rootless-containers / usernetes

Kubernetes without the root privileges
https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/2033-kubelet-in-userns-aka-rootless
Apache License 2.0

Devices support #242

Open mythi opened 3 years ago

mythi commented 3 years ago

@AkihiroSuda I have a question about the KEP. It says:

Device controller cannot be supported as well, but it is not a huge deal, because non-root users don't have permission to access insecure devices anyway.

What is the problem with the device controller? I've been working on getting non-root containers + devices to work in the "non-rootless" mode and would like to understand what is needed for the rootless mode.

I understand the UID/GID for permissions but it's not clear why the eBPF device controller cannot be supported (is it more than capabilities, e.g. CAP_BPF?)

I think it is a valid use-case to get access to devices, e.g., GPUs, as non-root user.

AkihiroSuda commented 3 years ago

I understand the UID/GID for permissions but it's not clear why the eBPF device controller cannot be supported (is it more than capabilities, e.g. CAP_BPF?)

Yes, restricting devices requires CAP_BPF.

Anyway, GPUs could be supported as long as the GPU device is chowned/chmodded

mythi commented 3 years ago

@AkihiroSuda thanks for the prompt reply

Yes, restricting devices requires CAP_BPF.

Is it possible to get rootless runc working with this?

Anyway, GPUs could be supported as long as the GPU device is chowned/chmodded

Is it enough that the "rootless UID" belongs to that device group, or does the container process need to have it in the additionalGids too?
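Two checks a practitioner can run to ground the points raised in this thread: whether the current (rootless) process actually holds CAP_BPF, which the eBPF cgroup device controller needs, and whether a given UID plus group set gets read/write access to a device node under the kernel's owner/group/other rule, so the effect of chown/chmod on a GPU node or of a particular group membership can be evaluated before the container starts. This is an added example, not code from usernetes or the KEP; the device path and the UID/GID values in the comments are constructed, and CAP_BPF = 39 is taken from linux/capability.h.

```bash
#!/usr/bin/env bash
# Added example (not part of the usernetes project). Requires bash.

CAP_BPF=39   # capability number from linux/capability.h

# has_cap CAPEFF_HEX CAPNUM -> exit 0 if bit CAPNUM is set in the hex mask.
# CAPEFF_HEX is the value of the "CapEff:" line of /proc/<pid>/status.
has_cap() {
    local mask="${1#0x}" capnum="$2"
    (( (0x$mask >> capnum) & 1 ))
}

# self_has_cap_bpf -> exit 0 if this process's effective set includes CAP_BPF.
# In a rootless setup this is normally false, which is why the eBPF device
# controller cannot be used there.
self_has_cap_bpf() {
    local capeff
    capeff=$(awk '/^CapEff:/ {print $2}' /proc/self/status)
    has_cap "$capeff" "$CAP_BPF"
}

# dev_rw_allowed MODE_OCTAL OWNER_UID OWNER_GID UID [GID...]
# Exit 0 if UID with supplementary GIDs gets read+write on a node with the
# given permission bits. Mirrors the kernel's class selection: owner class
# if UID matches, else group class if any GID matches, else other class.
# CAP_DAC_OVERRIDE is deliberately ignored: a rootless UID lacks it on host
# device nodes, so chown/chmod or group membership must grant access.
dev_rw_allowed() {
    local mode=$(( 8#$1 )) owner="$2" group="$3" uid="$4"
    shift 4
    local bits g
    if [ "$uid" = "$owner" ]; then
        bits=$(( (mode >> 6) & 7 ))
    else
        bits=$(( mode & 7 ))
        for g in "$@"; do
            [ "$g" = "$group" ] && { bits=$(( (mode >> 3) & 7 )); break; }
        done
    fi
    (( (bits & 6) == 6 ))
}

# check_device PATH -> evaluates dev_rw_allowed for the current user on a real
# device node, e.g. a constructed example path such as /dev/dri/renderD128.
# Uses GNU stat(1); returns 2 if the node cannot be stat'ed.
check_device() {
    local path="$1"
    set -- $(stat -c '%a %u %g' "$path") || return 2
    dev_rw_allowed "$1" "$2" "$3" "$(id -u)" $(id -G)
}
```

Pass the rootless user's own group list to dev_rw_allowed to model the "rootless UID in the device group" case, and the container's intended supplementary GIDs to model the additionalGids case.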