Mirantis / cri-dockerd

dockerd as a compliant Container Runtime Interface for Kubernetes
https://mirantis.github.io/cri-dockerd/
Apache License 2.0

device_ownership_from_security_context = true Is this supported ? #397

Open socceranoo opened 2 months ago

socceranoo commented 2 months ago

Expected Behavior

CRI-O / containerd implement device_ownership_from_security_context = true, where the device mounts follow the security context declared in the pod spec.

Actual Behavior

cri-dockerd / docker doesn't honor the permissions of devices to match those of the user.

Steps to Reproduce the Problem

1.
2.
3.

Specifications

afbjorklund commented 2 months ago

It seems like this kubernetes 1.22 feature was never ported over to the docker runtime:

As mentioned in the release blog (that only talks about cri-o and containerd, not docker):

afbjorklund commented 2 months ago

As far as I can tell, it is missing from the docker API parameters:

package container

// DeviceMapping represents the device mapping between the host and the container.
// Note that it carries only paths and cgroup permissions; there is no field for
// the uid/gid (or mode) of the device node created inside the container.
type DeviceMapping struct {
        PathOnHost        string
        PathInContainer   string
        CgroupPermissions string
}

So there doesn't seem to be a way to change the Linux.Device
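To make the gap concrete, here is an added illustration (not code from cri-dockerd, Docker, CRI-O or containerd) of what device_ownership_from_security_context does on the CRI-O/containerd side and what is lost when the result has to be expressed through Docker's DeviceMapping. The SecurityContext and LinuxDevice types are hypothetical minimal mirrors of the Kubernetes security context and the OCI device entry, the device path and uid/gid values are constructed sample input, and ApplyDeviceOwnership / ToDockerDeviceMapping are names chosen for this example:

```go
package main

import "fmt"

// SecurityContext holds the subset of the Kubernetes pod/container security
// context that the feature reads (hypothetical minimal type for this example).
type SecurityContext struct {
	RunAsUser  *int64
	RunAsGroup *int64
}

// LinuxDevice mirrors the OCI runtime-spec device fields that CRI-O/containerd
// rewrite when the option is on: the ownership of the node created in the
// container, alongside the path and cgroup permission string.
type LinuxDevice struct {
	PathOnHost      string
	PathInContainer string
	Permissions     string // cgroup permissions, e.g. "rwm"
	UID             uint32
	GID             uint32
}

// DeviceMapping is the Docker Engine API type quoted in the comment above:
// it has no ownership fields at all.
type DeviceMapping struct {
	PathOnHost        string
	PathInContainer   string
	CgroupPermissions string
}

// ApplyDeviceOwnership models device_ownership_from_security_context = true:
// when runAsUser/runAsGroup are declared, the device node inside the container
// is owned by that uid/gid, so a non-root container user can open it without
// the node being made world-accessible. With the option off (or no user/group
// declared) the node keeps its host ownership, which is root:root for almost
// every /dev entry.
func ApplyDeviceOwnership(dev LinuxDevice, sc SecurityContext, enabled bool) LinuxDevice {
	if !enabled {
		return dev
	}
	if sc.RunAsUser != nil {
		dev.UID = uint32(*sc.RunAsUser)
	}
	if sc.RunAsGroup != nil {
		dev.GID = uint32(*sc.RunAsGroup)
	}
	return dev
}

// ToDockerDeviceMapping shows what survives translation to the Docker API:
// path and cgroup permissions are carried over, ownership is not. The second
// return value reports whether a non-root owner was requested and dropped,
// which is exactly the case cri-dockerd cannot currently express.
func ToDockerDeviceMapping(dev LinuxDevice) (DeviceMapping, bool) {
	lost := dev.UID != 0 || dev.GID != 0
	return DeviceMapping{
		PathOnHost:        dev.PathOnHost,
		PathInContainer:   dev.PathInContainer,
		CgroupPermissions: dev.Permissions,
	}, lost
}

func int64Ptr(v int64) *int64 { return &v }

func main() {
	// Constructed sample: a pod running as uid/gid 1000 that requests a device.
	sc := SecurityContext{RunAsUser: int64Ptr(1000), RunAsGroup: int64Ptr(1000)}
	dev := LinuxDevice{PathOnHost: "/dev/example0", PathInContainer: "/dev/example0", Permissions: "rwm"}

	withOwnership := ApplyDeviceOwnership(dev, sc, true)
	fmt.Printf("CRI-O/containerd, option on: uid=%d gid=%d\n", withOwnership.UID, withOwnership.GID)

	mapping, lost := ToDockerDeviceMapping(withOwnership)
	fmt.Printf("Docker DeviceMapping: %+v (ownership dropped: %v)\n", mapping, lost)
}
```

The practical consequence for a pod that sets runAsUser and asks for a device: on CRI-O/containerd the node ends up owned by that user, whereas through Docker the node keeps root ownership and the workload either fails to open it or has to be granted root or a relaxed device mode, both of which widen the container's privileges.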