Containers need a PAM config that contacts the labs LDAP for user/group information. This is required because:
1. Our cluster enforces that each tool runs as the specific UID associated with its LDAP account. This both protects against the problems of tools running as root inside containers and makes NFS permissions work correctly.
2. There is no entry for this UID/GID inside the container (/etc/passwd, /etc/group, etc.). Programs that look up the name of the current user (which many do, e.g. via getpwuid()) therefore fail or crash.
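To make the failure mode in (2) concrete, here is an added example (not code from this task or from the project) of a preflight check that a container entrypoint could run: it resolves the current UID/GID the same way getpwuid()/getgrgid() do in real programs, and reports the missing entry instead of crashing. The sample /etc/passwd and /etc/group contents, and the function names, are constructed for this example.

```python
"""Preflight check: does the UID/GID this container runs as resolve to a name?
Added example, not code from the task or the project."""
import grp
import os
import pwd

# Constructed sample of a container image's /etc/passwd and /etc/group,
# i.e. one that knows nothing about LDAP users. Not taken from the task.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n"
)
SAMPLE_GROUP = (
    "root:x:0:\n"
    "nogroup:x:65534:\n"
)


def parse_passwd(text):
    """Map uid -> user name from passwd(5)-formatted text; malformed lines are skipped."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue
        users[int(fields[2])] = fields[0]
    return users


def parse_group(text):
    """Map gid -> group name from group(5)-formatted text; malformed lines are skipped."""
    groups = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 4 or not fields[2].isdigit():
            continue
        groups[int(fields[2])] = fields[0]
    return groups


def resolve_ids(uid, gid, passwd_text, group_text):
    """Resolve a UID/GID against passwd/group text. 'ok' is False when either
    lookup fails, which is the state a tool container is in when it runs as
    an LDAP UID that only exists outside the image."""
    user = parse_passwd(passwd_text).get(uid)
    group = parse_group(group_text).get(gid)
    return {"uid": uid, "gid": gid, "user": user, "group": group,
            "ok": user is not None and group is not None}


def check_runtime():
    """Live version of the same check through the libc name service (pwd/grp),
    which is what getpwuid()-style lookups in real programs go through.
    Reports the missing entry instead of raising, so it can run as an
    entrypoint preflight."""
    uid, gid = os.getuid(), os.getgid()
    try:
        user = pwd.getpwuid(uid).pw_name
    except KeyError:  # no passwd entry for this UID: the crash case
        user = None
    try:
        group = grp.getgrgid(gid).gr_name
    except KeyError:  # no group entry for this GID
        group = None
    return {"uid": uid, "gid": gid, "user": user, "group": group,
            "ok": user is not None and group is not None}


if __name__ == "__main__":
    result = check_runtime()
    print(result)
    raise SystemExit(0 if result["ok"] else 1)
```

Run it inside the image as the tool's UID: a non-zero exit means that whatever is supposed to supply user/group information (image files or the LDAP-backed config) does not know this user, and any program that calls getpwuid() will hit the same failure.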
Figure out the appropriate PAM configuration to use inside containers, and how best to refresh and redeploy it.
Options include:
1. Bake it into the container image. This is simplest, but a rebuild and redeploy can take a while when a change is needed.
2. Write the config out with puppet on the k8s worker nodes and mount it read-only by default via an admission controller.
3. Something else.
(1) might be the simplest / right thing to do, but it'll make our containers useless outside of the labs environment. (2) is a bit ugly but very effective, and decouples container building from our environment-specific stuff. (3) could be a ConfigMap or a similar alternative, but I am not too sure those will work in a reasonably foolproof manner.