
+```bash
+runtainer -q alpine whoami
+whoami: unknown uid 1000
+```
+
+### Also in this release
+
+- Updated all dependencies
+
 ## [0.1.6] - 2022-04-30
 
 ### Changed

README.md

@@ -16,6 +16,7 @@ Run anything as a container (in local Kubernetes cluster).
     - [Usage](#usage)
       - [Basic container run](#basic-container-run)
       - [Exec into container and stay there](#exec-into-container-and-stay-there)
+      - [Run As](#run-as)
       - [Extra volumes and port forwarding](#extra-volumes-and-port-forwarding)
       - [Extra ENV variables](#extra-env-variables)
       - [Injecting secrets](#injecting-secrets)
@@ -84,7 +85,7 @@ As the mount point `/mnt/wsl` is getting nuked every reboot - adding that to `/e
 #### Linux
 
 - Docker CE: :grey_question:
-- K3s: :grey_question:
+- K3s: :white_check_mark:
 - K3d: :grey_question:
 - Rancher Desktop (K3s): :grey_question:
 - Rancher Desktop (K3d): :grey_question:
@@ -164,6 +165,19 @@ runtainer maven:3.6.3-jdk-14 mvn -- -version
 runtainer alpine sh
 ```
 
+#### Run As
+
+By default, RT will use `runAsUser` and `runAsGroup` for security context of the pod to make it UID and GID of the local host user. This might not always work and it depends on the image and what you are trying to do with it.
+
+Some images and software in them might rely on the user home directory. As RT will essentially change the `id` of the user - the home directory bundled with the image will no longer be accessible.
+
+In other cases, some software might not like that the current `id` is set to the user that doesn't exists in the system. For example a simple `whoami` will not work:
+
+```bash
+runtainer -q alpine whoami
+whoami: unknown uid 1000
+```
+
 #### Extra volumes and port forwarding
 
 This one is especially fun as basically this Jenkins Master in the container will have aws/k8s/etc access right from your laptop. How cool is that, huh?

backends/k8s/k8s.go

@@ -82,8 +82,15 @@ func Run(containerCmd, containerArgs []string) {
 		}
 	}
 
-	if h.GID > 0 {
-		podSpec.Spec.SecurityContext.SupplementalGroups = []int64{h.GID}
+	if viper.GetBool("run-as-current-user") {
+		podSpec.Spec.SecurityContext.RunAsUser = &h.UID
+	}
+
+	podSpec.Spec.SecurityContext.SupplementalGroups = []int64{h.GID}
+
+	if viper.GetBool("run-as-current-user") && viper.GetBool("run-as-current-group") {
+		podSpec.Spec.SecurityContext.RunAsGroup = &h.GID
+	} else if h.GID > 0 {
 		podSpec.Spec.SecurityContext.FSGroup = &h.GID
 	}
 

cmd/root.go

@@ -143,6 +143,16 @@ func init() {
 		llog.Panic(err)
 	}
 
+	rootCmd.PersistentFlags().BoolP("run-as-current-user", "U", true, "Will set runAsUser to the current host UID.")
+	if err := viper.BindPFlag("run-as-current-user", rootCmd.PersistentFlags().Lookup("run-as-current-user")); err != nil {
+		llog.Panic(err)
+	}
+
+	rootCmd.PersistentFlags().BoolP("run-as-current-group", "G", true, "Will set runAsGroup to the current host GID. Ignored if -U=false. If disabled - will set fsGroup to the current host GID instead.")
+	if err := viper.BindPFlag("run-as-current-group", rootCmd.PersistentFlags().Lookup("run-as-current-group")); err != nil {
+		llog.Panic(err)
+	}
+
 	rootCmd.PersistentFlags().Bool("dry-run", false, "Dry Run mode will not execute the container, only print to StdOut a pod spec it would have run.")
 	if err := viper.BindPFlag("dry-run", rootCmd.PersistentFlags().Lookup("dry-run")); err != nil {
 		llog.Panic(err)

go.mod

@@ -5,52 +5,49 @@ go 1.18
 require (
 	github.com/mitchellh/go-homedir v1.1.0
 	github.com/mitchellh/mapstructure v1.5.0
-	github.com/moby/term v0.0.0-20210619224110-3f7ff695adc6
-	github.com/spf13/afero v1.8.2
-	github.com/spf13/cobra v1.4.0
-	github.com/spf13/viper v1.11.0
-	golang.org/x/exp v0.0.0-20220428152302-39d4317da171
-	golang.org/x/term v0.0.0-20220411215600-e5f449aeb171
-	helm.sh/helm/v3 v3.8.2
-	k8s.io/api v0.23.6
-	k8s.io/apimachinery v0.23.6
-	k8s.io/cli-runtime v0.23.6
-	k8s.io/client-go v0.23.6
-	k8s.io/kubectl v0.23.6
+	github.com/moby/term v0.0.0-20220808134915-39b0c02b01ae
+	github.com/spf13/afero v1.9.2
+	github.com/spf13/cobra v1.6.0
+	github.com/spf13/viper v1.13.0
+	golang.org/x/exp v0.0.0-20221012211006-4de253d81b95
+	golang.org/x/term v0.0.0-20220919170432-7a66f970e087
+	helm.sh/helm/v3 v3.9.2
+	k8s.io/api v0.25.0-alpha.2
+	k8s.io/apimachinery v0.25.0-alpha.2
+	k8s.io/cli-runtime v0.25.0-alpha.2
+	k8s.io/client-go v0.25.0-alpha.2
