hetznercloud / csi-driver

Kubernetes Container Storage Interface driver for Hetzner Cloud Volumes
MIT License

clarify nomad requirements? #568

Closed KiaraGrouwstra closed 8 months ago

KiaraGrouwstra commented 8 months ago

TL;DR

Hi there, in the readme documenting usage with Nomad, I found:

The cluster nodes need to have the docker driver installed & configured with allow_privileged = true.

I was wondering about this:

  1. What makes the allow_privileged = true required? I'm not sure what this is like for the k8s side, but I would wonder from a security perspective if granting such privileges might facilitate privilege escalation as well.
  2. Why is the docker driver needed? Does this mean this plugin could not be used with Nomad drivers different from that?

Expected behavior

No specific restrictions on Nomad drivers used.

apricote commented 8 months ago

Hey @KiaraGrouwstra,

Not a Nomad expert, but I can try to answer your questions.

Why privileged?

To function, the csi-driver has to format & mount the volumes. This requires accessing the devices, which the Docker daemon only allows for privileged containers.

https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities

Why docker?

The csi-driver is published as container images, so you need a container runtime to run it. docker is natively supported in Nomad, but podman (official) or containerd (community) should also work fine. It would also be possible to build a binary of the csi-driver and use exec if one really wants to do this.

We do not care what driver your other tasks use. This is only about running the csi-driver itself. We can mount volumes to tasks from any driver (except remote).
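As an added illustration (not from the issue thread or the project's own documentation), this is the shape of the Nomad setup the answer above describes: allow_privileged is an agent-wide gate on the docker plugin, while privileged is requested per task, so only the csi-driver task runs privileged and workloads that consume the volumes do not. The image, plugin id, datacenter and token are placeholders.

```hcl
# --- Nomad client agent config (e.g. /etc/nomad.d/client.hcl) ---
# Agent-wide gate: without this the docker driver refuses any task
# that asks for privileged = true. It does not make tasks privileged
# by itself; each task must still request it explicitly.
plugin "docker" {
  config {
    allow_privileged = true
  }
}

# --- CSI node plugin job (placeholder values, constructed example) ---
job "csi-node-plugin" {
  datacenters = ["PLACEHOLDER-dc"]
  type        = "system" # one node plugin instance per client

  group "node" {
    task "plugin" {
      driver = "docker"

      config {
        image = "PLACEHOLDER/csi-driver-image"
        # Only this task needs device access to format and mount
        # volumes, so only this task requests privileged mode.
        privileged = true
      }

      env {
        HCLOUD_TOKEN = "PLACEHOLDER-token" # inject via Vault/template in practice
      }

      csi_plugin {
        id        = "PLACEHOLDER-plugin-id"
        type      = "node"
        mount_dir = "/csi"
      }
    }
  }
}

# --- A consumer task: unprivileged, any driver, uses the volume ---
job "app" {
  datacenters = ["PLACEHOLDER-dc"]
  group "web" {
    volume "data" {
      type      = "csi"
      source    = "PLACEHOLDER-volume-id"
      attachment_mode = "file-system"
      access_mode     = "single-node-writer"
    }
    task "web" {
      driver = "exec" # driver choice is independent of the plugin
      volume_mount {
        volume      = "data"
        destination = "/data"
      }
    }
  }
}
```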

KiaraGrouwstra commented 8 months ago

@apricote thanks for explaining!