Using Mount Propagation bidirectional without Privileged Security context in kubernetes
I am implementing support for a CSIDriver that uses Bidirectional mount propagation. This requires the container to be Privileged, but in this project we are not allowed to use privileged containers.
Is there any other way? I tried using the SYS_ADMIN capability, but it didn't work.
- name: spiffe-csi-driver
  image: ghcr.io/spiffe/spiffe-csi-driver:0.1.0
  imagePullPolicy: IfNotPresent
  args: [
    "-workload-api-socket-dir", "/spire-agent-socket",
    "-csi-socket-path", "/spiffe-csi/csi.sock",
  ]
  env:
    - name: MY_NODE_NAME
      valueFrom:
        fieldRef:
          fieldPath: spec.nodeName
  volumeMounts:
    - mountPath: /spire-agent-socket
      name: spire-agent-socket
      readOnly: true
    - mountPath: /spiffe-csi
      name: spiffe-csi-socket-dir
    # The volume containing mount points for containers.
    - mountPath: /var/lib/kubelet/pods
      mountPropagation: Bidirectional
      name: mountpoint-dir
  securityContext:
    privileged: true # need to remove
    # capabilities: # this didn't work
    #   add:
    #     - SYS_ADMIN
According to the K8s official documentation:
"it is allowed only in privileged containers."
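The sentence quoted from the documentation reflects a rule that kube-apiserver enforces in object validation (validateMountPropagation in pkg/apis/core/validation), not in an admission policy: a volumeMount with mountPropagation Bidirectional is rejected unless the owning container has securityContext.privileged set to true, and the check never looks at capabilities, which is why adding SYS_ADMIN changes nothing. The following Python check mirrors that rule so a manifest can be linted offline before it is submitted. It is an added example, not code from the question or from the SPIFFE CSI driver project; the embedded manifest is a constructed JSON rendering of the container spec above, and the field-path strings are an approximation of the apiserver's error paths.

```python
import copy
import json

# Constructed manifest (JSON form of the question's container, trimmed to the
# fields the rule looks at). SYS_ADMIN is added the way the poster tried it.
POD_JSON = """
{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {"name": "spiffe-csi-driver"},
  "spec": {
    "containers": [
      {
        "name": "spiffe-csi-driver",
        "image": "ghcr.io/spiffe/spiffe-csi-driver:0.1.0",
        "securityContext": {"capabilities": {"add": ["SYS_ADMIN"]}},
        "volumeMounts": [
          {"mountPath": "/spire-agent-socket", "name": "spire-agent-socket", "readOnly": true},
          {"mountPath": "/spiffe-csi", "name": "spiffe-csi-socket-dir"},
          {"mountPath": "/var/lib/kubelet/pods", "name": "mountpoint-dir",
           "mountPropagation": "Bidirectional"}
        ]
      }
    ]
  }
}
"""

# The three values the API accepts for volumeMounts[].mountPropagation.
VALID_MODES = {"None", "HostToContainer", "Bidirectional"}

BIDIRECTIONAL_MSG = "Bidirectional mount propagation is available only to privileged containers"


def is_privileged(container):
    """True only when securityContext.privileged is literally true.

    Capabilities (including SYS_ADMIN) are deliberately not consulted,
    matching the apiserver's check.
    """
    sc = container.get("securityContext") or {}
    return sc.get("privileged") is True


def validate_mount_propagation(pod):
    """Return a list of (fieldPath, message) errors for the pod's containers.

    An empty list means the spec passes this particular validation rule.
    """
    errors = []
    spec = pod.get("spec") or {}
    for list_name in ("initContainers", "containers"):
        for i, container in enumerate(spec.get(list_name) or []):
            for j, vm in enumerate(container.get("volumeMounts") or []):
                mode = vm.get("mountPropagation")
                if mode is None:
                    continue  # unset means the default, "None"
                path = f"spec.{list_name}[{i}].volumeMounts[{j}].mountPropagation"
                if mode not in VALID_MODES:
                    errors.append((path, f'Unsupported value: "{mode}"'))
                elif mode == "Bidirectional" and not is_privileged(container):
                    errors.append((path, BIDIRECTIONAL_MSG))
    return errors


def check_manifest(text):
    """Parse a JSON pod manifest and run the mount-propagation check."""
    return validate_mount_propagation(json.loads(text))


def with_privileged(pod, flag):
    """Copy of the pod with every container's securityContext.privileged set."""
    pod = copy.deepcopy(pod)
    for container in (pod.get("spec") or {}).get("containers") or []:
        container.setdefault("securityContext", {})["privileged"] = flag
    return pod


if __name__ == "__main__":
    for path, msg in check_manifest(POD_JSON):
        print(f"{path}: {msg}")
```

Running the block prints one error for the third volumeMount of the spiffe-csi-driver container. Re-running validate_mount_propagation on with_privileged(pod, True) returns no errors, which is the only change to this container that satisfies the rule; the capabilities block is irrelevant to it.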