Open OwenDelahoy opened 3 years ago
The workers always need privileged: true because both the guardian and containerd runtime need to be root in order to create containers, even non-privileged ones. Currently there is no way around this.
In the future we're planning to create a k8s runtime which would not require privileged workers in your k8s clusters. https://github.com/concourse/rfcs/pull/81
Another possibility is running containerd in rootless mode. We haven't experimented with this though.
Concourse workers cannot launch on EKS in Fargate due to
privileged: true
https://github.com/concourse/concourse-chart/blob/8fe5b300e63337d4d7e2aa662ff996db062c8dc4/templates/worker-statefulset.yaml#L64
The following error is returned from Fargate when trying to launch the pod:
Warning FailedScheduling <unknown> fargate-scheduler Pod not supported on Fargate: invalid SecurityContext fields: Privileged
Does this always need to run with privileged: true? Or just by privileged tasks? https://concourse-ci.org/jobs.html#schema.step.task-step.privileged
There is another discussion regarding this flag here: https://github.com/concourse/concourse-chart/issues/60#issue-554781647
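A pre-deploy check for the scheduling failure described in this issue, added here as an example and not code from the Concourse chart: it walks a manifest (the JSON shape `kubectl get ... -o json` produces, including a `List`) and reports every container, init or regular, that sets `securityContext.privileged: true`, which Fargate refuses at scheduling time. The sample manifest is constructed to mirror the worker StatefulSet; the workload and container names in it are assumptions.

```python
import json

# Constructed sample modelled on the chart's worker StatefulSet: the worker
# container requests privileged: true, the init container does not.
SAMPLE_MANIFEST = json.dumps({
    "apiVersion": "apps/v1",
    "kind": "StatefulSet",
    "metadata": {"name": "concourse-worker"},
    "spec": {"template": {"spec": {
        "initContainers": [{"name": "init", "image": "busybox"}],
        "containers": [{"name": "worker", "image": "concourse/concourse",
                        "securityContext": {"privileged": True}}],
    }}},
})

# Workload kinds that embed a pod template under spec.template.
TEMPLATED_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job", "ReplicaSet"}


def pod_spec(obj):
    """Return the PodSpec of a Pod, a templated workload, or a CronJob."""
    kind = obj.get("kind")
    spec = obj.get("spec", {})
    if kind == "Pod":
        return spec
    if kind in TEMPLATED_KINDS:
        return spec.get("template", {}).get("spec", {})
    if kind == "CronJob":
        return spec.get("jobTemplate", {}).get("spec", {}).get("template", {}).get("spec", {})
    return {}


def privileged_containers(manifest_json):
    """Return 'workload/container' for every container with privileged: true.

    Accepts a single object or a kind: List (what kubectl get -o json emits
    for several objects). Only an explicit boolean True counts; an absent
    securityContext means the default, non-privileged, container."""
    obj = json.loads(manifest_json)
    items = obj.get("items", []) if obj.get("kind") == "List" else [obj]
    found = []
    for item in items:
        name = item.get("metadata", {}).get("name", "?")
        spec = pod_spec(item)
        for field in ("initContainers", "containers"):
            for c in spec.get(field, []):
                if c.get("securityContext", {}).get("privileged") is True:
                    found.append(f"{name}/{c.get('name', '?')}")
    return found


if __name__ == "__main__":
    print(privileged_containers(SAMPLE_MANIFEST))  # ['concourse-worker/worker']
```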