Kubernetes v1.33: Fine-grained... Note

Kubernetes v1.33: Fine-grained SupplementalGroups Control Graduates to Beta

Kubernetes has introduced a new feature called supplementalGroupsPolicy, which allows for more precise control over supplemental groups in containers, enhancing security posture and transparency of UID/GID details. This feature has graduated from alpha to beta in Kubernetes v1.33. The feature enables the implementation of more precise control over supplemental groups in containers, particularly in accessing volumes. By default, Kubernetes merges group information from the Pod with information defined in /etc/group in the container image, which can lead to security risks. The supplementalGroupsPolicy field in the Pod's security context allows for control over how Kubernetes calculates supplementary groups for container processes within a Pod. The Strict policy ignores group memberships defined in /etc/group for the container's primary user, ensuring that only specified group IDs are attached as supplementary groups to the container processes. This feature also exposes the process identity attached to the first container process of the container via the .status.containerStatuses[].user.linux field. The supplementalGroupsPolicy only affects the initial process identity, and a container with sufficient privileges can change its process identity. The Strict policy requires a CRI runtime that support this feature, such as containerd v2.0 or later, and CRI-O v1.31 or later.