+	k8s.io/kubectl v0.25.0-alpha.2
 )
 
-// Seems like upstream lock is broken, causing version mismatch with k8s.io/kube-openapi and others
-replace k8s.io/kube-openapi => k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65
-
 require (
 	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
 	github.com/MakeNowJust/heredoc v1.0.0 // indirect
-	github.com/chai2010/gettext-go v0.0.0-20160711120539-c6fed771bfd5 // indirect
+	github.com/chai2010/gettext-go v1.0.2 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/emicklei/go-restful/v3 v3.8.0 // indirect
 	github.com/evanphx/json-patch v5.6.0+incompatible // indirect
 	github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect
 	github.com/fatih/camelcase v1.0.0 // indirect
-	github.com/fsnotify/fsnotify v1.5.4 // indirect
+	github.com/fsnotify/fsnotify v1.6.0 // indirect
 	github.com/fvbommel/sortorder v1.0.2 // indirect
 	github.com/go-errors/errors v1.4.2 // indirect
 	github.com/go-logr/logr v1.2.3 // indirect
 	github.com/go-openapi/jsonpointer v0.19.5 // indirect
 	github.com/go-openapi/jsonreference v0.20.0 // indirect
-	github.com/go-openapi/swag v0.21.1 // indirect
+	github.com/go-openapi/swag v0.22.3 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
-	github.com/google/btree v1.0.1 // indirect
+	github.com/google/btree v1.1.2 // indirect
 	github.com/google/gnostic v0.6.9 // indirect
-	github.com/google/go-cmp v0.5.8 // indirect
+	github.com/google/go-cmp v0.5.9 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/google/uuid v1.3.0 // indirect
-	github.com/googleapis/gnostic v0.5.5 // indirect
 	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
-	github.com/imdario/mergo v0.3.12 // indirect
-	github.com/inconshreveable/mousetrap v1.0.0 // indirect
+	github.com/imdario/mergo v0.3.13 // indirect
+	github.com/inconshreveable/mousetrap v1.0.1 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
@@ -61,38 +58,39 @@ require (
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/pelletier/go-toml v1.9.5 // indirect
-	github.com/pelletier/go-toml/v2 v2.0.0 // indirect
+	github.com/pelletier/go-toml/v2 v2.0.5 // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/russross/blackfriday v1.6.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
-	github.com/spf13/cast v1.4.1 // indirect
+	github.com/spf13/cast v1.5.0 // indirect
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/stretchr/testify v1.7.1 // indirect
-	github.com/subosito/gotenv v1.2.0 // indirect
+	github.com/stretchr/testify v1.8.0 // indirect
+	github.com/subosito/gotenv v1.4.1 // indirect
 	github.com/xlab/treeprint v1.1.0 // indirect
-	go.starlark.net v0.0.0-20220328144851-d1966c6b9fcd // indirect
-	golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4 // indirect
-	golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5 // indirect
-	golang.org/x/sys v0.0.0-20220429233432-b5fbb4746d32 // indirect
-	golang.org/x/text v0.3.7 // indirect
-	golang.org/x/time v0.0.0-20220411224347-583f2d630306 // indirect
+	go.starlark.net v0.0.0-20221010140840-6bf6f0955179 // indirect
+	golang.org/x/net v0.0.0-20221012135044-0b7e1fb9d458 // indirect
+	golang.org/x/oauth2 v0.0.0-20221006150949-b44042a4b9c1 // indirect
+	golang.org/x/sys v0.0.0-20221010170243-090e33056c14 // indirect
+	golang.org/x/text v0.3.8 // indirect
+	golang.org/x/time v0.0.0-20220922220347-f3bd1da661af // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/protobuf v1.28.0 // indirect
+	google.golang.org/protobuf v1.28.1 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
-	gopkg.in/ini.v1 v1.66.4 // indirect
+	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
-	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
-	k8s.io/component-base v0.23.6 // indirect
-	k8s.io/klog/v2 v2.60.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65 // indirect
-	k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 // indirect
-	sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+	k8s.io/component-base v0.25.0-alpha.2 // indirect
+	k8s.io/klog/v2 v2.80.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20220603121420-31174f50af60 // indirect
+	k8s.io/utils v0.0.0-20221012122500-cfd413dd9e85 // indirect
+	sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect
 	sigs.k8s.io/kustomize/api v0.11.4 // indirect
 	sigs.k8s.io/kustomize/kyaml v0.13.6 // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 	sigs.k8s.io/yaml v1.3.0 // indirect
 )