The supplementalGroupsPolicy field, introduced as an alpha feature in Kubernetes v1.31, has graduated to beta in v1.33 and is enabled by default there; it gives finer control over which supplementary groups a container's processes receive.
The feature makes group membership explicit in the Pod manifest, which matters most for volume access (file permissions are often granted by group), and adds UID/GID transparency: the Pod status now reports the actual uid, gid and supplementary groups of each container's first process under .status.containerStatuses[].user.linux.
The beta release changes behavior compared with alpha; see the 'The Behavioral Changes Introduced In Beta' and 'Upgrade Considerations' sections for details before enabling it in an existing cluster.
By default, Kubernetes merges the group information from the Pod (fsGroup, supplementalGroups, runAsGroup) with the memberships defined in /etc/group inside the container image.
Because /etc/group membership is merged implicitly, a container can end up in groups that appear nowhere in the Pod manifest: anyone who controls the image can grant its user extra groups, and a cluster operator reviewing only the Pod spec cannot see them, so access to group-owned files and volumes may be wider than intended.
The introduction of supplementalGroupsPolicy field in Pod's securityContext enables fine-grained control over group memberships in container processes.
The available policies are Merge (the default, equal to the previous behavior) and Strict; under Strict, memberships from /etc/group are ignored and no group ID outside fsGroup, supplementalGroups, or runAsGroup is attached.
Strict therefore guarantees that the supplementary groups of container processes are exactly those declared in the Pod manifest, closing the implicit-membership gap; it does not affect the primary gid chosen by runAsGroup.
Strict requires CRI runtime support, available in containerd v2.0+ and CRI-O v1.31+; a node that supports it reports .status.features.supplementalGroupsPolicy: true in its Node status, which you can check with kubectl before relying on the policy.
In the v1.31 alpha, a Strict Pod scheduled to a node without support silently fell back to Merge; in the v1.33 beta the kubelet instead rejects such a Pod and emits a warning event, so the 'Upgrade Considerations' section should be consulted to confirm every node's runtime is ready.
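The following Python model illustrates the Merge and Strict resolution described above together with the node feature check and the beta admission rule. It is an added illustration, not kubelet, containerd or CRI-O code; the /etc/passwd and /etc/group contents are constructed to mirror the kind of image the post describes (a user plus an extra group baked into the image), and the PodSecurityContext and admits helpers are hypothetical names chosen for this example.

```python
"""Model of how the supplementary groups of a container's first process are
resolved under supplementalGroupsPolicy Merge and Strict.

Added illustration, not Kubernetes or runtime code.  Assumption: runAsUser is
always set in the Pod, so the image's USER directive is not modelled.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed image files: the user exists in /etc/passwd and /etc/group makes
# that user a member of group 50000, which the Pod spec never mentions.
IMAGE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
user-defined-in-image:x:1000:1000::/home/user-defined-in-image:/bin/sh
"""
IMAGE_GROUP = """\
root:x:0:
user-defined-in-image:x:1000:
group-defined-in-image:x:50000:user-defined-in-image
"""


def parse_passwd(text: str) -> dict[int, str]:
    """Map uid -> user name from passwd(5) lines; malformed lines are skipped."""
    users: dict[int, str] = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2].isdigit():
            users[int(parts[2])] = parts[0]
    return users


def parse_group(text: str) -> dict[int, set[str]]:
    """Map gid -> member names from group(5) lines (4th field, comma separated)."""
    groups: dict[int, set[str]] = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 4 and parts[2].isdigit():
            members = {m for m in parts[3].split(",") if m}
            groups.setdefault(int(parts[2]), set()).update(members)
    return groups


def image_group_memberships(uid: int, passwd: str, group: str) -> set[int]:
    """Groups that /etc/group grants to the user behind `uid` (what Merge adds)."""
    name = parse_passwd(passwd).get(uid)
    if name is None:
        return set()  # uid unknown to the image: nothing to merge
    return {gid for gid, members in parse_group(group).items() if name in members}


@dataclass
class PodSecurityContext:
    """The subset of pod.spec.securityContext that influences group resolution."""
    run_as_user: int
    run_as_group: int
    supplemental_groups: list[int] = field(default_factory=list)
    fs_group: int | None = None
    supplemental_groups_policy: str = "Merge"  # Kubernetes default


def effective_groups(sc: PodSecurityContext, passwd: str = IMAGE_PASSWD,
                     group: str = IMAGE_GROUP) -> list[int]:
    """Sorted group list as `id` would print it (primary gid included)."""
    groups = {sc.run_as_group, *sc.supplemental_groups}
    if sc.fs_group is not None:
        groups.add(sc.fs_group)  # kubelet hands fsGroup to the runtime as a supplementary group
    if sc.supplemental_groups_policy == "Merge":
        groups |= image_group_memberships(sc.run_as_user, passwd, group)
    elif sc.supplemental_groups_policy != "Strict":
        raise ValueError(f"unknown supplementalGroupsPolicy {sc.supplemental_groups_policy!r}")
    return sorted(groups)


def node_supports_policy(node: dict) -> bool:
    """True when the Node reports .status.features.supplementalGroupsPolicy: true."""
    features = node.get("status", {}).get("features", {})
    return bool(features.get("supplementalGroupsPolicy", False))


def admits(sc: PodSecurityContext, node: dict) -> bool:
    """v1.33 beta rule: a Strict Pod is rejected on a node that cannot enforce it."""
    return sc.supplemental_groups_policy != "Strict" or node_supports_policy(node)


if __name__ == "__main__":
    merge = PodSecurityContext(1000, 3000, [4000])
    strict = PodSecurityContext(1000, 3000, [4000], supplemental_groups_policy="Strict")
    print("Merge :", effective_groups(merge))
    print("Strict:", effective_groups(strict))
```

Running the script shows the implicit membership the text warns about: under Merge the process carries groups 3000, 4000 and 50000 even though 50000 is absent from the Pod spec, while Strict yields only 3000 and 4000. The node check reads the same field the kubelet consults, so the same logic can be pointed at `kubectl get node <name> -o json` output to verify readiness before setting Strict.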