Kubernetes: Is it possible to mount the host's entire root filesystem into a container and execute its commands?


I have a Kubernetes cluster and need to install the WireGuard kernel module on every node of the cluster as a DaemonSet-like job, because the kernel versions I have to deal with are older than 5.16.

My question is: is it possible to replace and mount the entire host root filesystem into a container (if that is possible, the container image doesn't matter, let's pick ubuntu) and use the host's commands from inside the container to install the WireGuard kernel module (or install anything in general)?

Although this is dangerous and you really have to know what you are doing, it is possible using a privileged container; see here for details. You need to add the following to your manifest:

securityContext:
   privileged: true

Example for plain docker
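To make the settings in this answer concrete, here is an added example (not code from the original post or from any of the projects named on this page) that builds the kind of DaemonSet manifest the answer implies, with `privileged: true` plus a hostPath mount of the node's root, and then audits it the way a cluster admission check would. The manifest contents, names, and image tag are constructed assumptions; the audit function is the part worth keeping, since it flags exactly the two settings that turn a pod into a node-level process.

```python
"""Audit a Kubernetes workload manifest for privileged containers and hostPath
mounts of the node root filesystem. Added example; the DaemonSet below is
constructed and its names are hypothetical."""

# Constructed DaemonSet in the shape the answer suggests: a privileged
# container (all capabilities, including CAP_SYS_MODULE needed by modprobe)
# with the node's "/" mounted at /host.
WIREGUARD_DAEMONSET = {
    "apiVersion": "apps/v1",
    "kind": "DaemonSet",
    "metadata": {"name": "wireguard-module-installer", "namespace": "kube-system"},
    "spec": {
        "selector": {"matchLabels": {"app": "wireguard-module-installer"}},
        "template": {
            "metadata": {"labels": {"app": "wireguard-module-installer"}},
            "spec": {
                "containers": [{
                    "name": "installer",
                    "image": "ubuntu:22.04",          # hypothetical image tag
                    "securityContext": {"privileged": True},
                    "volumeMounts": [{"name": "host-root", "mountPath": "/host"}],
                }],
                "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
            },
        },
    },
}


def pod_spec(manifest):
    """Return the PodSpec of a bare Pod or of a templated workload
    (Deployment, DaemonSet, StatefulSet, Job all nest it under template)."""
    if manifest.get("kind") == "Pod":
        return manifest["spec"]
    return manifest["spec"]["template"]["spec"]


def audit_manifest(manifest):
    """Return (container_name, finding) pairs for every container that runs
    privileged or mounts a hostPath volume whose path is the node root."""
    spec = pod_spec(manifest)
    host_root_volumes = {
        v["name"] for v in spec.get("volumes", [])
        if v.get("hostPath", {}).get("path") == "/"
    }
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if c.get("securityContext", {}).get("privileged"):
            findings.append((c["name"], "privileged: true (full host capabilities and device access)"))
        for m in c.get("volumeMounts", []):
            if m["name"] in host_root_volumes:
                findings.append((c["name"], f"hostPath / mounted at {m['mountPath']}"))
    return findings


def restrict_to_kube_system(manifest, allowed_namespace="kube-system"):
    """Policy helper: such workloads are acceptable only in an admin namespace.
    Returns True when the manifest is clean, or risky but in the allowed namespace."""
    findings = audit_manifest(manifest)
    namespace = manifest.get("metadata", {}).get("namespace", "default")
    return not findings or namespace == allowed_namespace


if __name__ == "__main__":
    for container, finding in audit_manifest(WIREGUARD_DAEMONSET):
        print(f"{container}: {finding}")
    print("allowed:", restrict_to_kube_system(WIREGUARD_DAEMONSET))
```

Running this on the constructed manifest reports both findings for the `installer` container; the same function over an ordinary Deployment returns an empty list, which is what you want an admission webhook or CI check to enforce outside an admin namespace.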

Why mount the root filesystem at all when you can use a docker image for wireguard.

Or build your own image based on the wireguard dockerfile.

There is also a project, kubewg, that can help you manage Wireguard.

kubewg is a Kubernetes controller that allows you to configure and manage [Wireguard] VPN configuration using a Kubernetes API server.

It introduces the following [CustomResourceDefinition] resources:

  • Network: Represents a Wireguard VPN network.
  • Peer: Represents a single Peer in a Network. Each peer will be allocated an address in the network's subnet.
  • RouteBinding: Represents additional route configuration that should be used by all members of the VPN network.

Wormhole is a Wireguard-based overlay network CNI plugin for kubernetes.

Wormhole is a simple CNI plugin designed to create an encrypted overlay network for kubernetes clusters.

WireGuard is a fascinating Fast, Modern, Secure VPN tunnel, that has been gaining significant praise from security experts, and is currently proposed for inclusion within the linux kernel.

Wormhole uses WireGuard to create a simple and secure high performance encrypted overlay network for kubernetes clusters, that is easy to manage and troubleshoot.

Wormhole does not implement network policy, instead we recommend to use calico or kube-router as network policy controllers.