
runAsGroup vs supplementalGroups #1180

Open
vbatts opened this issue Feb 6, 2023 · 3 comments

Comments

@vbatts
Member

vbatts commented Feb 6, 2023

There is a thread going on in k8s KEP regarding subtle and inconsistent behaviors between runAsGroup and supplementalGroups.

@thockin summarizes here: kubernetes/enhancements#3620 (comment)

It sounds like runtime-spec and runc may currently be inconsistent/broken, but to "fix" it would be potentially a breaking change.

cc @opencontainers/runtime-spec-maintainers

@vbatts
Member Author

vbatts commented Feb 6, 2023

cc @opencontainers/runc-maintainers too

@thockin

thockin commented Feb 6, 2023

Also kubernetes/enhancements#3620

@mrunalp
Contributor

mrunalp commented Feb 6, 2023

Image spec covers how to convert values over from config.User to runtime config.json.
https://github.com/opencontainers/imagespec/blob/main/conversion.md#configuser

Runtime spec only specifies the processing of final values for uid/gid/groups as set in the config.json.
https://github.com/opencontainers/runtime-spec/blob/main/config.md#posix-platform-user
and has a note:

Note: symbolic name for uid and gid, such as uname and gname respectively, are left to upper levels to derive (i.e. /etc/passwd parsing, NSS, etc)

What is missing is the runtime override behavior that @thockin's comments here cover:
kubernetes/enhancements#3620 (comment)
kubernetes/enhancements#3620 (comment)

There isn't a clear place for it in OCI as we don't define an API/CLI for higher level runtimes in the runtime spec.

Possible choices:

  1. Expand the image spec conversion with runtime overrides.
  2. Add a new section to the runtime spec that covers how overrides are dealt with, in loose enough language that higher-level CLI/API flags are covered.
  3. Not have an opinion and let K8s/CRI define it.
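As an added illustration of the conversion step mrunalp points to (this is example code, not from the image spec, the runtime spec or runc), the converter below turns a config.User string into the numeric process.user fields, resolving symbolic names against the image's /etc/passwd and /etc/group, which is exactly the work the runtime-spec note leaves to upper levels. The passwd/group content is constructed, and the rule used to derive additionalGids (every /etc/group entry that lists the user) is this example's own choice, not a spec requirement.

```python
from dataclasses import dataclass, field

# Constructed sample of an image's /etc/passwd and /etc/group (not real data).
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/sh\napp:x:1000:1000:app:/home/app:/bin/sh\n"
SAMPLE_GROUP = "root:x:0:\napp:x:1000:\naudio:x:29:app\nvideo:x:44:app\n"

@dataclass
class RuntimeUser:
    """The numeric fields of runtime-spec process.user on POSIX platforms."""
    uid: int
    gid: int
    additionalGids: list = field(default_factory=list)

def parse_passwd(text):
    """login name -> (uid, primary gid), from /etc/passwd-style lines."""
    rows = [l.split(":") for l in text.splitlines() if l.strip()]
    return {f[0]: (int(f[2]), int(f[3])) for f in rows if len(f) >= 4}

def parse_group(text):
    """group name -> gid, and gid -> member names, from /etc/group-style lines."""
    rows = [l.split(":") for l in text.splitlines() if l.strip()]
    by_name = {f[0]: int(f[2]) for f in rows if len(f) >= 4}
    members = {int(f[2]): [m for m in f[3].split(",") if m] for f in rows if len(f) >= 4}
    return by_name, members

def convert_user(user_field, passwd_text, group_text):
    """Resolve an image-config User string ("", "uid", "user", "uid:gid", "user:group", ...)
    into process.user values, using the image's own passwd/group files."""
    users = parse_passwd(passwd_text)
    gid_by_name, members = parse_group(group_text)
    name, _, grp = user_field.partition(":")
    name = name or "0"            # an empty User means uid 0
    if name.isdigit():            # numeric uid is kept even without a passwd entry
        uid = int(name)
        uname = next((n for n, (u, _) in users.items() if u == uid), None)
    else:                         # symbolic name must exist in /etc/passwd
        uid, _ = users[name]
        uname = name
    if grp == "":                 # no group given: primary gid from passwd, else 0
        gid = users[uname][1] if uname else 0
    elif grp.isdigit():
        gid = int(grp)
    else:
        gid = gid_by_name[grp]
    # Example policy (assumption): supplementary gids are the groups listing the user,
    # minus the primary gid. The spec itself does not dictate this rule.
    extra = sorted(g for g, ms in members.items() if uname in ms and g != gid) if uname else []
    return RuntimeUser(uid, gid, extra)
```

The interesting case for the KEP discussion is the difference between "app" and "1000:44": an explicit group overrides the primary gid, but whether the /etc/group-derived supplementary groups are still merged in is a policy decision that neither spec currently pins down.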
