TechQA.

Using Mount Propagation bidirectional without Privileged Security context in kubernetes

1k views Asked by At

I'm implementing support to a CSIDriver that uses Bidirectional Mount Propagation. This requires that the container be Privileged, but in this project, we are not allowed to use privileged containers.

There is any other way to do this? I've tried to use SYS_ADMIN capability, but it did not work.

    - name: spiffe-csi-driver
        image: ghcr.io/spiffe/spiffe-csi-driver:0.1.0
        imagePullPolicy: IfNotPresent
        args: [
          "-workload-api-socket-dir", "/spire-agent-socket",
          "-csi-socket-path", "/spiffe-csi/csi.sock",
        ]
        env:
          - name: MY_NODE_NAME
            valueFrom:
              fieldRef:
                fieldPath: spec.nodeName
        volumeMounts:
          - mountPath: /spire-agent-socket
            name: spire-agent-socket
            readOnly: true
          - mountPath: /spiffe-csi
            name: spiffe-csi-socket-dir
          # The volume containing mount points for containers.
          - mountPath: /var/lib/kubelet/pods
            mountPropagation: Bidirectional
            name: mountpoint-dir
        securityContext:
          privileged: true # need to remove
          # capabilities: # this didn't work 
          #   add:
          #   - SYS_ADMIN
kubernetes permissions containers csi-driver
Original Q&A
1

There are 1 answers

0
gohm'c On BEST ANSWER

According to K8s official documentation:

it is allowed only in privileged containers.

Related Questions in KUBERNETES

Related Questions in PERMISSIONS

Related Questions in CONTAINERS

Related Questions in CSI-DRIVER

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions