Closed KiaraGrouwstra closed 8 months ago
Hey @KiaraGrouwstra,

not a Nomad expert, but I can try to answer your questions.

To function, the csi-driver has to format & mount the volumes. This requires accessing the devices, which the Docker daemon only allows for privileged containers.
https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities

> `docker`?

The csi-driver is published as container images, you need a container runtime to run it. `docker` is natively supported in Nomad, but `podman` (official) or `containerd` (community) should also work fine. It would also be possible to build a binary of the csi-driver and use `exec` if one really wants to do this.

We do not care what driver your other tasks use. This is only about running the csi-driver itself. We can mount volumes to tasks from any driver (except remote).
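One way to keep the privilege boundary described above auditable, as an added example (not code from the csi-driver project or from either poster): a Python check over the JSON that `nomad job inspect -json` prints, flagging any task that requests `privileged = true` without being a CSI plugin task. The JSON field names (`Job`, `TaskGroups`, `Tasks`, `Config`, `CSIPluginConfig`) are an assumption about that output shape, and the sample job is constructed.

```python
import json

# Constructed sample in the shape of `nomad job inspect -json` output (the field
# names Job/TaskGroups/Tasks/Driver/Config/CSIPluginConfig are an assumption,
# not taken from the issue). The CSI plugin task legitimately needs
# privileged = true; the "web" task also requests it and should be flagged.
SAMPLE_JOB_JSON = """
{"Job": {"ID": "example-constructed", "TaskGroups": [
  {"Name": "csi", "Tasks": [
    {"Name": "plugin", "Driver": "docker",
     "Config": {"image": "example/csi-driver:placeholder", "privileged": true},
     "CSIPluginConfig": {"ID": "csi.example.placeholder", "Type": "monolith",
                         "MountDir": "/csi"}}]},
  {"Name": "app", "Tasks": [
    {"Name": "web", "Driver": "docker",
     "Config": {"image": "example/web:placeholder", "privileged": true},
     "CSIPluginConfig": null},
    {"Name": "db", "Driver": "podman",
     "Config": {"image": "example/db:placeholder"},
     "CSIPluginConfig": null}]}]}}
"""


def privileged_non_csi_tasks(job_json: str) -> list:
    """Return "group/task" names that set privileged = true but are not CSI
    plugin tasks. Only the plugin task needs raw device access to format and
    mount volumes; any other privileged task widens the blast radius of
    allow_privileged = true on the client."""
    job = json.loads(job_json)["Job"]
    findings = []
    for group in job.get("TaskGroups") or []:
        for task in group.get("Tasks") or []:
            config = task.get("Config") or {}
            is_privileged = bool(config.get("privileged", False))
            is_csi_plugin = task.get("CSIPluginConfig") is not None
            if is_privileged and not is_csi_plugin:
                findings.append(f'{group["Name"]}/{task["Name"]}')
    return findings


if __name__ == "__main__":
    for name in privileged_non_csi_tasks(SAMPLE_JOB_JSON):
        print(f"privileged task outside a CSI plugin: {name}")
```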
@apricote thanks for explaining!
TL;DR

hi there, in the readme documenting usage with Nomad, i found:

i was wondering about this:

- `allow_privileged = true` required? i'm not sure what this is like for the k8s side, but i would wonder from a security perspective if granting such privileges might facilitate privilege escalation as well.
- `docker` driver needed? does this mean this plugin could not be used with Nomad drivers different from that?

Expected behavior

no specific restrictions on Nomad drivers used