Join Log in
Score:1
guettli avatar Server

Meaning of: supplementalGroups: [ 65534 ]?

cn flag
guettli

I am looking at this yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: kube-dns-autoscaler
  namespace: kube-system
  labels:
    k8s-app: kube-dns-autoscaler
    kubernetes.io/cluster-service: "true"
spec:
  selector:
    matchLabels:
      k8s-app: kube-dns-autoscaler
  template:
    metadata:
      labels:
        k8s-app: kube-dns-autoscaler
    spec:
      priorityClassName: system-cluster-critical
      securityContext:
        seccompProfile:
          type: RuntimeDefault
        supplementalGroups: [ 65534 ]
        fsGroup: 65534
      nodeSelector:
        kubernetes.io/os: linux
      containers:
      - name: autoscaler
        image: k8s.gcr.io/cpa/cluster-proportional-autoscaler:1.8.4
        resources:
            requests:
                cpu: "20m"
                memory: "10Mi"
        command:
          - /cluster-proportional-autoscaler
          - --namespace=kube-system
          - --configmap=kube-dns-autoscaler
          # Should keep target in sync with cluster/addons/dns/kube-dns.yaml.base
          - --target=<SCALE_TARGET>
          # When cluster is using large nodes(with more cores), "coresPerReplica" should dominate.
          # If using small nodes, "nodesPerReplica" should dominate.
          - --default-params={"linear":{"coresPerReplica":256,"nodesPerReplica":16,"preventSinglePointFailure":true,"includeUnschedulableNodes":true}}
          - --logtostderr=true
          - --v=2

Source: https://kubernetes.io/docs/tasks/administer-cluster/dns-horizontal-autoscaling/#enablng-dns-horizontal-autoscaling

Where can I find the documentation for these magic numbers?

        supplementalGroups: [ 65534 ]
        fsGroup: 65534
84
0 + 0
Mikołaj Głodziak avatar
id flag
Mikołaj Głodziak
I found a very similar question about [fsGroup and supplementalGroups](https://stackoverflow.com/questions/69805813/fsgroup-vs-supplementalgroups) will it be useful to you?
1
Reply
guettli avatar
cn flag
guettli
@MikołajGłodziak this question/answer does not help me much. Sorry.
0
Reply
Score:2
avatar Server
ng flag
Mykola

Where can I find the documentation for these magic numbers?

It comes from Users, Groups, UIDs and GIDs on systemd Systems. Here you can work with different parameters and also ranges more info about systems UID/GID.

Special Linux UIDs In theory, the range of the C type uid_t is 32bit wide on Linux, i.e. 0…4294967295. However, four UIDs are special on Linux:

  1. 0 → The root super-user

  2. 65534 → The nobody UID, also called the “overflow” UID or similar. It’s where various subsystems map unmappable users to, for example file systems only supporting 16bit UIDs, NFS or user namespacing. (The latter can be changed with a sysctl during runtime, but that’s not supported on systemd. If you do change it you void your warranty.) Because Fedora is a bit confused the nobody user is called nfsnobody there (and they have a different nobody user at UID 99). I hope this will be corrected eventually though. (Also, some distributions call the nobody group nogroup. I wish they didn’t.)

  3. 4294967295, aka “32bit (uid_t) -1” → This UID is not a valid user ID, as setresuid(), chown() and friends treat -1 as a special request to not change the UID of the process/file. This UID is hence not available for assignment to users in the user database.

  4. 65535, aka “16bit (uid_t) -1” → Before Linux kernel 2.4 uid_t used to be 16bit, and programs compiled for that would hence assume that (uid_t) -1 is 65535. This UID is hence not usable either.

Well, we have parameters in Kubernetes and let's describe what it is:

SupplementalGroups - Controls which group IDs containers add.

  • MustRunAs - Requires at least one range to be specified. Uses the minimum value of the first range as the default. Validates against all ranges.
  • MayRunAs - Requires at least one range to be specified. Allows supplementalGroups to be left unset without providing a default. Validates against all ranges if supplementalGroups is set.
  • RunAsAny - No default provided. Allows any supplementalGroups to be specified.

FSGroup - Controls the supplemental group applied to some volumes.

  • MustRunAs - Requires at least one range to be specified. Uses the minimum value of the first range as the default. Validates against all ranges.
  • MayRunAs - Requires at least one range to be specified. Allows FSGroups to be left unset without providing a default. Validates against all ranges if FSGroups is set.
  • RunAsAny - No default provided. Allows any fsGroup ID to be specified.
0 + 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.