I am looking at this YAML:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kube-dns-autoscaler
  namespace: kube-system
  labels:
    k8s-app: kube-dns-autoscaler
    kubernetes.io/cluster-service: "true"
spec:
  selector:
    matchLabels:
      k8s-app: kube-dns-autoscaler
  template:
    metadata:
      labels:
        k8s-app: kube-dns-autoscaler
    spec:
      priorityClassName: system-cluster-critical
      securityContext:
        seccompProfile:
          type: RuntimeDefault
        supplementalGroups: [ 65534 ]
        fsGroup: 65534
      nodeSelector:
        kubernetes.io/os: linux
      containers:
      - name: autoscaler
        image: k8s.gcr.io/cpa/cluster-proportional-autoscaler:1.8.4
        resources:
            requests:
                cpu: "20m"
                memory: "10Mi"
        command:
          - /cluster-proportional-autoscaler
          - --namespace=kube-system
          - --configmap=kube-dns-autoscaler
          # Should keep target in sync with cluster/addons/dns/kube-dns.yaml.base
          - --target=<SCALE_TARGET>
          # When cluster is using large nodes(with more cores), "coresPerReplica" should dominate.
          # If using small nodes, "nodesPerReplica" should dominate.
          - --default-params={"linear":{"coresPerReplica":256,"nodesPerReplica":16,"preventSinglePointFailure":true,"includeUnschedulableNodes":true}}
          - --logtostderr=true
          - --v=2
```

Source: https://kubernetes.io/docs/tasks/administer-cluster/dns-horizontal-autoscaling/#enablng-dns-horizontal-autoscaling

Where can I find the documentation for these magic numbers?

```yaml
        supplementalGroups: [ 65534 ]
        fsGroup: 65534
```
guettli
  • I found a very similar question about [fsGroup and supplementalGroups](https://stackoverflow.com/questions/69805813/fsgroup-vs-supplementalgroups). Will it be useful to you? – Mikołaj Głodziak Mar 28 '22 at 15:31
  • @MikołajGłodziak this question/answer does not help me much. Sorry. – guettli Mar 28 '22 at 18:17

1 Answer

> Where can I find the documentation for these magic numbers?

It comes from "Users, Groups, UIDs and GIDs on systemd Systems". There you can work with different parameters and ranges, and find more info about system UIDs/GIDs.

Special Linux UIDs

In theory, the range of the C type uid_t is 32bit wide on Linux, i.e. 0…4294967295. However, four UIDs are special on Linux:

  1. 0 → The root super-user

  2. 65534 → The nobody UID, also called the “overflow” UID or similar. It’s where various subsystems map unmappable users to, for example file systems only supporting 16bit UIDs, NFS or user namespacing. (The latter can be changed with a sysctl during runtime, but that’s not supported on systemd. If you do change it you void your warranty.) Because Fedora is a bit confused the nobody user is called nfsnobody there (and they have a different nobody user at UID 99). I hope this will be corrected eventually though. (Also, some distributions call the nobody group nogroup. I wish they didn’t.)

  3. 4294967295, aka “32bit (uid_t) -1” → This UID is not a valid user ID, as setresuid(), chown() and friends treat -1 as a special request to not change the UID of the process/file. This UID is hence not available for assignment to users in the user database.

  4. 65535, aka “16bit (uid_t) -1” → Before Linux kernel 2.4 uid_t used to be 16bit, and programs compiled for that would hence assume that (uid_t) -1 is 65535. This UID is hence not usable either.

Well, we have these parameters in Kubernetes, so let's describe what they are:

SupplementalGroups - Controls which group IDs containers add.

  • MustRunAs - Requires at least one range to be specified. Uses the minimum value of the first range as the default. Validates against all ranges.
  • MayRunAs - Requires at least one range to be specified. Allows supplementalGroups to be left unset without providing a default. Validates against all ranges if supplementalGroups is set.
  • RunAsAny - No default provided. Allows any supplementalGroups to be specified.

FSGroup - Controls the supplemental group applied to some volumes.

  • MustRunAs - Requires at least one range to be specified. Uses the minimum value of the first range as the default. Validates against all ranges.
  • MayRunAs - Requires at least one range to be specified. Allows FSGroups to be left unset without providing a default. Validates against all ranges if FSGroups is set.
  • RunAsAny - No default provided. Allows any fsGroup ID to be specified.
Mykola
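As an added example (not part of the answer above and not Kubernetes' own code), this Python model shows how the three rules listed for SupplementalGroups and FSGroup treat a requested group such as 65534. The function names, the `(min, max)` tuple format for ranges and the sample policies are assumptions made for illustration.

```python
# Special IDs as described in the list quoted in the answer above.
SPECIAL_IDS = {
    0: "root",
    65534: "nobody / overflow ID",
    65535: "16-bit (uid_t) -1, not usable",
    4294967295: "32-bit (uid_t) -1, not usable",
}

def special_ids(gids):
    """Return the subset of gids that has a special meaning on Linux."""
    return {g: SPECIAL_IDS[g] for g in gids if g in SPECIAL_IDS}

def resolve_groups(rule, ranges, requested):
    """Return the group IDs a pod ends up with, or raise ValueError.

    rule      -- "MustRunAs", "MayRunAs" or "RunAsAny"
    ranges    -- list of inclusive (min, max) tuples from the policy
    requested -- group IDs from the pod spec, or None when unset
    (Hypothetical helper; it only models the rules as worded above.)
    """
    if rule == "RunAsAny":
        # No default provided; any requested ID is accepted.
        return list(requested or [])
    if rule not in ("MustRunAs", "MayRunAs"):
        raise ValueError(f"unknown rule {rule!r}")
    if not ranges:
        raise ValueError(f"{rule} requires at least one range")
    if not requested:
        # MustRunAs defaults to the minimum of the first range;
        # MayRunAs leaves the field unset.
        return [ranges[0][0]] if rule == "MustRunAs" else []
    for gid in requested:
        # A requested ID must fall inside at least one allowed range.
        if not any(lo <= gid <= hi for lo, hi in ranges):
            raise ValueError(f"group {gid} is outside the allowed ranges")
    return list(requested)

if __name__ == "__main__":
    # Constructed sample: the value from the question checked against
    # two constructed policies.
    pod_groups = [65534]
    print(special_ids(pod_groups))
    print(resolve_groups("MustRunAs", [(65534, 65534)], None))
    try:
        resolve_groups("MustRunAs", [(1000, 2000)], pod_groups)
    except ValueError as err:
        print("rejected:", err)
```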