genuinetools / img

Standalone, daemon-less, unprivileged Dockerfile and OCI compatible container image builder.
https://blog.jessfraz.com/post/building-container-images-securely-on-kubernetes/
MIT License

[Question] Running on kubernetes without privileged (v0.5.7) #266

Closed netfalo closed 4 years ago

netfalo commented 4 years ago

Hi,

The README states that since v0.5.7 the security context is not needed:

Since img v0.5.7, you don't need to specify any securityContext for running img as a Kubernetes container.

I assume this means it doesn't have to be privileged to run.

But when I create the following Pod:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: img
spec:
  containers:
  - name: img
    image: <private_registry>/img:v0.5.7
    args: ['pull', '-d', 'alpine:latest']
    tty: true
  imagePullSecrets:
    - name: <secretname>
```

It exits with the following error message:

nsenter: cannot change root filesystem propagation: Permission denied

Am I missing something? Ofc if I add the privileged=true to the securityContext it works, but I would rather not do that.

Versions

img: version : v0.5.7
git hash : d14bb92b
go version : go1.11.13
go compiler : gc
platform : linux/amd64

kubernetes v1.15.4-k3s.1 containerd v1.2.8-k3s.1

issue-label-bot[bot] commented 4 years ago

Issue-Label Bot is automatically applying the label question to this issue, with a confidence of 0.95. Please mark this comment with :thumbsup: or :thumbsdown: to give our bot feedback!


AkihiroSuda commented 4 years ago

You need annotations:

```yaml
container.apparmor.security.beta.kubernetes.io/img: unconfined
container.seccomp.security.alpha.kubernetes.io/img: unconfined
```
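Putting the reply together with the manifest from the question, as an added example that is not from the img project or either commenter: the same Pod with the two annotations applied and still no `privileged: true`. The `<private_registry>` and `<secretname>` placeholders are kept from the question, and the annotation keys are the ones given in the reply.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: img
  annotations:
    # Both keys are taken from the maintainer's reply above. The suffix after
    # the slash (/img) must match the container name in spec.containers,
    # otherwise the profile is not applied to that container.
    container.apparmor.security.beta.kubernetes.io/img: unconfined
    container.seccomp.security.alpha.kubernetes.io/img: unconfined
spec:
  containers:
  - name: img
    image: <private_registry>/img:v0.5.7
    args: ['pull', '-d', 'alpine:latest']
    tty: true
    # Deliberately no securityContext.privileged here: the AppArmor and
    # seccomp profiles are relaxed, but the container is not privileged.
  imagePullSecrets:
    - name: <secretname>
```

The container name in the annotation key and in `spec.containers[].name` must agree, so renaming the container means renaming both annotation keys.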