hh
commented
5 months ago Getting a bit further, now it's permissions... but still not a clear path. Was hoping fsGroup and fsGroupChangePolicy would help:
apiVersion: v1
kind: Pod
metadata:
name: d
spec:
securityContext:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
# fsGroupChangePolicy: "OnRootMismatch"
fsGroupChangePolicy: "Always"
containers:
- name: no-priv
image: quay.io/podman/stable
args:
- sleep
- "1000000"
securityContext:
runAsUser: 1000
runAsGroup: 1000
resources:
limits:
github.com/fuse: 1
volumeMounts:
- mountPath: /home/podman/.local/share/containers
name: podman-local
volumes:
- name: podman-local
hostPath:
path: /var/local/podmanpodman run ubi8 echo hello
Error: creating runtime static files directory "/home/podman/.local/share/containers/storage/libpod": mkdir /home/podman/.local/share/containers/storage: permission denied
Exploring Rootless Podman w/o the privileged flag: https://www.redhat.com/sysadmin/podman-inside-kubernetes
Which will require we use a fuse-device-plugin similar to this one:
https://github.com/kuberenetes-learning-group/fuse-device-plugin/tree/master (is two years old...)
The fus-device-plugin deployed, and then I tried running it without a shared volume mount, but seems to need host path, which needs to be limited via some type of policy.
This is basically the following:
rootless-no-priv.yaml
Here is an old way with PodSecurityPolicy: https://dev.to/mxglt/kubernetes-give-rights-for-hostpath-volumes-to-services-121f However PSP seems to have been deprecated / removed by 1.25: https://kubernetes.io/docs/concepts/security/pod-security-policy/
There is a migration path: https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/ And it seems
allowedHostPathswill need to be covered by an admission web hook: https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/#eliminate-non-standard-optionsMay need to loop back around.